{
  "openapi": "3.0.3",
  "info": {
    "title": "FortisEU API",
    "version": "1.0.0",
    "description": "FortisEU REST API for compliance management, asset inventory, vulnerability management, vendor TPRM, evidence, access reviews, offboarding, questionnaires, and webhook integrations.",
    "contact": {
      "name": "FortisEU Engineering",
      "url": "https://fortis.eu",
      "email": "api@fortis.eu"
    },
    "license": {
      "name": "Proprietary"
    }
  },
  "servers": [
    {
      "url": "https://app.fortis.eu",
      "description": "Production"
    },
    {
      "url": "https://staging.fortis.eu",
      "description": "Staging"
    }
  ],
  "security": [
    {
      "BearerAuth": []
    }
  ],
  "tags": [
    {
      "name": "Root",
      "description": "API metadata and discovery"
    },
    {
      "name": "Assets",
      "description": "Asset inventory and CTEM graph"
    },
    {
      "name": "Asset Relationships",
      "description": "Asset-to-asset dependency graph and blast radius"
    },
    {
      "name": "Compliance",
      "description": "Frameworks, controls, and compliance status"
    },
    {
      "name": "Vendors",
      "description": "Third-party risk management (TPRM)"
    },
    {
      "name": "Vendor Controls",
      "description": "Vendor-control linkage and coverage"
    },
    {
      "name": "Vulnerabilities",
      "description": "Vulnerability findings and CTEM exposure analysis"
    },
    {
      "name": "API Keys",
      "description": "API key lifecycle management"
    },
    {
      "name": "Webhooks",
      "description": "Webhook endpoint management and delivery logs"
    },
    {
      "name": "Evidence",
      "description": "Automated evidence from integrations"
    },
    {
      "name": "Audit",
      "description": "Audit evidence trail"
    },
    {
      "name": "Access Reviews",
      "description": "Access review campaigns"
    },
    {
      "name": "Offboarding",
      "description": "Offboarding workflows"
    },
    {
      "name": "Questionnaires",
      "description": "Security questionnaire requests"
    },
    {
      "name": "Exposures",
      "description": "CTEM exposure findings and discovery"
    },
    {
      "name": "Approvals",
      "description": "Governance approval requests and segregation-of-duties (SoD) aware decisions"
    },
    {
      "name": "Segregation of Duties",
      "description": "SoD policy management and violation tracking"
    },
    {
      "name": "Data Governance",
      "description": "Data governance policies and legal holds"
    },
    {
      "name": "Identity Governance",
      "description": "Entitlements, identities, and identity risk"
    },
    {
      "name": "Identity Management",
      "description": "SSO configuration, SCIM mappings, and token management"
    },
    {
      "name": "TPRM Signals",
      "description": "Third-party vendor risk signal ingestion"
    },
    {
      "name": "Monolith",
      "description": "Endpoint compliance agent enrollment and install scripts"
    },
    {
      "name": "Portal",
      "description": "Auditor portal and report generation"
    }
  ],
  "components": {
    "securitySchemes": {
      "BearerAuth": {
        "type": "http",
        "scheme": "bearer",
        "bearerFormat": "API Key",
        "description": "API key obtained from Settings → API Keys. Send it in the `Authorization` request header as `Authorization: Bearer <key>`."
