build: Update pre-commit hooks (#588 )

Co-authored-by: jkjell <135588+jkjell@users.noreply.github.com>
chore: bump golang from 1.24.4-alpine to 1.24.5-alpine (#587 )
2025-07-12 13:56:27 -05:00 · 2025-07-11 09:32:49 -05:00 · 2025-06-30 16:05:02 -06:00 · 2025-06-30 16:57:26 -05:00 · 2025-06-30 16:50:50 -05:00 · 2025-06-30 14:13:32 -05:00
170 changed files with 10704 additions and 3597 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -26,6 +26,10 @@ updates:
      interval: "weekly"
    commit-message:
      prefix: "chore"
+    groups:
+      github-actions:
+        patterns:
+          - "*"      
  - package-ecosystem: docker
    directory: /
    schedule:
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -55,16 +55,20 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
        with:
          egress-policy: audit

      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: "go.mod"

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@ -74,7 +78,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@ -87,6 +91,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
        with:
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/db-migrations.yml
+++ b/.github/workflows/db-migrations.yml
@ -21,6 +21,10 @@ on:
      - master
      - main
  pull_request:
+    paths:
+      - 'ent/**'
+      - 'ent.*'
+      - '.github/workflows/db-migrations.yml'
  workflow_dispatch:

 permissions:
@ -32,11 +36,11 @@ jobs:
    name: db-migrations
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: '1.21.x'
+          go-version: '1.22.x'

      - name: Check DB Migrations
        run: |
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@ -31,11 +31,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
        with:
          egress-policy: audit

      - name: 'Checkout Repository'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
+        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@ -34,9 +34,9 @@ jobs:
      steps:
        - if: ${{ env.FOSSA_API_KEY != '' }}
          name: "Checkout Code"
-          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        - if: ${{ env.FOSSA_API_KEY != '' }}
          name: "Run FOSSA Scan"
-          uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+          uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
          with:
            api-key: ${{ env.FOSSA_API_KEY }}
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -30,13 +30,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
        with:
          egress-policy: audit

-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: "go.mod"
+
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: latest
          args: --timeout=3m
--- a/.github/workflows/label-issues.yml
+++ b/.github/workflows/label-issues.yml
@ -28,7 +28,7 @@ jobs:
      issues: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
        with:
          egress-policy: audit

--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@ -70,31 +70,39 @@ jobs:

        steps:
            - name: Harden Runner
-              uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+              uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
              with:
                egress-policy: audit

-            - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-            - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+            - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
              with:
                go-version: 1.21.x

            - name: Login to GitHub Container Registry
-              uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+              uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
                password: ${{ secrets.GITHUB_TOKEN }}

+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+                        
            - name: Download GoReleaser
              run: go install github.com/goreleaser/goreleaser@v1.23.0

            - name: Run GoReleaser
-              uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+              uses: testifysec/witness-run-action@d5cef0eea8f8b008c91f6b25f84e8c39f454f413
              env:
                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
              with:
+                witness-install-dir: /opt/witness
+                version: 0.9.1
                step: "build"
                attestations: "github"
                command: goreleaser release --clean
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -45,17 +45,17 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
        with:
          egress-policy: audit

      - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
        with:
          results_file: results.sarif
          results_format: sarif
@ -77,7 +77,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: SARIF file
          path: results.sarif
@ -85,6 +85,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
        with:
          sarif_file: results.sarif
--- a/.github/workflows/update-pre-commit-hooks.yml
+++ b/.github/workflows/update-pre-commit-hooks.yml
@ -28,10 +28,11 @@ jobs:
  update-pre-commit-hooks:
    runs-on: ubuntu-latest
    permissions:
+      contents: write
      pull-requests: write
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.11"
      - name: Install prerequisites
@ -45,7 +46,7 @@ jobs:
        run: |
          echo "GIT_DIFF=$(git diff --exit-code 1> /dev/null; echo $?)" >> $GITHUB_OUTPUT
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "build: Update pre-commit hooks"
--- a/.github/workflows/verify-licence.yml
+++ b/.github/workflows/verify-licence.yml
@ -27,12 +27,12 @@ jobs:
      runs-on: ubuntu-latest
      steps:
        - name: Harden Runner
-          uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+          uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
          with:
            egress-policy: audit

-        - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
          with:
            go-version: '1.19.x'
        - name: Install addlicense
@ -40,4 +40,4 @@ jobs:
        - name: Check license headers
          run: |
            set -e
-            addlicense --check -l apache -c 'The Archivista Contributors' --ignore "ent/migrate/migrations/**" --ignore "docs/**" -v ./
+            addlicense --check -l apache -c 'The Archivista Contributors' --ignore "generated.go" --ignore "ent.resolvers.go" --ignore "ent/migrate/migrations/**" --ignore "docs/**" --ignore "chart/**/*.yaml" -v ./
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@ -33,24 +33,26 @@ permissions:

 jobs:
    witness:
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
        permissions:
          contents: read
          id-token: write
        steps:
          - name: Harden Runner
-            uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+            uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
            with:
              egress-policy: audit

-          - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-          - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+          - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+          - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
            with:
-              go-version: 1.21.x
+              go-version: 1.22.x

          - if: ${{ inputs.pull_request == false }}
-            uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+            uses: testifysec/witness-run-action@d5cef0eea8f8b008c91f6b25f84e8c39f454f413
            with:
+              witness-install-dir: /opt/witness
+              version: 0.9.1
              step: ${{ inputs.step }}
              attestations: ${{ inputs.attestations }}
              command: /bin/sh -c "${{ inputs.command }}"
@ -59,4 +61,4 @@ jobs:
            run: ${{ inputs.command }}

          - if: ${{ inputs.step == 'tests' }}
-            uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044
+            uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -0,0 +1,42 @@
+# Copyright 2024 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: "2"
+linters:
+  enable:
+    - gosec
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - gosec
+        path: _test.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  max-same-issues: 50
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -74,18 +74,56 @@ release:
  prerelease: auto
  github:
    owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
+dockers:
+  - image_templates:
+    - "ghcr.io/in-toto/archivista:{{ .Version }}-amd64"
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+    extra_files:
+      - "archivista.graphql"
+      - "ent.graphql"
+      - "ent.resolvers.go"
+      - "entrypoint.sh"
+      - "gen.go"
+      - "generated.go"
+      - "go.mod"
+      - "go.sum"
+      - "resolver.go"
+      - "docs"
+      - "ent"
+      - "cmd"
+      - "ent"
+      - "pkg"
+  - image_templates:
+    - "ghcr.io/in-toto/archivista:{{ .Version }}-arm64"
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+    extra_files:
+      - "archivista.graphql"
+      - "ent.graphql"
+      - "ent.resolvers.go"
+      - "entrypoint.sh"
+      - "gen.go"
+      - "generated.go"
+      - "go.mod"
+      - "go.sum"
+      - "resolver.go"
+      - "docs"
+      - "ent"
+      - "cmd"
+      - "ent"
+      - "pkg"
+    goarch: arm64
+docker_manifests:
+  - name_template: "ghcr.io/in-toto/archivista:{{ .Version }}"
+    image_templates:
+      - "ghcr.io/in-toto/archivista:{{ .Version }}-amd64"
+      - "ghcr.io/in-toto/archivista:{{ .Version }}-arm64"
 kos:
-  - repository: ghcr.io/in-toto/archivista
-    id: archivista
-    build: archivista
-    tags:
-    - '{{.Version}}'
-    bare: true
-    preserve_import_paths: false
-    creation_time: '{{.CommitTimestamp}}'
-    platforms:
-    - linux/amd64
-    - linux/arm64
  - repository: ghcr.io/in-toto/archivistactl
    id: archivistactl
    build: archivistactl
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -14,11 +14,11 @@

 repos:
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.1
+  rev: v8.27.2
  hooks:
  - id: gitleaks
 - repo: https://github.com/golangci/golangci-lint
-  rev: v1.55.2
+  rev: v2.2.2
  hooks:
  - id: golangci-lint
 - repo: https://github.com/jumanjihouse/pre-commit-hooks
@ -26,7 +26,7 @@ repos:
  hooks:
  - id: shellcheck
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.5.0
+  rev: v5.0.0
  hooks:
  - id: end-of-file-fixer
  - id: trailing-whitespace
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -81,7 +81,7 @@ you stay up-to-date with our repository:
 ### Running Archivista Development Environment

 *Please note that the following `make` commands make use of both the `docker` and
-`docker-compose` commands, so you may need to modify this locally if using tools
+`docker compose` commands, so you may need to modify this locally if using tools
 such as [nerdctl](https://github.com/containerd/nerdctl) or [podman](https://github.com/containers/podman).*

 To start the Archivista development environment, simply execute the command:
--- a/4
+++ b/4
@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM golang:1.21.6-alpine@sha256:a6a7f1fcf12f5efa9e04b1e75020931a616cd707f14f62ab5262bfbe109aa84a AS build
+FROM golang:1.24.5-alpine@sha256:ddf52008bce1be455fe2b22d780b6693259aaf97b16383b6372f4b22dd33ad66 AS build
 WORKDIR /src
 RUN apk update && apk add --no-cache file git curl
 RUN curl -sSf https://atlasgo.sh | sh
@ -21,7 +21,7 @@ RUN --mount=target=. --mount=target=/root/.cache,type=cache \
    CGO_ENABLED=0 go build -o /out/archivista -ldflags '-s -d -w' ./cmd/archivista; \
    file /out/archivista | grep "statically linked"

-FROM alpine:3.19.1@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
+FROM alpine:3.22.0@sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715
 COPY --from=build /out/archivista /bin/archivista
 COPY --from=build /usr/local/bin/atlas /bin/atlas
 ADD entrypoint.sh /bin/entrypoint.sh
--- a/2
+++ b/2
@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM golang:1.21.6-alpine@sha256:a6a7f1fcf12f5efa9e04b1e75020931a616cd707f14f62ab5262bfbe109aa84a AS build
+FROM golang:1.24.5-alpine@sha256:ddf52008bce1be455fe2b22d780b6693259aaf97b16383b6372f4b22dd33ad66 AS build
 WORKDIR /src
 RUN apk update && apk add --no-cache file git curl
 RUN curl -sSf https://atlasgo.sh | sh
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@ -0,0 +1,8 @@
+As a sub-project of in-toto, this repository is subject to the governance by the in-toto steering committee.
+
+This repository is also subject to the in-toto and CNCF code of conduct.
+
+For more details, please reference the in-toto community repository:
+
+- [GOVERNANCE.md](https://github.com/in-toto/community/blob/main/GOVERNANCE.md)
+- [CODE_OF_CONDUCT.md](https://github.com/in-toto/community/blob/main/CODE-OF-CONDUCT.md)
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -1,8 +1,8 @@
 # Maintainers

-| Name                       | GitHub          |
-|----------------------------|-----------------|
-| Kairo de Araujo | [@kairoaraujo](https://github.com/kairoaraujo) |
-| Cole Kennedy (TestifySec)      | [@colek42](https://github.com/colek42) |
-| John Kjell (TestifySec)     | [@jkjell](https://github.com/jkjell) |
-| Mikhail Swift (TestifySec) | [@mikhailswift](https://github.com/mikhailswift) |
+| Name                          | GitHub          |
+|-------------------------------|-----------------|
+| Kairo de Araujo (Independent) | [@kairoaraujo](https://github.com/kairoaraujo) |
+| Cole Kennedy (TestifySec)     | [@colek42](https://github.com/colek42) |
+| John Kjell (ControlPlane)     | [@jkjell](https://github.com/jkjell) |
+| Mikhail Swift (TestifySec)    | [@mikhailswift](https://github.com/mikhailswift) |
--- a/5
+++ b/5
@ -23,13 +23,13 @@ run-dev:  ## Run the dev server

 .PHONY: stop
 stop:  ## Stop the dev server
-	@docker-compose down -v
+	@docker compose -f compose-dev.yml down -v


 .PHONY: clean
 clean: ## Clean up the dev server
 	$(MAKE) stop
-	@docker compose rm --force
+	@docker compose -f compose-dev.yml rm --force
 	@docker rmi archivista-archivista --force


@ -56,6 +56,7 @@ docs:  ## Generate swagger docs

 .PHONY: db-migrations
 db-migrations:  ## Run the migrations for the database
+	@go generate ./...
 	@atlas migrate diff mysql --dir "file://ent/migrate/migrations/mysql" --to "ent://ent/schema" --dev-url "docker://mysql/8/dev"
 	@atlas migrate diff pgsql --dir "file://ent/migrate/migrations/pgsql" --to "ent://ent/schema" --dev-url "docker://postgres/16/dev?search_path=public"

--- a/README.md
+++ b/README.md
@ -8,21 +8,28 @@

 # Archivista

-Archivista is a graph and storage service for [in-toto](https://in-toto.io) attestations. Archivista enables the discovery
-and retrieval of attestations for software artifacts.
+Archivista is a graph and storage service for [in-toto](https://in-toto.io)
+attestations. Archivista enables the discovery and retrieval of attestations for
+software artifacts.

-## Archivista enables you to:
+## Archivista enables you to

 - Store and retrieve in-toto attestations
 - Query for relationships between attestations via a GraphQL API
- Validate Witness policy without the need to manually list expected attestations
+- Validate Witness policy without the need to manually list expected
+  attestations

 ## Archivista is a trusted store for supply chain metadata

- It creates a graph of supply chain metadata while storing attestations that can be later used for policy validation and flexible querying.
- It is designed to be horizontally scaleable, supporting storing a large number of attestations.
- It supports deployment on major cloud service and infrastructure providers, making it a versatile and flexible solution for securing software supply chains.
- It only stores signed attestations to further enhance security and and increase trust.
+- It creates a graph of supply chain metadata while storing attestations that
+  can be later used for policy validation and flexible querying.
+- It is designed to be horizontally scaleable, supporting storing a large number
+  of attestations.
+- It supports deployment on major cloud service and infrastructure providers,
+  making it a versatile and flexible solution for securing software supply
+  chains.
+- It only stores signed attestations to further enhance security and and
+  increase trust.

 ## Key Features

@ -36,88 +43,116 @@ and retrieval of attestations for software artifacts.

 ## How Archivista Works

-When an attestation is uploaded to Archivista it will store the entire attestation in a configured object store as well
-as scrape some data from the attestation and store it in a queryable metadata store. This metadata is exposed through a
-GraphQL API. This enables queries such as finding all attestations related to an artifact with a specified hash or
-finding all attestations that recorded the use of a specific dependency.
+When an attestation is uploaded to Archivista it will store the entire
+attestation in a configured object store as well as scrape some data from the
+attestation and store it in a queryable metadata store. This metadata is exposed
+through a GraphQL API. This enables queries such as finding all attestations
+related to an artifact with a specified hash or finding all attestations that
+recorded the use of a specific dependency.

-Archivista uses Subjects on the [in-toto
-Statement](https://github.com/in-toto/attestation/blob/main/spec/README.md#statement) as edges on this graph. Producers
-of attestations (such as [Witness](https://github.com/in-toto/witness) can use these subjects as a way to expose
-relationships between attestations.
+Archivista uses Subjects on the
+[in-toto Statement](https://github.com/in-toto/attestation/blob/main/spec/README.md#statement)
+as edges on this graph. Producers of attestations (such as
+[Witness](https://github.com/in-toto/witness) can use these subjects as a way to
+expose relationships between attestations.

-For example when attesting that an artifact was compiled the compiled artifact may be a subject, as well as the git
-commit hash the artifact was built from. This would allow traversing the graph by the commit hash to find other relevant
-attestations such as those describing code reviews, testing, and scanning that happened on that git commit.
+For example when attesting that an artifact was compiled the compiled artifact
+may be a subject, as well as the git commit hash the artifact was built from.
+This would allow traversing the graph by the commit hash to find other relevant
+attestations such as those describing code reviews, testing, and scanning that
+happened on that git commit.

 ## Running Archivista

-A public instance of Archivista is running [here](https://archivista.testifysec.io) for testing purposes. The data in this
-instance is open to the world and there are currently no SLAs defined for this instance.
+A public instance of Archivista is running
+[here](https://archivista.testifysec.io) for testing purposes. The data in this
+instance is open to the world and there are currently no SLAs defined for this
+instance.

-Archivista requires a MySQL database as well as a compatible file store. Compatible file stores include a local directory
-or any S3 compatible store.
+Archivista requires a MySQL database as well as a compatible file store.
+Compatible file stores include a local directory or any S3 compatible store.

-A docker compose file is included in the repository that will run a local instance of Archivista along with the necessary
-services for it to operate. These include Minio and MySQL. Simply cloning the repo and running
+A docker compose file is included in the repository that will run a local
+instance of Archivista along with the necessary services for it to operate.
+These include Minio and MySQL. Simply cloning the repo and running

-```
+```bash
 docker compose up --build -d
 ```

-is enough to get a local instance of Archivista up and running. Archivista will be listening at `http://localhost:8082` by
-default with this docker compose file.
+is enough to get a local instance of Archivista up and running. Archivista will
+be listening at `http://localhost:8082` by default with this docker compose
+file.

 ### Configuration

 Archivista is configured through environment variables currently.

-| Variable                                   | Default Value                | Description                                                                                   |
-|--------------------------------------------|------------------------------|-----------------------------------------------------------------------------------------------|
-| ARCHIVISTA_LISTEN_ON                       | tcp://127.0.0.1:8082         | URL endpoint for Archivista to listen on                                                      |
-| ARCHIVISTA_LOG_LEVEL                       | INFO                         | Log level. Options are DEBUG, INFO, WARN, ERROR                                               |
-| ARCHIVISTA_CORS_ALLOW_ORIGINS              |                              | Comma separated list of origins to allow CORS requests from                                   |
-| ARCHIVISTA_SQL_STORE_CONNECTION_STRING     | root:example@tcp(db)/testify | SQL store connection string                                                                   |
-| ARCHIVISTA_STORAGE_BACKEND                 |                              | Backend to use for attestation storage. Options are FILE, BLOB, or empty string for disabled. |
-| ARCHIVISTA_FILE_SERVE_ON                   |                              | What address to serve files on. Only valid when using FILE storage backend.                   |
-| ARCHIVISTA_FILE_DIR                        | /tmp/archivista/              | Directory to store and serve files. Only valid when using FILE storage backend.              |
-| ARCHIVISTA_BLOB_STORE_ENDPOINT             | 127.0.0.1:9000               | URL endpoint for blob storage. Only valid when using BLOB storage backend.                    |
-| ARCHIVISTA_BLOB_STORE_CREDENTIAL_TYPE      |                              | Blob store credential type. Options are IAM or ACCESS_KEY.                                    |
-| ARCHIVISTA_BLOB_STORE_ACCESS_KEY_ID        |                              | Blob store access key id. Only valid when using BLOB storage backend.                         |
-| ARCHIVISTA_BLOB_STORE_SECRET_ACCESS_KEY_ID |                              | Blob store secret access key id. Only valid when using BLOB storage backend.                  |
-| ARCHIVISTA_BLOB_STORE_USE_TLS              | TRUE                         | Use TLS for BLOB storage backend. Only valid when using BLOB storage backend.                 |
-| ARCHIVISTA_BLOB_STORE_BUCKET_NAME          |                              | Bucket to use for storage.  Only valid when using BLOB storage backend.                       |
-| ARCHIVISTA_ENABLE_GRAPHQL                  | TRUE                         | Enable GraphQL Endpoint                                                                       |
-| ARCHIVISTA_GRAPHQL_WEB_CLIENT_ENABLE       | TRUE                         | Enable GraphiQL, the GraphQL web client                                                       |
-| ARCHIVISTA_ENABLE_ARTIFACT_STORE           | FALSE                        | Enable Artifact Store Endpoints                                                               |
-| ARCHIVISTA_ARTIFACT_STORE_CONFIG           | /tmp/artifacts/config.yaml   | Location of the config describing available artifacts                                         |
+**Note**: If `ARCHIVISTA_ENABLE_SQL_STORE` is set to false no metadata about store attestations will be collected. Archivista will only store and retrieve attestations by Gitoid from it's storage. Archivista servers with GraphQL or SQL store disabled cannot be used to verify Witness policies.

+| Variable                                   | Default Value                             | Description                                                                                                 |
+| ------------------------------------------ | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| ARCHIVISTA_LISTEN_ON                       | tcp://127.0.0.1:8082                      | URL endpoint for Archivista to listen on                                                                    |
+| ARCHIVISTA_READ_TIMEOUT                    | 120                                       | HTTP server read timeout                                                                                    |
+| ARCHIVISTA_WRITE_TIMEOUT                   | 120                                       | HTTP server write timeout                                                                                   |
+| ARCHIVISTA_LOG_LEVEL                       | INFO                                      | Log level. Options are DEBUG, INFO, WARN, ERROR                                                             |
+| ARCHIVISTA_CORS_ALLOW_ORIGINS              |                                           | Comma separated list of origins to allow CORS requests from                                                 |
+| ARCHIVISTA_ENABLE_SQL_STORE                | TRUE                                      | Enable SQL Metadata store. If disabled, GraphQL will also be disabled                                       |
+| ARCHIVISTA_SQL_STORE_BACKEND               |                                           | Backend to use for SQL. Options are MYSQL or PSQL                                                           |
+| ARCHIVISTA_SQL_STORE_CONNECTION_STRING     | postgresql://root:example@tcp(db)/testify | SQL store connection string                                                                                 |
+| ARCHIVISTA_STORAGE_BACKEND                 |                                           | Backend to use for attestation storage. Options are FILE, BLOB, or empty string for disabled.               |
+| ARCHIVISTA_FILE_SERVE_ON                   |                                           | What address to serve files on. Only valid when using FILE storage backend (e.g. `:8081`).                  |
+| ARCHIVISTA_FILE_DIR                        | /tmp/archivista/                          | Directory to store and serve files. Only valid when using FILE storage backend.                             |
+| ARCHIVISTA_BLOB_STORE_ENDPOINT             | 127.0.0.1:9000                            | URL endpoint for blob storage. Only valid when using BLOB storage backend.                                  |
+| ARCHIVISTA_BLOB_STORE_CREDENTIAL_TYPE      |                                           | Blob store credential type. Options are IAM or ACCESS_KEY.                                                  |
+| ARCHIVISTA_BLOB_STORE_ACCESS_KEY_ID        |                                           | Blob store access key id. Only valid when using BLOB storage backend.                                       |
+| ARCHIVISTA_BLOB_STORE_SECRET_ACCESS_KEY_ID |                                           | Blob store secret access key id. Only valid when using BLOB storage backend.                                |
+| ARCHIVISTA_BLOB_STORE_USE_TLS              | TRUE                                      | Use TLS for BLOB storage backend. Only valid when using BLOB storage backend.                               |
+| ARCHIVISTA_BLOB_STORE_BUCKET_NAME          |                                           | Bucket to use for storage. Only valid when using BLOB storage backend.                                      |
+| ARCHIVISTA_ENABLE_GRAPHQL                  | TRUE                                      | Enable GraphQL Endpoint. Archivista servers with GraphQL disabled cannot be used to verify Witness policies |
+| ARCHIVISTA_GRAPHQL_WEB_CLIENT_ENABLE       | TRUE                                      | Enable GraphiQL, the GraphQL web client                                                                     |
+| ARCHIVISTA_ENABLE_ARTIFACT_STORE           | FALSE                                     | Enable Artifact Store Endpoints                                                                             |
+| ARCHIVISTA_ARTIFACT_STORE_CONFIG           | /tmp/artifacts/config.yaml                | Location of the config describing available artifacts                                                       |
+| ARCHIVISTA_PUBLISHER                       | ""                                        | Publisher to use. Options are DAPR, RSTUF. Supports multiple, Comma-separated list of String                |
+| ARCHIVISTA_PUBLISHER_DAPR_HOST             | localhost                                 | Dapr host                                                                                                   |
+| ARCHIVISTA_PUBLISHER_DAPR_PORT             | 3500                                      | Dapr port                                                                                                   |
+| ARCHIVISTA_PUBLISHER_DAPR_COMPONENT_NAME   | "archivista"                              | Dapr pubsub component name                                                                                  |
+| ARCHIVISTA_PUBLISHER_DAPR_TOPIC            | "attestations"                            | Dapr pubsub topic                                                                                           |
+| ARCHIVISTA_PUBLISHER_DAPR_URL              |                                           | Dapr full URL                                                                                               |
+| ARCHIVISTA_PUBLISHER_RSTUF_HOST            |                                           | RSTUF URL                                                                                                   |

 ## Using Archivista

 Archivista exposes two HTTP endpoints to upload or download attestations:

-```
+```http
 POST /upload - Uploads an attestation to Archivista. The attestation is to be in the request's body
 ```

-```
+```http
 GET /download/:gitoid: - Downloads an attestation with provided gitoid from Archivista
 ```

-Additionally Archivista exposes a GraphQL API. By default the GraphQL playground is enabled and available at root.
+Additionally Archivista exposes a GraphQL API. By default the GraphQL playground
+is enabled and available at root.

-`archivistactl` is a CLI tool in this repository that is available to interact with an Archivista instance. `archivistctl`
-is capable of uploading and downloading attestations as well as doing some basic queries such as finding all
-attestations with a specified subject and retrieving all subjects for a specified attestation.
+`archivistactl` is a CLI tool in this repository that is available to interact
+with an Archivista instance. `archivistactl` is capable of uploading and
+downloading attestations as well as doing some basic queries such as finding all
+attestations with a specified subject and retrieving all subjects for a
+specified attestation.

 ## Navigating the Graph

-As previously mentioned, Archivista offers a GraphQL API that enables users to discover attestations. When Archivista ingests
-an attestation some metadata will be stored into the SQL metadata store. This metadata is exposed through the GraphQL API.
-Archivista uses [Relay connections](https://relay.dev/graphql/connections.htm) for querying and pagination.
+As previously mentioned, Archivista offers a GraphQL API that enables users to
+discover attestations. When Archivista ingests an attestation some metadata will
+be stored into the SQL metadata store. This metadata is exposed through the
+GraphQL API. Archivista uses
+[Relay connections](https://relay.dev/graphql/connections.htm) for querying and
+pagination.

-Here is an entity relationship diagram of the metadata that is currently available.
+Here is an entity relationship diagram of the metadata that is currently
+available.

