# Policy + Exceptions Gateway Contract (draft v0.1)

Scope: expose policy evaluation results that include exception metadata, plus simulation endpoints that accept exception overrides for what-if analysis.

## Security / headers

- `Authorization: Bearer ` (or `DPoP` where configured)
- `X-StellaOps-Tenant: ` (required)
- `X-Stella-Project: ` (optional)
- `X-Stella-Trace-Id: ` (optional; clients SHOULD send one)
- Scopes:
  - `POST /policy/effective`: `policy:read` AND `exception:read`
  - `POST /policy/simulate`: `policy:simulate` AND `exception:read`

## Endpoints

- `POST /policy/effective` — deterministic effective policy view over a list of findings.
- `POST /policy/simulate` — simulate policy result changes with exception overrides.

## Request/response notes

- Requests MUST remain deterministic: stable ordering, ISO-8601 UTC timestamps only.
- Pagination uses `limit` (max `200`) and `continuationToken` (opaque string).
- Exception metadata SHOULD reuse the Exception schema (`docs/api/console/exception-schema.md`) but MAY omit large fields like audit trails.

## Samples

- `docs/api/gateway/samples/policy-effective-sample.json`
- `docs/api/gateway/samples/policy-simulate-sample.json`
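The header, scope and request-note rules above, enforced in one admission check, as an added example (not the project's own gateway code). It assumes the caller has already resolved the token to a set of granted scopes; the sample headers and body are constructed here, not taken from the contract's sample files.

```python
import re
from typing import Any

# Scope requirements from the contract: every listed scope is required (AND).
REQUIRED_SCOPES = {
    "POST /policy/effective": {"policy:read", "exception:read"},
    "POST /policy/simulate": {"policy:simulate", "exception:read"},
}
MAX_LIMIT = 200
# Anything shaped like an ISO-8601 datetime; group 2 captures the zone designator.
ISO_DT = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$")

def _timestamp_problems(value: Any, path: str) -> list:
    """Walk the body; every datetime-shaped string must carry an explicit UTC zone."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            found += _timestamp_problems(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            found += _timestamp_problems(v, f"{path}[{i}]")
    elif isinstance(value, str):
        m = ISO_DT.match(value)
        if m and m.group(2) not in ("Z", "+00:00"):
            found.append(f"{path}: timestamp must be ISO-8601 UTC (got {value})")
    return found

def check_request(route: str, headers: dict, granted_scopes: set, body: dict) -> list:
    """Return the list of contract violations for one request (empty means accept)."""
    problems = []
    auth = headers.get("Authorization", "")
    if not (auth.startswith("Bearer ") or auth.startswith("DPoP ")):
        problems.append("Authorization: expected a Bearer or DPoP credential")
    if not headers.get("X-StellaOps-Tenant"):
        problems.append("X-StellaOps-Tenant: required header missing")
    if route not in REQUIRED_SCOPES:
        problems.append(f"route: {route} is not part of this contract")
    for scope in sorted(REQUIRED_SCOPES.get(route, set()) - set(granted_scopes)):
        problems.append(f"scope: missing {scope}")
    limit = body.get("limit", MAX_LIMIT)
    if not isinstance(limit, int) or isinstance(limit, bool) or not 1 <= limit <= MAX_LIMIT:
        problems.append(f"limit: must be an integer between 1 and {MAX_LIMIT}")
    if "continuationToken" in body and not isinstance(body["continuationToken"], str):
        problems.append("continuationToken: must be an opaque string")
    problems += _timestamp_problems(body, "body")
    return problems

# Constructed sample request: over-sized page and a non-UTC timestamp, so it is rejected.
SAMPLE_HEADERS = {"Authorization": "Bearer <token>", "X-StellaOps-Tenant": "tenant-a"}
SAMPLE_BODY = {"limit": 500, "findings": [{"id": "f-1", "observedAt": "2024-05-01T10:00:00+02:00"}]}
```

A gateway would reject the request with the full problem list rather than the first hit, which keeps the response deterministic for the same input.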