up

src/Mirror/StellaOps.Mirror.Creator/TASKS.md

@@ -8,3 +8,4 @@
 | MIRROR-CRT-57-002 | DONE | Time-anchor DSSE emitted when SIGN_KEY is set; bundle meta + verifier check anchor integrity. |
 | MIRROR-CRT-58-001 | DONE | CLI wrappers (`mirror-create.sh`, `mirror-verify.sh`) for deterministic build/verify flows; uses existing assembler + verifier. |
 | MIRROR-CRT-58-002 | DOING (dev) | Export Center scheduling helper (`src/Mirror/StellaOps.Mirror.Creator/schedule-export-center-run.sh`) added; production signing still pending MIRROR-CRT-56-002 key. |
+| EXPORT-OBS-51-001 / 54-001 | DONE | Export Center handoff scripted via `export-center-wire.sh`, scheduler payload now carries bundle metadata, and mirror-sign CI uploads handoff outputs. |

src/Mirror/StellaOps.Mirror.Creator/schedule-export-center-run.sh

@@ -3,6 +3,18 @@ set -euo pipefail
 
 # Schedule an Export Center run for mirror bundles and emit an audit log entry.
 # Requires curl. Uses bearer token auth for simplicity; swap to DPoP if/when gateway enforces it.
+# Usage:
+#   EXPORT_CENTER_BASE_URL=https://export.example.com \
+#   EXPORT_CENTER_TENANT=tenant-a \
+#   EXPORT_CENTER_TOKEN=token123 \
+#   ./schedule-export-center-run.sh mirror:thin '["vex","advisory"]' '["tar.gz","json"]'
+# Env:
+#   EXPORT_CENTER_BASE_URL   (default: http://localhost:8080)
+#   EXPORT_CENTER_TENANT     (default: tenant-default)
+#   EXPORT_CENTER_PROJECT    (optional header)
+#   EXPORT_CENTER_TOKEN      (optional Bearer token)
+#   EXPORT_CENTER_ARTIFACTS_JSON (optional JSON array of {name,path,sha256} to include in payload)
+#   AUDIT_LOG_PATH           (default: ./logs/export-center-schedule.log)
 
 BASE_URL="${EXPORT_CENTER_BASE_URL:-http://localhost:8080}"
 TENANT="${EXPORT_CENTER_TENANT:-tenant-default}"
@@ -19,6 +31,7 @@ fi
 
 TARGETS_JSON="${2:-[\"vex\",\"advisory\",\"policy\"]}"
 FORMATS_JSON="${3:-[\"json\",\"ndjson\"]}"
+ARTIFACTS_JSON="${EXPORT_CENTER_ARTIFACTS_JSON:-}"
 
 mkdir -p "$(dirname "$AUDIT_LOG")"
 
@@ -27,15 +40,39 @@ if [[ -n "$TOKEN" ]]; then
   AUTH_HEADER=(-H "Authorization: Bearer ${TOKEN}")
 fi
 
-payload="$(cat <<JSON
-{
-  "profileId": "${PROFILE_ID}",
-  "targets": ${TARGETS_JSON},
-  "formats": ${FORMATS_JSON},
-  "retentionDays": 30,
-  "priority": "normal"
+payload="$(PROFILE_ID="${PROFILE_ID}" TARGETS_JSON="${TARGETS_JSON}" FORMATS_JSON="${FORMATS_JSON}" ARTIFACTS_JSON="${ARTIFACTS_JSON}" python3 - <<'PY'
+import json
+import os
+import sys
+
+def parse_json(env_key: str) -> object:
+    try:
+        return json.loads(os.environ[env_key])
+    except KeyError:
+        print(f"missing env: {env_key}", file=sys.stderr)
+        sys.exit(1)
+    except json.JSONDecodeError as exc:
+        print(f"invalid JSON in {env_key}: {exc}", file=sys.stderr)
+        sys.exit(1)
+
+payload = {
+    "profileId": os.environ["PROFILE_ID"],
+    "targets": parse_json("TARGETS_JSON"),
+    "formats": parse_json("FORMATS_JSON"),
+    "retentionDays": 30,
+    "priority": "normal",
 }
-JSON
+
+artifacts_raw = os.environ.get("ARTIFACTS_JSON", "").strip()
+if artifacts_raw:
+    try:
+        payload["artifacts"] = json.loads(artifacts_raw)
+    except json.JSONDecodeError as exc:
+        print(f"invalid JSON in EXPORT_CENTER_ARTIFACTS_JSON: {exc}", file=sys.stderr)
+        sys.exit(1)
+
+print(json.dumps(payload))
+PY
 )"
 
 response="$(curl -sS -X POST "${BASE_URL}/export-center/runs" \