diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d23e81..969f247 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,73 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0] — 2026-05-14
+
+### Added
+- **YAML interpreter mechanism (v0.4.0).** The notifier now reads small
+  YAML files that teach it how to interpret labels written by
+  third-party tools (Traefik, Dockflare, ...) and forward them to STD
+  as structured exposure observations on a new
+  `exposure_observations` field. Two interpreters ship baked into the
+  image (`traefik.yml`, `dockflare.yml`) and fire automatically for
+  any container reported to STD — no opt-in label required. Operators
+  who want to extend or override the built-ins mount a directory of
+  their own YAMLs at `/app/interpreters/user/`; a user file whose
+  `name:` matches a builtin overrides the builtin. Bad YAMLs log a
+  warning and are skipped; the notifier continues with whatever
+  loaded successfully. A new `docs/community-interpreters/` directory
+  holds contributed reference YAMLs (PRs welcome — they are examples,
+  not curated products). Full format reference is in `docs/PRD.md`
+  §11. **Requires STD v0.6.0 or later**; earlier STD versions reject
+  the unknown `exposure_observations` key.
+- Debug-only env var `INTERPRETER_RELOAD_ON_EACH_EVENT`. When truthy,
+  re-reads the YAML interpreter directories on every dispatch instead
+  of once at startup. For iterating on a YAML; not for production
+  use.
+- New env var `STD_REPORT_ALL_CONTAINERS`. When set to a truthy value
+  (`true`, `1`, `yes` — case-insensitive), the notifier reports every
+  running container on the host to STD, regardless of whether the
+  container has the `dockernotifier.notifiers=service-tracker-dashboard`
+  opt-in label. Default off — existing per-container opt-in behavior
+  is unchanged for operators who don't set the variable. **Only STD
+  dispatch is affected**: the DNS notifier still requires explicit
+  per-container opt-in via labels, because DNS records are an external
+  side effect that shouldn't fire for containers that didn't ask.
+  Unrecognized values (e.g. `maybe`) log a warning at startup and are
+  treated as off. The wire payload to STD is identical whether the
+  trigger came from a label or from this env var.
+- STD payloads now include `networks`, `exposed_ports`, and
+  `published_ports` read directly from the Docker API. `networks` is a
+  list of `{"name", "aliases"}` objects, one per Docker network the
+  container is on. `exposed_ports` is a list of `"<port>/<proto>"`
+  strings from the container's `ExposedPorts` config. `published_ports`
+  is a list of `{"container_port", "protocol", "host_ip", "host_port"}`
+  objects, one per port binding. Empty values are emitted as explicit
+  empty lists so STD can distinguish "nothing to report" from "not yet
+  reported". No new env vars or labels — capture is automatic for every
+  container reported to STD. **Requires STD v0.6.0 or later**; STD
+  v0.5.x's strict validator will reject payloads carrying these keys.
+
+### Changed
+- **Design principles softened (v0.4.0).** Previously, PRD §1.3 stated
+  "no state" and "all configuration is via environment variables.
+  There is no config file." Both are now narrower. The notifier still
+  holds no per-event state and still has no central config file, but
+  it now loads YAML interpreter files at startup. Operators upgrading
+  from v0.3.x do not need to take any action — the YAML loader works
+  out of the box with the two baked-in interpreters, and the
+  filesystem footprint is fully contained inside the notifier
+  container.
+
+### Fixed
+- Docker event loop no longer logs `Failed to handle <action> event for
+  None: Resource ID was not provided` errors. The container ID is now
+  read from `event["Actor"]["ID"]` (newer Docker daemons no longer
+  populate the legacy top-level `id` field), non-container events
+  (network/volume/service) are filtered out before lookup, and the
+  expected `NotFound` raised when querying an already-removed container
+  on a `destroy` event is swallowed silently.
+
 ---
 
 ## [0.3.0] — 2026-05-12
@@ -101,7 +168,8 @@ Released.
 
 Initial public release.
 
-[Unreleased]: https://github.com/crzykidd/docker-api-notifier/compare/v0.3.0...HEAD
+[Unreleased]: https://github.com/crzykidd/docker-api-notifier/compare/v0.4.0...HEAD
+[0.4.0]: https://github.com/crzykidd/docker-api-notifier/releases/tag/v0.4.0
 [0.3.0]: https://github.com/crzykidd/docker-api-notifier/releases/tag/v0.3.0
 [0.2.3]: https://github.com/crzykidd/docker-api-notifier/releases/tag/v0.2.3
 [0.2.2]: https://github.com/crzykidd/docker-api-notifier/releases/tag/v0.2.2
diff --git a/Dockerfile b/Dockerfile
index 791153c..7ab4ee8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,6 +3,7 @@ FROM python:3.11-slim
 WORKDIR /app
 
 COPY . /app
-RUN pip install --no-cache-dir -r requirements.txt
+RUN pip install --no-cache-dir -r requirements.txt \
+    && mkdir -p /app/interpreters/user
 ENV PYTHONUNBUFFERED=1
 CMD ["python", "main.py"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 91a96bf..f4a531c 100644
--- a/README.md
+++ b/README.md
@@ -26,9 +26,10 @@ every Docker host without it touching things you didn't ask it to touch.
 1. [What It Does](#what-it-does)
 2. [Environment Variables](#environment-variables)
 3. [Container Labels](#container-labels)
-4. [Docker Compose Example](#docker-compose-example)
-5. [How It Works](#how-it-works)
-6. [Building Locally](#building-locally)
+4. [Interpreters](#interpreters)
+5. [Docker Compose Example](#docker-compose-example)
+6. [How It Works](#how-it-works)
+7. [Building Locally](#building-locally)
 
 ---
 
@@ -80,11 +81,19 @@ notifier targets can be added without touching the core event loop.
 > notifier posts to STD's `/api/v1/register` endpoint using STD's
 > canonical schema. Earlier STD versions do not expose that endpoint
 > and will return 404.
-
-| Variable          | Required | Description |
-|-------------------|----------|-------------|
-| `STD_URL`         | Yes (for STD) | Base URL of the STD instance, e.g. `http://std.example.com:8815`. |
-| `STD_API_TOKEN`   | Yes (for STD) | Bearer token configured on the STD side. |
+>
+> **Notifier v0.4.0 requires STD v0.6.0 or later.** Starting in v0.4.0
+> the notifier emits `networks`, `exposed_ports`, `published_ports`,
+> and `exposure_observations` on every STD payload. STD v0.5.x's
+> strict pydantic validator rejects unknown keys and will return 422
+> for these payloads — upgrade STD first.
+
+| Variable                     | Required | Default | Description |
+|------------------------------|----------|---------|-------------|
+| `STD_URL`                    | Yes (for STD) | —       | Base URL of the STD instance, e.g. `http://std.example.com:8815`. |
+| `STD_API_TOKEN`              | Yes (for STD) | —       | Bearer token configured on the STD side. |
+| `STD_REPORT_ALL_CONTAINERS`  | No       | `false` | When truthy (`true`, `1`, `yes` — case-insensitive), report **every running container on this host** to STD regardless of whether it has the `dockernotifier.notifiers=service-tracker-dashboard` opt-in label. Default off preserves per-container opt-in behavior. **Only affects STD** — the DNS notifier still requires explicit per-container opt-in via labels. Unrecognized values log a warning at startup and are treated as off. |
+| `INTERPRETER_RELOAD_ON_EACH_EVENT` | No       | `false` | Debug-only. When truthy, re-reads YAML interpreters from disk on every dispatch instead of once at startup. Use while iterating on a new YAML; do not leave on in production. |
 
 If a notifier's required env vars are missing, that notifier silently
 no-ops — the container won't fail to start. This is intentional so you
@@ -138,6 +147,79 @@ applies its own defaults for anything you don't.
 > coercion happens at the same boundary, so the values STD receives
 > are actual `bool`/`int` rather than strings.
 
+> **Network and port data.** As of notifier v0.4.0, every STD payload
+> also carries `networks`, `exposed_ports`, and `published_ports`
+> read straight from the Docker API. No new labels or env vars are
+> required to enable this — it is automatic for every container
+> reported to STD. Requires STD v0.6.0+.
+
+---
+
+## Interpreters
+
+> **New in v0.4.0. Requires STD v0.6.0 or later.** STD v0.5.x's strict
+> validator will reject payloads carrying `exposure_observations`.
+
+Interpreters are small YAML files that teach the notifier how to read
+labels written by third-party tools (Traefik, Dockflare, Caddy, ...)
+and forward them to STD as structured **exposure observations**. The
+goal is to stop operators from having to duplicate hostnames into
+`dockernotifier.std.internalurl` when the same fact is already
+encoded in their Traefik/Dockflare labels.
+
+### What ships built in
+
+Two interpreters live inside the container image at
+`/app/interpreters/builtin/`:
+
+- `traefik.yml` — reads `traefik.http.routers.<router>.rule`
+  (hostname), `.tls`, and `.entrypoints`. Emits one observation per
+  router on the container.
+- `dockflare.yml` — fires when `dockflare.enable=true`; reads
+  `dockflare.hostname` and optional Access policy labels. Emits a
+  single observation with `tls: true` (Cloudflare Tunnel implies
+  HTTPS).
