feat: Implement BerkeleyDB reader for RPM databases

- Added BerkeleyDbReader class to read and extract RPM header blobs from BerkeleyDB hash databases.
- Implemented methods to detect BerkeleyDB format and extract values, including handling of page sizes and magic numbers.
- Added tests for BerkeleyDbReader to ensure correct functionality and header extraction.

feat: Add Yarn PnP data tests

- Created YarnPnpDataTests to validate package resolution and data loading from Yarn PnP cache.
- Implemented tests for resolved keys, package presence, and loading from cache structure.

test: Add egg-info package fixtures for Python tests

- Created egg-info package fixtures for testing Python analyzers.
- Included PKG-INFO, entry_points.txt, and installed-files.txt for comprehensive coverage.

test: Enhance RPM database reader tests

- Added tests for RpmDatabaseReader to validate fallback to legacy packages when SQLite is missing.
- Implemented helper methods to create legacy package files and RPM headers for testing.

test: Implement dual signing tests

- Added DualSignTests to validate secondary signature addition when configured.
- Created stub implementations for crypto providers and key resolvers to facilitate testing.

chore: Update CI script for Playwright Chromium installation

- Modified ci-console-exports.sh to ensure deterministic Chromium binary installation for console exports tests.
- Added checks for Windows compatibility and environment variable setups for Playwright browsers.

docs/api/gateway/export-center.md

@@ -1,26 +1,23 @@
-# Export Center Gateway Contract (draft placeholder)
+# Export Center Gateway Contract (draft v0.9)
 
-**Status:** Draft v0.2 · owner-proposed
+Scope: proxy Export Center APIs through the Web gateway with tenant scoping, deterministic responses, sealed-mode readiness, and offline-friendly signed URL handling.
 
-## Scope
-- Profile, run, download, and distribution routes proxied via Web gateway.
-- Tenant scoping, RBAC/ABAC, streaming limits, retention/encryption parameters, signed URL policy.
+## Security / headers
+- `Authorization: DPoP <token>`, `DPoP: <proof>`
+- `X-StellaOps-Tenant: <tenantId>` (required)
+- `X-StellaOps-Project: <projectId>` (optional)
+- `Idempotency-Key: <uuid>` (recommended for POST)
+- `Accept: application/json` (or `text/event-stream` for SSE)
+- Scopes (proposal): `export:read` for GET, `export:write` for POST.
 
 ## Endpoints
 - `GET /export-center/profiles` — list export profiles (tenant-scoped).
 - `POST /export-center/runs` — start an export run.
-- `GET /export-center/runs/{runId}` — run status and artifacts.
-- `GET /export-center/runs/{runId}/events` — SSE for run progress.
-- `GET /export-center/distributions/{id}` — fetch signed URLs for OCI/object storage distribution.
+- `GET /export-center/runs/{runId}` — run status + outputs.
+- `GET /export-center/runs/{runId}/events` — SSE progress stream.
+- `GET /export-center/distributions/{id}` — signed URLs for OCI/object storage distribution.
 
-## Security / headers
-- `Authorization: DPoP <token>`; `DPoP: <proof>`
-- `X-StellaOps-Tenant: <tenantId>` (required)
-- `X-StellaOps-Project: <projectId>` (optional)
-- `Idempotency-Key` (recommended for POST)
-- Required scopes (proposal): `export:read`, `export:write`.
-
-## Request: POST /export-center/runs
+## POST /export-center/runs (request)
 ```jsonc
 {
   "profileId": "export-profile::tenant-default::daily-vex",
@@ -37,10 +34,21 @@
 }
 ```
 
-## Response: 202 Accepted
-- `runId`, `status: queued|running|succeeded|failed|expired`, `estimateSeconds`, `retryAfter`.
+## 202 Accepted
+```jsonc
+{
+  "runId": "export-run::tenant-default::2025-12-06::0003",
+  "status": "queued",
+  "estimateSeconds": 420,
+  "links": {
+    "status": "/export-center/runs/export-run::tenant-default::2025-12-06::0003",
+    "events": "/export-center/runs/export-run::tenant-default::2025-12-06::0003/events"
+  },
+  "retryAfter": 5
+}
+```
 