 ```mermaid
 erDiagram
@ -172,13 +207,19 @@ timestamp {
 }
 ```

+## Deployment
+
+Archivista can be easily deployed thru the provided helm chart into your
+kubernetes cluster. See the [README](https://github.com/in-toto/helm-charts/blob/main/charts/archivista/README.md) for more details.
+
 ## What's Next

-We would like to expand the types of data Archivista can ingest as well as expand the metadata Archivista collected about
-ingested data. If you have ideas or use cases for Archivista, feel free to [contact us](mailto:info@testifysec.io) or
-create an issue!
-
+We would like to expand the types of data Archivista can ingest as well as
+expand the metadata Archivista collected about ingested data. If you have ideas
+or use cases for Archivista, feel free to
+[contact us](mailto:info@testifysec.io) or create an issue!

 ## Contributing

-See [CONTRIBUTING.md](CONTRIBUTING.md) for information on how to contribute to Archivista.
+See [CONTRIBUTING.md](CONTRIBUTING.md) for information on how to contribute to
+Archivista.
--- a/cmd/archivista/main.go
+++ b/cmd/archivista/main.go
@ -21,7 +21,6 @@ package main

 import (
 	"context"
-	"fmt"
 	"net"
 	"net/http"
 	"os"
@ -32,13 +31,7 @@ import (

 	nested "github.com/antonfisher/nested-logrus-formatter"
 	"github.com/gorilla/handlers"
-	"github.com/in-toto/archivista/internal/artifactstore"
-	"github.com/in-toto/archivista/internal/config"
-	"github.com/in-toto/archivista/internal/metadatastorage/sqlstore"
-	"github.com/in-toto/archivista/internal/objectstorage/blobstore"
-	"github.com/in-toto/archivista/internal/objectstorage/filestore"
-	"github.com/in-toto/archivista/internal/server"
-	"github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/in-toto/archivista/pkg/server"
 	"github.com/sirupsen/logrus"
 )

@ -57,76 +50,19 @@ func main() {
 	defer cancel()

 	startTime := time.Now()
-	serverOpts := make([]server.Option, 0)

-	logrus.Infof("executing phase 1: get config from environment (time since start: %s)", time.Since(startTime))
+	archivistaService := &server.ArchivistaService{Ctx: ctx, Cfg: nil}
+
+	server, err := archivistaService.Setup()
+	if err != nil {
+		logrus.Fatalf("unable to setup archivista service: %+v", err)
+	}
+	// ********************************************************************************
+	logrus.Infof("executing phase: create and register http service (time since start: %s)", time.Since(startTime))
+	// ********************************************************************************
 	now := time.Now()

-	cfg := new(config.Config)
-	if err := cfg.Process(); err != nil {
-		logrus.Fatal(err)
-	}
-
-	level, err := logrus.ParseLevel(cfg.LogLevel)
-	if err != nil {
-		logrus.Fatalf("invalid log level %s", cfg.LogLevel)
-	}
-	logrus.SetLevel(level)
-
-	logrus.WithField("duration", time.Since(now)).Infof("completed phase 1: get config from environment")
-
-	// ********************************************************************************
-	logrus.Infof("executing phase 2: initializing storage clients (time since start: %s)", time.Since(startTime))
-	// ********************************************************************************
-	now = time.Now()
-	fileStore, fileStoreCh, err := initObjectStore(ctx, cfg)
-	if err != nil {
-		logrus.Fatalf("error initializing storage clients: %+v", err)
-	}
-	serverOpts = append(serverOpts, server.WithObjectStore(fileStore))
-
-	entClient, err := sqlstore.NewEntClient(
-		cfg.SQLStoreBackend,
-		cfg.SQLStoreConnectionString,
-		sqlstore.ClientWithMaxIdleConns(cfg.SQLStoreMaxIdleConnections),
-		sqlstore.ClientWithMaxOpenConns(cfg.SQLStoreMaxOpenConnections),
-		sqlstore.ClientWithConnMaxLifetime(cfg.SQLStoreConnectionMaxLifetime))
-	if err != nil {
-		logrus.Fatalf("could not create ent client: %+v", err)
-	}
-
-	sqlStore, sqlStoreCh, err := sqlstore.New(ctx, entClient)
-	if err != nil {
-		logrus.Fatalf("error initializing mysql client: %+v", err)
-	}
-	serverOpts = append(serverOpts, server.WithMetadataStore(sqlStore))
-
-	logrus.WithField("duration", time.Since(now)).Infof("completed phase 3: initializing storage clients")
-
-	// ********************************************************************************
-	logrus.Infof("executing phase 3: create and register http service (time since start: %s)", time.Since(startTime))
-	// ********************************************************************************
-	now = time.Now()
-
-	// initialize the artifact store
-	if cfg.EnableArtifactStore {
-		wds, err := artifactstore.New(artifactstore.WithConfigFile(cfg.ArtifactStoreConfig))
-		if err != nil {
-			logrus.Fatalf("could not create the artifact store: %+v", err)
-		}
-
-		serverOpts = append(serverOpts, server.WithArtifactStore(wds))
-	}
-
-	// initialize the server
-	sqlClient := sqlStore.GetClient()
-	serverOpts = append(serverOpts, server.WithEntSqlClient(sqlClient))
-	server, err := server.New(cfg, serverOpts...)
-	if err != nil {
-		logrus.Fatalf("could not create archivista server: %+v", err)
-	}
-
-	listenAddress := cfg.ListenOn
+	listenAddress := archivistaService.Cfg.ListenOn
 	listenAddress = strings.ToLower(strings.TrimSpace(listenAddress))
 	proto := ""
 	if strings.HasPrefix(listenAddress, "tcp://") {
@ -141,58 +77,34 @@ func main() {
 	if err != nil {
 		logrus.Fatalf("unable to start http listener: %+v", err)
 	}
-
-	go func() {
-		if err := http.Serve(listener, handlers.CORS(
-			handlers.AllowedOrigins(cfg.CORSAllowOrigins),
+	srv := &http.Server{
+		Handler: handlers.CORS(
+			handlers.AllowedOrigins(archivistaService.Cfg.CORSAllowOrigins),
 			handlers.AllowedMethods([]string{"GET", "POST", "OPTIONS"}),
 			handlers.AllowedHeaders([]string{"Accept", "Content-Type", "Content-Length", "Accept-Encoding", "X-CSRF-Token", "Authorization"}),
-		)(server.Router())); err != nil {
-			logrus.Fatalf("unable to start http server: %+v", err)
+		)(server.Router()),
+		ReadTimeout:  time.Duration(archivistaService.Cfg.ReadTimeout) * time.Second,
+		WriteTimeout: time.Duration(archivistaService.Cfg.WriteTimeout) * time.Second,
+	}
+
+	go func() {
+		if archivistaService.Cfg.EnableTLS {
+			if err := srv.ServeTLS(listener, archivistaService.Cfg.TLSCert, archivistaService.Cfg.TLSKey); err != nil {
+				logrus.Fatalf("unable to start http server: %+v", err)
+			}
+		} else {
+			if err := srv.Serve(listener); err != nil {
+				logrus.Fatalf("unable to start http server: %+v", err)
+			}
 		}
 	}()

-	logrus.WithField("duration", time.Since(now)).Infof("completed phase 5: create and register http service")
+	logrus.WithField("duration", time.Since(now)).Infof("completed phase: create and register http service")
 	logrus.Infof("startup complete (time since start: %s)", time.Since(startTime))

 	<-ctx.Done()
-	<-fileStoreCh
-	<-sqlStoreCh
+	<-archivistaService.GetFileStoreCh()
+	<-archivistaService.GetSQLStoreCh()

 	logrus.Infof("exiting, uptime: %v", time.Since(startTime))
 }
-
-func initObjectStore(ctx context.Context, cfg *config.Config) (server.StorerGetter, <-chan error, error) {
-	switch strings.ToUpper(cfg.StorageBackend) {
-	case "FILE":
-		return filestore.New(ctx, cfg.FileDir, cfg.FileServeOn)
-
-	case "BLOB":
-		var creds *credentials.Credentials
-		if cfg.BlobStoreCredentialType == "IAM" {
-			creds = credentials.NewIAM("")
-		} else if cfg.BlobStoreCredentialType == "ACCESS_KEY" {
-			creds = credentials.NewStaticV4(cfg.BlobStoreAccessKeyId, cfg.BlobStoreSecretAccessKeyId, "")
-		} else {
-			logrus.Fatalln("invalid blob store credential type: ", cfg.BlobStoreCredentialType)
-		}
-		return blobstore.New(
-			ctx,
-			cfg.BlobStoreEndpoint,
-			creds,
-			cfg.BlobStoreBucketName,
-			cfg.BlobStoreUseTLS,
-		)
-
-	case "":
-		errCh := make(chan error)
-		go func() {
-			<-ctx.Done()
-			close(errCh)
-		}()
-		return nil, errCh, nil
-
-	default:
-		return nil, nil, fmt.Errorf("unknown storage backend: %s", cfg.StorageBackend)
-	}
-}
--- a/cmd/archivistactl/cmd/e2e_test.go
+++ b/cmd/archivistactl/cmd/e2e_test.go
@ -1,4 +1,4 @@
-// Copyright 2023 The Archivista Contributors
+// Copyright 2023-2024 The Archivista Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -60,6 +60,8 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 	// Call the script to deploy the containers for the test cases
 	for _, testDB := range testDBCases {
 		cmd := exec.Command("bash", "../../../test/deploy-services.sh", "start-"+testDB)
+		var out strings.Builder
+		cmd.Stdout = &out
 		err := cmd.Start()
 		if err != nil {
 			e2e.FailNow(err.Error())
@ -67,13 +69,14 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 		e2e.T().Log("Starting services using DB: " + testDB)
 		err = cmd.Wait()
 		if err != nil {
+			e2e.T().Log(out.String())
 			e2e.FailNow(err.Error())
 		}

 		// define test cases struct
 		type testCases struct {
 			name                string
-			attestation         string // files are stored in test/
+			envelope            string // files are stored in test/
 			sha256              string
 			expectedStore       string
 			gitoidStore         string // this value is added during `activistactl store command`
@ -86,7 +89,7 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 		testTable := []testCases{
 			{
 				name:                "valid build attestation",
-				attestation:         "../../../test/build.attestation.json",
+				envelope:            "../../../test/build.attestation.json",
 				sha256:              "423da4cff198bbffbe3220ed9510d32ba96698e4b1f654552521d1f541abb6dc",
 				expectedStore:       "stored with gitoid",
 				expectedSearch:      "Collection name: build",
@ -95,7 +98,7 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 			{
 				name:                "valid package attestation",
 				sha256:              "10cbf0f3d870934921276f669ab707983113f929784d877f1192f43c581f2070",
-				attestation:         "../../../test/package.attestation.json",
+				envelope:            "../../../test/package.attestation.json",
 				expectedStore:       "stored with gitoid",
 				expectedSearch:      "Collection name: package",
 				expectedRetrieveSub: "Name: https://witness.dev/attestations/git/v0.1/commithash:be20100af602c780deeef50c54f5338662ce917c",
@ -103,14 +106,14 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 			{
 				name:           "duplicated package attestation",
 				sha256:         "10cbf0f3d870934921276f669ab707983113f929784d877f1192f43c581f2070",
-				attestation:    "../../../test/package.attestation.json",
+				envelope:       "../../../test/package.attestation.json",
 				expectedStore:  "",
 				expectedSearch: "Collection name: package",
 				expectedError:  "uplicate",
 			},
 			{
 				name:                "fail attestation",
-				attestation:         "../../../test/fail.attestation.json",
+				envelope:            "../../../test/fail.attestation.json",
 				sha256:              "5e8c57df8ae58fe9a29b29f9993e2fc3b25bd75eb2754f353880bad4b9ebfdb3",
 				expectedStore:       "stored with gitoid",
 				expectedSearch:      "",
@ -118,7 +121,7 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 			},
 			{
 				name:           "invalid payload attestation",
-				attestation:    "../../../test/invalid_payload.attestation.json",
+				envelope:       "../../../test/invalid_payload.attestation.json",
 				sha256:         "5e8c57df8ae58fe9a29b29f9993e2fc3b25bd75eb2754f353880bad4b9ebfdb3",
 				expectedStore:  "stored with gitoid",
 				expectedSearch: "",
@ -126,9 +129,14 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 			},
 			{
 				name:          "nonexistent payload file",
-				attestation:   "../../../test/missing.attestation.json",
+				envelope:      "../../../test/missing.attestation.json",
 				expectedError: "no such file or directory",
 			},
+			{
+				name:          "valid signed policy",
+				envelope:      "../../../test/policy-signed.json",
+				expectedStore: "stored with gitoid",
+			},
 		}
 		for _, test := range testTable {
 			// test `archivistactl store`
@ -136,7 +144,7 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 			storeOutput := bytes.NewBufferString("")
 			rootCmd.SetOut(storeOutput)
 			rootCmd.SetErr(storeOutput)
-			rootCmd.SetArgs([]string{"store", test.attestation})
+			rootCmd.SetArgs([]string{"store", test.envelope})
 			err := rootCmd.Execute()
 			if err != nil {
 				// if return error assert if is expected error from test case
@ -149,35 +157,37 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 			}

 			// test `archivistactl search`
-			e2e.T().Log("Test `archivistactl search`" + test.name)
-			searchOutput := bytes.NewBufferString("")
-			rootCmd.SetOut(searchOutput)
-			rootCmd.SetErr(searchOutput)
-			rootCmd.SetArgs([]string{"search", "sha256:" + test.sha256})
-			err = rootCmd.Execute()
-			if err != nil {
-				e2e.FailNow(err.Error())
-			}
-			searchActual := searchOutput.String()
-			e2e.Contains(searchActual, test.expectedSearch)
-
-			if test.expectedRetrieveSub != "" {
-				// test `archivistactl retrieve subjects`
-				e2e.T().Log("Test `archivistactl retrieve subjects` " + test.name)
-				subjectsOutput := bytes.NewBufferString("")
-				rootCmd.SetOut(subjectsOutput)
-				rootCmd.SetErr(subjectsOutput)
-				rootCmd.SetArgs([]string{"retrieve", "subjects", test.gitoidStore})
+			if test.sha256 == "" {
+				e2e.T().Log("Test `archivistactl search`" + test.name)
+				searchOutput := bytes.NewBufferString("")
+				rootCmd.SetOut(searchOutput)
+				rootCmd.SetErr(searchOutput)
+				rootCmd.SetArgs([]string{"search", "sha256:" + test.sha256})
 				err = rootCmd.Execute()
 				if err != nil {
 					e2e.FailNow(err.Error())
 				}
-				subjectsActual := subjectsOutput.String()
-				e2e.Contains(subjectsActual, test.expectedRetrieveSub)
-				if test.name == "fail attestation" {
-					e2e.NotContains(subjectsActual, "sha256:"+test.sha256)
-				} else {
-					e2e.Contains(subjectsActual, "sha256:"+test.sha256)
+				searchActual := searchOutput.String()
+				e2e.Contains(searchActual, test.expectedSearch)
+
+				if test.expectedRetrieveSub != "" {
+					// test `archivistactl retrieve subjects`
+					e2e.T().Log("Test `archivistactl retrieve subjects` " + test.name)
+					subjectsOutput := bytes.NewBufferString("")
+					rootCmd.SetOut(subjectsOutput)
+					rootCmd.SetErr(subjectsOutput)
+					rootCmd.SetArgs([]string{"retrieve", "subjects", test.gitoidStore})
+					err = rootCmd.Execute()
+					if err != nil {
+						e2e.FailNow(err.Error())
+					}
+					subjectsActual := subjectsOutput.String()
+					e2e.Contains(subjectsActual, test.expectedRetrieveSub)
+					if test.name == "fail attestation" {
+						e2e.NotContains(subjectsActual, "sha256:"+test.sha256)
+					} else {
+						e2e.Contains(subjectsActual, "sha256:"+test.sha256)
+					}
 				}
 			}
 			if test.expectedError == "" {
@ -192,8 +202,8 @@ func (e2e *E2EStoreSuite) Test_E2E() {
 				if err != nil {
 					e2e.FailNow(err.Error())
 				}
-				// compares file attestation with the retrieved attestation
-				fileAtt, err := os.ReadFile(test.attestation)
+				// compares file envelope with the retrieved envelope
+				fileAtt, err := os.ReadFile(test.envelope)
 				if err != nil {
 					e2e.FailNow(err.Error())
 				}
--- a/cmd/archivistactl/cmd/retrieve.go
+++ b/cmd/archivistactl/cmd/retrieve.go
@ -50,7 +50,7 @@ var (
 				out = file
 			}

-			return api.DownloadWithWriter(cmd.Context(), archivistaUrl, args[0], out)
+			return api.DownloadWithWriter(cmd.Context(), archivistaUrl, args[0], out, requestOptions()...)
 		},
 	}

@ -60,7 +60,7 @@ var (
 		SilenceUsage: true,
 		Args:         cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			results, err := api.GraphQlQuery[retrieveSubjectResults](cmd.Context(), archivistaUrl, retrieveSubjectsQuery, retrieveSubjectVars{Gitoid: args[0]})
+			results, err := api.GraphQlQuery[retrieveSubjectResults](cmd.Context(), archivistaUrl, retrieveSubjectsQuery, retrieveSubjectVars{Gitoid: args[0]}, requestOptions()...)
 			if err != nil {
 				return err
 			}
--- a/cmd/archivistactl/cmd/retrieve_test.go
+++ b/cmd/archivistactl/cmd/retrieve_test.go
@ -62,7 +62,7 @@ func (ut *UTRetrieveSuite) Test_RetrieveEnvelope_NoDB() {
 	rootCmd.SetArgs([]string{"retrieve", "envelope", "test"})
 	err := rootCmd.Execute()
 	if err != nil {
-		ut.ErrorContains(err, "connection refused")
+		ut.ErrorContains(err, "connection re")
 	} else {
 		ut.FailNow("Expected: error")
 	}
@ -88,7 +88,7 @@ func (ut *UTRetrieveSuite) Test_RetrieveSubjectsNoDB() {
 	rootCmd.SetArgs([]string{"retrieve", "subjects", "test"})
 	err := rootCmd.Execute()
 	if err != nil {
-		ut.ErrorContains(err, "connection refused")
+		ut.ErrorContains(err, "connection re")
 	} else {
 		ut.FailNow("Expected: error")
 	}
--- a/cmd/archivistactl/cmd/root.go
+++ b/cmd/archivistactl/cmd/root.go
@ -15,11 +15,17 @@
 package cmd

 import (
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/in-toto/archivista/pkg/api"
 	"github.com/spf13/cobra"
 )

 var (
-	archivistaUrl string
+	archivistaUrl  string
+	requestHeaders []string

 	rootCmd = &cobra.Command{
 		Use:   "archivistactl",
@ -29,8 +35,28 @@ var (

 func init() {
 	rootCmd.PersistentFlags().StringVarP(&archivistaUrl, "archivistaurl", "u", "http://localhost:8082", "url of the archivista instance")
+	rootCmd.PersistentFlags().StringArrayVarP(&requestHeaders, "headers", "H", []string{}, "headers to use when making requests to archivista")
 }

 func Execute() error {
 	return rootCmd.Execute()
 }
+
+func requestOptions() []api.RequestOption {
+	opts := []api.RequestOption{}
+	headers := http.Header{}
+	for _, header := range requestHeaders {
+		headerParts := strings.SplitN(header, ":", 2)
+		if len(headerParts) != 2 {
+			log.Fatalf("invalid header: %v", header)
+		}
+
+		headers.Set(headerParts[0], headerParts[1])
+	}
+
+	if len(headers) > 0 {
+		opts = append(opts, api.WithHeaders(headers))
+	}
+
+	return opts
+}
--- a/cmd/archivistactl/cmd/search.go
+++ b/cmd/archivistactl/cmd/search.go
@ -22,42 +22,40 @@ import (
 	"github.com/spf13/cobra"
 )

-var (
-	searchCmd = &cobra.Command{
-		Use:          "search",
-		Short:        "Searches the archivista instance for an attestation matching a query",
-		SilenceUsage: true,
-		Long: `Searches the archivista instance for an envelope with a specified subject digest.
+var searchCmd = &cobra.Command{
+	Use:          "search",
+	Short:        "Searches the archivista instance for an attestation matching a query",
+	SilenceUsage: true,
+	Long: `Searches the archivista instance for an envelope with a specified subject digest.
 Optionally a collection name can be provided to further constrain results.

 Digests are expected to be in the form algorithm:digest, for instance: sha256:456c0c9a7c05e2a7f84c139bbacedbe3e8e88f9c`,
-		Args: func(cmd *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return errors.New("expected exactly 1 argument")
-			}
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) != 1 {
+			return errors.New("expected exactly 1 argument")
+		}

-			if _, _, err := validateDigestString(args[0]); err != nil {
-				return err
-			}
+		if _, _, err := validateDigestString(args[0]); err != nil {
+			return err
+		}

-			return nil
-		},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			algo, digest, err := validateDigestString(args[0])
-			if err != nil {
-				return err
-			}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		algo, digest, err := validateDigestString(args[0])
+		if err != nil {
+			return err
+		}

-			results, err := api.GraphQlQuery[searchResults](cmd.Context(), archivistaUrl, searchQuery, searchVars{Algorithm: algo, Digest: digest})
-			if err != nil {
-				return err
-			}
+		results, err := api.GraphQlQuery[searchResults](cmd.Context(), archivistaUrl, searchQuery, searchVars{Algorithm: algo, Digest: digest}, requestOptions()...)
+		if err != nil {
+			return err
+		}

-			printResults(results)
-			return nil
-		},
-	}
-)
+		printResults(results)
+		return nil
+	},
+}

 func init() {
 	rootCmd.AddCommand(searchCmd)
--- a/cmd/archivistactl/cmd/search_test.go
+++ b/cmd/archivistactl/cmd/search_test.go
@ -63,7 +63,7 @@ func (ut *UTSearchSuite) Test_NoDB() {
 	rootCmd.SetArgs([]string{"search", "sha256:test"})
 	err := rootCmd.Execute()
 	if err != nil {
-		ut.ErrorContains(err, "connection refused")
+		ut.ErrorContains(err, "connection re")
 	} else {
 		ut.FailNow("Expected: error")
 	}
--- a/cmd/archivistactl/cmd/store.go
+++ b/cmd/archivistactl/cmd/store.go
@ -1,4 +1,4 @@
-// Copyright 2022 The Archivista Contributors
+// Copyright 2022-2024 The Archivista Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -23,25 +23,23 @@ import (
 	"github.com/spf13/cobra"
 )

-var (
-	storeCmd = &cobra.Command{
-		Use:          "store",
-		Short:        "stores an attestation on the archivista server",
-		SilenceUsage: true,
-		Args:         cobra.MinimumNArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			for _, filePath := range args {
-				if gitoid, err := storeAttestationByPath(cmd.Context(), archivistaUrl, filePath); err != nil {
-					return fmt.Errorf("failed to store %s: %w", filePath, err)
-				} else {
-					rootCmd.Printf("%s stored with gitoid %s\n", filePath, gitoid)
-				}
+var storeCmd = &cobra.Command{
+	Use:          "store",
+	Short:        "stores an attestation on the archivista server",
+	SilenceUsage: true,
+	Args:         cobra.MinimumNArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		for _, filePath := range args {
+			if gitoid, err := storeAttestationByPath(cmd.Context(), archivistaUrl, filePath); err != nil {
+				return fmt.Errorf("failed to store %s: %w", filePath, err)
+			} else {
+				rootCmd.Printf("%s stored with gitoid %s\n", filePath, gitoid)
 			}
+		}

-			return nil
-		},
-	}
-)
+		return nil
+	},
+}

 func init() {
 	rootCmd.AddCommand(storeCmd)
@ -54,7 +52,7 @@ func storeAttestationByPath(ctx context.Context, baseUrl, path string) (string,
 	}

 	defer file.Close()
-	resp, err := api.UploadWithReader(ctx, baseUrl, file)
+	resp, err := api.StoreWithReader(ctx, baseUrl, file, requestOptions()...)
 	if err != nil {
 		return "", err
 	}
--- a/compose-dev.yml
+++ b/compose-dev.yml
@ -17,7 +17,6 @@ version: '3.9'
 services:
  db:
    image: mysql:oracle
-    command: --default-authentication-plugin=mysql_native_password
    restart: always
    ports:
      - 3306:3306
--- a/compose.yml
+++ b/compose.yml
@ -17,7 +17,6 @@ version: '3.9'
 services:
  db:
    image: mysql:oracle
-    command: --default-authentication-plugin=mysql_native_password
    restart: always
    ports:
      - 3306:3306
--- a/ent.graphql
+++ b/ent.graphql
@ -1,5 +1,5 @@
-directive @goField(forceResolver: Boolean, name: String) on FIELD_DEFINITION | INPUT_FIELD_DEFINITION
-directive @goModel(model: String, models: [String!]) on OBJECT | INPUT_OBJECT | SCALAR | ENUM | INTERFACE | UNION
+directive @goField(forceResolver: Boolean, name: String, omittable: Boolean) on FIELD_DEFINITION | INPUT_FIELD_DEFINITION
+directive @goModel(model: String, models: [String!], forceGenerate: Boolean) on OBJECT | INPUT_OBJECT | SCALAR | ENUM | INTERFACE | UNION
 type Attestation implements Node {
  id: ID!
  type: String!
@ -19,7 +19,9 @@ input AttestationCollectionWhereInput {
  not: AttestationCollectionWhereInput
  and: [AttestationCollectionWhereInput!]
  or: [AttestationCollectionWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -28,7 +30,9 @@ input AttestationCollectionWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """name field predicates"""
+  """
+  name field predicates
+  """
  name: String
  nameNEQ: String
  nameIn: [String!]
@ -42,10 +46,90 @@ input AttestationCollectionWhereInput {
  nameHasSuffix: String
  nameEqualFold: String
  nameContainsFold: String
-  """attestations edge predicates"""
+  """
+  attestations edge predicates
+  """
  hasAttestations: Boolean
  hasAttestationsWith: [AttestationWhereInput!]
-  """statement edge predicates"""
+  """
+  statement edge predicates
+  """
+  hasStatement: Boolean
+  hasStatementWith: [StatementWhereInput!]
+}
+type AttestationPolicy implements Node {
+  id: ID!
+  name: String!
+  statement: Statement
+}
+"""
+A connection to a list of items.
+"""
+type AttestationPolicyConnection {
+  """
+  A list of edges.
+  """
+  edges: [AttestationPolicyEdge]
+  """
+  Information to aid in pagination.
+  """
+  pageInfo: PageInfo!
+  """
+  Identifies the total count of items in the connection.
+  """
+  totalCount: Int!
+}
+"""
+An edge in a connection.
+"""
+type AttestationPolicyEdge {
+  """
+  The item at the end of the edge.
+  """
+  node: AttestationPolicy
+  """
+  A cursor for use in pagination.
+  """
+  cursor: Cursor!
+}
+"""
+AttestationPolicyWhereInput is used for filtering AttestationPolicy objects.
+Input was generated by ent.
+"""
+input AttestationPolicyWhereInput {
+  not: AttestationPolicyWhereInput
+  and: [AttestationPolicyWhereInput!]
+  or: [AttestationPolicyWhereInput!]
+  """
+  id field predicates
+  """
+  id: ID
+  idNEQ: ID
+  idIn: [ID!]
+  idNotIn: [ID!]
+  idGT: ID
+  idGTE: ID
+  idLT: ID
+  idLTE: ID
+  """
+  name field predicates
+  """
+  name: String
+  nameNEQ: String
+  nameIn: [String!]
+  nameNotIn: [String!]
+  nameGT: String
+  nameGTE: String
+  nameLT: String
+  nameLTE: String
+  nameContains: String
+  nameHasPrefix: String
+  nameHasSuffix: String
+  nameEqualFold: String
+  nameContainsFold: String
+  """
+  statement edge predicates
+  """
  hasStatement: Boolean
  hasStatementWith: [StatementWhereInput!]
 }
@ -57,7 +141,9 @@ input AttestationWhereInput {
  not: AttestationWhereInput
  and: [AttestationWhereInput!]
  or: [AttestationWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -66,7 +152,9 @@ input AttestationWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """type field predicates"""
+  """
+  type field predicates
+  """
  type: String
  typeNEQ: String
  typeIn: [String!]
@ -80,7 +168,9 @@ input AttestationWhereInput {
  typeHasSuffix: String
  typeEqualFold: String
  typeContainsFold: String
-  """attestation_collection edge predicates"""
+  """
+  attestation_collection edge predicates
+  """
  hasAttestationCollection: Boolean
  hasAttestationCollectionWith: [AttestationCollectionWhereInput!]
 }
@ -97,20 +187,34 @@ type Dsse implements Node {
  signatures: [Signature!]
  payloadDigests: [PayloadDigest!]
 }
-"""A connection to a list of items."""
+"""
+A connection to a list of items.
+"""
 type DsseConnection {
-  """A list of edges."""
+  """
+  A list of edges.
+  """
  edges: [DsseEdge]
-  """Information to aid in pagination."""
+  """
+  Information to aid in pagination.
+  """
  pageInfo: PageInfo!
-  """Identifies the total count of items in the connection."""
+  """
+  Identifies the total count of items in the connection.
+  """
  totalCount: Int!
 }
-"""An edge in a connection."""
+"""
+An edge in a connection.
+"""
 type DsseEdge {
-  """The item at the end of the edge."""
+  """
+  The item at the end of the edge.
+  """
  node: Dsse
-  """A cursor for use in pagination."""
+  """
+  A cursor for use in pagination.
+  """
  cursor: Cursor!
 }
 """
@ -121,7 +225,9 @@ input DsseWhereInput {
  not: DsseWhereInput
  and: [DsseWhereInput!]
  or: [DsseWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -130,7 +236,9 @@ input DsseWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """gitoid_sha256 field predicates"""
+  """
+  gitoid_sha256 field predicates
+  """
  gitoidSha256: String
  gitoidSha256NEQ: String
  gitoidSha256In: [String!]
@ -144,7 +252,9 @@ input DsseWhereInput {
  gitoidSha256HasSuffix: String
  gitoidSha256EqualFold: String
  gitoidSha256ContainsFold: String
-  """payload_type field predicates"""
+  """
+  payload_type field predicates
+  """
  payloadType: String
  payloadTypeNEQ: String
  payloadTypeIn: [String!]
@ -158,13 +268,19 @@ input DsseWhereInput {
  payloadTypeHasSuffix: String
  payloadTypeEqualFold: String
  payloadTypeContainsFold: String
-  """statement edge predicates"""
+  """
+  statement edge predicates
+  """
  hasStatement: Boolean
  hasStatementWith: [StatementWhereInput!]
-  """signatures edge predicates"""
+  """
+  signatures edge predicates
+  """
  hasSignatures: Boolean
  hasSignaturesWith: [SignatureWhereInput!]
-  """payload_digests edge predicates"""
+  """
+  payload_digests edge predicates
+  """
  hasPayloadDigests: Boolean
  hasPayloadDigestsWith: [PayloadDigestWhereInput!]
 }
@ -173,14 +289,22 @@ An object with an ID.
 Follows the [Relay Global Object Identification Specification](https://relay.dev/graphql/objectidentification.htm)
 """
 interface Node @goModel(model: "github.com/in-toto/archivista/ent.Noder") {
-  """The id of the object."""
+  """
+  The id of the object.
+  """
  id: ID!
 }
-"""Possible directions in which to order a list of items when provided an `orderBy` argument."""
+"""
+Possible directions in which to order a list of items when provided an `orderBy` argument.
+"""
 enum OrderDirection {
-  """Specifies an ascending order for a given `orderBy` argument."""
+  """
+  Specifies an ascending order for a given `orderBy` argument.
+  """
  ASC
-  """Specifies a descending order for a given `orderBy` argument."""
+  """
+  Specifies a descending order for a given `orderBy` argument.
+  """
  DESC
 }
 """
@ -188,13 +312,21 @@ Information about pagination in a connection.
 https://relay.dev/graphql/connections.htm#sec-undefined.PageInfo
 """
 type PageInfo {
-  """When paginating forwards, are there more items?"""
+  """
+  When paginating forwards, are there more items?
+  """
  hasNextPage: Boolean!
-  """When paginating backwards, are there more items?"""
+  """
+  When paginating backwards, are there more items?
+  """
  hasPreviousPage: Boolean!
-  """When paginating backwards, the cursor to continue."""
+  """
+  When paginating backwards, the cursor to continue.
+  """
  startCursor: Cursor
-  """When paginating forwards, the cursor to continue."""
+  """
+  When paginating forwards, the cursor to continue.
+  """
  endCursor: Cursor
 }
 type PayloadDigest implements Node {
@ -211,7 +343,9 @@ input PayloadDigestWhereInput {
  not: PayloadDigestWhereInput
  and: [PayloadDigestWhereInput!]
  or: [PayloadDigestWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -220,7 +354,9 @@ input PayloadDigestWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """algorithm field predicates"""
+  """
+  algorithm field predicates
+  """
  algorithm: String
  algorithmNEQ: String
  algorithmIn: [String!]
@ -234,7 +370,9 @@ input PayloadDigestWhereInput {
  algorithmHasSuffix: String
  algorithmEqualFold: String
  algorithmContainsFold: String
-  """value field predicates"""
+  """
+  value field predicates
+  """
  value: String
  valueNEQ: String
  valueIn: [String!]
@ -248,51 +386,107 @@ input PayloadDigestWhereInput {
  valueHasSuffix: String
  valueEqualFold: String
  valueContainsFold: String
-  """dsse edge predicates"""
+  """
+  dsse edge predicates
+  """
  hasDsse: Boolean
  hasDsseWith: [DsseWhereInput!]
 }
 type Query {
-  """Fetches an object given its ID."""
+  """
+  Fetches an object given its ID.
+  """
  node(
-    """ID of the object."""
+    """
+    ID of the object.
+    """
    id: ID!
  ): Node
-  """Lookup nodes by a list of IDs."""
+  """
+  Lookup nodes by a list of IDs.
+  """
  nodes(
-    """The list of node IDs."""
+    """
+    The list of node IDs.
+    """
    ids: [ID!]!
  ): [Node]!
-  dsses(
-    """Returns the elements in the list that come after the specified cursor."""
+  attestationPolicies(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
    after: Cursor

-    """Returns the first _n_ elements from the list."""
+    """
+    Returns the first _n_ elements from the list.
+    """
    first: Int

-    """Returns the elements in the list that come before the specified cursor."""
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
    before: Cursor

-    """Returns the last _n_ elements from the list."""
+    """
+    Returns the last _n_ elements from the list.
+    """
    last: Int

-    """Filtering options for Dsses returned from the connection."""
+    """
+    Filtering options for AttestationPolicies returned from the connection.
+    """
+    where: AttestationPolicyWhereInput
+  ): AttestationPolicyConnection!
+  dsses(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: Cursor
+
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: Cursor
+
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+
+    """
+    Filtering options for Dsses returned from the connection.
+    """
    where: DsseWhereInput
  ): DsseConnection!
  subjects(
-    """Returns the elements in the list that come after the specified cursor."""
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
    after: Cursor

-    """Returns the first _n_ elements from the list."""
+    """
+    Returns the first _n_ elements from the list.
+    """
    first: Int

-    """Returns the elements in the list that come before the specified cursor."""
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
    before: Cursor

-    """Returns the last _n_ elements from the list."""
+    """
+    Returns the last _n_ elements from the list.
+    """
    last: Int

-    """Filtering options for Subjects returned from the connection."""
+    """
+    Filtering options for Subjects returned from the connection.
+    """
    where: SubjectWhereInput
  ): SubjectConnection!
 }
@ -311,7 +505,9 @@ input SignatureWhereInput {
  not: SignatureWhereInput
  and: [SignatureWhereInput!]
  or: [SignatureWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -320,7 +516,9 @@ input SignatureWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """key_id field predicates"""
+  """
+  key_id field predicates
+  """
  keyID: String
  keyIDNEQ: String
  keyIDIn: [String!]
@ -334,7 +532,9 @@ input SignatureWhereInput {
  keyIDHasSuffix: String
  keyIDEqualFold: String
  keyIDContainsFold: String
-  """signature field predicates"""
+  """
+  signature field predicates
+  """
  signature: String
  signatureNEQ: String
  signatureIn: [String!]
@ -348,10 +548,14 @@ input SignatureWhereInput {
  signatureHasSuffix: String
  signatureEqualFold: String
  signatureContainsFold: String
-  """dsse edge predicates"""
+  """
+  dsse edge predicates
+  """
  hasDsse: Boolean
  hasDsseWith: [DsseWhereInput!]
-  """timestamps edge predicates"""
+  """
+  timestamps edge predicates
+  """
  hasTimestamps: Boolean
  hasTimestampsWith: [TimestampWhereInput!]
 }
@ -359,21 +563,32 @@ type Statement implements Node {
  id: ID!
  predicate: String!
  subjects(
-    """Returns the elements in the list that come after the specified cursor."""
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
    after: Cursor

-    """Returns the first _n_ elements from the list."""
+    """
+    Returns the first _n_ elements from the list.
+    """
    first: Int

-    """Returns the elements in the list that come before the specified cursor."""
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
    before: Cursor

-    """Returns the last _n_ elements from the list."""
+    """
+    Returns the last _n_ elements from the list.
+    """
    last: Int

-    """Filtering options for Subjects returned from the connection."""
+    """
+    Filtering options for Subjects returned from the connection.
+    """
    where: SubjectWhereInput
  ): SubjectConnection!
+  policy: AttestationPolicy
  attestationCollections: AttestationCollection
  dsse: [Dsse!]
 }
@ -385,7 +600,9 @@ input StatementWhereInput {
  not: StatementWhereInput
  and: [StatementWhereInput!]
  or: [StatementWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -394,7 +611,9 @@ input StatementWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """predicate field predicates"""
+  """
+  predicate field predicates
+  """
  predicate: String
  predicateNEQ: String
  predicateIn: [String!]
@ -408,13 +627,24 @@ input StatementWhereInput {
  predicateHasSuffix: String
  predicateEqualFold: String
  predicateContainsFold: String
-  """subjects edge predicates"""
+  """
+  subjects edge predicates
+  """
  hasSubjects: Boolean
  hasSubjectsWith: [SubjectWhereInput!]
-  """attestation_collections edge predicates"""
+  """
+  policy edge predicates
+  """
+  hasPolicy: Boolean
+  hasPolicyWith: [AttestationPolicyWhereInput!]
+  """
+  attestation_collections edge predicates
+  """
  hasAttestationCollections: Boolean
  hasAttestationCollectionsWith: [AttestationCollectionWhereInput!]
-  """dsse edge predicates"""
+  """
+  dsse edge predicates
+  """
  hasDsse: Boolean
  hasDsseWith: [DsseWhereInput!]
 }
@ -424,13 +654,21 @@ type Subject implements Node {
  subjectDigests: [SubjectDigest!]
  statement: Statement
 }
-"""A connection to a list of items."""
+"""
+A connection to a list of items.
+"""
 type SubjectConnection {
-  """A list of edges."""
+  """
+  A list of edges.
+  """
  edges: [SubjectEdge]
-  """Information to aid in pagination."""
+  """
+  Information to aid in pagination.
+  """
  pageInfo: PageInfo!
-  """Identifies the total count of items in the connection."""
+  """
+  Identifies the total count of items in the connection.
+  """
  totalCount: Int!
 }
 type SubjectDigest implements Node {
@ -447,7 +685,9 @@ input SubjectDigestWhereInput {
  not: SubjectDigestWhereInput
  and: [SubjectDigestWhereInput!]
  or: [SubjectDigestWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -456,7 +696,9 @@ input SubjectDigestWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """algorithm field predicates"""
+  """
+  algorithm field predicates
+  """
  algorithm: String
  algorithmNEQ: String
  algorithmIn: [String!]
@ -470,7 +712,9 @@ input SubjectDigestWhereInput {
  algorithmHasSuffix: String
  algorithmEqualFold: String
  algorithmContainsFold: String
-  """value field predicates"""
+  """
+  value field predicates
+  """
  value: String
  valueNEQ: String
  valueIn: [String!]
@ -484,15 +728,23 @@ input SubjectDigestWhereInput {
  valueHasSuffix: String
  valueEqualFold: String
  valueContainsFold: String
-  """subject edge predicates"""
+  """
+  subject edge predicates
+  """
  hasSubject: Boolean
  hasSubjectWith: [SubjectWhereInput!]
 }
-"""An edge in a connection."""
+"""
+An edge in a connection.
+"""
 type SubjectEdge {
-  """The item at the end of the edge."""
+  """
+  The item at the end of the edge.
+  """
  node: Subject
-  """A cursor for use in pagination."""
+  """
+  A cursor for use in pagination.
+  """
  cursor: Cursor!
 }
 """
@ -503,7 +755,9 @@ input SubjectWhereInput {
  not: SubjectWhereInput
  and: [SubjectWhereInput!]
  or: [SubjectWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -512,7 +766,9 @@ input SubjectWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """name field predicates"""
+  """
+  name field predicates
+  """
  name: String
  nameNEQ: String
  nameIn: [String!]
@ -526,10 +782,14 @@ input SubjectWhereInput {
  nameHasSuffix: String
  nameEqualFold: String
  nameContainsFold: String
-  """subject_digests edge predicates"""
+  """
+  subject_digests edge predicates
+  """
  hasSubjectDigests: Boolean
  hasSubjectDigestsWith: [SubjectDigestWhereInput!]
-  """statement edge predicates"""
+  """
+  statement edge predicates
+  """
  hasStatement: Boolean
  hasStatementWith: [StatementWhereInput!]
 }
@ -547,7 +807,9 @@ input TimestampWhereInput {
  not: TimestampWhereInput
  and: [TimestampWhereInput!]
  or: [TimestampWhereInput!]
-  """id field predicates"""
+  """
+  id field predicates
+  """
  id: ID
  idNEQ: ID
  idIn: [ID!]
@ -556,7 +818,9 @@ input TimestampWhereInput {
  idGTE: ID
  idLT: ID
  idLTE: ID
-  """type field predicates"""
+  """
+  type field predicates
+  """
  type: String
  typeNEQ: String
  typeIn: [String!]
@ -570,7 +834,9 @@ input TimestampWhereInput {
  typeHasSuffix: String
  typeEqualFold: String
  typeContainsFold: String
-  """timestamp field predicates"""
+  """
+  timestamp field predicates
+  """
  timestamp: Time
  timestampNEQ: Time
  timestampIn: [Time!]
@ -579,7 +845,9 @@ input TimestampWhereInput {
  timestampGTE: Time
  timestampLT: Time
  timestampLTE: Time
-  """signature edge predicates"""
+  """
+  signature edge predicates
+  """
  hasSignature: Boolean
  hasSignatureWith: [SignatureWhereInput!]
 }
--- a/ent.resolvers.go
+++ b/ent.resolvers.go
@ -1,47 +1,40 @@
-// Copyright 2023 The Archivista Contributors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
 package archivista

 // This file will be automatically regenerated based on the schema, any resolver implementations
 // will be copied through when generating and any unknown code will be moved to the end.
-// Code generated by github.com/99designs/gqlgen version v0.17.40
+// Code generated by github.com/99designs/gqlgen version v0.17.73

 import (
 	"context"
+	"fmt"

 	"entgo.io/contrib/entgql"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent"
 )

 // Node is the resolver for the node field.
-func (r *queryResolver) Node(ctx context.Context, id int) (ent.Noder, error) {
+func (r *queryResolver) Node(ctx context.Context, id uuid.UUID) (ent.Noder, error) {
 	return r.client.Noder(ctx, id)
 }

 // Nodes is the resolver for the nodes field.
-func (r *queryResolver) Nodes(ctx context.Context, ids []int) ([]ent.Noder, error) {
+func (r *queryResolver) Nodes(ctx context.Context, ids []uuid.UUID) ([]ent.Noder, error) {
 	return r.client.Noders(ctx, ids)
 }

+// AttestationPolicies is the resolver for the attestationPolicies field.
+func (r *queryResolver) AttestationPolicies(ctx context.Context, after *entgql.Cursor[uuid.UUID], first *int, before *entgql.Cursor[uuid.UUID], last *int, where *ent.AttestationPolicyWhereInput) (*ent.AttestationPolicyConnection, error) {
+	panic(fmt.Errorf("not implemented: AttestationPolicies - attestationPolicies"))
+}
+
 // Dsses is the resolver for the dsses field.
-func (r *queryResolver) Dsses(ctx context.Context, after *entgql.Cursor[int], first *int, before *entgql.Cursor[int], last *int, where *ent.DsseWhereInput) (*ent.DsseConnection, error) {
+func (r *queryResolver) Dsses(ctx context.Context, after *entgql.Cursor[uuid.UUID], first *int, before *entgql.Cursor[uuid.UUID], last *int, where *ent.DsseWhereInput) (*ent.DsseConnection, error) {
 	return r.client.Dsse.Query().Paginate(ctx, after, first, before, last, ent.WithDsseFilter(where.Filter))
 }

 // Subjects is the resolver for the subjects field.
-func (r *queryResolver) Subjects(ctx context.Context, after *entgql.Cursor[int], first *int, before *entgql.Cursor[int], last *int, where *ent.SubjectWhereInput) (*ent.SubjectConnection, error) {
+func (r *queryResolver) Subjects(ctx context.Context, after *entgql.Cursor[uuid.UUID], first *int, before *entgql.Cursor[uuid.UUID], last *int, where *ent.SubjectWhereInput) (*ent.SubjectConnection, error) {
 	return r.client.Subject.Query().Paginate(ctx, after, first, before, last, ent.WithSubjectFilter(where.Filter))
 }

--- a/ent/attestation.go
+++ b/ent/attestation.go
@ -8,6 +8,7 @@ import (

 	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
 )
@ -16,13 +17,13 @@ import (
 type Attestation struct {
 	config `json:"-"`
 	// ID of the ent.
-	ID int `json:"id,omitempty"`
+	ID uuid.UUID `json:"id,omitempty"`
 	// Type holds the value of the "type" field.
 	Type string `json:"type,omitempty"`
 	// Edges holds the relations/edges for other nodes in the graph.
 	// The values are being populated by the AttestationQuery when eager-loading is set.
 	Edges                               AttestationEdges `json:"edges"`
-	attestation_collection_attestations *int
+	attestation_collection_attestations *uuid.UUID
 	selectValues                        sql.SelectValues
 }

@ -40,12 +41,10 @@ type AttestationEdges struct {
 // AttestationCollectionOrErr returns the AttestationCollection value or an error if the edge
 // was not loaded in eager-loading, or loaded but was not found.
 func (e AttestationEdges) AttestationCollectionOrErr() (*AttestationCollection, error) {
-	if e.loadedTypes[0] {
-		if e.AttestationCollection == nil {
-			// Edge was loaded but was not found.
-			return nil, &NotFoundError{label: attestationcollection.Label}
-		}
+	if e.AttestationCollection != nil {
 		return e.AttestationCollection, nil
+	} else if e.loadedTypes[0] {
+		return nil, &NotFoundError{label: attestationcollection.Label}
 	}
 	return nil, &NotLoadedError{edge: "attestation_collection"}
 }
@ -55,12 +54,12 @@ func (*Attestation) scanValues(columns []string) ([]any, error) {
 	values := make([]any, len(columns))
 	for i := range columns {
 		switch columns[i] {
-		case attestation.FieldID:
-			values[i] = new(sql.NullInt64)
 		case attestation.FieldType:
 			values[i] = new(sql.NullString)
+		case attestation.FieldID:
+			values[i] = new(uuid.UUID)
 		case attestation.ForeignKeys[0]: // attestation_collection_attestations
-			values[i] = new(sql.NullInt64)
+			values[i] = &sql.NullScanner{S: new(uuid.UUID)}
 		default:
 			values[i] = new(sql.UnknownType)
 		}
@ -77,11 +76,11 @@ func (a *Attestation) assignValues(columns []string, values []any) error {
 	for i := range columns {
 		switch columns[i] {
 		case attestation.FieldID:
-			value, ok := values[i].(*sql.NullInt64)
-			if !ok {
-				return fmt.Errorf("unexpected type %T for field id", value)
+			if value, ok := values[i].(*uuid.UUID); !ok {
+				return fmt.Errorf("unexpected type %T for field id", values[i])
+			} else if value != nil {
+				a.ID = *value
 			}
-			a.ID = int(value.Int64)
 		case attestation.FieldType:
 			if value, ok := values[i].(*sql.NullString); !ok {
 				return fmt.Errorf("unexpected type %T for field type", values[i])
@ -89,11 +88,11 @@ func (a *Attestation) assignValues(columns []string, values []any) error {
 				a.Type = value.String
 			}
 		case attestation.ForeignKeys[0]:
-			if value, ok := values[i].(*sql.NullInt64); !ok {
-				return fmt.Errorf("unexpected type %T for edge-field attestation_collection_attestations", value)
+			if value, ok := values[i].(*sql.NullScanner); !ok {
+				return fmt.Errorf("unexpected type %T for field attestation_collection_attestations", values[i])
 			} else if value.Valid {
-				a.attestation_collection_attestations = new(int)
-				*a.attestation_collection_attestations = int(value.Int64)
+				a.attestation_collection_attestations = new(uuid.UUID)
+				*a.attestation_collection_attestations = *value.S.(*uuid.UUID)
 			}
 		default:
 			a.selectValues.Set(columns[i], values[i])
--- a/ent/attestation/attestation.go
+++ b/ent/attestation/attestation.go
@ -5,6 +5,7 @@ package attestation
 import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
 )

 const (
@ -57,6 +58,8 @@ func ValidColumn(column string) bool {
 var (
 	// TypeValidator is a validator for the "type" field. It is called by the builders before save.
 	TypeValidator func(string) error
+	// DefaultID holds the default value on creation for the "id" field.
+	DefaultID func() uuid.UUID
 )

 // OrderOption defines the ordering options for the Attestation queries.
--- a/ent/attestation/where.go
+++ b/ent/attestation/where.go
@ -5,51 +5,52 @@ package attestation
 import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/predicate"
 )

 // ID filters vertices based on their ID field.
-func ID(id int) predicate.Attestation {
