docs(cloud): add PUBLIC_EVIDENCE_INDEX.md — closes #13

Single-entry-point document for CISO/auditor due diligence.
9 sections: supply chain, IAM, cryptography, data governance,
infrastructure hardening, observability, pentests, public artifacts,
NDA data room. Links all existing lumatrace-cloud governance docs.
Add link in TRUST_CENTER.md.

docs(cloud): document JPEG output contract for /protect — closes #14

openapi.yaml /api/v1/photos/protect: explicit note that output is
always image/jpeg regardless of input format. Prevents integration
friction for clients uploading PNG/WEBP assets.

Author: Cyrah2R

PUBLIC_EVIDENCE_INDEX.md

@@ -0,0 +1,149 @@
+# LumaTrace — Public Evidence Index
+
+**Version:** 1.0  
+**Classification:** Public  
+**Audience:** CISO, InfoSec Auditors, Procurement Teams, Legal Counsel  
+**Maintained by:** LumaTrace Security & Engineering Team  
+**Contact:** enterprise@lumatrace.es
+
+> This document is the single entry point for enterprise due diligence.
+> It enumerates all publicly available security controls, compliance artifacts,
+> and engineering evidence. Sensitive materials (full pentest reports, internal
+> control matrices, SBOM archives) are available under a signed NDA.
+
+---
+
+## 1. Supply Chain Security
+
+| Control                                | Evidence                                                | Status      |
+|:---------------------------------------|:--------------------------------------------------------|:------------|
+| Automated SAST (CodeQL)                | GitHub Actions CI — every commit                        | ✅ Active    |
+| Dependency vulnerability scan (Trivy)  | CI Pipeline — blocks on CRITICAL CVEs                   | ✅ Active    |
+| Software Bill of Materials (CycloneDX) | `bom.json` generated per release                        | ✅ Active    |
+| License compliance check               | No GPL/AGPL in proprietary modules                      | ✅ Verified  |
+| Container supply chain                 | c2patool binary hash validated at startup (`LT-SEC-05`) | ✅ Active    |
+| Secret scanning                        | Trivy filesystem scan — no hardcoded secrets            | ✅ Active    |
+
+---
+
+## 2. Identity, Authentication & Multi-Tenant Isolation
+
+| Control                             | Evidence                                                                          | Status   |
+|:------------------------------------|:----------------------------------------------------------------------------------|:---------|
+| Multi-tenant login isolation        | `tenantId + username` composite lookup — prevents cross-tenant identity collision | ✅ Active |
+| JWT Zero-Trust claims               | Strict `iss`, `aud`, `exp`, `nbf`, `jti` validation on every request              | ✅ Active |
+| Active session revocation           | Redis-backed JWT blocklist (`LT-SEC-02`)                                          | ✅ Active |
+| Tenant data isolation               | `findByIdAndTenantId` — DB-level scoping on all asset queries                     | ✅ Active |
+| RBAC enforcement                    | Spring `@EnableMethodSecurity` — `ROLE_USER / ROLE_AUDITOR / ROLE_ADMIN`          | ✅ Active |
+| Rate limiting (Fail-Closed)         | Redis distributed token-bucket — fails closed if Redis unavailable                | ✅ Active |
+| X-Forwarded-For spoofing protection | CIDR-trusted proxy whitelist in `LoginRateLimitFilter`                            | ✅ Active |
+
+Reference: [Architecture & Trust Boundaries](./ARCHITECTURE.md) · [SOC2 Control Mapping](./SOC2_MAPPING.md)
+
+---
+
+## 3. Cryptographic Integrity
+
+| Control                     | Evidence                                                                     | Status   |
+|:----------------------------|:-----------------------------------------------------------------------------|:---------|
+| Watermark seed derivation   | RFC 5869 strict HKDF (HmacSHA256) with tenant + user + asset + nonce + keyId | ✅ Active |
+| Key rotation support        | `keyId` parameter in HKDF info string — verifiable across key generations    | ✅ Active |
+| C2PA hard-binding           | JUMBF manifest signed with X.509 v3 PKI (RSA ps384)                          | ✅ Active |
+| Time-stamping authority     | DigiCert TSA over **HTTPS** — temporal non-repudiation                       | ✅ Active |
+| PKI fail-closed             | Self-signed certificates prohibited in `prod` profile                        | ✅ Active |
+| CSPRNG                      | AES-CTR deterministic PRNG (replaces `java.util.Random`)                     | ✅ Active |
+| Payload integrity           | SHA-256 content hash verified before processing                              | ✅ Active |
+| Certificate rotation policy | 90-day C2PA signing key rotation                                             | ✅ Active |
+
+Reference: [Security Whitepaper](./SECURITY_WHITEPAPER.md) · [Security Assurance](./ASSURANCE.md)
+
+---
+
+## 4. Data Governance & Zero-Retention
+
+| Control                     | Evidence                                                            | Status   |
+|:----------------------------|:--------------------------------------------------------------------|:---------|
+| Zero image retention        | Processing on ephemeral `tmpfs` RAM-disk (`LT-SEC-04`)              | ✅ Active |
+| No persistent binary assets | Only cryptographic metadata (hash, nonce, tenantId) persisted in DB | ✅ Active |
+| GDPR compliance             | Erasure-by-design architecture — no PII in image pipeline           | ✅ Active |
+| Data residency              | Processing buffers: Spain/EU                                        | ✅ Active |
