AlexMercedCoder
diff --git a/‎docs/README.md‎
Lines changed: 53 additions & 33 deletions b/‎docs/README.md‎
Lines changed: 53 additions & 33 deletions
diff --git a/‎docs/api/api_overview.md‎
Lines changed: 52 additions & 92 deletions b/‎docs/api/api_overview.md‎
Lines changed: 52 additions & 92 deletions
diff --git a/‎docs/architecture/README.md‎
Lines changed: 20 additions & 7 deletions b/‎docs/architecture/README.md‎
Lines changed: 20 additions & 7 deletions
@@ -1,51 +1,71 @@
-# Pangolin Documentation Index
+# Pangolin Documentation
 
-Welcome to the comprehensive documentation for Pangolin. Use the index below to find guides for setup, core concepts, feature deep-dives, and tool references.
+Welcome to the comprehensive documentation for **Pangolin**, the cloud-native Apache Iceberg REST Catalog. Use the categories below to navigate the guides, feature deep-dives, and tool references.
+
+---
 
 ## 🏁 1. Getting Started
-*Everything you need to get up and running.*
+*Quickest path from zero to a running lakehouse.*
 
+- **[Onboarding Index](./getting-started/README.md)** - **Start Here!**
 - **[Installation Guide](./getting-started/getting_started.md)** - Run Pangolin in 5 minutes.
-- **[Authentication Modes](./authentication.md)** - Auth vs No-Auth and OAuth setup.
-- **[User Scopes](./getting-started/getting_started.md#user-scopes)** - Root, Tenant Admin, and Tenant User roles.
-- **[Environment Variables](./getting-started/env_vars.md)** - Complete reference for all settings.
-- **[Configuration](./getting-started/configuration.md)** - Server and storage configuration.
-- **[Client Configuration](./getting-started/client_configuration.md)** - Connecting PyIceberg, Spark, and Trino.
-- **[Deployment](./getting-started/deployment.md)** - Docker and production setup.
+- **[Evaluating Pangolin](./getting-started/evaluating-pangolin.md)** - Rapid local testing with `NO_AUTH` mode.
+- **[Deployment Guide](./getting-started/deployment.md)** - Local, Docker, and Production setup.
+- **[Environment Variables](./getting-started/env_vars.md)** - Complete system configuration reference.
+
+---
 
 ## 🏗️ 2. Core Infrastructure
-*Managing warehouses, catalogs, and metadata storage.*
+*Managing the foundations: storage and metadata.*
+
+- **[Infrastructure Features](./features/README.md)** - Index of all platform capabilities.
+- **[Warehouse Management](./warehouse/README.md)** - Configuring S3, Azure, and GCS storage.
+- **[Metadata Backends](./backend_storage/README.md)** - Memory, Postgres, MongoDB, and SQLite.
+- **[Asset Management](./features/asset_management.md)** - Tables, Views, and CRUD operations.
+- **[Federated Catalogs](./features/federated_catalogs.md)** - Proxying external REST catalogs.
+
+---
 
-- **[Warehouse Management](./warehouse/README.md)** - Configuring S3, Azure, and GCS.
-- **[Catalog Assets](./features/asset_management.md)** - Tables, Views, and Federated proxying.
-- **[Backend Metadata](./backend_storage/README.md)** - Postgres, MongoDB, and SQLite backends.
+## ⚖️ 3. Governance & Security
+*Multi-tenancy, RBAC, and auditing.*
 
-## 🧪 3. Data & Governance
-*Managing data lifecycle and security.*
+- **[Security Concepts](./features/security_vending.md)** - Identity and Credential Vending principles.
+- **[Credential Vending (IAM Roles)](./features/iam_roles.md)** - Scoped cloud access (STS, SAS, Downscoped).
+- **[Permission System](./permissions.md)** - Understanding RBAC and granular grants.
+- **[Service Users](./features/service_users.md)** - Programmatic access and API key management.
+- **[Audit Logging](./features/audit_logs.md)** - Global action tracking and compliance.
 
