docs: add deployment and api cookbook

Author: haasonsaas

README.md

@@ -222,9 +222,11 @@ The same process works against forks or sandboxes—helpful when validating new
 ## Additional Documentation
 
 - [CI Integration Guide](docs/ci-integration.md) – Configure GitHub Actions, upload SARIF, archive decision bundles, and adapt the workflow to other CI systems.
+- [API Cookbook](docs/api-cookbook.md) – Use curl/Python snippets to ingest analyses, poll decisions, and pull evidence or analytics.
 - [Governance & Risk Model](docs/governance-and-risk-model.md) – Understand decision flow, thresholds, and tuning guidance.
 - [Configuration Reference](docs/configuration.md) – Environment variables grouped by subsystem with defaults and usage tips.
 - [Detector Authoring Guide](docs/detector-authoring.md) – Build custom detectors, register modules, and manage rule packs.
+- [Deployment & Operations Guide](docs/deployment-guide.md) – Deploy with Docker/Kubernetes, scale detectors, and instrument observability.
 - [SARIF Reporting](docs/sarif-reporting.md) – Understand the SARIF 2.1.0 output, severity mapping, and customization hooks.
 - [DSSE Decision Bundles](docs/dsse-decision-bundles.md) – Inspect the envelope schema, verify signatures, and integrate with transparency logs.
 

docs/README.md

@@ -3,8 +3,10 @@
 This directory contains task-focused guides that go deeper than the root `README.md`.
 
 - [CI Integration Guide](ci-integration.md) — Automate Provenance evaluations in GitHub Actions and other CI pipelines, upload SARIF findings, and archive DSSE bundles.
+- [API Cookbook](api-cookbook.md) — Practical curl and Python examples for submitting analyses, polling decisions, and retrieving evidence.
 - [Governance & Risk Model](governance-and-risk-model.md) — Learn how policy decisions are made and how to tune thresholds.
 - [Configuration Reference](configuration.md) — Environment variables grouped by subsystem with defaults and usage tips.
 - [Detector Authoring Guide](detector-authoring.md) — Extend Provenance with custom detectors and rule packs.
+- [Deployment & Operations Guide](deployment-guide.md) — Deploy the API with Docker or Kubernetes and operate it in production.
 - [SARIF Reporting](sarif-reporting.md) — Understand the SARIF 2.1.0 output and tailor it for downstream scanners.
 - [DSSE Decision Bundles](dsse-decision-bundles.md) — Inspect the DSSE envelope, verify signatures, and extend transparency workflows.

