# `SignCore.Policy`
[🔗](https://github.com/utaladriz/pkcs11ex/blob/v0.1.0/lib/sign_core/policy.ex#L1)

Behaviour for trust policies.

See `docs/specs/api.md` §2.3 for the canonical contract. The verify pipeline
treats sender-supplied certificates as **untrusted input**: `resolve/2` MUST
return `{:error, :unknown_signer}` when the candidate certificate (or its
identity hint) does not match an allowlist the verifier maintains.

Cryptographic verification only runs after `resolve/2` succeeds AND
`validate/3` returns `{:ok, subject_id}`.
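An illustrative policy module that satisfies this contract, added here as an example and not part of pkcs11ex. It pins certificates in an allowlist keyed by an identity hint; the `"kid"` header key, the `:allowlist` option and the `:untrusted_certificate` error atom are all assumptions of the example.

```elixir
defmodule MyApp.AllowlistPolicy do
  @moduledoc """
  Example `SignCore.Policy` implementation (not part of pkcs11ex).

  The allowlist is a map from identity hint to `{cert, chain}`, passed in
  the `:allowlist` option. The `"kid"` header key and the `:allowlist`
  option are assumptions made for this example.
  """
  @behaviour SignCore.Policy

  @impl true
  def resolve(header, opts) when is_map(header) do
    allowlist = Keyword.get(opts, :allowlist, %{})

    # The header is sender-controlled, so it may only *select* among entries
    # the verifier maintains. A missing hint or one that is not allowlisted is
    # rejected with :unknown_signer, as the contract requires.
    with {:ok, kid} <- Map.fetch(header, "kid"),
         {:ok, {cert, chain}} <- Map.fetch(allowlist, kid) do
      {:ok, cert, chain}
    else
      :error -> {:error, :unknown_signer}
    end
  end

  def resolve(_header, _opts), do: {:error, :unknown_signer}

  @impl true
  def validate(cert, chain, opts) do
    allowlist = Keyword.get(opts, :allowlist, %{})

    # Re-check the pair against the allowlist instead of trusting whatever was
    # passed in, and require the pinned chain. The subject_id returned is the
    # allowlist key, so the caller learns which trusted signer matched.
    case Enum.find(allowlist, fn {_kid, {c, ch}} -> c === cert and ch === chain end) do
      {kid, _entry} -> {:ok, kid}
      nil -> {:error, :untrusted_certificate}
    end
  end
end
```

Only after both callbacks succeed does the pipeline proceed to the signature check, so a forged or look-alike certificate that is not pinned never reaches the cryptographic step.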

# `cert`

```elixir
@type cert() :: SignCore.X509.t()
```

# `chain`

```elixir
@type chain() :: [cert()]
```

# `header`

```elixir
@type header() :: map()
```

# `subject_id`

```elixir
@type subject_id() :: term()
```

# `resolve`

```elixir
@callback resolve(header(), opts :: keyword()) ::
  {:ok, cert(), chain()} | {:error, term()}
```

# `validate`

```elixir
@callback validate(cert(), chain(), opts :: keyword()) ::
  {:ok, subject_id()} | {:error, term()}
```

---

*Consult [api-reference.md](api-reference.md) for the complete listing*
