# How-To: Declare Authoritative State Per Project

Aphoria allows organizations to define their own authoritative "truth." This means you can say: *"At Acme Corp, this is how we do Auth,"* and Aphoria will enforce it across all your projects.

## The Mechanism: Trust Packs

You don't edit the engine; you publish a **Trust Pack**.

### 1. Define Your "Truth" (The Acme Auth Policy)

You want to enforce that all authentication must happen via gRPC to `auth.acme.internal`.

**A. Create a Policy Repo**

Create a repository (e.g., `acme-policies`) to hold your assertions.

**B. Author the Assertion**

You can create assertions using the Aphoria CLI or by writing a policy definition file (a planned feature; currently we use `aphoria ack` to "bless" patterns or manual ingestion).

*Conceptual Workflow (Future `aphoria policy author`):*

```toml
# policy/auth.toml
[[assertion]]
subject = "code://acme/auth/mechanism"
predicate = "protocol"
object = "grpc"
source_class = "Regulatory" # It's a hard rule for your company
confidence = 1.0
description = "All auth must use gRPC to auth.acme.internal"
```

*Current Workflow (using `ack` to bootstrap):*

Scan a "Golden Repo" that does it right.

```bash
$ aphoria scan ./golden-auth-service
# Aphoria sees: code://go/auth/protocol = grpc
# You confirm:
$ aphoria ack "code://go/auth/protocol" --reason "This is the Acme Standard"
```

**C. Export the Trust Pack**

Export your "acknowledged truth" as a portable pack.

```bash
$ aphoria policy export --name "Acme Auth Standard" --output acme-auth.pack
```

### 2. Distribute the Truth

Host the pack where your developers can reach it (S3, Artifactory, internal Git).

`https://internal.acme.com/policies/acme-auth.pack`

### 3. Enforce the Truth (The Consumer)

In every project's `aphoria.toml`:

```toml
[policies]
# Subscribe to the company standard
auth = "https://internal.acme.com/policies/acme-auth.pack"
```

### 4. The Result

When Developer Bob tries to implement Auth using `REST` / `HTTP`:

1. **Extractor** sees: `code://go/auth/protocol = http`
2. **Aphoria** loads `acme-auth.pack`.
3. **Conflict Detected:**
   * Code Claim: `http`
   * Authority (Acme Pack): `grpc` (Tier 0 Regulatory for this org)
4. **Verdict:** **BLOCK**.
   * *Report:* "Conflict: Auth protocol must be gRPC (Source: Acme Auth Standard)"

---

## Why this is easy

1. **No Code Changes:** You didn't write a regex or a linter rule to "ban HTTP." You just asserted "Truth is gRPC." The engine handled the conflict logic.
2. **Inheritance:** You can stack packs. `[Global Security]` + `[Team Backend]` + `[Project Specifics]`.
3. **Dynamic Updates:** When you update the pack (e.g., "gRPC or GraphQL are okay"), everyone's next scan picks up the new truth automatically. No plugin updates required.
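
The conflict check from "The Result" and the pack stacking from "Inheritance", sketched as an added Python example (not Aphoria's own code or API). The merge rule (every stacked pack is enforced), the BLOCK/WARN split, the `TeamConvention` class and the `code://go/log/format` subject are assumptions made for the illustration.

```python
# Added illustration, not Aphoria's implementation. Field names mirror the
# page's policy/auth.toml sketch; the merge and verdict rules are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    subject: str
    objects: frozenset   # accepted values; the page's single `object`, widened
    source_class: str    # "Regulatory" is the only class the page names
    pack: str            # pack name, quoted in the report

def load_stack(packs):
    """Flatten stacked packs, in order, into subject -> [Assertion, ...].
    Assumption: every pack in the stack is enforced; none overrides another."""
    index = {}
    for name, rules in packs:
        for subject, objects, source_class in rules:
            a = Assertion(subject, frozenset(objects), source_class, name)
            index.setdefault(subject, []).append(a)
    return index

def evaluate(claims, index):
    """Compare extracted claims with the stack. Returns (verdict, findings).
    Assumption: Regulatory conflicts BLOCK, any other class only WARNs,
    and a subject that no pack mentions is not a conflict."""
    findings = []
    for subject, value in claims.items():
        for a in index.get(subject, []):
            if value not in a.objects:
                level = "BLOCK" if a.source_class == "Regulatory" else "WARN"
                want = " or ".join(sorted(a.objects))
                findings.append((level, f"Conflict: {subject} is {value!r}, "
                                        f"must be {want} (Source: {a.pack})"))
    levels = {lvl for lvl, _ in findings}
    verdict = "BLOCK" if "BLOCK" in levels else "WARN" if levels else "PASS"
    return verdict, findings

# Constructed sample data: pack contents and claims are made up for the demo.
ACME_AUTH = ("Acme Auth Standard",
             [("code://go/auth/protocol", {"grpc"}, "Regulatory")])
TEAM_BACKEND = ("Team Backend",
                [("code://go/log/format", {"json"}, "TeamConvention")])
BOB_CLAIMS = {"code://go/auth/protocol": "http", "code://go/log/format": "json"}

if __name__ == "__main__":
    verdict, findings = evaluate(BOB_CLAIMS, load_stack([ACME_AUTH, TEAM_BACKEND]))
    print(verdict)
    for level, msg in findings:
        print(level, msg)
```

Publishing a pack whose accepted set is `{"grpc", "graphql"}` changes the verdict for a `graphql` claim to PASS without touching `evaluate`, which is the "Dynamic Updates" point in miniature.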