+
+Both fire automatically for any container reported to STD. There is
+no opt-in label — if the labels are there, the interpreter reads
+them.
+
+### Adding your own
+
+Mount a directory of YAML files into the container at
+`/app/interpreters/user/`:
+
+```yaml
+volumes:
+  - ./my-interpreters:/app/interpreters/user:ro
+```
+
+User files load alongside builtins. A user file whose `name:` matches
+a builtin **overrides** the builtin — drop in a tweaked `traefik.yml`
+without rebuilding the image.
+
+### Format
+
+Every interpreter has three sections: `match` (which containers
+fire), `extract` (which labels to read), `emit` (what to send to
+STD). See [`docs/PRD.md` §11](docs/PRD.md) for the full reference,
+or `docs/community-interpreters/template.yml` for an annotated
+skeleton.
+
+### Community reference
+
+`docs/community-interpreters/` collects contributed YAMLs for tools
+the maintainer doesn't necessarily run. Examples there may or may
+not match your environment — read before mounting. PRs welcome.
+
+### Empty list vs. absent on the wire
+
+The notifier sends `exposure_observations` as a list when any
+interpreter is loaded, even if no interpreter matched (empty list
+tells STD to clear existing exposure rows for the container). If no
+interpreters are loaded at all, the field is omitted, which STD
+treats as "no update" — existing exposure rows are preserved.
+
 ---
 
 ## Docker Compose Example
@@ -159,6 +241,8 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - /etc/hostname:/etc/host_hostname:ro
       - /var/docker/docker-api-notifier:/config
+      # Optional — drop your own interpreter YAMLs in here.
+      # - /etc/docker-api-notifier/interpreters:/app/interpreters/user:ro
     restart: unless-stopped
 ```
 
@@ -170,6 +254,9 @@ Volumes:
   notifier reports the **host's** hostname, not the container's, when
   posting to downstream notifiers.
 - `/config` — log file lives here (`notifier.log`, rotated at 10 MB).
+- `/app/interpreters/user` — optional. Mount a directory of operator
+  YAMLs here to extend or override the built-in interpreters
+  (Traefik, Dockflare). See [Interpreters](#interpreters) above.
 
 ---
 
diff --git a/docs/PRD.md b/docs/PRD.md
index 3bdbee6..3384dba 100644
--- a/docs/PRD.md
+++ b/docs/PRD.md
@@ -9,6 +9,9 @@
 | Version | Date       | Changes |
 |---------|------------|---------|
 | 0.1     | 2026-05-10 | Initial PRD. Documents current shipped behavior at v0.2.3 and the planned v0.3.0 cleanup. |
+| 0.2     | 2026-05-13 | v0.3.1 — STD reporting opt-out mode via `STD_REPORT_ALL_CONTAINERS` env var. §1.3 softened to reflect per-host opt-out scope. |
+| 0.3     | 2026-05-13 | v0.3.2 — capture container network membership and port information from the Docker API and forward to STD. §3.3 base kwargs contract grows three rows (`networks`, `exposed_ports`, `published_ports`). |
+| 0.4     | 2026-05-14 | v0.4.0 — YAML interpreter mechanism, STD opt-out env var (`STD_REPORT_ALL_CONTAINERS`), network/ports capture, and design-principle softening. Originally planned as v0.3.1 / v0.3.2 / v0.4.0; consolidated into a single v0.4.0 release. §1.3 softens "no state" and "env vars only" to reflect YAML configuration. §3 architecture grows an interpreter component. §4 documents the interpreter loader paths and volume-mount convention. §11 fully documents the YAML format and wire emission. |
 
 ---
 
@@ -18,11 +21,13 @@
 2. [Scope](#2-scope)
 3. [Architecture](#3-architecture)
 4. [Configuration Model](#4-configuration-model)
-5. [Current State (v0.2.3)](#5-current-state-v023)
+5. [Current State (v0.4.0)](#5-current-state-v040)
 6. [v0.3.0 — Cleanup Release](#6-v030--cleanup-release)
-7. [Versioning, Branches, and Releases](#7-versioning-branches-and-releases)
-8. [Cross-Repo Coordination](#8-cross-repo-coordination)
-9. [Open Questions](#9-open-questions)
+7. [Delivered in v0.4.0](#7-delivered-in-v040)
+8. [Versioning, Branches, and Releases](#8-versioning-branches-and-releases)
+9. [Cross-Repo Coordination](#9-cross-repo-coordination)
+10. [Open Questions](#10-open-questions)
+11. [YAML Interpreter Format Reference](#11-yaml-interpreter-format-reference)
 
 ---
 
@@ -44,17 +49,35 @@ systems so they stay in sync with reality without a human in the loop.
   container wants.
 - Fan out to one or more notifier modules (DNS, dashboard, future).
 
-The notifier deliberately holds no state. Each event is processed
-independently against current container metadata.
+The notifier deliberately holds no per-event runtime state. Each
+event is processed independently against current container metadata.
+The only on-disk inputs are YAML interpreter files loaded once at
+startup (see §1.3 and §11).
 
 ### 1.3 Design principles
 
-- **Opt-in per container.** No labels means no notification. Run safely
-  alongside containers that don't know or care about this notifier.
+- **Opt-in per container by default.** No labels means no notification —
+  run safely alongside containers that don't know or care about this
+  notifier. STD reporting can be flipped to opt-out on a per-host basis
+  via the `STD_REPORT_ALL_CONTAINERS` env var (see §7.2); other notifier
+  targets remain per-container opt-in regardless, because they create
+  external side effects (DNS records, etc.) that should not fire for
+  containers that didn't ask.
 - **Independent notifier modules.** Each downstream system is its own
   module under `notifiers/` with its own auth, retry, and payload shape.
-- **No state.** No database, no cache, no queue. Everything is derived
-  from the live Docker socket plus environment variables.
+- **No runtime state.** No database, no cache, no queue. Per-event work
+  is derived from the live Docker socket. As of v0.4.0 the notifier
+  does load YAML interpreter files at startup (see §11) — this is
+  configuration, not per-event memory, and it is read once into a
+  module-level structure that does not change as events flow through.
+  The "no per-event state" half of the principle still holds.
+- **Configuration via env vars and labels, plus YAML for interpreters.**
+  Through v0.3.x, env vars and container labels were the only inputs.
+  v0.4.0 adds optional YAML interpreter files mounted into the
+  container; they exist because expressing match/extract logic for
+  third-party label schemes (Traefik, Dockflare, ...) as Python forks
+  is heavier than necessary. See §4 for the loader layout and §11 for
+  the full format.
 - **One instance per host.** Multi-host coordination is out of scope.
 
 ---
@@ -101,6 +124,10 @@ independently against current container metadata.
 │  │   ├─ event subscription│    │
 │  │   └─ periodic re-scan  │    │
 │  │                        │    │
+│  │   interpreter_loader   │    │
+│  │   ├─ builtin YAMLs     │    │
+│  │   └─ user YAMLs (mount)│    │
+│  │                        │    │
 │  │   notifiers/           │    │
 │  │   ├─ technitium_dns    │    │
 │  │   └─ service_tracker_  │    │
@@ -122,6 +149,12 @@ independently against current container metadata.
 - **Common concerns** that should live outside individual notifier
   modules: logging configuration, retry helpers, label-to-payload
   mapping. (Today these are partially duplicated; see §5.)
+- **`interpreter_loader.py`** — loads and evaluates the YAML
+  interpreters introduced in v0.4.0. Runs once at startup to load
+  YAMLs from `/app/interpreters/builtin/` and `/app/interpreters/user/`
+  into a module-level structure; runs once per dispatch event to
+  produce the list of `ExposureObservation` dicts forwarded to STD as
+  `exposure_observations`. See §11 for the full design.
 
 ### 3.2 Event flow
 
@@ -177,6 +210,15 @@ arguments guaranteed present:
 | `stack_name` | Optional[str] | `com.docker.compose.project` label or `None` |
 | `started_at` | str | ISO timestamp from container state |
 | `action` | str | The action that triggered this call (e.g. "start", "boot", "refresh") |
+| `networks` | list[dict] | One entry per Docker network the container is on: `{"name": str, "aliases": [str, ...]}`. Empty list if the container is on no networks. Added in v0.4.0. |
+| `exposed_ports` | list[str] | Container's `ExposedPorts` config as a list of `"<port>/<proto>"` strings (e.g. `"5173/tcp"`). Empty list if none. Added in v0.4.0. |
+| `published_ports` | list[dict] | One entry per `(container_port, host_port)` mapping: `{"container_port": int, "protocol": str, "host_ip": str, "host_port": int}`. Empty list if no published ports. Added in v0.4.0. |
+
+The last three (`networks`, `exposed_ports`, `published_ports`) live
+in `base_kwargs` because they are inherent container facts read off
+the Docker API, not per-target extras derived from labels. STD is
+the only consumer today; other notifiers receive them via
+`**kwargs` and may ignore them.
 
 Modules may additionally receive notifier-specific extras (typically
 from stripped label namespaces). A module reading any extra should
@@ -219,32 +261,71 @@ A reference implementation lives at `notifiers/_template.py`.
 
 ## 4. Configuration Model
 
-All configuration is via environment variables. There is no config file.
+Most configuration is via environment variables and container labels.
