# AOC guardrails

AOC guardrails enforce deterministic, policy-neutral ingestion in Concelier and Excititor. Ingestion writes raw facts only and never computes precedence, severity, or policy hints.

## Guardrail rules

- Ingestion writes immutable observations and linksets only.
- Derived semantics belong to Policy Engine and downstream views.
- Provenance metadata is mandatory for every ingested record.
- Outputs must be deterministic for identical inputs.
- CI and analyzers should fail builds that violate these rules.

## Guard library (StellaOps.Aoc)

- IAocGuard validates payloads and returns structured violations.
- AocGuardOptions toggles signature and tenant requirements.
- AocError carries machine-readable error codes for APIs and CLI.
- AspNetCore filters enforce guardrails on Minimal API endpoints.

## Allowed fields and validation

- Top-level allowlist enforces schema boundaries.
- Required fields are configurable for staged schema changes.
- Unknown fields produce ERR_AOC violations.

## Usage guidance

- Register the guard in ingestion services before repositories.
- Validate payloads before any persistence.
- Use RFC 7807 problem responses for consistent errors.

## Related references

- docs/aoc/aoc-guardrails.md
- docs/aoc/guard-library.md
- docs/ingestion/aggregation-only-contract.md
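
An added sketch of the allowlist and required-field checks described under "Allowed fields and validation", not code from StellaOps.Aoc. The `Sketch*` types, the field names, and the violation messages are assumptions, since this page does not show the real `IAocGuard` or `AocGuardOptions` signatures or the schema; only the tenant toggle is modelled.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Constructed payload: "severity" is a derived field ingestion must not write; "provenance" is absent.
const string payload = "{\"tenant\":\"t1\",\"source\":{},\"content\":{},\"severity\":\"high\"}";
using var parsed = JsonDocument.Parse(payload);
foreach (var v in SketchGuard.Validate(parsed.RootElement, new SketchGuardOptions()))
    Console.WriteLine($"{v.Code} {v.Path}: {v.Message}");

// Hypothetical stand-ins for the library's violation and options types.
public sealed record SketchViolation(string Code, string Path, string Message);

public sealed class SketchGuardOptions
{
    // Assumed field names, chosen for illustration only.
    public ISet<string> AllowedTopLevel { get; init; } =
        new HashSet<string>(StringComparer.Ordinal) { "tenant", "source", "provenance", "content", "linkset" };
    public ISet<string> RequiredTopLevel { get; init; } =
        new HashSet<string>(StringComparer.Ordinal) { "source", "provenance", "content" };
    public bool RequireTenant { get; init; } = true;
}

public static class SketchGuard
{
    public static IReadOnlyList<SketchViolation> Validate(JsonElement root, SketchGuardOptions opt)
    {
        if (root.ValueKind != JsonValueKind.Object)
            return new[] { new SketchViolation("ERR_AOC", "/", "payload must be a JSON object") };

        var found = new List<SketchViolation>();
        var present = new HashSet<string>(StringComparer.Ordinal);
        foreach (var prop in root.EnumerateObject())
        {
            present.Add(prop.Name);
            if (!opt.AllowedTopLevel.Contains(prop.Name))
                found.Add(new SketchViolation("ERR_AOC", "/" + prop.Name, "field not in top-level allowlist"));
        }
        var required = new HashSet<string>(opt.RequiredTopLevel, StringComparer.Ordinal);
        if (opt.RequireTenant) required.Add("tenant");
        foreach (var name in required.Where(n => !present.Contains(n)))
            found.Add(new SketchViolation("ERR_AOC", "/" + name, "required field missing"));

        // Ordinal sort: the result does not depend on property order or culture.
        return found.OrderBy(v => v.Path, StringComparer.Ordinal)
                    .ThenBy(v => v.Message, StringComparer.Ordinal).ToList();
    }
}
```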