docs consolidation work

2025-12-25 10:53:53 +02:00
parent b9f71fc7e9
commit deb82b4f03
117 changed files with 852 additions and 847 deletions
--- a/docs/modules/export-center/api.md
+++ b/docs/modules/export-center/api.md
@@ -16,8 +16,8 @@ This reference describes the Export Center API introduced in Export Center Phase
  - `export:download` for bundle downloads and manifests.
 - **Tenant context:** Provide `X-Stella-Tenant` when the token carries multiple tenants; defaults to token tenant otherwise.
 - **Idempotency:** Mutating endpoints accept `Idempotency-Key` (UUID). Retrying with the same key returns the original result.
- **Rate limits and quotas:** Responses include `X-Stella-Quota-Limit`, `X-Stella-Quota-Remaining`, and `X-Stella-Quota-Reset`. Exceeding quotas returns `429 Too Many Requests` with `ERR_EXPORT_QUOTA`.
- **Integrity headers (downloads):** `Digest: sha-256=<base64>`, `X-Stella-Signature: dsse-b64=<payload>`, and `X-Stella-Immutability: true` accompany bundle/manifest downloads; clients must validate before use.
+- **Rate limits and quotas:** Responses include `X-Stella-Quota-Limit`, `X-Stella-Quota-Remaining`, and `X-Stella-Quota-Reset`. Exceeding quotas returns `429 Too Many Requests` with `ERR_EXPORT_QUOTA`.
+- **Integrity headers (downloads):** `Digest: sha-256=<base64>`, `X-Stella-Signature: dsse-b64=<payload>`, and `X-Stella-Immutability: true` accompany bundle/manifest downloads; clients must validate before use.
 - **Content negotiation:** Requests and responses use `application/json; charset=utf-8` unless otherwise stated. Downloads stream binary content with profile-specific media types.
 - **SSE:** Event streams set `Content-Type: text/event-stream` and keep connections alive with comment heartbeats every 15 seconds.

@@ -101,29 +101,29 @@ Scopes: export:profile:manage
 **Request**

 ```json
-{  
-  "profileId": "prof-airgap-mirror",
-  "name": "Airgap Mirror Weekly",
-  "kind": "mirror",
-  "variant": "full",
-  "include": ["advisories", "vex", "sboms", "policy"],
-  "distribution": ["http", "object"],
-  "encryption": {
-    "enabled": true,
-    "recipientKeys": ["age1tenantkey..."],
-    "strict": false
-  },
-  "retention": {"mode": "days", "value": 30},
-  "limits": {
-    "maxActiveRuns": 4,
-    "maxQueuedRuns": 50,
-    "backpressureMode": "reject"
-  },
-  "approval": {
-    "required": false
-  }
-}
-```
+{  
+  "profileId": "prof-airgap-mirror",
+  "name": "Airgap Mirror Weekly",
+  "kind": "mirror",
+  "variant": "full",
+  "include": ["advisories", "vex", "sboms", "policy"],
+  "distribution": ["http", "object"],
+  "encryption": {
+    "enabled": true,
+    "recipientKeys": ["age1tenantkey..."],
+    "strict": false
+  },
+  "retention": {"mode": "days", "value": 30},
+  "limits": {
+    "maxActiveRuns": 4,
+    "maxQueuedRuns": 50,
+    "backpressureMode": "reject"
+  },
+  "approval": {
+    "required": false
+  }
+}
+```

 **Response 201**

@@ -192,24 +192,24 @@ Scopes: export:run
 {
  "runId": "run-20251029-01",
  "status": "pending",
-  "profileId": "prof-json-raw",
-  "createdAt": "2025-10-29T12:12:11Z",
-  "createdBy": "user:ops",
-  "selectors": { "...": "..." },
-  "links": {
-    "self": "/api/export/runs/run-20251029-01",
-    "events": "/api/export/runs/run-20251029-01/events"
-  },
-  "quotas": {
-    "maxActiveRuns": 4,
-    "maxQueuedRuns": 50,
-    "backpressureMode": "reject"
-  },
-  "approval": {
-    "required": false
-  }
-}
-```
+  "profileId": "prof-json-raw",
+  "createdAt": "2025-10-29T12:12:11Z",
+  "createdBy": "user:ops",
+  "selectors": { "...": "..." },
+  "links": {
+    "self": "/api/export/runs/run-20251029-01",
+    "events": "/api/export/runs/run-20251029-01/events"
+  },
+  "quotas": {
+    "maxActiveRuns": 4,
+    "maxQueuedRuns": 50,
+    "backpressureMode": "reject"
+  },
+  "approval": {
+    "required": false
+  }
+}
+```

 ### 4.2 List runs

@@ -231,15 +231,15 @@ Response fields:

 | Field | Description |
 |-------|-------------|
-| `status` | `pending`, `running`, `success`, `failed`, `canceled`. |
-| `progress` | Object with `adapters`, `bytesWritten`, `recordsProcessed`. |
-| `errorCode` | Populated when `status=failed` (`signing`, `distribution`, etc). |
-| `policySnapshotId` | Returned for policy-aware profiles. |
-| `distributions` | List of available distribution descriptors (type, location, sha256, expiresAt). |
-| `rerunHash` | SHA-256 over sorted `contents[*].digest`; used for determinism checks. |
-| `integrity` | Expected HTTP headers (`Digest`, `X-Stella-Signature`, `X-Stella-Immutability`) and OCI annotations (`io.stellaops.export.*`). |
-| `quotas` | Active limits/backpressure settings returned with the run. |
-| `approval` | Cross-tenant approval ticket when selectors span multiple tenants/wildcards. |
+| `status` | `pending`, `running`, `success`, `failed`, `canceled`. |
+| `progress` | Object with `adapters`, `bytesWritten`, `recordsProcessed`. |
+| `errorCode` | Populated when `status=failed` (`signing`, `distribution`, etc). |
+| `policySnapshotId` | Returned for policy-aware profiles. |
+| `distributions` | List of available distribution descriptors (type, location, sha256, expiresAt). |
+| `rerunHash` | SHA-256 over sorted `contents[*].digest`; used for determinism checks. |
+| `integrity` | Expected HTTP headers (`Digest`, `X-Stella-Signature`, `X-Stella-Immutability`) and OCI annotations (`io.stellaops.export.*`). |
+| `quotas` | Active limits/backpressure settings returned with the run. |
+| `approval` | Cross-tenant approval ticket when selectors span multiple tenants/wildcards. |

 ### 4.4 Cancel a run

@@ -294,16 +294,16 @@ GET /api/export/runs/{runId}/download
 Scopes: export:download
 ```