+Through v0.3.x there was no config file at all. As of v0.4.0 there is
+one narrow exception: **YAML interpreter files** loaded from two
+on-disk paths inside the container.
 
-Two reasons:
+Two reasons env vars + labels remain the default:
 
 1. The notifier is meant to be one-line-deployable on every host. A
-   shared config file would be one more thing to template and sync.
+   shared config file for general behavior would be one more thing to
+   template and sync.
 2. Per-container behavior comes from labels on those containers, which
    is the right place for it — the people writing the compose files
    know what they want.
 
 Environment variables are documented in the `README.md`.
 
+### 4.1 Interpreter YAML loader (v0.4.0+)
+
+The notifier reads YAML files from two paths at startup:
+
+- `/app/interpreters/builtin/` — baked into the container image. Ships
+  `traefik.yml` and `dockflare.yml`.
+- `/app/interpreters/user/` — empty by default; operators mount their
+  own YAMLs here:
+
+  ```yaml
+  volumes:
+    - ./my-interpreters:/app/interpreters/user:ro
+  ```
+
+A user file whose `name:` matches a builtin **overrides** the builtin
+(useful for tweaking the shipped Traefik/Dockflare logic without
+forking). Files that fail to parse or validate are logged at warning
+level and skipped; the notifier continues with whatever loaded
+successfully.
+
+The set of loaded interpreters is read once at startup into a
+module-level structure. No reload-on-change. The debug-only
+`INTERPRETER_RELOAD_ON_EACH_EVENT` env var bypasses the cache and
+reloads on every dispatch — useful when iterating on a YAML, not
+intended for production.
+
+See §11 for the YAML format and emission semantics.
+
 ---
 
-## 5. Current State (v0.2.3)
+## 5. Current State (v0.4.0)
 
-Tags shipped on `main`: v0.1.0 → v0.2.3.
+Tags shipped on `main`: v0.1.0 → v0.4.0. v0.3.0 (2026-05-12) resolved
+every issue listed in §5.2 below. v0.4.0 (2026-05-14) shipped the
+work originally scoped across three separate releases
+(v0.3.1 / v0.3.2 / v0.4.0); the consolidation is summarized in §7.
 
 ### 5.1 What works today
 
 - Docker event subscription with a fixed action whitelist.
 - Boot-time full scan.
 - Periodic re-scan thread.
-- DNS notifier with no retry, requests-based, fire-and-forget.
+- DNS notifier with retry, requests-based, raises on HTTP 4xx/5xx.
 - STD notifier with `tenacity`-backed retry, bearer-token auth.
 - Label-driven notifier opt-in via `dockernotifier.notifiers`.
+- Per-host STD opt-out via `STD_REPORT_ALL_CONTAINERS` (see §7.2).
+- Network and port capture forwarded to STD on every payload (see §7.3).
+- YAML-driven interpreter layer producing `exposure_observations` for
+  STD (see §7.4 for the v0.4.0 summary, §11 for the format reference).
 - Per-notifier label namespaces (`dockernotifier.dns.*`,
   `dockernotifier.std.*`).
 
@@ -308,11 +389,235 @@ window.
   these easier later, but none ship in v0.3.0.
 - Multi-host coordination.
 - A config file. Env vars + labels remain the only inputs.
-- Test suite. Worth doing eventually (see §9), not in v0.3.0.
+- Test suite. Worth doing eventually (see §10), not in v0.3.0.
+
+---
+
+## 7. Delivered in v0.4.0
+
+Originally planned as three separate releases — v0.3.1
+(STD opt-out env var), v0.3.2 (network & port capture), and v0.4.0
+(YAML interpreter mechanism) — consolidated into a single v0.4.0
+release. The full operator-facing changelog lives in `CHANGELOG.md`;
+this section captures the design intent and scope decisions for each
+piece so they remain part of the PRD record.
+
+The whole bundle is **paired with STD v0.6.0**, which adds the
+consumer side: it accepts `networks`, `exposed_ports`,
+`published_ports`, and `exposure_observations` on `/api/v1/register`
+and ships the synthesizer that turns observations into rendered
+exposure rows. STD v0.5.x's strict pydantic validator rejects all
+four keys, so operators must upgrade STD before the notifier.
+
+### 7.1 Design principle reconciliation
+
+This release deliberately softens principles previously stated in
+§1.3:
+
+- "No state." → "No runtime state." Configuration is now loaded from
+  YAML at startup. Per-event state still does not exist.
+- "All configuration is via environment variables." → no longer
+  literally true. Env vars + labels remain the default, with a narrow
+  exception for interpreter YAMLs.
+- "Opt-in per container." → still the default, but STD reporting can
+  be flipped to per-host opt-out via `STD_REPORT_ALL_CONTAINERS`. DNS
+  and other side-effect notifiers remain per-container opt-in.
+
+§1.3 has been updated to reflect all three softenings.
+
+### 7.2 STD reporting opt-out mode (`STD_REPORT_ALL_CONTAINERS`)
+
+A single env var flips STD reporting from per-container opt-in to
+per-host opt-out.
+
+- **STD only.** The env var affects only the STD notifier dispatch.
+  The DNS notifier (and any future notifier that creates external
+  side effects) continues to require explicit per-container opt-in
+  via `dockernotifier.notifiers=...`.
+- **Per-host, not per-container.** The env var is read once at
+  startup on each notifier instance. There is intentionally no
+  per-container override label — that would defeat the purpose.
+- **Running containers only.** Behavior matches existing dispatch:
+  the boot pass and periodic refresh loop iterate
+  `client.containers.list()`. Stopped containers are not retroactively
+  reported.
+- Truthy values: `true`, `1`, `yes` (case-insensitive). Anything
+  else (including unrecognized strings like `maybe`) is treated as
+  off; unrecognized values log a single warning at startup.
+- When on, every running container on the host is reported to STD
+  on boot, on watched Docker events, and on each periodic refresh
+  tick — regardless of whether the container's
+  `dockernotifier.notifiers` label includes
+  `service-tracker-dashboard` (or even exists at all).
+- `dockernotifier.std.*` labels on individual containers are still
+  honored. Containers without those labels are reported with the
+  minimum information available; STD's wire contract makes most
+  fields optional and applies its own defaults.
+- A container with `dockernotifier.notifiers=dns` only (no STD
+  opt-in) AND the env var set: STD fires (env-var path) **and** DNS
+  fires (label path). The env var adds STD; it does not subtract
+  anything.
+- Wire contract unchanged. STD receives identical
+  `/api/v1/register` payloads regardless of whether the trigger came
+  from a label or from the env var.
+
+Out of scope: per-container opt-out (a label like
+`dockernotifier.std.skip=true` to suppress reporting even when the
+env var is set), changing DNS opt-in semantics, reporting
+non-running containers.
+
+### 7.3 Network & port capture
+
+Container network membership and port information are read directly
+from the Docker API and forwarded to STD as canonical fields, so
+STD's UI can render badges/links without re-reading the Docker
+socket itself. Pure capture — no interpretation, no derived
+semantics.
+
+Captured fields (added to the base kwargs contract; see §3.3 table):
+
+- `networks` — list of `{"name": str, "aliases": [str, ...]}`. One
+  entry per Docker network the container is on. Read from
+  `container.attrs["NetworkSettings"]["Networks"]`. Aliases is an
+  empty list (not null) when a network has no aliases.
+- `exposed_ports` — list of `"<port>/<proto>"` strings. Read from
+  `container.attrs["Config"]["ExposedPorts"]`. Just the keys.
+- `published_ports` — list of `{"container_port": int, "protocol":
+  str, "host_ip": str, "host_port": int}`. One entry per
+  `(container_port, host_port)` binding. Read from
+  `container.attrs["NetworkSettings"]["Ports"]`. Entries with a null
+  binding list (exposed-but-not-published) are skipped.
+
+Coercion at the boundary:
+
+- `host_port` arrives from Docker as a string (`"5173"`); coerced
+  to `int`.
+- `container_port` is parsed from the `"<port>/<proto>"` key and
+  cast to `int`.
+- `protocol` is the string after the slash (typically `"tcp"` or
+  `"udp"`), kept as-is.
+
+Empty values are emitted as explicit empty lists, not null. This
+lets STD's UI distinguish "we know there's nothing" from "the
+notifier hasn't reported yet" (where the field is absent / null).
+The STD notifier's `_PASSTHROUGH` set covers all three new fields;
+no translation is needed because they are already in canonical
+shape.
+
+Only the STD notifier consumes these fields today. The DNS notifier
+receives them through `**kwargs` and ignores them. Storing them in
+`base_kwargs` rather than as STD-specific extras keeps them
+available for any future notifier (e.g. a Traefik-config emitter)
+without rerunning the Docker API call.
+
+Out of scope: per-network detail beyond name and aliases (no IPs,
+gateways, MAC addresses); per-host filtering of which networks to
+report; sending the data anywhere besides STD.
+
+### 7.4 YAML interpreter mechanism
+
+A YAML-driven interpreter layer reads labels written by third-party
+tools (Traefik, Dockflare, ...) and emits structured exposure
+observations to STD as `exposure_observations`. Eliminates the need
+for operators to duplicate hostnames into
+`dockernotifier.std.internalurl` when the same fact is already
+encoded in their Traefik/Dockflare labels.