docs/api-cookbook.md

@@ -0,0 +1,197 @@
+# API Cookbook
+
+This cookbook provides practical examples for interacting with the Provenance API—submitting analyses, polling decisions, retrieving evidence, and querying analytics.
+
+## Authentication
+
+All examples assume bearer token authentication:
+
+```bash
+export PROVENANCE_API_URL="https://provenance.example.com"
+export PROVENANCE_API_TOKEN="your-api-token"
+```
+
+Headers:
+
+```bash
+-H "Authorization: Bearer ${PROVENANCE_API_TOKEN}"
+```
+
+## Submit an Analysis
+
+### cURL
+
+```bash
+cat <<'JSON' > payload.json
+{
+  "repo": "acme/shop",
+  "pr_number": "77",
+  "base_sha": "abc123",
+  "head_sha": "def456",
+  "branch": "feature/harden",
+  "provenance_data": {
+    "metadata": {
+      "attestation_url": "https://evidence.example.com/claims/123"
+    },
+    "changed_lines": [
+      {
+        "file_path": "services/orders.py",
+        "line_number": 10,
+        "change_type": "added",
+        "language": "python",
+        "content": "result = eval(user_input)",
+        "attribution": {
+          "agent_id": "github-copilot",
+          "agent_session_id": "sess-1"
+        }
+      }
+    ]
+  }
+}
+JSON
+
+curl -sSf \
+  -H "Authorization: Bearer ${PROVENANCE_API_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d @payload.json \
+  "${PROVENANCE_API_URL}/v1/analysis"
+```
+
+Response:
+
+```json
+{
+  "analysis_id": "an_b83b21d984f34c8f9abc0f2c82d4b79d",
+  "status": "pending",
+  "status_url": "https://provenance.example.com/v1/analysis/an_b83b21d984f34c8f9abc0f2c82d4b79d"
+}
+```
+
+### Python (httpx)
+
+```python
+import httpx
+
+client = httpx.Client(base_url="https://provenance.example.com", headers={
+    "Authorization": f"Bearer {TOKEN}",
+})
+
+resp = client.post(
+    "/v1/analysis",
+    json={...}  # same payload as above
+)
+resp.raise_for_status()
+analysis_id = resp.json()["analysis_id"]
+```
+
+## Poll Analysis Status
+
+```bash
+ANALYSIS_ID="an_b83b21d984f34c8f9abc0f2c82d4b79d"
+
+curl -sSf \
+  -H "Authorization: Bearer ${PROVENANCE_API_TOKEN}" \
+  "${PROVENANCE_API_URL}/v1/analysis/${ANALYSIS_ID}"
+```
+
+Key fields:
+
+- `status`: `pending`, `running`, `completed`, or `failed`.
+- `findings_total`: Number of findings recorded.
+- `risk_summary`: Aggregated findings and coverage.
+- `decision`: Serialized policy decision (`outcome`, `rationale`, etc.).
+
+## Fetch Governance Decision Evidence
+
+```bash
+curl -sSf \
+  -H "Authorization: Bearer ${PROVENANCE_API_TOKEN}" \
+  "${PROVENANCE_API_URL}/v1/analysis/${ANALYSIS_ID}/decision"
+```
+
+Use this if you need a pure decision payload (without the surrounding status data).
+
+## Download DSSE Decision Bundle
+
+```bash
+curl -sSf \
+  -H "Authorization: Bearer ${PROVENANCE_API_TOKEN}" \
+  "${PROVENANCE_API_URL}/v1/analysis/${ANALYSIS_ID}/bundle" \
+  -o decision-bundle.json
+```
+
+Verify the signature with the public key (see [DSSE Decision Bundles](dsse-decision-bundles.md)).
+
+## Retrieve SARIF Report
+
+```bash
+curl -sSf \
+  -H "Authorization: Bearer ${PROVENANCE_API_TOKEN}" \
+  "${PROVENANCE_API_URL}/v1/analysis/${ANALYSIS_ID}/sarif" \
+  -o provenance.sarif
+```
+
+Upload the SARIF to GitHub or other scanners using the workflow in the [CI Integration Guide](ci-integration.md).
+
+## Query Analytics Summary
+
+```bash
+curl -sSf \
+  -H "Authorization: Bearer ${PROVENANCE_API_TOKEN}" \
+  "${PROVENANCE_API_URL}/v1/analytics/summary?metric=code_volume&time_window=7d"
+```
+
+Response snippet:
+
+```json
+{
+  "result": {
+    "metric": "code_volume",
+    "data": [
+      {"agent_id": "github-copilot", "value": 12.0},
+      {"agent_id": "claude-3-opus", "value": 4.0}
+    ]
+  }
+}
+```
+
+## Python Client Snippets
+
+Use the bundled client (`clients/python`):
+
+```python
+from clients.python import ProvenanceClient
+
+client = ProvenanceClient(
+    base_url="https://provenance.example.com",
+    api_token=TOKEN,
+)
+
+analysis = client.submit_analysis(payload)
+decision = client.wait_for_decision(analysis.analysis_id, timeout_s=300)
+bundle = client.get_decision_bundle(analysis.analysis_id)
+sarif = client.get_sarif(analysis.analysis_id)
+```
+
+## Error Handling Tips
+
+- **401 Unauthorized** – Check token validity and that the header is passed correctly.
+- **404 Not Found** – Analysis ID is unknown or still processing (bundle/SARIF endpoints return 404 until `completed`).
+- **429 Too Many Requests** – Implement exponential backoff when polling status.
+- **5xx Errors** – Inspect server logs; detectors may have crashed or external services (Redis, ClickHouse) might be unavailable.
+
+## Sample Script
+
+`clients/github-action/run.py` contains a ready-made CLI for CI. You can run it locally:
+
+```bash
+uv run -- python clients/github-action/run.py \
+  --api-url "${PROVENANCE_API_URL}" \
+  --api-token "${PROVENANCE_API_TOKEN}" \
+  --repo "acme/shop" \
+  --pr "77" \
+  --head-sha "$(git rev-parse HEAD)" \
+  --base-sha "$(git merge-base HEAD origin/main)"
+```
+
+This script drives the same endpoints showcased above and serves as a reference for bespoke integrations.