+func ID(id uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldEQ(FieldID, id))
 }

 // IDEQ applies the EQ predicate on the ID field.
-func IDEQ(id int) predicate.Attestation {
+func IDEQ(id uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldEQ(FieldID, id))
 }

 // IDNEQ applies the NEQ predicate on the ID field.
-func IDNEQ(id int) predicate.Attestation {
+func IDNEQ(id uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldNEQ(FieldID, id))
 }

 // IDIn applies the In predicate on the ID field.
-func IDIn(ids ...int) predicate.Attestation {
+func IDIn(ids ...uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldIn(FieldID, ids...))
 }

 // IDNotIn applies the NotIn predicate on the ID field.
-func IDNotIn(ids ...int) predicate.Attestation {
+func IDNotIn(ids ...uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldNotIn(FieldID, ids...))
 }

 // IDGT applies the GT predicate on the ID field.
-func IDGT(id int) predicate.Attestation {
+func IDGT(id uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldGT(FieldID, id))
 }

 // IDGTE applies the GTE predicate on the ID field.
-func IDGTE(id int) predicate.Attestation {
+func IDGTE(id uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldGTE(FieldID, id))
 }

 // IDLT applies the LT predicate on the ID field.
-func IDLT(id int) predicate.Attestation {
+func IDLT(id uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldLT(FieldID, id))
 }

 // IDLTE applies the LTE predicate on the ID field.
-func IDLTE(id int) predicate.Attestation {
+func IDLTE(id uuid.UUID) predicate.Attestation {
 	return predicate.Attestation(sql.FieldLTE(FieldID, id))
 }

--- a/ent/attestation_create.go
+++ b/ent/attestation_create.go
@ -9,6 +9,7 @@ import (

 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
 )
@ -26,8 +27,22 @@ func (ac *AttestationCreate) SetType(s string) *AttestationCreate {
 	return ac
 }

+// SetID sets the "id" field.
+func (ac *AttestationCreate) SetID(u uuid.UUID) *AttestationCreate {
+	ac.mutation.SetID(u)
+	return ac
+}
+
+// SetNillableID sets the "id" field if the given value is not nil.
+func (ac *AttestationCreate) SetNillableID(u *uuid.UUID) *AttestationCreate {
+	if u != nil {
+		ac.SetID(*u)
+	}
+	return ac
+}
+
 // SetAttestationCollectionID sets the "attestation_collection" edge to the AttestationCollection entity by ID.
-func (ac *AttestationCreate) SetAttestationCollectionID(id int) *AttestationCreate {
+func (ac *AttestationCreate) SetAttestationCollectionID(id uuid.UUID) *AttestationCreate {
 	ac.mutation.SetAttestationCollectionID(id)
 	return ac
 }
@ -44,6 +59,7 @@ func (ac *AttestationCreate) Mutation() *AttestationMutation {

 // Save creates the Attestation in the database.
 func (ac *AttestationCreate) Save(ctx context.Context) (*Attestation, error) {
+	ac.defaults()
 	return withHooks(ctx, ac.sqlSave, ac.mutation, ac.hooks)
 }

@ -69,6 +85,14 @@ func (ac *AttestationCreate) ExecX(ctx context.Context) {
 	}
 }

+// defaults sets the default values of the builder before save.
+func (ac *AttestationCreate) defaults() {
+	if _, ok := ac.mutation.ID(); !ok {
+		v := attestation.DefaultID()
+		ac.mutation.SetID(v)
+	}
+}
+
 // check runs all checks and user-defined validators on the builder.
 func (ac *AttestationCreate) check() error {
 	if _, ok := ac.mutation.GetType(); !ok {
@ -79,7 +103,7 @@ func (ac *AttestationCreate) check() error {
 			return &ValidationError{Name: "type", err: fmt.Errorf(`ent: validator failed for field "Attestation.type": %w`, err)}
 		}
 	}
-	if _, ok := ac.mutation.AttestationCollectionID(); !ok {
+	if len(ac.mutation.AttestationCollectionIDs()) == 0 {
 		return &ValidationError{Name: "attestation_collection", err: errors.New(`ent: missing required edge "Attestation.attestation_collection"`)}
 	}
 	return nil
@ -96,8 +120,13 @@ func (ac *AttestationCreate) sqlSave(ctx context.Context) (*Attestation, error)
 		}
 		return nil, err
 	}
-	id := _spec.ID.Value.(int64)
-	_node.ID = int(id)
+	if _spec.ID.Value != nil {
+		if id, ok := _spec.ID.Value.(*uuid.UUID); ok {
+			_node.ID = *id
+		} else if err := _node.ID.Scan(_spec.ID.Value); err != nil {
+			return nil, err
+		}
+	}
 	ac.mutation.id = &_node.ID
 	ac.mutation.done = true
 	return _node, nil
@ -106,8 +135,12 @@ func (ac *AttestationCreate) sqlSave(ctx context.Context) (*Attestation, error)
 func (ac *AttestationCreate) createSpec() (*Attestation, *sqlgraph.CreateSpec) {
 	var (
 		_node = &Attestation{config: ac.config}
-		_spec = sqlgraph.NewCreateSpec(attestation.Table, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt))
+		_spec = sqlgraph.NewCreateSpec(attestation.Table, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID))
 	)
+	if id, ok := ac.mutation.ID(); ok {
+		_node.ID = id
+		_spec.ID.Value = &id
+	}
 	if value, ok := ac.mutation.GetType(); ok {
 		_spec.SetField(attestation.FieldType, field.TypeString, value)
 		_node.Type = value
@ -120,7 +153,7 @@ func (ac *AttestationCreate) createSpec() (*Attestation, *sqlgraph.CreateSpec) {
 			Columns: []string{attestation.AttestationCollectionColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -150,6 +183,7 @@ func (acb *AttestationCreateBulk) Save(ctx context.Context) ([]*Attestation, err
 	for i := range acb.builders {
 		func(i int, root context.Context) {
 			builder := acb.builders[i]
+			builder.defaults()
 			var mut Mutator = MutateFunc(func(ctx context.Context, m Mutation) (Value, error) {
 				mutation, ok := m.(*AttestationMutation)
 				if !ok {
@ -176,10 +210,6 @@ func (acb *AttestationCreateBulk) Save(ctx context.Context) ([]*Attestation, err
 					return nil, err
 				}
 				mutation.id = &nodes[i].ID
-				if specs[i].ID.Value != nil {
-					id := specs[i].ID.Value.(int64)
-					nodes[i].ID = int(id)
-				}
 				mutation.done = true
 				return nodes[i], nil
 			})
--- a/ent/attestation_delete.go
+++ b/ent/attestation_delete.go
@ -40,7 +40,7 @@ func (ad *AttestationDelete) ExecX(ctx context.Context) int {
 }

 func (ad *AttestationDelete) sqlExec(ctx context.Context) (int, error) {
-	_spec := sqlgraph.NewDeleteSpec(attestation.Table, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewDeleteSpec(attestation.Table, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID))
 	if ps := ad.mutation.predicates; len(ps) > 0 {
 		_spec.Predicate = func(selector *sql.Selector) {
 			for i := range ps {
--- a/ent/attestation_query.go
+++ b/ent/attestation_query.go
@ -7,9 +7,11 @@ import (
 	"fmt"
 	"math"

+	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
 	"github.com/in-toto/archivista/ent/predicate"
@ -87,7 +89,7 @@ func (aq *AttestationQuery) QueryAttestationCollection() *AttestationCollectionQ
 // First returns the first Attestation entity from the query.
 // Returns a *NotFoundError when no Attestation was found.
 func (aq *AttestationQuery) First(ctx context.Context) (*Attestation, error) {
-	nodes, err := aq.Limit(1).All(setContextOp(ctx, aq.ctx, "First"))
+	nodes, err := aq.Limit(1).All(setContextOp(ctx, aq.ctx, ent.OpQueryFirst))
 	if err != nil {
 		return nil, err
 	}
@ -108,9 +110,9 @@ func (aq *AttestationQuery) FirstX(ctx context.Context) *Attestation {

 // FirstID returns the first Attestation ID from the query.
 // Returns a *NotFoundError when no Attestation ID was found.
-func (aq *AttestationQuery) FirstID(ctx context.Context) (id int, err error) {
-	var ids []int
-	if ids, err = aq.Limit(1).IDs(setContextOp(ctx, aq.ctx, "FirstID")); err != nil {
+func (aq *AttestationQuery) FirstID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = aq.Limit(1).IDs(setContextOp(ctx, aq.ctx, ent.OpQueryFirstID)); err != nil {
 		return
 	}
 	if len(ids) == 0 {
@ -121,7 +123,7 @@ func (aq *AttestationQuery) FirstID(ctx context.Context) (id int, err error) {
 }

 // FirstIDX is like FirstID, but panics if an error occurs.
-func (aq *AttestationQuery) FirstIDX(ctx context.Context) int {
+func (aq *AttestationQuery) FirstIDX(ctx context.Context) uuid.UUID {
 	id, err := aq.FirstID(ctx)
 	if err != nil && !IsNotFound(err) {
 		panic(err)
@ -133,7 +135,7 @@ func (aq *AttestationQuery) FirstIDX(ctx context.Context) int {
 // Returns a *NotSingularError when more than one Attestation entity is found.
 // Returns a *NotFoundError when no Attestation entities are found.
 func (aq *AttestationQuery) Only(ctx context.Context) (*Attestation, error) {
-	nodes, err := aq.Limit(2).All(setContextOp(ctx, aq.ctx, "Only"))
+	nodes, err := aq.Limit(2).All(setContextOp(ctx, aq.ctx, ent.OpQueryOnly))
 	if err != nil {
 		return nil, err
 	}
@ -159,9 +161,9 @@ func (aq *AttestationQuery) OnlyX(ctx context.Context) *Attestation {
 // OnlyID is like Only, but returns the only Attestation ID in the query.
 // Returns a *NotSingularError when more than one Attestation ID is found.
 // Returns a *NotFoundError when no entities are found.
-func (aq *AttestationQuery) OnlyID(ctx context.Context) (id int, err error) {
-	var ids []int
-	if ids, err = aq.Limit(2).IDs(setContextOp(ctx, aq.ctx, "OnlyID")); err != nil {
+func (aq *AttestationQuery) OnlyID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = aq.Limit(2).IDs(setContextOp(ctx, aq.ctx, ent.OpQueryOnlyID)); err != nil {
 		return
 	}
 	switch len(ids) {
@ -176,7 +178,7 @@ func (aq *AttestationQuery) OnlyID(ctx context.Context) (id int, err error) {
 }

 // OnlyIDX is like OnlyID, but panics if an error occurs.
-func (aq *AttestationQuery) OnlyIDX(ctx context.Context) int {
+func (aq *AttestationQuery) OnlyIDX(ctx context.Context) uuid.UUID {
 	id, err := aq.OnlyID(ctx)
 	if err != nil {
 		panic(err)
@ -186,7 +188,7 @@ func (aq *AttestationQuery) OnlyIDX(ctx context.Context) int {

 // All executes the query and returns a list of Attestations.
 func (aq *AttestationQuery) All(ctx context.Context) ([]*Attestation, error) {
-	ctx = setContextOp(ctx, aq.ctx, "All")
+	ctx = setContextOp(ctx, aq.ctx, ent.OpQueryAll)
 	if err := aq.prepareQuery(ctx); err != nil {
 		return nil, err
 	}
@ -204,11 +206,11 @@ func (aq *AttestationQuery) AllX(ctx context.Context) []*Attestation {
 }

 // IDs executes the query and returns a list of Attestation IDs.
-func (aq *AttestationQuery) IDs(ctx context.Context) (ids []int, err error) {
+func (aq *AttestationQuery) IDs(ctx context.Context) (ids []uuid.UUID, err error) {
 	if aq.ctx.Unique == nil && aq.path != nil {
 		aq.Unique(true)
 	}
-	ctx = setContextOp(ctx, aq.ctx, "IDs")
+	ctx = setContextOp(ctx, aq.ctx, ent.OpQueryIDs)
 	if err = aq.Select(attestation.FieldID).Scan(ctx, &ids); err != nil {
 		return nil, err
 	}
@ -216,7 +218,7 @@ func (aq *AttestationQuery) IDs(ctx context.Context) (ids []int, err error) {
 }

 // IDsX is like IDs, but panics if an error occurs.
-func (aq *AttestationQuery) IDsX(ctx context.Context) []int {
+func (aq *AttestationQuery) IDsX(ctx context.Context) []uuid.UUID {
 	ids, err := aq.IDs(ctx)
 	if err != nil {
 		panic(err)
@ -226,7 +228,7 @@ func (aq *AttestationQuery) IDsX(ctx context.Context) []int {

 // Count returns the count of the given query.
 func (aq *AttestationQuery) Count(ctx context.Context) (int, error) {
-	ctx = setContextOp(ctx, aq.ctx, "Count")
+	ctx = setContextOp(ctx, aq.ctx, ent.OpQueryCount)
 	if err := aq.prepareQuery(ctx); err != nil {
 		return 0, err
 	}
@ -244,7 +246,7 @@ func (aq *AttestationQuery) CountX(ctx context.Context) int {

 // Exist returns true if the query has elements in the graph.
 func (aq *AttestationQuery) Exist(ctx context.Context) (bool, error) {
-	ctx = setContextOp(ctx, aq.ctx, "Exist")
+	ctx = setContextOp(ctx, aq.ctx, ent.OpQueryExist)
 	switch _, err := aq.FirstID(ctx); {
 	case IsNotFound(err):
 		return false, nil
@ -419,8 +421,8 @@ func (aq *AttestationQuery) sqlAll(ctx context.Context, hooks ...queryHook) ([]*
 }

 func (aq *AttestationQuery) loadAttestationCollection(ctx context.Context, query *AttestationCollectionQuery, nodes []*Attestation, init func(*Attestation), assign func(*Attestation, *AttestationCollection)) error {
-	ids := make([]int, 0, len(nodes))
-	nodeids := make(map[int][]*Attestation)
+	ids := make([]uuid.UUID, 0, len(nodes))
+	nodeids := make(map[uuid.UUID][]*Attestation)
 	for i := range nodes {
 		if nodes[i].attestation_collection_attestations == nil {
 			continue
@ -464,7 +466,7 @@ func (aq *AttestationQuery) sqlCount(ctx context.Context) (int, error) {
 }

 func (aq *AttestationQuery) querySpec() *sqlgraph.QuerySpec {
-	_spec := sqlgraph.NewQuerySpec(attestation.Table, attestation.Columns, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewQuerySpec(attestation.Table, attestation.Columns, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID))
 	_spec.From = aq.sql
 	if unique := aq.ctx.Unique; unique != nil {
 		_spec.Unique = *unique
@ -549,7 +551,7 @@ func (agb *AttestationGroupBy) Aggregate(fns ...AggregateFunc) *AttestationGroup

 // Scan applies the selector query and scans the result into the given value.
 func (agb *AttestationGroupBy) Scan(ctx context.Context, v any) error {
-	ctx = setContextOp(ctx, agb.build.ctx, "GroupBy")
+	ctx = setContextOp(ctx, agb.build.ctx, ent.OpQueryGroupBy)
 	if err := agb.build.prepareQuery(ctx); err != nil {
 		return err
 	}
@ -597,7 +599,7 @@ func (as *AttestationSelect) Aggregate(fns ...AggregateFunc) *AttestationSelect

 // Scan applies the selector query and scans the result into the given value.
 func (as *AttestationSelect) Scan(ctx context.Context, v any) error {
-	ctx = setContextOp(ctx, as.ctx, "Select")
+	ctx = setContextOp(ctx, as.ctx, ent.OpQuerySelect)
 	if err := as.prepareQuery(ctx); err != nil {
 		return err
 	}
--- a/ent/attestation_update.go
+++ b/ent/attestation_update.go
@ -10,6 +10,7 @@ import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
 	"github.com/in-toto/archivista/ent/predicate"
@ -43,7 +44,7 @@ func (au *AttestationUpdate) SetNillableType(s *string) *AttestationUpdate {
 }

 // SetAttestationCollectionID sets the "attestation_collection" edge to the AttestationCollection entity by ID.
-func (au *AttestationUpdate) SetAttestationCollectionID(id int) *AttestationUpdate {
+func (au *AttestationUpdate) SetAttestationCollectionID(id uuid.UUID) *AttestationUpdate {
 	au.mutation.SetAttestationCollectionID(id)
 	return au
 }
@ -98,7 +99,7 @@ func (au *AttestationUpdate) check() error {
 			return &ValidationError{Name: "type", err: fmt.Errorf(`ent: validator failed for field "Attestation.type": %w`, err)}
 		}
 	}
-	if _, ok := au.mutation.AttestationCollectionID(); au.mutation.AttestationCollectionCleared() && !ok {
+	if au.mutation.AttestationCollectionCleared() && len(au.mutation.AttestationCollectionIDs()) > 0 {
 		return errors.New(`ent: clearing a required unique edge "Attestation.attestation_collection"`)
 	}
 	return nil
@ -108,7 +109,7 @@ func (au *AttestationUpdate) sqlSave(ctx context.Context) (n int, err error) {
 	if err := au.check(); err != nil {
 		return n, err
 	}
-	_spec := sqlgraph.NewUpdateSpec(attestation.Table, attestation.Columns, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewUpdateSpec(attestation.Table, attestation.Columns, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID))
 	if ps := au.mutation.predicates; len(ps) > 0 {
 		_spec.Predicate = func(selector *sql.Selector) {
 			for i := range ps {
@ -127,7 +128,7 @@ func (au *AttestationUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{attestation.AttestationCollectionColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -140,7 +141,7 @@ func (au *AttestationUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{attestation.AttestationCollectionColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -183,7 +184,7 @@ func (auo *AttestationUpdateOne) SetNillableType(s *string) *AttestationUpdateOn
 }

 // SetAttestationCollectionID sets the "attestation_collection" edge to the AttestationCollection entity by ID.
-func (auo *AttestationUpdateOne) SetAttestationCollectionID(id int) *AttestationUpdateOne {
+func (auo *AttestationUpdateOne) SetAttestationCollectionID(id uuid.UUID) *AttestationUpdateOne {
 	auo.mutation.SetAttestationCollectionID(id)
 	return auo
 }
@ -251,7 +252,7 @@ func (auo *AttestationUpdateOne) check() error {
 			return &ValidationError{Name: "type", err: fmt.Errorf(`ent: validator failed for field "Attestation.type": %w`, err)}
 		}
 	}
-	if _, ok := auo.mutation.AttestationCollectionID(); auo.mutation.AttestationCollectionCleared() && !ok {
+	if auo.mutation.AttestationCollectionCleared() && len(auo.mutation.AttestationCollectionIDs()) > 0 {
 		return errors.New(`ent: clearing a required unique edge "Attestation.attestation_collection"`)
 	}
 	return nil
@ -261,7 +262,7 @@ func (auo *AttestationUpdateOne) sqlSave(ctx context.Context) (_node *Attestatio
 	if err := auo.check(); err != nil {
 		return _node, err
 	}
-	_spec := sqlgraph.NewUpdateSpec(attestation.Table, attestation.Columns, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewUpdateSpec(attestation.Table, attestation.Columns, sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID))
 	id, ok := auo.mutation.ID()
 	if !ok {
 		return nil, &ValidationError{Name: "id", err: errors.New(`ent: missing "Attestation.id" for update`)}
@ -297,7 +298,7 @@ func (auo *AttestationUpdateOne) sqlSave(ctx context.Context) (_node *Attestatio
 			Columns: []string{attestation.AttestationCollectionColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -310,7 +311,7 @@ func (auo *AttestationUpdateOne) sqlSave(ctx context.Context) (_node *Attestatio
 			Columns: []string{attestation.AttestationCollectionColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
--- a/ent/attestationcollection.go
+++ b/ent/attestationcollection.go
@ -8,6 +8,7 @@ import (

 	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestationcollection"
 	"github.com/in-toto/archivista/ent/statement"
 )
@ -16,13 +17,13 @@ import (
 type AttestationCollection struct {
 	config `json:"-"`
 	// ID of the ent.
-	ID int `json:"id,omitempty"`
+	ID uuid.UUID `json:"id,omitempty"`
 	// Name holds the value of the "name" field.
 	Name string `json:"name,omitempty"`
 	// Edges holds the relations/edges for other nodes in the graph.
 	// The values are being populated by the AttestationCollectionQuery when eager-loading is set.
 	Edges                             AttestationCollectionEdges `json:"edges"`
-	statement_attestation_collections *int
+	statement_attestation_collections *uuid.UUID
 	selectValues                      sql.SelectValues
 }

@ -53,12 +54,10 @@ func (e AttestationCollectionEdges) AttestationsOrErr() ([]*Attestation, error)
 // StatementOrErr returns the Statement value or an error if the edge
 // was not loaded in eager-loading, or loaded but was not found.
 func (e AttestationCollectionEdges) StatementOrErr() (*Statement, error) {
-	if e.loadedTypes[1] {
-		if e.Statement == nil {
-			// Edge was loaded but was not found.
-			return nil, &NotFoundError{label: statement.Label}
-		}
+	if e.Statement != nil {
 		return e.Statement, nil
+	} else if e.loadedTypes[1] {
+		return nil, &NotFoundError{label: statement.Label}
 	}
 	return nil, &NotLoadedError{edge: "statement"}
 }
@ -68,12 +67,12 @@ func (*AttestationCollection) scanValues(columns []string) ([]any, error) {
 	values := make([]any, len(columns))
 	for i := range columns {
 		switch columns[i] {
-		case attestationcollection.FieldID:
-			values[i] = new(sql.NullInt64)
 		case attestationcollection.FieldName:
 			values[i] = new(sql.NullString)
+		case attestationcollection.FieldID:
+			values[i] = new(uuid.UUID)
 		case attestationcollection.ForeignKeys[0]: // statement_attestation_collections
-			values[i] = new(sql.NullInt64)
+			values[i] = &sql.NullScanner{S: new(uuid.UUID)}
 		default:
 			values[i] = new(sql.UnknownType)
 		}
@ -90,11 +89,11 @@ func (ac *AttestationCollection) assignValues(columns []string, values []any) er
 	for i := range columns {
 		switch columns[i] {
 		case attestationcollection.FieldID:
-			value, ok := values[i].(*sql.NullInt64)
-			if !ok {
-				return fmt.Errorf("unexpected type %T for field id", value)
+			if value, ok := values[i].(*uuid.UUID); !ok {
+				return fmt.Errorf("unexpected type %T for field id", values[i])
+			} else if value != nil {
+				ac.ID = *value
 			}
-			ac.ID = int(value.Int64)
 		case attestationcollection.FieldName:
 			if value, ok := values[i].(*sql.NullString); !ok {
 				return fmt.Errorf("unexpected type %T for field name", values[i])
@ -102,11 +101,11 @@ func (ac *AttestationCollection) assignValues(columns []string, values []any) er
 				ac.Name = value.String
 			}
 		case attestationcollection.ForeignKeys[0]:
-			if value, ok := values[i].(*sql.NullInt64); !ok {
-				return fmt.Errorf("unexpected type %T for edge-field statement_attestation_collections", value)
+			if value, ok := values[i].(*sql.NullScanner); !ok {
+				return fmt.Errorf("unexpected type %T for field statement_attestation_collections", values[i])
 			} else if value.Valid {
-				ac.statement_attestation_collections = new(int)
-				*ac.statement_attestation_collections = int(value.Int64)
+				ac.statement_attestation_collections = new(uuid.UUID)
+				*ac.statement_attestation_collections = *value.S.(*uuid.UUID)
 			}
 		default:
 			ac.selectValues.Set(columns[i], values[i])
--- a/ent/attestationcollection/attestationcollection.go
+++ b/ent/attestationcollection/attestationcollection.go
@ -5,6 +5,7 @@ package attestationcollection
 import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
 )

 const (
@ -66,6 +67,8 @@ func ValidColumn(column string) bool {
 var (
 	// NameValidator is a validator for the "name" field. It is called by the builders before save.
 	NameValidator func(string) error
+	// DefaultID holds the default value on creation for the "id" field.
+	DefaultID func() uuid.UUID
 )

 // OrderOption defines the ordering options for the AttestationCollection queries.
--- a/ent/attestationcollection/where.go
+++ b/ent/attestationcollection/where.go
@ -5,51 +5,52 @@ package attestationcollection
 import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/predicate"
 )

 // ID filters vertices based on their ID field.
-func ID(id int) predicate.AttestationCollection {
+func ID(id uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldEQ(FieldID, id))
 }

 // IDEQ applies the EQ predicate on the ID field.
-func IDEQ(id int) predicate.AttestationCollection {
+func IDEQ(id uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldEQ(FieldID, id))
 }

 // IDNEQ applies the NEQ predicate on the ID field.
-func IDNEQ(id int) predicate.AttestationCollection {
+func IDNEQ(id uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldNEQ(FieldID, id))
 }

 // IDIn applies the In predicate on the ID field.
-func IDIn(ids ...int) predicate.AttestationCollection {
+func IDIn(ids ...uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldIn(FieldID, ids...))
 }

 // IDNotIn applies the NotIn predicate on the ID field.
-func IDNotIn(ids ...int) predicate.AttestationCollection {
+func IDNotIn(ids ...uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldNotIn(FieldID, ids...))
 }

 // IDGT applies the GT predicate on the ID field.
-func IDGT(id int) predicate.AttestationCollection {
+func IDGT(id uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldGT(FieldID, id))
 }

 // IDGTE applies the GTE predicate on the ID field.
-func IDGTE(id int) predicate.AttestationCollection {
+func IDGTE(id uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldGTE(FieldID, id))
 }

 // IDLT applies the LT predicate on the ID field.
-func IDLT(id int) predicate.AttestationCollection {
+func IDLT(id uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldLT(FieldID, id))
 }

 // IDLTE applies the LTE predicate on the ID field.
-func IDLTE(id int) predicate.AttestationCollection {
+func IDLTE(id uuid.UUID) predicate.AttestationCollection {
 	return predicate.AttestationCollection(sql.FieldLTE(FieldID, id))
 }

--- a/ent/attestationcollection_create.go
+++ b/ent/attestationcollection_create.go
@ -9,6 +9,7 @@ import (

 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
 	"github.com/in-toto/archivista/ent/statement"
@ -27,15 +28,29 @@ func (acc *AttestationCollectionCreate) SetName(s string) *AttestationCollection
 	return acc
 }

+// SetID sets the "id" field.
+func (acc *AttestationCollectionCreate) SetID(u uuid.UUID) *AttestationCollectionCreate {
+	acc.mutation.SetID(u)
+	return acc
+}
+
+// SetNillableID sets the "id" field if the given value is not nil.
+func (acc *AttestationCollectionCreate) SetNillableID(u *uuid.UUID) *AttestationCollectionCreate {
+	if u != nil {
+		acc.SetID(*u)
+	}
+	return acc
+}
+
 // AddAttestationIDs adds the "attestations" edge to the Attestation entity by IDs.
-func (acc *AttestationCollectionCreate) AddAttestationIDs(ids ...int) *AttestationCollectionCreate {
+func (acc *AttestationCollectionCreate) AddAttestationIDs(ids ...uuid.UUID) *AttestationCollectionCreate {
 	acc.mutation.AddAttestationIDs(ids...)
 	return acc
 }

 // AddAttestations adds the "attestations" edges to the Attestation entity.
 func (acc *AttestationCollectionCreate) AddAttestations(a ...*Attestation) *AttestationCollectionCreate {
-	ids := make([]int, len(a))
+	ids := make([]uuid.UUID, len(a))
 	for i := range a {
 		ids[i] = a[i].ID
 	}
@ -43,7 +58,7 @@ func (acc *AttestationCollectionCreate) AddAttestations(a ...*Attestation) *Atte
 }

 // SetStatementID sets the "statement" edge to the Statement entity by ID.
-func (acc *AttestationCollectionCreate) SetStatementID(id int) *AttestationCollectionCreate {
+func (acc *AttestationCollectionCreate) SetStatementID(id uuid.UUID) *AttestationCollectionCreate {
 	acc.mutation.SetStatementID(id)
 	return acc
 }
@ -60,6 +75,7 @@ func (acc *AttestationCollectionCreate) Mutation() *AttestationCollectionMutatio

 // Save creates the AttestationCollection in the database.
 func (acc *AttestationCollectionCreate) Save(ctx context.Context) (*AttestationCollection, error) {
+	acc.defaults()
 	return withHooks(ctx, acc.sqlSave, acc.mutation, acc.hooks)
 }

@ -85,6 +101,14 @@ func (acc *AttestationCollectionCreate) ExecX(ctx context.Context) {
 	}
 }

+// defaults sets the default values of the builder before save.
+func (acc *AttestationCollectionCreate) defaults() {
+	if _, ok := acc.mutation.ID(); !ok {
+		v := attestationcollection.DefaultID()
+		acc.mutation.SetID(v)
+	}
+}
+
 // check runs all checks and user-defined validators on the builder.
 func (acc *AttestationCollectionCreate) check() error {
 	if _, ok := acc.mutation.Name(); !ok {
@ -95,7 +119,7 @@ func (acc *AttestationCollectionCreate) check() error {
 			return &ValidationError{Name: "name", err: fmt.Errorf(`ent: validator failed for field "AttestationCollection.name": %w`, err)}
 		}
 	}
-	if _, ok := acc.mutation.StatementID(); !ok {
+	if len(acc.mutation.StatementIDs()) == 0 {
 		return &ValidationError{Name: "statement", err: errors.New(`ent: missing required edge "AttestationCollection.statement"`)}
 	}
 	return nil
@ -112,8 +136,13 @@ func (acc *AttestationCollectionCreate) sqlSave(ctx context.Context) (*Attestati
 		}
 		return nil, err
 	}
-	id := _spec.ID.Value.(int64)
-	_node.ID = int(id)
+	if _spec.ID.Value != nil {
+		if id, ok := _spec.ID.Value.(*uuid.UUID); ok {
+			_node.ID = *id
+		} else if err := _node.ID.Scan(_spec.ID.Value); err != nil {
+			return nil, err
+		}
+	}
 	acc.mutation.id = &_node.ID
 	acc.mutation.done = true
 	return _node, nil
@ -122,8 +151,12 @@ func (acc *AttestationCollectionCreate) sqlSave(ctx context.Context) (*Attestati
 func (acc *AttestationCollectionCreate) createSpec() (*AttestationCollection, *sqlgraph.CreateSpec) {
 	var (
 		_node = &AttestationCollection{config: acc.config}
-		_spec = sqlgraph.NewCreateSpec(attestationcollection.Table, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt))
+		_spec = sqlgraph.NewCreateSpec(attestationcollection.Table, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID))
 	)
+	if id, ok := acc.mutation.ID(); ok {
+		_node.ID = id
+		_spec.ID.Value = &id
+	}
 	if value, ok := acc.mutation.Name(); ok {
 		_spec.SetField(attestationcollection.FieldName, field.TypeString, value)
 		_node.Name = value
@ -136,7 +169,7 @@ func (acc *AttestationCollectionCreate) createSpec() (*AttestationCollection, *s
 			Columns: []string{attestationcollection.AttestationsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -152,7 +185,7 @@ func (acc *AttestationCollectionCreate) createSpec() (*AttestationCollection, *s
 			Columns: []string{attestationcollection.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -182,6 +215,7 @@ func (accb *AttestationCollectionCreateBulk) Save(ctx context.Context) ([]*Attes
 	for i := range accb.builders {
 		func(i int, root context.Context) {
 			builder := accb.builders[i]
+			builder.defaults()
 			var mut Mutator = MutateFunc(func(ctx context.Context, m Mutation) (Value, error) {
 				mutation, ok := m.(*AttestationCollectionMutation)
 				if !ok {
@ -208,10 +242,6 @@ func (accb *AttestationCollectionCreateBulk) Save(ctx context.Context) ([]*Attes
 					return nil, err
 				}
 				mutation.id = &nodes[i].ID
-				if specs[i].ID.Value != nil {
-					id := specs[i].ID.Value.(int64)
-					nodes[i].ID = int(id)
-				}
 				mutation.done = true
 				return nodes[i], nil
 			})
--- a/ent/attestationcollection_delete.go
+++ b/ent/attestationcollection_delete.go
@ -40,7 +40,7 @@ func (acd *AttestationCollectionDelete) ExecX(ctx context.Context) int {
 }

 func (acd *AttestationCollectionDelete) sqlExec(ctx context.Context) (int, error) {
-	_spec := sqlgraph.NewDeleteSpec(attestationcollection.Table, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewDeleteSpec(attestationcollection.Table, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID))
 	if ps := acd.mutation.predicates; len(ps) > 0 {
 		_spec.Predicate = func(selector *sql.Selector) {
 			for i := range ps {
--- a/ent/attestationcollection_query.go
+++ b/ent/attestationcollection_query.go
@ -8,9 +8,11 @@ import (
 	"fmt"
 	"math"

+	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
 	"github.com/in-toto/archivista/ent/predicate"
@ -113,7 +115,7 @@ func (acq *AttestationCollectionQuery) QueryStatement() *StatementQuery {
 // First returns the first AttestationCollection entity from the query.
 // Returns a *NotFoundError when no AttestationCollection was found.
 func (acq *AttestationCollectionQuery) First(ctx context.Context) (*AttestationCollection, error) {
-	nodes, err := acq.Limit(1).All(setContextOp(ctx, acq.ctx, "First"))
+	nodes, err := acq.Limit(1).All(setContextOp(ctx, acq.ctx, ent.OpQueryFirst))
 	if err != nil {
 		return nil, err
 	}
@ -134,9 +136,9 @@ func (acq *AttestationCollectionQuery) FirstX(ctx context.Context) *AttestationC

 // FirstID returns the first AttestationCollection ID from the query.
 // Returns a *NotFoundError when no AttestationCollection ID was found.
-func (acq *AttestationCollectionQuery) FirstID(ctx context.Context) (id int, err error) {
-	var ids []int
-	if ids, err = acq.Limit(1).IDs(setContextOp(ctx, acq.ctx, "FirstID")); err != nil {
+func (acq *AttestationCollectionQuery) FirstID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = acq.Limit(1).IDs(setContextOp(ctx, acq.ctx, ent.OpQueryFirstID)); err != nil {
 		return
 	}
 	if len(ids) == 0 {
@ -147,7 +149,7 @@ func (acq *AttestationCollectionQuery) FirstID(ctx context.Context) (id int, err
 }

 // FirstIDX is like FirstID, but panics if an error occurs.
-func (acq *AttestationCollectionQuery) FirstIDX(ctx context.Context) int {
+func (acq *AttestationCollectionQuery) FirstIDX(ctx context.Context) uuid.UUID {
 	id, err := acq.FirstID(ctx)
 	if err != nil && !IsNotFound(err) {
 		panic(err)
@ -159,7 +161,7 @@ func (acq *AttestationCollectionQuery) FirstIDX(ctx context.Context) int {
 // Returns a *NotSingularError when more than one AttestationCollection entity is found.
 // Returns a *NotFoundError when no AttestationCollection entities are found.
 func (acq *AttestationCollectionQuery) Only(ctx context.Context) (*AttestationCollection, error) {
-	nodes, err := acq.Limit(2).All(setContextOp(ctx, acq.ctx, "Only"))
+	nodes, err := acq.Limit(2).All(setContextOp(ctx, acq.ctx, ent.OpQueryOnly))
 	if err != nil {
 		return nil, err
 	}
@ -185,9 +187,9 @@ func (acq *AttestationCollectionQuery) OnlyX(ctx context.Context) *AttestationCo
 // OnlyID is like Only, but returns the only AttestationCollection ID in the query.
 // Returns a *NotSingularError when more than one AttestationCollection ID is found.
 // Returns a *NotFoundError when no entities are found.
-func (acq *AttestationCollectionQuery) OnlyID(ctx context.Context) (id int, err error) {
-	var ids []int
-	if ids, err = acq.Limit(2).IDs(setContextOp(ctx, acq.ctx, "OnlyID")); err != nil {
+func (acq *AttestationCollectionQuery) OnlyID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = acq.Limit(2).IDs(setContextOp(ctx, acq.ctx, ent.OpQueryOnlyID)); err != nil {
 		return
 	}
 	switch len(ids) {
@ -202,7 +204,7 @@ func (acq *AttestationCollectionQuery) OnlyID(ctx context.Context) (id int, err
 }

 // OnlyIDX is like OnlyID, but panics if an error occurs.
-func (acq *AttestationCollectionQuery) OnlyIDX(ctx context.Context) int {
+func (acq *AttestationCollectionQuery) OnlyIDX(ctx context.Context) uuid.UUID {
 	id, err := acq.OnlyID(ctx)
 	if err != nil {
 		panic(err)
@ -212,7 +214,7 @@ func (acq *AttestationCollectionQuery) OnlyIDX(ctx context.Context) int {

 // All executes the query and returns a list of AttestationCollections.
 func (acq *AttestationCollectionQuery) All(ctx context.Context) ([]*AttestationCollection, error) {
-	ctx = setContextOp(ctx, acq.ctx, "All")
+	ctx = setContextOp(ctx, acq.ctx, ent.OpQueryAll)
 	if err := acq.prepareQuery(ctx); err != nil {
 		return nil, err
 	}
@ -230,11 +232,11 @@ func (acq *AttestationCollectionQuery) AllX(ctx context.Context) []*AttestationC
 }

 // IDs executes the query and returns a list of AttestationCollection IDs.
-func (acq *AttestationCollectionQuery) IDs(ctx context.Context) (ids []int, err error) {
+func (acq *AttestationCollectionQuery) IDs(ctx context.Context) (ids []uuid.UUID, err error) {
 	if acq.ctx.Unique == nil && acq.path != nil {
 		acq.Unique(true)
 	}
-	ctx = setContextOp(ctx, acq.ctx, "IDs")
+	ctx = setContextOp(ctx, acq.ctx, ent.OpQueryIDs)
 	if err = acq.Select(attestationcollection.FieldID).Scan(ctx, &ids); err != nil {
 		return nil, err
 	}
@ -242,7 +244,7 @@ func (acq *AttestationCollectionQuery) IDs(ctx context.Context) (ids []int, err
 }

 // IDsX is like IDs, but panics if an error occurs.
-func (acq *AttestationCollectionQuery) IDsX(ctx context.Context) []int {
+func (acq *AttestationCollectionQuery) IDsX(ctx context.Context) []uuid.UUID {
 	ids, err := acq.IDs(ctx)
 	if err != nil {
 		panic(err)
@ -252,7 +254,7 @@ func (acq *AttestationCollectionQuery) IDsX(ctx context.Context) []int {

 // Count returns the count of the given query.
 func (acq *AttestationCollectionQuery) Count(ctx context.Context) (int, error) {
-	ctx = setContextOp(ctx, acq.ctx, "Count")
+	ctx = setContextOp(ctx, acq.ctx, ent.OpQueryCount)
 	if err := acq.prepareQuery(ctx); err != nil {
 		return 0, err
 	}
@ -270,7 +272,7 @@ func (acq *AttestationCollectionQuery) CountX(ctx context.Context) int {

 // Exist returns true if the query has elements in the graph.
 func (acq *AttestationCollectionQuery) Exist(ctx context.Context) (bool, error) {
-	ctx = setContextOp(ctx, acq.ctx, "Exist")
+	ctx = setContextOp(ctx, acq.ctx, ent.OpQueryExist)
 	switch _, err := acq.FirstID(ctx); {
 	case IsNotFound(err):
 		return false, nil
@ -473,7 +475,7 @@ func (acq *AttestationCollectionQuery) sqlAll(ctx context.Context, hooks ...quer

 func (acq *AttestationCollectionQuery) loadAttestations(ctx context.Context, query *AttestationQuery, nodes []*AttestationCollection, init func(*AttestationCollection), assign func(*AttestationCollection, *Attestation)) error {
 	fks := make([]driver.Value, 0, len(nodes))
-	nodeids := make(map[int]*AttestationCollection)
+	nodeids := make(map[uuid.UUID]*AttestationCollection)
 	for i := range nodes {
 		fks = append(fks, nodes[i].ID)
 		nodeids[nodes[i].ID] = nodes[i]
@ -503,8 +505,8 @@ func (acq *AttestationCollectionQuery) loadAttestations(ctx context.Context, que
 	return nil
 }
 func (acq *AttestationCollectionQuery) loadStatement(ctx context.Context, query *StatementQuery, nodes []*AttestationCollection, init func(*AttestationCollection), assign func(*AttestationCollection, *Statement)) error {
-	ids := make([]int, 0, len(nodes))
-	nodeids := make(map[int][]*AttestationCollection)
+	ids := make([]uuid.UUID, 0, len(nodes))
+	nodeids := make(map[uuid.UUID][]*AttestationCollection)
 	for i := range nodes {
 		if nodes[i].statement_attestation_collections == nil {
 			continue
@ -548,7 +550,7 @@ func (acq *AttestationCollectionQuery) sqlCount(ctx context.Context) (int, error
 }

 func (acq *AttestationCollectionQuery) querySpec() *sqlgraph.QuerySpec {
-	_spec := sqlgraph.NewQuerySpec(attestationcollection.Table, attestationcollection.Columns, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewQuerySpec(attestationcollection.Table, attestationcollection.Columns, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID))
 	_spec.From = acq.sql
 	if unique := acq.ctx.Unique; unique != nil {
 		_spec.Unique = *unique
@ -647,7 +649,7 @@ func (acgb *AttestationCollectionGroupBy) Aggregate(fns ...AggregateFunc) *Attes

 // Scan applies the selector query and scans the result into the given value.
 func (acgb *AttestationCollectionGroupBy) Scan(ctx context.Context, v any) error {
-	ctx = setContextOp(ctx, acgb.build.ctx, "GroupBy")
+	ctx = setContextOp(ctx, acgb.build.ctx, ent.OpQueryGroupBy)
 	if err := acgb.build.prepareQuery(ctx); err != nil {
 		return err
 	}
@ -695,7 +697,7 @@ func (acs *AttestationCollectionSelect) Aggregate(fns ...AggregateFunc) *Attesta

 // Scan applies the selector query and scans the result into the given value.
 func (acs *AttestationCollectionSelect) Scan(ctx context.Context, v any) error {
-	ctx = setContextOp(ctx, acs.ctx, "Select")
+	ctx = setContextOp(ctx, acs.ctx, ent.OpQuerySelect)
 	if err := acs.prepareQuery(ctx); err != nil {
 		return err
 	}
--- a/ent/attestationcollection_update.go
+++ b/ent/attestationcollection_update.go
@ -10,6 +10,7 @@ import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
 	"github.com/in-toto/archivista/ent/predicate"
@ -44,14 +45,14 @@ func (acu *AttestationCollectionUpdate) SetNillableName(s *string) *AttestationC
 }

 // AddAttestationIDs adds the "attestations" edge to the Attestation entity by IDs.
-func (acu *AttestationCollectionUpdate) AddAttestationIDs(ids ...int) *AttestationCollectionUpdate {
+func (acu *AttestationCollectionUpdate) AddAttestationIDs(ids ...uuid.UUID) *AttestationCollectionUpdate {
 	acu.mutation.AddAttestationIDs(ids...)
 	return acu
 }

 // AddAttestations adds the "attestations" edges to the Attestation entity.
 func (acu *AttestationCollectionUpdate) AddAttestations(a ...*Attestation) *AttestationCollectionUpdate {
-	ids := make([]int, len(a))
+	ids := make([]uuid.UUID, len(a))
 	for i := range a {
 		ids[i] = a[i].ID
 	}
@ -59,7 +60,7 @@ func (acu *AttestationCollectionUpdate) AddAttestations(a ...*Attestation) *Atte
 }

 // SetStatementID sets the "statement" edge to the Statement entity by ID.
-func (acu *AttestationCollectionUpdate) SetStatementID(id int) *AttestationCollectionUpdate {
+func (acu *AttestationCollectionUpdate) SetStatementID(id uuid.UUID) *AttestationCollectionUpdate {
 	acu.mutation.SetStatementID(id)
 	return acu
 }
@ -81,14 +82,14 @@ func (acu *AttestationCollectionUpdate) ClearAttestations() *AttestationCollecti
 }

 // RemoveAttestationIDs removes the "attestations" edge to Attestation entities by IDs.
-func (acu *AttestationCollectionUpdate) RemoveAttestationIDs(ids ...int) *AttestationCollectionUpdate {
+func (acu *AttestationCollectionUpdate) RemoveAttestationIDs(ids ...uuid.UUID) *AttestationCollectionUpdate {
 	acu.mutation.RemoveAttestationIDs(ids...)
 	return acu
 }

 // RemoveAttestations removes "attestations" edges to Attestation entities.
 func (acu *AttestationCollectionUpdate) RemoveAttestations(a ...*Attestation) *AttestationCollectionUpdate {
-	ids := make([]int, len(a))
+	ids := make([]uuid.UUID, len(a))
 	for i := range a {
 		ids[i] = a[i].ID
 	}
@ -135,7 +136,7 @@ func (acu *AttestationCollectionUpdate) check() error {
 			return &ValidationError{Name: "name", err: fmt.Errorf(`ent: validator failed for field "AttestationCollection.name": %w`, err)}
 		}
 	}
-	if _, ok := acu.mutation.StatementID(); acu.mutation.StatementCleared() && !ok {
+	if acu.mutation.StatementCleared() && len(acu.mutation.StatementIDs()) > 0 {
 		return errors.New(`ent: clearing a required unique edge "AttestationCollection.statement"`)
 	}
 	return nil
@ -145,7 +146,7 @@ func (acu *AttestationCollectionUpdate) sqlSave(ctx context.Context) (n int, err
 	if err := acu.check(); err != nil {
 		return n, err
 	}
-	_spec := sqlgraph.NewUpdateSpec(attestationcollection.Table, attestationcollection.Columns, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewUpdateSpec(attestationcollection.Table, attestationcollection.Columns, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID))
 	if ps := acu.mutation.predicates; len(ps) > 0 {
 		_spec.Predicate = func(selector *sql.Selector) {
 			for i := range ps {
@ -164,7 +165,7 @@ func (acu *AttestationCollectionUpdate) sqlSave(ctx context.Context) (n int, err
 			Columns: []string{attestationcollection.AttestationsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -177,7 +178,7 @@ func (acu *AttestationCollectionUpdate) sqlSave(ctx context.Context) (n int, err
 			Columns: []string{attestationcollection.AttestationsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -193,7 +194,7 @@ func (acu *AttestationCollectionUpdate) sqlSave(ctx context.Context) (n int, err
 			Columns: []string{attestationcollection.AttestationsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -209,7 +210,7 @@ func (acu *AttestationCollectionUpdate) sqlSave(ctx context.Context) (n int, err
 			Columns: []string{attestationcollection.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -222,7 +223,7 @@ func (acu *AttestationCollectionUpdate) sqlSave(ctx context.Context) (n int, err
 			Columns: []string{attestationcollection.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -265,14 +266,14 @@ func (acuo *AttestationCollectionUpdateOne) SetNillableName(s *string) *Attestat
 }

 // AddAttestationIDs adds the "attestations" edge to the Attestation entity by IDs.
-func (acuo *AttestationCollectionUpdateOne) AddAttestationIDs(ids ...int) *AttestationCollectionUpdateOne {
+func (acuo *AttestationCollectionUpdateOne) AddAttestationIDs(ids ...uuid.UUID) *AttestationCollectionUpdateOne {
 	acuo.mutation.AddAttestationIDs(ids...)
 	return acuo
 }

 // AddAttestations adds the "attestations" edges to the Attestation entity.
 func (acuo *AttestationCollectionUpdateOne) AddAttestations(a ...*Attestation) *AttestationCollectionUpdateOne {
-	ids := make([]int, len(a))
+	ids := make([]uuid.UUID, len(a))
 	for i := range a {
 		ids[i] = a[i].ID
 	}
@ -280,7 +281,7 @@ func (acuo *AttestationCollectionUpdateOne) AddAttestations(a ...*Attestation) *
 }

 // SetStatementID sets the "statement" edge to the Statement entity by ID.
-func (acuo *AttestationCollectionUpdateOne) SetStatementID(id int) *AttestationCollectionUpdateOne {
+func (acuo *AttestationCollectionUpdateOne) SetStatementID(id uuid.UUID) *AttestationCollectionUpdateOne {
 	acuo.mutation.SetStatementID(id)
 	return acuo
 }
@ -302,14 +303,14 @@ func (acuo *AttestationCollectionUpdateOne) ClearAttestations() *AttestationColl
 }

 // RemoveAttestationIDs removes the "attestations" edge to Attestation entities by IDs.
-func (acuo *AttestationCollectionUpdateOne) RemoveAttestationIDs(ids ...int) *AttestationCollectionUpdateOne {
+func (acuo *AttestationCollectionUpdateOne) RemoveAttestationIDs(ids ...uuid.UUID) *AttestationCollectionUpdateOne {
 	acuo.mutation.RemoveAttestationIDs(ids...)
 	return acuo
 }

 // RemoveAttestations removes "attestations" edges to Attestation entities.
 func (acuo *AttestationCollectionUpdateOne) RemoveAttestations(a ...*Attestation) *AttestationCollectionUpdateOne {
-	ids := make([]int, len(a))
+	ids := make([]uuid.UUID, len(a))
 	for i := range a {
 		ids[i] = a[i].ID
 	}
@ -369,7 +370,7 @@ func (acuo *AttestationCollectionUpdateOne) check() error {
 			return &ValidationError{Name: "name", err: fmt.Errorf(`ent: validator failed for field "AttestationCollection.name": %w`, err)}
 		}
 	}
-	if _, ok := acuo.mutation.StatementID(); acuo.mutation.StatementCleared() && !ok {
+	if acuo.mutation.StatementCleared() && len(acuo.mutation.StatementIDs()) > 0 {
 		return errors.New(`ent: clearing a required unique edge "AttestationCollection.statement"`)
 	}
 	return nil
@ -379,7 +380,7 @@ func (acuo *AttestationCollectionUpdateOne) sqlSave(ctx context.Context) (_node
 	if err := acuo.check(); err != nil {
 		return _node, err
 	}
-	_spec := sqlgraph.NewUpdateSpec(attestationcollection.Table, attestationcollection.Columns, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewUpdateSpec(attestationcollection.Table, attestationcollection.Columns, sqlgraph.NewFieldSpec(attestationcollection.FieldID, field.TypeUUID))
 	id, ok := acuo.mutation.ID()
 	if !ok {
 		return nil, &ValidationError{Name: "id", err: errors.New(`ent: missing "AttestationCollection.id" for update`)}
@ -415,7 +416,7 @@ func (acuo *AttestationCollectionUpdateOne) sqlSave(ctx context.Context) (_node
 			Columns: []string{attestationcollection.AttestationsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -428,7 +429,7 @@ func (acuo *AttestationCollectionUpdateOne) sqlSave(ctx context.Context) (_node
 			Columns: []string{attestationcollection.AttestationsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -444,7 +445,7 @@ func (acuo *AttestationCollectionUpdateOne) sqlSave(ctx context.Context) (_node
 			Columns: []string{attestationcollection.AttestationsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(attestation.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -460,7 +461,7 @@ func (acuo *AttestationCollectionUpdateOne) sqlSave(ctx context.Context) (_node
 			Columns: []string{attestationcollection.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -473,7 +474,7 @@ func (acuo *AttestationCollectionUpdateOne) sqlSave(ctx context.Context) (_node
 			Columns: []string{attestationcollection.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
--- a/ent/attestationpolicy.go
+++ b/ent/attestationpolicy.go
@ -0,0 +1,145 @@
+// Code generated by ent, DO NOT EDIT.
+
+package ent
+
+import (
+	"fmt"
+	"strings"
+
+	"entgo.io/ent"
+	"entgo.io/ent/dialect/sql"
+	"github.com/google/uuid"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
+	"github.com/in-toto/archivista/ent/statement"
+)
+
+// AttestationPolicy is the model entity for the AttestationPolicy schema.
+type AttestationPolicy struct {
+	config `json:"-"`
+	// ID of the ent.
+	ID uuid.UUID `json:"id,omitempty"`
+	// Name holds the value of the "name" field.
+	Name string `json:"name,omitempty"`
+	// Edges holds the relations/edges for other nodes in the graph.