+
+Goals:
+
+- Translate third-party label schemes into a uniform shape STD
+  understands, without operators having to fork the notifier for
+  each new tool.
+- Ship sensible defaults for the two tools the maintainer actually
+  runs (Traefik, Dockflare).
+- Offer operators a path to add new interpreters without rebuilding
+  the image: drop a YAML in a mounted directory.
+- Maintain a community-reference directory in the repo for sharing
+  contributed interpreters.
+
+Loader (`interpreter_loader.py`):
+
+- `load_interpreters()` returns a `LoadResult(interpreters, ...)`
+  containing the compiled interpreters and a flag indicating whether
+  any directories were even found.
+- `evaluate(interpreters, labels)` runs every interpreter against a
+  container's labels and returns the concatenated list of emitted
+  observations.
+- `/app/interpreters/builtin/` is read first. Then
+  `/app/interpreters/user/` — user files with a `name:` matching a
+  builtin override the builtin and the override is logged.
+- Files that fail YAML parsing, validation, or regex compilation
+  log a warning and are skipped. The loader does not raise; bad
+  files do not block startup.
+- Loaded interpreters are stored in a module-level dict keyed by
+  name. Not re-read per event. The debug-only
+  `INTERPRETER_RELOAD_ON_EACH_EVENT=true` env var re-reads both
+  directories on every dispatch — useful when iterating on a YAML,
+  not for production.
+
+Wire emission: the STD notifier passes `exposure_observations`
+through unchanged via `_PASSTHROUGH`. The value is one of:
+
+- A **list** (possibly empty) — emitted when at least one
+  interpreter is loaded. An empty list means "interpreters ran and
+  nothing matched"; STD interprets this as "clear all exposure rows
+  for this container."
+- **`None`** — emitted when no interpreters are loaded (empty dirs
+  or all failed validation). STD treats null as "no update;
+  preserve existing exposure rows." This distinction matters when
+  an operator disables interpreters at runtime — STD doesn't
+  suddenly forget exposure data.
+
+The STD notifier's `_to_canonical` filter drops `None` values from
+outgoing payloads, so `None` becomes "field absent" on the wire.
+
+Baked-in interpreters (`/app/interpreters/builtin/`):
+
+- `traefik.yml` — regex-match flavor. Captures router names, reads
+  the rule for `Host(...)`, reads `tls` and `entrypoints`. Emits
+  one observation per router.
+- `dockflare.yml` — fixed-key match (`dockflare.enable=true`).
+  Reads `dockflare.hostname`, optional `dockflare.access.policy`
+  and `dockflare.access.group`. Emits a single observation with
+  `tls: true` (Cloudflare Tunnel implies HTTPS) and an `auth`
+  string of the form `cloudflare_access:<policy>` (or `null` if no
+  policy is set, thanks to the null-propagation rule).
+
+Community-reference directory (`docs/community-interpreters/`):
+
+- `README.md` — explains the directory, the format, and the
+  explicit non-guarantee.
+- `traefik.yml`, `dockflare.yml` — reference copies of the
+  builtins. Operators starting a new interpreter from scratch read
+  these to see the format in practice.
+- `template.yml` — heavily annotated skeleton.
+
+PRs that add new interpreters are welcome. The maintainer does not
+QA every contribution — examples may or may not work for a given
+operator's setup. Operators adapt and mount as needed.
+
+The full YAML format reference (match flavors, extract semantics,
+emit substitution rules, null propagation) lives in §11.
+
+Out of scope: reloading interpreters at runtime without notifier
+restart (`INTERPRETER_RELOAD_ON_EACH_EVENT` is a debugging
+affordance, not a feature); per-container interpreter selection;
+per-host curation of which YAMLs apply (mount different files on
+different hosts is the answer); network-membership-based matching
+inside the notifier (STD's synthesizer handles that on its side);
+a web UI for managing interpreters; validating emit outputs against
+STD's `ExposureObservation` schema beyond basic structure.
+
+### 7.5 Dependencies
+
+- Hard pairing: **STD v0.6.0** must be deployed before notifier
+  v0.4.0 is rolled out. STD v0.5.x's strict pydantic validator
+  rejects payloads carrying `networks`, `exposed_ports`,
+  `published_ports`, or `exposure_observations`.
 
 ---
 
-## 7. Versioning, Branches, and Releases
+## 8. Versioning, Branches, and Releases
 
 - `main` is the default branch and the source of truth for releases.
 - All work happens on `dev`. PR `dev` → `main` when ready to release.
@@ -326,18 +631,18 @@ window.
 
 ---
 
-## 8. Cross-Repo Coordination
+## 9. Cross-Repo Coordination
 
 This project is paired with
 [service-tracker-dashboard](https://github.com/crzykidd/service-tracker-dashboard).
 
-### 8.1 Contract ownership
+### 9.1 Contract ownership
 
 STD owns the wire contract for the register endpoint. The notifier is
 a producer — it sends what STD documents. Wire-format changes start in
 STD; the notifier follows.
 
-### 8.2 Release ordering for the v0.5.0 / v0.3.0 cycle
+### 9.2 Release ordering for the v0.5.0 / v0.3.0 cycle
 
 1. STD v0.5.0 ships with `/api/v1/register` (canonical keys) and the
    compat shim on `/api/register` (legacy keys, deprecated).
@@ -347,9 +652,22 @@ STD; the notifier follows.
 
 Operators must upgrade the notifier to v0.3.0+ before STD v0.6.0.
 
+### 9.3 Release ordering for the v0.6.0 / v0.4.0 cycle
+
+1. STD v0.6.0 ships with `networks`, `exposed_ports`,
+   `published_ports`, and `exposure_observations` accepted on
+   `/api/v1/register`, plus the synthesizer that turns observations
+   into rendered exposure rows.
+2. Notifier v0.4.0 ships emitting all four fields and loading the
+   YAML interpreter layer that produces `exposure_observations`.
+
+If notifier v0.4.0 is deployed against STD v0.5.x, STD's strict
+pydantic validator rejects the payload (unknown keys). Operators
+must upgrade STD before the notifier.
+
 ---
 
-## 9. Open Questions
+## 10. Open Questions
 
 - **Test coverage.** No tests exist today. Worth investing in a small
   suite that fakes the Docker client and asserts dispatch behavior?
@@ -362,3 +680,89 @@ Operators must upgrade the notifier to v0.3.0+ before STD v0.6.0.
 - **New notifier targets.** Likely candidates if needed: Slack, Discord,
   ntfy, generic webhook. Each one is ~1 module under `notifiers/` plus
   env vars.
+
+---
+
+## 11. YAML Interpreter Format Reference
+
+This is the format contract for YAML interpreter files loaded by
+`interpreter_loader.py`. Community contributors and operators
+writing their own interpreters should treat this section as
+authoritative. See §7.4 for the surrounding release notes and
+design intent.
+
+### 11.1 File structure
+
+One file per interpreter, one interpreter per file. Top-level keys:
+
+```yaml
+name: <identifier>          # required
+description: <free text>    # optional
+match:                      # required, exactly one flavor
+  any_label_key_matches: '<regex with named captures>'
+  # or
+  label_key: '<exact key>'
+  label_value_equals: '<value>'   # optional, case-insensitive
+extract:                    # required (may be empty)
+  <local_var>:
+    from_label: '<key, may reference {captures}>'
+    value_pattern: '<regex over the label value>'   # optional
+    capture: '<named group from value_pattern>'      # optional
+    coerce: bool | int                               # optional
+    default: <value if missing or extraction fails>  # optional
+emit:                       # required
+  layer: <required string>
+  <field>: '<literal or {local_var}>'
+  details:
+    <field>: '<literal or {local_var}>'
+```
+
+### 11.2 Match
+
+- `any_label_key_matches` — regex applied to every label key on the
+  container with `fullmatch`. Named captures `(?P<name>...)` become
+  available in `extract` via `{name}` substitution. If multiple
+  label keys match, the interpreter fires once per match — useful
+  for tools that namespace per-router (Traefik).
+- `label_key` + optional `label_value_equals` — fires once if the
+  exact label key exists. With `label_value_equals`, the value is
+  compared case-insensitively after stripping.
+
+A single interpreter must pick exactly one flavor.
+
+### 11.3 Extract
+
+Each entry defines a local variable. The notifier:
+
+1. Substitutes `{capture}` placeholders in `from_label` with values
+   from the match step.
+2. Looks up that label key on the container.
+3. If a `value_pattern` is set, runs `re.search` over the value. If
+   `capture` is set, the named group is used; otherwise the whole
+   match is the result.
+4. Applies `coerce` (`bool` or `int`). Boolean truthy strings are
+   `true`, `1`, `yes` (case-insensitive). Failed int coercion falls
+   back to `default`.
+5. If anything in steps 2–4 fails (label missing, pattern doesn't
+   match, capture missing), the variable takes its `default` (or
+   `None` if no default was set).
+
+### 11.4 Emit
+
+Each key in `emit` becomes a field on the resulting observation.
+String values may reference `{local_var}` placeholders from the
+extract step.
+
+Null propagation rules:
+
+- A **bare** placeholder like `'{var}'` resolves to the variable's
+  value verbatim — bools stay bools, ints stay ints, lists stay
+  lists, `None` passes through as `None`.