+
+Reference: [Data Privacy Policy](./DATA_PRIVACY.md) · [Subprocessors](./SUBPROCESSORS.md)
+
+---
+
+## 5. Infrastructure Hardening
+
+| Control                        | Evidence                                                      | Status   |
+|:-------------------------------|:--------------------------------------------------------------|:---------|
+| Read-only container filesystem | `read_only: true` in docker-compose (`LT-SEC-05`)             | ✅ Active |
+| Capability dropping            | `cap_drop: ALL` + `no-new-privileges:true`                    | ✅ Active |
+| Non-root execution             | Dockerfile runs as user `luma`                                | ✅ Active |
+| PostgreSQL SSL                 | `sslmode=require` on JDBC connection                          | ✅ Active |
+| Redis AUTH                     | `requirepass` enforced — no unauthenticated connections       | ✅ Active |
+| Secret management              | `MASTER_KEY` + `JWT_SECRET` via Docker Secrets (not env vars) | ✅ Active |
+| CORS policy                    | Explicit origin whitelist — wildcard `*` rejected at startup  | ✅ Active |
+| TLS 1.3                        | Enforced at API Gateway / Load Balancer                       | ✅ Active |
+| Certificate pinning (mobile)   | `network_security_config.xml` — production domain pinned      | ✅ Active |
+
+Reference: [STRIDE Threat Model](./docs/THREAT_MODEL_STRIDE.md) · [Compliance Matrix](./docs/COMPLIANCE_MATRIX.md)
+
+---
+
+## 6. Observability & Resilience
+
+| Control             | Evidence                                                              | Status   |
+|:--------------------|:----------------------------------------------------------------------|:---------|
+| Distributed tracing | `x-request-id` + MDC `trace_id` / `tenant_id` on all responses        | ✅ Active |
+| SLA commitments     | 99.9% availability, P95 latency < 800ms (`/verify`)                   | ✅ Active |
+| Prometheus metrics  | `/actuator/prometheus` — protection latency, success/failure counters | ✅ Active |
+| Anti-DoS pre-flight | Pixel count (16MP) + payload size (25MB) checked before memory load   | ✅ Active |
+
+Reference: [SLA & Incident Response](./SLA_AND_INCIDENTS.md) · [Operations Runbook](./docs/OPERATIONS_RUNBOOK.md)
+
+---
+
+## 7. Penetration Testing & Audit
+
+| Engagement                            | Scope                                            | Result                                               | Availability                                                                                           |
+|:--------------------------------------|:-------------------------------------------------|:-----------------------------------------------------|:-------------------------------------------------------------------------------------------------------|
+| Grey-Box API Pentest (2026-01)        | Cloud API, Auth flows, Tenant Isolation          | 0 Critical · 0 High · Medium/Low resolved within SLA | Redacted summary: [PENTEST_SUMMARY_TEMPLATE.md](./PENTEST_SUMMARY_TEMPLATE.md) · Full report under NDA |
+| External Architecture Audit (2026-03) | All 4 repositories — server, core, mobile, cloud | All P0 blockers resolved (H-01, H-02, H-03, B1, B2)  | Available under NDA                                                                                    |
+
+---
+
+## 8. Publicly Available Artifacts
+
+All documents below are published at **[https://cyrah2r.github.io/lumatrace-cloud/](https://cyrah2r.github.io/lumatrace-cloud/)**
+
+| Document                                                                    | Purpose                                  |
+|:----------------------------------------------------------------------------|:-----------------------------------------|
+| [Trust Center](./TRUST_CENTER.md)                                           | Master index of all governance documents |
+| [Security Policy](./SECURITY.md)                                            | Vulnerability disclosure & SLAs          |
+| [Security Whitepaper](./SECURITY_WHITEPAPER.md)                             | Architecture & cryptographic controls    |
+| [SOC2 / ISO27001 Mapping](./SOC2_MAPPING.md)                                | Control-to-implementation matrix         |
+| [Data Privacy Policy](./DATA_PRIVACY.md)                                    | GDPR · Zero-Retention · Data residency   |
+| [SLA & Incident Response](./SLA_AND_INCIDENTS.md)                           | Uptime SLA · RTO/RPO · Severity matrix   |
+| [Evidence Pack Summary](./EVIDENCE_PACK_SUMMARY.md)                         | Pentest status · SBOM · Key management   |
+| [Pentest Summary (Redacted)](./PENTEST_SUMMARY_TEMPLATE.md)                 | Methodology · Findings summary           |
+| [OpenAPI Specification](./api/openapi.yaml)                                 | Full API contract v1.1.0                 |
+| [Postman Collection](./postman/LumaTrace_Cloud_API.postman_collection.json) | Enterprise integration test suite        |
+
+---
+
+## 9. NDA Data Room
+
+Available to qualified enterprise prospects under a signed Mutual NDA:
+
+- Full unredacted Penetration Test report with CVSS scores and remediation evidence
+- Complete SOC2 Type II audit report
+- ISO 27001 internal control matrix with implementation owners
+- SBOM archive (CycloneDX JSON) for all production releases
+- Full C2PA cryptographic profile and PKI hierarchy documentation
+- Internal STRIDE threat model with risk scoring
+
+**Request access:** enterprise@lumatrace.es
+
+---
+
+*© 2026 LumaTrace. This document may be shared with prospective enterprise customers for due diligence purposes.*

