# High-Level Flow

1. **User completes KYC once** → Vault + Cloud Agent store raw docs.
2. **Fairway issues EAS attestation** with:
   * Subject address (EOA or ERC-1271 smart account).
   * `kyc_verified_at` timestamp.
   * Current `sanctions_epoch`.
   * Risk score if applicable.
3. **Protocol calls PolicyEngine** before sensitive actions.
4. PolicyEngine checks:
   * Attestation validity + signature.
   * `sanctions_epoch` freshness.
   * `now - kyc_verified_at ≤ max_age` (defined by the dApp).
5. PolicyEngine returns YES/NO + reason code.
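
The decision in steps 4 and 5, modelled off-chain as an added example (not Fairway's PolicyEngine code). The reason-code names, the `revoked` and `signature_valid` fields, the subject/caller match, and reading "freshness" as equality with the engine's current epoch are assumptions; signature verification is taken as already done upstream.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Reason codes are hypothetical; the page only says "YES/NO + reason code".
OK, NO_ATTESTATION, BAD_SIGNATURE, REVOKED, SUBJECT_MISMATCH = (
    "OK", "NO_ATTESTATION", "BAD_SIGNATURE", "REVOKED", "SUBJECT_MISMATCH")
STALE_EPOCH, KYC_IN_FUTURE, KYC_TOO_OLD = (
    "STALE_SANCTIONS_EPOCH", "KYC_TIMESTAMP_IN_FUTURE", "KYC_TOO_OLD")

@dataclass(frozen=True)
class Attestation:
    subject: str            # EOA or smart-account address
    kyc_verified_at: int    # unix seconds
    sanctions_epoch: int
    signature_valid: bool   # assumed output of a separate signature check
    revoked: bool = False   # assumption: revocation counts toward "validity"

def evaluate(att: Optional[Attestation], caller: str, now: int,
             current_epoch: int, max_age: int) -> Tuple[bool, str]:
    """Fail-closed decision: every check must pass, first failure wins."""
    if att is None:
        return False, NO_ATTESTATION
    if not att.signature_valid:
        return False, BAD_SIGNATURE
    if att.revoked:
        return False, REVOKED
    if att.subject.lower() != caller.lower():
        return False, SUBJECT_MISMATCH
    # Assumption: "fresh" means issued under the engine's current epoch.
    if att.sanctions_epoch != current_epoch:
        return False, STALE_EPOCH
    age = now - att.kyc_verified_at
    if age < 0:  # a future timestamp would otherwise pass age <= max_age
        return False, KYC_IN_FUTURE
    if age > max_age:
        return False, KYC_TOO_OLD
    return True, OK

# Constructed sample data: KYC completed 30 days before NOW, under epoch 7.
NOW = 1_700_000_000
ALICE = "0xAbC0000000000000000000000000000000000001"
SAMPLE = Attestation(ALICE, NOW - 30 * 86400, sanctions_epoch=7,
                     signature_valid=True)

if __name__ == "__main__":
    for epoch, max_age in [(7, 90 * 86400), (8, 90 * 86400), (7, 7 * 86400)]:
        print(epoch, max_age, evaluate(SAMPLE, ALICE, NOW, epoch, max_age))
```

The same attestation passes for a dApp with a 90-day `max_age`, fails for one with a 7-day `max_age`, and fails everywhere once the sanctions epoch advances.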
