# `OCSF.Policy`
[🔗](https://github.com/docjerem/ocsf/blob/v0.1.0/lib/ocsf/policy.ex#L1)

Sink redaction policy.

Defines which data classes a **sink** allows, denies, or transforms
before writing. Every sink declares a policy; `apply/2` enforces it
on an event by walking nested objects and dropping or transforming
fields based on their `__ocsf_fields__/0` classification.

`:credential` is always denied — not configurable.

## Example

    policy = %OCSF.Policy{
      allow: [:identifier, :tenant, :taxonomic, :temporal],
      deny:  [:contact, :identity, :network],
      transform: []
    }

    redacted = OCSF.Policy.apply(policy, event)
    # redacted event has no PII fields

See `OCSF.Classification`, `OCSF.Sink`.

# `t`

```elixir
@type t() :: %OCSF.Policy{
  allow: [OCSF.Classification.data_class()],
  deny: [OCSF.Classification.data_class()],
  transform: keyword()
}
```

# `transform`

```elixir
@type transform() ::
  :truncate_v4_24
  | :truncate_v6_48
  | :hash_salted
  | :ua_parse_only
  | :drop
  | {module(), atom(), list()}
```

# `apply`

```elixir
@spec apply(t(), OCSF.Event.t()) :: OCSF.Event.t()
```

Apply a policy to an event, returning a redacted event.

Walks all nested objects and drops fields whose data class is denied.
`:credential` is always dropped regardless of policy. `deny` always
wins over `allow`.
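
The rules documented above (nested walk, `deny` over `allow`, `:credential` never written), modelled as a stand-alone sketch; this is an added example, not the library's own code. `PolicySketch`, its `@classes` table and the sample event are hypothetical, and dropping classes listed in neither `allow` nor `deny` is an assumption of the sketch, not documented behaviour.

```elixir
defmodule PolicySketch do
  # Constructed field -> data class table. The library reads classifications
  # from __ocsf_fields__/0 on each object; this map only stands in for that.
  @classes %{
    uid: :identifier,
    time: :temporal,
    email_addr: :contact,
    name: :identity,
    ip: :network,
    password: :credential
  }

  # Unclassified containers are descended into; every other field is kept or
  # dropped according to its class.
  def redact(policy, %{} = obj) do
    Enum.reduce(obj, %{}, fn {key, value}, acc ->
      case {Map.get(@classes, key), value} do
        {nil, v} when is_map(v) or is_list(v) -> Map.put(acc, key, redact(policy, v))
        {class, v} -> if keep?(class, policy), do: Map.put(acc, key, v), else: acc
      end
    end)
  end

  def redact(policy, list) when is_list(list), do: Enum.map(list, &redact(policy, &1))
  def redact(_policy, scalar), do: scalar

  # :credential is rejected before the policy is consulted; deny beats allow.
  # Assumption: a class in neither list (or an unclassified scalar) is dropped.
  defp keep?(:credential, _policy), do: false
  defp keep?(class, %{allow: allow, deny: deny}), do: class in allow and class not in deny
end

# :network appears in both lists to show deny winning; :credential is in neither.
policy = %{allow: [:identifier, :temporal, :network], deny: [:network, :contact, :identity]}

# Constructed sample event (plain maps, not OCSF.Event structs).
event = %{
  uid: "evt-1",
  time: 1_700_000_000,
  actor: %{user: %{uid: "u-42", name: "Alice", email_addr: "alice@example.com", password: "hunter2"}},
  src_endpoint: %{ip: "192.0.2.10"}
}

IO.inspect(PolicySketch.redact(policy, event))
```

Only the `uid` and `time` fields survive, including the nested `uid` under `actor.user`; `src_endpoint` is left as an empty map because `:network` is denied even though it is also allowed.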