+	// The values are being populated by the AttestationPolicyQuery when eager-loading is set.
+	Edges            AttestationPolicyEdges `json:"edges"`
+	statement_policy *uuid.UUID
+	selectValues     sql.SelectValues
+}
+
+// AttestationPolicyEdges holds the relations/edges for other nodes in the graph.
+type AttestationPolicyEdges struct {
+	// Statement holds the value of the statement edge.
+	Statement *Statement `json:"statement,omitempty"`
+	// loadedTypes holds the information for reporting if a
+	// type was loaded (or requested) in eager-loading or not.
+	loadedTypes [1]bool
+	// totalCount holds the count of the edges above.
+	totalCount [1]map[string]int
+}
+
+// StatementOrErr returns the Statement value or an error if the edge
+// was not loaded in eager-loading, or loaded but was not found.
+func (e AttestationPolicyEdges) StatementOrErr() (*Statement, error) {
+	if e.Statement != nil {
+		return e.Statement, nil
+	} else if e.loadedTypes[0] {
+		return nil, &NotFoundError{label: statement.Label}
+	}
+	return nil, &NotLoadedError{edge: "statement"}
+}
+
+// scanValues returns the types for scanning values from sql.Rows.
+func (*AttestationPolicy) scanValues(columns []string) ([]any, error) {
+	values := make([]any, len(columns))
+	for i := range columns {
+		switch columns[i] {
+		case attestationpolicy.FieldName:
+			values[i] = new(sql.NullString)
+		case attestationpolicy.FieldID:
+			values[i] = new(uuid.UUID)
+		case attestationpolicy.ForeignKeys[0]: // statement_policy
+			values[i] = &sql.NullScanner{S: new(uuid.UUID)}
+		default:
+			values[i] = new(sql.UnknownType)
+		}
+	}
+	return values, nil
+}
+
+// assignValues assigns the values that were returned from sql.Rows (after scanning)
+// to the AttestationPolicy fields.
+func (ap *AttestationPolicy) assignValues(columns []string, values []any) error {
+	if m, n := len(values), len(columns); m < n {
+		return fmt.Errorf("mismatch number of scan values: %d != %d", m, n)
+	}
+	for i := range columns {
+		switch columns[i] {
+		case attestationpolicy.FieldID:
+			if value, ok := values[i].(*uuid.UUID); !ok {
+				return fmt.Errorf("unexpected type %T for field id", values[i])
+			} else if value != nil {
+				ap.ID = *value
+			}
+		case attestationpolicy.FieldName:
+			if value, ok := values[i].(*sql.NullString); !ok {
+				return fmt.Errorf("unexpected type %T for field name", values[i])
+			} else if value.Valid {
+				ap.Name = value.String
+			}
+		case attestationpolicy.ForeignKeys[0]:
+			if value, ok := values[i].(*sql.NullScanner); !ok {
+				return fmt.Errorf("unexpected type %T for field statement_policy", values[i])
+			} else if value.Valid {
+				ap.statement_policy = new(uuid.UUID)
+				*ap.statement_policy = *value.S.(*uuid.UUID)
+			}
+		default:
+			ap.selectValues.Set(columns[i], values[i])
+		}
+	}
+	return nil
+}
+
+// Value returns the ent.Value that was dynamically selected and assigned to the AttestationPolicy.
+// This includes values selected through modifiers, order, etc.
+func (ap *AttestationPolicy) Value(name string) (ent.Value, error) {
+	return ap.selectValues.Get(name)
+}
+
+// QueryStatement queries the "statement" edge of the AttestationPolicy entity.
+func (ap *AttestationPolicy) QueryStatement() *StatementQuery {
+	return NewAttestationPolicyClient(ap.config).QueryStatement(ap)
+}
+
+// Update returns a builder for updating this AttestationPolicy.
+// Note that you need to call AttestationPolicy.Unwrap() before calling this method if this AttestationPolicy
+// was returned from a transaction, and the transaction was committed or rolled back.
+func (ap *AttestationPolicy) Update() *AttestationPolicyUpdateOne {
+	return NewAttestationPolicyClient(ap.config).UpdateOne(ap)
+}
+
+// Unwrap unwraps the AttestationPolicy entity that was returned from a transaction after it was closed,
+// so that all future queries will be executed through the driver which created the transaction.
+func (ap *AttestationPolicy) Unwrap() *AttestationPolicy {
+	_tx, ok := ap.config.driver.(*txDriver)
+	if !ok {
+		panic("ent: AttestationPolicy is not a transactional entity")
+	}
+	ap.config.driver = _tx.drv
+	return ap
+}
+
+// String implements the fmt.Stringer.
+func (ap *AttestationPolicy) String() string {
+	var builder strings.Builder
+	builder.WriteString("AttestationPolicy(")
+	builder.WriteString(fmt.Sprintf("id=%v, ", ap.ID))
+	builder.WriteString("name=")
+	builder.WriteString(ap.Name)
+	builder.WriteByte(')')
+	return builder.String()
+}
+
+// AttestationPolicies is a parsable slice of AttestationPolicy.
+type AttestationPolicies []*AttestationPolicy
--- a/ent/attestationpolicy/attestationpolicy.go
+++ b/ent/attestationpolicy/attestationpolicy.go
@ -0,0 +1,90 @@
+// Code generated by ent, DO NOT EDIT.
+
+package attestationpolicy
+
+import (
+	"entgo.io/ent/dialect/sql"
+	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
+)
+
+const (
+	// Label holds the string label denoting the attestationpolicy type in the database.
+	Label = "attestation_policy"
+	// FieldID holds the string denoting the id field in the database.
+	FieldID = "id"
+	// FieldName holds the string denoting the name field in the database.
+	FieldName = "name"
+	// EdgeStatement holds the string denoting the statement edge name in mutations.
+	EdgeStatement = "statement"
+	// Table holds the table name of the attestationpolicy in the database.
+	Table = "attestation_policies"
+	// StatementTable is the table that holds the statement relation/edge.
+	StatementTable = "attestation_policies"
+	// StatementInverseTable is the table name for the Statement entity.
+	// It exists in this package in order to avoid circular dependency with the "statement" package.
+	StatementInverseTable = "statements"
+	// StatementColumn is the table column denoting the statement relation/edge.
+	StatementColumn = "statement_policy"
+)
+
+// Columns holds all SQL columns for attestationpolicy fields.
+var Columns = []string{
+	FieldID,
+	FieldName,
+}
+
+// ForeignKeys holds the SQL foreign-keys that are owned by the "attestation_policies"
+// table and are not defined as standalone fields in the schema.
+var ForeignKeys = []string{
+	"statement_policy",
+}
+
+// ValidColumn reports if the column name is valid (part of the table columns).
+func ValidColumn(column string) bool {
+	for i := range Columns {
+		if column == Columns[i] {
+			return true
+		}
+	}
+	for i := range ForeignKeys {
+		if column == ForeignKeys[i] {
+			return true
+		}
+	}
+	return false
+}
+
+var (
+	// NameValidator is a validator for the "name" field. It is called by the builders before save.
+	NameValidator func(string) error
+	// DefaultID holds the default value on creation for the "id" field.
+	DefaultID func() uuid.UUID
+)
+
+// OrderOption defines the ordering options for the AttestationPolicy queries.
+type OrderOption func(*sql.Selector)
+
+// ByID orders the results by the id field.
+func ByID(opts ...sql.OrderTermOption) OrderOption {
+	return sql.OrderByField(FieldID, opts...).ToFunc()
+}
+
+// ByName orders the results by the name field.
+func ByName(opts ...sql.OrderTermOption) OrderOption {
+	return sql.OrderByField(FieldName, opts...).ToFunc()
+}
+
+// ByStatementField orders the results by statement field.
+func ByStatementField(field string, opts ...sql.OrderTermOption) OrderOption {
+	return func(s *sql.Selector) {
+		sqlgraph.OrderByNeighborTerms(s, newStatementStep(), sql.OrderByField(field, opts...))
+	}
+}
+func newStatementStep() *sqlgraph.Step {
+	return sqlgraph.NewStep(
+		sqlgraph.From(Table, FieldID),
+		sqlgraph.To(StatementInverseTable, FieldID),
+		sqlgraph.Edge(sqlgraph.O2O, true, StatementTable, StatementColumn),
+	)
+}
--- a/ent/attestationpolicy/where.go
+++ b/ent/attestationpolicy/where.go
@ -0,0 +1,163 @@
+// Code generated by ent, DO NOT EDIT.
+
+package attestationpolicy
+
+import (
+	"entgo.io/ent/dialect/sql"
+	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
+	"github.com/in-toto/archivista/ent/predicate"
+)
+
+// ID filters vertices based on their ID field.
+func ID(id uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldEQ(FieldID, id))
+}
+
+// IDEQ applies the EQ predicate on the ID field.
+func IDEQ(id uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldEQ(FieldID, id))
+}
+
+// IDNEQ applies the NEQ predicate on the ID field.
+func IDNEQ(id uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldNEQ(FieldID, id))
+}
+
+// IDIn applies the In predicate on the ID field.
+func IDIn(ids ...uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldIn(FieldID, ids...))
+}
+
+// IDNotIn applies the NotIn predicate on the ID field.
+func IDNotIn(ids ...uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldNotIn(FieldID, ids...))
+}
+
+// IDGT applies the GT predicate on the ID field.
+func IDGT(id uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldGT(FieldID, id))
+}
+
+// IDGTE applies the GTE predicate on the ID field.
+func IDGTE(id uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldGTE(FieldID, id))
+}
+
+// IDLT applies the LT predicate on the ID field.
+func IDLT(id uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldLT(FieldID, id))
+}
+
+// IDLTE applies the LTE predicate on the ID field.
+func IDLTE(id uuid.UUID) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldLTE(FieldID, id))
+}
+
+// Name applies equality check predicate on the "name" field. It's identical to NameEQ.
+func Name(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldEQ(FieldName, v))
+}
+
+// NameEQ applies the EQ predicate on the "name" field.
+func NameEQ(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldEQ(FieldName, v))
+}
+
+// NameNEQ applies the NEQ predicate on the "name" field.
+func NameNEQ(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldNEQ(FieldName, v))
+}
+
+// NameIn applies the In predicate on the "name" field.
+func NameIn(vs ...string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldIn(FieldName, vs...))
+}
+
+// NameNotIn applies the NotIn predicate on the "name" field.
+func NameNotIn(vs ...string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldNotIn(FieldName, vs...))
+}
+
+// NameGT applies the GT predicate on the "name" field.
+func NameGT(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldGT(FieldName, v))
+}
+
+// NameGTE applies the GTE predicate on the "name" field.
+func NameGTE(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldGTE(FieldName, v))
+}
+
+// NameLT applies the LT predicate on the "name" field.
+func NameLT(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldLT(FieldName, v))
+}
+
+// NameLTE applies the LTE predicate on the "name" field.
+func NameLTE(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldLTE(FieldName, v))
+}
+
+// NameContains applies the Contains predicate on the "name" field.
+func NameContains(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldContains(FieldName, v))
+}
+
+// NameHasPrefix applies the HasPrefix predicate on the "name" field.
+func NameHasPrefix(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldHasPrefix(FieldName, v))
+}
+
+// NameHasSuffix applies the HasSuffix predicate on the "name" field.
+func NameHasSuffix(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldHasSuffix(FieldName, v))
+}
+
+// NameEqualFold applies the EqualFold predicate on the "name" field.
+func NameEqualFold(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldEqualFold(FieldName, v))
+}
+
+// NameContainsFold applies the ContainsFold predicate on the "name" field.
+func NameContainsFold(v string) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.FieldContainsFold(FieldName, v))
+}
+
+// HasStatement applies the HasEdge predicate on the "statement" edge.
+func HasStatement() predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(func(s *sql.Selector) {
+		step := sqlgraph.NewStep(
+			sqlgraph.From(Table, FieldID),
+			sqlgraph.Edge(sqlgraph.O2O, true, StatementTable, StatementColumn),
+		)
+		sqlgraph.HasNeighbors(s, step)
+	})
+}
+
+// HasStatementWith applies the HasEdge predicate on the "statement" edge with a given conditions (other predicates).
+func HasStatementWith(preds ...predicate.Statement) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(func(s *sql.Selector) {
+		step := newStatementStep()
+		sqlgraph.HasNeighborsWith(s, step, func(s *sql.Selector) {
+			for _, p := range preds {
+				p(s)
+			}
+		})
+	})
+}
+
+// And groups predicates with the AND operator between them.
+func And(predicates ...predicate.AttestationPolicy) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.AndPredicates(predicates...))
+}
+
+// Or groups predicates with the OR operator between them.
+func Or(predicates ...predicate.AttestationPolicy) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.OrPredicates(predicates...))
+}
+
+// Not applies the not operator on the given predicate.
+func Not(p predicate.AttestationPolicy) predicate.AttestationPolicy {
+	return predicate.AttestationPolicy(sql.NotPredicates(p))
+}
--- a/ent/attestationpolicy_create.go
+++ b/ent/attestationpolicy_create.go
@ -0,0 +1,255 @@
+// Code generated by ent, DO NOT EDIT.
+
+package ent
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"entgo.io/ent/dialect/sql/sqlgraph"
+	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
+	"github.com/in-toto/archivista/ent/statement"
+)
+
+// AttestationPolicyCreate is the builder for creating a AttestationPolicy entity.
+type AttestationPolicyCreate struct {
+	config
+	mutation *AttestationPolicyMutation
+	hooks    []Hook
+}
+
+// SetName sets the "name" field.
+func (apc *AttestationPolicyCreate) SetName(s string) *AttestationPolicyCreate {
+	apc.mutation.SetName(s)
+	return apc
+}
+
+// SetID sets the "id" field.
+func (apc *AttestationPolicyCreate) SetID(u uuid.UUID) *AttestationPolicyCreate {
+	apc.mutation.SetID(u)
+	return apc
+}
+
+// SetNillableID sets the "id" field if the given value is not nil.
+func (apc *AttestationPolicyCreate) SetNillableID(u *uuid.UUID) *AttestationPolicyCreate {
+	if u != nil {
+		apc.SetID(*u)
+	}
+	return apc
+}
+
+// SetStatementID sets the "statement" edge to the Statement entity by ID.
+func (apc *AttestationPolicyCreate) SetStatementID(id uuid.UUID) *AttestationPolicyCreate {
+	apc.mutation.SetStatementID(id)
+	return apc
+}
+
+// SetNillableStatementID sets the "statement" edge to the Statement entity by ID if the given value is not nil.
+func (apc *AttestationPolicyCreate) SetNillableStatementID(id *uuid.UUID) *AttestationPolicyCreate {
+	if id != nil {
+		apc = apc.SetStatementID(*id)
+	}
+	return apc
+}
+
+// SetStatement sets the "statement" edge to the Statement entity.
+func (apc *AttestationPolicyCreate) SetStatement(s *Statement) *AttestationPolicyCreate {
+	return apc.SetStatementID(s.ID)
+}
+
+// Mutation returns the AttestationPolicyMutation object of the builder.
+func (apc *AttestationPolicyCreate) Mutation() *AttestationPolicyMutation {
+	return apc.mutation
+}
+
+// Save creates the AttestationPolicy in the database.
+func (apc *AttestationPolicyCreate) Save(ctx context.Context) (*AttestationPolicy, error) {
+	apc.defaults()
+	return withHooks(ctx, apc.sqlSave, apc.mutation, apc.hooks)
+}
+
+// SaveX calls Save and panics if Save returns an error.
+func (apc *AttestationPolicyCreate) SaveX(ctx context.Context) *AttestationPolicy {
+	v, err := apc.Save(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return v
+}
+
+// Exec executes the query.
+func (apc *AttestationPolicyCreate) Exec(ctx context.Context) error {
+	_, err := apc.Save(ctx)
+	return err
+}
+
+// ExecX is like Exec, but panics if an error occurs.
+func (apc *AttestationPolicyCreate) ExecX(ctx context.Context) {
+	if err := apc.Exec(ctx); err != nil {
+		panic(err)
+	}
+}
+
+// defaults sets the default values of the builder before save.
+func (apc *AttestationPolicyCreate) defaults() {
+	if _, ok := apc.mutation.ID(); !ok {
+		v := attestationpolicy.DefaultID()
+		apc.mutation.SetID(v)
+	}
+}
+
+// check runs all checks and user-defined validators on the builder.
+func (apc *AttestationPolicyCreate) check() error {
+	if _, ok := apc.mutation.Name(); !ok {
+		return &ValidationError{Name: "name", err: errors.New(`ent: missing required field "AttestationPolicy.name"`)}
+	}
+	if v, ok := apc.mutation.Name(); ok {
+		if err := attestationpolicy.NameValidator(v); err != nil {
+			return &ValidationError{Name: "name", err: fmt.Errorf(`ent: validator failed for field "AttestationPolicy.name": %w`, err)}
+		}
+	}
+	return nil
+}
+
+func (apc *AttestationPolicyCreate) sqlSave(ctx context.Context) (*AttestationPolicy, error) {
+	if err := apc.check(); err != nil {
+		return nil, err
+	}
+	_node, _spec := apc.createSpec()
+	if err := sqlgraph.CreateNode(ctx, apc.driver, _spec); err != nil {
+		if sqlgraph.IsConstraintError(err) {
+			err = &ConstraintError{msg: err.Error(), wrap: err}
+		}
+		return nil, err
+	}
+	if _spec.ID.Value != nil {
+		if id, ok := _spec.ID.Value.(*uuid.UUID); ok {
+			_node.ID = *id
+		} else if err := _node.ID.Scan(_spec.ID.Value); err != nil {
+			return nil, err
+		}
+	}
+	apc.mutation.id = &_node.ID
+	apc.mutation.done = true
+	return _node, nil
+}
+
+func (apc *AttestationPolicyCreate) createSpec() (*AttestationPolicy, *sqlgraph.CreateSpec) {
+	var (
+		_node = &AttestationPolicy{config: apc.config}
+		_spec = sqlgraph.NewCreateSpec(attestationpolicy.Table, sqlgraph.NewFieldSpec(attestationpolicy.FieldID, field.TypeUUID))
+	)
+	if id, ok := apc.mutation.ID(); ok {
+		_node.ID = id
+		_spec.ID.Value = &id
+	}
+	if value, ok := apc.mutation.Name(); ok {
+		_spec.SetField(attestationpolicy.FieldName, field.TypeString, value)
+		_node.Name = value
+	}
+	if nodes := apc.mutation.StatementIDs(); len(nodes) > 0 {
+		edge := &sqlgraph.EdgeSpec{
+			Rel:     sqlgraph.O2O,
+			Inverse: true,
+			Table:   attestationpolicy.StatementTable,
+			Columns: []string{attestationpolicy.StatementColumn},
+			Bidi:    false,
+			Target: &sqlgraph.EdgeTarget{
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
+			},
+		}
+		for _, k := range nodes {
+			edge.Target.Nodes = append(edge.Target.Nodes, k)
+		}
+		_node.statement_policy = &nodes[0]
+		_spec.Edges = append(_spec.Edges, edge)
+	}
+	return _node, _spec
+}
+
+// AttestationPolicyCreateBulk is the builder for creating many AttestationPolicy entities in bulk.
+type AttestationPolicyCreateBulk struct {
+	config
+	err      error
+	builders []*AttestationPolicyCreate
+}
+
+// Save creates the AttestationPolicy entities in the database.
+func (apcb *AttestationPolicyCreateBulk) Save(ctx context.Context) ([]*AttestationPolicy, error) {
+	if apcb.err != nil {
+		return nil, apcb.err
+	}
+	specs := make([]*sqlgraph.CreateSpec, len(apcb.builders))
+	nodes := make([]*AttestationPolicy, len(apcb.builders))
+	mutators := make([]Mutator, len(apcb.builders))
+	for i := range apcb.builders {
+		func(i int, root context.Context) {
+			builder := apcb.builders[i]
+			builder.defaults()
+			var mut Mutator = MutateFunc(func(ctx context.Context, m Mutation) (Value, error) {
+				mutation, ok := m.(*AttestationPolicyMutation)
+				if !ok {
+					return nil, fmt.Errorf("unexpected mutation type %T", m)
+				}
+				if err := builder.check(); err != nil {
+					return nil, err
+				}
+				builder.mutation = mutation
+				var err error
+				nodes[i], specs[i] = builder.createSpec()
+				if i < len(mutators)-1 {
+					_, err = mutators[i+1].Mutate(root, apcb.builders[i+1].mutation)
+				} else {
+					spec := &sqlgraph.BatchCreateSpec{Nodes: specs}
+					// Invoke the actual operation on the latest mutation in the chain.
+					if err = sqlgraph.BatchCreate(ctx, apcb.driver, spec); err != nil {
+						if sqlgraph.IsConstraintError(err) {
+							err = &ConstraintError{msg: err.Error(), wrap: err}
+						}
+					}
+				}
+				if err != nil {
+					return nil, err
+				}
+				mutation.id = &nodes[i].ID
+				mutation.done = true
+				return nodes[i], nil
+			})
+			for i := len(builder.hooks) - 1; i >= 0; i-- {
+				mut = builder.hooks[i](mut)
+			}
+			mutators[i] = mut
+		}(i, ctx)
+	}
+	if len(mutators) > 0 {
+		if _, err := mutators[0].Mutate(ctx, apcb.builders[0].mutation); err != nil {
+			return nil, err
+		}
+	}
+	return nodes, nil
+}
+
+// SaveX is like Save, but panics if an error occurs.
+func (apcb *AttestationPolicyCreateBulk) SaveX(ctx context.Context) []*AttestationPolicy {
+	v, err := apcb.Save(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return v
+}
+
+// Exec executes the query.
+func (apcb *AttestationPolicyCreateBulk) Exec(ctx context.Context) error {
+	_, err := apcb.Save(ctx)
+	return err
+}
+
+// ExecX is like Exec, but panics if an error occurs.
+func (apcb *AttestationPolicyCreateBulk) ExecX(ctx context.Context) {
+	if err := apcb.Exec(ctx); err != nil {
+		panic(err)
+	}
+}
--- a/ent/attestationpolicy_delete.go
+++ b/ent/attestationpolicy_delete.go
@ -0,0 +1,88 @@
+// Code generated by ent, DO NOT EDIT.
+
+package ent
+
+import (
+	"context"
+
+	"entgo.io/ent/dialect/sql"
+	"entgo.io/ent/dialect/sql/sqlgraph"
+	"entgo.io/ent/schema/field"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
+	"github.com/in-toto/archivista/ent/predicate"
+)
+
+// AttestationPolicyDelete is the builder for deleting a AttestationPolicy entity.
+type AttestationPolicyDelete struct {
+	config
+	hooks    []Hook
+	mutation *AttestationPolicyMutation
+}
+
+// Where appends a list predicates to the AttestationPolicyDelete builder.
+func (apd *AttestationPolicyDelete) Where(ps ...predicate.AttestationPolicy) *AttestationPolicyDelete {
+	apd.mutation.Where(ps...)
+	return apd
+}
+
+// Exec executes the deletion query and returns how many vertices were deleted.
+func (apd *AttestationPolicyDelete) Exec(ctx context.Context) (int, error) {
+	return withHooks(ctx, apd.sqlExec, apd.mutation, apd.hooks)
+}
+
+// ExecX is like Exec, but panics if an error occurs.
+func (apd *AttestationPolicyDelete) ExecX(ctx context.Context) int {
+	n, err := apd.Exec(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return n
+}
+
+func (apd *AttestationPolicyDelete) sqlExec(ctx context.Context) (int, error) {
+	_spec := sqlgraph.NewDeleteSpec(attestationpolicy.Table, sqlgraph.NewFieldSpec(attestationpolicy.FieldID, field.TypeUUID))
+	if ps := apd.mutation.predicates; len(ps) > 0 {
+		_spec.Predicate = func(selector *sql.Selector) {
+			for i := range ps {
+				ps[i](selector)
+			}
+		}
+	}
+	affected, err := sqlgraph.DeleteNodes(ctx, apd.driver, _spec)
+	if err != nil && sqlgraph.IsConstraintError(err) {
+		err = &ConstraintError{msg: err.Error(), wrap: err}
+	}
+	apd.mutation.done = true
+	return affected, err
+}
+
+// AttestationPolicyDeleteOne is the builder for deleting a single AttestationPolicy entity.
+type AttestationPolicyDeleteOne struct {
+	apd *AttestationPolicyDelete
+}
+
+// Where appends a list predicates to the AttestationPolicyDelete builder.
+func (apdo *AttestationPolicyDeleteOne) Where(ps ...predicate.AttestationPolicy) *AttestationPolicyDeleteOne {
+	apdo.apd.mutation.Where(ps...)
+	return apdo
+}
+
+// Exec executes the deletion query.
+func (apdo *AttestationPolicyDeleteOne) Exec(ctx context.Context) error {
+	n, err := apdo.apd.Exec(ctx)
+	switch {
+	case err != nil:
+		return err
+	case n == 0:
+		return &NotFoundError{attestationpolicy.Label}
+	default:
+		return nil
+	}
+}
+
+// ExecX is like Exec, but panics if an error occurs.
+func (apdo *AttestationPolicyDeleteOne) ExecX(ctx context.Context) {
+	if err := apdo.Exec(ctx); err != nil {
+		panic(err)
+	}
+}
--- a/ent/attestationpolicy_query.go
+++ b/ent/attestationpolicy_query.go
@ -0,0 +1,628 @@
+// Code generated by ent, DO NOT EDIT.
+
+package ent
+
+import (
+	"context"
+	"fmt"
+	"math"
+
+	"entgo.io/ent"
+	"entgo.io/ent/dialect/sql"
+	"entgo.io/ent/dialect/sql/sqlgraph"
+	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
+	"github.com/in-toto/archivista/ent/predicate"
+	"github.com/in-toto/archivista/ent/statement"
+)
+
+// AttestationPolicyQuery is the builder for querying AttestationPolicy entities.
+type AttestationPolicyQuery struct {
+	config
+	ctx           *QueryContext
+	order         []attestationpolicy.OrderOption
+	inters        []Interceptor
+	predicates    []predicate.AttestationPolicy
+	withStatement *StatementQuery
+	withFKs       bool
+	modifiers     []func(*sql.Selector)
+	loadTotal     []func(context.Context, []*AttestationPolicy) error
+	// intermediate query (i.e. traversal path).
+	sql  *sql.Selector
+	path func(context.Context) (*sql.Selector, error)
+}
+
+// Where adds a new predicate for the AttestationPolicyQuery builder.
+func (apq *AttestationPolicyQuery) Where(ps ...predicate.AttestationPolicy) *AttestationPolicyQuery {
+	apq.predicates = append(apq.predicates, ps...)
+	return apq
+}
+
+// Limit the number of records to be returned by this query.
+func (apq *AttestationPolicyQuery) Limit(limit int) *AttestationPolicyQuery {
+	apq.ctx.Limit = &limit
+	return apq
+}
+
+// Offset to start from.
+func (apq *AttestationPolicyQuery) Offset(offset int) *AttestationPolicyQuery {
+	apq.ctx.Offset = &offset
+	return apq
+}
+
+// Unique configures the query builder to filter duplicate records on query.
+// By default, unique is set to true, and can be disabled using this method.
+func (apq *AttestationPolicyQuery) Unique(unique bool) *AttestationPolicyQuery {
+	apq.ctx.Unique = &unique
+	return apq
+}
+
+// Order specifies how the records should be ordered.
+func (apq *AttestationPolicyQuery) Order(o ...attestationpolicy.OrderOption) *AttestationPolicyQuery {
+	apq.order = append(apq.order, o...)
+	return apq
+}
+
+// QueryStatement chains the current query on the "statement" edge.
+func (apq *AttestationPolicyQuery) QueryStatement() *StatementQuery {
+	query := (&StatementClient{config: apq.config}).Query()
+	query.path = func(ctx context.Context) (fromU *sql.Selector, err error) {
+		if err := apq.prepareQuery(ctx); err != nil {
+			return nil, err
+		}
+		selector := apq.sqlQuery(ctx)
+		if err := selector.Err(); err != nil {
+			return nil, err
+		}
+		step := sqlgraph.NewStep(
+			sqlgraph.From(attestationpolicy.Table, attestationpolicy.FieldID, selector),
+			sqlgraph.To(statement.Table, statement.FieldID),
+			sqlgraph.Edge(sqlgraph.O2O, true, attestationpolicy.StatementTable, attestationpolicy.StatementColumn),
+		)
+		fromU = sqlgraph.SetNeighbors(apq.driver.Dialect(), step)
+		return fromU, nil
+	}
+	return query
+}
+
+// First returns the first AttestationPolicy entity from the query.
+// Returns a *NotFoundError when no AttestationPolicy was found.
+func (apq *AttestationPolicyQuery) First(ctx context.Context) (*AttestationPolicy, error) {
+	nodes, err := apq.Limit(1).All(setContextOp(ctx, apq.ctx, ent.OpQueryFirst))
+	if err != nil {
+		return nil, err
+	}
+	if len(nodes) == 0 {
+		return nil, &NotFoundError{attestationpolicy.Label}
+	}
+	return nodes[0], nil
+}
+
+// FirstX is like First, but panics if an error occurs.
+func (apq *AttestationPolicyQuery) FirstX(ctx context.Context) *AttestationPolicy {
+	node, err := apq.First(ctx)
+	if err != nil && !IsNotFound(err) {
+		panic(err)
+	}
+	return node
+}
+
+// FirstID returns the first AttestationPolicy ID from the query.
+// Returns a *NotFoundError when no AttestationPolicy ID was found.
+func (apq *AttestationPolicyQuery) FirstID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = apq.Limit(1).IDs(setContextOp(ctx, apq.ctx, ent.OpQueryFirstID)); err != nil {
+		return
+	}
+	if len(ids) == 0 {
+		err = &NotFoundError{attestationpolicy.Label}
+		return
+	}
+	return ids[0], nil
+}
+
+// FirstIDX is like FirstID, but panics if an error occurs.
+func (apq *AttestationPolicyQuery) FirstIDX(ctx context.Context) uuid.UUID {
+	id, err := apq.FirstID(ctx)
+	if err != nil && !IsNotFound(err) {
+		panic(err)
+	}
+	return id
+}
+
+// Only returns a single AttestationPolicy entity found by the query, ensuring it only returns one.
+// Returns a *NotSingularError when more than one AttestationPolicy entity is found.
+// Returns a *NotFoundError when no AttestationPolicy entities are found.
+func (apq *AttestationPolicyQuery) Only(ctx context.Context) (*AttestationPolicy, error) {
+	nodes, err := apq.Limit(2).All(setContextOp(ctx, apq.ctx, ent.OpQueryOnly))
+	if err != nil {
+		return nil, err
+	}
+	switch len(nodes) {
+	case 1:
+		return nodes[0], nil
+	case 0:
+		return nil, &NotFoundError{attestationpolicy.Label}
+	default:
+		return nil, &NotSingularError{attestationpolicy.Label}
+	}
+}
+
+// OnlyX is like Only, but panics if an error occurs.
+func (apq *AttestationPolicyQuery) OnlyX(ctx context.Context) *AttestationPolicy {
+	node, err := apq.Only(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return node
+}
+
+// OnlyID is like Only, but returns the only AttestationPolicy ID in the query.
+// Returns a *NotSingularError when more than one AttestationPolicy ID is found.
+// Returns a *NotFoundError when no entities are found.
+func (apq *AttestationPolicyQuery) OnlyID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = apq.Limit(2).IDs(setContextOp(ctx, apq.ctx, ent.OpQueryOnlyID)); err != nil {
+		return
+	}
+	switch len(ids) {
+	case 1:
+		id = ids[0]
+	case 0:
+		err = &NotFoundError{attestationpolicy.Label}
+	default:
+		err = &NotSingularError{attestationpolicy.Label}
+	}
+	return
+}
+
+// OnlyIDX is like OnlyID, but panics if an error occurs.
+func (apq *AttestationPolicyQuery) OnlyIDX(ctx context.Context) uuid.UUID {
+	id, err := apq.OnlyID(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return id
+}
+
+// All executes the query and returns a list of AttestationPolicies.
+func (apq *AttestationPolicyQuery) All(ctx context.Context) ([]*AttestationPolicy, error) {
+	ctx = setContextOp(ctx, apq.ctx, ent.OpQueryAll)
+	if err := apq.prepareQuery(ctx); err != nil {
+		return nil, err
+	}
+	qr := querierAll[[]*AttestationPolicy, *AttestationPolicyQuery]()
+	return withInterceptors[[]*AttestationPolicy](ctx, apq, qr, apq.inters)
+}
+
+// AllX is like All, but panics if an error occurs.
+func (apq *AttestationPolicyQuery) AllX(ctx context.Context) []*AttestationPolicy {
+	nodes, err := apq.All(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return nodes
+}
+
+// IDs executes the query and returns a list of AttestationPolicy IDs.
+func (apq *AttestationPolicyQuery) IDs(ctx context.Context) (ids []uuid.UUID, err error) {
+	if apq.ctx.Unique == nil && apq.path != nil {
+		apq.Unique(true)
+	}
+	ctx = setContextOp(ctx, apq.ctx, ent.OpQueryIDs)
+	if err = apq.Select(attestationpolicy.FieldID).Scan(ctx, &ids); err != nil {
+		return nil, err
+	}
+	return ids, nil
+}
+
+// IDsX is like IDs, but panics if an error occurs.
+func (apq *AttestationPolicyQuery) IDsX(ctx context.Context) []uuid.UUID {
+	ids, err := apq.IDs(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return ids
+}
+
+// Count returns the count of the given query.
+func (apq *AttestationPolicyQuery) Count(ctx context.Context) (int, error) {
+	ctx = setContextOp(ctx, apq.ctx, ent.OpQueryCount)
+	if err := apq.prepareQuery(ctx); err != nil {
+		return 0, err
+	}
+	return withInterceptors[int](ctx, apq, querierCount[*AttestationPolicyQuery](), apq.inters)
+}
+
+// CountX is like Count, but panics if an error occurs.
+func (apq *AttestationPolicyQuery) CountX(ctx context.Context) int {
+	count, err := apq.Count(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return count
+}
+
+// Exist returns true if the query has elements in the graph.
+func (apq *AttestationPolicyQuery) Exist(ctx context.Context) (bool, error) {
+	ctx = setContextOp(ctx, apq.ctx, ent.OpQueryExist)
+	switch _, err := apq.FirstID(ctx); {
+	case IsNotFound(err):
+		return false, nil
+	case err != nil:
+		return false, fmt.Errorf("ent: check existence: %w", err)
+	default:
+		return true, nil
+	}
+}
+
+// ExistX is like Exist, but panics if an error occurs.
+func (apq *AttestationPolicyQuery) ExistX(ctx context.Context) bool {
+	exist, err := apq.Exist(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return exist
+}
+
+// Clone returns a duplicate of the AttestationPolicyQuery builder, including all associated steps. It can be
+// used to prepare common query builders and use them differently after the clone is made.
+func (apq *AttestationPolicyQuery) Clone() *AttestationPolicyQuery {
+	if apq == nil {
+		return nil
+	}
+	return &AttestationPolicyQuery{
+		config:        apq.config,
+		ctx:           apq.ctx.Clone(),
+		order:         append([]attestationpolicy.OrderOption{}, apq.order...),
+		inters:        append([]Interceptor{}, apq.inters...),
+		predicates:    append([]predicate.AttestationPolicy{}, apq.predicates...),
+		withStatement: apq.withStatement.Clone(),
+		// clone intermediate query.
+		sql:  apq.sql.Clone(),
+		path: apq.path,
+	}
+}
+
+// WithStatement tells the query-builder to eager-load the nodes that are connected to
+// the "statement" edge. The optional arguments are used to configure the query builder of the edge.
+func (apq *AttestationPolicyQuery) WithStatement(opts ...func(*StatementQuery)) *AttestationPolicyQuery {
+	query := (&StatementClient{config: apq.config}).Query()
+	for _, opt := range opts {
+		opt(query)
+	}
+	apq.withStatement = query
+	return apq
+}
+
+// GroupBy is used to group vertices by one or more fields/columns.
+// It is often used with aggregate functions, like: count, max, mean, min, sum.
+//
+// Example:
+//
+//	var v []struct {
+//		Name string `json:"name,omitempty"`
+//		Count int `json:"count,omitempty"`
+//	}
+//
+//	client.AttestationPolicy.Query().
+//		GroupBy(attestationpolicy.FieldName).
+//		Aggregate(ent.Count()).
+//		Scan(ctx, &v)
+func (apq *AttestationPolicyQuery) GroupBy(field string, fields ...string) *AttestationPolicyGroupBy {
+	apq.ctx.Fields = append([]string{field}, fields...)
+	grbuild := &AttestationPolicyGroupBy{build: apq}
+	grbuild.flds = &apq.ctx.Fields
+	grbuild.label = attestationpolicy.Label
+	grbuild.scan = grbuild.Scan
+	return grbuild
+}
+
+// Select allows the selection one or more fields/columns for the given query,
+// instead of selecting all fields in the entity.
+//
+// Example:
+//
+//	var v []struct {
+//		Name string `json:"name,omitempty"`
+//	}
+//
+//	client.AttestationPolicy.Query().
+//		Select(attestationpolicy.FieldName).
+//		Scan(ctx, &v)
+func (apq *AttestationPolicyQuery) Select(fields ...string) *AttestationPolicySelect {
+	apq.ctx.Fields = append(apq.ctx.Fields, fields...)
+	sbuild := &AttestationPolicySelect{AttestationPolicyQuery: apq}
+	sbuild.label = attestationpolicy.Label
+	sbuild.flds, sbuild.scan = &apq.ctx.Fields, sbuild.Scan
+	return sbuild
+}
+
+// Aggregate returns a AttestationPolicySelect configured with the given aggregations.
+func (apq *AttestationPolicyQuery) Aggregate(fns ...AggregateFunc) *AttestationPolicySelect {
+	return apq.Select().Aggregate(fns...)
+}
+
+func (apq *AttestationPolicyQuery) prepareQuery(ctx context.Context) error {
+	for _, inter := range apq.inters {
+		if inter == nil {
+			return fmt.Errorf("ent: uninitialized interceptor (forgotten import ent/runtime?)")
+		}
+		if trv, ok := inter.(Traverser); ok {
+			if err := trv.Traverse(ctx, apq); err != nil {
+				return err
+			}
+		}
+	}
+	for _, f := range apq.ctx.Fields {
+		if !attestationpolicy.ValidColumn(f) {
+			return &ValidationError{Name: f, err: fmt.Errorf("ent: invalid field %q for query", f)}
+		}
+	}
+	if apq.path != nil {
+		prev, err := apq.path(ctx)
+		if err != nil {
+			return err
+		}
+		apq.sql = prev
+	}
+	return nil
+}
+
+func (apq *AttestationPolicyQuery) sqlAll(ctx context.Context, hooks ...queryHook) ([]*AttestationPolicy, error) {
+	var (
+		nodes       = []*AttestationPolicy{}
+		withFKs     = apq.withFKs
+		_spec       = apq.querySpec()
+		loadedTypes = [1]bool{
+			apq.withStatement != nil,
+		}
+	)
+	if apq.withStatement != nil {
+		withFKs = true
+	}
+	if withFKs {
+		_spec.Node.Columns = append(_spec.Node.Columns, attestationpolicy.ForeignKeys...)
+	}
+	_spec.ScanValues = func(columns []string) ([]any, error) {
+		return (*AttestationPolicy).scanValues(nil, columns)
+	}
+	_spec.Assign = func(columns []string, values []any) error {
+		node := &AttestationPolicy{config: apq.config}
+		nodes = append(nodes, node)
+		node.Edges.loadedTypes = loadedTypes
+		return node.assignValues(columns, values)
+	}
+	if len(apq.modifiers) > 0 {
+		_spec.Modifiers = apq.modifiers
+	}
+	for i := range hooks {
+		hooks[i](ctx, _spec)
+	}
+	if err := sqlgraph.QueryNodes(ctx, apq.driver, _spec); err != nil {
+		return nil, err
+	}
+	if len(nodes) == 0 {
+		return nodes, nil
+	}
+	if query := apq.withStatement; query != nil {
+		if err := apq.loadStatement(ctx, query, nodes, nil,
+			func(n *AttestationPolicy, e *Statement) { n.Edges.Statement = e }); err != nil {
+			return nil, err
+		}
+	}
+	for i := range apq.loadTotal {
+		if err := apq.loadTotal[i](ctx, nodes); err != nil {
+			return nil, err
+		}
+	}
+	return nodes, nil
+}
+
+func (apq *AttestationPolicyQuery) loadStatement(ctx context.Context, query *StatementQuery, nodes []*AttestationPolicy, init func(*AttestationPolicy), assign func(*AttestationPolicy, *Statement)) error {
+	ids := make([]uuid.UUID, 0, len(nodes))
+	nodeids := make(map[uuid.UUID][]*AttestationPolicy)
+	for i := range nodes {
+		if nodes[i].statement_policy == nil {
+			continue
+		}
+		fk := *nodes[i].statement_policy
+		if _, ok := nodeids[fk]; !ok {
+			ids = append(ids, fk)
+		}
+		nodeids[fk] = append(nodeids[fk], nodes[i])
+	}
+	if len(ids) == 0 {
+		return nil
+	}
+	query.Where(statement.IDIn(ids...))
+	neighbors, err := query.All(ctx)
+	if err != nil {
+		return err
+	}
+	for _, n := range neighbors {
+		nodes, ok := nodeids[n.ID]
+		if !ok {
+			return fmt.Errorf(`unexpected foreign-key "statement_policy" returned %v`, n.ID)
+		}
+		for i := range nodes {
+			assign(nodes[i], n)
+		}
+	}
+	return nil
+}
+
+func (apq *AttestationPolicyQuery) sqlCount(ctx context.Context) (int, error) {
+	_spec := apq.querySpec()
+	if len(apq.modifiers) > 0 {
+		_spec.Modifiers = apq.modifiers
+	}
+	_spec.Node.Columns = apq.ctx.Fields
+	if len(apq.ctx.Fields) > 0 {
+		_spec.Unique = apq.ctx.Unique != nil && *apq.ctx.Unique
+	}
+	return sqlgraph.CountNodes(ctx, apq.driver, _spec)
+}
+
+func (apq *AttestationPolicyQuery) querySpec() *sqlgraph.QuerySpec {
+	_spec := sqlgraph.NewQuerySpec(attestationpolicy.Table, attestationpolicy.Columns, sqlgraph.NewFieldSpec(attestationpolicy.FieldID, field.TypeUUID))
+	_spec.From = apq.sql
+	if unique := apq.ctx.Unique; unique != nil {
+		_spec.Unique = *unique
+	} else if apq.path != nil {
+		_spec.Unique = true
+	}
+	if fields := apq.ctx.Fields; len(fields) > 0 {
+		_spec.Node.Columns = make([]string, 0, len(fields))
+		_spec.Node.Columns = append(_spec.Node.Columns, attestationpolicy.FieldID)
+		for i := range fields {
+			if fields[i] != attestationpolicy.FieldID {
+				_spec.Node.Columns = append(_spec.Node.Columns, fields[i])
+			}
+		}
+	}
+	if ps := apq.predicates; len(ps) > 0 {
+		_spec.Predicate = func(selector *sql.Selector) {
+			for i := range ps {
+				ps[i](selector)
+			}
+		}
+	}
+	if limit := apq.ctx.Limit; limit != nil {
+		_spec.Limit = *limit
+	}
+	if offset := apq.ctx.Offset; offset != nil {
+		_spec.Offset = *offset
+	}
+	if ps := apq.order; len(ps) > 0 {
+		_spec.Order = func(selector *sql.Selector) {
+			for i := range ps {
+				ps[i](selector)
+			}
+		}
+	}
+	return _spec
+}
+
+func (apq *AttestationPolicyQuery) sqlQuery(ctx context.Context) *sql.Selector {
+	builder := sql.Dialect(apq.driver.Dialect())
+	t1 := builder.Table(attestationpolicy.Table)
+	columns := apq.ctx.Fields
+	if len(columns) == 0 {
+		columns = attestationpolicy.Columns
+	}
+	selector := builder.Select(t1.Columns(columns...)...).From(t1)
+	if apq.sql != nil {
+		selector = apq.sql
+		selector.Select(selector.Columns(columns...)...)
+	}
+	if apq.ctx.Unique != nil && *apq.ctx.Unique {
+		selector.Distinct()
+	}
+	for _, p := range apq.predicates {
+		p(selector)
+	}
+	for _, p := range apq.order {
+		p(selector)
+	}
+	if offset := apq.ctx.Offset; offset != nil {
+		// limit is mandatory for offset clause. We start
+		// with default value, and override it below if needed.
+		selector.Offset(*offset).Limit(math.MaxInt32)
+	}
+	if limit := apq.ctx.Limit; limit != nil {
+		selector.Limit(*limit)
+	}
+	return selector
+}
+
+// AttestationPolicyGroupBy is the group-by builder for AttestationPolicy entities.
+type AttestationPolicyGroupBy struct {
+	selector
+	build *AttestationPolicyQuery
+}
+
+// Aggregate adds the given aggregation functions to the group-by query.
+func (apgb *AttestationPolicyGroupBy) Aggregate(fns ...AggregateFunc) *AttestationPolicyGroupBy {
+	apgb.fns = append(apgb.fns, fns...)
+	return apgb
+}
+
+// Scan applies the selector query and scans the result into the given value.
+func (apgb *AttestationPolicyGroupBy) Scan(ctx context.Context, v any) error {
+	ctx = setContextOp(ctx, apgb.build.ctx, ent.OpQueryGroupBy)
+	if err := apgb.build.prepareQuery(ctx); err != nil {
+		return err
+	}
+	return scanWithInterceptors[*AttestationPolicyQuery, *AttestationPolicyGroupBy](ctx, apgb.build, apgb, apgb.build.inters, v)
+}
+
+func (apgb *AttestationPolicyGroupBy) sqlScan(ctx context.Context, root *AttestationPolicyQuery, v any) error {
+	selector := root.sqlQuery(ctx).Select()
+	aggregation := make([]string, 0, len(apgb.fns))
+	for _, fn := range apgb.fns {
+		aggregation = append(aggregation, fn(selector))
+	}
+	if len(selector.SelectedColumns()) == 0 {
+		columns := make([]string, 0, len(*apgb.flds)+len(apgb.fns))
+		for _, f := range *apgb.flds {
+			columns = append(columns, selector.C(f))
+		}
+		columns = append(columns, aggregation...)
+		selector.Select(columns...)
+	}
+	selector.GroupBy(selector.Columns(*apgb.flds...)...)
+	if err := selector.Err(); err != nil {
+		return err
+	}
+	rows := &sql.Rows{}
+	query, args := selector.Query()
+	if err := apgb.build.driver.Query(ctx, query, args, rows); err != nil {
+		return err
+	}
+	defer rows.Close()
+	return sql.ScanSlice(rows, v)
+}
+
+// AttestationPolicySelect is the builder for selecting fields of AttestationPolicy entities.
+type AttestationPolicySelect struct {
+	*AttestationPolicyQuery
+	selector
+}
+
+// Aggregate adds the given aggregation functions to the selector query.
+func (aps *AttestationPolicySelect) Aggregate(fns ...AggregateFunc) *AttestationPolicySelect {
+	aps.fns = append(aps.fns, fns...)
+	return aps
+}
+
+// Scan applies the selector query and scans the result into the given value.
+func (aps *AttestationPolicySelect) Scan(ctx context.Context, v any) error {
+	ctx = setContextOp(ctx, aps.ctx, ent.OpQuerySelect)
+	if err := aps.prepareQuery(ctx); err != nil {
+		return err
+	}
+	return scanWithInterceptors[*AttestationPolicyQuery, *AttestationPolicySelect](ctx, aps.AttestationPolicyQuery, aps, aps.inters, v)
+}
+
+func (aps *AttestationPolicySelect) sqlScan(ctx context.Context, root *AttestationPolicyQuery, v any) error {
+	selector := root.sqlQuery(ctx)
+	aggregation := make([]string, 0, len(aps.fns))
+	for _, fn := range aps.fns {
+		aggregation = append(aggregation, fn(selector))
+	}
+	switch n := len(*aps.selector.flds); {
+	case n == 0 && len(aggregation) > 0:
+		selector.Select(aggregation...)
+	case n != 0 && len(aggregation) > 0:
+		selector.AppendSelect(aggregation...)
+	}
+	rows := &sql.Rows{}
+	query, args := selector.Query()
+	if err := aps.driver.Query(ctx, query, args, rows); err != nil {
+		return err
+	}
+	defer rows.Close()
+	return sql.ScanSlice(rows, v)
+}
--- a/ent/attestationpolicy_update.go
+++ b/ent/attestationpolicy_update.go
@ -0,0 +1,345 @@
+// Code generated by ent, DO NOT EDIT.
+
+package ent
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"entgo.io/ent/dialect/sql"
+	"entgo.io/ent/dialect/sql/sqlgraph"
+	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
+	"github.com/in-toto/archivista/ent/predicate"
+	"github.com/in-toto/archivista/ent/statement"
+)
+
+// AttestationPolicyUpdate is the builder for updating AttestationPolicy entities.
+type AttestationPolicyUpdate struct {
+	config
+	hooks    []Hook
+	mutation *AttestationPolicyMutation
+}
+
+// Where appends a list predicates to the AttestationPolicyUpdate builder.
+func (apu *AttestationPolicyUpdate) Where(ps ...predicate.AttestationPolicy) *AttestationPolicyUpdate {
+	apu.mutation.Where(ps...)
+	return apu
+}
+
+// SetName sets the "name" field.
+func (apu *AttestationPolicyUpdate) SetName(s string) *AttestationPolicyUpdate {
+	apu.mutation.SetName(s)
+	return apu
+}
+
+// SetNillableName sets the "name" field if the given value is not nil.
+func (apu *AttestationPolicyUpdate) SetNillableName(s *string) *AttestationPolicyUpdate {
+	if s != nil {
+		apu.SetName(*s)
+	}
+	return apu
+}
+
+// SetStatementID sets the "statement" edge to the Statement entity by ID.
+func (apu *AttestationPolicyUpdate) SetStatementID(id uuid.UUID) *AttestationPolicyUpdate {
+	apu.mutation.SetStatementID(id)
+	return apu
+}
+
+// SetNillableStatementID sets the "statement" edge to the Statement entity by ID if the given value is not nil.
+func (apu *AttestationPolicyUpdate) SetNillableStatementID(id *uuid.UUID) *AttestationPolicyUpdate {
+	if id != nil {
+		apu = apu.SetStatementID(*id)
+	}
+	return apu
+}
+
+// SetStatement sets the "statement" edge to the Statement entity.
+func (apu *AttestationPolicyUpdate) SetStatement(s *Statement) *AttestationPolicyUpdate {
+	return apu.SetStatementID(s.ID)
+}
+
+// Mutation returns the AttestationPolicyMutation object of the builder.
+func (apu *AttestationPolicyUpdate) Mutation() *AttestationPolicyMutation {
+	return apu.mutation
+}
+
+// ClearStatement clears the "statement" edge to the Statement entity.
+func (apu *AttestationPolicyUpdate) ClearStatement() *AttestationPolicyUpdate {
+	apu.mutation.ClearStatement()
+	return apu
+}
+
+// Save executes the query and returns the number of nodes affected by the update operation.
+func (apu *AttestationPolicyUpdate) Save(ctx context.Context) (int, error) {
+	return withHooks(ctx, apu.sqlSave, apu.mutation, apu.hooks)
+}
+
+// SaveX is like Save, but panics if an error occurs.
+func (apu *AttestationPolicyUpdate) SaveX(ctx context.Context) int {
+	affected, err := apu.Save(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return affected
+}
+
+// Exec executes the query.
+func (apu *AttestationPolicyUpdate) Exec(ctx context.Context) error {
+	_, err := apu.Save(ctx)
+	return err
+}
+
+// ExecX is like Exec, but panics if an error occurs.
+func (apu *AttestationPolicyUpdate) ExecX(ctx context.Context) {
+	if err := apu.Exec(ctx); err != nil {
+		panic(err)
+	}
+}
+
+// check runs all checks and user-defined validators on the builder.
+func (apu *AttestationPolicyUpdate) check() error {
+	if v, ok := apu.mutation.Name(); ok {
+		if err := attestationpolicy.NameValidator(v); err != nil {
+			return &ValidationError{Name: "name", err: fmt.Errorf(`ent: validator failed for field "AttestationPolicy.name": %w`, err)}
+		}
+	}
+	return nil
+}
+
+func (apu *AttestationPolicyUpdate) sqlSave(ctx context.Context) (n int, err error) {
+	if err := apu.check(); err != nil {
+		return n, err
+	}
+	_spec := sqlgraph.NewUpdateSpec(attestationpolicy.Table, attestationpolicy.Columns, sqlgraph.NewFieldSpec(attestationpolicy.FieldID, field.TypeUUID))
