old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions

docs/modules/advisory-ai/guides/api.md

@@ -143,14 +143,62 @@ Produce remediation plan with fix versions and verification steps.
 - **Response extensions:** `content.format` Markdown plus `context.remediation` with recommended fix versions (`package`, `fixedVersion`, `rationale`).
 - **Errors:** `422 advisory.remediation.noFixAvailable` (vendor has not published fix), `409 advisory.remediation.policyHold` (policy forbids automated remediation).
 
-### 7.4 `GET /v1/advisory-ai/outputs/{{outputHash}}`
+### 7.4 `POST /v1/advisory-ai/remediation/apply`
+
+Apply a remediation plan by creating a PR/MR in the target SCM. Requires `advisory-ai:operate` and tenant SCM connector configuration.
+
+- **Request body:**
+```json
+{
+  "planId": "plan-abc123",
+  "scmType": "github"
+}
+```
+- **Response:**
+```json
+{
+  "prId": "gh-pr-42",
+  "prNumber": 42,
+  "url": "https://github.com/owner/repo/pull/42",
+  "branchName": "stellaops/security-fix/plan-abc123",
+  "status": "Open",
+  "statusMessage": "Pull request created successfully",
+  "prBody": "## Security Remediation\n\n**Plan ID:** `plan-abc123`\n...",
+  "createdAt": "2026-01-14T12:00:00Z",
+  "updatedAt": "2026-01-14T12:00:00Z"
+}
+```
+- **PR body includes:**
+  - Summary with vulnerability and component info
+  - Remediation steps (file changes)
+  - Expected SBOM changes (upgrades, additions, removals)
+  - Test requirements
+  - Rollback steps
+  - VEX claim context
+  - Evidence references
+- **Supported SCM types:** `github`, `gitlab`, `azure-devops`, `gitea`
+- **Errors:**
+  - `404 remediation.planNotFound` – plan does not exist
+  - `400 remediation.scmTypeNotSupported` – requested SCM type not configured
+  - `409 remediation.planNotReady` – plan is not PR-ready (see `notReadyReason`)
+  - `502 remediation.scmError` – SCM connector error (branch/file/PR creation failed)
+
+### 7.5 `GET /v1/advisory-ai/remediation/status/{prId}`
+
+Check the status of a PR created by the remediation apply endpoint.
+
+- **Query parameters:** `scmType` (optional, defaults to `github`)
+- **Response:** Same envelope as `POST /remediation/apply`
+- **Errors:** `404 remediation.prNotFound`
+
+### 7.6 `GET /v1/advisory-ai/outputs/{{outputHash}}`
 
 Fetch cached artefact (same envelope as §6). Requires `advisory-ai:view`.
 
 - **Headers:** Supports `If-None-Match` with the `outputHash` (Etag) for cache validation.
 - **Errors:** `404 advisory.output.notFound` if cache expired or tenant lacks access.
 
-### 7.5 `GET /v1/advisory-ai/plans/{{cacheKey}}` (optional)
+### 7.7 `GET /v1/advisory-ai/plans/{{cacheKey}}` (optional)
 
 When plan preview is enabled (feature flag `advisoryAi.planPreview.enabled`), this endpoint returns the orchestration plan using `AdvisoryPipelinePlanResponse` (task metadata, chunk/vector counts). Requires `advisory-ai:operate`.
 
@@ -208,3 +256,4 @@ Limits are enforced at the gateway; the API returns `429` with standard `Retry-A
 | Date (UTC) | Change |
 |------------|--------|
 | 2025-11-03 | Initial sprint-110 preview covering summary/conflict/remediation endpoints, cache retrieval, plan preview, and error/rate limit model. |
+| 2026-01-14 | Added PR generation endpoints (7.4, 7.5): `POST /remediation/apply` and `GET /remediation/status/{prId}`. PR body includes security remediation template with steps, expected changes, tests, rollback, VEX claim. Supported SCM types: github, gitlab, azure-devops, gitea. (SPRINT_20260112_007_BE_remediation_pr_generator) |