-## Response: GET run
+## GET /export-center/runs/{runId}
 ```jsonc
 {
   "runId": "export-run::tenant-default::2025-12-06::0003",
@@ -48,7 +56,14 @@
   "profileId": "export-profile::tenant-default::daily-vex",
   "startedAt": "2025-12-06T10:00:00Z",
   "outputs": [
-    { "type": "manifest", "format": "json", "url": "https://exports.local/.../manifest.json?sig=...", "sha256": "...", "expiresAt": "2025-12-06T16:00:00Z" }
+    {
+      "type": "manifest",
+      "format": "json",
+      "url": "https://exports.local/tenant-default/0003/manifest.json?sig=...",
+      "sha256": "sha256:c0ffee...",
+      "dsseUrl": "https://exports.local/tenant-default/0003/manifest.dsse?sig=...",
+      "expiresAt": "2025-12-06T16:00:00Z"
+    }
   ],
   "progress": { "percent": 35, "itemsCompleted": 70, "itemsTotal": 200 },
   "errors": []
@@ -56,11 +71,22 @@
 ```
 
 ## SSE events
-- `started`, `progress`, `artifact_ready` (url, sha256, type), `completed`, `failed` (code, message).
+- `started`: `{ runId, status }`
+- `progress`: `{ runId, percent, itemsCompleted, itemsTotal }`
+- `artifact_ready`: `{ runId, type, id, url, sha256, format }`
+- `completed`: `{ runId, status: "succeeded", manifestUrl, manifestDsseUrl? }`
+- `failed`: `{ runId, status: "failed", code, message, retryAfterSeconds? }`
 
-## Limits (proposal)
-- Max request body 256 KiB; max targets 50; default timeout 60 minutes.
-- Idle SSE timeout 60s; backoff with `Retry-After`.
+## Distributions
+- `GET /export-center/distributions/{id}` returns signed URLs, expiry, checksum, and optional DSSE envelope reference.
+- Response headers: `Cache-Control: private, max-age=60, stale-if-error=300`; `ETag` over sorted payload.
+- Signed URL rels: `self`, `alternate` (DSSE), `bundle` when tar/zip produced.
+
+## Determinism & limits
+- Max request body 256 KiB; max targets 50; max outputs 1000 assets/export; max bundle size 500 MiB compressed.
+- Default job timeout 60 minutes; idle SSE timeout 60s; client backoff `1s,2s,4s,8s` capped at 30s; honor `Retry-After`.
+- Ordering: manifest items sorted `(type asc, id asc, format asc, url asc)`.
+- Timestamps: ISO-8601 UTC; stable SHA-256 hashes only.
 
 ## Error codes (proposal)
 - `ERR_EXPORT_PROFILE_NOT_FOUND`
@@ -68,12 +94,13 @@
 - `ERR_EXPORT_TOO_LARGE`
 - `ERR_EXPORT_RATE_LIMIT`
 - `ERR_EXPORT_DISTRIBUTION_FAILED`
+- `ERR_EXPORT_EXPIRED`
 
 ## Samples
-- Profile list sample: _todo_
-- Run request/response: see above snippets.
-- Events NDJSON: _todo_
+- Run request/response: see blocks above.
+- Status/manifest/events: reuse Console manifest sample (`docs/api/console/samples/console-export-manifest.json`) until Export Center publishes dedicated samples.
 
-## Outstanding (for finalization)
-- Confirm scopes, limits, distribution signing rules, and manifest checksum requirements.
-- Provide full OpenAPI/JSON schema and sample artifacts for OCI/object storage distributions.
+## Outstanding for sign-off
+- Final scope/limit numbers (targets, bundle cap, timeouts).
+- Whether DSSE is mandatory for sealed tenants.
+- Distribution signing rules (key source, validity duration) and retention defaults.