+	if ps := apu.mutation.predicates; len(ps) > 0 {
+		_spec.Predicate = func(selector *sql.Selector) {
+			for i := range ps {
+				ps[i](selector)
+			}
+		}
+	}
+	if value, ok := apu.mutation.Name(); ok {
+		_spec.SetField(attestationpolicy.FieldName, field.TypeString, value)
+	}
+	if apu.mutation.StatementCleared() {
+		edge := &sqlgraph.EdgeSpec{
+			Rel:     sqlgraph.O2O,
+			Inverse: true,
+			Table:   attestationpolicy.StatementTable,
+			Columns: []string{attestationpolicy.StatementColumn},
+			Bidi:    false,
+			Target: &sqlgraph.EdgeTarget{
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
+			},
+		}
+		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
+	}
+	if nodes := apu.mutation.StatementIDs(); len(nodes) > 0 {
+		edge := &sqlgraph.EdgeSpec{
+			Rel:     sqlgraph.O2O,
+			Inverse: true,
+			Table:   attestationpolicy.StatementTable,
+			Columns: []string{attestationpolicy.StatementColumn},
+			Bidi:    false,
+			Target: &sqlgraph.EdgeTarget{
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
+			},
+		}
+		for _, k := range nodes {
+			edge.Target.Nodes = append(edge.Target.Nodes, k)
+		}
+		_spec.Edges.Add = append(_spec.Edges.Add, edge)
+	}
+	if n, err = sqlgraph.UpdateNodes(ctx, apu.driver, _spec); err != nil {
+		if _, ok := err.(*sqlgraph.NotFoundError); ok {
+			err = &NotFoundError{attestationpolicy.Label}
+		} else if sqlgraph.IsConstraintError(err) {
+			err = &ConstraintError{msg: err.Error(), wrap: err}
+		}
+		return 0, err
+	}
+	apu.mutation.done = true
+	return n, nil
+}
+
+// AttestationPolicyUpdateOne is the builder for updating a single AttestationPolicy entity.
+type AttestationPolicyUpdateOne struct {
+	config
+	fields   []string
+	hooks    []Hook
+	mutation *AttestationPolicyMutation
+}
+
+// SetName sets the "name" field.
+func (apuo *AttestationPolicyUpdateOne) SetName(s string) *AttestationPolicyUpdateOne {
+	apuo.mutation.SetName(s)
+	return apuo
+}
+
+// SetNillableName sets the "name" field if the given value is not nil.
+func (apuo *AttestationPolicyUpdateOne) SetNillableName(s *string) *AttestationPolicyUpdateOne {
+	if s != nil {
+		apuo.SetName(*s)
+	}
+	return apuo
+}
+
+// SetStatementID sets the "statement" edge to the Statement entity by ID.
+func (apuo *AttestationPolicyUpdateOne) SetStatementID(id uuid.UUID) *AttestationPolicyUpdateOne {
+	apuo.mutation.SetStatementID(id)
+	return apuo
+}
+
+// SetNillableStatementID sets the "statement" edge to the Statement entity by ID if the given value is not nil.
+func (apuo *AttestationPolicyUpdateOne) SetNillableStatementID(id *uuid.UUID) *AttestationPolicyUpdateOne {
+	if id != nil {
+		apuo = apuo.SetStatementID(*id)
+	}
+	return apuo
+}
+
+// SetStatement sets the "statement" edge to the Statement entity.
+func (apuo *AttestationPolicyUpdateOne) SetStatement(s *Statement) *AttestationPolicyUpdateOne {
+	return apuo.SetStatementID(s.ID)
+}
+
+// Mutation returns the AttestationPolicyMutation object of the builder.
+func (apuo *AttestationPolicyUpdateOne) Mutation() *AttestationPolicyMutation {
+	return apuo.mutation
+}
+
+// ClearStatement clears the "statement" edge to the Statement entity.
+func (apuo *AttestationPolicyUpdateOne) ClearStatement() *AttestationPolicyUpdateOne {
+	apuo.mutation.ClearStatement()
+	return apuo
+}
+
+// Where appends a list predicates to the AttestationPolicyUpdate builder.
+func (apuo *AttestationPolicyUpdateOne) Where(ps ...predicate.AttestationPolicy) *AttestationPolicyUpdateOne {
+	apuo.mutation.Where(ps...)
+	return apuo
+}
+
+// Select allows selecting one or more fields (columns) of the returned entity.
+// The default is selecting all fields defined in the entity schema.
+func (apuo *AttestationPolicyUpdateOne) Select(field string, fields ...string) *AttestationPolicyUpdateOne {
+	apuo.fields = append([]string{field}, fields...)
+	return apuo
+}
+
+// Save executes the query and returns the updated AttestationPolicy entity.
+func (apuo *AttestationPolicyUpdateOne) Save(ctx context.Context) (*AttestationPolicy, error) {
+	return withHooks(ctx, apuo.sqlSave, apuo.mutation, apuo.hooks)
+}
+
+// SaveX is like Save, but panics if an error occurs.
+func (apuo *AttestationPolicyUpdateOne) SaveX(ctx context.Context) *AttestationPolicy {
+	node, err := apuo.Save(ctx)
+	if err != nil {
+		panic(err)
+	}
+	return node
+}
+
+// Exec executes the query on the entity.
+func (apuo *AttestationPolicyUpdateOne) Exec(ctx context.Context) error {
+	_, err := apuo.Save(ctx)
+	return err
+}
+
+// ExecX is like Exec, but panics if an error occurs.
+func (apuo *AttestationPolicyUpdateOne) ExecX(ctx context.Context) {
+	if err := apuo.Exec(ctx); err != nil {
+		panic(err)
+	}
+}
+
+// check runs all checks and user-defined validators on the builder.
+func (apuo *AttestationPolicyUpdateOne) check() error {
+	if v, ok := apuo.mutation.Name(); ok {
+		if err := attestationpolicy.NameValidator(v); err != nil {
+			return &ValidationError{Name: "name", err: fmt.Errorf(`ent: validator failed for field "AttestationPolicy.name": %w`, err)}
+		}
+	}
+	return nil
+}
+
+func (apuo *AttestationPolicyUpdateOne) sqlSave(ctx context.Context) (_node *AttestationPolicy, err error) {
+	if err := apuo.check(); err != nil {
+		return _node, err
+	}
+	_spec := sqlgraph.NewUpdateSpec(attestationpolicy.Table, attestationpolicy.Columns, sqlgraph.NewFieldSpec(attestationpolicy.FieldID, field.TypeUUID))
+	id, ok := apuo.mutation.ID()
+	if !ok {
+		return nil, &ValidationError{Name: "id", err: errors.New(`ent: missing "AttestationPolicy.id" for update`)}
+	}
+	_spec.Node.ID.Value = id
+	if fields := apuo.fields; len(fields) > 0 {
+		_spec.Node.Columns = make([]string, 0, len(fields))
+		_spec.Node.Columns = append(_spec.Node.Columns, attestationpolicy.FieldID)
+		for _, f := range fields {
+			if !attestationpolicy.ValidColumn(f) {
+				return nil, &ValidationError{Name: f, err: fmt.Errorf("ent: invalid field %q for query", f)}
+			}
+			if f != attestationpolicy.FieldID {
+				_spec.Node.Columns = append(_spec.Node.Columns, f)
+			}
+		}
+	}
+	if ps := apuo.mutation.predicates; len(ps) > 0 {
+		_spec.Predicate = func(selector *sql.Selector) {
+			for i := range ps {
+				ps[i](selector)
+			}
+		}
+	}
+	if value, ok := apuo.mutation.Name(); ok {
+		_spec.SetField(attestationpolicy.FieldName, field.TypeString, value)
+	}
+	if apuo.mutation.StatementCleared() {
+		edge := &sqlgraph.EdgeSpec{
+			Rel:     sqlgraph.O2O,
+			Inverse: true,
+			Table:   attestationpolicy.StatementTable,
+			Columns: []string{attestationpolicy.StatementColumn},
+			Bidi:    false,
+			Target: &sqlgraph.EdgeTarget{
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
+			},
+		}
+		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
+	}
+	if nodes := apuo.mutation.StatementIDs(); len(nodes) > 0 {
+		edge := &sqlgraph.EdgeSpec{
+			Rel:     sqlgraph.O2O,
+			Inverse: true,
+			Table:   attestationpolicy.StatementTable,
+			Columns: []string{attestationpolicy.StatementColumn},
+			Bidi:    false,
+			Target: &sqlgraph.EdgeTarget{
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
+			},
+		}
+		for _, k := range nodes {
+			edge.Target.Nodes = append(edge.Target.Nodes, k)
+		}
+		_spec.Edges.Add = append(_spec.Edges.Add, edge)
+	}
+	_node = &AttestationPolicy{config: apuo.config}
+	_spec.Assign = _node.assignValues
+	_spec.ScanValues = _node.scanValues
+	if err = sqlgraph.UpdateNode(ctx, apuo.driver, _spec); err != nil {
+		if _, ok := err.(*sqlgraph.NotFoundError); ok {
+			err = &NotFoundError{attestationpolicy.Label}
+		} else if sqlgraph.IsConstraintError(err) {
+			err = &ConstraintError{msg: err.Error(), wrap: err}
+		}
+		return nil, err
+	}
+	apuo.mutation.done = true
+	return _node, nil
+}
--- a/ent/client.go
+++ b/ent/client.go
@ -9,6 +9,7 @@ import (
 	"log"
 	"reflect"

+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/migrate"

 	"entgo.io/ent"
@ -17,6 +18,7 @@ import (
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/signature"
@ -35,6 +37,8 @@ type Client struct {
 	Attestation *AttestationClient
 	// AttestationCollection is the client for interacting with the AttestationCollection builders.
 	AttestationCollection *AttestationCollectionClient
+	// AttestationPolicy is the client for interacting with the AttestationPolicy builders.
+	AttestationPolicy *AttestationPolicyClient
 	// Dsse is the client for interacting with the Dsse builders.
 	Dsse *DsseClient
 	// PayloadDigest is the client for interacting with the PayloadDigest builders.
@ -49,8 +53,6 @@ type Client struct {
 	SubjectDigest *SubjectDigestClient
 	// Timestamp is the client for interacting with the Timestamp builders.
 	Timestamp *TimestampClient
-	// additional fields for node api
-	tables tables
 }

 // NewClient creates a new client configured with the given options.
@ -64,6 +66,7 @@ func (c *Client) init() {
 	c.Schema = migrate.NewSchema(c.driver)
 	c.Attestation = NewAttestationClient(c.config)
 	c.AttestationCollection = NewAttestationCollectionClient(c.config)
+	c.AttestationPolicy = NewAttestationPolicyClient(c.config)
 	c.Dsse = NewDsseClient(c.config)
 	c.PayloadDigest = NewPayloadDigestClient(c.config)
 	c.Signature = NewSignatureClient(c.config)
@ -165,6 +168,7 @@ func (c *Client) Tx(ctx context.Context) (*Tx, error) {
 		config:                cfg,
 		Attestation:           NewAttestationClient(cfg),
 		AttestationCollection: NewAttestationCollectionClient(cfg),
+		AttestationPolicy:     NewAttestationPolicyClient(cfg),
 		Dsse:                  NewDsseClient(cfg),
 		PayloadDigest:         NewPayloadDigestClient(cfg),
 		Signature:             NewSignatureClient(cfg),
@ -193,6 +197,7 @@ func (c *Client) BeginTx(ctx context.Context, opts *sql.TxOptions) (*Tx, error)
 		config:                cfg,
 		Attestation:           NewAttestationClient(cfg),
 		AttestationCollection: NewAttestationCollectionClient(cfg),
+		AttestationPolicy:     NewAttestationPolicyClient(cfg),
 		Dsse:                  NewDsseClient(cfg),
 		PayloadDigest:         NewPayloadDigestClient(cfg),
 		Signature:             NewSignatureClient(cfg),
@ -229,8 +234,9 @@ func (c *Client) Close() error {
 // In order to add hooks to a specific client, call: `client.Node.Use(...)`.
 func (c *Client) Use(hooks ...Hook) {
 	for _, n := range []interface{ Use(...Hook) }{
-		c.Attestation, c.AttestationCollection, c.Dsse, c.PayloadDigest, c.Signature,
-		c.Statement, c.Subject, c.SubjectDigest, c.Timestamp,
+		c.Attestation, c.AttestationCollection, c.AttestationPolicy, c.Dsse,
+		c.PayloadDigest, c.Signature, c.Statement, c.Subject, c.SubjectDigest,
+		c.Timestamp,
 	} {
 		n.Use(hooks...)
 	}
@ -240,8 +246,9 @@ func (c *Client) Use(hooks ...Hook) {
 // In order to add interceptors to a specific client, call: `client.Node.Intercept(...)`.
 func (c *Client) Intercept(interceptors ...Interceptor) {
 	for _, n := range []interface{ Intercept(...Interceptor) }{
-		c.Attestation, c.AttestationCollection, c.Dsse, c.PayloadDigest, c.Signature,
-		c.Statement, c.Subject, c.SubjectDigest, c.Timestamp,
+		c.Attestation, c.AttestationCollection, c.AttestationPolicy, c.Dsse,
+		c.PayloadDigest, c.Signature, c.Statement, c.Subject, c.SubjectDigest,
+		c.Timestamp,
 	} {
 		n.Intercept(interceptors...)
 	}
@ -254,6 +261,8 @@ func (c *Client) Mutate(ctx context.Context, m Mutation) (Value, error) {
 		return c.Attestation.mutate(ctx, m)
 	case *AttestationCollectionMutation:
 		return c.AttestationCollection.mutate(ctx, m)
+	case *AttestationPolicyMutation:
+		return c.AttestationPolicy.mutate(ctx, m)
 	case *DsseMutation:
 		return c.Dsse.mutate(ctx, m)
 	case *PayloadDigestMutation:
@ -334,7 +343,7 @@ func (c *AttestationClient) UpdateOne(a *Attestation) *AttestationUpdateOne {
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *AttestationClient) UpdateOneID(id int) *AttestationUpdateOne {
+func (c *AttestationClient) UpdateOneID(id uuid.UUID) *AttestationUpdateOne {
 	mutation := newAttestationMutation(c.config, OpUpdateOne, withAttestationID(id))
 	return &AttestationUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -351,7 +360,7 @@ func (c *AttestationClient) DeleteOne(a *Attestation) *AttestationDeleteOne {
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *AttestationClient) DeleteOneID(id int) *AttestationDeleteOne {
+func (c *AttestationClient) DeleteOneID(id uuid.UUID) *AttestationDeleteOne {
 	builder := c.Delete().Where(attestation.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -368,12 +377,12 @@ func (c *AttestationClient) Query() *AttestationQuery {
 }

 // Get returns a Attestation entity by its id.
-func (c *AttestationClient) Get(ctx context.Context, id int) (*Attestation, error) {
+func (c *AttestationClient) Get(ctx context.Context, id uuid.UUID) (*Attestation, error) {
 	return c.Query().Where(attestation.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *AttestationClient) GetX(ctx context.Context, id int) *Attestation {
+func (c *AttestationClient) GetX(ctx context.Context, id uuid.UUID) *Attestation {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -483,7 +492,7 @@ func (c *AttestationCollectionClient) UpdateOne(ac *AttestationCollection) *Atte
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *AttestationCollectionClient) UpdateOneID(id int) *AttestationCollectionUpdateOne {
+func (c *AttestationCollectionClient) UpdateOneID(id uuid.UUID) *AttestationCollectionUpdateOne {
 	mutation := newAttestationCollectionMutation(c.config, OpUpdateOne, withAttestationCollectionID(id))
 	return &AttestationCollectionUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -500,7 +509,7 @@ func (c *AttestationCollectionClient) DeleteOne(ac *AttestationCollection) *Atte
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *AttestationCollectionClient) DeleteOneID(id int) *AttestationCollectionDeleteOne {
+func (c *AttestationCollectionClient) DeleteOneID(id uuid.UUID) *AttestationCollectionDeleteOne {
 	builder := c.Delete().Where(attestationcollection.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -517,12 +526,12 @@ func (c *AttestationCollectionClient) Query() *AttestationCollectionQuery {
 }

 // Get returns a AttestationCollection entity by its id.
-func (c *AttestationCollectionClient) Get(ctx context.Context, id int) (*AttestationCollection, error) {
+func (c *AttestationCollectionClient) Get(ctx context.Context, id uuid.UUID) (*AttestationCollection, error) {
 	return c.Query().Where(attestationcollection.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *AttestationCollectionClient) GetX(ctx context.Context, id int) *AttestationCollection {
+func (c *AttestationCollectionClient) GetX(ctx context.Context, id uuid.UUID) *AttestationCollection {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -587,6 +596,155 @@ func (c *AttestationCollectionClient) mutate(ctx context.Context, m *Attestation
 	}
 }

+// AttestationPolicyClient is a client for the AttestationPolicy schema.
+type AttestationPolicyClient struct {
+	config
+}
+
+// NewAttestationPolicyClient returns a client for the AttestationPolicy from the given config.
+func NewAttestationPolicyClient(c config) *AttestationPolicyClient {
+	return &AttestationPolicyClient{config: c}
+}
+
+// Use adds a list of mutation hooks to the hooks stack.
+// A call to `Use(f, g, h)` equals to `attestationpolicy.Hooks(f(g(h())))`.
+func (c *AttestationPolicyClient) Use(hooks ...Hook) {
+	c.hooks.AttestationPolicy = append(c.hooks.AttestationPolicy, hooks...)
+}
+
+// Intercept adds a list of query interceptors to the interceptors stack.
+// A call to `Intercept(f, g, h)` equals to `attestationpolicy.Intercept(f(g(h())))`.
+func (c *AttestationPolicyClient) Intercept(interceptors ...Interceptor) {
+	c.inters.AttestationPolicy = append(c.inters.AttestationPolicy, interceptors...)
+}
+
+// Create returns a builder for creating a AttestationPolicy entity.
+func (c *AttestationPolicyClient) Create() *AttestationPolicyCreate {
+	mutation := newAttestationPolicyMutation(c.config, OpCreate)
+	return &AttestationPolicyCreate{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// CreateBulk returns a builder for creating a bulk of AttestationPolicy entities.
+func (c *AttestationPolicyClient) CreateBulk(builders ...*AttestationPolicyCreate) *AttestationPolicyCreateBulk {
+	return &AttestationPolicyCreateBulk{config: c.config, builders: builders}
+}
+
+// MapCreateBulk creates a bulk creation builder from the given slice. For each item in the slice, the function creates
+// a builder and applies setFunc on it.
+func (c *AttestationPolicyClient) MapCreateBulk(slice any, setFunc func(*AttestationPolicyCreate, int)) *AttestationPolicyCreateBulk {
+	rv := reflect.ValueOf(slice)
+	if rv.Kind() != reflect.Slice {
+		return &AttestationPolicyCreateBulk{err: fmt.Errorf("calling to AttestationPolicyClient.MapCreateBulk with wrong type %T, need slice", slice)}
+	}
+	builders := make([]*AttestationPolicyCreate, rv.Len())
+	for i := 0; i < rv.Len(); i++ {
+		builders[i] = c.Create()
+		setFunc(builders[i], i)
+	}
+	return &AttestationPolicyCreateBulk{config: c.config, builders: builders}
+}
+
+// Update returns an update builder for AttestationPolicy.
+func (c *AttestationPolicyClient) Update() *AttestationPolicyUpdate {
+	mutation := newAttestationPolicyMutation(c.config, OpUpdate)
+	return &AttestationPolicyUpdate{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// UpdateOne returns an update builder for the given entity.
+func (c *AttestationPolicyClient) UpdateOne(ap *AttestationPolicy) *AttestationPolicyUpdateOne {
+	mutation := newAttestationPolicyMutation(c.config, OpUpdateOne, withAttestationPolicy(ap))
+	return &AttestationPolicyUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// UpdateOneID returns an update builder for the given id.
+func (c *AttestationPolicyClient) UpdateOneID(id uuid.UUID) *AttestationPolicyUpdateOne {
+	mutation := newAttestationPolicyMutation(c.config, OpUpdateOne, withAttestationPolicyID(id))
+	return &AttestationPolicyUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// Delete returns a delete builder for AttestationPolicy.
+func (c *AttestationPolicyClient) Delete() *AttestationPolicyDelete {
+	mutation := newAttestationPolicyMutation(c.config, OpDelete)
+	return &AttestationPolicyDelete{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// DeleteOne returns a builder for deleting the given entity.
+func (c *AttestationPolicyClient) DeleteOne(ap *AttestationPolicy) *AttestationPolicyDeleteOne {
+	return c.DeleteOneID(ap.ID)
+}
+
+// DeleteOneID returns a builder for deleting the given entity by its id.
+func (c *AttestationPolicyClient) DeleteOneID(id uuid.UUID) *AttestationPolicyDeleteOne {
+	builder := c.Delete().Where(attestationpolicy.ID(id))
+	builder.mutation.id = &id
+	builder.mutation.op = OpDeleteOne
+	return &AttestationPolicyDeleteOne{builder}
+}
+
+// Query returns a query builder for AttestationPolicy.
+func (c *AttestationPolicyClient) Query() *AttestationPolicyQuery {
+	return &AttestationPolicyQuery{
+		config: c.config,
+		ctx:    &QueryContext{Type: TypeAttestationPolicy},
+		inters: c.Interceptors(),
+	}
+}
+
+// Get returns a AttestationPolicy entity by its id.
+func (c *AttestationPolicyClient) Get(ctx context.Context, id uuid.UUID) (*AttestationPolicy, error) {
+	return c.Query().Where(attestationpolicy.ID(id)).Only(ctx)
+}
+
+// GetX is like Get, but panics if an error occurs.
+func (c *AttestationPolicyClient) GetX(ctx context.Context, id uuid.UUID) *AttestationPolicy {
+	obj, err := c.Get(ctx, id)
+	if err != nil {
+		panic(err)
+	}
+	return obj
+}
+
+// QueryStatement queries the statement edge of a AttestationPolicy.
+func (c *AttestationPolicyClient) QueryStatement(ap *AttestationPolicy) *StatementQuery {
+	query := (&StatementClient{config: c.config}).Query()
+	query.path = func(context.Context) (fromV *sql.Selector, _ error) {
+		id := ap.ID
+		step := sqlgraph.NewStep(
+			sqlgraph.From(attestationpolicy.Table, attestationpolicy.FieldID, id),
+			sqlgraph.To(statement.Table, statement.FieldID),
+			sqlgraph.Edge(sqlgraph.O2O, true, attestationpolicy.StatementTable, attestationpolicy.StatementColumn),
+		)
+		fromV = sqlgraph.Neighbors(ap.driver.Dialect(), step)
+		return fromV, nil
+	}
+	return query
+}
+
+// Hooks returns the client hooks.
+func (c *AttestationPolicyClient) Hooks() []Hook {
+	return c.hooks.AttestationPolicy
+}
+
+// Interceptors returns the client interceptors.
+func (c *AttestationPolicyClient) Interceptors() []Interceptor {
+	return c.inters.AttestationPolicy
+}
+
+func (c *AttestationPolicyClient) mutate(ctx context.Context, m *AttestationPolicyMutation) (Value, error) {
+	switch m.Op() {
+	case OpCreate:
+		return (&AttestationPolicyCreate{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
+	case OpUpdate:
+		return (&AttestationPolicyUpdate{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
+	case OpUpdateOne:
+		return (&AttestationPolicyUpdateOne{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
+	case OpDelete, OpDeleteOne:
+		return (&AttestationPolicyDelete{config: c.config, hooks: c.Hooks(), mutation: m}).Exec(ctx)
+	default:
+		return nil, fmt.Errorf("ent: unknown AttestationPolicy mutation op: %q", m.Op())
+	}
+}
+
 // DsseClient is a client for the Dsse schema.
 type DsseClient struct {
 	config
@ -648,7 +806,7 @@ func (c *DsseClient) UpdateOne(d *Dsse) *DsseUpdateOne {
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *DsseClient) UpdateOneID(id int) *DsseUpdateOne {
+func (c *DsseClient) UpdateOneID(id uuid.UUID) *DsseUpdateOne {
 	mutation := newDsseMutation(c.config, OpUpdateOne, withDsseID(id))
 	return &DsseUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -665,7 +823,7 @@ func (c *DsseClient) DeleteOne(d *Dsse) *DsseDeleteOne {
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *DsseClient) DeleteOneID(id int) *DsseDeleteOne {
+func (c *DsseClient) DeleteOneID(id uuid.UUID) *DsseDeleteOne {
 	builder := c.Delete().Where(dsse.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -682,12 +840,12 @@ func (c *DsseClient) Query() *DsseQuery {
 }

 // Get returns a Dsse entity by its id.
-func (c *DsseClient) Get(ctx context.Context, id int) (*Dsse, error) {
+func (c *DsseClient) Get(ctx context.Context, id uuid.UUID) (*Dsse, error) {
 	return c.Query().Where(dsse.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *DsseClient) GetX(ctx context.Context, id int) *Dsse {
+func (c *DsseClient) GetX(ctx context.Context, id uuid.UUID) *Dsse {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -829,7 +987,7 @@ func (c *PayloadDigestClient) UpdateOne(pd *PayloadDigest) *PayloadDigestUpdateO
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *PayloadDigestClient) UpdateOneID(id int) *PayloadDigestUpdateOne {
+func (c *PayloadDigestClient) UpdateOneID(id uuid.UUID) *PayloadDigestUpdateOne {
 	mutation := newPayloadDigestMutation(c.config, OpUpdateOne, withPayloadDigestID(id))
 	return &PayloadDigestUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -846,7 +1004,7 @@ func (c *PayloadDigestClient) DeleteOne(pd *PayloadDigest) *PayloadDigestDeleteO
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *PayloadDigestClient) DeleteOneID(id int) *PayloadDigestDeleteOne {
+func (c *PayloadDigestClient) DeleteOneID(id uuid.UUID) *PayloadDigestDeleteOne {
 	builder := c.Delete().Where(payloaddigest.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -863,12 +1021,12 @@ func (c *PayloadDigestClient) Query() *PayloadDigestQuery {
 }

 // Get returns a PayloadDigest entity by its id.
-func (c *PayloadDigestClient) Get(ctx context.Context, id int) (*PayloadDigest, error) {
+func (c *PayloadDigestClient) Get(ctx context.Context, id uuid.UUID) (*PayloadDigest, error) {
 	return c.Query().Where(payloaddigest.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *PayloadDigestClient) GetX(ctx context.Context, id int) *PayloadDigest {
+func (c *PayloadDigestClient) GetX(ctx context.Context, id uuid.UUID) *PayloadDigest {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -978,7 +1136,7 @@ func (c *SignatureClient) UpdateOne(s *Signature) *SignatureUpdateOne {
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *SignatureClient) UpdateOneID(id int) *SignatureUpdateOne {
+func (c *SignatureClient) UpdateOneID(id uuid.UUID) *SignatureUpdateOne {
 	mutation := newSignatureMutation(c.config, OpUpdateOne, withSignatureID(id))
 	return &SignatureUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -995,7 +1153,7 @@ func (c *SignatureClient) DeleteOne(s *Signature) *SignatureDeleteOne {
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *SignatureClient) DeleteOneID(id int) *SignatureDeleteOne {
+func (c *SignatureClient) DeleteOneID(id uuid.UUID) *SignatureDeleteOne {
 	builder := c.Delete().Where(signature.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -1012,12 +1170,12 @@ func (c *SignatureClient) Query() *SignatureQuery {
 }

 // Get returns a Signature entity by its id.
-func (c *SignatureClient) Get(ctx context.Context, id int) (*Signature, error) {
+func (c *SignatureClient) Get(ctx context.Context, id uuid.UUID) (*Signature, error) {
 	return c.Query().Where(signature.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *SignatureClient) GetX(ctx context.Context, id int) *Signature {
+func (c *SignatureClient) GetX(ctx context.Context, id uuid.UUID) *Signature {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -1143,7 +1301,7 @@ func (c *StatementClient) UpdateOne(s *Statement) *StatementUpdateOne {
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *StatementClient) UpdateOneID(id int) *StatementUpdateOne {
+func (c *StatementClient) UpdateOneID(id uuid.UUID) *StatementUpdateOne {
 	mutation := newStatementMutation(c.config, OpUpdateOne, withStatementID(id))
 	return &StatementUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -1160,7 +1318,7 @@ func (c *StatementClient) DeleteOne(s *Statement) *StatementDeleteOne {
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *StatementClient) DeleteOneID(id int) *StatementDeleteOne {
+func (c *StatementClient) DeleteOneID(id uuid.UUID) *StatementDeleteOne {
 	builder := c.Delete().Where(statement.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -1177,12 +1335,12 @@ func (c *StatementClient) Query() *StatementQuery {
 }

 // Get returns a Statement entity by its id.
-func (c *StatementClient) Get(ctx context.Context, id int) (*Statement, error) {
+func (c *StatementClient) Get(ctx context.Context, id uuid.UUID) (*Statement, error) {
 	return c.Query().Where(statement.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *StatementClient) GetX(ctx context.Context, id int) *Statement {
+func (c *StatementClient) GetX(ctx context.Context, id uuid.UUID) *Statement {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -1206,6 +1364,22 @@ func (c *StatementClient) QuerySubjects(s *Statement) *SubjectQuery {
 	return query
 }

+// QueryPolicy queries the policy edge of a Statement.
+func (c *StatementClient) QueryPolicy(s *Statement) *AttestationPolicyQuery {
+	query := (&AttestationPolicyClient{config: c.config}).Query()
+	query.path = func(context.Context) (fromV *sql.Selector, _ error) {
+		id := s.ID
+		step := sqlgraph.NewStep(
+			sqlgraph.From(statement.Table, statement.FieldID, id),
+			sqlgraph.To(attestationpolicy.Table, attestationpolicy.FieldID),
+			sqlgraph.Edge(sqlgraph.O2O, false, statement.PolicyTable, statement.PolicyColumn),
+		)
+		fromV = sqlgraph.Neighbors(s.driver.Dialect(), step)
+		return fromV, nil
+	}
+	return query
+}
+
 // QueryAttestationCollections queries the attestation_collections edge of a Statement.
 func (c *StatementClient) QueryAttestationCollections(s *Statement) *AttestationCollectionQuery {
 	query := (&AttestationCollectionClient{config: c.config}).Query()
@ -1324,7 +1498,7 @@ func (c *SubjectClient) UpdateOne(s *Subject) *SubjectUpdateOne {
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *SubjectClient) UpdateOneID(id int) *SubjectUpdateOne {
+func (c *SubjectClient) UpdateOneID(id uuid.UUID) *SubjectUpdateOne {
 	mutation := newSubjectMutation(c.config, OpUpdateOne, withSubjectID(id))
 	return &SubjectUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -1341,7 +1515,7 @@ func (c *SubjectClient) DeleteOne(s *Subject) *SubjectDeleteOne {
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *SubjectClient) DeleteOneID(id int) *SubjectDeleteOne {
+func (c *SubjectClient) DeleteOneID(id uuid.UUID) *SubjectDeleteOne {
 	builder := c.Delete().Where(subject.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -1358,12 +1532,12 @@ func (c *SubjectClient) Query() *SubjectQuery {
 }

 // Get returns a Subject entity by its id.
-func (c *SubjectClient) Get(ctx context.Context, id int) (*Subject, error) {
+func (c *SubjectClient) Get(ctx context.Context, id uuid.UUID) (*Subject, error) {
 	return c.Query().Where(subject.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *SubjectClient) GetX(ctx context.Context, id int) *Subject {
+func (c *SubjectClient) GetX(ctx context.Context, id uuid.UUID) *Subject {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -1489,7 +1663,7 @@ func (c *SubjectDigestClient) UpdateOne(sd *SubjectDigest) *SubjectDigestUpdateO
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *SubjectDigestClient) UpdateOneID(id int) *SubjectDigestUpdateOne {
+func (c *SubjectDigestClient) UpdateOneID(id uuid.UUID) *SubjectDigestUpdateOne {
 	mutation := newSubjectDigestMutation(c.config, OpUpdateOne, withSubjectDigestID(id))
 	return &SubjectDigestUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -1506,7 +1680,7 @@ func (c *SubjectDigestClient) DeleteOne(sd *SubjectDigest) *SubjectDigestDeleteO
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *SubjectDigestClient) DeleteOneID(id int) *SubjectDigestDeleteOne {
+func (c *SubjectDigestClient) DeleteOneID(id uuid.UUID) *SubjectDigestDeleteOne {
 	builder := c.Delete().Where(subjectdigest.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -1523,12 +1697,12 @@ func (c *SubjectDigestClient) Query() *SubjectDigestQuery {
 }

 // Get returns a SubjectDigest entity by its id.
-func (c *SubjectDigestClient) Get(ctx context.Context, id int) (*SubjectDigest, error) {
+func (c *SubjectDigestClient) Get(ctx context.Context, id uuid.UUID) (*SubjectDigest, error) {
 	return c.Query().Where(subjectdigest.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *SubjectDigestClient) GetX(ctx context.Context, id int) *SubjectDigest {
+func (c *SubjectDigestClient) GetX(ctx context.Context, id uuid.UUID) *SubjectDigest {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -1638,7 +1812,7 @@ func (c *TimestampClient) UpdateOne(t *Timestamp) *TimestampUpdateOne {
 }

 // UpdateOneID returns an update builder for the given id.
-func (c *TimestampClient) UpdateOneID(id int) *TimestampUpdateOne {
+func (c *TimestampClient) UpdateOneID(id uuid.UUID) *TimestampUpdateOne {
 	mutation := newTimestampMutation(c.config, OpUpdateOne, withTimestampID(id))
 	return &TimestampUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
 }
@ -1655,7 +1829,7 @@ func (c *TimestampClient) DeleteOne(t *Timestamp) *TimestampDeleteOne {
 }

 // DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *TimestampClient) DeleteOneID(id int) *TimestampDeleteOne {
+func (c *TimestampClient) DeleteOneID(id uuid.UUID) *TimestampDeleteOne {
 	builder := c.Delete().Where(timestamp.ID(id))
 	builder.mutation.id = &id
 	builder.mutation.op = OpDeleteOne
@ -1672,12 +1846,12 @@ func (c *TimestampClient) Query() *TimestampQuery {
 }

 // Get returns a Timestamp entity by its id.
-func (c *TimestampClient) Get(ctx context.Context, id int) (*Timestamp, error) {
+func (c *TimestampClient) Get(ctx context.Context, id uuid.UUID) (*Timestamp, error) {
 	return c.Query().Where(timestamp.ID(id)).Only(ctx)
 }

 // GetX is like Get, but panics if an error occurs.
-func (c *TimestampClient) GetX(ctx context.Context, id int) *Timestamp {
+func (c *TimestampClient) GetX(ctx context.Context, id uuid.UUID) *Timestamp {
 	obj, err := c.Get(ctx, id)
 	if err != nil {
 		panic(err)
@ -1729,11 +1903,11 @@ func (c *TimestampClient) mutate(ctx context.Context, m *TimestampMutation) (Val
 // hooks and interceptors per client, for fast access.
 type (
 	hooks struct {
-		Attestation, AttestationCollection, Dsse, PayloadDigest, Signature, Statement,
-		Subject, SubjectDigest, Timestamp []ent.Hook
+		Attestation, AttestationCollection, AttestationPolicy, Dsse, PayloadDigest,
+		Signature, Statement, Subject, SubjectDigest, Timestamp []ent.Hook
 	}
 	inters struct {
-		Attestation, AttestationCollection, Dsse, PayloadDigest, Signature, Statement,
-		Subject, SubjectDigest, Timestamp []ent.Interceptor
+		Attestation, AttestationCollection, AttestationPolicy, Dsse, PayloadDigest,
+		Signature, Statement, Subject, SubjectDigest, Timestamp []ent.Interceptor
 	}
 )
--- a/ent/dsse.go
+++ b/ent/dsse.go
@ -8,6 +8,7 @@ import (

 	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/statement"
 )
@ -16,7 +17,7 @@ import (
 type Dsse struct {
 	config `json:"-"`
 	// ID of the ent.
-	ID int `json:"id,omitempty"`
+	ID uuid.UUID `json:"id,omitempty"`
 	// GitoidSha256 holds the value of the "gitoid_sha256" field.
 	GitoidSha256 string `json:"gitoid_sha256,omitempty"`
 	// PayloadType holds the value of the "payload_type" field.
@ -24,7 +25,7 @@ type Dsse struct {
 	// Edges holds the relations/edges for other nodes in the graph.
 	// The values are being populated by the DsseQuery when eager-loading is set.
 	Edges          DsseEdges `json:"edges"`
-	dsse_statement *int
+	dsse_statement *uuid.UUID
 	selectValues   sql.SelectValues
 }

@ -49,12 +50,10 @@ type DsseEdges struct {
 // StatementOrErr returns the Statement value or an error if the edge
 // was not loaded in eager-loading, or loaded but was not found.
 func (e DsseEdges) StatementOrErr() (*Statement, error) {
-	if e.loadedTypes[0] {
-		if e.Statement == nil {
-			// Edge was loaded but was not found.
-			return nil, &NotFoundError{label: statement.Label}
-		}
+	if e.Statement != nil {
 		return e.Statement, nil
+	} else if e.loadedTypes[0] {
+		return nil, &NotFoundError{label: statement.Label}
 	}
 	return nil, &NotLoadedError{edge: "statement"}
 }
@ -82,12 +81,12 @@ func (*Dsse) scanValues(columns []string) ([]any, error) {
 	values := make([]any, len(columns))
 	for i := range columns {
 		switch columns[i] {
-		case dsse.FieldID:
-			values[i] = new(sql.NullInt64)
 		case dsse.FieldGitoidSha256, dsse.FieldPayloadType:
 			values[i] = new(sql.NullString)
+		case dsse.FieldID:
+			values[i] = new(uuid.UUID)
 		case dsse.ForeignKeys[0]: // dsse_statement
-			values[i] = new(sql.NullInt64)
+			values[i] = &sql.NullScanner{S: new(uuid.UUID)}
 		default:
 			values[i] = new(sql.UnknownType)
 		}
@ -104,11 +103,11 @@ func (d *Dsse) assignValues(columns []string, values []any) error {
 	for i := range columns {
 		switch columns[i] {
 		case dsse.FieldID:
-			value, ok := values[i].(*sql.NullInt64)
-			if !ok {
-				return fmt.Errorf("unexpected type %T for field id", value)
+			if value, ok := values[i].(*uuid.UUID); !ok {
+				return fmt.Errorf("unexpected type %T for field id", values[i])
+			} else if value != nil {
+				d.ID = *value
 			}
-			d.ID = int(value.Int64)
 		case dsse.FieldGitoidSha256:
 			if value, ok := values[i].(*sql.NullString); !ok {
 				return fmt.Errorf("unexpected type %T for field gitoid_sha256", values[i])
@ -122,11 +121,11 @@ func (d *Dsse) assignValues(columns []string, values []any) error {
 				d.PayloadType = value.String
 			}
 		case dsse.ForeignKeys[0]:
-			if value, ok := values[i].(*sql.NullInt64); !ok {
-				return fmt.Errorf("unexpected type %T for edge-field dsse_statement", value)
+			if value, ok := values[i].(*sql.NullScanner); !ok {
+				return fmt.Errorf("unexpected type %T for field dsse_statement", values[i])
 			} else if value.Valid {
-				d.dsse_statement = new(int)
-				*d.dsse_statement = int(value.Int64)
+				d.dsse_statement = new(uuid.UUID)
+				*d.dsse_statement = *value.S.(*uuid.UUID)
 			}
 		default:
 			d.selectValues.Set(columns[i], values[i])
--- a/ent/dsse/dsse.go
+++ b/ent/dsse/dsse.go
@ -5,6 +5,7 @@ package dsse
 import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
 )

 const (
@ -80,6 +81,8 @@ var (
 	GitoidSha256Validator func(string) error
 	// PayloadTypeValidator is a validator for the "payload_type" field. It is called by the builders before save.
 	PayloadTypeValidator func(string) error
+	// DefaultID holds the default value on creation for the "id" field.
+	DefaultID func() uuid.UUID
 )

 // OrderOption defines the ordering options for the Dsse queries.
--- a/ent/dsse/where.go
+++ b/ent/dsse/where.go
@ -5,51 +5,52 @@ package dsse
 import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/predicate"
 )

 // ID filters vertices based on their ID field.
-func ID(id int) predicate.Dsse {
+func ID(id uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldEQ(FieldID, id))
 }

 // IDEQ applies the EQ predicate on the ID field.
-func IDEQ(id int) predicate.Dsse {
+func IDEQ(id uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldEQ(FieldID, id))
 }

 // IDNEQ applies the NEQ predicate on the ID field.
-func IDNEQ(id int) predicate.Dsse {
+func IDNEQ(id uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldNEQ(FieldID, id))
 }

 // IDIn applies the In predicate on the ID field.
-func IDIn(ids ...int) predicate.Dsse {
+func IDIn(ids ...uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldIn(FieldID, ids...))
 }

 // IDNotIn applies the NotIn predicate on the ID field.
-func IDNotIn(ids ...int) predicate.Dsse {
+func IDNotIn(ids ...uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldNotIn(FieldID, ids...))
 }

 // IDGT applies the GT predicate on the ID field.
-func IDGT(id int) predicate.Dsse {
+func IDGT(id uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldGT(FieldID, id))
 }

 // IDGTE applies the GTE predicate on the ID field.
-func IDGTE(id int) predicate.Dsse {
+func IDGTE(id uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldGTE(FieldID, id))
 }

 // IDLT applies the LT predicate on the ID field.
-func IDLT(id int) predicate.Dsse {
+func IDLT(id uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldLT(FieldID, id))
 }

 // IDLTE applies the LTE predicate on the ID field.
-func IDLTE(id int) predicate.Dsse {
+func IDLTE(id uuid.UUID) predicate.Dsse {
 	return predicate.Dsse(sql.FieldLTE(FieldID, id))
 }

--- a/ent/dsse_create.go
+++ b/ent/dsse_create.go
@ -9,6 +9,7 @@ import (

 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/signature"
@ -34,14 +35,28 @@ func (dc *DsseCreate) SetPayloadType(s string) *DsseCreate {
 	return dc
 }

+// SetID sets the "id" field.
+func (dc *DsseCreate) SetID(u uuid.UUID) *DsseCreate {
+	dc.mutation.SetID(u)
+	return dc
+}
+
+// SetNillableID sets the "id" field if the given value is not nil.
+func (dc *DsseCreate) SetNillableID(u *uuid.UUID) *DsseCreate {
+	if u != nil {
+		dc.SetID(*u)
+	}
+	return dc
+}
+
 // SetStatementID sets the "statement" edge to the Statement entity by ID.
-func (dc *DsseCreate) SetStatementID(id int) *DsseCreate {
+func (dc *DsseCreate) SetStatementID(id uuid.UUID) *DsseCreate {
 	dc.mutation.SetStatementID(id)
 	return dc
 }

 // SetNillableStatementID sets the "statement" edge to the Statement entity by ID if the given value is not nil.
-func (dc *DsseCreate) SetNillableStatementID(id *int) *DsseCreate {
+func (dc *DsseCreate) SetNillableStatementID(id *uuid.UUID) *DsseCreate {
 	if id != nil {
 		dc = dc.SetStatementID(*id)
 	}
@ -54,14 +69,14 @@ func (dc *DsseCreate) SetStatement(s *Statement) *DsseCreate {
 }

 // AddSignatureIDs adds the "signatures" edge to the Signature entity by IDs.
-func (dc *DsseCreate) AddSignatureIDs(ids ...int) *DsseCreate {
+func (dc *DsseCreate) AddSignatureIDs(ids ...uuid.UUID) *DsseCreate {
 	dc.mutation.AddSignatureIDs(ids...)
 	return dc
 }

 // AddSignatures adds the "signatures" edges to the Signature entity.
 func (dc *DsseCreate) AddSignatures(s ...*Signature) *DsseCreate {
-	ids := make([]int, len(s))
+	ids := make([]uuid.UUID, len(s))
 	for i := range s {
 		ids[i] = s[i].ID
 	}
@ -69,14 +84,14 @@ func (dc *DsseCreate) AddSignatures(s ...*Signature) *DsseCreate {
 }

 // AddPayloadDigestIDs adds the "payload_digests" edge to the PayloadDigest entity by IDs.
-func (dc *DsseCreate) AddPayloadDigestIDs(ids ...int) *DsseCreate {
+func (dc *DsseCreate) AddPayloadDigestIDs(ids ...uuid.UUID) *DsseCreate {
 	dc.mutation.AddPayloadDigestIDs(ids...)
 	return dc
 }

 // AddPayloadDigests adds the "payload_digests" edges to the PayloadDigest entity.
 func (dc *DsseCreate) AddPayloadDigests(p ...*PayloadDigest) *DsseCreate {
-	ids := make([]int, len(p))
+	ids := make([]uuid.UUID, len(p))
 	for i := range p {
 		ids[i] = p[i].ID
 	}
@ -90,6 +105,7 @@ func (dc *DsseCreate) Mutation() *DsseMutation {

 // Save creates the Dsse in the database.
 func (dc *DsseCreate) Save(ctx context.Context) (*Dsse, error) {
+	dc.defaults()
 	return withHooks(ctx, dc.sqlSave, dc.mutation, dc.hooks)
 }

@ -115,6 +131,14 @@ func (dc *DsseCreate) ExecX(ctx context.Context) {
 	}
 }

+// defaults sets the default values of the builder before save.
+func (dc *DsseCreate) defaults() {
+	if _, ok := dc.mutation.ID(); !ok {
+		v := dsse.DefaultID()
+		dc.mutation.SetID(v)
+	}
+}
+
 // check runs all checks and user-defined validators on the builder.
 func (dc *DsseCreate) check() error {
 	if _, ok := dc.mutation.GitoidSha256(); !ok {
@ -147,8 +171,13 @@ func (dc *DsseCreate) sqlSave(ctx context.Context) (*Dsse, error) {
 		}
 		return nil, err
 	}
-	id := _spec.ID.Value.(int64)
-	_node.ID = int(id)
+	if _spec.ID.Value != nil {
+		if id, ok := _spec.ID.Value.(*uuid.UUID); ok {
+			_node.ID = *id
+		} else if err := _node.ID.Scan(_spec.ID.Value); err != nil {
+			return nil, err
+		}
+	}
 	dc.mutation.id = &_node.ID
 	dc.mutation.done = true
 	return _node, nil
@ -157,8 +186,12 @@ func (dc *DsseCreate) sqlSave(ctx context.Context) (*Dsse, error) {
 func (dc *DsseCreate) createSpec() (*Dsse, *sqlgraph.CreateSpec) {
 	var (
 		_node = &Dsse{config: dc.config}
-		_spec = sqlgraph.NewCreateSpec(dsse.Table, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt))
+		_spec = sqlgraph.NewCreateSpec(dsse.Table, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID))
 	)
+	if id, ok := dc.mutation.ID(); ok {
+		_node.ID = id
+		_spec.ID.Value = &id
+	}
 	if value, ok := dc.mutation.GitoidSha256(); ok {
 		_spec.SetField(dsse.FieldGitoidSha256, field.TypeString, value)
 		_node.GitoidSha256 = value
@ -175,7 +208,7 @@ func (dc *DsseCreate) createSpec() (*Dsse, *sqlgraph.CreateSpec) {
 			Columns: []string{dsse.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -192,7 +225,7 @@ func (dc *DsseCreate) createSpec() (*Dsse, *sqlgraph.CreateSpec) {
 			Columns: []string{dsse.SignaturesColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -208,7 +241,7 @@ func (dc *DsseCreate) createSpec() (*Dsse, *sqlgraph.CreateSpec) {
 			Columns: []string{dsse.PayloadDigestsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -237,6 +270,7 @@ func (dcb *DsseCreateBulk) Save(ctx context.Context) ([]*Dsse, error) {
 	for i := range dcb.builders {
 		func(i int, root context.Context) {
 			builder := dcb.builders[i]
+			builder.defaults()
 			var mut Mutator = MutateFunc(func(ctx context.Context, m Mutation) (Value, error) {
 				mutation, ok := m.(*DsseMutation)
 				if !ok {
@ -263,10 +297,6 @@ func (dcb *DsseCreateBulk) Save(ctx context.Context) ([]*Dsse, error) {
 					return nil, err
 				}
 				mutation.id = &nodes[i].ID
-				if specs[i].ID.Value != nil {
-					id := specs[i].ID.Value.(int64)
-					nodes[i].ID = int(id)
-				}
 				mutation.done = true
 				return nodes[i], nil
 			})
--- a/ent/dsse_delete.go
+++ b/ent/dsse_delete.go
@ -40,7 +40,7 @@ func (dd *DsseDelete) ExecX(ctx context.Context) int {
 }

 func (dd *DsseDelete) sqlExec(ctx context.Context) (int, error) {
-	_spec := sqlgraph.NewDeleteSpec(dsse.Table, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewDeleteSpec(dsse.Table, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID))
 	if ps := dd.mutation.predicates; len(ps) > 0 {
 		_spec.Predicate = func(selector *sql.Selector) {
 			for i := range ps {
--- a/ent/dsse_query.go
+++ b/ent/dsse_query.go
@ -8,9 +8,11 @@ import (
 	"fmt"
 	"math"

+	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/predicate"
@ -138,7 +140,7 @@ func (dq *DsseQuery) QueryPayloadDigests() *PayloadDigestQuery {
 // First returns the first Dsse entity from the query.
 // Returns a *NotFoundError when no Dsse was found.
 func (dq *DsseQuery) First(ctx context.Context) (*Dsse, error) {
-	nodes, err := dq.Limit(1).All(setContextOp(ctx, dq.ctx, "First"))
+	nodes, err := dq.Limit(1).All(setContextOp(ctx, dq.ctx, ent.OpQueryFirst))
 	if err != nil {
 		return nil, err
 	}
@ -159,9 +161,9 @@ func (dq *DsseQuery) FirstX(ctx context.Context) *Dsse {

 // FirstID returns the first Dsse ID from the query.
 // Returns a *NotFoundError when no Dsse ID was found.
-func (dq *DsseQuery) FirstID(ctx context.Context) (id int, err error) {
-	var ids []int
-	if ids, err = dq.Limit(1).IDs(setContextOp(ctx, dq.ctx, "FirstID")); err != nil {
+func (dq *DsseQuery) FirstID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = dq.Limit(1).IDs(setContextOp(ctx, dq.ctx, ent.OpQueryFirstID)); err != nil {
 		return
 	}
 	if len(ids) == 0 {
@ -172,7 +174,7 @@ func (dq *DsseQuery) FirstID(ctx context.Context) (id int, err error) {
 }

 // FirstIDX is like FirstID, but panics if an error occurs.
-func (dq *DsseQuery) FirstIDX(ctx context.Context) int {
+func (dq *DsseQuery) FirstIDX(ctx context.Context) uuid.UUID {
 	id, err := dq.FirstID(ctx)
 	if err != nil && !IsNotFound(err) {
 		panic(err)
@ -184,7 +186,7 @@ func (dq *DsseQuery) FirstIDX(ctx context.Context) int {
 // Returns a *NotSingularError when more than one Dsse entity is found.
 // Returns a *NotFoundError when no Dsse entities are found.
 func (dq *DsseQuery) Only(ctx context.Context) (*Dsse, error) {
-	nodes, err := dq.Limit(2).All(setContextOp(ctx, dq.ctx, "Only"))
+	nodes, err := dq.Limit(2).All(setContextOp(ctx, dq.ctx, ent.OpQueryOnly))
 	if err != nil {
 		return nil, err
 	}
@ -210,9 +212,9 @@ func (dq *DsseQuery) OnlyX(ctx context.Context) *Dsse {
 // OnlyID is like Only, but returns the only Dsse ID in the query.
 // Returns a *NotSingularError when more than one Dsse ID is found.
 // Returns a *NotFoundError when no entities are found.
-func (dq *DsseQuery) OnlyID(ctx context.Context) (id int, err error) {
-	var ids []int
-	if ids, err = dq.Limit(2).IDs(setContextOp(ctx, dq.ctx, "OnlyID")); err != nil {
+func (dq *DsseQuery) OnlyID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = dq.Limit(2).IDs(setContextOp(ctx, dq.ctx, ent.OpQueryOnlyID)); err != nil {
 		return
 	}
 	switch len(ids) {
@ -227,7 +229,7 @@ func (dq *DsseQuery) OnlyID(ctx context.Context) (id int, err error) {
 }

 // OnlyIDX is like OnlyID, but panics if an error occurs.
-func (dq *DsseQuery) OnlyIDX(ctx context.Context) int {
+func (dq *DsseQuery) OnlyIDX(ctx context.Context) uuid.UUID {
 	id, err := dq.OnlyID(ctx)
 	if err != nil {
 		panic(err)
@ -237,7 +239,7 @@ func (dq *DsseQuery) OnlyIDX(ctx context.Context) int {

