POLICY LAYER

Current scope: Gest

Category: 10_normative | Version: v1.0.0

Owner: DOCUMENT_CUSTODIAN | Review cycle: 90 days

Approval Authority: GOVERNANCE_ADMIN

Read-only Documentation Portal. Editing and mutation endpoints are disabled.

METADATA INCOMPLETE: Document ID, Version, Status, Owner Role, Last Review Date, Next Review Date, Change Log

Policy Layer (Thin Policy-as-Code)

This layer adds declarative governance checks on top of existing permission guards. It does not replace RBAC and does not change JWT/auth flow.

Permission:
- Atomic capability token (for example roles:request.review).
- Evaluated by RBAC permission evaluator.
Policy:
- Declarative rule set that includes a permission plus optional account/identity gates.
- Example fields:
  - permission
  - requiresActiveAccount
  - requiresVerifiedIdentity

Policy is a higher-level contract. Permission is one input to policy.