# Data and schemas

## Storage layers

- PostgreSQL: canonical store with schema isolation per module.
- Valkey: cache, queues, and event streams.
- RustFS: content-addressed object storage for artifacts and evidence bundles.

## Deterministic data rules

- Use canonical JSON and stable ordering.
- All timestamps are UTC ISO 8601.
- Arrays are sorted by deterministic keys where defined.

## Schema ownership

- Each module owns its PostgreSQL schema and migrations.
- Cross-schema reads are explicit and minimized.

## Typical schemas

- auth: Authority
- vuln: Concelier advisories
- vex: Excititor VEX statements
- policy: policy packs, unknowns, decisions
- scanner: scan manifests, SBOM metadata, reachability
- scheduler: schedules, runs, impact snapshots
- notify: rules, channels, deliveries

## Content-addressed layouts (example)

- layers//sbom.cdx.json.zst
- images//inventory.cdx.pb
- indexes//bom-index.bin
- attest/.dsse.json

## Aggregation-Only Contract (AOC)

- advisory_raw and vex_raw are append-only and immutable.
- Idempotency uses content hash and supersedes chains.
- Derived findings are produced only by the Policy Engine.

## Schema catalogs

- docs/schemas: JSON schemas and OpenAPI fragments.
- docs/contracts: protocol and contract definitions.
- docs/db: schema specs and migration rules.
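
How the deterministic data rules and the AOC idempotency rule fit together, as an added example that is not the project's own code. It assumes SHA-256 over a sorted-key, compact JSON encoding as the content hash (a simplification, not a full canonicalization scheme), and the field names `modified`, `affected`, `purl`, `content_hash` and `supersedes` are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumptions (hypothetical field names): which fields hold timestamps and
# which arrays have a defined sort key would come from each module's schema.
TIMESTAMP_FIELDS = ("modified",)
ARRAY_SORT_KEYS = {"affected": "purl"}

def utc_iso(ts):
    """Normalize an ISO 8601 timestamp that carries an offset to UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp without offset is ambiguous: " + ts)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def canonical_bytes(doc):
    """Sorted keys, compact separators, UTF-8; arrays sorted only where defined."""
    doc = dict(doc)  # shallow copy: the stored raw document is never modified
    for field in TIMESTAMP_FIELDS:
        if field in doc:
            doc[field] = utc_iso(doc[field])
    for field, key in ARRAY_SORT_KEYS.items():
        if field in doc:
            doc[field] = sorted(doc[field], key=lambda item: item[key])
    return json.dumps(doc, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def content_hash(doc):
    return "sha256:" + hashlib.sha256(canonical_bytes(doc)).hexdigest()

class RawStore:
    """Append-only sketch: rows are only ever appended, never updated."""
    def __init__(self):
        self.rows = []   # insertion order doubles as the audit trail
        self.seen = {}   # (upstream id, content hash) -> row
        self.head = {}   # upstream id -> hash of the latest revision

    def ingest(self, upstream_id, doc):
        h = content_hash(doc)
        if (upstream_id, h) in self.seen:   # replayed content: no-op
            return h, False
        row = {"id": upstream_id, "content_hash": h,
               "supersedes": self.head.get(upstream_id), "doc": doc}
        self.rows.append(row)
        self.seen[(upstream_id, h)] = row
        self.head[upstream_id] = h
        return h, True
```

Two documents that differ only in key order, array order or timestamp offset hash identically, so re-ingesting either is a no-op; a genuine revision appends a new row whose `supersedes` points at the previous hash.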