# Surface FS Pointer Contract (Draft) — PREP-SCHED-SURFACE-01

Status: Draft (2025-11-20)
Owners: Scheduler Worker Guild
Scope: Define pointer model for Surface FS to unblock scheduler worker planning.

## Pointer model

- Identifier: `surfacefs:////`.
- Fields:
  - `tenant_id`
  - `dataset` (e.g., `sbom`, `findings`, `reachability`)
  - `version` (content hash or monotonic version)
  - `storage_uri` (unset/relative in sealed mode; content-addressed path recommended)
  - `created_at` (RFC3339 UTC)
- Deterministic JSON serialization with sorted keys.

## Scheduler usage

- Workers receive pointer in job payload; pointer is immutable per job.
- Cache key = `surface_fs_pointer`.
- Validation: ensure `dataset` is allowlisted; reject untrusted `storage_uri` when sealed mode is on.

## Open decisions

- Final allowlist of datasets.
- Whether inline `storage_uri` is permitted under sealed mode or requires local mirror resolution.

## Handoff

Use this doc as the PREP artefact for PREP-SCHED-SURFACE-01; update once datasets and sealed-mode rule are agreed.
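
The validation and serialization rules from the pointer model and scheduler usage sections, as an added Python example (not part of this draft or the project's code). It assumes the draft's three example datasets as the allowlist, string-valued fields, and that sealed mode accepts only an unset or relative `storage_uri`; `validate_pointer` and `PointerError` are hypothetical names.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: the draft's example datasets stand in for the undecided allowlist.
ALLOWED_DATASETS = frozenset({"sbom", "findings", "reachability"})
# Assumption: every field is carried as a JSON string.
REQUIRED = ("tenant_id", "dataset", "version", "created_at")
FIELDS = REQUIRED + ("storage_uri",)

class PointerError(ValueError):
    """Raised when a Surface FS pointer fails validation."""

def _check_created_at(value):
    # RFC3339 UTC: accept a trailing "Z" or an explicit zero offset.
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        raise PointerError("created_at is not an RFC3339 timestamp")
    if parsed.utcoffset() != timedelta(0):
        raise PointerError("created_at must be UTC")

def _check_sealed_uri(uri):
    # Assumption: in sealed mode "untrusted" means anything that is not a
    # relative path staying below the local root.
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc or uri.startswith(("/", "\\")):
        raise PointerError("storage_uri must be unset or relative in sealed mode")
    if ".." in uri.replace("\\", "/").split("/"):
        raise PointerError("storage_uri escapes the local root")

def validate_pointer(raw_json, sealed):
    """Validate a job-payload pointer and return its canonical serialization."""
    ptr = json.loads(raw_json)
    if not isinstance(ptr, dict):
        raise PointerError("pointer must be a JSON object")
    bad = [k for k in ptr if k not in FIELDS or not isinstance(ptr[k], str)]
    missing = [k for k in REQUIRED if not ptr.get(k)]
    if bad or missing:
        raise PointerError(f"bad={sorted(bad)} missing={missing}")
    if ptr["dataset"] not in ALLOWED_DATASETS:
        raise PointerError("dataset is not allowlisted")
    _check_created_at(ptr["created_at"])
    uri = ptr.get("storage_uri")
    if sealed and uri:
        _check_sealed_uri(uri)
    # Sorted keys and fixed separators give one byte string per pointer.
    return json.dumps(ptr, sort_keys=True, separators=(",", ":"))
```

Because the returned string is identical for any key order in the incoming payload, it is safe to compare or hash when workers need to tell whether two jobs reference the same pointer.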