git.stella-ops.org/docs/specs/symbols/api.md
StellaOps Bot d63af51f84
up
2025-11-26 20:23:28 +02:00

# Symbol Server API

> **Imposed rule:** All API responses must include tenant scoping and content digests; cross-tenant symbol access is forbidden.

Base path: `/api/v1/symbols` (service: Symbol Server / Export Center plugin).

## Endpoints

- `GET /manifest`: returns `SYMBOL_MANIFEST/v1` for the tenant.
  - Headers: `X-Stella-Tenant` (required)
  - Query: `image_digest` (optional filter), `build_id` (exact match)
- `GET /files/{path}`: streams a symbol file by its relative path in the manifest.
  - Headers: `X-Stella-Tenant`
  - Responds with `Content-SHA256` header and ETag; 404 if tenant mismatch.
- `POST /ingest`: uploads a symbol bundle (tar or OCI artifact) and manifest.
  - Headers: `X-Stella-Tenant`, `X-Stella-Attestation` (optional DSSE digest)
  - Validates manifest checksum, entry digests, and tenant.
- `GET /health`: readiness/liveness.

## Error model

- Problem+JSON; include `tenant`, `correlation_id`, and `policy` fields when access is denied.
- Rate limits: `429` with `Retry-After`; deterministic budget per tenant.

## Security

- Auth via Authority-issued JWT; enforce `symbols:read`/`symbols:write` scopes.
- Tenant check on every request; manifest tenant must equal header.
- Optional DSSE attestation digest header is recorded and surfaced in `/manifest` under `source.attestation`.
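
An added example (not StellaOps code) of the `POST /ingest` checks listed above: the manifest tenant must equal the `X-Stella-Tenant` header, and every entry digest must match the uploaded bytes. The manifest field names (`tenant`, `entries`, `path`, `sha256`) and the function names are assumptions, since this page does not give the `SYMBOL_MANIFEST/v1` schema; the manifest checksum is left out for the same reason.

```python
import hashlib


class IngestRejected(Exception):
    """An upload failed a check; a server would map this to a Problem+JSON error."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_ingest(header_tenant, manifest, files):
    """Return the verified paths, or raise IngestRejected on the first failure.

    Assumed (hypothetical) manifest shape:
      {"tenant": str, "entries": [{"path": str, "sha256": hex-string}]}
    `files` maps relative path -> bytes extracted from the uploaded bundle.
    """
    # Tenant check: fail closed if the header is empty or differs from the manifest.
    if not header_tenant or manifest.get("tenant") != header_tenant:
        raise IngestRejected("tenant mismatch")
    entries = manifest.get("entries") or []
    declared = [e.get("path") for e in entries]
    if len(set(declared)) != len(declared):
        raise IngestRejected("duplicate path in manifest")
    # The bundle must hold exactly the declared files: nothing missing, nothing extra.
    if set(declared) != set(files):
        raise IngestRejected("bundle and manifest file sets differ")
    for e in entries:
        expected = str(e.get("sha256", "")).lower()
        if sha256_hex(files[e["path"]]) != expected:
            raise IngestRejected("digest mismatch: " + e["path"])
    return sorted(declared)


def rejection_reason(header_tenant, manifest, files):
    """Return None when the upload is accepted, else the rejection reason."""
    try:
        validate_ingest(header_tenant, manifest, files)
        return None
    except IngestRejected as exc:
        return str(exc)


# Constructed sample input (not real StellaOps data).
SAMPLE_FILES = {"debug/libexample.so.debug": b"constructed symbol bytes"}
SAMPLE_MANIFEST = {"tenant": "tenant-a", "entries": [
    {"path": p, "sha256": sha256_hex(b)} for p, b in SAMPLE_FILES.items()]}
```
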

## Caching & offline

- Console/CLI cache manifest + files in CAS; revalidate via `If-None-Match` on `GET /manifest`.
- Offline kits mount symbol bundle read-only; API client can be pointed at `file://` CAS handler for air-gapped use.

## Observability

- Emit counters per tenant: `symbol_manifest_requests`, `symbol_file_bytes_served`, `symbol_ingest_failures`.
- Logs include `build_id`, `image_digest`, `tenant`, `attested` flag.