docs: publish Track F sprint2 portal and transport ops guidance

README.md

@@ -18,6 +18,15 @@ Canonical positioning for all materials:
 - AXME App docs:
   - reserved section for consumer product docs as they are published
 
+## Product Doc Lanes
+
+- AXME Cloud (product docs in this repo):
+  - enterprise runtime, API families, deployment/operations, and integration guides under `docs/`
+- AXP Protocol (spec and semantics):
+  - canonical protocol contracts live in `axp-spec` and conformance in `axp-conformance`
+- AXME App (consumer surface):
+  - consumer-facing documentation lane reserved and expanded as public app docs are published
+
 ## Status
 
 Track B extraction in progress.
@@ -47,6 +56,7 @@ Canonical OpenAPI specifications live under `docs/openapi/`:
   - `docs/external-integrator-dry-run.md`
   - `docs/enterprise-scoped-credentials-migration-note.md`
   - `docs/enterprise-runtime-model-and-placement.md`
+  - `docs/enterprise-routing-transport-operations.md`
   - `docs/migration-and-deprecation-policy.md`
   - `docs/supported-limits-and-error-model.md`
   - `docs/MVP_SCOPE.md`

docs/enterprise-routing-transport-operations.md

@@ -0,0 +1,45 @@
+# Enterprise Routing and Transport Operations
+
+This document captures Track F architecture alignment for naming/routing foundation (`F9`) and transport/operations readiness (`F10`, `F11`).
+
+## Canonical Model
+
+Four layers are treated independently:
+
+1. `principal_id` (immutable subject)
+2. alias (`max@ax`, `agent://<tenant>/<service>`)
+3. transport projection (Matrix now, optional HTTP/Queue later)
+4. endpoint routing metadata (route id, auth posture, placement, health)
+
+## Runtime Baseline in Gateway
+
+- Tenant placement metadata is resolved per request (`deployment_mode`, `cluster_id`, `region`).
+- Intent submission writes routing metadata into lifecycle events and usage ledger.
+- Usage events include transport and route attributes for later analytics and policy.
+- Enterprise quota enforcement is performed before expensive write paths.
+
+## Portal and Governance Surfaces
+
+- Enterprise governance APIs (`organizations`, `workspaces`, `members`, `access_requests`, `quotas`, `usage`, `service_accounts`) are exposed on `/v1/*`.
+- Portal backend-for-frontend endpoints:
+  - `GET /v1/portal/enterprise/overview`
+  - `GET /v1/portal/enterprise/access-requests`
+
+## Transport Expansion Policy
+
+- Matrix remains default managed transport.
+- HTTP/Queue adapters remain optional and policy-gated.
+- MCP is treated as integration protocol layer, not a routing-core transport identity.
+
+## Observability and Replay Readiness
+
+- Route and region metadata is persisted in `usage_ledger`.
+- Daily rollups are available through `POST /v1/usage/rollups/daily`.
+- Audit trail for enterprise admin actions is available via enterprise admin audit events.
+
+## Operator Checklist
+
+- Verify auth scope checks on all enterprise/portal endpoints.
+- Validate quota policy behavior with hard block mode.
+- Validate usage summary/timeseries consistency before billing/reporting workflows.
+- Keep rollback-ready domain and WAF configs aligned with infra runbooks.

docs/public-api-families-d6-enterprise-governance.md

@@ -1,4 +1,4 @@
-# Public API Families D6: Enterprise Governance (Sprint 1)
+# Public API Families D6: Enterprise Governance (Sprint 1 + Sprint 2)
 
 This guide publishes Sprint 1 Track F contract docs for:
 
@@ -9,6 +9,10 @@ This guide publishes Sprint 1 Track F contract docs for:
 - `quotas.*`
 - `usage.summary.get`
 - `usage.timeseries.get`
+- `usage.rollups.daily`
+- `service_accounts.*`
+- `service_accounts.keys.*`
+- `portal.enterprise.*` (BFF overview + request queue)
 
 Use this guide with:
 
@@ -49,6 +53,16 @@ Published operation groups:
   - `PATCH /v1/quotas`
   - `GET /v1/usage/summary`
   - `GET /v1/usage/timeseries`
+  - `POST /v1/usage/rollups/daily`
+- service accounts:
+  - `POST /v1/service-accounts`
+  - `GET /v1/service-accounts`
+  - `GET /v1/service-accounts/{service_account_id}`
+  - `POST /v1/service-accounts/{service_account_id}/keys`
+  - `POST /v1/service-accounts/{service_account_id}/keys/{key_id}/revoke`
+- portal backend-for-frontend:
+  - `GET /v1/portal/enterprise/overview`
+  - `GET /v1/portal/enterprise/access-requests`
 
 ## 2) Canonical Schema Contracts
 
@@ -84,6 +98,13 @@ Quotas and usage:
 - `axp-spec/schemas/public_api/api.quotas.update.response.v1.json`
 - `axp-spec/schemas/public_api/api.usage.summary.get.response.v1.json`
 - `axp-spec/schemas/public_api/api.usage.timeseries.get.response.v1.json`
+- `axp-spec/schemas/public_api/api.service_accounts.create.request.v1.json`
+- `axp-spec/schemas/public_api/api.service_accounts.create.response.v1.json`
+- `axp-spec/schemas/public_api/api.service_accounts.list.response.v1.json`
+- `axp-spec/schemas/public_api/api.service_accounts.get.response.v1.json`
+- `axp-spec/schemas/public_api/api.service_accounts.keys.create.request.v1.json`
+- `axp-spec/schemas/public_api/api.service_accounts.keys.create.response.v1.json`
+- `axp-spec/schemas/public_api/api.service_accounts.keys.revoke.response.v1.json`
 
 ## 3) Permission and Scope Matrix (Sprint 1)
 
@@ -113,6 +134,9 @@ Permission matrix:
 | quotas.update | allow | allow | deny | deny | deny | deny |
 | quotas.get | allow | allow | allow | deny | allow | allow |
 | usage.summary.get and usage.timeseries.get | allow | allow | allow | deny | allow | allow |
+| usage.rollups.daily | allow | allow | allow | deny | deny | deny |
+| service_accounts.create/get/list and service_accounts.keys.* | allow | allow | allow | deny | read-only list/get | read-only list/get |
+| portal.enterprise.overview and portal.enterprise.access_requests | allow | allow | allow | deny | allow | allow |
 
 Notes: