feat(api): Implement Console Export Client and Models

- Added ConsoleExportClient for managing export requests and responses.
- Introduced ConsoleExportRequest and ConsoleExportResponse models.
- Implemented methods for creating and retrieving exports with appropriate headers.

feat(crypto): Add Software SM2/SM3 Cryptography Provider

- Implemented SmSoftCryptoProvider for software-only SM2/SM3 cryptography.
- Added support for signing and verification using SM2 algorithm.
- Included hashing functionality with SM3 algorithm.
- Configured options for loading keys from files and environment gate checks.

test(crypto): Add unit tests for SmSoftCryptoProvider

- Created comprehensive tests for signing, verifying, and hashing functionalities.
- Ensured correct behavior for key management and error handling.

feat(api): Enhance Console Export Models

- Expanded ConsoleExport models to include detailed status and event types.
- Added support for various export formats and notification options.

test(time): Implement TimeAnchorPolicyService tests

- Developed tests for TimeAnchorPolicyService to validate time anchors.
- Covered scenarios for anchor validation, drift calculation, and policy enforcement.

docs/api/console/workspaces.md

@@ -310,42 +310,84 @@ data: {
 
 > Until backend implementations ship, use the examples above to unblock DOCS-AIAI-31-004; replace them with live captures once the gateway endpoints are available in staging.
 
-## Exports (draft contract)
+## Exports (draft contract v0.3)
 
-Routes
+### Routes
 - `POST /console/exports` — start an evidence bundle export job.
 - `GET /console/exports/{exportId}` — fetch job status and download locations.
 - `GET /console/exports/{exportId}/events` — SSE stream of job progress (optional).
 
-Headers
-- `Authorization: Bearer <token>`
+### Security / headers
+- `Authorization: DPoP <token>`
+- `DPoP: <proof>`
 - `X-StellaOps-Tenant: <tenantId>`
 - `Idempotency-Key: <uuid>` (recommended for POST)
 - `Accept: application/json` (status) or `text/event-stream` (events)
+- Required scopes: `console:read` AND `console:export` (proposal).
 
-Request body (POST /console/exports)
-- `scope`: `{ tenantId, projectId? }`
-- `sources`: array of `{ type: "advisory"|"vex"|"policy"|"scan", ids: string[] }`
-- `formats`: array of `"json"|"csv"|"ndjson"|"pdf"`
-- `attestations`: `{ include: boolean, sigstoreBundle?: boolean }`
-- `notify`: `{ webhooks?: string[], email?: string[] }`
-- `priority`: `"low"|"normal"|"high"`
+### Request body (POST)
+```jsonc
+{
+  "scope": { "tenantId": "t1", "projectId": "p1" },
+  "sources": [ { "type": "advisory", "ids": ["CVE-2024-12345"] } ],
+  "formats": ["json", "ndjson", "csv"],
+  "attestations": { "include": true, "sigstoreBundle": true },
+  "notify": { "webhooks": ["https://hooks.local/export"], "email": ["secops@example.com"] },
+  "priority": "normal"
+}
+```
 
-Responses
-- `202 Accepted` with `exportId`, `status: queued|running|succeeded|failed|expired`, `estimateSeconds`, `retryAfter`.
-- Status payload includes presigned download URLs, checksum manifest, and error list when failed.
-- SSE events emit `started`, `progress` (percent, item counts), `asset_ready` (uri, sha256), `completed`, `failed` (code, message).
+### Response: 202 Accepted
+- `exportId`: string
+- `status`: `queued|running|succeeded|failed|expired`
+- `estimateSeconds`: int
+- `retryAfter`: int seconds (for polling)
+- `links`: `{ status: url, events?: url }`
 
-Proposed limits
+### Response: GET status
+```jsonc
+{
+  "exportId": "console-export::tenant-default::2025-12-06::0007",
+  "status": "running",
+  "estimateSeconds": 420,
+  "outputs": [
+    { "type": "manifest", "format": "json", "url": "https://.../manifest.json?sig=...", "sha256": "...", "expiresAt": "2025-12-06T13:10:00Z" }
+  ],
+  "progress": { "percent": 42, "itemsCompleted": 210, "itemsTotal": 500, "assetsReady": 12 },
+  "errors": []
+}
+```
+
+### Response: SSE events
+- `started`: `{ exportId, status }`
+- `progress`: `{ exportId, percent, itemsCompleted, itemsTotal }`
+- `asset_ready`: `{ exportId, type, id, url, sha256 }`
+- `completed`: `{ exportId, status: "succeeded", manifestUrl }`
+- `failed`: `{ exportId, status: "failed", code, message }`
+
+### Manifest shape (downloaded via outputs)
+- `version`: string (date)
+- `exportId`, `tenantId`, `generatedAt`
+- `items[]`: `{ type: advisory|vex|policy|scan, id, url, sha256 }`
+- `checksums`: `{ manifest, bundle }`
+
+### Limits (proposed)
 - Max request body 256 KiB; max sources 50; max outputs 1000 assets/export.
-- Default job timeout 30 minutes; idle SSE timeout 60s; backoff header `Retry-After`.
+- Default job timeout 30 minutes; idle SSE timeout 60s; backoff via `Retry-After`.
 
-Samples (draft)
+### Error codes (proposal)
+- `ERR_CONSOLE_EXPORT_INVALID_SOURCE`
+- `ERR_CONSOLE_EXPORT_TOO_LARGE`
+- `ERR_CONSOLE_EXPORT_RATE_LIMIT`
+- `ERR_CONSOLE_EXPORT_UNAVAILABLE`
+
+### Samples
 - Request: `docs/api/console/samples/console-export-request.json`
 - Status: `docs/api/console/samples/console-export-status.json`
 - Manifest: `docs/api/console/samples/console-export-manifest.json`
 - Events: `docs/api/console/samples/console-export-events.ndjson`
 
-Open items (needs owner sign-off)
-- Final schema (fields, limits, error codes), checksum manifest format, attestation options.
+### Open items (needs guild sign-off)
+- Final scopes list (`console:export` vs broader `console:*`).
+- Final limits and error codes; checksum manifest format; attestation options.
 - Caching/tie-break rules for downstream `/console/search` and `/console/downloads`.