# Scanner Engine Surface FS/Env/Secrets — Draft Skeleton (2025-12-05 UTC)

Status: draft placeholder. Inputs pending: SCANNER-SURFACE-04 emit notes, Zastava/Scheduler bindings, Ops runbook hooks.

## Workflow Overview
- Surface.FS, Surface.Env, Surface.Secrets capture points.
- How Scanner orchestrates surface capture across jobs.

## Data Flow
- Scanner -> Zastava (signals/alerts pipeline).
- Scanner -> Scheduler (job orchestration, retries, back-pressure).
- Storage/retention expectations.

## Policies & Safety Rails
- Redaction rules, scope boundaries, tenant isolation.
- Determinism/offline posture considerations.

## Operations
- How to enable/disable surface capture per tenant/workspace.
- Observability: metrics, logs, traces to watch.

## Open TODOs
- Insert concrete emit schemas and example payloads when SCANNER-SURFACE-04 lands.
- Add sequencing diagrams per module dossier once available.