-- **[Git-like Branching](./features/branch_management.md)** - Branching, tagging, and forking logic.
-- **[Permission System](./permissions.md)** - RBAC, TBAC, and cascading grants.
-- **[Merge Operations](./features/merge_operations.md)** - Reconciliation and conflict handling.
-- **[Audit Logging](./features/audit_logs.md)** - Tracking actions via API, CLI, and UI.
-- **[Maintenance Utilities](./features/maintenance.md)** - Snapshots and orphan file management.
-- **[Business Metadata](./features/business_catalog.md)** - Tags, discovery, and search.
+---
+
+## 🧪 4. Data Life Cycle
+*Git-for-Data and maintenance workflows.*
 
-## 🛠️ 4. Tools & References
-*Direct guides for our interfaces and APIs.*
+- **[Branch Management](./features/branch_management.md)** - Working with isolated data environments.
+- **[Merge Operations](./features/merge_operations.md)** - The 3-way merge workflow.
+- **[Merge Conflicts](./features/merge_conflicts.md)** - Theory and resolution strategies.
+- **[Business Metadata & Discovery](./features/business_catalog.md)** - Search, tags, and access requests.
+- **[Maintenance Utilities](./features/maintenance.md)** - Snapshot expiration and compaction.
+
+---
 
-- **[CLI Reference](./cli/overview.md)** - Admin and User command guides.
-- **[API Reference](./api/api_overview.md)** - Iceberg REST and Management endpoints.
-- **[Management UI](./ui/overview.md)** - Visual guide to the administration portal.
-- **[Service Users](./service_users.md)** - Programmatic access and API keys.
+## 🛠️ 5. Interfaces & Integration
+*Connecting tools and using our management layers.*
+
+- **[Management UI](./ui/README.md)** - Visual guide to the administration portal.
+- **[PyIceberg Integration](./pyiceberg/README.md)** - Native Python client configuration.
+- **[CLI Reference](./cli/overview.md)** - Documentation for `pangolin-admin` and `pangolin-user`.
+- **[API Reference](./api/api_overview.md)** - Iceberg REST and Management API specs.
+
+---
 
-## 🏗️ 5. Architecture & Extending
-*Internal design for developers.*
+## 🏗️ 6. Architecture & Internals
+*Deep-dives for developers and contributors.*
 
-- **[System Architecture](./architecture/architecture.md)** - Design and components.
-- **[Data Models](./architecture/models.md)** - Core entity definitions.
-- **[Storage Abstractions](./architecture/catalog-store-trait.md)** - Implementation traits.
+- **[System Architecture](./architecture/architecture.md)** - Design and component interaction.
+- **[Data Models](./architecture/models.md)** - Understanding the internal schema.
+- **[CatalogStore Trait](./architecture/catalog-store-trait.md)** - Extending Pangolin storage.
 
 ---
 
 **Last Updated**: December 2025  
-**Version**: Alpha  
+**Project Status**: Alpha
@@ -1,119 +1,79 @@
-# API Overview
+# API Reference Overview
 
-Pangolin provides a rich set of APIs for catalog management, branching, merging, and authentication.
+Pangolin exposes a multi-tenant REST API split into three core functional areas: The Standard Iceberg REST API, the Pangolin Management API, and the Identity/Security API.
 
-## Authentication
+---
 
-| Endpoint | Method | Description |
-| :--- | :--- | :--- |
-| `/api/v1/users/login` | POST | Authenticate and receive a JWT token. |
-| `/api/v1/users/logout` | POST | Invalidate current session (optional). |
-| `/api/v1/users/me` | GET | Get current user information. |
-| `/api/v1/tokens` | POST | Generate a long-lived JWT token for a specific tenant/user. |
-
-## Iceberg REST API
-
-Pangolin implements the standard Apache Iceberg REST Catalog API.
+## 🔐 Authentication & Identity
+*Base Path: `/api/v1/`*
 
 | Endpoint | Method | Description |
 | :--- | :--- | :--- |
-| `/v1/config` | GET | Get Iceberg client configuration. |
-| `/v1/{tenant}/config` | GET | Get tenant-specific Iceberg client configuration. |
-| `/v1/{prefix}/namespaces` | GET/POST | List and create namespaces. |
-| `/v1/{prefix}/namespaces/{namespace}/tables` | GET/POST | List and create tables. |
-| `/v1/{prefix}/namespaces/{namespace}/tables/{table}` | GET/POST/DELETE | Manage table metadata and snapshots. |
+| `users/login` | POST | Authenticate and receive a JWT session. |
+| `tokens` | POST | Generate a long-lived JWT token for a specific user. |
+| `auth/revoke` | POST | Invalidate current user token. |
+| `service-users` | GET/POST | Manage programmatic API identities. |
+| `service-users/{id}/rotate` | POST | Rotate API key for a service user. |
 
-**Note**: Branching is supported via the `table@branch` syntax (e.g., `GET .../tables/my_table@dev`).
+---
 
-## Pangolin Extended APIs
+## 📋 Standard Iceberg API (REST Catalog)
+*Base Path: `/v1/`*
 
