From dacebaeeb3309dd880187606e2fe1857f3da2257 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 4 Jun 2026 13:24:46 +0000
Subject: [PATCH 1/2] Initial plan


From 53202dac986540a39a7ed494fbc3b6859ae8a396 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 4 Jun 2026 13:28:45 +0000
Subject: [PATCH 2/2] docs: clarify SCRAPI v09 API-review behavior

---
 docs/scitt.md | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/docs/scitt.md b/docs/scitt.md
index 7aa89073..700fdaf4 100644
--- a/docs/scitt.md
+++ b/docs/scitt.md
@@ -25,3 +25,44 @@ scitt-ccf-ledger returns COSE Receipts, either standalone or embedded in Transpa
 ## API
 
 scitt-ccf-ledger implements the [SCITT Reference API (SCRAPI) Draft 09](https://datatracker.ietf.org/doc/draft-ietf-scitt-scrapi/09/).
+
+### API review clarifications (SCRAPI draft 09)
+
+The SCRAPI draft-09 alignment is enabled when clients use `api-version=2026-03-26`.
+Without this api-version (or with unknown versions), legacy behavior is preserved for backward compatibility.
+
+#### Key discovery
+
+- Standard SCRAPI draft-09 endpoints:
+  - `GET /.well-known/scitt-keys`
+  - `GET /.well-known/scitt-keys/{kid_value}`
+- Legacy endpoints (`/jwks` and `/.well-known/transparency-configuration`) are still available for existing clients.
+
+#### Registration and polling
+
+- For `api-version=2026-03-26`:
+  - `POST /entries` async flow returns `303 See Other` with `Location: /entries/{txid}`.
+  - `GET /entries/{txid}` returns `302 Found` while pending, then `200` with the receipt.
+  - `POST /entries?waitForCommit=true` returns `201 Created` with the receipt.
+- For legacy clients:
+  - `POST /entries` returns `202 Accepted` with `Location: /operations/{txid}`.
+  - `GET /operations/{txid}` remains the legacy polling endpoint.
+
+#### Content types
+
+- SCRAPI draft-09 flows use:
+  - `application/scitt-receipt+cose` for receipts.
+  - `application/scitt-statement+cose` for transparent statements.
+- Legacy flows continue to use `application/cose`.
+
+#### Implementation-specific extensions
+
+The following endpoints are kept as implementation-specific extensions and are not part of the SCRAPI draft-09 mandatory surface:
+
+- `/configuration`
+- `/version`
+- `/jwks`
+- `/.well-known/transparency-configuration`
+- `/operations/{txid}`
+- `/entries/{txid}/statement`
+- `/entries/txIds`