docs/deployment-guide.md

@@ -0,0 +1,151 @@
+# Deployment & Operations Guide
+
+This guide outlines supported deployment patterns for Provenance, from local Docker runs to production-ready Kubernetes clusters, and highlights operational concerns such as scaling detectors, managing secrets, and monitoring.
+
+## Architecture Overview
+
+Core services:
+
+- **API** – FastAPI application (ASGI) served by `uvicorn`.
+- **Redis** – Primary datastore for analyses, findings, and decisions.
+- **Optional analytics sinks** – ClickHouse, Snowflake, BigQuery, or file-based JSONL exports.
+- **Optional observability** – Prometheus/OTLP exporters for metrics.
+
+Background work (detector execution, governance, analytics) happens inline today; no external workers are required.
+
+## Local & Docker Compose
+
+Use Docker when validating changes locally or running against mocked dependencies:
+
+```bash
+docker compose up --build
+```
+
+The compose stack includes:
+
+- API container (`provenance-api`) exposing `8000`.
+- Redis (`redis:7-alpine`) with a persistent volume.
+- Optional ClickHouse (if you enable `docker-compose.clickhouse.yml`).
+
+Override environment variables in `.env` or `docker-compose.override.yml`. See the [Configuration Reference](configuration.md) for available settings.
+
+## Container Image
+
+Build a production image with:
+
+```bash
+docker build -t your-registry/provenance:<tag> .
+```
+
+Key build arguments:
+
+- `UV_LOCKFILE=uv.lock` – Install pinned dependencies.
+- `TARGET_ENV=production` – (Optional) adjust if you customize the Dockerfile stages.
+
+Run the container:
+
+```bash
+docker run --rm \
+  -p 8000:8000 \
+  -e PROVENANCE_REDIS_URL=redis://host.docker.internal:6379/0 \
+  your-registry/provenance:<tag>
+```
+
+## Kubernetes (Helm/Manifests)
+
+There is no bundled Helm chart yet, but a basic deployment involves:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: provenance-api
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: provenance-api
+  template:
+    metadata:
+      labels:
+        app: provenance-api
+    spec:
+      containers:
+        - name: api
+          image: your-registry/provenance:<tag>
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8000
+          envFrom:
+            - configMapRef:
+                name: provenance-config
+            - secretRef:
+                name: provenance-secrets
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 30
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512Mi
+            limits:
+              cpu: 1
+              memory: 1Gi
+```
+
+- Provide Redis as a managed service (e.g., AWS Elasticache) and set `PROVENANCE_REDIS_URL` accordingly.
+- Mount ConfigMaps/Secrets for policy thresholds, API tokens, signing keys, and GitHub credentials.
+- Use a HorizontalPodAutoscaler to scale API pods based on CPU or custom metrics.
+
+### Ingress & TLS
+
+- Expose the API via an ingress controller (NGINX, Traefik, ALB).
+- Terminate TLS at the ingress or use a service mesh (Linkerd, Istio). Ensure `PROVENANCE_SERVICE_BASE_URL` matches the external HTTPS endpoint.
+
+## Scaling Considerations
+
+- **Detector Throughput** – Detector execution happens synchronously per request. Increase pod count to parallelize analyses, or shard workflows by repo/team. Monitoring request latency via Prometheus helps identify bottlenecks.
+- **Redis Capacity** – Tune persistence and memory policy. For large analyses, configure snapshotting and `maxmemory-policy` (e.g., `volatile-lru`) to avoid eviction of hot keys.
+- **Background Tasks** – FastAPI `BackgroundTasks` are used for asynchronous operations (analytics writes). Ensure pods have enough CPU headroom to handle background work without delaying responses.
+- **Analytics Warehouse** – When using ClickHouse/Snowflake/BigQuery, provision connectivity (service accounts, network policies) and monitor ingest failure logs.
+
+## Observability
+
+- Enable Prometheus exporter by installing the `opentelemetry-exporter-prometheus` package and setting `PROVENANCE_OTEL_ENABLED=true`, `PROVENANCE_OTEL_EXPORTER=prometheus`.
+- Scrape `/metrics` and create alerts on:
+  - Request latency (P95 > SLO).
+  - Detector capability mismatches.
+  - Decision outcome imbalance (e.g., spike in `block`).
+- For OTLP, configure `PROVENANCE_OTEL_ENDPOINT` and deploy a collector.
+
+## Secrets Management
+
+- Store API tokens, signing keys, and GitHub credentials in Kubernetes Secrets, HashiCorp Vault, AWS Secrets Manager, etc.
+- Encode Ed25519 signing keys in base64 before storing (matches app expectations).
+- Rotate secrets regularly and redeploy pods to refresh environment variables.
+
+## Disaster Recovery
+
+- Redis is the system of record for analyses. Enable AOF/RDB snapshots and backup to durable storage.
+- Export DSSE decision bundles to long-term storage (S3, GCS) via CI to preserve audit trails.
+- For analytics warehouses, rely on built-in backups; events can always be regenerated by replaying DSSE bundles and analysis inputs if needed.
+
+## Deployment Checklist
+
+1. Configure `PROVENANCE_*` variables (see [Configuration Reference](configuration.md)).
+2. Provision Redis with sufficient memory and persistence.
+3. Deploy API (Docker/K8s) with health checks and readiness probes.
+4. Configure ingress/TLS and update `PROVENANCE_SERVICE_BASE_URL`.
+5. Wire CI to submit analyses (see [CI Integration Guide](ci-integration.md)).
+6. Enable observability exporters and set up dashboards/alerts.
+7. Archive DSSE bundles and SARIF outputs for compliance/audits.