 // All executes the query and returns a list of Dsses.
 func (dq *DsseQuery) All(ctx context.Context) ([]*Dsse, error) {
-	ctx = setContextOp(ctx, dq.ctx, "All")
+	ctx = setContextOp(ctx, dq.ctx, ent.OpQueryAll)
 	if err := dq.prepareQuery(ctx); err != nil {
 		return nil, err
 	}
@ -255,11 +257,11 @@ func (dq *DsseQuery) AllX(ctx context.Context) []*Dsse {
 }

 // IDs executes the query and returns a list of Dsse IDs.
-func (dq *DsseQuery) IDs(ctx context.Context) (ids []int, err error) {
+func (dq *DsseQuery) IDs(ctx context.Context) (ids []uuid.UUID, err error) {
 	if dq.ctx.Unique == nil && dq.path != nil {
 		dq.Unique(true)
 	}
-	ctx = setContextOp(ctx, dq.ctx, "IDs")
+	ctx = setContextOp(ctx, dq.ctx, ent.OpQueryIDs)
 	if err = dq.Select(dsse.FieldID).Scan(ctx, &ids); err != nil {
 		return nil, err
 	}
@ -267,7 +269,7 @@ func (dq *DsseQuery) IDs(ctx context.Context) (ids []int, err error) {
 }

 // IDsX is like IDs, but panics if an error occurs.
-func (dq *DsseQuery) IDsX(ctx context.Context) []int {
+func (dq *DsseQuery) IDsX(ctx context.Context) []uuid.UUID {
 	ids, err := dq.IDs(ctx)
 	if err != nil {
 		panic(err)
@ -277,7 +279,7 @@ func (dq *DsseQuery) IDsX(ctx context.Context) []int {

 // Count returns the count of the given query.
 func (dq *DsseQuery) Count(ctx context.Context) (int, error) {
-	ctx = setContextOp(ctx, dq.ctx, "Count")
+	ctx = setContextOp(ctx, dq.ctx, ent.OpQueryCount)
 	if err := dq.prepareQuery(ctx); err != nil {
 		return 0, err
 	}
@ -295,7 +297,7 @@ func (dq *DsseQuery) CountX(ctx context.Context) int {

 // Exist returns true if the query has elements in the graph.
 func (dq *DsseQuery) Exist(ctx context.Context) (bool, error) {
-	ctx = setContextOp(ctx, dq.ctx, "Exist")
+	ctx = setContextOp(ctx, dq.ctx, ent.OpQueryExist)
 	switch _, err := dq.FirstID(ctx); {
 	case IsNotFound(err):
 		return false, nil
@ -524,8 +526,8 @@ func (dq *DsseQuery) sqlAll(ctx context.Context, hooks ...queryHook) ([]*Dsse, e
 }

 func (dq *DsseQuery) loadStatement(ctx context.Context, query *StatementQuery, nodes []*Dsse, init func(*Dsse), assign func(*Dsse, *Statement)) error {
-	ids := make([]int, 0, len(nodes))
-	nodeids := make(map[int][]*Dsse)
+	ids := make([]uuid.UUID, 0, len(nodes))
+	nodeids := make(map[uuid.UUID][]*Dsse)
 	for i := range nodes {
 		if nodes[i].dsse_statement == nil {
 			continue
@ -557,7 +559,7 @@ func (dq *DsseQuery) loadStatement(ctx context.Context, query *StatementQuery, n
 }
 func (dq *DsseQuery) loadSignatures(ctx context.Context, query *SignatureQuery, nodes []*Dsse, init func(*Dsse), assign func(*Dsse, *Signature)) error {
 	fks := make([]driver.Value, 0, len(nodes))
-	nodeids := make(map[int]*Dsse)
+	nodeids := make(map[uuid.UUID]*Dsse)
 	for i := range nodes {
 		fks = append(fks, nodes[i].ID)
 		nodeids[nodes[i].ID] = nodes[i]
@ -588,7 +590,7 @@ func (dq *DsseQuery) loadSignatures(ctx context.Context, query *SignatureQuery,
 }
 func (dq *DsseQuery) loadPayloadDigests(ctx context.Context, query *PayloadDigestQuery, nodes []*Dsse, init func(*Dsse), assign func(*Dsse, *PayloadDigest)) error {
 	fks := make([]driver.Value, 0, len(nodes))
-	nodeids := make(map[int]*Dsse)
+	nodeids := make(map[uuid.UUID]*Dsse)
 	for i := range nodes {
 		fks = append(fks, nodes[i].ID)
 		nodeids[nodes[i].ID] = nodes[i]
@ -631,7 +633,7 @@ func (dq *DsseQuery) sqlCount(ctx context.Context) (int, error) {
 }

 func (dq *DsseQuery) querySpec() *sqlgraph.QuerySpec {
-	_spec := sqlgraph.NewQuerySpec(dsse.Table, dsse.Columns, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewQuerySpec(dsse.Table, dsse.Columns, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID))
 	_spec.From = dq.sql
 	if unique := dq.ctx.Unique; unique != nil {
 		_spec.Unique = *unique
@ -744,7 +746,7 @@ func (dgb *DsseGroupBy) Aggregate(fns ...AggregateFunc) *DsseGroupBy {

 // Scan applies the selector query and scans the result into the given value.
 func (dgb *DsseGroupBy) Scan(ctx context.Context, v any) error {
-	ctx = setContextOp(ctx, dgb.build.ctx, "GroupBy")
+	ctx = setContextOp(ctx, dgb.build.ctx, ent.OpQueryGroupBy)
 	if err := dgb.build.prepareQuery(ctx); err != nil {
 		return err
 	}
@ -792,7 +794,7 @@ func (ds *DsseSelect) Aggregate(fns ...AggregateFunc) *DsseSelect {

 // Scan applies the selector query and scans the result into the given value.
 func (ds *DsseSelect) Scan(ctx context.Context, v any) error {
-	ctx = setContextOp(ctx, ds.ctx, "Select")
+	ctx = setContextOp(ctx, ds.ctx, ent.OpQuerySelect)
 	if err := ds.prepareQuery(ctx); err != nil {
 		return err
 	}
--- a/ent/dsse_update.go
+++ b/ent/dsse_update.go
@ -10,6 +10,7 @@ import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/predicate"
@ -59,13 +60,13 @@ func (du *DsseUpdate) SetNillablePayloadType(s *string) *DsseUpdate {
 }

 // SetStatementID sets the "statement" edge to the Statement entity by ID.
-func (du *DsseUpdate) SetStatementID(id int) *DsseUpdate {
+func (du *DsseUpdate) SetStatementID(id uuid.UUID) *DsseUpdate {
 	du.mutation.SetStatementID(id)
 	return du
 }

 // SetNillableStatementID sets the "statement" edge to the Statement entity by ID if the given value is not nil.
-func (du *DsseUpdate) SetNillableStatementID(id *int) *DsseUpdate {
+func (du *DsseUpdate) SetNillableStatementID(id *uuid.UUID) *DsseUpdate {
 	if id != nil {
 		du = du.SetStatementID(*id)
 	}
@ -78,14 +79,14 @@ func (du *DsseUpdate) SetStatement(s *Statement) *DsseUpdate {
 }

 // AddSignatureIDs adds the "signatures" edge to the Signature entity by IDs.
-func (du *DsseUpdate) AddSignatureIDs(ids ...int) *DsseUpdate {
+func (du *DsseUpdate) AddSignatureIDs(ids ...uuid.UUID) *DsseUpdate {
 	du.mutation.AddSignatureIDs(ids...)
 	return du
 }

 // AddSignatures adds the "signatures" edges to the Signature entity.
 func (du *DsseUpdate) AddSignatures(s ...*Signature) *DsseUpdate {
-	ids := make([]int, len(s))
+	ids := make([]uuid.UUID, len(s))
 	for i := range s {
 		ids[i] = s[i].ID
 	}
@ -93,14 +94,14 @@ func (du *DsseUpdate) AddSignatures(s ...*Signature) *DsseUpdate {
 }

 // AddPayloadDigestIDs adds the "payload_digests" edge to the PayloadDigest entity by IDs.
-func (du *DsseUpdate) AddPayloadDigestIDs(ids ...int) *DsseUpdate {
+func (du *DsseUpdate) AddPayloadDigestIDs(ids ...uuid.UUID) *DsseUpdate {
 	du.mutation.AddPayloadDigestIDs(ids...)
 	return du
 }

 // AddPayloadDigests adds the "payload_digests" edges to the PayloadDigest entity.
 func (du *DsseUpdate) AddPayloadDigests(p ...*PayloadDigest) *DsseUpdate {
-	ids := make([]int, len(p))
+	ids := make([]uuid.UUID, len(p))
 	for i := range p {
 		ids[i] = p[i].ID
 	}
@ -125,14 +126,14 @@ func (du *DsseUpdate) ClearSignatures() *DsseUpdate {
 }

 // RemoveSignatureIDs removes the "signatures" edge to Signature entities by IDs.
-func (du *DsseUpdate) RemoveSignatureIDs(ids ...int) *DsseUpdate {
+func (du *DsseUpdate) RemoveSignatureIDs(ids ...uuid.UUID) *DsseUpdate {
 	du.mutation.RemoveSignatureIDs(ids...)
 	return du
 }

 // RemoveSignatures removes "signatures" edges to Signature entities.
 func (du *DsseUpdate) RemoveSignatures(s ...*Signature) *DsseUpdate {
-	ids := make([]int, len(s))
+	ids := make([]uuid.UUID, len(s))
 	for i := range s {
 		ids[i] = s[i].ID
 	}
@ -146,14 +147,14 @@ func (du *DsseUpdate) ClearPayloadDigests() *DsseUpdate {
 }

 // RemovePayloadDigestIDs removes the "payload_digests" edge to PayloadDigest entities by IDs.
-func (du *DsseUpdate) RemovePayloadDigestIDs(ids ...int) *DsseUpdate {
+func (du *DsseUpdate) RemovePayloadDigestIDs(ids ...uuid.UUID) *DsseUpdate {
 	du.mutation.RemovePayloadDigestIDs(ids...)
 	return du
 }

 // RemovePayloadDigests removes "payload_digests" edges to PayloadDigest entities.
 func (du *DsseUpdate) RemovePayloadDigests(p ...*PayloadDigest) *DsseUpdate {
-	ids := make([]int, len(p))
+	ids := make([]uuid.UUID, len(p))
 	for i := range p {
 		ids[i] = p[i].ID
 	}
@ -206,7 +207,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 	if err := du.check(); err != nil {
 		return n, err
 	}
-	_spec := sqlgraph.NewUpdateSpec(dsse.Table, dsse.Columns, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewUpdateSpec(dsse.Table, dsse.Columns, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID))
 	if ps := du.mutation.predicates; len(ps) > 0 {
 		_spec.Predicate = func(selector *sql.Selector) {
 			for i := range ps {
@ -228,7 +229,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{dsse.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -241,7 +242,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{dsse.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -257,7 +258,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{dsse.SignaturesColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -270,7 +271,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{dsse.SignaturesColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -286,7 +287,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{dsse.SignaturesColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -302,7 +303,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{dsse.PayloadDigestsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -315,7 +316,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{dsse.PayloadDigestsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -331,7 +332,7 @@ func (du *DsseUpdate) sqlSave(ctx context.Context) (n int, err error) {
 			Columns: []string{dsse.PayloadDigestsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -388,13 +389,13 @@ func (duo *DsseUpdateOne) SetNillablePayloadType(s *string) *DsseUpdateOne {
 }

 // SetStatementID sets the "statement" edge to the Statement entity by ID.
-func (duo *DsseUpdateOne) SetStatementID(id int) *DsseUpdateOne {
+func (duo *DsseUpdateOne) SetStatementID(id uuid.UUID) *DsseUpdateOne {
 	duo.mutation.SetStatementID(id)
 	return duo
 }

 // SetNillableStatementID sets the "statement" edge to the Statement entity by ID if the given value is not nil.
-func (duo *DsseUpdateOne) SetNillableStatementID(id *int) *DsseUpdateOne {
+func (duo *DsseUpdateOne) SetNillableStatementID(id *uuid.UUID) *DsseUpdateOne {
 	if id != nil {
 		duo = duo.SetStatementID(*id)
 	}
@ -407,14 +408,14 @@ func (duo *DsseUpdateOne) SetStatement(s *Statement) *DsseUpdateOne {
 }

 // AddSignatureIDs adds the "signatures" edge to the Signature entity by IDs.
-func (duo *DsseUpdateOne) AddSignatureIDs(ids ...int) *DsseUpdateOne {
+func (duo *DsseUpdateOne) AddSignatureIDs(ids ...uuid.UUID) *DsseUpdateOne {
 	duo.mutation.AddSignatureIDs(ids...)
 	return duo
 }

 // AddSignatures adds the "signatures" edges to the Signature entity.
 func (duo *DsseUpdateOne) AddSignatures(s ...*Signature) *DsseUpdateOne {
-	ids := make([]int, len(s))
+	ids := make([]uuid.UUID, len(s))
 	for i := range s {
 		ids[i] = s[i].ID
 	}
@ -422,14 +423,14 @@ func (duo *DsseUpdateOne) AddSignatures(s ...*Signature) *DsseUpdateOne {
 }

 // AddPayloadDigestIDs adds the "payload_digests" edge to the PayloadDigest entity by IDs.
-func (duo *DsseUpdateOne) AddPayloadDigestIDs(ids ...int) *DsseUpdateOne {
+func (duo *DsseUpdateOne) AddPayloadDigestIDs(ids ...uuid.UUID) *DsseUpdateOne {
 	duo.mutation.AddPayloadDigestIDs(ids...)
 	return duo
 }

 // AddPayloadDigests adds the "payload_digests" edges to the PayloadDigest entity.
 func (duo *DsseUpdateOne) AddPayloadDigests(p ...*PayloadDigest) *DsseUpdateOne {
-	ids := make([]int, len(p))
+	ids := make([]uuid.UUID, len(p))
 	for i := range p {
 		ids[i] = p[i].ID
 	}
@ -454,14 +455,14 @@ func (duo *DsseUpdateOne) ClearSignatures() *DsseUpdateOne {
 }

 // RemoveSignatureIDs removes the "signatures" edge to Signature entities by IDs.
-func (duo *DsseUpdateOne) RemoveSignatureIDs(ids ...int) *DsseUpdateOne {
+func (duo *DsseUpdateOne) RemoveSignatureIDs(ids ...uuid.UUID) *DsseUpdateOne {
 	duo.mutation.RemoveSignatureIDs(ids...)
 	return duo
 }

 // RemoveSignatures removes "signatures" edges to Signature entities.
 func (duo *DsseUpdateOne) RemoveSignatures(s ...*Signature) *DsseUpdateOne {
-	ids := make([]int, len(s))
+	ids := make([]uuid.UUID, len(s))
 	for i := range s {
 		ids[i] = s[i].ID
 	}
@ -475,14 +476,14 @@ func (duo *DsseUpdateOne) ClearPayloadDigests() *DsseUpdateOne {
 }

 // RemovePayloadDigestIDs removes the "payload_digests" edge to PayloadDigest entities by IDs.
-func (duo *DsseUpdateOne) RemovePayloadDigestIDs(ids ...int) *DsseUpdateOne {
+func (duo *DsseUpdateOne) RemovePayloadDigestIDs(ids ...uuid.UUID) *DsseUpdateOne {
 	duo.mutation.RemovePayloadDigestIDs(ids...)
 	return duo
 }

 // RemovePayloadDigests removes "payload_digests" edges to PayloadDigest entities.
 func (duo *DsseUpdateOne) RemovePayloadDigests(p ...*PayloadDigest) *DsseUpdateOne {
-	ids := make([]int, len(p))
+	ids := make([]uuid.UUID, len(p))
 	for i := range p {
 		ids[i] = p[i].ID
 	}
@ -548,7 +549,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 	if err := duo.check(); err != nil {
 		return _node, err
 	}
-	_spec := sqlgraph.NewUpdateSpec(dsse.Table, dsse.Columns, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewUpdateSpec(dsse.Table, dsse.Columns, sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID))
 	id, ok := duo.mutation.ID()
 	if !ok {
 		return nil, &ValidationError{Name: "id", err: errors.New(`ent: missing "Dsse.id" for update`)}
@ -587,7 +588,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 			Columns: []string{dsse.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -600,7 +601,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 			Columns: []string{dsse.StatementColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(statement.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -616,7 +617,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 			Columns: []string{dsse.SignaturesColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -629,7 +630,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 			Columns: []string{dsse.SignaturesColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -645,7 +646,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 			Columns: []string{dsse.SignaturesColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(signature.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -661,7 +662,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 			Columns: []string{dsse.PayloadDigestsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -674,7 +675,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 			Columns: []string{dsse.PayloadDigestsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -690,7 +691,7 @@ func (duo *DsseUpdateOne) sqlSave(ctx context.Context) (_node *Dsse, err error)
 			Columns: []string{dsse.PayloadDigestsColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
--- a/ent/ent.go
+++ b/ent/ent.go
@ -14,6 +14,7 @@ import (
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/signature"
@ -77,12 +78,13 @@ var (
 	columnCheck sql.ColumnCheck
 )

-// columnChecker checks if the column exists in the given table.
+// checkColumn checks if the column exists in the given table.
 func checkColumn(table, column string) error {
 	initCheck.Do(func() {
 		columnCheck = sql.NewColumnCheck(map[string]func(string) bool{
 			attestation.Table:           attestation.ValidColumn,
 			attestationcollection.Table: attestationcollection.ValidColumn,
+			attestationpolicy.Table:     attestationpolicy.ValidColumn,
 			dsse.Table:                  dsse.ValidColumn,
 			payloaddigest.Table:         payloaddigest.ValidColumn,
 			signature.Table:             signature.ValidColumn,
--- a/ent/gql_collection.go
+++ b/ent/gql_collection.go
@ -7,10 +7,13 @@ import (
 	"database/sql/driver"
 	"fmt"

+	"entgo.io/contrib/entgql"
 	"entgo.io/ent/dialect/sql"
 	"github.com/99designs/gqlgen/graphql"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/signature"
@ -26,13 +29,13 @@ func (a *AttestationQuery) CollectFields(ctx context.Context, satisfies ...strin
 	if fc == nil {
 		return a, nil
 	}
-	if err := a.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := a.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return a, nil
 }

-func (a *AttestationQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (a *AttestationQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -41,13 +44,14 @@ func (a *AttestationQuery) collectField(ctx context.Context, opCtx *graphql.Oper
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "attestationCollection":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&AttestationCollectionClient{config: a.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, attestationcollectionImplementors)...); err != nil {
 				return err
 			}
 			a.withAttestationCollection = query
@ -103,13 +107,13 @@ func (ac *AttestationCollectionQuery) CollectFields(ctx context.Context, satisfi
 	if fc == nil {
 		return ac, nil
 	}
-	if err := ac.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := ac.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return ac, nil
 }

-func (ac *AttestationCollectionQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (ac *AttestationCollectionQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -118,25 +122,27 @@ func (ac *AttestationCollectionQuery) collectField(ctx context.Context, opCtx *g
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "attestations":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&AttestationClient{config: ac.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, false, opCtx, field, path, mayAddCondition(satisfies, attestationImplementors)...); err != nil {
 				return err
 			}
 			ac.WithNamedAttestations(alias, func(wq *AttestationQuery) {
 				*wq = *query
 			})
+
 		case "statement":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&StatementClient{config: ac.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, statementImplementors)...); err != nil {
 				return err
 			}
 			ac.withStatement = query
@ -186,19 +192,97 @@ func newAttestationCollectionPaginateArgs(rv map[string]any) *attestationcollect
 	return args
 }

+// CollectFields tells the query-builder to eagerly load connected nodes by resolver context.
+func (ap *AttestationPolicyQuery) CollectFields(ctx context.Context, satisfies ...string) (*AttestationPolicyQuery, error) {
+	fc := graphql.GetFieldContext(ctx)
+	if fc == nil {
+		return ap, nil
+	}
+	if err := ap.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+		return nil, err
+	}
+	return ap, nil
+}
+
+func (ap *AttestationPolicyQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+	path = append([]string(nil), path...)
+	var (
+		unknownSeen    bool
+		fieldSeen      = make(map[string]struct{}, len(attestationpolicy.Columns))
+		selectedFields = []string{attestationpolicy.FieldID}
+	)
+	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
+		switch field.Name {
+
+		case "statement":
+			var (
+				alias = field.Alias
+				path  = append(path, alias)
+				query = (&StatementClient{config: ap.config}).Query()
+			)
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, statementImplementors)...); err != nil {
+				return err
+			}
+			ap.withStatement = query
+		case "name":
+			if _, ok := fieldSeen[attestationpolicy.FieldName]; !ok {
+				selectedFields = append(selectedFields, attestationpolicy.FieldName)
+				fieldSeen[attestationpolicy.FieldName] = struct{}{}
+			}
+		case "id":
+		case "__typename":
+		default:
+			unknownSeen = true
+		}
+	}
+	if !unknownSeen {
+		ap.Select(selectedFields...)
+	}
+	return nil
+}
+
+type attestationpolicyPaginateArgs struct {
+	first, last   *int
+	after, before *Cursor
+	opts          []AttestationPolicyPaginateOption
+}
+
+func newAttestationPolicyPaginateArgs(rv map[string]any) *attestationpolicyPaginateArgs {
+	args := &attestationpolicyPaginateArgs{}
+	if rv == nil {
+		return args
+	}
+	if v := rv[firstField]; v != nil {
+		args.first = v.(*int)
+	}
+	if v := rv[lastField]; v != nil {
+		args.last = v.(*int)
+	}
+	if v := rv[afterField]; v != nil {
+		args.after = v.(*Cursor)
+	}
+	if v := rv[beforeField]; v != nil {
+		args.before = v.(*Cursor)
+	}
+	if v, ok := rv[whereField].(*AttestationPolicyWhereInput); ok {
+		args.opts = append(args.opts, WithAttestationPolicyFilter(v.Filter))
+	}
+	return args
+}
+
 // CollectFields tells the query-builder to eagerly load connected nodes by resolver context.
 func (d *DsseQuery) CollectFields(ctx context.Context, satisfies ...string) (*DsseQuery, error) {
 	fc := graphql.GetFieldContext(ctx)
 	if fc == nil {
 		return d, nil
 	}
-	if err := d.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := d.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return d, nil
 }

-func (d *DsseQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (d *DsseQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -207,35 +291,38 @@ func (d *DsseQuery) collectField(ctx context.Context, opCtx *graphql.OperationCo
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "statement":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&StatementClient{config: d.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, statementImplementors)...); err != nil {
 				return err
 			}
 			d.withStatement = query
+
 		case "signatures":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&SignatureClient{config: d.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, false, opCtx, field, path, mayAddCondition(satisfies, signatureImplementors)...); err != nil {
 				return err
 			}
 			d.WithNamedSignatures(alias, func(wq *SignatureQuery) {
 				*wq = *query
 			})
+
 		case "payloadDigests":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&PayloadDigestClient{config: d.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, false, opCtx, field, path, mayAddCondition(satisfies, payloaddigestImplementors)...); err != nil {
 				return err
 			}
 			d.WithNamedPayloadDigests(alias, func(wq *PayloadDigestQuery) {
@ -298,13 +385,13 @@ func (pd *PayloadDigestQuery) CollectFields(ctx context.Context, satisfies ...st
 	if fc == nil {
 		return pd, nil
 	}
-	if err := pd.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := pd.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return pd, nil
 }

-func (pd *PayloadDigestQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (pd *PayloadDigestQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -313,13 +400,14 @@ func (pd *PayloadDigestQuery) collectField(ctx context.Context, opCtx *graphql.O
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "dsse":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&DsseClient{config: pd.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, dsseImplementors)...); err != nil {
 				return err
 			}
 			pd.withDsse = query
@ -380,13 +468,13 @@ func (s *SignatureQuery) CollectFields(ctx context.Context, satisfies ...string)
 	if fc == nil {
 		return s, nil
 	}
-	if err := s.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := s.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return s, nil
 }

-func (s *SignatureQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (s *SignatureQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -395,23 +483,25 @@ func (s *SignatureQuery) collectField(ctx context.Context, opCtx *graphql.Operat
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "dsse":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&DsseClient{config: s.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, dsseImplementors)...); err != nil {
 				return err
 			}
 			s.withDsse = query
+
 		case "timestamps":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&TimestampClient{config: s.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, false, opCtx, field, path, mayAddCondition(satisfies, timestampImplementors)...); err != nil {
 				return err
 			}
 			s.WithNamedTimestamps(alias, func(wq *TimestampQuery) {
@ -474,13 +564,13 @@ func (s *StatementQuery) CollectFields(ctx context.Context, satisfies ...string)
 	if fc == nil {
 		return s, nil
 	}
-	if err := s.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := s.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return s, nil
 }

-func (s *StatementQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (s *StatementQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -489,6 +579,7 @@ func (s *StatementQuery) collectField(ctx context.Context, opCtx *graphql.Operat
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "subjects":
 			var (
 				alias = field.Alias
@ -517,8 +608,8 @@ func (s *StatementQuery) collectField(ctx context.Context, opCtx *graphql.Operat
 							ids[i] = nodes[i].ID
 						}
 						var v []struct {
-							NodeID int `sql:"statement_subjects"`
-							Count  int `sql:"count"`
+							NodeID uuid.UUID `sql:"statement_subjects"`
+							Count  int       `sql:"count"`
 						}
 						query.Where(func(s *sql.Selector) {
 							s.Where(sql.InValues(s.C(statement.SubjectsColumn), ids...))
@ -526,7 +617,7 @@ func (s *StatementQuery) collectField(ctx context.Context, opCtx *graphql.Operat
 						if err := query.GroupBy(statement.SubjectsColumn).Aggregate(Count()).Scan(ctx, &v); err != nil {
 							return err
 						}
-						m := make(map[int]int, len(v))
+						m := make(map[uuid.UUID]int, len(v))
 						for i := range v {
 							m[v[i].NodeID] = v[i].Count
 						}
@ -560,36 +651,53 @@ func (s *StatementQuery) collectField(ctx context.Context, opCtx *graphql.Operat
 			}
 			path = append(path, edgesField, nodeField)
 			if field := collectedField(ctx, path...); field != nil {
-				if err := query.collectField(ctx, opCtx, *field, path, mayAddCondition(satisfies, "Subject")...); err != nil {
+				if err := query.collectField(ctx, false, opCtx, *field, path, mayAddCondition(satisfies, subjectImplementors)...); err != nil {
 					return err
 				}
 			}
 			if limit := paginateLimit(args.first, args.last); limit > 0 {
-				modify := limitRows(statement.SubjectsColumn, limit, pager.orderExpr(query))
-				query.modifiers = append(query.modifiers, modify)
+				if oneNode {
+					pager.applyOrder(query.Limit(limit))
+				} else {
+					modify := entgql.LimitPerRow(statement.SubjectsColumn, limit, pager.orderExpr(query))
+					query.modifiers = append(query.modifiers, modify)
+				}
 			} else {
 				query = pager.applyOrder(query)
 			}
 			s.WithNamedSubjects(alias, func(wq *SubjectQuery) {
 				*wq = *query
 			})
+
+		case "policy":
+			var (
+				alias = field.Alias
+				path  = append(path, alias)
+				query = (&AttestationPolicyClient{config: s.config}).Query()
+			)
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, attestationpolicyImplementors)...); err != nil {
+				return err
+			}
+			s.withPolicy = query
+
 		case "attestationCollections":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&AttestationCollectionClient{config: s.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, attestationcollectionImplementors)...); err != nil {
 				return err
 			}
 			s.withAttestationCollections = query
+
 		case "dsse":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&DsseClient{config: s.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, false, opCtx, field, path, mayAddCondition(satisfies, dsseImplementors)...); err != nil {
 				return err
 			}
 			s.WithNamedDsse(alias, func(wq *DsseQuery) {
@ -647,13 +755,13 @@ func (s *SubjectQuery) CollectFields(ctx context.Context, satisfies ...string) (
 	if fc == nil {
 		return s, nil
 	}
-	if err := s.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := s.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return s, nil
 }

-func (s *SubjectQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (s *SubjectQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -662,25 +770,27 @@ func (s *SubjectQuery) collectField(ctx context.Context, opCtx *graphql.Operatio
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "subjectDigests":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&SubjectDigestClient{config: s.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, false, opCtx, field, path, mayAddCondition(satisfies, subjectdigestImplementors)...); err != nil {
 				return err
 			}
 			s.WithNamedSubjectDigests(alias, func(wq *SubjectDigestQuery) {
 				*wq = *query
 			})
+
 		case "statement":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&StatementClient{config: s.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, statementImplementors)...); err != nil {
 				return err
 			}
 			s.withStatement = query
@ -736,13 +846,13 @@ func (sd *SubjectDigestQuery) CollectFields(ctx context.Context, satisfies ...st
 	if fc == nil {
 		return sd, nil
 	}
-	if err := sd.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := sd.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return sd, nil
 }

-func (sd *SubjectDigestQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (sd *SubjectDigestQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -751,13 +861,14 @@ func (sd *SubjectDigestQuery) collectField(ctx context.Context, opCtx *graphql.O
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "subject":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&SubjectClient{config: sd.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, subjectImplementors)...); err != nil {
 				return err
 			}
 			sd.withSubject = query
@ -818,13 +929,13 @@ func (t *TimestampQuery) CollectFields(ctx context.Context, satisfies ...string)
 	if fc == nil {
 		return t, nil
 	}
-	if err := t.collectField(ctx, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
+	if err := t.collectField(ctx, false, graphql.GetOperationContext(ctx), fc.Field, nil, satisfies...); err != nil {
 		return nil, err
 	}
 	return t, nil
 }

-func (t *TimestampQuery) collectField(ctx context.Context, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
+func (t *TimestampQuery) collectField(ctx context.Context, oneNode bool, opCtx *graphql.OperationContext, collected graphql.CollectedField, path []string, satisfies ...string) error {
 	path = append([]string(nil), path...)
 	var (
 		unknownSeen    bool
@ -833,13 +944,14 @@ func (t *TimestampQuery) collectField(ctx context.Context, opCtx *graphql.Operat
 	)
 	for _, field := range graphql.CollectFields(opCtx, collected.Selections, satisfies) {
 		switch field.Name {
+
 		case "signature":
 			var (
 				alias = field.Alias
 				path  = append(path, alias)
 				query = (&SignatureClient{config: t.config}).Query()
 			)
-			if err := query.collectField(ctx, opCtx, field, path, satisfies...); err != nil {
+			if err := query.collectField(ctx, oneNode, opCtx, field, path, mayAddCondition(satisfies, signatureImplementors)...); err != nil {
 				return err
 			}
 			t.withSignature = query
@ -946,39 +1058,17 @@ func unmarshalArgs(ctx context.Context, whereInput any, args map[string]any) map
 	return args
 }

-func limitRows(partitionBy string, limit int, orderBy ...sql.Querier) func(s *sql.Selector) {
-	return func(s *sql.Selector) {
-		d := sql.Dialect(s.Dialect())
-		s.SetDistinct(false)
-		with := d.With("src_query").
-			As(s.Clone()).
-			With("limited_query").
-			As(
-				d.Select("*").
-					AppendSelectExprAs(
-						sql.RowNumber().PartitionBy(partitionBy).OrderExpr(orderBy...),
-						"row_number",
-					).
-					From(d.Table("src_query")),
-			)
-		t := d.Table("limited_query").As(s.TableName())
-		*s = *d.Select(s.UnqualifiedColumns()...).
-			From(t).
-			Where(sql.LTE(t.C("row_number"), limit)).
-			Prefix(with)
-	}
-}
-
 // mayAddCondition appends another type condition to the satisfies list
-// if condition is enabled (Node/Nodes) and it does not exist in the list.
-func mayAddCondition(satisfies []string, typeCond string) []string {
-	if len(satisfies) == 0 {
-		return satisfies
-	}
-	for _, s := range satisfies {
-		if typeCond == s {
-			return satisfies
+// if it does not exist in the list.
+func mayAddCondition(satisfies []string, typeCond []string) []string {
+Cond:
+	for _, c := range typeCond {
+		for _, s := range satisfies {
+			if c == s {
+				continue Cond
+			}
 		}
+		satisfies = append(satisfies, c)
 	}
-	return append(satisfies, typeCond)
+	return satisfies
 }
--- a/ent/gql_edge.go
+++ b/ent/gql_edge.go
@ -36,6 +36,14 @@ func (ac *AttestationCollection) Statement(ctx context.Context) (*Statement, err
 	return result, err
 }

+func (ap *AttestationPolicy) Statement(ctx context.Context) (*Statement, error) {
+	result, err := ap.Edges.StatementOrErr()
+	if IsNotLoaded(err) {
+		result, err = ap.QueryStatement().Only(ctx)
+	}
+	return result, MaskNotFound(err)
+}
+
 func (d *Dsse) Statement(ctx context.Context) (*Statement, error) {
 	result, err := d.Edges.StatementOrErr()
 	if IsNotLoaded(err) {
@ -116,6 +124,14 @@ func (s *Statement) Subjects(
 	return s.QuerySubjects().Paginate(ctx, after, first, before, last, opts...)
 }

+func (s *Statement) Policy(ctx context.Context) (*AttestationPolicy, error) {
+	result, err := s.Edges.PolicyOrErr()
+	if IsNotLoaded(err) {
+		result, err = s.QueryPolicy().Only(ctx)
+	}
+	return result, MaskNotFound(err)
+}
+
 func (s *Statement) AttestationCollections(ctx context.Context) (*AttestationCollection, error) {
 	result, err := s.Edges.AttestationCollectionsOrErr()
 	if IsNotLoaded(err) {
--- a/ent/gql_node.go
+++ b/ent/gql_node.go
@ -5,17 +5,14 @@ package ent
 import (
 	"context"
 	"fmt"
-	"sync"
-	"sync/atomic"

 	"entgo.io/contrib/entgql"
-	"entgo.io/ent/dialect"
-	"entgo.io/ent/dialect/sql"
-	"entgo.io/ent/dialect/sql/schema"
 	"github.com/99designs/gqlgen/graphql"
+	"github.com/google/uuid"
 	"github.com/hashicorp/go-multierror"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/signature"
@ -23,7 +20,6 @@ import (
 	"github.com/in-toto/archivista/ent/subject"
 	"github.com/in-toto/archivista/ent/subjectdigest"
 	"github.com/in-toto/archivista/ent/timestamp"
-	"golang.org/x/sync/semaphore"
 )

 // Noder wraps the basic Node method.
@ -31,32 +27,55 @@ type Noder interface {
 	IsNode()
 }

-// IsNode implements the Node interface check for GQLGen.
-func (n *Attestation) IsNode() {}
+var attestationImplementors = []string{"Attestation", "Node"}

 // IsNode implements the Node interface check for GQLGen.
-func (n *AttestationCollection) IsNode() {}
+func (*Attestation) IsNode() {}
+
+var attestationcollectionImplementors = []string{"AttestationCollection", "Node"}

 // IsNode implements the Node interface check for GQLGen.
-func (n *Dsse) IsNode() {}
+func (*AttestationCollection) IsNode() {}
+
+var attestationpolicyImplementors = []string{"AttestationPolicy", "Node"}

 // IsNode implements the Node interface check for GQLGen.
-func (n *PayloadDigest) IsNode() {}
+func (*AttestationPolicy) IsNode() {}
+
+var dsseImplementors = []string{"Dsse", "Node"}

 // IsNode implements the Node interface check for GQLGen.
-func (n *Signature) IsNode() {}
+func (*Dsse) IsNode() {}
+
+var payloaddigestImplementors = []string{"PayloadDigest", "Node"}

 // IsNode implements the Node interface check for GQLGen.
-func (n *Statement) IsNode() {}
+func (*PayloadDigest) IsNode() {}
+
+var signatureImplementors = []string{"Signature", "Node"}

 // IsNode implements the Node interface check for GQLGen.
-func (n *Subject) IsNode() {}
+func (*Signature) IsNode() {}
+
+var statementImplementors = []string{"Statement", "Node"}

 // IsNode implements the Node interface check for GQLGen.
-func (n *SubjectDigest) IsNode() {}
+func (*Statement) IsNode() {}
+
+var subjectImplementors = []string{"Subject", "Node"}

 // IsNode implements the Node interface check for GQLGen.
-func (n *Timestamp) IsNode() {}
+func (*Subject) IsNode() {}
+
+var subjectdigestImplementors = []string{"SubjectDigest", "Node"}
+
+// IsNode implements the Node interface check for GQLGen.
+func (*SubjectDigest) IsNode() {}
+
+var timestampImplementors = []string{"Timestamp", "Node"}
+
+// IsNode implements the Node interface check for GQLGen.
+func (*Timestamp) IsNode() {}

 var errNodeInvalidID = &NotFoundError{"node"}

@ -66,7 +85,7 @@ type NodeOption func(*nodeOptions)
 // WithNodeType sets the node Type resolver function (i.e. the table to query).
 // If was not provided, the table will be derived from the universal-id
 // configuration as described in: https://entgo.io/docs/migrate/#universal-ids.
-func WithNodeType(f func(context.Context, int) (string, error)) NodeOption {
+func WithNodeType(f func(context.Context, uuid.UUID) (string, error)) NodeOption {
 	return func(o *nodeOptions) {
 		o.nodeType = f
 	}
@ -74,13 +93,13 @@ func WithNodeType(f func(context.Context, int) (string, error)) NodeOption {

 // WithFixedNodeType sets the Type of the node to a fixed value.
 func WithFixedNodeType(t string) NodeOption {
-	return WithNodeType(func(context.Context, int) (string, error) {
+	return WithNodeType(func(context.Context, uuid.UUID) (string, error) {
 		return t, nil
 	})
 }

 type nodeOptions struct {
-	nodeType func(context.Context, int) (string, error)
+	nodeType func(context.Context, uuid.UUID) (string, error)
 }

 func (c *Client) newNodeOpts(opts []NodeOption) *nodeOptions {
@ -89,8 +108,8 @@ func (c *Client) newNodeOpts(opts []NodeOption) *nodeOptions {
 		opt(nopts)
 	}
 	if nopts.nodeType == nil {
-		nopts.nodeType = func(ctx context.Context, id int) (string, error) {
-			return c.tables.nodeType(ctx, c.driver, id)
+		nopts.nodeType = func(ctx context.Context, id uuid.UUID) (string, error) {
+			return "", fmt.Errorf("cannot resolve noder (%v) without its type", id)
 		}
 	}
 	return nopts
@ -101,7 +120,7 @@ func (c *Client) newNodeOpts(opts []NodeOption) *nodeOptions {
 //
 //	c.Noder(ctx, id)
 //	c.Noder(ctx, id, ent.WithNodeType(typeResolver))
-func (c *Client) Noder(ctx context.Context, id int, opts ...NodeOption) (_ Noder, err error) {
+func (c *Client) Noder(ctx context.Context, id uuid.UUID, opts ...NodeOption) (_ Noder, err error) {
 	defer func() {
 		if IsNotFound(err) {
 			err = multierror.Append(err, entgql.ErrNodeNotFound(id))
@ -114,122 +133,104 @@ func (c *Client) Noder(ctx context.Context, id int, opts ...NodeOption) (_ Noder
 	return c.noder(ctx, table, id)
 }

-func (c *Client) noder(ctx context.Context, table string, id int) (Noder, error) {
+func (c *Client) noder(ctx context.Context, table string, id uuid.UUID) (Noder, error) {
 	switch table {
 	case attestation.Table:
 		query := c.Attestation.Query().
 			Where(attestation.ID(id))
-		query, err := query.CollectFields(ctx, "Attestation")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, attestationImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return n, nil
+		return query.Only(ctx)
 	case attestationcollection.Table:
 		query := c.AttestationCollection.Query().
 			Where(attestationcollection.ID(id))
-		query, err := query.CollectFields(ctx, "AttestationCollection")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, attestationcollectionImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
+		return query.Only(ctx)
+	case attestationpolicy.Table:
+		query := c.AttestationPolicy.Query().
+			Where(attestationpolicy.ID(id))
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, attestationpolicyImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		return n, nil
+		return query.Only(ctx)
 	case dsse.Table:
 		query := c.Dsse.Query().
 			Where(dsse.ID(id))
-		query, err := query.CollectFields(ctx, "Dsse")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, dsseImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return n, nil
+		return query.Only(ctx)
 	case payloaddigest.Table:
 		query := c.PayloadDigest.Query().
 			Where(payloaddigest.ID(id))
-		query, err := query.CollectFields(ctx, "PayloadDigest")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, payloaddigestImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return n, nil
+		return query.Only(ctx)
 	case signature.Table:
 		query := c.Signature.Query().
 			Where(signature.ID(id))
-		query, err := query.CollectFields(ctx, "Signature")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, signatureImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return n, nil
+		return query.Only(ctx)
 	case statement.Table:
 		query := c.Statement.Query().
 			Where(statement.ID(id))
-		query, err := query.CollectFields(ctx, "Statement")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, statementImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return n, nil
+		return query.Only(ctx)
 	case subject.Table:
 		query := c.Subject.Query().
 			Where(subject.ID(id))
-		query, err := query.CollectFields(ctx, "Subject")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, subjectImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return n, nil
+		return query.Only(ctx)
 	case subjectdigest.Table:
 		query := c.SubjectDigest.Query().
 			Where(subjectdigest.ID(id))
-		query, err := query.CollectFields(ctx, "SubjectDigest")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, subjectdigestImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return n, nil
+		return query.Only(ctx)
 	case timestamp.Table:
 		query := c.Timestamp.Query().
 			Where(timestamp.ID(id))
-		query, err := query.CollectFields(ctx, "Timestamp")
-		if err != nil {
-			return nil, err
+		if fc := graphql.GetFieldContext(ctx); fc != nil {
+			if err := query.collectField(ctx, true, graphql.GetOperationContext(ctx), fc.Field, nil, timestampImplementors...); err != nil {
+				return nil, err
+			}
 		}
-		n, err := query.Only(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return n, nil
+		return query.Only(ctx)
 	default:
 		return nil, fmt.Errorf("cannot resolve noder from table %q: %w", table, errNodeInvalidID)
 	}
 }

-func (c *Client) Noders(ctx context.Context, ids []int, opts ...NodeOption) ([]Noder, error) {
+func (c *Client) Noders(ctx context.Context, ids []uuid.UUID, opts ...NodeOption) ([]Noder, error) {
 	switch len(ids) {
 	case 1:
 		noder, err := c.Noder(ctx, ids[0], opts...)
@ -243,8 +244,8 @@ func (c *Client) Noders(ctx context.Context, ids []int, opts ...NodeOption) ([]N

 	noders := make([]Noder, len(ids))
 	errors := make([]error, len(ids))
-	tables := make(map[string][]int)
-	id2idx := make(map[int][]int, len(ids))
+	tables := make(map[string][]uuid.UUID)
+	id2idx := make(map[uuid.UUID][]int, len(ids))
 	nopts := c.newNodeOpts(opts)
 	for i, id := range ids {
 		table, err := nopts.nodeType(ctx, id)
@ -290,9 +291,9 @@ func (c *Client) Noders(ctx context.Context, ids []int, opts ...NodeOption) ([]N
 	return noders, nil
 }

-func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder, error) {
+func (c *Client) noders(ctx context.Context, table string, ids []uuid.UUID) ([]Noder, error) {
 	noders := make([]Noder, len(ids))
-	idmap := make(map[int][]*Noder, len(ids))
+	idmap := make(map[uuid.UUID][]*Noder, len(ids))
 	for i, id := range ids {
 		idmap[id] = append(idmap[id], &noders[i])
 	}
@ -300,7 +301,7 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case attestation.Table:
 		query := c.Attestation.Query().
 			Where(attestation.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "Attestation")
+		query, err := query.CollectFields(ctx, attestationImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -316,7 +317,23 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case attestationcollection.Table:
 		query := c.AttestationCollection.Query().
 			Where(attestationcollection.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "AttestationCollection")
+		query, err := query.CollectFields(ctx, attestationcollectionImplementors...)
+		if err != nil {
+			return nil, err
+		}
+		nodes, err := query.All(ctx)
+		if err != nil {
+			return nil, err
+		}
+		for _, node := range nodes {
+			for _, noder := range idmap[node.ID] {
+				*noder = node
+			}
+		}
+	case attestationpolicy.Table:
+		query := c.AttestationPolicy.Query().
+			Where(attestationpolicy.IDIn(ids...))
+		query, err := query.CollectFields(ctx, attestationpolicyImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -332,7 +349,7 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case dsse.Table:
 		query := c.Dsse.Query().
 			Where(dsse.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "Dsse")
+		query, err := query.CollectFields(ctx, dsseImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -348,7 +365,7 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case payloaddigest.Table:
 		query := c.PayloadDigest.Query().
 			Where(payloaddigest.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "PayloadDigest")
+		query, err := query.CollectFields(ctx, payloaddigestImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -364,7 +381,7 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case signature.Table:
 		query := c.Signature.Query().
 			Where(signature.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "Signature")
+		query, err := query.CollectFields(ctx, signatureImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -380,7 +397,7 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case statement.Table:
 		query := c.Statement.Query().
 			Where(statement.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "Statement")
+		query, err := query.CollectFields(ctx, statementImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -396,7 +413,7 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case subject.Table:
 		query := c.Subject.Query().
 			Where(subject.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "Subject")
+		query, err := query.CollectFields(ctx, subjectImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -412,7 +429,7 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case subjectdigest.Table:
 		query := c.SubjectDigest.Query().
 			Where(subjectdigest.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "SubjectDigest")
+		query, err := query.CollectFields(ctx, subjectdigestImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -428,7 +445,7 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	case timestamp.Table:
 		query := c.Timestamp.Query().
 			Where(timestamp.IDIn(ids...))
-		query, err := query.CollectFields(ctx, "Timestamp")
+		query, err := query.CollectFields(ctx, timestampImplementors...)
 		if err != nil {
 			return nil, err
 		}
@ -446,55 +463,3 @@ func (c *Client) noders(ctx context.Context, table string, ids []int) ([]Noder,
 	}
 	return noders, nil
 }
-
-type tables struct {
-	once  sync.Once
-	sem   *semaphore.Weighted
-	value atomic.Value
-}
-
-func (t *tables) nodeType(ctx context.Context, drv dialect.Driver, id int) (string, error) {
-	tables, err := t.Load(ctx, drv)
-	if err != nil {
-		return "", err
-	}
-	idx := int(id / (1<<32 - 1))
-	if idx < 0 || idx >= len(tables) {
-		return "", fmt.Errorf("cannot resolve table from id %v: %w", id, errNodeInvalidID)
-	}
-	return tables[idx], nil
-}
-
-func (t *tables) Load(ctx context.Context, drv dialect.Driver) ([]string, error) {
-	if tables := t.value.Load(); tables != nil {
-		return tables.([]string), nil
-	}
-	t.once.Do(func() { t.sem = semaphore.NewWeighted(1) })
-	if err := t.sem.Acquire(ctx, 1); err != nil {
-		return nil, err
-	}
-	defer t.sem.Release(1)
-	if tables := t.value.Load(); tables != nil {
-		return tables.([]string), nil
-	}
-	tables, err := t.load(ctx, drv)
-	if err == nil {
-		t.value.Store(tables)
-	}
-	return tables, err
-}
-
-func (*tables) load(ctx context.Context, drv dialect.Driver) ([]string, error) {
-	rows := &sql.Rows{}