-### Branch Operations
+Pangolin is 100% compliant with the [Apache Iceberg REST Specification](https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml).
 
 | Endpoint | Method | Description |
 | :--- | :--- | :--- |
-| `/api/v1/branches` | GET/POST | List all branches or create a new branch. |
-| `/api/v1/branches/merge` | POST | Initiate a merge from a source branch to a target branch. |
-| `/api/v1/branches/{name}/commits` | GET | List commit history for a specific branch. |
-
-### Tag Management
-
-| Endpoint | Method | Description |
-| :--- | :--- | :--- |
-| `/api/v1/tags` | GET/POST | List all tags or create a new tag. |
-| `/api/v1/tags/{name}` | GET/DELETE | View or delete a specific tag. |
-
-### Merge Operations (Conflict Resolution)
-
-| Endpoint | Method | Description |
-| :--- | :--- | :--- |
-| `/api/v1/catalogs/{catalog}/merge-operations` | GET | List merge operations for a catalog. |
-| `/api/v1/merge-operations/{id}` | GET | Get merge operation details and status. |
-| `/api/v1/merge-operations/{id}/conflicts` | GET | List conflicts for a merge operation. |
-| `/api/v1/conflicts/{id}/resolve` | POST | Resolve a specific conflict with a strategy. |
-| `/api/v1/merge-operations/{id}/complete` | POST | Complete a merge after resolving all conflicts. |
-| `/api/v1/merge-operations/{id}/abort` | POST | Abort a pending merge operation. |
-
-### Management CRUD
-
-| Entity | Endpoints | Methods |
-| :--- | :--- | :--- |
-| **Tenants** | `/api/v1/tenants` | GET, POST, PUT, DELETE |
-| **Warehouses** | `/api/v1/warehouses` | GET, POST, PUT, DELETE |
-| **Catalogs** | `/api/v1/catalogs` | GET, POST, PUT, DELETE |
-| **Federated Catalogs** | `/api/v1/federated-catalogs` | GET, POST, DELETE, TEST |
-| **Users** | `/api/v1/users` | GET, POST, PUT, DELETE |
-| **Service Users**| `/api/v1/service-users` | GET, POST, PUT, DELETE, ROTATE |
-| **Roles** | `/api/v1/roles` | GET, POST, PUT, DELETE |
-| **Permissions** | `/api/v1/permissions` | GET, POST, DELETE |
+| `config` | GET | Get client configuration. |
+| `{prefix}/namespaces` | GET/POST | Manage catalog namespaces. |
+| `{prefix}/namespaces/{ns}/tables` | GET/POST | Manage tables (Standard Iceberg). |
+| `{prefix}/namespaces/{ns}/tables/{table}` | GET/POST | Table metadata and schema evolution. |
 
-### Token Management
+> [!TIP]
+> **Branching**: Use the `@` suffix in the table name (e.g., `my_table@dev`) to redirect Iceberg operations to a specific Pangolin branch.
 
-| Endpoint | Method | Description |
-| :--- | :--- | :--- |
-| `/api/v1/tokens` | POST | Generate a long-lived JWT token for scripts/automation. |
-| `/api/v1/auth/revoke` | POST | Revoke current user's token. |
-| `/api/v1/auth/revoke/{token_id}` | POST | Revoke a specific token (admin only). |
-| `/api/v1/auth/cleanup-tokens` | POST | Clean up expired tokens (admin only). |
-| `/api/v1/users/{user_id}/tokens` | GET | List all tokens for a specific user (admin only). |
-| `/api/v1/tokens/{token_id}` | DELETE | Delete a specific token by ID (admin only). |
+---
 
-### System Configuration
+## 🏗️ Management & Data Governance
+*Base Path: `/api/v1/`*
 
-| Endpoint | Method | Description |
+### 1. Multi-Tenancy (Root Only)
+| Endpoint | Method | Use Case |
 | :--- | :--- | :--- |
-| `/api/v1/config/settings` | GET | Get system configuration settings (admin only). |
-| `/api/v1/config/settings` | PUT | Update system configuration settings (admin only). |
-
-### Federated Catalog Operations
+| `tenants` | GET/POST/PUT | Onboard new organizations to the platform. |
+| `config/settings` | GET/PUT | Manage global platform defaults. |
 