+- A **mixed** template like `'cloudflare_access:{policy}'` is built
+  by string concatenation. If any referenced variable is `None`,
+  the whole field resolves to `None` (rather than substituting the
+  literal string `"None"`).
+
+`emit.layer` is required and identifies the source tool on the wire.
+All other emit fields are optional; STD treats missing fields as
+"no information."
diff --git a/docs/community-interpreters/README.md b/docs/community-interpreters/README.md
new file mode 100644
index 0000000..c0b1402
--- /dev/null
+++ b/docs/community-interpreters/README.md
@@ -0,0 +1,92 @@
+# Community Interpreters
+
+This directory holds **reference YAML interpreters** contributed by
+operators of `docker-api-notifier`. Each file teaches the notifier how
+to read labels written by a third-party tool (Traefik, Dockflare,
+Caddy, Pangolin, NPM, etc.) and emit them as structured exposure
+observations to STD.
+
+## Status: examples, not products
+
+Files here are community-contributed. They may or may not work for
+your specific environment. The maintainer does not QA every
+contribution — operators are expected to read the YAML, understand
+what it captures, and adapt it before mounting it into a notifier
+instance.
+
+If a file here works for your setup as-is, great. If it doesn't,
+edit it locally; PRs that improve an example are welcome.
+
+## Using an interpreter
+
+1. Copy the `.yml` file to a directory on your Docker host
+   (e.g. `/etc/docker-api-notifier/interpreters/`).
+2. Mount that directory into the notifier container at
+   `/app/interpreters/user`:
+
+   ```yaml
+   volumes:
+     - /etc/docker-api-notifier/interpreters:/app/interpreters/user:ro
+   ```
+
+3. Restart the notifier. On startup it will log which interpreters
+   were loaded.
+
+User-supplied files with the same `name:` as a builtin **override**
+the builtin. That is intentional — drop in a tweaked `traefik.yml`
+to customise capture without forking the notifier.
+
+## Writing a new interpreter
+
+See `docs/PRD.md` §12 for the full YAML format reference. The two
+builtin interpreters are also mirrored here as references:
+
+- `traefik.yml` — regex-match flavor, captures router names with a
+  named group and reads multiple labels per router.
+- `dockflare.yml` — fixed-key match flavor, simpler structure.
+
+At a glance, every interpreter has three sections:
+
+```yaml
+name: <identifier>
+description: <human-readable>
+
+match:
+  # Exactly one of:
+  any_label_key_matches: '<regex with (?P<name>...) captures>'
+  # or
+  label_key: '<exact label key>'
+  label_value_equals: '<expected value>'
+
+extract:
+  <local_var>:
+    from_label: '<label key, may reference {captures}>'
+    value_pattern: '<optional regex over the label value>'
+    capture: '<named group from value_pattern>'
+    coerce: bool | int
+    default: <value if missing>
+
+emit:
+  layer: <required identifier>
+  <field>: '<literal or {local_var}>'
+  details:
+    <field>: '<literal or {local_var}>'
+```
+
+**Null propagation in `emit`:** if any `{var}` referenced in a string
+template resolves to `None`, the whole field becomes `None`. For a
+bare placeholder (`'{var}'`), the value is passed through verbatim —
+bools, ints, and lists keep their type.
+
+## Contributing
+
+PRs welcome. When adding a new file:
+
+- Pick a `name:` that matches the tool being interpreted
+  (e.g. `caddy`, `pangolin`, `npm`).
+- Include a `description:` that names the labels read and the
+  observations emitted.
+- Test the YAML against a real container running the tool before
+  opening the PR.
+- Note any caveats in a comment near the top (e.g. "only handles
+  HTTP routers, not TCP").
diff --git a/docs/community-interpreters/dockflare.yml b/docs/community-interpreters/dockflare.yml
new file mode 100644
index 0000000..f15270c
--- /dev/null
+++ b/docs/community-interpreters/dockflare.yml
@@ -0,0 +1,26 @@
+name: dockflare
+description: |
+  Reads Dockflare labels and emits exposure observations for
+  Cloudflare Tunnel ingress. Dockflare always implies HTTPS.
+
+match:
+  label_key: 'dockflare.enable'
+  label_value_equals: 'true'
+
+extract:
+  hostname:
+    from_label: 'dockflare.hostname'
+  auth_policy:
+    from_label: 'dockflare.access.policy'
+    default: null
+  auth_group:
+    from_label: 'dockflare.access.group'
+    default: null
+
+emit:
+  layer: dockflare
+  hostname: '{hostname}'
+  tls: true
+  auth: 'cloudflare_access:{auth_policy}'
+  details:
+    auth_group: '{auth_group}'
diff --git a/docs/community-interpreters/template.yml b/docs/community-interpreters/template.yml
new file mode 100644
index 0000000..6e1d534
--- /dev/null
+++ b/docs/community-interpreters/template.yml
@@ -0,0 +1,77 @@
+# Heavily-annotated template for a new interpreter.
+#
+# Copy this file, replace `<placeholders>`, and mount it into the
+# notifier container at /app/interpreters/user/<name>.yml.
+
+# Required. Identifier used for logging and for the wire `layer`
+# value if the interpreter doesn't override it. Should match the
+# tool the interpreter reads.
+name: <tool>
+
+# Optional. Human-readable summary. Shown in startup logs.
+description: |
+  <one or two sentences naming the labels this interpreter reads
+  and what it emits>
+
+# The match step decides whether this interpreter fires for a given
+# container. Pick exactly ONE of the two flavors.
+match:
+  # Flavor 1: regex-match a label KEY. Use named captures
+  # (?P<name>...) for any variable portion you want to reference
+  # in the extract step. If the regex matches multiple distinct
+  # label keys on the same container, the interpreter fires once
+  # per match (e.g. a container with multiple Traefik routers
+  # produces multiple observations).
+  any_label_key_matches: '<regex>'
+
+  # Flavor 2: a fixed label key with an optional exact-value match.
+  # Use this for tools that have a single "enable" label.
+  # label_key: '<exact.label.key>'
+  # label_value_equals: 'true'   # optional; case-insensitive
+
+# The extract step reads the labels you care about. Each entry
+# defines a local variable that the emit step can reference as
+# `{name}`.
+extract:
+  <local_var>:
+    # The label key to read. May contain {captures} from a
+    # regex-match — substituted before lookup.
+    from_label: '<exact.label.key or template>'
+
+    # Optional. Regex applied to the label VALUE. If set, the
+    # extracted value is either the named capture group below or
+    # the entire match.
+    # value_pattern: '<regex over the label value>'
+    # capture: '<named group from value_pattern>'
+
+    # Optional. Coerce the string label value into a typed value.
+    # Supported: bool, int.
+    # coerce: bool
+
+    # Optional. Used when the label is missing or extraction fails.
+    # default: false
+
+# The emit step assembles one ExposureObservation. Keys become
+# fields on the resulting observation; string values may reference
+# `{local_var}` placeholders from the extract step.
+#
+# Null propagation: if any {var} in a string template resolves to
+# null, the whole field becomes null. For a bare placeholder
+# (`'{var}'`), the value is preserved verbatim (bool stays bool,
+# int stays int).
+emit:
+  # Required. Identifies which "layer" the observation came from.
+  # STD uses this to disambiguate sources when multiple
+  # interpreters fire on the same container.
+  layer: <tool>
+
+  # Standard fields. All optional; include whichever the tool
+  # actually tells you about.
+  hostname: '{<local_var>}'
+  tls: '{<local_var>}'
+  # path_prefix: ...
+  # auth: ...
+
+  # Free-form bag for tool-specific extras.
+  details:
+    <key>: '{<local_var>}'
diff --git a/docs/community-interpreters/traefik.yml b/docs/community-interpreters/traefik.yml
new file mode 100644
index 0000000..4e163b8
--- /dev/null
+++ b/docs/community-interpreters/traefik.yml
@@ -0,0 +1,27 @@
+name: traefik
+description: |
+  Reads Traefik router labels and emits one exposure observation per
+  router defined on the container.
+
+match:
+  any_label_key_matches: 'traefik\.http\.routers\.(?P<router>[^.]+)\.rule'
+
+extract:
+  hostname:
+    from_label: 'traefik.http.routers.{router}.rule'
+    value_pattern: 'Host\(`(?P<host>[^`]+)`\)'
+    capture: 'host'
+  tls:
+    from_label: 'traefik.http.routers.{router}.tls'
+    coerce: bool
+    default: false
+  entrypoints:
+    from_label: 'traefik.http.routers.{router}.entrypoints'
+    default: null
+
+emit:
+  layer: traefik
+  hostname: '{hostname}'
+  tls: '{tls}'
+  details:
+    entrypoints: '{entrypoints}'
diff --git a/interpreter_loader.py b/interpreter_loader.py
new file mode 100644
index 0000000..5366450
--- /dev/null
+++ b/interpreter_loader.py
@@ -0,0 +1,487 @@
+"""
+YAML interpreter loader and evaluator for docker-api-notifier.
+
+Interpreters read labels written by third-party tools (Traefik,
+Dockflare, etc.) and emit structured exposure observations that the
+notifier forwards to STD. See PRD §12 for the full design and YAML
+format reference.
