# .cryptagion.yaml — sample sensitivity policy
# ---------------------------------------------------------------------------
# Drop this file at the root of a repository (or pass it with --policy) to give
# each cryptographic asset its own data-sensitivity classification and
# confidentiality lifetime. These drive Harvest-Now-Decrypt-Later (HNDL) risk
# scoring: long-lived confidential data scores higher than short-lived public data.
#
# Matching: fnmatch-style globs, relative to this file's directory. First match
# wins; assets with no match fall back to `defaults`.
# ---------------------------------------------------------------------------

defaults:
  # Baseline applied to every asset that no `overrides` entry matches. Keep it
  # conservative enough that an unmatched path is never badly under-scored.
  classification: internal        # public | internal | confidential | secret
  confidentiality_years: 3        # years the data must stay confidential (HNDL horizon)

overrides:
  # Rules are tried top to bottom and the first matching glob wins, so order
  # matters: narrower / higher-sensitivity patterns go first, broad catch-alls
  # last. `match` accepts either a single glob or a list (both forms are used
  # below).
  #
  # NOTE(review): if matching is plain fnmatch, `**` is not special and
  # `dir/**/*` only matches paths with at least one more `/` after `dir/`, so a
  # file directly under `vault/` (e.g. `vault/key.pem`) would fall through to
  # `defaults` — confirm the tool's glob semantics or add `dir/*` alongside.

  # Long-lived key material — maximum HNDL horizon.
  - match:
      - "vault/**/*"
      - "secrets/**/*"
      - "kms/**/*"
    classification: secret
    confidentiality_years: 25
    reason: "Long-lived key material — must stay confidential for decades."

  # Cardholder / payment data — PCI scope.
  - match: "payments/**/*"
    classification: secret
    confidentiality_years: 15
    reason: "Cardholder data (PCI)."

  # Authentication / identity services.
  - match: "auth_service/**/*"
    classification: confidential
    confidentiality_years: 7
    reason: "Tokens and identity material."

  # Public-facing assets — short-lived sensitivity.
  # NOTE(review): classified `internal` rather than `public` — presumably
  # because the endpoints are public but the serving key material is not;
  # confirm that is intended.
  # NOTE(review): `www.example.com*` looks like a host-name pattern rather than
  # a path relative to this file — confirm the scanner also matches network/TLS
  # assets by host name, otherwise this entry never fires.
  - match:
      - "public/**/*"
      - "www.example.com*"
    classification: internal
    confidentiality_years: 1
    reason: "Public traffic — routine, short-lived sensitivity."

  # Tests and examples — exclude from inflated scoring.
  # This is a downgrade rule: anything under these paths is scored as `public`
  # with a zero-year horizon. Because earlier rules win, a fixture under
  # `vault/tests/` is still scored `secret`; conversely, real key material
  # checked in under `tests/` or `examples/` would be scored `public`, so keep
  # those trees synthetic.
  - match:
      - "tests/**/*"
      - "examples/**/*"
    classification: public
    confidentiality_years: 0
    reason: "Non-production code."
