Interfaces, Contracts & Schemas

Specifications covering APIs, data contracts, event envelopes, and enforcement models.

External & Internal APIs

• …/09_API_CLI_REFERENCE.md – canonical REST and CLI surface (scan, policy, auth, health).
• …/api/policy.md – Policy Engine REST endpoints.
• Module APIs: see relevant module architecture docs (e.g., …/…/modules/export-center/api.md).

Policy & Decisioning

• …/policy/overview.md – Policy Engine fundamentals.
• …/policy/dsl.md – stella-dsl@1 grammar.
• …/policy/lifecycle.md – creation, promotion, approval flows.
• …/policy/runs.md – execution orchestrations.
• …/policy/exception-effects.md – waiver semantics.
• …/policy/gateway.md – gateway service contract.
• …/60_POLICY_TEMPLATES.md – YAML/Rego samples.

Data Schemas & Storage Contracts

• …/11_DATA_SCHEMAS.md – MongoDB/Redis/document shapes.
• JSON schemas under …/schemas/ – policy diff, explain trace, run request, run status, preview sample, report sample.
• …/…/modules/scanner/architecture.md – SBOM cache and scan job contracts.
• …/…/scanner-core-contracts.md – shared scanner DTOs.

Events & Messaging

• …/events/README.md – event catalogue (scanner.scan.completed@1, scheduler.rescan.delta@1, etc.).
• Payload schemas in …/events/*.json and samples in …/events/samples/.
• …/observability/policy.md and …/observability/ui-telemetry.md – telemetry event guidance.

Ingestion & Evidence Contracts

• …/ingestion/aggregation-only-contract.md – Aggregation-Only Contract reference.
• …/aoc/aoc-guardrails.md – guardrails checklist.
• …/advisories/aggregation.md – advisory observation schema.
• …/vex/aggregation.md – VEX observation schema.
• …/…/modules/concelier/operations/connectors/ – connector-specific payload notes.

Identity, Quota & Licence Enforcement

• …/license-jwt-quota.md – offline quota token design.
• …/30_QUOTA_ENFORCEMENT_FLOW1.md – enforcement sequence diagram.
• …/33_333_QUOTA_OVERVIEW.md – free tier policy.
• …/30_QUOTA_ENFORCEMENT_FLOW1.md and …/33_333_QUOTA_OVERVIEW.md – pair with …/29_LEGAL_FAQ_QUOTA.md for legal framing.
• …/…/modules/authority/architecture.md – OpTok issuance & validation contracts.
• …/…/modules/registry/architecture.md – token service scope and audit requirements.

Transparency & Attestation

• …/…/modules/attestor/architecture.md – DSSE/Rekor bundle contracts.
• …/…/modules/signer/architecture.md – signing workflow contracts.
• …/…/modules/export-center/provenance-and-signing.md – export bundle evidence artefacts.