-| Endpoint | Method | Description |
+### 2. Infrastructure & Data (Tenant Admin)
+| Endpoint | Method | Use Case |
 | :--- | :--- | :--- |
-| `/api/v1/federated-catalogs/{name}/sync` | POST | Trigger immediate metadata sync for federated catalog. |
-| `/api/v1/federated-catalogs/{name}/stats` | GET | Get sync statistics and status for federated catalog. |
+| `warehouses` | GET/POST/PUT | Configure cloud storage containers (S3/GCS/Azure). |
+| `catalogs` | GET/POST/PUT | Create local or federated Iceberg catalogs. |
+| `audit` | GET/POST | Query standard or count audit logs. |
+| `maintenance` | POST | Trigger snapshot expiration or orphan file removal. |
 
-### Data Explorer
-
-| Endpoint | Method | Description |
+### 3. Branching & Merging
+| Endpoint | Method | Use Case |
 | :--- | :--- | :--- |
-| `/api/v1/catalogs/{prefix}/namespaces/tree` | GET | Get hierarchical namespace tree structure for a catalog. |
+| `branches` | GET/POST | List or create feature/ingest branches. |
+| `branches/merge` | POST | Initiate a Git-like merge between two branches. |
+| `merge-operations` | GET | Track progress of active or past merges. |
+| `conflicts/{id}/resolve`| POST | Apply conflict resolution strategies (Source Wins/Target Wins). |
 
-### OAuth
+---
 
-| Endpoint | Method | Description |
-| :--- | :--- | :--- |
-| `/oauth/authorize/{provider}` | GET | Initiate OAuth flow (Google, GitHub, etc.). |
-| `/oauth/callback/{provider}` | GET | OAuth callback handler. |
+## 🧬 OAuth 2.0 Flow
+Pangolin supports Google, GitHub, and Microsoft OAuth.
 
-## Auditing
+- **Initiate**: `GET /oauth/authorize/{provider}`
+- **Callback**: `GET /oauth/callback/{provider}`
 
-| Endpoint | Method | Description |
-| :--- | :--- | :--- |
-| `/api/v1/audit-logs` | GET | Retrieve audit logs for the current tenant. |
+---
 
-## Other APIs
+## 🚀 Quick Integration
+To use the API, ensure you provide the `Authorization` header and the `X-Pangolin-Tenant` header (unless in `NO_AUTH` mode).
 
-- **Credential Vending**: `/api/v1/credentials` (GET)
-- **S3 Presigning**: `/api/v1/presign` (POST)
-- **Business Metadata**: `/api/v1/metadata/search` (POST)
-- **Access Requests**: `/api/v1/access-requests` (GET/POST)
-- **App Config**: `/api/v1/app-config` (GET)
+```bash
+curl -X GET http://localhost:8080/api/v1/catalogs \
+  -H "Authorization: Bearer <JWT_TOKEN>" \
+  -H "X-Pangolin-Tenant: <TENANT_UUID>"
+```
@@ -4,16 +4,29 @@
 
 Pangolin is a multi-tenant Apache Iceberg REST Catalog with advanced features including federated catalogs, credential vending, fine-grained permissions, and Git-like branching.
 
-## Architecture Documentation
+## Pangolin Architecture Documentation
 
-This directory contains comprehensive architecture documentation for the Pangolin project.
+This directory contains technical documentation for the Pangolin architecture, core data models, and primary abstraction layers.
 
-### Core Documentation
+## Documentation Index
 
-- **[System Architecture](./architecture.md)** - High-level system design and component overview
-- **[Data Models](./models.md)** - Complete catalog of all data models
-- **[CatalogStore Trait](./catalog-store-trait.md)** - Core storage abstraction interface
-- **[Signer Trait](./signer-trait.md)** - Credential vending and pre-signed URL generation
+### 1. [Architecture Overview](./architecture.md)
+High-level system design, core components, security logic, and request flow. Start here to understand how Pangolin works.
+
+### 2. [Data Models](./models.md)
+Detailed reference for all core structs and enums across the `model`, `user`, `permission`, `business_metadata`, and `audit` domains.
+
+### 3. [CatalogStore Trait](./catalog-store-trait.md)
+Reference for the primary storage abstraction layer, covering multi-tenant isolation and metadata lifecycle operations.
+
+### 4. [Signer Trait](./signer-trait.md)
+Documentation of the cloud credential vending logic, used to provide temporary access to S3, GCS, and Azure storage.
+
+## Target Audience
+This documentation is intended for:
+- **Core Contributors**: Developers extending the backend or adding new storage engines.
+- **Security Auditors**: Engineers reviewing tenant isolation and credential vending patterns.
+- **Enterprise Integrators**: Teams deploying Pangolin in custom cloud environments.
 
 ### Quick Links