+
+Public surface:
+    load_interpreters() -> LoadResult
+    evaluate(interpreters, labels) -> list[dict]
+
+The module is named `interpreter_loader` (not `interpreters`) to
+avoid a name collision with the on-disk `interpreters/builtin/` and
+`interpreters/user/` directories used as the YAML search roots:
+Python's namespace-package mechanism would otherwise shadow the
+module file with the directory.
+
+`load_interpreters()` is called once at notifier startup. The returned
+LoadResult carries the list of compiled interpreters plus a flag
+indicating whether any directory was even searched / loaded — this
+distinguishes "interpreters ran and nothing matched" (empty list on
+the wire) from "interpreters disabled" (null on the wire).
+
+`evaluate()` is called per container event with the container's
+labels dict. It runs every loaded interpreter against the labels and
+returns the union of their emitted observations.
+"""
+
+import os
+import re
+from dataclasses import dataclass, field
+from typing import Any, Optional
+
+import yaml
+
+from logging_setup import get_logger
+
+logger = get_logger("interpreters")
+
+BUILTIN_DIR = "/app/interpreters/builtin"
+USER_DIR = "/app/interpreters/user"
+
+_TRUTHY = {"true", "1", "yes"}
+
+
+@dataclass
+class ExtractSpec:
+    """One entry in the `extract:` section."""
+    name: str
+    from_label_template: str
+    value_pattern: Optional[re.Pattern] = None
+    value_capture: Optional[str] = None
+    coerce: Optional[str] = None  # "bool" or "int"
+    default: Any = None
+
+
+@dataclass
+class Interpreter:
+    name: str
+    description: str
+    # Match — exactly one flavor is populated.
+    match_any_label_key: Optional[re.Pattern] = None
+    match_label_key: Optional[str] = None
+    match_label_value_equals: Optional[str] = None
+    extract: list = field(default_factory=list)  # list[ExtractSpec]
+    emit: dict = field(default_factory=dict)
+    source_path: str = ""
+
+
+@dataclass
+class LoadResult:
+    interpreters: list  # list[Interpreter]
+    directories_searched: bool  # True if either builtin/user dir was found
+
+    @property
+    def any_loaded(self) -> bool:
+        return bool(self.interpreters)
+
+
+# ---------------------------------------------------------------------------
+# Loading & validation
+# ---------------------------------------------------------------------------
+
+def load_interpreters(
+    builtin_dir: str = BUILTIN_DIR,
+    user_dir: str = USER_DIR,
+) -> LoadResult:
+    """
+    Load YAML interpreters from builtin and user directories.
+
+    User-supplied interpreters with the same `name` as a builtin
+    override the builtin. Invalid files log a warning and are
+    skipped; the loader continues with the rest.
+    """
+    by_name: dict = {}
+    directories_searched = False
+
+    if os.path.isdir(builtin_dir):
+        directories_searched = True
+        for interp in _load_dir(builtin_dir, "builtin"):
+            by_name[interp.name] = interp
+
+    if os.path.isdir(user_dir):
+        directories_searched = True
+        for interp in _load_dir(user_dir, "user"):
+            if interp.name in by_name:
+                logger.info(
+                    f"[interpreter:{interp.name}] user file {interp.source_path} "
+                    f"overrides builtin"
+                )
+            by_name[interp.name] = interp
+
+    interpreters = sorted(by_name.values(), key=lambda i: i.name)
+    if interpreters:
+        names = ", ".join(i.name for i in interpreters)
+        logger.info(f"Loaded {len(interpreters)} interpreter(s): {names}")
+    elif directories_searched:
+        logger.info("No interpreters loaded (directories present but empty or all invalid)")
+    else:
+        logger.info("No interpreters loaded (no interpreter directories present)")
+
+    return LoadResult(
+        interpreters=interpreters,
+        directories_searched=directories_searched,
+    )
+
+
+def _load_dir(path: str, source_label: str):
+    """Yield validated Interpreter objects from every *.yml file in path."""
+    try:
+        entries = sorted(os.listdir(path))
+    except OSError as e:
+        logger.warning(f"Could not list interpreter dir {path}: {e}")
+        return
+    for entry in entries:
+        if not (entry.endswith(".yml") or entry.endswith(".yaml")):
+            continue
+        full = os.path.join(path, entry)
+        try:
+            with open(full, "r", encoding="utf-8") as f:
+                doc = yaml.safe_load(f)
+        except (OSError, yaml.YAMLError) as e:
+            logger.warning(f"Failed to read {source_label} interpreter {full}: {e}")
+            continue
+        interp = _validate_and_compile(doc, full)
+        if interp is not None:
+            yield interp
+
+
+def _validate_and_compile(doc: Any, source_path: str) -> Optional[Interpreter]:
+    """Return a compiled Interpreter, or None if the document is invalid."""
+    prefix = f"[interpreter @ {source_path}]"
+    if not isinstance(doc, dict):
+        logger.warning(f"{prefix} top-level YAML must be a mapping; skipping")
+        return None
+
+    name = doc.get("name")
+    if not isinstance(name, str) or not name.strip():
+        logger.warning(f"{prefix} missing or invalid `name`; skipping")
+        return None
+    name = name.strip()
+
+    description = doc.get("description") or ""
+    if not isinstance(description, str):
+        description = str(description)
+
+    match = doc.get("match")
+    if not isinstance(match, dict):
+        logger.warning(f"[interpreter:{name}] missing or invalid `match` section; skipping")
+        return None
+
+    interp = Interpreter(
+        name=name,
+        description=description.strip(),
+        source_path=source_path,
+    )
+
+    has_regex = "any_label_key_matches" in match
+    has_fixed = "label_key" in match
+    if has_regex and has_fixed:
+        logger.warning(
+            f"[interpreter:{name}] match section has both regex and fixed-key flavors; "
+            f"only one is allowed. Skipping."
+        )
+        return None
+    if not has_regex and not has_fixed:
+        logger.warning(
+            f"[interpreter:{name}] match section must define either "
+            f"`any_label_key_matches` or `label_key`. Skipping."
+        )
+        return None
+
+    if has_regex:
+        pattern_str = match["any_label_key_matches"]
+        if not isinstance(pattern_str, str):
+            logger.warning(f"[interpreter:{name}] `any_label_key_matches` must be a string; skipping")
+            return None
+        try:
+            interp.match_any_label_key = re.compile(pattern_str)
+        except re.error as e:
+            logger.warning(
+                f"[interpreter:{name}] could not compile `any_label_key_matches` "
+                f"regex {pattern_str!r}: {e}. Skipping."
+            )
+            return None
+    else:
+        key = match["label_key"]
+        if not isinstance(key, str) or not key.strip():
+            logger.warning(f"[interpreter:{name}] `label_key` must be a non-empty string; skipping")
+            return None
+        interp.match_label_key = key
+        value_equals = match.get("label_value_equals")
+        if value_equals is not None and not isinstance(value_equals, str):
+            value_equals = str(value_equals)
+        interp.match_label_value_equals = value_equals
+
+    extract_section = doc.get("extract") or {}
+    if not isinstance(extract_section, dict):
+        logger.warning(f"[interpreter:{name}] `extract` must be a mapping; skipping")
+        return None
+    for var_name, spec in extract_section.items():
+        compiled = _compile_extract(name, var_name, spec)
+        if compiled is None:
+            return None
+        interp.extract.append(compiled)
+
+    emit_section = doc.get("emit")
+    if not isinstance(emit_section, dict):
+        logger.warning(f"[interpreter:{name}] missing or invalid `emit` section; skipping")
+        return None
+    if "layer" not in emit_section:
+        logger.warning(f"[interpreter:{name}] `emit` must include a `layer` field; skipping")
+        return None
+    interp.emit = emit_section
+
+    logger.debug(f"[interpreter:{name}] loaded from {source_path}")
+    return interp
+
+
+def _compile_extract(interp_name: str, var_name: str, spec: Any) -> Optional[ExtractSpec]:
+    if not isinstance(spec, dict):
+        logger.warning(
+            f"[interpreter:{interp_name}] extract.{var_name} must be a mapping; skipping interpreter"
+        )
+        return None
+    from_label = spec.get("from_label")
+    if not isinstance(from_label, str) or not from_label.strip():
+        logger.warning(
+            f"[interpreter:{interp_name}] extract.{var_name}.from_label must be a non-empty string; "
+            f"skipping interpreter"
+        )
+        return None
+    coerce = spec.get("coerce")
+    if coerce is not None and coerce not in ("bool", "int"):
+        logger.warning(
+            f"[interpreter:{interp_name}] extract.{var_name}.coerce={coerce!r} must be 'bool' or 'int'; "
+            f"skipping interpreter"
+        )
+        return None
+    value_pattern_str = spec.get("value_pattern")
+    value_pattern = None
+    value_capture = spec.get("capture")
+    if value_pattern_str is not None:
+        if not isinstance(value_pattern_str, str):
+            logger.warning(
+                f"[interpreter:{interp_name}] extract.{var_name}.value_pattern must be a string; "
+                f"skipping interpreter"
+            )
+            return None
+        try:
+            value_pattern = re.compile(value_pattern_str)
+        except re.error as e:
+            logger.warning(
+                f"[interpreter:{interp_name}] extract.{var_name}.value_pattern {value_pattern_str!r} "
+                f"could not compile: {e}. Skipping interpreter."
