Frontend gaps fill work. Testing fixes work. Auditing in progress.

docs/modules/sbomservice/architecture.md

@@ -105,6 +105,53 @@ Operational rules:
 - Logs: structured, include tenant + artifact digest + sbomVersion; classify ingest failures (schema, storage, orchestrator, validation).
 - Alerts: backlog thresholds for outbox/event delivery; high latency on path/timeline endpoints.
 
+## 8.1) Registry Source Management (Sprint 012)
+
+The service manages container registry sources for automated image discovery and scanning:
+
+### Models
+- `RegistrySource` — registry connection with URL, filters, schedule, credentials (via AuthRef).
+- `RegistrySourceRun` — run history with status, discovered images, triggered scans, error details.
+- `RegistrySourceStatus` — `Draft`, `Active`, `Paused`, `Error`, `Deleted`.
+- `RegistrySourceProvider` — `Generic`, `Harbor`, `DockerHub`, `ACR`, `ECR`, `GCR`, `GHCR`.
+
+### APIs
+- `GET/POST/PUT/DELETE /api/v1/registry-sources` — CRUD operations.
+- `POST /api/v1/registry-sources/{id}/test` — test registry connection and credentials.
+- `POST /api/v1/registry-sources/{id}/trigger` — manually trigger discovery and scanning.
+- `POST /api/v1/registry-sources/{id}/pause` / `/resume` — pause/resume scheduled scans.
+- `GET /api/v1/registry-sources/{id}/runs` — run history with health metrics.
+- `GET /api/v1/registry-sources/{id}/discover/repositories` — discover repositories matching filters.
+- `GET /api/v1/registry-sources/{id}/discover/tags/{repository}` — discover tags for a repository.
+- `GET /api/v1/registry-sources/{id}/discover/images` — full image discovery.
+- `POST /api/v1/registry-sources/{id}/discover-and-scan` — discover and submit scan jobs.
+
+### Webhook Ingestion
+- `POST /api/v1/webhooks/registry/{sourceId}` — receive push notifications from registries.
+- Supported providers: Harbor, DockerHub, ACR, ECR, GCR, GHCR.
+- HMAC-SHA256 signature validation using webhook secret from AuthRef.
+- Auto-detection of provider from request headers.
+
+### Discovery Service
+- OCI Distribution Spec compliant repository/tag enumeration.
+- Pagination via RFC 5988 Link headers.
+- Allowlist/denylist filtering for repositories and tags (glob patterns).
+- Manifest digest retrieval via HEAD requests.
+
+### Scan Job Emission
+- Batch submission to Scanner service with rate limiting.
+- Deduplication (skips if job already exists).
+- Metadata includes source ID, trigger type, client request ID.
+
+### Configuration
+- `SbomService:ScannerUrl` — Scanner service endpoint (default: `http://localhost:5100`).
+- `SbomService:BatchScanSize` — max images per batch (default: 10).
+- `SbomService:BatchScanDelayMs` — delay between batch submissions (default: 100ms).
+
+### Credentials
+- All credentials via AuthRef URIs: `authref://{vault}/{path}#{key}`.
+- Supports basic auth (`basic:user:pass`) and bearer tokens (`bearer:token`) for development.
+
 ## 9) Configuration (PostgreSQL-backed catalog & lookup)
 - Enable PostgreSQL storage for `/console/sboms` and `/components/lookup` by setting `SbomService:PostgreSQL:ConnectionString` (env: `SBOM_SbomService__PostgreSQL__ConnectionString`).
 - Optional overrides: `SbomService:PostgreSQL:Schema`, `SbomService:PostgreSQL:CatalogTable`, `SbomService:PostgreSQL:ComponentLookupTable`; defaults are `sbom_service`, `sbom_catalog`, `sbom_component_neighbors`.