      }
    },
    "headers": {
      "X-RateLimit-Limit": {
        "description": "Maximum requests allowed in the current window",
        "schema": {
          "type": "integer",
          "example": 100
        }
      },
      "X-RateLimit-Remaining": {
        "description": "Requests remaining in the current window",
        "schema": {
          "type": "integer",
          "example": 97
        }
      },
      "X-RateLimit-Reset": {
        "description": "Unix timestamp, in seconds, at which the current window resets",
        "schema": {
          "type": "integer",
          "example": 1708099200
        }
      }
    },
    "parameters": {
      "LimitParam": {
        "name": "limit",
        "in": "query",
        "description": "Maximum number of items to return",
        "schema": {
          "type": "integer",
          "default": 50,
          "minimum": 1,
          "maximum": 500
        }
      },
      "OffsetParam": {
        "name": "offset",
        "in": "query",
        "description": "Number of items to skip for pagination",
        "schema": {
          "type": "integer",
          "default": 0,
          "minimum": 0
        }
      }
    },
    "responses": {
      "BadRequest": {
        "description": "Invalid request parameters or body",
        "headers": {
          "X-RateLimit-Limit": {
            "$ref": "#/components/headers/X-RateLimit-Limit"
          },
          "X-RateLimit-Remaining": {
            "$ref": "#/components/headers/X-RateLimit-Remaining"
          },
          "X-RateLimit-Reset": {
            "$ref": "#/components/headers/X-RateLimit-Reset"
          }
        },
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/Error"
            }
          }
        }
      },
      "Unauthorized": {
        "description": "Missing or invalid API key",
        "headers": {
          "X-RateLimit-Limit": {
            "$ref": "#/components/headers/X-RateLimit-Limit"
          },
          "X-RateLimit-Remaining": {
            "$ref": "#/components/headers/X-RateLimit-Remaining"
          },
          "X-RateLimit-Reset": {
            "$ref": "#/components/headers/X-RateLimit-Reset"
          }
        },
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/Error"
            }
          }
        }
      },
      "Forbidden": {
        "description": "Insufficient permissions for this action",
        "headers": {
          "X-RateLimit-Limit": {
            "$ref": "#/components/headers/X-RateLimit-Limit"
          },
          "X-RateLimit-Remaining": {
            "$ref": "#/components/headers/X-RateLimit-Remaining"
          },
          "X-RateLimit-Reset": {
            "$ref": "#/components/headers/X-RateLimit-Reset"
          }
        },
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/Error"
            }
          }
        }
      },
      "NotFound": {
        "description": "Resource not found",
        "headers": {
          "X-RateLimit-Limit": {
            "$ref": "#/components/headers/X-RateLimit-Limit"
          },
          "X-RateLimit-Remaining": {
            "$ref": "#/components/headers/X-RateLimit-Remaining"
          },
          "X-RateLimit-Reset": {
            "$ref": "#/components/headers/X-RateLimit-Reset"
          }
        },
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/Error"
            }
          }
        }
      },
      "Conflict": {
        "description": "Resource already exists or conflicts with current state",
        "headers": {
          "X-RateLimit-Limit": {
            "$ref": "#/components/headers/X-RateLimit-Limit"
          },
          "X-RateLimit-Remaining": {
            "$ref": "#/components/headers/X-RateLimit-Remaining"
          },
          "X-RateLimit-Reset": {
            "$ref": "#/components/headers/X-RateLimit-Reset"
          }
        },
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/Error"
            }
          }
        }
      },
      "TooManyRequests": {
        "description": "Rate limit exceeded",
        "headers": {
          "X-RateLimit-Limit": {
            "$ref": "#/components/headers/X-RateLimit-Limit"
          },
          "X-RateLimit-Remaining": {
            "$ref": "#/components/headers/X-RateLimit-Remaining"
          },
          "X-RateLimit-Reset": {
            "$ref": "#/components/headers/X-RateLimit-Reset"
          },
          "Retry-After": {
            "description": "Seconds until the rate limit resets",
            "schema": {
              "type": "integer",
              "example": 60
            }
          }
        },
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/Error"
            }
          }
        }
      }
    },
    "schemas": {
      "Error": {
        "type": "object",
        "required": [
          "error"
        ],
        "properties": {
          "error": {
            "type": "string",
            "description": "Machine-readable error code",
            "example": "Bad Request"
          },
          "message": {
            "type": "string",
            "description": "Human-readable error description"
          },
          "details": {
            "type": "object",
            "description": "Structured validation errors (flattened Zod error format)"
          }
        }
      },
      "Meta": {
        "type": "object",
        "properties": {
          "total": {
            "type": "integer",
            "description": "Total count of matching resources"
          },
          "limit": {
            "type": "integer"
          },
          "offset": {
            "type": "integer"
          },
          "timestamp": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "PaginatedResponse": {
        "type": "object",
        "required": [
          "data",
          "meta"
        ],
