docs improve

Author: Jeadie

website/docs/components/data-accelerators/cayenne/index.md

@@ -48,6 +48,7 @@ Use [S3 Express One Zone](#aws-s3-express-one-zone-storage) when persistence of
 
 ## Advanced Internals
 
+
 ### Sequence-based Upserts and Deletes
 Cayenne uses Iceberg-style sequence numbers to enable upsert and delete semantics. Each row is tagged with a sequence number, allowing efficient handling of row-level changes without rewriting entire files. Deletes are tracked as tombstones, and upserts are resolved at query time.
 

website/docs/reference/spicepod/runtime.md

@@ -215,6 +215,15 @@ The TLS section specifies the configuration for enabling Transport Layer Securit
 
 In addition to configuring TLS via the manifest, TLS can also be configured via `spiced` command line arguments using the `--tls-enabled true` flag along with `--tls-certificate`/`--tls-certificate-file` and `--tls-key`/`--tls-key-file`.
 
+### Certificate Hot-Reload
+
+Spice can hot-reload TLS certificates and client CA files for runtime endpoints. Update the certificate, key, or CA file on disk, then send `SIGHUP` to the Spice process to reload without restart. Only file-based certificates/keys/CA are hot-reloaded (not inline PEM). Existing connections are not interrupted; only new connections use the updated files. If reload fails, the previous certificate remains active and a warning is logged.
+
+**Steps:**
+1. Replace the certificate/key/CA file on disk.
+2. Send `SIGHUP` to the Spice process (e.g., `kill -SIGHUP <pid>`).
+3. Check logs for reload confirmation or errors.
+
 ### `runtime.tls.enabled`
 
 Enables or disables TLS for the runtime endpoints.
@@ -233,10 +242,9 @@ The TLS certificate to use for securing the runtime endpoints. The certificate c
 ```yaml
 runtime:
   tls:
-    ...
     certificate: |
       -----BEGIN CERTIFICATE-----
-      ...
+      (certificate contents)
       -----END CERTIFICATE-----
 ```
 
@@ -254,7 +262,6 @@ The path to the TLS PEM-encoded certificate file. Only one of `certificate` or `
 ```yaml
 runtime:
   tls:
-    ...
     certificate_file: /path/to/cert.pem
 ```
 
@@ -265,10 +272,9 @@ The TLS key to use for securing the runtime endpoints. The key can also come fro
 ```yaml
 runtime:
   tls:
-    ...
     key: |
       -----BEGIN PRIVATE KEY-----
-      ...
+      (private key contents)
       -----END PRIVATE KEY-----
 ```
 
@@ -286,7 +292,6 @@ The path to the TLS PEM-encoded key file. Only one of `key` or `key_file` must b
 ```yaml
 runtime:
   tls:
-    ...
     key_file: /path/to/key.pem
 ```
 
@@ -323,7 +328,6 @@ Path to a PEM-encoded CA bundle used to verify client certificates. The file is
 ```yaml
 runtime:
   tls:
-    ...
     client_auth_ca_file: /path/to/client-ca.pem
 ```
 
@@ -334,10 +338,9 @@ Inline PEM (or `${ secrets:... }`) form of the client CA bundle. Mutually exclus
 ```yaml
 runtime:
   tls:
-    ...
     client_auth_ca: |
       -----BEGIN CERTIFICATE-----
-      ...
+      (CA certificate contents)
       -----END CERTIFICATE-----
 ```
 

website/docs/reference/sql/dml.md

@@ -7,8 +7,8 @@ sidebar_position: 30
 
 Data Manipulation Language (DML) statements are used to insert, update, and delete data in tables. Spice supports DML operations on [write-capable data connectors](../../tags/write) configured with `access: read_write`.
 
-:::warning[Supported Operations]
-Spice supports `INSERT` for write-capable connectors and `MERGE INTO` for [Spice Cayenne](../../components/data-accelerators/cayenne) catalog tables. `UPDATE` and `DELETE` statements are not yet supported as standalone operations. For data modifications, use `MERGE INTO` or the source database directly.
+:::info[Supported Operations]
+Spice supports `INSERT`, `UPDATE`, and `DELETE` for write-capable connectors that support these operations. As of v2.0.0-rc.5, the [Snowflake](../../components/data-connectors/snowflake) connector supports all three DML operations when `access: read_write` is set. For Cayenne, use `MERGE INTO` for updates and deletes.
 :::
 
 :::info