# `SignCore.Policy.Allow`
[🔗](https://github.com/utaladriz/pkcs11ex/blob/v0.1.0/lib/sign_core/policy/allow.ex#L1)

Test-only trust policy that accepts any signer with a parseable cert in the
JWS `x5c` header. **Refuses to start under `Mix.env() == :prod`.**

Used as the default in test environments. Production deployments must use
`SignCore.Policy.PinnedRegistry` (allowlist by SPKI hash) or
`SignCore.Policy.CASignedAllowlist` (CA + per-subject allowlist).

This policy intentionally violates the hard invariant in `specs.md` §7.1
("sender-supplied certs are untrusted input until allowlist match") and
exists only to make round-trip tests possible without setting up a registry.
The Mix-env guard ensures it cannot be misused in production by accident.
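The difference between accepting any parseable `x5c` certificate and pinning by SPKI hash, as an added example that is not pkcs11ex code. `TrustDemo` and its function names are hypothetical, the environment is passed in as an argument (an assumption about how a guard could be wired), and the sample certificates are constructed with OTP's `:public_key` test helper.

```elixir
# Added illustration: TrustDemo and its functions are hypothetical, not pkcs11ex APIs.
defmodule TrustDemo do
  # Leaf certificate (DER) from a JWS x5c header: a list of standard-base64 DER strings.
  def leaf_der([b64 | _]) when is_binary(b64), do: Base.decode64(b64)
  def leaf_der(_), do: :error

  # SHA-256 over the DER-encoded SubjectPublicKeyInfo; :error if the cert does not parse.
  def spki_sha256(der) do
    {:Certificate, tbs, _alg, _sig} = :public_key.pkix_decode_cert(der, :plain)
    # Element 7 of the :TBSCertificate record is subjectPublicKeyInfo.
    {:ok, :crypto.hash(:sha256, :public_key.der_encode(:SubjectPublicKeyInfo, elem(tbs, 7)))}
  rescue
    _ -> :error
  end

  # Allow-style behaviour: any parseable certificate passes. The environment is
  # passed in (assumption: captured by the caller at build time).
  def allow_any(_x5c, :prod), do: raise("allow-any policy refused in :prod")

  def allow_any(x5c, _env) do
    with {:ok, der} <- leaf_der(x5c), {:ok, _hash} <- spki_sha256(der) do
      :ok
    else
      _ -> {:error, :unparseable_cert}
    end
  end

  # Pinned behaviour: the sender-supplied cert stays untrusted until its SPKI
  # hash matches an entry the verifier configured itself.
  def pinned(x5c, allowlist) do
    with {:ok, der} <- leaf_der(x5c),
         {:ok, hash} <- spki_sha256(der),
         true <- hash in allowlist do
      :ok
    else
      _ -> {:error, :untrusted_signer}
    end
  end
end

# Constructed sample input: two throwaway self-signed certificates from OTP's test helper.
%{cert: known} = :public_key.pkix_test_root_cert(~c"constructed known signer", [])
%{cert: stranger} = :public_key.pkix_test_root_cert(~c"constructed unknown signer", [])
{:ok, pin} = TrustDemo.spki_sha256(known)

for {label, der} <- [known: known, stranger: stranger] do
  x5c = [Base.encode64(der)]
  IO.inspect({label, TrustDemo.allow_any(x5c, :test), TrustDemo.pinned(x5c, [pin])})
end
```

Both certificates pass the allow-any check because they parse; only the one whose SPKI hash was pinned passes the pinned check.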

