# Interfaces, Contracts & Schemas

Specifications covering APIs, data contracts, event envelopes, and enforcement models.

## External & Internal APIs

- [../09_API_CLI_REFERENCE.md](../../09_API_CLI_REFERENCE.md) – canonical REST and CLI surface (scan, policy, auth, health).
- [../api/policy.md](../../api/policy.md) – Policy Engine REST endpoints.
- Module APIs: see relevant module architecture docs (e.g., [../../modules/export-center/api.md](../../modules/export-center/api.md)).

## Policy & Decisioning

- [../policy/overview.md](../../policy/overview.md) – Policy Engine fundamentals.
- [../policy/dsl.md](../../policy/dsl.md) – `stella-dsl@1` grammar.
- [../policy/lifecycle.md](../../policy/lifecycle.md) – creation, promotion, approval flows.
- [../policy/runs.md](../../policy/runs.md) – execution orchestrations.
- [../policy/exception-effects.md](../../policy/exception-effects.md) – waiver semantics.
- [../policy/gateway.md](../../policy/gateway.md) – gateway service contract.
- [../60_POLICY_TEMPLATES.md](../../60_POLICY_TEMPLATES.md) – YAML/Rego samples.

## Data Schemas & Storage Contracts

- [../11_DATA_SCHEMAS.md](../../11_DATA_SCHEMAS.md) – MongoDB/Redis/document shapes.
- JSON schemas under [../schemas/](../../schemas/) – policy diff, explain trace, run request, run status, preview sample, report sample.
- [../../modules/scanner/architecture.md](../../modules/scanner/architecture.md) – SBOM cache and scan job contracts.
- [../../scanner-core-contracts.md](../../scanner-core-contracts.md) – shared scanner DTOs.

## Events & Messaging

- [../events/README.md](../../events/README.md) – event catalogue (`scanner.scan.completed@1`, `scheduler.rescan.delta@1`, etc.).
- Payload schemas in [../events/*.json](../../events/) and samples in [../events/samples/](../../events/samples/).
- [../observability/policy.md](../../observability/policy.md) and [../observability/ui-telemetry.md](../../observability/ui-telemetry.md) – telemetry event guidance.

## Ingestion & Evidence Contracts

- [../ingestion/aggregation-only-contract.md](../../ingestion/aggregation-only-contract.md) – Aggregation-Only Contract reference.
- [../aoc/aoc-guardrails.md](../../aoc/aoc-guardrails.md) – guardrails checklist.
- [../advisories/aggregation.md](../../advisories/aggregation.md) – advisory observation schema.
- [../vex/aggregation.md](../../vex/aggregation.md) – VEX observation schema.
- [../../modules/concelier/operations/connectors/](../../modules/concelier/operations/connectors/) – connector-specific payload notes.

## Identity, Quota & Licence Enforcement

- [../license-jwt-quota.md](../../license-jwt-quota.md) – offline quota token design.
- [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) – enforcement sequence diagram.
- [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – free tier policy.
- [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) and [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – pair with [../29_LEGAL_FAQ_QUOTA.md](../../29_LEGAL_FAQ_QUOTA.md) for legal framing.
- [../../modules/authority/architecture.md](../../modules/authority/architecture.md) – OpTok issuance & validation contracts.
- [../../modules/registry/architecture.md](../../modules/registry/architecture.md) – token service scope and audit requirements.

## Transparency & Attestation

- [../../modules/attestor/architecture.md](../../modules/attestor/architecture.md) – DSSE/Rekor bundle contracts.
- [../../modules/signer/architecture.md](../../modules/signer/architecture.md) – signing workflow contracts.
- [../../modules/export-center/provenance-and-signing.md](../../modules/export-center/provenance-and-signing.md) – export bundle evidence artefacts.