        "properties": {
          "data": {
            "type": "array",
            "items": {}
          },
          "meta": {
            "$ref": "#/components/schemas/Meta"
          }
        }
      },
      "Asset": {
        "type": "object",
        "required": [
          "id",
          "name",
          "type",
          "criticality",
          "status"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "tenant_id": {
            "type": "string",
            "format": "uuid"
          },
          "name": {
            "type": "string",
            "example": "Production Database"
          },
          "description": {
            "type": "string",
            "nullable": true
          },
          "asset_tag": {
            "type": "string",
            "nullable": true
          },
          "type": {
            "type": "string",
            "enum": [
              "application",
              "database",
              "server",
              "network",
              "storage",
              "endpoint",
              "mobile_device",
              "iot_device",
              "cloud_service",
              "saas_application",
              "api",
              "data_repository",
              "backup_system",
              "security_tool",
              "monitoring_tool",
              "communication_system",
              "hardware",
              "people",
              "process",
              "other"
            ]
          },
          "criticality": {
            "type": "string",
            "enum": [
              "critical",
              "high",
              "medium",
              "low"
            ]
          },
          "status": {
            "type": "string",
            "enum": [
              "active",
              "inactive",
              "decommissioned",
              "planned",
              "under_maintenance"
            ]
          },
          "business_function": {
            "type": "string",
            "nullable": true
          },
          "department": {
            "type": "string",
            "nullable": true
          },
          "cost_center": {
            "type": "string",
            "nullable": true
          },
          "owner_name": {
            "type": "string",
            "nullable": true
          },
          "owner_email": {
            "type": "string",
            "format": "email",
            "nullable": true
          },
          "technical_owner_name": {
            "type": "string",
            "nullable": true
          },
          "technical_owner_email": {
            "type": "string",
            "format": "email",
            "nullable": true
          },
          "location": {
            "type": "string",
            "nullable": true
          },
          "environment": {
            "type": "string",
            "nullable": true
          },
          "data_classification": {
            "type": "string",
            "enum": [
              "public",
              "internal",
              "confidential",
              "restricted"
            ],
            "nullable": true
          },
          "contains_pii": {
            "type": "boolean"
          },
          "contains_financial_data": {
            "type": "boolean"
          },
          "rto_hours": {
            "type": "number",
            "nullable": true
          },
          "rpo_hours": {
            "type": "number",
            "nullable": true
          },
          "mtpd_hours": {
            "type": "number",
            "nullable": true
          },
          "ip_address": {
            "type": "string",
            "nullable": true
          },
          "hostname": {
            "type": "string",
            "nullable": true
          },
          "operating_system": {
            "type": "string",
            "nullable": true
          },
          "version": {
            "type": "string",
            "nullable": true
          },
          "acquisition_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "go_live_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "end_of_life_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "last_review_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "next_review_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "tags": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "nullable": true
          },
          "metadata": {
            "type": "object"
          },
          "notes": {
            "type": "string",
            "nullable": true
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          },
          "created_by": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          }
        }
      },
      "CreateAssetInput": {
        "type": "object",
        "required": [
          "name",
          "type",
          "criticality"
        ],
        "properties": {
          "name": {
            "type": "string",
            "minLength": 1
          },
          "description": {
            "type": "string"
          },
          "asset_tag": {
            "type": "string"
          },
          "type": {
            "type": "string",
            "enum": [
              "application",
              "database",
              "server",
              "network",
              "storage",
              "endpoint",
              "mobile_device",
              "iot_device",
              "cloud_service",
              "saas_application",
              "api",
              "data_repository",
              "backup_system",
              "security_tool",
              "monitoring_tool",
              "communication_system",
              "hardware",
              "people",
              "process",
              "other"
            ]
          },
          "criticality": {
