Workstream: Integration · Part of #89
Context
A key compliance win: a declarative rule is part of the signed schema artifact — reviewable in a PR, covered by the signature, an auditable control for ATO — unlike opaque out-of-band hook binaries. Must integrate with the existing signing pipeline (sign/verify, off→warn→enforce, trust bundles).
Scope
- Ensure rule definitions are inside the signed schema payload and covered by signature verification.
- Confirm
verify and the enforce stage reject tampered rules.
- Document the audit story (how a reviewer enumerates all rules gating an entity).
Acceptance
- Rules are signed/verified with the schema; tampering fails verification; audit doc added.
Dependencies: Suggested order: after rules persist in the schema payload (#103). Soft.
Workstream: Integration · Part of #89
Context
A key compliance win: a declarative rule is part of the signed schema artifact — reviewable in a PR, covered by the signature, an auditable control for ATO — unlike opaque out-of-band hook binaries. Must integrate with the existing signing pipeline (
sign/verify, off→warn→enforce, trust bundles).Scope
verifyand the enforce stage reject tampered rules.Acceptance
Dependencies: Suggested order: after rules persist in the schema payload (#103). Soft.