+            )
+            return None
+    return ExtractSpec(
+        name=var_name,
+        from_label_template=from_label,
+        value_pattern=value_pattern,
+        value_capture=value_capture,
+        coerce=coerce,
+        default=spec.get("default"),
+    )
+
+
+# ---------------------------------------------------------------------------
+# Evaluation
+# ---------------------------------------------------------------------------
+
+def evaluate(interpreters, labels: dict) -> list:
+    """
+    Run every interpreter against the container's labels.
+
+    Returns the concatenated list of observations. An interpreter
+    can produce zero or more observations: a regex-match flavor can
+    fire multiple times (e.g. multiple Traefik routers on one
+    container) and emits one observation per match; a fixed-key
+    flavor emits at most one observation.
+    """
+    results = []
+    for interp in interpreters:
+        try:
+            results.extend(_evaluate_one(interp, labels))
+        except Exception as e:  # defensive — bad regex at runtime, etc.
+            logger.warning(
+                f"[interpreter:{interp.name}] unexpected error during evaluation: {e}; skipping"
+            )
+    return results
+
+
+def _evaluate_one(interp: Interpreter, labels: dict) -> list:
+    """Evaluate a single interpreter against labels; return list of observations."""
+    if interp.match_any_label_key is not None:
+        captures_list = []
+        for key in labels:
+            m = interp.match_any_label_key.fullmatch(key)
+            if m is None:
+                continue
+            captures_list.append(dict(m.groupdict()))
+        if not captures_list:
+            return []
+        out = []
+        for captures in captures_list:
+            obs = _run_extract_and_emit(interp, labels, captures)
+            if obs is not None:
+                out.append(obs)
+        return out
+
+    # Fixed-key match flavor.
+    value = labels.get(interp.match_label_key)
+    if value is None:
+        return []
+    if interp.match_label_value_equals is not None:
+        if str(value).strip().lower() != interp.match_label_value_equals.strip().lower():
+            return []
+    obs = _run_extract_and_emit(interp, labels, {})
+    return [obs] if obs is not None else []
+
+
+def _run_extract_and_emit(interp: Interpreter, labels: dict, captures: dict) -> Optional[dict]:
+    """Run the extract step (using captures) and then the emit step."""
+    local_vars: dict = {}
+    for spec in interp.extract:
+        try:
+            label_key = _substitute(spec.from_label_template, captures)
+        except KeyError as e:
+            logger.debug(
+                f"[interpreter:{interp.name}] extract.{spec.name}: capture {e} not available; "
+                f"using default"
+            )
+            local_vars[spec.name] = spec.default
+            continue
+        raw_value = labels.get(label_key)
+        local_vars[spec.name] = _resolve_extract_value(interp.name, spec, raw_value)
+    return _build_emit(interp, local_vars)
+
+
+def _resolve_extract_value(interp_name: str, spec: ExtractSpec, raw_value: Any) -> Any:
+    """Apply value_pattern, coerce, and default for a single extract spec."""
+    if raw_value is None:
+        return spec.default
+    value: Any = raw_value
+    if spec.value_pattern is not None:
+        m = spec.value_pattern.search(str(raw_value))
+        if m is None:
+            logger.debug(
+                f"[interpreter:{interp_name}] extract.{spec.name}: value_pattern did not match "
+                f"label value {raw_value!r}; using default"
+            )
+            return spec.default
+        if spec.value_capture is not None:
+            try:
+                value = m.group(spec.value_capture)
+            except IndexError as e:
+                logger.warning(
+                    f"[interpreter:{interp_name}] extract.{spec.name}: capture group "
+                    f"{spec.value_capture!r} missing in match: {e}"
+                )
+                return spec.default
+        else:
+            value = m.group(0)
+    if spec.coerce == "bool":
+        value = str(value).strip().lower() in _TRUTHY
+    elif spec.coerce == "int":
+        try:
+            value = int(value)
+        except (TypeError, ValueError):
+            logger.debug(
+                f"[interpreter:{interp_name}] extract.{spec.name}: could not coerce "
+                f"{value!r} to int; using default"
+            )
+            return spec.default
+    return value
+
+
+def _build_emit(interp: Interpreter, local_vars: dict) -> Optional[dict]:
+    """Walk the emit dict recursively, substituting {name} from local_vars."""
+    result = _substitute_value(interp.emit, local_vars, interp.name)
+    if not isinstance(result, dict):
+        logger.warning(
+            f"[interpreter:{interp.name}] emit did not resolve to a mapping; skipping"
+        )
+        return None
+    return result
+
+
+def _substitute_value(value: Any, local_vars: dict, interp_name: str) -> Any:
+    """
+    Recursively walk a value from the emit section, substituting any
+    `{var}` placeholders in string leaves against local_vars.
+
+    Null propagation: if a string template contains a `{var}` whose
+    value is None, the whole string field resolves to None.
+    """
+    if isinstance(value, dict):
+        return {k: _substitute_value(v, local_vars, interp_name) for k, v in value.items()}
+    if isinstance(value, list):
+        return [_substitute_value(v, local_vars, interp_name) for v in value]
+    if isinstance(value, str):
+        return _substitute_string_leaf(value, local_vars, interp_name)
+    return value
+
+
+def _substitute_string_leaf(template: str, local_vars: dict, interp_name: str) -> Any:
+    """
+    Substitute {name} placeholders in a string.
+
+    Special cases:
+      - If the template is exactly `{name}` and `local_vars[name]` is
+        not a string, return that value verbatim (preserves bools,
+        ints, lists).
+      - If any referenced var is None, the whole resolved value is None.
+      - If a referenced var is missing from local_vars, log a debug
+        message and treat as None (null propagation).
+    """
+    refs = list(_FIELD_NAME_RE.finditer(template))
+    if not refs:
+        return template
+
+    # Bare-placeholder shortcut: '{x}' returns x verbatim (preserves type / null).
+    if len(refs) == 1 and refs[0].group(0) == template:
+        name = refs[0].group(1)
+        if name not in local_vars:
+            logger.debug(
+                f"[interpreter:{interp_name}] emit template references unknown var {{{name}}}"
+            )
+            return None
+        return local_vars[name]
+
+    # Multi-placeholder / partial string. Substitute textually.
+    # If any referenced var is None, the whole field becomes None.
+    out_parts = []
+    last = 0
+    for m in refs:
+        out_parts.append(template[last:m.start()])
+        name = m.group(1)
+        val = local_vars.get(name)
+        if val is None:
+            return None
+        out_parts.append(str(val))
+        last = m.end()
+    out_parts.append(template[last:])
+    return "".join(out_parts)
+
+
+_FIELD_NAME_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")
+
+
+def _substitute(template: str, mapping: dict) -> str:
+    """
+    Substitute {name} placeholders in a label-key template (extract.from_label).
+
+    Raises KeyError if a referenced name is missing — the caller falls
+    back to the extract spec's default.
+    """
+    def repl(m):
+        name = m.group(1)
+        if name not in mapping:
+            raise KeyError(name)
+        val = mapping[name]
+        if val is None:
+            raise KeyError(name)
+        return str(val)
+    return _FIELD_NAME_RE.sub(repl, template)
diff --git a/interpreters/builtin/dockflare.yml b/interpreters/builtin/dockflare.yml
new file mode 100644
index 0000000..f15270c
--- /dev/null
+++ b/interpreters/builtin/dockflare.yml
@@ -0,0 +1,26 @@
+name: dockflare
+description: |
+  Reads Dockflare labels and emits exposure observations for
+  Cloudflare Tunnel ingress. Dockflare always implies HTTPS.
+
+match:
+  label_key: 'dockflare.enable'
+  label_value_equals: 'true'
+
+extract:
+  hostname:
+    from_label: 'dockflare.hostname'
+  auth_policy:
+    from_label: 'dockflare.access.policy'
+    default: null
+  auth_group:
+    from_label: 'dockflare.access.group'
+    default: null
+
+emit:
+  layer: dockflare
+  hostname: '{hostname}'
+  tls: true
+  auth: 'cloudflare_access:{auth_policy}'
+  details:
+    auth_group: '{auth_group}'
diff --git a/interpreters/builtin/traefik.yml b/interpreters/builtin/traefik.yml
new file mode 100644
index 0000000..4e163b8
--- /dev/null
+++ b/interpreters/builtin/traefik.yml
@@ -0,0 +1,27 @@
+name: traefik
+description: |
+  Reads Traefik router labels and emits one exposure observation per
+  router defined on the container.