            "type": "string",
            "enum": [
              "critical",
              "high",
              "medium",
              "low"
            ]
          },
          "status": {
            "type": "string",
            "enum": [
              "active",
              "inactive",
              "decommissioned",
              "planned",
              "under_maintenance"
            ],
            "default": "active"
          },
          "business_function": {
            "type": "string"
          },
          "department": {
            "type": "string"
          },
          "owner_name": {
            "type": "string"
          },
          "owner_email": {
            "type": "string",
            "format": "email"
          },
          "environment": {
            "type": "string"
          },
          "data_classification": {
            "type": "string",
            "enum": [
              "public",
              "internal",
              "confidential",
              "restricted"
            ]
          },
          "contains_pii": {
            "type": "boolean",
            "default": false
          },
          "contains_financial_data": {
            "type": "boolean",
            "default": false
          },
          "rto_hours": {
            "type": "number"
          },
          "rpo_hours": {
            "type": "number"
          },
          "tags": {
            "type": "array",
            "items": {
              "type": "string"
            }
          }
        }
      },
      "UpdateAssetInput": {
        "type": "object",
        "description": "Partial update — all fields optional",
        "properties": {
          "name": {
            "type": "string",
            "minLength": 1
          },
          "description": {
            "type": "string"
          },
          "asset_tag": {
            "type": "string"
          },
          "type": {
            "type": "string",
            "enum": [
              "application",
              "database",
              "server",
              "network",
              "storage",
              "endpoint",
              "mobile_device",
              "iot_device",
              "cloud_service",
              "saas_application",
              "api",
              "data_repository",
              "backup_system",
              "security_tool",
              "monitoring_tool",
              "communication_system",
              "hardware",
              "people",
              "process",
              "other"
            ]
          },
          "criticality": {
            "type": "string",
            "enum": [
              "critical",
              "high",
              "medium",
              "low"
            ]
          },
          "status": {
            "type": "string",
            "enum": [
              "active",
              "inactive",
              "decommissioned",
              "planned",
              "under_maintenance"
            ]
          },
          "business_function": {
            "type": "string"
          },
          "department": {
            "type": "string"
          },
          "owner_name": {
            "type": "string"
          },
          "owner_email": {
            "type": "string",
            "format": "email"
          },
          "environment": {
            "type": "string"
          },
          "data_classification": {
            "type": "string",
            "enum": [
              "public",
              "internal",
              "confidential",
              "restricted"
            ]
          },
          "contains_pii": {
            "type": "boolean"
          },
          "contains_financial_data": {
            "type": "boolean"
          },
          "rto_hours": {
            "type": "number"
          },
          "rpo_hours": {
            "type": "number"
          },
          "tags": {
            "type": "array",
            "items": {
              "type": "string"
            }
          }
        }
      },
      "AssetRelationship": {
        "type": "object",
        "required": [
          "id",
          "source_asset_id",
          "target_asset_id",
          "relationship_type"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "tenant_id": {
            "type": "string",
            "format": "uuid"
          },
          "source_asset_id": {
            "type": "string",
            "format": "uuid"
          },
          "target_asset_id": {
            "type": "string",
            "format": "uuid"
          },
          "relationship_type": {
            "type": "string",
            "enum": [
              "hosts",
              "feeds_data_to",
              "receives_data_from",
              "authenticates_via",
              "depends_on",
              "backs_up",
              "monitors",
              "load_balances",
              "replicates_to",
              "encrypts_for"
            ]
          },
          "is_critical": {
            "type": "boolean"
          },
          "data_classification": {
            "type": "string",
            "enum": [
              "public",
              "internal",
              "confidential",
              "restricted"
            ],
            "nullable": true
          },
          "strength": {
            "type": "integer",
            "minimum": 0,
            "maximum": 100
          },
          "discovered_by": {
            "type": "string",
            "enum": [
              "manual",
              "integration",
              "scanner",
              "inferred"
            ]
          },
          "description": {
            "type": "string",
            "nullable": true
          },
          "notes": {
            "type": "string",
            "nullable": true