-Streams the primary bundle (tarball, zip, or profile-specific layout). Headers:
-
- `Content-Disposition: attachment; filename="export-run-20251029-01.tar.zst"`
- `Digest: sha-256=<base64>` (EC5)
- `X-Stella-Signature: dsse-b64:<payload>` (EC3/EC5)
- `X-Stella-Immutability: true`
- `X-Export-Size: 73482019`
- `X-Export-Encryption: age` (when mirror encryption enabled)
-
-Supports HTTP range requests for resume functionality. If no bundle exists yet, responds `409` with `ERR_EXPORT_007`.
+Streams the primary bundle (tarball, zip, or profile-specific layout). Headers:
+
+- `Content-Disposition: attachment; filename="export-run-20251029-01.tar.zst"`
+- `Digest: sha-256=<base64>` (EC5)
+- `X-Stella-Signature: dsse-b64:<payload>` (EC3/EC5)
+- `X-Stella-Immutability: true`
+- `X-Export-Size: 73482019`
+- `X-Export-Encryption: age` (when mirror encryption enabled)
+
+Supports HTTP range requests for resume functionality. If no bundle exists yet, responds `409` with `ERR_EXPORT_007`.

 ### 6.2 Manifest download

@@ -312,8 +312,8 @@ GET /api/export/runs/{runId}/manifest
 Scopes: export:download
 ```

-Returns signed `export.json`. To fetch the detached signature, append `?signature=true`.
- Integrity annotations are mirrored in response headers (`Digest`, `X-Stella-Signature`, `X-Stella-Immutability`) and in the manifest `integrity` block to keep rerun-hash deterministic.
+Returns signed `export.json`. To fetch the detached signature, append `?signature=true`.
+- Integrity annotations are mirrored in response headers (`Digest`, `X-Stella-Signature`, `X-Stella-Immutability`) and in the manifest `integrity` block to keep rerun-hash deterministic.

 ### 6.3 Provenance download

@@ -322,7 +322,7 @@ GET /api/export/runs/{runId}/provenance
 Scopes: export:download
 ```

-Returns signed `provenance.json`. Supports `?signature=true`. Provenance includes attestation subject digests, policy snapshot ids, adapter versions, and KMS key identifiers.
+Returns signed `provenance.json`. Supports `?signature=true`. Provenance includes attestation subject digests, policy snapshot ids, adapter versions, and KMS key identifiers.

 ### 6.4 Distribution descriptors

@@ -356,6 +356,6 @@ Payload includes `targetUrl`, `events` (e.g., `run.succeeded`), and optional sec
 - [Export Center Architecture](architecture.md)
 - [Export Center Profiles](profiles.md)
 - [Export Center CLI Guide](cli.md) *(companion document)*
- [Aggregation-Only Contract reference](../../ingestion/aggregation-only-contract.md)
+- [Aggregation-Only Contract reference](../../aoc/aggregation-only-contract.md)

 > **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.