+
+match:
+  any_label_key_matches: 'traefik\.http\.routers\.(?P<router>[^.]+)\.rule'
+
+extract:
+  hostname:
+    from_label: 'traefik.http.routers.{router}.rule'
+    value_pattern: 'Host\(`(?P<host>[^`]+)`\)'
+    capture: 'host'
+  tls:
+    from_label: 'traefik.http.routers.{router}.tls'
+    coerce: bool
+    default: false
+  entrypoints:
+    from_label: 'traefik.http.routers.{router}.entrypoints'
+    default: null
+
+emit:
+  layer: traefik
+  hostname: '{hostname}'
+  tls: '{tls}'
+  details:
+    entrypoints: '{entrypoints}'
diff --git a/main.py b/main.py
index 9637535..d49339d 100644
--- a/main.py
+++ b/main.py
@@ -5,6 +5,7 @@
 import threading
 import time
 from logging_setup import get_logger
+import interpreter_loader
 
 logger = get_logger("main")
 
@@ -12,6 +13,42 @@
 logger.debug("main.py is running")
 STD_REFRESH_SECONDS = int(os.environ.get("STD_REFRESH_SECONDS", "60"))  # Default to 60 seconds
 
+
+def _parse_bool_env(name, default=False):
+    raw = os.environ.get(name)
+    if raw is None:
+        return default
+    normalized = raw.strip().lower()
+    if normalized in ("true", "1", "yes"):
+        return True
+    if normalized in ("false", "0", "no", ""):
+        return False
+    logger.warning(
+        f"Unrecognized boolean value for {name}={raw!r}; treating as off"
+    )
+    return False
+
+
+# When True, the STD notifier fires for every running container on this
+# host regardless of whether the container has the
+# `dockernotifier.notifiers=service-tracker-dashboard` opt-in label.
+# Scope is intentionally limited to STD — other notifiers (DNS) still
+# require explicit per-container opt-in.
+STD_REPORT_ALL_CONTAINERS = _parse_bool_env("STD_REPORT_ALL_CONTAINERS")
+if STD_REPORT_ALL_CONTAINERS:
+    logger.info(
+        "STD_REPORT_ALL_CONTAINERS is on — every running container on this host "
+        "will be reported to STD regardless of opt-in label"
+    )
+
+# Debug-only: re-load interpreters on every event instead of once at
+# startup. Not for production use; intended for iterating on YAML
+# files without bouncing the notifier.
+INTERPRETER_RELOAD_ON_EACH_EVENT = _parse_bool_env("INTERPRETER_RELOAD_ON_EACH_EVENT")
+
+# Loaded once at startup. See `interpreter_loader.py`.
+INTERPRETER_LOAD_RESULT = interpreter_loader.load_interpreters()
+
 # Real Docker events the notifier subscribes to.
 WATCHED_DOCKER_ACTIONS = frozenset({
     "start", "stop", "die", "pause", "unpause",
@@ -53,13 +90,72 @@ def get_host_name():
         return os.uname()[1]
 
 
+def _extract_networks(container_attrs):
+    network_settings = container_attrs.get("NetworkSettings") or {}
+    networks_raw = network_settings.get("Networks") or {}
+    return [
+        {"name": name, "aliases": (data.get("Aliases") or []) if isinstance(data, dict) else []}
+        for name, data in networks_raw.items()
+    ]
+
+
+def _extract_exposed_ports(container_attrs):
+    config = container_attrs.get("Config") or {}
+    exposed = config.get("ExposedPorts") or {}
+    return list(exposed.keys())
+
+
+def _extract_published_ports(container_attrs):
+    network_settings = container_attrs.get("NetworkSettings") or {}
+    ports_raw = network_settings.get("Ports") or {}
+    out = []
+    for port_key, bindings in ports_raw.items():
+        if not bindings:
+            continue
+        try:
+            container_port_str, protocol = port_key.split("/", 1)
+            container_port = int(container_port_str)
+        except (ValueError, AttributeError):
+            logger.debug(f"Skipping malformed port key {port_key!r}")
+            continue
+        for binding in bindings:
+            if not isinstance(binding, dict):
+                continue
+            host_port_raw = binding.get("HostPort")
+            try:
+                host_port = int(host_port_raw)
+            except (TypeError, ValueError):
+                logger.debug(
+                    f"Skipping binding with non-integer HostPort={host_port_raw!r} for {port_key}"
+                )
+                continue
+            out.append({
+                "container_port": container_port,
+                "protocol": protocol,
+                "host_ip": binding.get("HostIp", "") or "",
+                "host_port": host_port,
+            })
+    return out
+
+
 def handle_container_event(container, docker_host, action):
-    labels = container.attrs["Config"]["Labels"]
+    labels = container.attrs["Config"]["Labels"] or {}
     notifier_list_raw = labels.get("dockernotifier.notifiers", "").strip()
-    if not notifier_list_raw:
-        return
     notifier_list = [n.strip() for n in notifier_list_raw.split(",") if n.strip()]
 
+    std_via_label = "service-tracker-dashboard" in notifier_list
+    std_via_env = STD_REPORT_ALL_CONTAINERS
+    std_should_fire = (
+        (std_via_label or std_via_env)
+        and action in NOTIFIER_TRIGGERS["service-tracker-dashboard"]
+    )
+    dns_should_fire = (
+        "dns" in notifier_list and action in NOTIFIER_TRIGGERS["dns"]
+    )
+
+    if not std_should_fire and not dns_should_fire:
+        return
+
     base_kwargs = {
         "container_name": container.name,
         "container_id": container.id,
@@ -69,11 +165,14 @@ def handle_container_event(container, docker_host, action):
         "stack_name": labels.get("com.docker.compose.project"),
         "started_at": container.attrs["State"]["StartedAt"],
         "action": action,
+        "networks": _extract_networks(container.attrs),
+        "exposed_ports": _extract_exposed_ports(container.attrs),
+        "published_ports": _extract_published_ports(container.attrs),
     }
 
     logger.info(f"[MATCH] Container {action.upper()}: {container.name}")
 
-    if action in NOTIFIER_TRIGGERS["dns"] and "dns" in notifier_list:
+    if dns_should_fire:
         container_hostname = labels.get("dockernotifier.dns.containerhostname")
         zone_label = labels.get("dockernotifier.dns.containerzone")
         docker_domain = labels.get("dockernotifier.dns.dockerdomain")
@@ -94,15 +193,39 @@ def handle_container_event(container, docker_host, action):
         else:
             logger.warning(f"Missing DNS label info for {container.name}, skipping DNS registration")
 
-    if "service-tracker-dashboard" in notifier_list and action in NOTIFIER_TRIGGERS["service-tracker-dashboard"]:
+    if std_should_fire:
+        if std_via_env and not std_via_label:
+            logger.debug(
+                f"STD notifier firing for {container.name} via "
+                f"STD_REPORT_ALL_CONTAINERS (no opt-in label)"
+            )
         logger.info(f"STD notifier triggered for {container.name} on {action}")
         std_extras = {
             key.replace("dockernotifier.std.", ""): value
             for key, value in labels.items()
             if key.startswith("dockernotifier.std.")
         }
+        std_extras["exposure_observations"] = _run_interpreters(labels)
         service_tracker_dashboard.register(**base_kwargs, **std_extras)
 
+
+def _run_interpreters(labels):
+    """
+    Run all loaded interpreters against a container's labels.
+
+    Returns:
+      - a list of ExposureObservation dicts (possibly empty) if any
+        interpreters were loaded successfully;
+      - None if no interpreters are loaded — STD treats null as
+        "no update; preserve existing exposure rows."
+    """
+    global INTERPRETER_LOAD_RESULT
+    if INTERPRETER_RELOAD_ON_EACH_EVENT:
+        INTERPRETER_LOAD_RESULT = interpreter_loader.load_interpreters()
+    if not INTERPRETER_LOAD_RESULT.any_loaded:
+        return None
+    return interpreter_loader.evaluate(INTERPRETER_LOAD_RESULT.interpreters, labels)
+
 def main():
     client = docker.from_env()
     docker_host = get_host_name()
@@ -118,13 +241,19 @@ def main():
     threading.Thread(target=periodic_update_loop, args=(docker_host,), daemon=True).start()
 
     for event in client.events(decode=True):
+        if event.get("Type") != "container":
+            continue
         action = event.get("Action")
         if action not in WATCHED_DOCKER_ACTIONS:
             continue
-        container_id = event.get("id")
+        container_id = event.get("Actor", {}).get("ID") or event.get("id")
+        if not container_id:
+            continue
         try:
             container = client.containers.get(container_id)
             handle_container_event(container, docker_host, action=action)
+        except docker.errors.NotFound:
+            pass
         except Exception as e:
             logger.error(f"Failed to handle {action} event for {container_id}: {e}")
 
diff --git a/notifiers/service_tracker_dashboard.py b/notifiers/service_tracker_dashboard.py
index 89111e5..b939164 100644
--- a/notifiers/service_tracker_dashboard.py
+++ b/notifiers/service_tracker_dashboard.py
@@ -29,6 +29,15 @@
     "container_name", "container_id", "docker_status", "stack_name",
     "started_at", "image_name", "internalurl", "externalurl",
     "timestamp",
+    # v0.3.2: network/port capture fields. Already in canonical shape;
+    # consumed by STD v0.6.0+.
+    "networks", "exposed_ports", "published_ports",
+    # v0.4.0: interpreter outputs. List of ExposureObservation dicts
+    # (possibly empty); consumed by STD v0.7.0+. An empty list means
+    # "interpreters ran and nothing matched" (STD clears exposure
+    # rows). The notifier omits the field entirely when no
+    # interpreters are loaded (STD preserves existing rows).
+    "exposure_observations",
 }
 
 # Keys in the canonical schema that need type coercion from string.
diff --git a/requirements.txt b/requirements.txt
index 6dbe5ce..ffebd77 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
 docker
 requests
 tenacity
+PyYAML