# T-03: Policy & Enforcement Layer

<div id="bkmrk-odrl-%28open-digital-r" style="border-left:4px solid #1a7f64;padding:14px 18px;margin:12px 0;background:#f9fbfa;">**ODRL (Open Digital Rights Language)**  
W3C standard for expressing data usage policies. CTH uses ODRL to encode: permitted purposes, geographic scope, time limitations, benefit-sharing requirements. ODRL policies are stored as JSON-LD in the `policies` table.</div>

<div id="bkmrk-w3c-dpv-2.0-%28data-pr" style="border-left:4px solid #1a6b8a;padding:14px 18px;margin:12px 0;background:#f9fbfa;">**W3C DPV 2.0 (Data Privacy Vocabulary)**  
Vocabulary for expressing data processing purposes, legal bases, data subjects, and processing activities. Used to map CTH policies to GDPR Article 6 and Colombian habeas data (Law 1581/2012).</div>

<div id="bkmrk-opa-%28open-policy-age" style="border-left:4px solid #b35c00;padding:14px 18px;margin:12px 0;background:#f9fbfa;">**OPA (Open Policy Agent) — ODRE Pattern**  
OPA evaluates ODRL policies at runtime. The ODRE (ODRL Policy Reasoner and Enforcer) pattern: ODRL policy → Rego translation → OPA evaluation. The `POST /policy/evaluate` endpoint is the mandatory pre-flight check for all agent write operations (R-AGT-02).</div>

<div id="bkmrk-shacl-validationused" style="border-left:4px solid #555;padding:14px 18px;margin:12px 0;background:#f9fbfa;">**SHACL Validation**  
Used at two points: (1) at ingestion to validate data quality (T-02), and (2) at policy evaluation to validate that credential claims match policy requirements. SHACL shapes are versioned with the framework.</div>

### POST /policy/evaluate — Agent Integration

This is the primary integration point for AI agents. Every agent must call this endpoint before any write operation.

```
POST /policy/evaluate
Authorization: Bearer <agent-jwt>

{
  "principal_did": "did:key:z6Mk...",
  "delegating_did": "did:web:example.org#gideon",
  "action": "submit_parcel",
  "resource": {
    "type": "parcel",
    "territory_id": "COL-CHO-001",
    "purpose": "eudr"
  }
}

Response 200 (allow):
{
  "allow": true,
  "policy_token": "eyJ...",
  "expires_in": 30
}

Response 403 (deny):
{
  "allow": false,
  "reason": "FPIC_NOT_GRANTED",
  "territory_id": "COL-CHO-001"
}
```

<div id="bkmrk-%F0%9F%9A%A7-implementation-sta" style="background:#fff3cd;border:1px solid #ffc107;border-radius:8px;padding:14px 18px;margin:16px 0">

#### 🚧 Implementation Status — POST /policy/evaluate

**Status:** Specification complete. Endpoint not yet deployed.

The `POST /policy/evaluate` endpoint described above is the *target specification*. Implementation requires:

- OPA instance with Rego policies (`submit.rego`, `validate.rego`, `purpose.rego`, `commercial.rego`)
- API gateway middleware for `X-Policy-Token` validation
- SHACL validator endpoint for R-SUB-01 shape checks
- Postgres RLS policies for FPIC enforcement (R-AGT-03)

Until deployed, agents should treat this as a design contract. The endpoint signature, request/response schema, and error codes are stable and will not change in v1.0.

</div>
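The pre-flight flow specified above, worked end to end as an added example. This is not CTH project code and not the Rego the ODRE pattern would generate: it is a Python stand-in that evaluates a `POST /policy/evaluate` request body against one ODRL permission, returns the allow/deny response shapes shown in the spec, and then performs the gateway-side `X-Policy-Token` check that the implementation list calls for. The ODRL policy, the FPIC consent table, the DIDs, the token format (a compact HMAC-bound token rather than the JWT the `eyJ...` in the spec implies) and every reason code other than `FPIC_NOT_GRANTED` are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed: one HMAC key shared by the policy service and the API gateway.
# Constructed value for this example only.
TOKEN_SECRET = b"constructed-example-key"
TOKEN_TTL_SECONDS = 30  # matches "expires_in": 30 in the spec above

# Constructed ODRL policy in the JSON-LD shape the text says is stored in
# the `policies` table; purpose/spatial/dateTime are ODRL 2.2 left operands.
POLICY = {
    "@context": "http://www.w3.org/ns/odrl.jsonld",
    "@type": "Set",
    "permission": [{
        "target": "parcel",
        "action": "submit_parcel",
        "assignee": "did:web:example.org#gideon",
        "constraint": [
            {"leftOperand": "purpose", "operator": "isAnyOf",
             "rightOperand": ["eudr", "research"]},
            {"leftOperand": "spatial", "operator": "isAnyOf",
             "rightOperand": ["COL-CHO-001", "COL-CHO-002"]},
            {"leftOperand": "dateTime", "operator": "lt",
             "rightOperand": "2027-01-01T00:00:00Z"},
        ],
    }],
}

# Constructed stand-in for the per-territory FPIC consent state that the
# Postgres RLS policies (R-AGT-03) would enforce at the data layer.
FPIC_GRANTED = {"COL-CHO-001": True, "COL-CHO-002": False}

OPERATORS = {
    "isAnyOf": lambda value, right: value in right,
    "lt": lambda value, right: value < right,  # ISO-8601 UTC strings sort lexically
}

def _left_operand(name, request, now):
    """Map an ODRL leftOperand onto fields of the evaluate request."""
    if name == "purpose":
        return request["resource"].get("purpose")
    if name == "spatial":
        return request["resource"].get("territory_id")
    if name == "dateTime":
        return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    raise ValueError(f"unsupported leftOperand: {name}")

def evaluate(request, now=None):
    """Decide a POST /policy/evaluate request and return the response body."""
    now = time.time() if now is None else now
    territory = request["resource"].get("territory_id")
    # FPIC is checked first: no permission can override missing consent.
    if not FPIC_GRANTED.get(territory, False):
        return {"allow": False, "reason": "FPIC_NOT_GRANTED",
                "territory_id": territory}
    for perm in POLICY["permission"]:
        if (perm["target"] != request["resource"].get("type")
                or perm["action"] != request["action"]
                or perm["assignee"] != request["delegating_did"]):
            continue
        failed = [c["leftOperand"] for c in perm["constraint"]
                  if not OPERATORS[c["operator"]](
                      _left_operand(c["leftOperand"], request, now),
                      c["rightOperand"])]
        if failed:  # constructed reason code; the spec only names FPIC_NOT_GRANTED
            return {"allow": False, "reason": "CONSTRAINT_FAILED",
                    "constraint": failed, "territory_id": territory}
        return {"allow": True, "expires_in": TOKEN_TTL_SECONDS,
                "policy_token": mint_policy_token(request, now)}
    return {"allow": False, "reason": "NO_MATCHING_PERMISSION",
            "territory_id": territory}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_policy_token(request, now):
    """Bind the allow decision to principal, action and resource for 30 s."""
    payload = {"sub": request["principal_did"], "act": request["action"],
               "res": request["resource"], "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_policy_token(token, principal_did, action, resource, now):
    """Gateway check of X-Policy-Token on a write: signature, expiry, binding."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "BAD_SIGNATURE"
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= payload["exp"]:
        return False, "TOKEN_EXPIRED"
    if (payload["sub"], payload["act"], payload["res"]) != (principal_did, action, resource):
        return False, "TOKEN_NOT_BOUND_TO_REQUEST"
    return True, "OK"
```

Two design points matter for the gateway middleware. The token is bound to the exact principal, action and resource that were evaluated, so a token minted for one parcel submission cannot be presented on a write to a different territory or purpose, and the 30-second `expires_in` keeps the window in which a captured token stays valid short. The FPIC check also runs before any ODRL constraint, so a permission that is otherwise satisfied still yields `FPIC_NOT_GRANTED` when consent for the territory is absent.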