TRUST_CENTER.md

@@ -16,6 +16,7 @@ This section centralizes public governance and security documentation for procur
 - [Authorized Subprocessors & Data Residency](./SUBPROCESSORS.md)
 - [Pentest Executive Summary (Template)](./PENTEST_SUMMARY_TEMPLATE.md)
 - [Public Evidence Pack Summary](./EVIDENCE_PACK_SUMMARY.md)
+- [Public Evidence Index](./PUBLIC_EVIDENCE_INDEX.md)
 
 ---
 

api/openapi.yaml

@@ -20,7 +20,7 @@ info:
     **SLA Targets (Production):**
     - Availability: 99.9%
     - P95 latency: < 800ms (verification)
-  version: 1.1.0
+  version: 1.2.0
   contact:
     name: LumaTrace Enterprise Support
     email: enterprise@lumatrace.es
@@ -69,8 +69,12 @@ paths:
       operationId: loginTenant
       summary: Authenticate Service Account (M2M)
       description: |
-        Validates M2M credentials and returns a signed short-lived JWT. 
+        Validates M2M credentials and returns a signed short-lived JWT.
         This is a Machine-to-Machine flow; the returned token enforces tenant isolation and API quotas.
+
+        **Multi-tenant authentication:** the `tenantId` field is required to scope the
+        authentication to a specific organizational boundary. Two tenants may share the same
+        `username` — the system resolves the identity exclusively within the declared tenant.
       tags: ["Identity & Access"]
       security: []
       requestBody:
@@ -154,7 +158,23 @@ paths:
     post:
       operationId: protectAsset
       summary: Full C2PA & Watermark Protection
-      description: Injects spatial watermark signal and signs C2PA manifest. Enforces 25MB payload and 16MP resolution limits.
+      description: |
+        Injects a spatial spread-spectrum watermark and signs a C2PA JUMBF manifest
+        into the submitted image asset.
+
+        **Output format:** This endpoint **always returns `image/jpeg`** regardless
+        of the input format (JPEG, PNG, or WEBP). The protected asset undergoes an
+        RGB conversion and JPEG re-encoding at quality 0.95 as part of the watermark
+        injection pipeline. Clients must not assume the output format matches the
+        input format.
+
+        **Operational limits:**
+        - Maximum payload: 25 MB
+        - Maximum resolution: 16 Megapixels (e.g. 4000×4000 px)
+        - Supported input formats: `image/jpeg`, `image/png`, `image/webp`
+
+        **Idempotency:** supported via `Idempotency-Key` header. Duplicate requests
+        with the same key within the processing window return the original response.
       tags: ["Provenance"]
       parameters:
         - $ref: '#/components/parameters/IdempotencyKey'
@@ -175,7 +195,9 @@ paths:
                   description: "Stringified JSON payload matching the PhotoRegistrationRequest schema."
       responses:
         '200':
-          description: Protected binary asset.
+          description: |
+            Protected binary asset. **Always returned as `image/jpeg`** regardless
+            of the original input format.
           headers:
             x-request-id:
               $ref: '#/components/headers/x-request-id'
@@ -357,7 +379,7 @@ components:
 
     LoginRequest:
       type: object
-      required: [ tenantId, username, password ]
+      required: [tenantId, username, password]
       properties:
         tenantId:
           type: string
@@ -416,7 +438,7 @@ components:
           example: "550e8400-e29b-41d4-a716-446655440000"
         tenantId:
           type: string
-          description: Contextual Tenant ID derived from the session (For debug/correlation).
+          description: Contextual Tenant ID derived from the session (for debug/correlation).
           example: "tenant_alpha_01"
         signature:
           type: string