fix(docs): correct Console API reference accuracy issues

[baktun14]

Summary

The Stripe-style Console API reference (#1226) was generated from Swagger with AI assistance and shipped a handful of hallucinated or incorrect claims that broke copy-paste-ability of the snippets. All eight fixes verified against the canonical zod schemas in console (apps/api + apps/provider-proxy) and the @akashnetwork/chain-sdk source.

Provider lease-ops (status / logs / kubeevents / shell)

• Drop the fake import { CertificateValidator } from "@akashnetwork/chain-sdk" from all 4 JS snippets. The package doesn't export that symbol, and even if it did, CertificateValidator.validate() is async — it can't run inside Node's synchronous checkServerIdentity callback (it would resolve to a Promise, which Node treats as truthy/non-error, silently bypassing validation). Replace with rejectUnauthorized: false and a comment pointing to the preface.
• Rewrite the TLS / cert pinning prose. The real pin: cert CN must be the provider's bech32 wallet address, and the chain's MsgCreateCertificate record for (address, serial number) must match the leaf cert fingerprint. The lookup is a chain query, so it has to happen async, after the TLS handshake. Link to the provider-proxy CertificateValidator for a reference implementation.

GET /lease/{dseq}/{gseq}/{oseq}/status response shape

• Rewrite responseFields and responseExample. The previous version put forwarded_ports and ips under each service, but the real response (verified against LeaseStatusResponseSchema + the lease-status.seeder.ts test fixture) has them as top-level keys map of service name → array. The phantom restart_count and total_replicas are removed; the actual fields (name, available, total, uris, observed_generation, replicas, updated_replicas, ready_replicas, available_replicas) are documented.

JWT endpoint

• POST /v1/create-jwt-token returns 201 Created, not 200 OK (jwt-token.router.ts:47).
• The JWT scope enumeration in both the JWT preface and the request-params description was missing hostname-migrate and ip-migrate. @akashnetwork/chain-sdk's AccessScope type lists 9 values; the docs listed 7. Verified pass-through: Console's ProviderJwtTokenService.generateJwtToken validates via jwtTokenManager.validatePayload, so any chain-sdk scope is accepted.

Audit summary

Every Console API endpoint's HTTP method, URL, request body, response body, response status, and request params was cross-checked against console2/apps/api/src/**/*.schema.ts and route handlers. The fixes above are the complete delta; all other endpoints' shapes match their zod schemas as-shipped.

Out of scope

• Snippet validation tooling — Serhii's idea of a tsc/eslint check on extracted snippets would catch this class of regression in CI. Tracking separately.
• Line 833's claim that self-custody users sign JWTs locally with @akashnetwork/chain-sdk — verified accurate (JwtTokenManager.generateToken exists and is used by console2/apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.ts).

Test plan

• npm run build passes (588 pages, 35.84s on local)
• Cross-reference: git grep "CertificateValidator\|chain-sdk" src/lib/docs/console-api-endpoints.ts returns only the intentional references (the link to provider-proxy CertificateValidator + the line-833 JwtTokenManager mention)
• Rendered HTML at /docs/api-documentation/console-api/api-reference no longer contains total_replicas, restart_count, or the broken CertificateValidator import inside any code block
• Rendered HTML contains MsgCreateCertificate (in prose), 201 Created (in JWT response pill), and hostname-migrate / ip-migrate (in both JWT scope lists)
• Manual visual review of /docs/api-documentation/console-api/api-reference in dev preview