# `Mailglass.Webhook.Providers.SES.TrustPolicy`
[🔗](https://github.com/szTheory/mailglass/blob/v1.0.0/lib/mailglass/webhook/providers/ses/trust_policy.ex#L1)

SNS URL trust-policy validation — SSRF guard for cert and subscribe URLs.

Validates `SigningCertURL` and `SubscribeURL` from SNS messages before any
network I/O. Implements the safe host pattern from the AWS PHP SDK reference
implementation to prevent S3 namespace collision attacks (per D-06, D-09).

All functions are pure predicates — no side effects, no network I/O, no Logger.
Callers raise `%Mailglass.SignatureError{}` on `false`.

# `valid_cert_url?`

```elixir
@spec valid_cert_url?(binary()) :: boolean()
```

Returns `true` if `url` is a trusted SNS signing certificate URL.

Requirements (all must hold):
- Scheme: https only
- Host: matches `^sns\.[a-zA-Z0-9\-]{3,}\.amazonaws\.com(\.cn)?$`
- No userinfo component
- No fragment component
- Path ends with `.pem`
- No query string (certs are static resources)

# `valid_subscribe_url?`

```elixir
@spec valid_subscribe_url?(binary()) :: boolean()
```

Returns `true` if `url` is a trusted SNS subscribe/unsubscribe URL.

Requirements (all must hold):
- Scheme: https only
- Host: matches SNS host pattern (same regex as cert URL)
- No userinfo component
- No fragment component

Note: SubscribeURL validation is a consistency check per D-07. The actual
subscription confirmation does NOT follow this URL — it constructs the
ConfirmSubscription API request from `TopicArn` + `Token` instead.

---

*Consult [api-reference.md](api-reference.md) for complete listing*