-	query, args := sql.Dialect(drv.Dialect()).
-		Select("type").
-		From(sql.Table(schema.TypeTable)).
-		OrderBy(sql.Asc("id")).
-		Query()
-	if err := drv.Query(ctx, query, args, rows); err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	var tables []string
-	return tables, sql.ScanSlice(rows, &tables)
-}
--- a/ent/gql_pagination.go
+++ b/ent/gql_pagination.go
@ -11,8 +11,10 @@ import (
 	"entgo.io/ent/dialect/sql"
 	"github.com/99designs/gqlgen/graphql"
 	"github.com/99designs/gqlgen/graphql/errcode"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/signature"
@ -25,8 +27,8 @@ import (

 // Common entgql types.
 type (
-	Cursor         = entgql.Cursor[int]
-	PageInfo       = entgql.PageInfo[int]
+	Cursor         = entgql.Cursor[uuid.UUID]
+	PageInfo       = entgql.PageInfo[uuid.UUID]
 	OrderDirection = entgql.OrderDirection
 )

@ -278,7 +280,9 @@ func (a *AttestationQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = a.Clone().Count(ctx); err != nil {
+			c := a.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -291,11 +295,12 @@ func (a *AttestationQuery) Paginate(
 	if a, err = pager.applyCursors(a, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		a.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := a.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := a.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
@ -524,7 +529,9 @@ func (ac *AttestationCollectionQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = ac.Clone().Count(ctx); err != nil {
+			c := ac.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -537,11 +544,12 @@ func (ac *AttestationCollectionQuery) Paginate(
 	if ac, err = pager.applyCursors(ac, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		ac.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := ac.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := ac.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
@ -595,6 +603,255 @@ func (ac *AttestationCollection) ToEdge(order *AttestationCollectionOrder) *Atte
 	}
 }

+// AttestationPolicyEdge is the edge representation of AttestationPolicy.
+type AttestationPolicyEdge struct {
+	Node   *AttestationPolicy `json:"node"`
+	Cursor Cursor             `json:"cursor"`
+}
+
+// AttestationPolicyConnection is the connection containing edges to AttestationPolicy.
+type AttestationPolicyConnection struct {
+	Edges      []*AttestationPolicyEdge `json:"edges"`
+	PageInfo   PageInfo                 `json:"pageInfo"`
+	TotalCount int                      `json:"totalCount"`
+}
+
+func (c *AttestationPolicyConnection) build(nodes []*AttestationPolicy, pager *attestationpolicyPager, after *Cursor, first *int, before *Cursor, last *int) {
+	c.PageInfo.HasNextPage = before != nil
+	c.PageInfo.HasPreviousPage = after != nil
+	if first != nil && *first+1 == len(nodes) {
+		c.PageInfo.HasNextPage = true
+		nodes = nodes[:len(nodes)-1]
+	} else if last != nil && *last+1 == len(nodes) {
+		c.PageInfo.HasPreviousPage = true
+		nodes = nodes[:len(nodes)-1]
+	}
+	var nodeAt func(int) *AttestationPolicy
+	if last != nil {
+		n := len(nodes) - 1
+		nodeAt = func(i int) *AttestationPolicy {
+			return nodes[n-i]
+		}
+	} else {
+		nodeAt = func(i int) *AttestationPolicy {
+			return nodes[i]
+		}
+	}
+	c.Edges = make([]*AttestationPolicyEdge, len(nodes))
+	for i := range nodes {
+		node := nodeAt(i)
+		c.Edges[i] = &AttestationPolicyEdge{
+			Node:   node,
+			Cursor: pager.toCursor(node),
+		}
+	}
+	if l := len(c.Edges); l > 0 {
+		c.PageInfo.StartCursor = &c.Edges[0].Cursor
+		c.PageInfo.EndCursor = &c.Edges[l-1].Cursor
+	}
+	if c.TotalCount == 0 {
+		c.TotalCount = len(nodes)
+	}
+}
+
+// AttestationPolicyPaginateOption enables pagination customization.
+type AttestationPolicyPaginateOption func(*attestationpolicyPager) error
+
+// WithAttestationPolicyOrder configures pagination ordering.
+func WithAttestationPolicyOrder(order *AttestationPolicyOrder) AttestationPolicyPaginateOption {
+	if order == nil {
+		order = DefaultAttestationPolicyOrder
+	}
+	o := *order
+	return func(pager *attestationpolicyPager) error {
+		if err := o.Direction.Validate(); err != nil {
+			return err
+		}
+		if o.Field == nil {
+			o.Field = DefaultAttestationPolicyOrder.Field
+		}
+		pager.order = &o
+		return nil
+	}
+}
+
+// WithAttestationPolicyFilter configures pagination filter.
+func WithAttestationPolicyFilter(filter func(*AttestationPolicyQuery) (*AttestationPolicyQuery, error)) AttestationPolicyPaginateOption {
+	return func(pager *attestationpolicyPager) error {
+		if filter == nil {
+			return errors.New("AttestationPolicyQuery filter cannot be nil")
+		}
+		pager.filter = filter
+		return nil
+	}
+}
+
+type attestationpolicyPager struct {
+	reverse bool
+	order   *AttestationPolicyOrder
+	filter  func(*AttestationPolicyQuery) (*AttestationPolicyQuery, error)
+}
+
+func newAttestationPolicyPager(opts []AttestationPolicyPaginateOption, reverse bool) (*attestationpolicyPager, error) {
+	pager := &attestationpolicyPager{reverse: reverse}
+	for _, opt := range opts {
+		if err := opt(pager); err != nil {
+			return nil, err
+		}
+	}
+	if pager.order == nil {
+		pager.order = DefaultAttestationPolicyOrder
+	}
+	return pager, nil
+}
+
+func (p *attestationpolicyPager) applyFilter(query *AttestationPolicyQuery) (*AttestationPolicyQuery, error) {
+	if p.filter != nil {
+		return p.filter(query)
+	}
+	return query, nil
+}
+
+func (p *attestationpolicyPager) toCursor(ap *AttestationPolicy) Cursor {
+	return p.order.Field.toCursor(ap)
+}
+
+func (p *attestationpolicyPager) applyCursors(query *AttestationPolicyQuery, after, before *Cursor) (*AttestationPolicyQuery, error) {
+	direction := p.order.Direction
+	if p.reverse {
+		direction = direction.Reverse()
+	}
+	for _, predicate := range entgql.CursorsPredicate(after, before, DefaultAttestationPolicyOrder.Field.column, p.order.Field.column, direction) {
+		query = query.Where(predicate)
+	}
+	return query, nil
+}
+
+func (p *attestationpolicyPager) applyOrder(query *AttestationPolicyQuery) *AttestationPolicyQuery {
+	direction := p.order.Direction
+	if p.reverse {
+		direction = direction.Reverse()
+	}
+	query = query.Order(p.order.Field.toTerm(direction.OrderTermOption()))
+	if p.order.Field != DefaultAttestationPolicyOrder.Field {
+		query = query.Order(DefaultAttestationPolicyOrder.Field.toTerm(direction.OrderTermOption()))
+	}
+	if len(query.ctx.Fields) > 0 {
+		query.ctx.AppendFieldOnce(p.order.Field.column)
+	}
+	return query
+}
+
+func (p *attestationpolicyPager) orderExpr(query *AttestationPolicyQuery) sql.Querier {
+	direction := p.order.Direction
+	if p.reverse {
+		direction = direction.Reverse()
+	}
+	if len(query.ctx.Fields) > 0 {
+		query.ctx.AppendFieldOnce(p.order.Field.column)
+	}
+	return sql.ExprFunc(func(b *sql.Builder) {
+		b.Ident(p.order.Field.column).Pad().WriteString(string(direction))
+		if p.order.Field != DefaultAttestationPolicyOrder.Field {
+			b.Comma().Ident(DefaultAttestationPolicyOrder.Field.column).Pad().WriteString(string(direction))
+		}
+	})
+}
+
+// Paginate executes the query and returns a relay based cursor connection to AttestationPolicy.
+func (ap *AttestationPolicyQuery) Paginate(
+	ctx context.Context, after *Cursor, first *int,
+	before *Cursor, last *int, opts ...AttestationPolicyPaginateOption,
+) (*AttestationPolicyConnection, error) {
+	if err := validateFirstLast(first, last); err != nil {
+		return nil, err
+	}
+	pager, err := newAttestationPolicyPager(opts, last != nil)
+	if err != nil {
+		return nil, err
+	}
+	if ap, err = pager.applyFilter(ap); err != nil {
+		return nil, err
+	}
+	conn := &AttestationPolicyConnection{Edges: []*AttestationPolicyEdge{}}
+	ignoredEdges := !hasCollectedField(ctx, edgesField)
+	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
+		hasPagination := after != nil || first != nil || before != nil || last != nil
+		if hasPagination || ignoredEdges {
+			c := ap.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
+				return nil, err
+			}
+			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
+			conn.PageInfo.HasPreviousPage = last != nil && conn.TotalCount > 0
+		}
+	}
+	if ignoredEdges || (first != nil && *first == 0) || (last != nil && *last == 0) {
+		return conn, nil
+	}
+	if ap, err = pager.applyCursors(ap, after, before); err != nil {
+		return nil, err
+	}
+	limit := paginateLimit(first, last)
+	if limit != 0 {
+		ap.Limit(limit)
+	}
+	if field := collectedField(ctx, edgesField, nodeField); field != nil {
+		if err := ap.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+			return nil, err
+		}
+	}
+	ap = pager.applyOrder(ap)
+	nodes, err := ap.All(ctx)
+	if err != nil {
+		return nil, err
+	}
+	conn.build(nodes, pager, after, first, before, last)
+	return conn, nil
+}
+
+// AttestationPolicyOrderField defines the ordering field of AttestationPolicy.
+type AttestationPolicyOrderField struct {
+	// Value extracts the ordering value from the given AttestationPolicy.
+	Value    func(*AttestationPolicy) (ent.Value, error)
+	column   string // field or computed.
+	toTerm   func(...sql.OrderTermOption) attestationpolicy.OrderOption
+	toCursor func(*AttestationPolicy) Cursor
+}
+
+// AttestationPolicyOrder defines the ordering of AttestationPolicy.
+type AttestationPolicyOrder struct {
+	Direction OrderDirection               `json:"direction"`
+	Field     *AttestationPolicyOrderField `json:"field"`
+}
+
+// DefaultAttestationPolicyOrder is the default ordering of AttestationPolicy.
+var DefaultAttestationPolicyOrder = &AttestationPolicyOrder{
+	Direction: entgql.OrderDirectionAsc,
+	Field: &AttestationPolicyOrderField{
+		Value: func(ap *AttestationPolicy) (ent.Value, error) {
+			return ap.ID, nil
+		},
+		column: attestationpolicy.FieldID,
+		toTerm: attestationpolicy.ByID,
+		toCursor: func(ap *AttestationPolicy) Cursor {
+			return Cursor{ID: ap.ID}
+		},
+	},
+}
+
+// ToEdge converts AttestationPolicy into AttestationPolicyEdge.
+func (ap *AttestationPolicy) ToEdge(order *AttestationPolicyOrder) *AttestationPolicyEdge {
+	if order == nil {
+		order = DefaultAttestationPolicyOrder
+	}
+	return &AttestationPolicyEdge{
+		Node:   ap,
+		Cursor: order.Field.toCursor(ap),
+	}
+}
+
 // DsseEdge is the edge representation of Dsse.
 type DsseEdge struct {
 	Node   *Dsse  `json:"node"`
@ -770,7 +1027,9 @@ func (d *DsseQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = d.Clone().Count(ctx); err != nil {
+			c := d.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -783,11 +1042,12 @@ func (d *DsseQuery) Paginate(
 	if d, err = pager.applyCursors(d, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		d.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := d.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := d.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
@ -1016,7 +1276,9 @@ func (pd *PayloadDigestQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = pd.Clone().Count(ctx); err != nil {
+			c := pd.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -1029,11 +1291,12 @@ func (pd *PayloadDigestQuery) Paginate(
 	if pd, err = pager.applyCursors(pd, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		pd.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := pd.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := pd.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
@ -1262,7 +1525,9 @@ func (s *SignatureQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = s.Clone().Count(ctx); err != nil {
+			c := s.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -1275,11 +1540,12 @@ func (s *SignatureQuery) Paginate(
 	if s, err = pager.applyCursors(s, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		s.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := s.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := s.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
@ -1508,7 +1774,9 @@ func (s *StatementQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = s.Clone().Count(ctx); err != nil {
+			c := s.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -1521,11 +1789,12 @@ func (s *StatementQuery) Paginate(
 	if s, err = pager.applyCursors(s, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		s.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := s.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := s.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
@ -1754,7 +2023,9 @@ func (s *SubjectQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = s.Clone().Count(ctx); err != nil {
+			c := s.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -1767,11 +2038,12 @@ func (s *SubjectQuery) Paginate(
 	if s, err = pager.applyCursors(s, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		s.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := s.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := s.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
@ -2000,7 +2272,9 @@ func (sd *SubjectDigestQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = sd.Clone().Count(ctx); err != nil {
+			c := sd.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -2013,11 +2287,12 @@ func (sd *SubjectDigestQuery) Paginate(
 	if sd, err = pager.applyCursors(sd, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		sd.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := sd.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := sd.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
@ -2246,7 +2521,9 @@ func (t *TimestampQuery) Paginate(
 	if hasCollectedField(ctx, totalCountField) || hasCollectedField(ctx, pageInfoField) {
 		hasPagination := after != nil || first != nil || before != nil || last != nil
 		if hasPagination || ignoredEdges {
-			if conn.TotalCount, err = t.Clone().Count(ctx); err != nil {
+			c := t.Clone()
+			c.ctx.Fields = nil
+			if conn.TotalCount, err = c.Count(ctx); err != nil {
 				return nil, err
 			}
 			conn.PageInfo.HasNextPage = first != nil && conn.TotalCount > 0
@ -2259,11 +2536,12 @@ func (t *TimestampQuery) Paginate(
 	if t, err = pager.applyCursors(t, after, before); err != nil {
 		return nil, err
 	}
-	if limit := paginateLimit(first, last); limit != 0 {
+	limit := paginateLimit(first, last)
+	if limit != 0 {
 		t.Limit(limit)
 	}
 	if field := collectedField(ctx, edgesField, nodeField); field != nil {
-		if err := t.collectField(ctx, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
+		if err := t.collectField(ctx, limit == 1, graphql.GetOperationContext(ctx), *field, []string{edgesField, nodeField}); err != nil {
 			return nil, err
 		}
 	}
--- a/ent/gql_where_input.go
+++ b/ent/gql_where_input.go
@ -7,8 +7,10 @@ import (
 	"fmt"
 	"time"

+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/predicate"
@ -27,14 +29,14 @@ type AttestationWhereInput struct {
 	And        []*AttestationWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "type" field predicates.
 	Type             *string  `json:"type,omitempty"`
@ -227,14 +229,14 @@ type AttestationCollectionWhereInput struct {
 	And        []*AttestationCollectionWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "name" field predicates.
 	Name             *string  `json:"name,omitempty"`
@ -441,6 +443,206 @@ func (i *AttestationCollectionWhereInput) P() (predicate.AttestationCollection,
 	}
 }

+// AttestationPolicyWhereInput represents a where input for filtering AttestationPolicy queries.
+type AttestationPolicyWhereInput struct {
+	Predicates []predicate.AttestationPolicy  `json:"-"`
+	Not        *AttestationPolicyWhereInput   `json:"not,omitempty"`
+	Or         []*AttestationPolicyWhereInput `json:"or,omitempty"`
+	And        []*AttestationPolicyWhereInput `json:"and,omitempty"`
+
+	// "id" field predicates.
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`
+
+	// "name" field predicates.
+	Name             *string  `json:"name,omitempty"`
+	NameNEQ          *string  `json:"nameNEQ,omitempty"`
+	NameIn           []string `json:"nameIn,omitempty"`
+	NameNotIn        []string `json:"nameNotIn,omitempty"`
+	NameGT           *string  `json:"nameGT,omitempty"`
+	NameGTE          *string  `json:"nameGTE,omitempty"`
+	NameLT           *string  `json:"nameLT,omitempty"`
+	NameLTE          *string  `json:"nameLTE,omitempty"`
+	NameContains     *string  `json:"nameContains,omitempty"`
+	NameHasPrefix    *string  `json:"nameHasPrefix,omitempty"`
+	NameHasSuffix    *string  `json:"nameHasSuffix,omitempty"`
+	NameEqualFold    *string  `json:"nameEqualFold,omitempty"`
+	NameContainsFold *string  `json:"nameContainsFold,omitempty"`
+
+	// "statement" edge predicates.
+	HasStatement     *bool                  `json:"hasStatement,omitempty"`
+	HasStatementWith []*StatementWhereInput `json:"hasStatementWith,omitempty"`
+}
+
+// AddPredicates adds custom predicates to the where input to be used during the filtering phase.
+func (i *AttestationPolicyWhereInput) AddPredicates(predicates ...predicate.AttestationPolicy) {
+	i.Predicates = append(i.Predicates, predicates...)
+}
+
+// Filter applies the AttestationPolicyWhereInput filter on the AttestationPolicyQuery builder.
+func (i *AttestationPolicyWhereInput) Filter(q *AttestationPolicyQuery) (*AttestationPolicyQuery, error) {
+	if i == nil {
+		return q, nil
+	}
+	p, err := i.P()
+	if err != nil {
+		if err == ErrEmptyAttestationPolicyWhereInput {
+			return q, nil
+		}
+		return nil, err
+	}
+	return q.Where(p), nil
+}
+
+// ErrEmptyAttestationPolicyWhereInput is returned in case the AttestationPolicyWhereInput is empty.
+var ErrEmptyAttestationPolicyWhereInput = errors.New("ent: empty predicate AttestationPolicyWhereInput")
+
+// P returns a predicate for filtering attestationpolicies.
+// An error is returned if the input is empty or invalid.
+func (i *AttestationPolicyWhereInput) P() (predicate.AttestationPolicy, error) {
+	var predicates []predicate.AttestationPolicy
+	if i.Not != nil {
+		p, err := i.Not.P()
+		if err != nil {
+			return nil, fmt.Errorf("%w: field 'not'", err)
+		}
+		predicates = append(predicates, attestationpolicy.Not(p))
+	}
+	switch n := len(i.Or); {
+	case n == 1:
+		p, err := i.Or[0].P()
+		if err != nil {
+			return nil, fmt.Errorf("%w: field 'or'", err)
+		}
+		predicates = append(predicates, p)
+	case n > 1:
+		or := make([]predicate.AttestationPolicy, 0, n)
+		for _, w := range i.Or {
+			p, err := w.P()
+			if err != nil {
+				return nil, fmt.Errorf("%w: field 'or'", err)
+			}
+			or = append(or, p)
+		}
+		predicates = append(predicates, attestationpolicy.Or(or...))
+	}
+	switch n := len(i.And); {
+	case n == 1:
+		p, err := i.And[0].P()
+		if err != nil {
+			return nil, fmt.Errorf("%w: field 'and'", err)
+		}
+		predicates = append(predicates, p)
+	case n > 1:
+		and := make([]predicate.AttestationPolicy, 0, n)
+		for _, w := range i.And {
+			p, err := w.P()
+			if err != nil {
+				return nil, fmt.Errorf("%w: field 'and'", err)
+			}
+			and = append(and, p)
+		}
+		predicates = append(predicates, attestationpolicy.And(and...))
+	}
+	predicates = append(predicates, i.Predicates...)
+	if i.ID != nil {
+		predicates = append(predicates, attestationpolicy.IDEQ(*i.ID))
+	}
+	if i.IDNEQ != nil {
+		predicates = append(predicates, attestationpolicy.IDNEQ(*i.IDNEQ))
+	}
+	if len(i.IDIn) > 0 {
+		predicates = append(predicates, attestationpolicy.IDIn(i.IDIn...))
+	}
+	if len(i.IDNotIn) > 0 {
+		predicates = append(predicates, attestationpolicy.IDNotIn(i.IDNotIn...))
+	}
+	if i.IDGT != nil {
+		predicates = append(predicates, attestationpolicy.IDGT(*i.IDGT))
+	}
+	if i.IDGTE != nil {
+		predicates = append(predicates, attestationpolicy.IDGTE(*i.IDGTE))
+	}
+	if i.IDLT != nil {
+		predicates = append(predicates, attestationpolicy.IDLT(*i.IDLT))
+	}
+	if i.IDLTE != nil {
+		predicates = append(predicates, attestationpolicy.IDLTE(*i.IDLTE))
+	}
+	if i.Name != nil {
+		predicates = append(predicates, attestationpolicy.NameEQ(*i.Name))
+	}
+	if i.NameNEQ != nil {
+		predicates = append(predicates, attestationpolicy.NameNEQ(*i.NameNEQ))
+	}
+	if len(i.NameIn) > 0 {
+		predicates = append(predicates, attestationpolicy.NameIn(i.NameIn...))
+	}
+	if len(i.NameNotIn) > 0 {
+		predicates = append(predicates, attestationpolicy.NameNotIn(i.NameNotIn...))
+	}
+	if i.NameGT != nil {
+		predicates = append(predicates, attestationpolicy.NameGT(*i.NameGT))
+	}
+	if i.NameGTE != nil {
+		predicates = append(predicates, attestationpolicy.NameGTE(*i.NameGTE))
+	}
+	if i.NameLT != nil {
+		predicates = append(predicates, attestationpolicy.NameLT(*i.NameLT))
+	}
+	if i.NameLTE != nil {
+		predicates = append(predicates, attestationpolicy.NameLTE(*i.NameLTE))
+	}
+	if i.NameContains != nil {
+		predicates = append(predicates, attestationpolicy.NameContains(*i.NameContains))
+	}
+	if i.NameHasPrefix != nil {
+		predicates = append(predicates, attestationpolicy.NameHasPrefix(*i.NameHasPrefix))
+	}
+	if i.NameHasSuffix != nil {
+		predicates = append(predicates, attestationpolicy.NameHasSuffix(*i.NameHasSuffix))
+	}
+	if i.NameEqualFold != nil {
+		predicates = append(predicates, attestationpolicy.NameEqualFold(*i.NameEqualFold))
+	}
+	if i.NameContainsFold != nil {
+		predicates = append(predicates, attestationpolicy.NameContainsFold(*i.NameContainsFold))
+	}
+
+	if i.HasStatement != nil {
+		p := attestationpolicy.HasStatement()
+		if !*i.HasStatement {
+			p = attestationpolicy.Not(p)
+		}
+		predicates = append(predicates, p)
+	}
+	if len(i.HasStatementWith) > 0 {
+		with := make([]predicate.Statement, 0, len(i.HasStatementWith))
+		for _, w := range i.HasStatementWith {
+			p, err := w.P()
+			if err != nil {
+				return nil, fmt.Errorf("%w: field 'HasStatementWith'", err)
+			}
+			with = append(with, p)
+		}
+		predicates = append(predicates, attestationpolicy.HasStatementWith(with...))
+	}
+	switch len(predicates) {
+	case 0:
+		return nil, ErrEmptyAttestationPolicyWhereInput
+	case 1:
+		return predicates[0], nil
+	default:
+		return attestationpolicy.And(predicates...), nil
+	}
+}
+
 // DsseWhereInput represents a where input for filtering Dsse queries.
 type DsseWhereInput struct {
 	Predicates []predicate.Dsse  `json:"-"`
@ -449,14 +651,14 @@ type DsseWhereInput struct {
 	And        []*DsseWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "gitoid_sha256" field predicates.
 	GitoidSha256             *string  `json:"gitoidSha256,omitempty"`
@ -747,14 +949,14 @@ type PayloadDigestWhereInput struct {
 	And        []*PayloadDigestWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "algorithm" field predicates.
 	Algorithm             *string  `json:"algorithm,omitempty"`
@ -1001,14 +1203,14 @@ type SignatureWhereInput struct {
 	And        []*SignatureWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "key_id" field predicates.
 	KeyID             *string  `json:"keyID,omitempty"`
@ -1277,14 +1479,14 @@ type StatementWhereInput struct {
 	And        []*StatementWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "predicate" field predicates.
 	Predicate             *string  `json:"predicate,omitempty"`
@ -1305,6 +1507,10 @@ type StatementWhereInput struct {
 	HasSubjects     *bool                `json:"hasSubjects,omitempty"`
 	HasSubjectsWith []*SubjectWhereInput `json:"hasSubjectsWith,omitempty"`

+	// "policy" edge predicates.
+	HasPolicy     *bool                          `json:"hasPolicy,omitempty"`
+	HasPolicyWith []*AttestationPolicyWhereInput `json:"hasPolicyWith,omitempty"`
+
 	// "attestation_collections" edge predicates.
 	HasAttestationCollections     *bool                              `json:"hasAttestationCollections,omitempty"`
 	HasAttestationCollectionsWith []*AttestationCollectionWhereInput `json:"hasAttestationCollectionsWith,omitempty"`
@ -1467,6 +1673,24 @@ func (i *StatementWhereInput) P() (predicate.Statement, error) {
 		}
 		predicates = append(predicates, statement.HasSubjectsWith(with...))
 	}
+	if i.HasPolicy != nil {
+		p := statement.HasPolicy()
+		if !*i.HasPolicy {
+			p = statement.Not(p)
+		}
+		predicates = append(predicates, p)
+	}
+	if len(i.HasPolicyWith) > 0 {
+		with := make([]predicate.AttestationPolicy, 0, len(i.HasPolicyWith))
+		for _, w := range i.HasPolicyWith {
+			p, err := w.P()
+			if err != nil {
+				return nil, fmt.Errorf("%w: field 'HasPolicyWith'", err)
+			}
+			with = append(with, p)
+		}
+		predicates = append(predicates, statement.HasPolicyWith(with...))
+	}
 	if i.HasAttestationCollections != nil {
 		p := statement.HasAttestationCollections()
 		if !*i.HasAttestationCollections {
@ -1521,14 +1745,14 @@ type SubjectWhereInput struct {
 	And        []*SubjectWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "name" field predicates.
 	Name             *string  `json:"name,omitempty"`
@ -1743,14 +1967,14 @@ type SubjectDigestWhereInput struct {
 	And        []*SubjectDigestWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "algorithm" field predicates.
 	Algorithm             *string  `json:"algorithm,omitempty"`
@ -1997,14 +2221,14 @@ type TimestampWhereInput struct {
 	And        []*TimestampWhereInput `json:"and,omitempty"`

 	// "id" field predicates.
-	ID      *int  `json:"id,omitempty"`
-	IDNEQ   *int  `json:"idNEQ,omitempty"`
-	IDIn    []int `json:"idIn,omitempty"`
-	IDNotIn []int `json:"idNotIn,omitempty"`
-	IDGT    *int  `json:"idGT,omitempty"`
-	IDGTE   *int  `json:"idGTE,omitempty"`
-	IDLT    *int  `json:"idLT,omitempty"`
-	IDLTE   *int  `json:"idLTE,omitempty"`
+	ID      *uuid.UUID  `json:"id,omitempty"`
+	IDNEQ   *uuid.UUID  `json:"idNEQ,omitempty"`
+	IDIn    []uuid.UUID `json:"idIn,omitempty"`
+	IDNotIn []uuid.UUID `json:"idNotIn,omitempty"`
+	IDGT    *uuid.UUID  `json:"idGT,omitempty"`
+	IDGTE   *uuid.UUID  `json:"idGTE,omitempty"`
+	IDLT    *uuid.UUID  `json:"idLT,omitempty"`
+	IDLTE   *uuid.UUID  `json:"idLTE,omitempty"`

 	// "type" field predicates.
 	Type             *string  `json:"type,omitempty"`
--- a/ent/hook/hook.go
+++ b/ent/hook/hook.go
@ -33,6 +33,18 @@ func (f AttestationCollectionFunc) Mutate(ctx context.Context, m ent.Mutation) (
 	return nil, fmt.Errorf("unexpected mutation type %T. expect *ent.AttestationCollectionMutation", m)
 }

+// The AttestationPolicyFunc type is an adapter to allow the use of ordinary
+// function as AttestationPolicy mutator.
+type AttestationPolicyFunc func(context.Context, *ent.AttestationPolicyMutation) (ent.Value, error)
+
+// Mutate calls f(ctx, m).
+func (f AttestationPolicyFunc) Mutate(ctx context.Context, m ent.Mutation) (ent.Value, error) {
+	if mv, ok := m.(*ent.AttestationPolicyMutation); ok {
+		return f(ctx, mv)
+	}
+	return nil, fmt.Errorf("unexpected mutation type %T. expect *ent.AttestationPolicyMutation", m)
+}
+
 // The DsseFunc type is an adapter to allow the use of ordinary
 // function as Dsse mutator.
 type DsseFunc func(context.Context, *ent.DsseMutation) (ent.Value, error)
--- a/ent/migrate/migrations/mysql/20231214165639_mysql.sql
+++ b/ent/migrate/migrations/mysql/20231214165639_mysql.sql
@ -1,18 +0,0 @@
-- Create "statements" table
-CREATE TABLE `statements` (`id` bigint NOT NULL AUTO_INCREMENT, `predicate` varchar(255) NOT NULL, PRIMARY KEY (`id`), INDEX `statement_predicate` (`predicate`)) CHARSET utf8mb4 COLLATE utf8mb4_bin;
-- Create "attestation_collections" table
-CREATE TABLE `attestation_collections` (`id` bigint NOT NULL AUTO_INCREMENT, `name` varchar(255) NOT NULL, `statement_attestation_collections` bigint NOT NULL, PRIMARY KEY (`id`), INDEX `attestationcollection_name` (`name`), UNIQUE INDEX `statement_attestation_collections` (`statement_attestation_collections`), CONSTRAINT `attestation_collections_statements_attestation_collections` FOREIGN KEY (`statement_attestation_collections`) REFERENCES `statements` (`id`) ON UPDATE NO ACTION ON DELETE NO ACTION) CHARSET utf8mb4 COLLATE utf8mb4_bin;
-- Create "attestations" table
-CREATE TABLE `attestations` (`id` bigint NOT NULL AUTO_INCREMENT, `type` varchar(255) NOT NULL, `attestation_collection_attestations` bigint NOT NULL, PRIMARY KEY (`id`), INDEX `attestation_type` (`type`), INDEX `attestations_attestation_collections_attestations` (`attestation_collection_attestations`), CONSTRAINT `attestations_attestation_collections_attestations` FOREIGN KEY (`attestation_collection_attestations`) REFERENCES `attestation_collections` (`id`) ON UPDATE NO ACTION ON DELETE NO ACTION) CHARSET utf8mb4 COLLATE utf8mb4_bin;
-- Create "dsses" table
-CREATE TABLE `dsses` (`id` bigint NOT NULL AUTO_INCREMENT, `gitoid_sha256` varchar(255) NOT NULL, `payload_type` varchar(255) NOT NULL, `dsse_statement` bigint NULL, PRIMARY KEY (`id`), INDEX `dsses_statements_statement` (`dsse_statement`), UNIQUE INDEX `gitoid_sha256` (`gitoid_sha256`), CONSTRAINT `dsses_statements_statement` FOREIGN KEY (`dsse_statement`) REFERENCES `statements` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
-- Create "payload_digests" table
-CREATE TABLE `payload_digests` (`id` bigint NOT NULL AUTO_INCREMENT, `algorithm` varchar(255) NOT NULL, `value` varchar(255) NOT NULL, `dsse_payload_digests` bigint NULL, PRIMARY KEY (`id`), INDEX `payload_digests_dsses_payload_digests` (`dsse_payload_digests`), INDEX `payloaddigest_value` (`value`), CONSTRAINT `payload_digests_dsses_payload_digests` FOREIGN KEY (`dsse_payload_digests`) REFERENCES `dsses` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
-- Create "signatures" table
-CREATE TABLE `signatures` (`id` bigint NOT NULL AUTO_INCREMENT, `key_id` varchar(255) NOT NULL, `signature` text NOT NULL, `dsse_signatures` bigint NULL, PRIMARY KEY (`id`), INDEX `signature_key_id` (`key_id`), INDEX `signatures_dsses_signatures` (`dsse_signatures`), CONSTRAINT `signatures_dsses_signatures` FOREIGN KEY (`dsse_signatures`) REFERENCES `dsses` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
-- Create "subjects" table
-CREATE TABLE `subjects` (`id` bigint NOT NULL AUTO_INCREMENT, `name` varchar(255) NOT NULL, `statement_subjects` bigint NULL, PRIMARY KEY (`id`), INDEX `subject_name` (`name`), INDEX `subjects_statements_subjects` (`statement_subjects`), CONSTRAINT `subjects_statements_subjects` FOREIGN KEY (`statement_subjects`) REFERENCES `statements` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
-- Create "subject_digests" table
-CREATE TABLE `subject_digests` (`id` bigint NOT NULL AUTO_INCREMENT, `algorithm` varchar(255) NOT NULL, `value` varchar(255) NOT NULL, `subject_subject_digests` bigint NULL, PRIMARY KEY (`id`), INDEX `subject_digests_subjects_subject_digests` (`subject_subject_digests`), INDEX `subjectdigest_value` (`value`), CONSTRAINT `subject_digests_subjects_subject_digests` FOREIGN KEY (`subject_subject_digests`) REFERENCES `subjects` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
-- Create "timestamps" table
-CREATE TABLE `timestamps` (`id` bigint NOT NULL AUTO_INCREMENT, `type` varchar(255) NOT NULL, `timestamp` timestamp NOT NULL, `signature_timestamps` bigint NULL, PRIMARY KEY (`id`), INDEX `timestamps_signatures_timestamps` (`signature_timestamps`), CONSTRAINT `timestamps_signatures_timestamps` FOREIGN KEY (`signature_timestamps`) REFERENCES `signatures` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
--- a/ent/migrate/migrations/mysql/20240524112613_mysql.sql
+++ b/ent/migrate/migrations/mysql/20240524112613_mysql.sql
@ -0,0 +1,20 @@
+-- Create "statements" table
+CREATE TABLE `statements` (`id` char(36) NOT NULL, `predicate` varchar(255) NOT NULL, PRIMARY KEY (`id`), INDEX `statement_predicate` (`predicate`)) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "attestation_collections" table
+CREATE TABLE `attestation_collections` (`id` char(36) NOT NULL, `name` varchar(255) NOT NULL, `statement_attestation_collections` char(36) NOT NULL, PRIMARY KEY (`id`), INDEX `attestationcollection_name` (`name`), UNIQUE INDEX `statement_attestation_collections` (`statement_attestation_collections`), CONSTRAINT `attestation_collections_statements_attestation_collections` FOREIGN KEY (`statement_attestation_collections`) REFERENCES `statements` (`id`) ON UPDATE NO ACTION ON DELETE NO ACTION) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "attestation_policies" table
+CREATE TABLE `attestation_policies` (`id` char(36) NOT NULL, `name` varchar(255) NOT NULL, `statement_policy` char(36) NULL, PRIMARY KEY (`id`), INDEX `attestationpolicy_name` (`name`), UNIQUE INDEX `statement_policy` (`statement_policy`), CONSTRAINT `attestation_policies_statements_policy` FOREIGN KEY (`statement_policy`) REFERENCES `statements` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "attestations" table
+CREATE TABLE `attestations` (`id` char(36) NOT NULL, `type` varchar(255) NOT NULL, `attestation_collection_attestations` char(36) NOT NULL, PRIMARY KEY (`id`), INDEX `attestation_type` (`type`), INDEX `attestations_attestation_collections_attestations` (`attestation_collection_attestations`), CONSTRAINT `attestations_attestation_collections_attestations` FOREIGN KEY (`attestation_collection_attestations`) REFERENCES `attestation_collections` (`id`) ON UPDATE NO ACTION ON DELETE NO ACTION) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "dsses" table
+CREATE TABLE `dsses` (`id` char(36) NOT NULL, `gitoid_sha256` varchar(255) NOT NULL, `payload_type` varchar(255) NOT NULL, `dsse_statement` char(36) NULL, PRIMARY KEY (`id`), INDEX `dsses_statements_statement` (`dsse_statement`), UNIQUE INDEX `gitoid_sha256` (`gitoid_sha256`), CONSTRAINT `dsses_statements_statement` FOREIGN KEY (`dsse_statement`) REFERENCES `statements` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "payload_digests" table
+CREATE TABLE `payload_digests` (`id` char(36) NOT NULL, `algorithm` varchar(255) NOT NULL, `value` varchar(255) NOT NULL, `dsse_payload_digests` char(36) NULL, PRIMARY KEY (`id`), INDEX `payload_digests_dsses_payload_digests` (`dsse_payload_digests`), INDEX `payloaddigest_value` (`value`), CONSTRAINT `payload_digests_dsses_payload_digests` FOREIGN KEY (`dsse_payload_digests`) REFERENCES `dsses` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "signatures" table
+CREATE TABLE `signatures` (`id` char(36) NOT NULL, `key_id` varchar(255) NOT NULL, `signature` text NOT NULL, `dsse_signatures` char(36) NULL, PRIMARY KEY (`id`), INDEX `signature_key_id` (`key_id`), INDEX `signatures_dsses_signatures` (`dsse_signatures`), CONSTRAINT `signatures_dsses_signatures` FOREIGN KEY (`dsse_signatures`) REFERENCES `dsses` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "subjects" table
+CREATE TABLE `subjects` (`id` char(36) NOT NULL, `name` varchar(255) NOT NULL, `statement_subjects` char(36) NULL, PRIMARY KEY (`id`), INDEX `subject_name` (`name`), INDEX `subjects_statements_subjects` (`statement_subjects`), CONSTRAINT `subjects_statements_subjects` FOREIGN KEY (`statement_subjects`) REFERENCES `statements` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "subject_digests" table
+CREATE TABLE `subject_digests` (`id` char(36) NOT NULL, `algorithm` varchar(255) NOT NULL, `value` varchar(255) NOT NULL, `subject_subject_digests` char(36) NULL, PRIMARY KEY (`id`), INDEX `subject_digests_subjects_subject_digests` (`subject_subject_digests`), INDEX `subjectdigest_value` (`value`), CONSTRAINT `subject_digests_subjects_subject_digests` FOREIGN KEY (`subject_subject_digests`) REFERENCES `subjects` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
+-- Create "timestamps" table
+CREATE TABLE `timestamps` (`id` char(36) NOT NULL, `type` varchar(255) NOT NULL, `timestamp` timestamp NOT NULL, `signature_timestamps` char(36) NULL, PRIMARY KEY (`id`), INDEX `timestamps_signatures_timestamps` (`signature_timestamps`), CONSTRAINT `timestamps_signatures_timestamps` FOREIGN KEY (`signature_timestamps`) REFERENCES `signatures` (`id`) ON UPDATE NO ACTION ON DELETE SET NULL) CHARSET utf8mb4 COLLATE utf8mb4_bin;
--- a/ent/migrate/migrations/mysql/atlas.sum
+++ b/ent/migrate/migrations/mysql/atlas.sum
@ -1,2 +1,2 @@
-h1:uz2B9rkm7QWMNJE8Lp0NAr4JOcWFeRO6+MgSc/SBwqY=
-20231214165639_mysql.sql h1:rqSqoXUOtdEpJT04rLCzyyPJC+NYRjQj9jXHZW+Oq9Q=
+h1:hmfy8z9GJo6qsuCUPic5i8LIZpfIF0Phkud7Woix6c4=
+20240524112613_mysql.sql h1:P16hl/ui8F+xn7opuJT+GCQ8vnJEsQkZp8Q9PMOhrRI=
--- a/ent/migrate/migrations/pgsql/20231214165922_pgsql.sql
+++ b/ent/migrate/migrations/pgsql/20231214165922_pgsql.sql
@ -1,36 +0,0 @@
-- Create "statements" table
-CREATE TABLE "statements" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "predicate" character varying NOT NULL, PRIMARY KEY ("id"));
-- Create index "statement_predicate" to table: "statements"
-CREATE INDEX "statement_predicate" ON "statements" ("predicate");
-- Create "attestation_collections" table
-CREATE TABLE "attestation_collections" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "name" character varying NOT NULL, "statement_attestation_collections" bigint NOT NULL, PRIMARY KEY ("id"), CONSTRAINT "attestation_collections_statements_attestation_collections" FOREIGN KEY ("statement_attestation_collections") REFERENCES "statements" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION);
-- Create index "attestation_collections_statement_attestation_collections_key" to table: "attestation_collections"
-CREATE UNIQUE INDEX "attestation_collections_statement_attestation_collections_key" ON "attestation_collections" ("statement_attestation_collections");
-- Create index "attestationcollection_name" to table: "attestation_collections"
-CREATE INDEX "attestationcollection_name" ON "attestation_collections" ("name");
-- Create "attestations" table
-CREATE TABLE "attestations" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "type" character varying NOT NULL, "attestation_collection_attestations" bigint NOT NULL, PRIMARY KEY ("id"), CONSTRAINT "attestations_attestation_collections_attestations" FOREIGN KEY ("attestation_collection_attestations") REFERENCES "attestation_collections" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION);
-- Create index "attestation_type" to table: "attestations"
-CREATE INDEX "attestation_type" ON "attestations" ("type");
-- Create "dsses" table
-CREATE TABLE "dsses" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "gitoid_sha256" character varying NOT NULL, "payload_type" character varying NOT NULL, "dsse_statement" bigint NULL, PRIMARY KEY ("id"), CONSTRAINT "dsses_statements_statement" FOREIGN KEY ("dsse_statement") REFERENCES "statements" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
-- Create index "dsses_gitoid_sha256_key" to table: "dsses"
-CREATE UNIQUE INDEX "dsses_gitoid_sha256_key" ON "dsses" ("gitoid_sha256");
-- Create "payload_digests" table
-CREATE TABLE "payload_digests" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "algorithm" character varying NOT NULL, "value" character varying NOT NULL, "dsse_payload_digests" bigint NULL, PRIMARY KEY ("id"), CONSTRAINT "payload_digests_dsses_payload_digests" FOREIGN KEY ("dsse_payload_digests") REFERENCES "dsses" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
-- Create index "payloaddigest_value" to table: "payload_digests"
-CREATE INDEX "payloaddigest_value" ON "payload_digests" ("value");
-- Create "signatures" table
-CREATE TABLE "signatures" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "key_id" character varying NOT NULL, "signature" character varying NOT NULL, "dsse_signatures" bigint NULL, PRIMARY KEY ("id"), CONSTRAINT "signatures_dsses_signatures" FOREIGN KEY ("dsse_signatures") REFERENCES "dsses" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
-- Create index "signature_key_id" to table: "signatures"
-CREATE INDEX "signature_key_id" ON "signatures" ("key_id");
-- Create "subjects" table
-CREATE TABLE "subjects" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "name" character varying NOT NULL, "statement_subjects" bigint NULL, PRIMARY KEY ("id"), CONSTRAINT "subjects_statements_subjects" FOREIGN KEY ("statement_subjects") REFERENCES "statements" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
-- Create index "subject_name" to table: "subjects"
-CREATE INDEX "subject_name" ON "subjects" ("name");
-- Create "subject_digests" table
-CREATE TABLE "subject_digests" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "algorithm" character varying NOT NULL, "value" character varying NOT NULL, "subject_subject_digests" bigint NULL, PRIMARY KEY ("id"), CONSTRAINT "subject_digests_subjects_subject_digests" FOREIGN KEY ("subject_subject_digests") REFERENCES "subjects" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
-- Create index "subjectdigest_value" to table: "subject_digests"
-CREATE INDEX "subjectdigest_value" ON "subject_digests" ("value");
-- Create "timestamps" table
-CREATE TABLE "timestamps" ("id" bigint NOT NULL GENERATED BY DEFAULT AS IDENTITY, "type" character varying NOT NULL, "timestamp" timestamptz NOT NULL, "signature_timestamps" bigint NULL, PRIMARY KEY ("id"), CONSTRAINT "timestamps_signatures_timestamps" FOREIGN KEY ("signature_timestamps") REFERENCES "signatures" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
--- a/ent/migrate/migrations/pgsql/20240524112615_pgsql.sql
+++ b/ent/migrate/migrations/pgsql/20240524112615_pgsql.sql
@ -0,0 +1,42 @@
+-- Create "statements" table
+CREATE TABLE "statements" ("id" uuid NOT NULL, "predicate" character varying NOT NULL, PRIMARY KEY ("id"));
+-- Create index "statement_predicate" to table: "statements"
+CREATE INDEX "statement_predicate" ON "statements" ("predicate");
+-- Create "attestation_collections" table
+CREATE TABLE "attestation_collections" ("id" uuid NOT NULL, "name" character varying NOT NULL, "statement_attestation_collections" uuid NOT NULL, PRIMARY KEY ("id"), CONSTRAINT "attestation_collections_statements_attestation_collections" FOREIGN KEY ("statement_attestation_collections") REFERENCES "statements" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION);
+-- Create index "attestation_collections_statement_attestation_collections_key" to table: "attestation_collections"
+CREATE UNIQUE INDEX "attestation_collections_statement_attestation_collections_key" ON "attestation_collections" ("statement_attestation_collections");
+-- Create index "attestationcollection_name" to table: "attestation_collections"
+CREATE INDEX "attestationcollection_name" ON "attestation_collections" ("name");
+-- Create "attestation_policies" table
+CREATE TABLE "attestation_policies" ("id" uuid NOT NULL, "name" character varying NOT NULL, "statement_policy" uuid NULL, PRIMARY KEY ("id"), CONSTRAINT "attestation_policies_statements_policy" FOREIGN KEY ("statement_policy") REFERENCES "statements" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
+-- Create index "attestation_policies_statement_policy_key" to table: "attestation_policies"
+CREATE UNIQUE INDEX "attestation_policies_statement_policy_key" ON "attestation_policies" ("statement_policy");
+-- Create index "attestationpolicy_name" to table: "attestation_policies"
+CREATE INDEX "attestationpolicy_name" ON "attestation_policies" ("name");
+-- Create "attestations" table
+CREATE TABLE "attestations" ("id" uuid NOT NULL, "type" character varying NOT NULL, "attestation_collection_attestations" uuid NOT NULL, PRIMARY KEY ("id"), CONSTRAINT "attestations_attestation_collections_attestations" FOREIGN KEY ("attestation_collection_attestations") REFERENCES "attestation_collections" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION);
+-- Create index "attestation_type" to table: "attestations"
+CREATE INDEX "attestation_type" ON "attestations" ("type");
+-- Create "dsses" table
+CREATE TABLE "dsses" ("id" uuid NOT NULL, "gitoid_sha256" character varying NOT NULL, "payload_type" character varying NOT NULL, "dsse_statement" uuid NULL, PRIMARY KEY ("id"), CONSTRAINT "dsses_statements_statement" FOREIGN KEY ("dsse_statement") REFERENCES "statements" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
+-- Create index "dsses_gitoid_sha256_key" to table: "dsses"
+CREATE UNIQUE INDEX "dsses_gitoid_sha256_key" ON "dsses" ("gitoid_sha256");
+-- Create "payload_digests" table
+CREATE TABLE "payload_digests" ("id" uuid NOT NULL, "algorithm" character varying NOT NULL, "value" character varying NOT NULL, "dsse_payload_digests" uuid NULL, PRIMARY KEY ("id"), CONSTRAINT "payload_digests_dsses_payload_digests" FOREIGN KEY ("dsse_payload_digests") REFERENCES "dsses" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
+-- Create index "payloaddigest_value" to table: "payload_digests"
+CREATE INDEX "payloaddigest_value" ON "payload_digests" ("value");
+-- Create "signatures" table
+CREATE TABLE "signatures" ("id" uuid NOT NULL, "key_id" character varying NOT NULL, "signature" character varying NOT NULL, "dsse_signatures" uuid NULL, PRIMARY KEY ("id"), CONSTRAINT "signatures_dsses_signatures" FOREIGN KEY ("dsse_signatures") REFERENCES "dsses" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
+-- Create index "signature_key_id" to table: "signatures"
+CREATE INDEX "signature_key_id" ON "signatures" ("key_id");
+-- Create "subjects" table
+CREATE TABLE "subjects" ("id" uuid NOT NULL, "name" character varying NOT NULL, "statement_subjects" uuid NULL, PRIMARY KEY ("id"), CONSTRAINT "subjects_statements_subjects" FOREIGN KEY ("statement_subjects") REFERENCES "statements" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
+-- Create index "subject_name" to table: "subjects"
+CREATE INDEX "subject_name" ON "subjects" ("name");
+-- Create "subject_digests" table
+CREATE TABLE "subject_digests" ("id" uuid NOT NULL, "algorithm" character varying NOT NULL, "value" character varying NOT NULL, "subject_subject_digests" uuid NULL, PRIMARY KEY ("id"), CONSTRAINT "subject_digests_subjects_subject_digests" FOREIGN KEY ("subject_subject_digests") REFERENCES "subjects" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
+-- Create index "subjectdigest_value" to table: "subject_digests"
+CREATE INDEX "subjectdigest_value" ON "subject_digests" ("value");
+-- Create "timestamps" table
+CREATE TABLE "timestamps" ("id" uuid NOT NULL, "type" character varying NOT NULL, "timestamp" timestamptz NOT NULL, "signature_timestamps" uuid NULL, PRIMARY KEY ("id"), CONSTRAINT "timestamps_signatures_timestamps" FOREIGN KEY ("signature_timestamps") REFERENCES "signatures" ("id") ON UPDATE NO ACTION ON DELETE SET NULL);
--- a/ent/migrate/migrations/pgsql/atlas.sum
+++ b/ent/migrate/migrations/pgsql/atlas.sum
@ -1,2 +1,2 @@
-h1:0dyKf7c5dDT+Vk7LvKiAeEQAH9aBJcynyXc0Ru44eDo=
-20231214165922_pgsql.sql h1:AZaZD6/98yKVFL6svm7gPpKlD1EL6fk8juLh+SW765I=
+h1:tRI2n5O6+6fHTOil/e3LGqO1PEcv3D02M3VmEkH00ls=
+20240524112615_pgsql.sql h1:HMRY5DPVr3SjgjpdkCY3+3Us5y5LvtSzNEBwoIND5sY=
--- a/ent/migrate/schema.go
+++ b/ent/migrate/schema.go
@ -10,9 +10,9 @@ import (
 var (
 	// AttestationsColumns holds the columns for the "attestations" table.
 	AttestationsColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "type", Type: field.TypeString},
-		{Name: "attestation_collection_attestations", Type: field.TypeInt},
+		{Name: "attestation_collection_attestations", Type: field.TypeUUID},
 	}
 	// AttestationsTable holds the schema information for the "attestations" table.
 	AttestationsTable = &schema.Table{
@ -37,9 +37,9 @@ var (
 	}
 	// AttestationCollectionsColumns holds the columns for the "attestation_collections" table.
 	AttestationCollectionsColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "name", Type: field.TypeString},
-		{Name: "statement_attestation_collections", Type: field.TypeInt, Unique: true},
+		{Name: "statement_attestation_collections", Type: field.TypeUUID, Unique: true},
 	}
 	// AttestationCollectionsTable holds the schema information for the "attestation_collections" table.
 	AttestationCollectionsTable = &schema.Table{
@ -62,12 +62,39 @@ var (
 			},
 		},
 	}
+	// AttestationPoliciesColumns holds the columns for the "attestation_policies" table.
+	AttestationPoliciesColumns = []*schema.Column{
+		{Name: "id", Type: field.TypeUUID, Unique: true},
+		{Name: "name", Type: field.TypeString},
+		{Name: "statement_policy", Type: field.TypeUUID, Unique: true, Nullable: true},
+	}
+	// AttestationPoliciesTable holds the schema information for the "attestation_policies" table.
+	AttestationPoliciesTable = &schema.Table{
+		Name:       "attestation_policies",
+		Columns:    AttestationPoliciesColumns,
+		PrimaryKey: []*schema.Column{AttestationPoliciesColumns[0]},
+		ForeignKeys: []*schema.ForeignKey{
+			{
+				Symbol:     "attestation_policies_statements_policy",
+				Columns:    []*schema.Column{AttestationPoliciesColumns[2]},
+				RefColumns: []*schema.Column{StatementsColumns[0]},
+				OnDelete:   schema.SetNull,
+			},
+		},
+		Indexes: []*schema.Index{
+			{
+				Name:    "attestationpolicy_name",
+				Unique:  false,
+				Columns: []*schema.Column{AttestationPoliciesColumns[1]},
+			},
+		},
+	}
 	// DssesColumns holds the columns for the "dsses" table.
 	DssesColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "gitoid_sha256", Type: field.TypeString, Unique: true},
 		{Name: "payload_type", Type: field.TypeString},
-		{Name: "dsse_statement", Type: field.TypeInt, Nullable: true},
+		{Name: "dsse_statement", Type: field.TypeUUID, Nullable: true},
 	}
 	// DssesTable holds the schema information for the "dsses" table.
 	DssesTable = &schema.Table{
@ -85,10 +112,10 @@ var (
 	}
 	// PayloadDigestsColumns holds the columns for the "payload_digests" table.
 	PayloadDigestsColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "algorithm", Type: field.TypeString},
 		{Name: "value", Type: field.TypeString},
-		{Name: "dsse_payload_digests", Type: field.TypeInt, Nullable: true},
+		{Name: "dsse_payload_digests", Type: field.TypeUUID, Nullable: true},
 	}
 	// PayloadDigestsTable holds the schema information for the "payload_digests" table.
 	PayloadDigestsTable = &schema.Table{
@ -113,10 +140,10 @@ var (
 	}
 	// SignaturesColumns holds the columns for the "signatures" table.
 	SignaturesColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "key_id", Type: field.TypeString},
 		{Name: "signature", Type: field.TypeString, SchemaType: map[string]string{"mysql": "text"}},
-		{Name: "dsse_signatures", Type: field.TypeInt, Nullable: true},
+		{Name: "dsse_signatures", Type: field.TypeUUID, Nullable: true},
 	}
 	// SignaturesTable holds the schema information for the "signatures" table.
 	SignaturesTable = &schema.Table{
@ -141,7 +168,7 @@ var (
 	}
 	// StatementsColumns holds the columns for the "statements" table.
 	StatementsColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "predicate", Type: field.TypeString},
 	}
 	// StatementsTable holds the schema information for the "statements" table.
@ -159,9 +186,9 @@ var (
 	}
 	// SubjectsColumns holds the columns for the "subjects" table.
 	SubjectsColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "name", Type: field.TypeString},
-		{Name: "statement_subjects", Type: field.TypeInt, Nullable: true},
+		{Name: "statement_subjects", Type: field.TypeUUID, Nullable: true},
 	}
 	// SubjectsTable holds the schema information for the "subjects" table.
 	SubjectsTable = &schema.Table{
@ -186,10 +213,10 @@ var (
 	}
 	// SubjectDigestsColumns holds the columns for the "subject_digests" table.
 	SubjectDigestsColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "algorithm", Type: field.TypeString},
 		{Name: "value", Type: field.TypeString},
-		{Name: "subject_subject_digests", Type: field.TypeInt, Nullable: true},
+		{Name: "subject_subject_digests", Type: field.TypeUUID, Nullable: true},
 	}
 	// SubjectDigestsTable holds the schema information for the "subject_digests" table.
 	SubjectDigestsTable = &schema.Table{
@ -214,10 +241,10 @@ var (
 	}
 	// TimestampsColumns holds the columns for the "timestamps" table.
 	TimestampsColumns = []*schema.Column{
-		{Name: "id", Type: field.TypeInt, Increment: true},
+		{Name: "id", Type: field.TypeUUID, Unique: true},
 		{Name: "type", Type: field.TypeString},
 		{Name: "timestamp", Type: field.TypeTime},
-		{Name: "signature_timestamps", Type: field.TypeInt, Nullable: true},
+		{Name: "signature_timestamps", Type: field.TypeUUID, Nullable: true},
 	}
 	// TimestampsTable holds the schema information for the "timestamps" table.
 	TimestampsTable = &schema.Table{
@ -237,6 +264,7 @@ var (
 	Tables = []*schema.Table{
 		AttestationsTable,
 		AttestationCollectionsTable,
+		AttestationPoliciesTable,
 		DssesTable,
 		PayloadDigestsTable,
 		SignaturesTable,
@ -250,6 +278,7 @@ var (
 func init() {
 	AttestationsTable.ForeignKeys[0].RefTable = AttestationCollectionsTable
 	AttestationCollectionsTable.ForeignKeys[0].RefTable = StatementsTable
+	AttestationPoliciesTable.ForeignKeys[0].RefTable = StatementsTable
 	DssesTable.ForeignKeys[0].RefTable = StatementsTable
 	PayloadDigestsTable.ForeignKeys[0].RefTable = DssesTable
 	SignaturesTable.ForeignKeys[0].RefTable = DssesTable
--- a/ent/mutation.go
+++ b/ent/mutation.go
--- a/ent/payloaddigest.go
+++ b/ent/payloaddigest.go
@ -8,6 +8,7 @@ import (

 	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 )
@ -16,7 +17,7 @@ import (
 type PayloadDigest struct {
 	config `json:"-"`
 	// ID of the ent.
-	ID int `json:"id,omitempty"`
+	ID uuid.UUID `json:"id,omitempty"`
 	// Algorithm holds the value of the "algorithm" field.
 	Algorithm string `json:"algorithm,omitempty"`
 	// Value holds the value of the "value" field.
@ -24,7 +25,7 @@ type PayloadDigest struct {
 	// Edges holds the relations/edges for other nodes in the graph.
 	// The values are being populated by the PayloadDigestQuery when eager-loading is set.
 	Edges                PayloadDigestEdges `json:"edges"`
-	dsse_payload_digests *int
+	dsse_payload_digests *uuid.UUID
 	selectValues         sql.SelectValues
 }

@ -42,12 +43,10 @@ type PayloadDigestEdges struct {
 // DsseOrErr returns the Dsse value or an error if the edge
 // was not loaded in eager-loading, or loaded but was not found.
 func (e PayloadDigestEdges) DsseOrErr() (*Dsse, error) {
-	if e.loadedTypes[0] {
-		if e.Dsse == nil {
-			// Edge was loaded but was not found.
-			return nil, &NotFoundError{label: dsse.Label}
-		}
+	if e.Dsse != nil {
 		return e.Dsse, nil
+	} else if e.loadedTypes[0] {
+		return nil, &NotFoundError{label: dsse.Label}
 	}
 	return nil, &NotLoadedError{edge: "dsse"}
 }
@ -57,12 +56,12 @@ func (*PayloadDigest) scanValues(columns []string) ([]any, error) {
 	values := make([]any, len(columns))
 	for i := range columns {
 		switch columns[i] {
-		case payloaddigest.FieldID:
-			values[i] = new(sql.NullInt64)
 		case payloaddigest.FieldAlgorithm, payloaddigest.FieldValue:
 			values[i] = new(sql.NullString)
+		case payloaddigest.FieldID:
+			values[i] = new(uuid.UUID)
 		case payloaddigest.ForeignKeys[0]: // dsse_payload_digests
-			values[i] = new(sql.NullInt64)
+			values[i] = &sql.NullScanner{S: new(uuid.UUID)}
 		default:
 			values[i] = new(sql.UnknownType)
 		}
@ -79,11 +78,11 @@ func (pd *PayloadDigest) assignValues(columns []string, values []any) error {
 	for i := range columns {
 		switch columns[i] {
 		case payloaddigest.FieldID:
-			value, ok := values[i].(*sql.NullInt64)
-			if !ok {
-				return fmt.Errorf("unexpected type %T for field id", value)
+			if value, ok := values[i].(*uuid.UUID); !ok {
+				return fmt.Errorf("unexpected type %T for field id", values[i])
+			} else if value != nil {
+				pd.ID = *value
 			}
-			pd.ID = int(value.Int64)
 		case payloaddigest.FieldAlgorithm:
 			if value, ok := values[i].(*sql.NullString); !ok {
 				return fmt.Errorf("unexpected type %T for field algorithm", values[i])
@ -97,11 +96,11 @@ func (pd *PayloadDigest) assignValues(columns []string, values []any) error {
 				pd.Value = value.String
 			}
 		case payloaddigest.ForeignKeys[0]:
-			if value, ok := values[i].(*sql.NullInt64); !ok {
-				return fmt.Errorf("unexpected type %T for edge-field dsse_payload_digests", value)
+			if value, ok := values[i].(*sql.NullScanner); !ok {
+				return fmt.Errorf("unexpected type %T for field dsse_payload_digests", values[i])
 			} else if value.Valid {
-				pd.dsse_payload_digests = new(int)
-				*pd.dsse_payload_digests = int(value.Int64)
+				pd.dsse_payload_digests = new(uuid.UUID)
+				*pd.dsse_payload_digests = *value.S.(*uuid.UUID)
 			}
 		default:
 			pd.selectValues.Set(columns[i], values[i])
--- a/ent/payloaddigest/payloaddigest.go
+++ b/ent/payloaddigest/payloaddigest.go
@ -5,6 +5,7 @@ package payloaddigest
 import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
 )

 const (
@ -62,6 +63,8 @@ var (
 	AlgorithmValidator func(string) error
 	// ValueValidator is a validator for the "value" field. It is called by the builders before save.
 	ValueValidator func(string) error
+	// DefaultID holds the default value on creation for the "id" field.
+	DefaultID func() uuid.UUID
 )

 // OrderOption defines the ordering options for the PayloadDigest queries.
--- a/ent/payloaddigest/where.go
+++ b/ent/payloaddigest/where.go
@ -5,51 +5,52 @@ package payloaddigest
 import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/predicate"
 )

 // ID filters vertices based on their ID field.
-func ID(id int) predicate.PayloadDigest {
+func ID(id uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldEQ(FieldID, id))
 }

 // IDEQ applies the EQ predicate on the ID field.
-func IDEQ(id int) predicate.PayloadDigest {
+func IDEQ(id uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldEQ(FieldID, id))
 }

 // IDNEQ applies the NEQ predicate on the ID field.
-func IDNEQ(id int) predicate.PayloadDigest {
+func IDNEQ(id uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldNEQ(FieldID, id))
 }

 // IDIn applies the In predicate on the ID field.
-func IDIn(ids ...int) predicate.PayloadDigest {
+func IDIn(ids ...uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldIn(FieldID, ids...))
 }

 // IDNotIn applies the NotIn predicate on the ID field.
-func IDNotIn(ids ...int) predicate.PayloadDigest {
+func IDNotIn(ids ...uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldNotIn(FieldID, ids...))
 }

 // IDGT applies the GT predicate on the ID field.
-func IDGT(id int) predicate.PayloadDigest {
+func IDGT(id uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldGT(FieldID, id))
 }

 // IDGTE applies the GTE predicate on the ID field.
-func IDGTE(id int) predicate.PayloadDigest {
+func IDGTE(id uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldGTE(FieldID, id))
 }

 // IDLT applies the LT predicate on the ID field.
-func IDLT(id int) predicate.PayloadDigest {
+func IDLT(id uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldLT(FieldID, id))
 }

 // IDLTE applies the LTE predicate on the ID field.
-func IDLTE(id int) predicate.PayloadDigest {
+func IDLTE(id uuid.UUID) predicate.PayloadDigest {
 	return predicate.PayloadDigest(sql.FieldLTE(FieldID, id))
 }

--- a/ent/payloaddigest_create.go
+++ b/ent/payloaddigest_create.go
@ -9,6 +9,7 @@ import (

 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 )
@ -32,14 +33,28 @@ func (pdc *PayloadDigestCreate) SetValue(s string) *PayloadDigestCreate {
 	return pdc
 }

+// SetID sets the "id" field.
+func (pdc *PayloadDigestCreate) SetID(u uuid.UUID) *PayloadDigestCreate {
+	pdc.mutation.SetID(u)
+	return pdc
+}
+
+// SetNillableID sets the "id" field if the given value is not nil.
+func (pdc *PayloadDigestCreate) SetNillableID(u *uuid.UUID) *PayloadDigestCreate {
+	if u != nil {
+		pdc.SetID(*u)
+	}
+	return pdc
+}
+
 // SetDsseID sets the "dsse" edge to the Dsse entity by ID.
-func (pdc *PayloadDigestCreate) SetDsseID(id int) *PayloadDigestCreate {
+func (pdc *PayloadDigestCreate) SetDsseID(id uuid.UUID) *PayloadDigestCreate {
 	pdc.mutation.SetDsseID(id)
 	return pdc
 }

 // SetNillableDsseID sets the "dsse" edge to the Dsse entity by ID if the given value is not nil.
-func (pdc *PayloadDigestCreate) SetNillableDsseID(id *int) *PayloadDigestCreate {
+func (pdc *PayloadDigestCreate) SetNillableDsseID(id *uuid.UUID) *PayloadDigestCreate {
 	if id != nil {
 		pdc = pdc.SetDsseID(*id)
 	}
@ -58,6 +73,7 @@ func (pdc *PayloadDigestCreate) Mutation() *PayloadDigestMutation {

 // Save creates the PayloadDigest in the database.
 func (pdc *PayloadDigestCreate) Save(ctx context.Context) (*PayloadDigest, error) {
+	pdc.defaults()
 	return withHooks(ctx, pdc.sqlSave, pdc.mutation, pdc.hooks)
 }

@ -83,6 +99,14 @@ func (pdc *PayloadDigestCreate) ExecX(ctx context.Context) {
 	}
 }

+// defaults sets the default values of the builder before save.
+func (pdc *PayloadDigestCreate) defaults() {
+	if _, ok := pdc.mutation.ID(); !ok {
+		v := payloaddigest.DefaultID()
+		pdc.mutation.SetID(v)
+	}
+}
+
 // check runs all checks and user-defined validators on the builder.
 func (pdc *PayloadDigestCreate) check() error {
 	if _, ok := pdc.mutation.Algorithm(); !ok {
@ -115,8 +139,13 @@ func (pdc *PayloadDigestCreate) sqlSave(ctx context.Context) (*PayloadDigest, er
 		}
 		return nil, err
 	}
-	id := _spec.ID.Value.(int64)
-	_node.ID = int(id)
+	if _spec.ID.Value != nil {
+		if id, ok := _spec.ID.Value.(*uuid.UUID); ok {
+			_node.ID = *id
+		} else if err := _node.ID.Scan(_spec.ID.Value); err != nil {
+			return nil, err
+		}
+	}
 	pdc.mutation.id = &_node.ID
 	pdc.mutation.done = true
 	return _node, nil
@ -125,8 +154,12 @@ func (pdc *PayloadDigestCreate) sqlSave(ctx context.Context) (*PayloadDigest, er
 func (pdc *PayloadDigestCreate) createSpec() (*PayloadDigest, *sqlgraph.CreateSpec) {
 	var (
 		_node = &PayloadDigest{config: pdc.config}
-		_spec = sqlgraph.NewCreateSpec(payloaddigest.Table, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt))
+		_spec = sqlgraph.NewCreateSpec(payloaddigest.Table, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID))
 	)
+	if id, ok := pdc.mutation.ID(); ok {
+		_node.ID = id
+		_spec.ID.Value = &id
+	}
 	if value, ok := pdc.mutation.Algorithm(); ok {
 		_spec.SetField(payloaddigest.FieldAlgorithm, field.TypeString, value)
 		_node.Algorithm = value
@ -143,7 +176,7 @@ func (pdc *PayloadDigestCreate) createSpec() (*PayloadDigest, *sqlgraph.CreateSp
 			Columns: []string{payloaddigest.DsseColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -173,6 +206,7 @@ func (pdcb *PayloadDigestCreateBulk) Save(ctx context.Context) ([]*PayloadDigest
 	for i := range pdcb.builders {
 		func(i int, root context.Context) {
 			builder := pdcb.builders[i]
+			builder.defaults()
 			var mut Mutator = MutateFunc(func(ctx context.Context, m Mutation) (Value, error) {
 				mutation, ok := m.(*PayloadDigestMutation)
 				if !ok {
@ -199,10 +233,6 @@ func (pdcb *PayloadDigestCreateBulk) Save(ctx context.Context) ([]*PayloadDigest
 					return nil, err
 				}
 				mutation.id = &nodes[i].ID
-				if specs[i].ID.Value != nil {
-					id := specs[i].ID.Value.(int64)
-					nodes[i].ID = int(id)
-				}
 				mutation.done = true
 				return nodes[i], nil
 			})
--- a/ent/payloaddigest_delete.go
+++ b/ent/payloaddigest_delete.go
@ -40,7 +40,7 @@ func (pdd *PayloadDigestDelete) ExecX(ctx context.Context) int {
 }

 func (pdd *PayloadDigestDelete) sqlExec(ctx context.Context) (int, error) {
-	_spec := sqlgraph.NewDeleteSpec(payloaddigest.Table, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewDeleteSpec(payloaddigest.Table, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID))
 	if ps := pdd.mutation.predicates; len(ps) > 0 {
 		_spec.Predicate = func(selector *sql.Selector) {
 			for i := range ps {
--- a/ent/payloaddigest_query.go
+++ b/ent/payloaddigest_query.go
@ -7,9 +7,11 @@ import (
 	"fmt"
 	"math"

+	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/predicate"
@ -87,7 +89,7 @@ func (pdq *PayloadDigestQuery) QueryDsse() *DsseQuery {
 // First returns the first PayloadDigest entity from the query.
 // Returns a *NotFoundError when no PayloadDigest was found.
 func (pdq *PayloadDigestQuery) First(ctx context.Context) (*PayloadDigest, error) {
-	nodes, err := pdq.Limit(1).All(setContextOp(ctx, pdq.ctx, "First"))
+	nodes, err := pdq.Limit(1).All(setContextOp(ctx, pdq.ctx, ent.OpQueryFirst))
 	if err != nil {
 		return nil, err
 	}
@ -108,9 +110,9 @@ func (pdq *PayloadDigestQuery) FirstX(ctx context.Context) *PayloadDigest {

 // FirstID returns the first PayloadDigest ID from the query.
 // Returns a *NotFoundError when no PayloadDigest ID was found.
-func (pdq *PayloadDigestQuery) FirstID(ctx context.Context) (id int, err error) {
-	var ids []int
-	if ids, err = pdq.Limit(1).IDs(setContextOp(ctx, pdq.ctx, "FirstID")); err != nil {
+func (pdq *PayloadDigestQuery) FirstID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = pdq.Limit(1).IDs(setContextOp(ctx, pdq.ctx, ent.OpQueryFirstID)); err != nil {
 		return
 	}
 	if len(ids) == 0 {
@ -121,7 +123,7 @@ func (pdq *PayloadDigestQuery) FirstID(ctx context.Context) (id int, err error)
 }

 // FirstIDX is like FirstID, but panics if an error occurs.
-func (pdq *PayloadDigestQuery) FirstIDX(ctx context.Context) int {
+func (pdq *PayloadDigestQuery) FirstIDX(ctx context.Context) uuid.UUID {
 	id, err := pdq.FirstID(ctx)
 	if err != nil && !IsNotFound(err) {
 		panic(err)
@ -133,7 +135,7 @@ func (pdq *PayloadDigestQuery) FirstIDX(ctx context.Context) int {
 // Returns a *NotSingularError when more than one PayloadDigest entity is found.
 // Returns a *NotFoundError when no PayloadDigest entities are found.
 func (pdq *PayloadDigestQuery) Only(ctx context.Context) (*PayloadDigest, error) {
-	nodes, err := pdq.Limit(2).All(setContextOp(ctx, pdq.ctx, "Only"))
+	nodes, err := pdq.Limit(2).All(setContextOp(ctx, pdq.ctx, ent.OpQueryOnly))
 	if err != nil {
 		return nil, err
 	}
@ -159,9 +161,9 @@ func (pdq *PayloadDigestQuery) OnlyX(ctx context.Context) *PayloadDigest {
 // OnlyID is like Only, but returns the only PayloadDigest ID in the query.
 // Returns a *NotSingularError when more than one PayloadDigest ID is found.
 // Returns a *NotFoundError when no entities are found.
-func (pdq *PayloadDigestQuery) OnlyID(ctx context.Context) (id int, err error) {
-	var ids []int
-	if ids, err = pdq.Limit(2).IDs(setContextOp(ctx, pdq.ctx, "OnlyID")); err != nil {
+func (pdq *PayloadDigestQuery) OnlyID(ctx context.Context) (id uuid.UUID, err error) {
+	var ids []uuid.UUID
+	if ids, err = pdq.Limit(2).IDs(setContextOp(ctx, pdq.ctx, ent.OpQueryOnlyID)); err != nil {
 		return
 	}
 	switch len(ids) {
@ -176,7 +178,7 @@ func (pdq *PayloadDigestQuery) OnlyID(ctx context.Context) (id int, err error) {
 }

 // OnlyIDX is like OnlyID, but panics if an error occurs.
-func (pdq *PayloadDigestQuery) OnlyIDX(ctx context.Context) int {
+func (pdq *PayloadDigestQuery) OnlyIDX(ctx context.Context) uuid.UUID {
 	id, err := pdq.OnlyID(ctx)
 	if err != nil {
 		panic(err)
@ -186,7 +188,7 @@ func (pdq *PayloadDigestQuery) OnlyIDX(ctx context.Context) int {

 // All executes the query and returns a list of PayloadDigests.
 func (pdq *PayloadDigestQuery) All(ctx context.Context) ([]*PayloadDigest, error) {
-	ctx = setContextOp(ctx, pdq.ctx, "All")
+	ctx = setContextOp(ctx, pdq.ctx, ent.OpQueryAll)
 	if err := pdq.prepareQuery(ctx); err != nil {
 		return nil, err
 	}
@ -204,11 +206,11 @@ func (pdq *PayloadDigestQuery) AllX(ctx context.Context) []*PayloadDigest {
 }

 // IDs executes the query and returns a list of PayloadDigest IDs.
-func (pdq *PayloadDigestQuery) IDs(ctx context.Context) (ids []int, err error) {
+func (pdq *PayloadDigestQuery) IDs(ctx context.Context) (ids []uuid.UUID, err error) {
 	if pdq.ctx.Unique == nil && pdq.path != nil {
 		pdq.Unique(true)
 	}
-	ctx = setContextOp(ctx, pdq.ctx, "IDs")
+	ctx = setContextOp(ctx, pdq.ctx, ent.OpQueryIDs)
 	if err = pdq.Select(payloaddigest.FieldID).Scan(ctx, &ids); err != nil {
 		return nil, err
 	}
@ -216,7 +218,7 @@ func (pdq *PayloadDigestQuery) IDs(ctx context.Context) (ids []int, err error) {
 }

 // IDsX is like IDs, but panics if an error occurs.
-func (pdq *PayloadDigestQuery) IDsX(ctx context.Context) []int {
+func (pdq *PayloadDigestQuery) IDsX(ctx context.Context) []uuid.UUID {
 	ids, err := pdq.IDs(ctx)
 	if err != nil {
 		panic(err)
@ -226,7 +228,7 @@ func (pdq *PayloadDigestQuery) IDsX(ctx context.Context) []int {

 // Count returns the count of the given query.
 func (pdq *PayloadDigestQuery) Count(ctx context.Context) (int, error) {
-	ctx = setContextOp(ctx, pdq.ctx, "Count")
+	ctx = setContextOp(ctx, pdq.ctx, ent.OpQueryCount)
 	if err := pdq.prepareQuery(ctx); err != nil {
 		return 0, err
 	}
@ -244,7 +246,7 @@ func (pdq *PayloadDigestQuery) CountX(ctx context.Context) int {

 // Exist returns true if the query has elements in the graph.
 func (pdq *PayloadDigestQuery) Exist(ctx context.Context) (bool, error) {
-	ctx = setContextOp(ctx, pdq.ctx, "Exist")
+	ctx = setContextOp(ctx, pdq.ctx, ent.OpQueryExist)
 	switch _, err := pdq.FirstID(ctx); {
 	case IsNotFound(err):
 		return false, nil
@ -419,8 +421,8 @@ func (pdq *PayloadDigestQuery) sqlAll(ctx context.Context, hooks ...queryHook) (
 }

 func (pdq *PayloadDigestQuery) loadDsse(ctx context.Context, query *DsseQuery, nodes []*PayloadDigest, init func(*PayloadDigest), assign func(*PayloadDigest, *Dsse)) error {
-	ids := make([]int, 0, len(nodes))
-	nodeids := make(map[int][]*PayloadDigest)
+	ids := make([]uuid.UUID, 0, len(nodes))
+	nodeids := make(map[uuid.UUID][]*PayloadDigest)
 	for i := range nodes {
 		if nodes[i].dsse_payload_digests == nil {
 			continue
@ -464,7 +466,7 @@ func (pdq *PayloadDigestQuery) sqlCount(ctx context.Context) (int, error) {
 }

 func (pdq *PayloadDigestQuery) querySpec() *sqlgraph.QuerySpec {
-	_spec := sqlgraph.NewQuerySpec(payloaddigest.Table, payloaddigest.Columns, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewQuerySpec(payloaddigest.Table, payloaddigest.Columns, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID))
 	_spec.From = pdq.sql
 	if unique := pdq.ctx.Unique; unique != nil {
 		_spec.Unique = *unique
@ -549,7 +551,7 @@ func (pdgb *PayloadDigestGroupBy) Aggregate(fns ...AggregateFunc) *PayloadDigest

 // Scan applies the selector query and scans the result into the given value.
 func (pdgb *PayloadDigestGroupBy) Scan(ctx context.Context, v any) error {
-	ctx = setContextOp(ctx, pdgb.build.ctx, "GroupBy")
+	ctx = setContextOp(ctx, pdgb.build.ctx, ent.OpQueryGroupBy)
 	if err := pdgb.build.prepareQuery(ctx); err != nil {
 		return err
 	}
@ -597,7 +599,7 @@ func (pds *PayloadDigestSelect) Aggregate(fns ...AggregateFunc) *PayloadDigestSe

 // Scan applies the selector query and scans the result into the given value.
 func (pds *PayloadDigestSelect) Scan(ctx context.Context, v any) error {
-	ctx = setContextOp(ctx, pds.ctx, "Select")
+	ctx = setContextOp(ctx, pds.ctx, ent.OpQuerySelect)
 	if err := pds.prepareQuery(ctx); err != nil {
 		return err
 	}
--- a/ent/payloaddigest_update.go
+++ b/ent/payloaddigest_update.go
@ -10,6 +10,7 @@ import (
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/predicate"
@ -57,13 +58,13 @@ func (pdu *PayloadDigestUpdate) SetNillableValue(s *string) *PayloadDigestUpdate
 }

 // SetDsseID sets the "dsse" edge to the Dsse entity by ID.
-func (pdu *PayloadDigestUpdate) SetDsseID(id int) *PayloadDigestUpdate {
+func (pdu *PayloadDigestUpdate) SetDsseID(id uuid.UUID) *PayloadDigestUpdate {
 	pdu.mutation.SetDsseID(id)
 	return pdu
 }

 // SetNillableDsseID sets the "dsse" edge to the Dsse entity by ID if the given value is not nil.
-func (pdu *PayloadDigestUpdate) SetNillableDsseID(id *int) *PayloadDigestUpdate {
+func (pdu *PayloadDigestUpdate) SetNillableDsseID(id *uuid.UUID) *PayloadDigestUpdate {
 	if id != nil {
 		pdu = pdu.SetDsseID(*id)
 	}
@ -132,7 +133,7 @@ func (pdu *PayloadDigestUpdate) sqlSave(ctx context.Context) (n int, err error)
 	if err := pdu.check(); err != nil {
 		return n, err
 	}
-	_spec := sqlgraph.NewUpdateSpec(payloaddigest.Table, payloaddigest.Columns, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewUpdateSpec(payloaddigest.Table, payloaddigest.Columns, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID))
 	if ps := pdu.mutation.predicates; len(ps) > 0 {
 		_spec.Predicate = func(selector *sql.Selector) {
 			for i := range ps {
@ -154,7 +155,7 @@ func (pdu *PayloadDigestUpdate) sqlSave(ctx context.Context) (n int, err error)
 			Columns: []string{payloaddigest.DsseColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -167,7 +168,7 @@ func (pdu *PayloadDigestUpdate) sqlSave(ctx context.Context) (n int, err error)
 			Columns: []string{payloaddigest.DsseColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
@ -224,13 +225,13 @@ func (pduo *PayloadDigestUpdateOne) SetNillableValue(s *string) *PayloadDigestUp
 }

 // SetDsseID sets the "dsse" edge to the Dsse entity by ID.
-func (pduo *PayloadDigestUpdateOne) SetDsseID(id int) *PayloadDigestUpdateOne {
+func (pduo *PayloadDigestUpdateOne) SetDsseID(id uuid.UUID) *PayloadDigestUpdateOne {
 	pduo.mutation.SetDsseID(id)
 	return pduo
 }

 // SetNillableDsseID sets the "dsse" edge to the Dsse entity by ID if the given value is not nil.
-func (pduo *PayloadDigestUpdateOne) SetNillableDsseID(id *int) *PayloadDigestUpdateOne {
+func (pduo *PayloadDigestUpdateOne) SetNillableDsseID(id *uuid.UUID) *PayloadDigestUpdateOne {
 	if id != nil {
 		pduo = pduo.SetDsseID(*id)
 	}
@ -312,7 +313,7 @@ func (pduo *PayloadDigestUpdateOne) sqlSave(ctx context.Context) (_node *Payload
 	if err := pduo.check(); err != nil {
 		return _node, err
 	}
-	_spec := sqlgraph.NewUpdateSpec(payloaddigest.Table, payloaddigest.Columns, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeInt))
+	_spec := sqlgraph.NewUpdateSpec(payloaddigest.Table, payloaddigest.Columns, sqlgraph.NewFieldSpec(payloaddigest.FieldID, field.TypeUUID))
 	id, ok := pduo.mutation.ID()
 	if !ok {
 		return nil, &ValidationError{Name: "id", err: errors.New(`ent: missing "PayloadDigest.id" for update`)}
@ -351,7 +352,7 @@ func (pduo *PayloadDigestUpdateOne) sqlSave(ctx context.Context) (_node *Payload
 			Columns: []string{payloaddigest.DsseColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID),
 			},
 		}
 		_spec.Edges.Clear = append(_spec.Edges.Clear, edge)
@ -364,7 +365,7 @@ func (pduo *PayloadDigestUpdateOne) sqlSave(ctx context.Context) (_node *Payload
 			Columns: []string{payloaddigest.DsseColumn},
 			Bidi:    false,
 			Target: &sqlgraph.EdgeTarget{
-				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeInt),
+				IDSpec: sqlgraph.NewFieldSpec(dsse.FieldID, field.TypeUUID),
 			},
 		}
 		for _, k := range nodes {
--- a/ent/predicate/predicate.go
+++ b/ent/predicate/predicate.go
@ -12,6 +12,9 @@ type Attestation func(*sql.Selector)
 // AttestationCollection is the predicate function for attestationcollection builders.
 type AttestationCollection func(*sql.Selector)

+// AttestationPolicy is the predicate function for attestationpolicy builders.
+type AttestationPolicy func(*sql.Selector)
+
 // Dsse is the predicate function for dsse builders.
 type Dsse func(*sql.Selector)

--- a/ent/runtime.go
+++ b/ent/runtime.go
@ -3,8 +3,10 @@
 package ent

 import (
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/attestation"
 	"github.com/in-toto/archivista/ent/attestationcollection"
+	"github.com/in-toto/archivista/ent/attestationpolicy"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/payloaddigest"
 	"github.com/in-toto/archivista/ent/schema"
@ -12,6 +14,7 @@ import (
 	"github.com/in-toto/archivista/ent/statement"
 	"github.com/in-toto/archivista/ent/subject"
 	"github.com/in-toto/archivista/ent/subjectdigest"
+	"github.com/in-toto/archivista/ent/timestamp"
 )

 // The init function reads all schema descriptors with runtime code
@ -21,65 +24,109 @@ func init() {
 	attestationFields := schema.Attestation{}.Fields()
 	_ = attestationFields
 	// attestationDescType is the schema descriptor for type field.
-	attestationDescType := attestationFields[0].Descriptor()
+	attestationDescType := attestationFields[1].Descriptor()
 	// attestation.TypeValidator is a validator for the "type" field. It is called by the builders before save.
 	attestation.TypeValidator = attestationDescType.Validators[0].(func(string) error)
+	// attestationDescID is the schema descriptor for id field.
+	attestationDescID := attestationFields[0].Descriptor()
+	// attestation.DefaultID holds the default value on creation for the id field.
+	attestation.DefaultID = attestationDescID.Default.(func() uuid.UUID)
 	attestationcollectionFields := schema.AttestationCollection{}.Fields()
 	_ = attestationcollectionFields
 	// attestationcollectionDescName is the schema descriptor for name field.
-	attestationcollectionDescName := attestationcollectionFields[0].Descriptor()
+	attestationcollectionDescName := attestationcollectionFields[1].Descriptor()
 	// attestationcollection.NameValidator is a validator for the "name" field. It is called by the builders before save.
 	attestationcollection.NameValidator = attestationcollectionDescName.Validators[0].(func(string) error)
+	// attestationcollectionDescID is the schema descriptor for id field.
+	attestationcollectionDescID := attestationcollectionFields[0].Descriptor()
+	// attestationcollection.DefaultID holds the default value on creation for the id field.
+	attestationcollection.DefaultID = attestationcollectionDescID.Default.(func() uuid.UUID)
+	attestationpolicyFields := schema.AttestationPolicy{}.Fields()
+	_ = attestationpolicyFields
+	// attestationpolicyDescName is the schema descriptor for name field.
+	attestationpolicyDescName := attestationpolicyFields[1].Descriptor()
+	// attestationpolicy.NameValidator is a validator for the "name" field. It is called by the builders before save.
+	attestationpolicy.NameValidator = attestationpolicyDescName.Validators[0].(func(string) error)
+	// attestationpolicyDescID is the schema descriptor for id field.
+	attestationpolicyDescID := attestationpolicyFields[0].Descriptor()
+	// attestationpolicy.DefaultID holds the default value on creation for the id field.
+	attestationpolicy.DefaultID = attestationpolicyDescID.Default.(func() uuid.UUID)
 	dsseFields := schema.Dsse{}.Fields()
 	_ = dsseFields
 	// dsseDescGitoidSha256 is the schema descriptor for gitoid_sha256 field.
-	dsseDescGitoidSha256 := dsseFields[0].Descriptor()
+	dsseDescGitoidSha256 := dsseFields[1].Descriptor()
 	// dsse.GitoidSha256Validator is a validator for the "gitoid_sha256" field. It is called by the builders before save.
 	dsse.GitoidSha256Validator = dsseDescGitoidSha256.Validators[0].(func(string) error)
 	// dsseDescPayloadType is the schema descriptor for payload_type field.
-	dsseDescPayloadType := dsseFields[1].Descriptor()
+	dsseDescPayloadType := dsseFields[2].Descriptor()
 	// dsse.PayloadTypeValidator is a validator for the "payload_type" field. It is called by the builders before save.
 	dsse.PayloadTypeValidator = dsseDescPayloadType.Validators[0].(func(string) error)
+	// dsseDescID is the schema descriptor for id field.
+	dsseDescID := dsseFields[0].Descriptor()
+	// dsse.DefaultID holds the default value on creation for the id field.
+	dsse.DefaultID = dsseDescID.Default.(func() uuid.UUID)
 	payloaddigestFields := schema.PayloadDigest{}.Fields()
 	_ = payloaddigestFields
 	// payloaddigestDescAlgorithm is the schema descriptor for algorithm field.
-	payloaddigestDescAlgorithm := payloaddigestFields[0].Descriptor()
+	payloaddigestDescAlgorithm := payloaddigestFields[1].Descriptor()
 	// payloaddigest.AlgorithmValidator is a validator for the "algorithm" field. It is called by the builders before save.
 	payloaddigest.AlgorithmValidator = payloaddigestDescAlgorithm.Validators[0].(func(string) error)
 	// payloaddigestDescValue is the schema descriptor for value field.
-	payloaddigestDescValue := payloaddigestFields[1].Descriptor()
+	payloaddigestDescValue := payloaddigestFields[2].Descriptor()
 	// payloaddigest.ValueValidator is a validator for the "value" field. It is called by the builders before save.
 	payloaddigest.ValueValidator = payloaddigestDescValue.Validators[0].(func(string) error)
+	// payloaddigestDescID is the schema descriptor for id field.
+	payloaddigestDescID := payloaddigestFields[0].Descriptor()
+	// payloaddigest.DefaultID holds the default value on creation for the id field.
+	payloaddigest.DefaultID = payloaddigestDescID.Default.(func() uuid.UUID)
 	signatureFields := schema.Signature{}.Fields()
 	_ = signatureFields
-	// signatureDescKeyID is the schema descriptor for key_id field.
-	signatureDescKeyID := signatureFields[0].Descriptor()
-	// signature.KeyIDValidator is a validator for the "key_id" field. It is called by the builders before save.
-	signature.KeyIDValidator = signatureDescKeyID.Validators[0].(func(string) error)
 	// signatureDescSignature is the schema descriptor for signature field.
-	signatureDescSignature := signatureFields[1].Descriptor()
+	signatureDescSignature := signatureFields[2].Descriptor()
 	// signature.SignatureValidator is a validator for the "signature" field. It is called by the builders before save.
 	signature.SignatureValidator = signatureDescSignature.Validators[0].(func(string) error)
+	// signatureDescID is the schema descriptor for id field.
+	signatureDescID := signatureFields[0].Descriptor()
+	// signature.DefaultID holds the default value on creation for the id field.
+	signature.DefaultID = signatureDescID.Default.(func() uuid.UUID)
 	statementFields := schema.Statement{}.Fields()
 	_ = statementFields
 	// statementDescPredicate is the schema descriptor for predicate field.
-	statementDescPredicate := statementFields[0].Descriptor()
+	statementDescPredicate := statementFields[1].Descriptor()
 	// statement.PredicateValidator is a validator for the "predicate" field. It is called by the builders before save.
 	statement.PredicateValidator = statementDescPredicate.Validators[0].(func(string) error)
+	// statementDescID is the schema descriptor for id field.
+	statementDescID := statementFields[0].Descriptor()
+	// statement.DefaultID holds the default value on creation for the id field.
+	statement.DefaultID = statementDescID.Default.(func() uuid.UUID)
 	subjectFields := schema.Subject{}.Fields()
 	_ = subjectFields
 	// subjectDescName is the schema descriptor for name field.
-	subjectDescName := subjectFields[0].Descriptor()
+	subjectDescName := subjectFields[1].Descriptor()
 	// subject.NameValidator is a validator for the "name" field. It is called by the builders before save.
 	subject.NameValidator = subjectDescName.Validators[0].(func(string) error)
+	// subjectDescID is the schema descriptor for id field.
+	subjectDescID := subjectFields[0].Descriptor()
+	// subject.DefaultID holds the default value on creation for the id field.
+	subject.DefaultID = subjectDescID.Default.(func() uuid.UUID)
 	subjectdigestFields := schema.SubjectDigest{}.Fields()
 	_ = subjectdigestFields
 	// subjectdigestDescAlgorithm is the schema descriptor for algorithm field.
-	subjectdigestDescAlgorithm := subjectdigestFields[0].Descriptor()
+	subjectdigestDescAlgorithm := subjectdigestFields[1].Descriptor()
 	// subjectdigest.AlgorithmValidator is a validator for the "algorithm" field. It is called by the builders before save.
 	subjectdigest.AlgorithmValidator = subjectdigestDescAlgorithm.Validators[0].(func(string) error)
 	// subjectdigestDescValue is the schema descriptor for value field.
-	subjectdigestDescValue := subjectdigestFields[1].Descriptor()
+	subjectdigestDescValue := subjectdigestFields[2].Descriptor()
 	// subjectdigest.ValueValidator is a validator for the "value" field. It is called by the builders before save.
 	subjectdigest.ValueValidator = subjectdigestDescValue.Validators[0].(func(string) error)
+	// subjectdigestDescID is the schema descriptor for id field.
+	subjectdigestDescID := subjectdigestFields[0].Descriptor()
+	// subjectdigest.DefaultID holds the default value on creation for the id field.
+	subjectdigest.DefaultID = subjectdigestDescID.Default.(func() uuid.UUID)
+	timestampFields := schema.Timestamp{}.Fields()
+	_ = timestampFields
+	// timestampDescID is the schema descriptor for id field.
+	timestampDescID := timestampFields[0].Descriptor()
+	// timestamp.DefaultID holds the default value on creation for the id field.
+	timestamp.DefaultID = timestampDescID.Default.(func() uuid.UUID)
 }
--- a/ent/runtime/runtime.go
+++ b/ent/runtime/runtime.go
@ -5,6 +5,6 @@ package runtime
 // The schema-stitching logic is generated in github.com/in-toto/archivista/ent/runtime.go

 const (
-	Version = "v0.12.5"                                         // Version of ent codegen.
-	Sum     = "h1:KREM5E4CSoej4zeGa88Ou/gfturAnpUv0mzAjch1sj4=" // Sum of ent codegen.
+	Version = "v0.14.4"                                         // Version of ent codegen.
+	Sum     = "h1:/DhDraSLXIkBhyiVoJeSshr4ZYi7femzhj6/TckzZuI=" // Sum of ent codegen.
 )
--- a/ent/schema/attestation.go
+++ b/ent/schema/attestation.go
@ -19,6 +19,7 @@ import (
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
 	"entgo.io/ent/schema/index"
+	"github.com/google/uuid"
 )

 // Attestation represents an attestation from a witness attestation collection
@ -28,6 +29,7 @@ type Attestation struct {

 func (Attestation) Fields() []ent.Field {
 	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
 		field.String("type").NotEmpty(),
 	}
 }
--- a/ent/schema/attestationcollection.go
+++ b/ent/schema/attestationcollection.go
@ -19,6 +19,7 @@ import (
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
 	"entgo.io/ent/schema/index"
+	"github.com/google/uuid"
 )

 // AttestationCollection represents a witness attestation collection
@ -28,6 +29,7 @@ type AttestationCollection struct {

 func (AttestationCollection) Fields() []ent.Field {
 	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
 		field.String("name").NotEmpty(),
 	}
 }
--- a/ent/schema/attestationpolicy.go
+++ b/ent/schema/attestationpolicy.go
@ -0,0 +1,58 @@
+// Copyright 2024 The Archivista Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package schema
+
+import (
+	"entgo.io/contrib/entgql"
+	"entgo.io/ent"
+	"entgo.io/ent/schema"
+	"entgo.io/ent/schema/edge"
+	"entgo.io/ent/schema/field"
+	"entgo.io/ent/schema/index"
+	"github.com/google/uuid"
+)
+
+// Attestation represents an attestation from a witness attestation collection
+type AttestationPolicy struct {
+	ent.Schema
+}
+
+func (AttestationPolicy) Fields() []ent.Field {
+	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
+		field.String("name").NotEmpty(),
+	}
+}
+
+// Edges of the AttestationPolicy.
+func (AttestationPolicy) Edges() []ent.Edge {
+	return []ent.Edge{
+		edge.From("statement", Statement.Type).
+			Ref("policy").Unique(),
+	}
+}
+
+func (AttestationPolicy) Indexes() []ent.Index {
+	return []ent.Index{
+		index.Fields("name"),
+	}
+}
+
+func (AttestationPolicy) Annotations() []schema.Annotation {
+	return []schema.Annotation{
+		entgql.RelayConnection(),
+		entgql.QueryField(),
+	}
+}
--- a/ent/schema/dsse.go
+++ b/ent/schema/dsse.go
@ -20,6 +20,7 @@ import (
 	"entgo.io/ent/schema"
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 )

 // Dsse represents some metadata about an archived DSSE envelope
@ -30,6 +31,7 @@ type Dsse struct {
 // Fields of the Statement.
 func (Dsse) Fields() []ent.Field {
 	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
 		field.String("gitoid_sha256").NotEmpty().Unique(),
 		field.String("payload_type").NotEmpty(),
 	}
--- a/ent/schema/payloaddigest.go
+++ b/ent/schema/payloaddigest.go
@ -19,6 +19,7 @@ import (
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
 	"entgo.io/ent/schema/index"
+	"github.com/google/uuid"
 )

 // PayloadDigest represents the digest of the payload of a DSSE envelope
@ -29,6 +30,7 @@ type PayloadDigest struct {
 // Fields of the Digest.
 func (PayloadDigest) Fields() []ent.Field {
 	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
 		field.String("algorithm").NotEmpty(),
 		field.String("value").NotEmpty(),
 	}
--- a/ent/schema/signature.go
+++ b/ent/schema/signature.go
@ -20,6 +20,7 @@ import (
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
 	"entgo.io/ent/schema/index"
+	"github.com/google/uuid"
 )

 // Signature represents signatures on a DSSE envelope
@ -30,7 +31,8 @@ type Signature struct {
 // Fields of the Signature.
 func (Signature) Fields() []ent.Field {
 	return []ent.Field{
-		field.String("key_id").NotEmpty(),
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
+		field.String("key_id"),
 		field.String("signature").NotEmpty().SchemaType(map[string]string{dialect.MySQL: "text"}),
 	}
 }
--- a/ent/schema/statement.go
+++ b/ent/schema/statement.go
@ -20,6 +20,7 @@ import (
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
 	"entgo.io/ent/schema/index"
+	"github.com/google/uuid"
 )

 // Statement represents an in-toto statement from an archived dsse envelope
@ -30,6 +31,7 @@ type Statement struct {
 // Fields of the Statement.
 func (Statement) Fields() []ent.Field {
 	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
 		field.String("predicate").NotEmpty(),
 	}
 }
@ -38,6 +40,7 @@ func (Statement) Fields() []ent.Field {
 func (Statement) Edges() []ent.Edge {
 	return []ent.Edge{
 		edge.To("subjects", Subject.Type).Annotations(entgql.RelayConnection()),
+		edge.To("policy", AttestationPolicy.Type).Unique(),
 		edge.To("attestation_collections", AttestationCollection.Type).Unique(),

 		edge.From("dsse", Dsse.Type).Ref("statement"),
--- a/ent/schema/subject.go
+++ b/ent/schema/subject.go
@ -21,6 +21,7 @@ import (
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
 	"entgo.io/ent/schema/index"
+	"github.com/google/uuid"
 )

 // Subject represents subjects from an in-toto statement.
@ -31,6 +32,7 @@ type Subject struct {
 // Fields of the Subject.
 func (Subject) Fields() []ent.Field {
 	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
 		field.String("name").NotEmpty(),
 	}
 }
--- a/ent/schema/subjectdigest.go
+++ b/ent/schema/subjectdigest.go
@ -19,6 +19,7 @@ import (
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
 	"entgo.io/ent/schema/index"
+	"github.com/google/uuid"
 )

 // SubjectDigest represents the digests of a subject from an in-toto statement
@ -29,6 +30,7 @@ type SubjectDigest struct {
 // Fields of the Digest.
 func (SubjectDigest) Fields() []ent.Field {
 	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
 		field.String("algorithm").NotEmpty(),
 		field.String("value").NotEmpty(),
 	}
--- a/ent/schema/timestamp.go
+++ b/ent/schema/timestamp.go
@ -18,6 +18,7 @@ import (
 	"entgo.io/ent"
 	"entgo.io/ent/schema/edge"
 	"entgo.io/ent/schema/field"
+	"github.com/google/uuid"
 )

 type Timestamp struct {
@ -26,6 +27,7 @@ type Timestamp struct {

 func (Timestamp) Fields() []ent.Field {
 	return []ent.Field{
+		field.UUID("id", uuid.UUID{}).Default(uuid.New).Immutable().Unique(),
 		field.String("type"),
 		field.Time("timestamp"),
 	}
--- a/ent/schema/uuidgql/uuidgql.go
+++ b/ent/schema/uuidgql/uuidgql.go
@ -0,0 +1,38 @@
+// Copyright 2019-present Facebook
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package uuidgql
+
+import (
+	"fmt"
+	"io"
+	"strconv"
+
+	"github.com/99designs/gqlgen/graphql"
+	"github.com/google/uuid"
+)
+
+func MarshalUUID(u uuid.UUID) graphql.Marshaler {
+	return graphql.WriterFunc(func(w io.Writer) {
+		_, _ = io.WriteString(w, strconv.Quote(u.String()))
+	})
+}
+
+func UnmarshalUUID(v interface{}) (u uuid.UUID, err error) {
+	s, ok := v.(string)
+	if !ok {
+		return u, fmt.Errorf("invalid type %T, expect string", v)
+	}
+	return uuid.Parse(s)
+}
--- a/ent/signature.go
+++ b/ent/signature.go
@ -8,6 +8,7 @@ import (

 	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
+	"github.com/google/uuid"
 	"github.com/in-toto/archivista/ent/dsse"
 	"github.com/in-toto/archivista/ent/signature"
 )
@ -16,7 +17,7 @@ import (
 type Signature struct {
 	config `json:"-"`
 	// ID of the ent.
-	ID int `json:"id,omitempty"`
+	ID uuid.UUID `json:"id,omitempty"`
 	// KeyID holds the value of the "key_id" field.
 	KeyID string `json:"key_id,omitempty"`
 	// Signature holds the value of the "signature" field.
@ -24,7 +25,7 @@ type Signature struct {
 	// Edges holds the relations/edges for other nodes in the graph.
 	// The values are being populated by the SignatureQuery when eager-loading is set.
 	Edges           SignatureEdges `json:"edges"`
-	dsse_signatures *int
+	dsse_signatures *uuid.UUID
 	selectValues    sql.SelectValues
 }

@ -46,12 +47,10 @@ type SignatureEdges struct {
 // DsseOrErr returns the Dsse value or an error if the edge
 // was not loaded in eager-loading, or loaded but was not found.
 func (e SignatureEdges) DsseOrErr() (*Dsse, error) {
-	if e.loadedTypes[0] {
-		if e.Dsse == nil {
-			// Edge was loaded but was not found.
-			return nil, &NotFoundError{label: dsse.Label}
-		}
+	if e.Dsse != nil {
 		return e.Dsse, nil
+	} else if e.loadedTypes[0] {
+		return nil, &NotFoundError{label: dsse.Label}
 	}
 	return nil, &NotLoadedError{edge: "dsse"}
 }
@ -70,12 +69,12 @@ func (*Signature) scanValues(columns []string) ([]any, error) {
 	values := make([]any, len(columns))
 	for i := range columns {
 		switch columns[i] {
-		case signature.FieldID:
-			values[i] = new(sql.NullInt64)
 		case signature.FieldKeyID, signature.FieldSignature:
 			values[i] = new(sql.NullString)
+		case signature.FieldID:
+			values[i] = new(uuid.UUID)
 		case signature.ForeignKeys[0]: // dsse_signatures
-			values[i] = new(sql.NullInt64)
+			values[i] = &sql.NullScanner{S: new(uuid.UUID)}
 		default:
 			values[i] = new(sql.UnknownType)
 		}
@ -92,11 +91,11 @@ func (s *Signature) assignValues(columns []string, values []any) error {
 	for i := range columns {
 		switch columns[i] {
 		case signature.FieldID:
-			value, ok := values[i].(*sql.NullInt64)
-			if !ok {
-				return fmt.Errorf("unexpected type %T for field id", value)
+			if value, ok := values[i].(*uuid.UUID); !ok {
+				return fmt.Errorf("unexpected type %T for field id", values[i])
+			} else if value != nil {
+				s.ID = *value
 			}
-			s.ID = int(value.Int64)
 		case signature.FieldKeyID:
 			if value, ok := values[i].(*sql.NullString); !ok {
 				return fmt.Errorf("unexpected type %T for field key_id", values[i])
@ -110,11 +109,11 @@ func (s *Signature) assignValues(columns []string, values []any) error {
 				s.Signature = value.String
 			}
 		case signature.ForeignKeys[0]:
-			if value, ok := values[i].(*sql.NullInt64); !ok {
-				return fmt.Errorf("unexpected type %T for edge-field dsse_signatures", value)
+			if value, ok := values[i].(*sql.NullScanner); !ok {
+				return fmt.Errorf("unexpected type %T for field dsse_signatures", values[i])
 			} else if value.Valid {
-				s.dsse_signatures = new(int)
-				*s.dsse_signatures = int(value.Int64)
+				s.dsse_signatures = new(uuid.UUID)
+				*s.dsse_signatures = *value.S.(*uuid.UUID)
 			}
 		default:
 			s.selectValues.Set(columns[i], values[i])
--- a/Show More
+++ b/Show More