          },
          "metadata": {
            "type": "object"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          },
          "created_by": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          }
        }
      },
      "BlastRadiusResult": {
        "type": "object",
        "properties": {
          "root_asset": {
            "type": "object",
            "properties": {
              "id": {
                "type": "string",
                "format": "uuid"
              },
              "name": {
                "type": "string"
              },
              "type": {
                "type": "string"
              },
              "criticality": {
                "type": "string"
              }
            }
          },
          "affected_assets": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "asset": {
                  "type": "object"
                },
                "path": {
                  "type": "array",
                  "items": {
                    "type": "string"
                  }
                },
                "relationship_types": {
                  "type": "array",
                  "items": {
                    "type": "string"
                  }
                },
                "depth": {
                  "type": "integer"
                },
                "is_critical_path": {
                  "type": "boolean"
                }
              }
            }
          },
          "total_affected": {
            "type": "integer"
          },
          "critical_path_count": {
            "type": "integer"
          }
        }
      },
      "Framework": {
        "type": "object",
        "required": [
          "id",
          "name",
          "short_name",
          "version",
          "type",
          "jurisdiction"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "name": {
            "type": "string",
            "example": "NIS2 Directive"
          },
          "short_name": {
            "type": "string",
            "example": "NIS2"
          },
          "version": {
            "type": "string",
            "example": "2022"
          },
          "description": {
            "type": "string",
            "nullable": true
          },
          "type": {
            "type": "string",
            "enum": [
              "regulation",
              "standard",
              "guideline",
              "directive",
              "national_law",
              "industry_standard",
              "certification"
            ]
          },
          "effective_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "jurisdiction": {
            "type": "string",
            "example": "EU"
          },
          "official_url": {
            "type": "string",
            "format": "uri",
            "nullable": true
          },
          "is_active": {
            "type": "boolean"
          },
          "framework_family_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          },
          "superseded_by_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          },
          "metadata": {
            "type": "object"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "FrameworkFamilyMember": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "name": {
            "type": "string"
          },
          "short_name": {
            "type": "string"
          },
          "version": {
            "type": "string"
          },
          "is_active": {
            "type": "boolean"
          },
          "effective_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "superseded_by_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          }
        }
      },
      "Control": {
        "type": "object",
        "required": [
          "id",
          "code",
          "name",
          "category"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "code": {
            "type": "string",
            "example": "AC-01"
          },
          "name": {
            "type": "string",
            "example": "Access Control Policy"
          },
          "description": {
            "type": "string"
          },
          "category": {
            "type": "string",
            "enum": [
              "access_control",
              "asset_management",
              "business_continuity",
              "change_management",
              "cryptography",
              "data_protection",
              "incident_response",
              "network_security",
              "physical_security",
              "risk_management",
              "security_governance",
              "security_monitoring",
              "security_awareness",
              "supplier_management",
              "vulnerability_management",
              "compliance",
              "other"
            ]
          },
          "parent_control_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          },
          "implementation_guidance": {
            "type": "string",
            "nullable": true
          },
          "testing_procedures": {
            "type": "string",
            "nullable": true
          },
          "automation_potential": {
            "type": "string",
            "nullable": true
          },
          "estimated_effort": {
            "type": "string",
            "nullable": true
          },
          "metadata": {
            "type": "object"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "ControlWithStatus": {
        "allOf": [
          {
            "$ref": "#/components/schemas/Control"
          },
          {
            "type": "object",
            "properties": {
              "tenant_state": {
                "type": "object",
                "nullable": true,
                "properties": {
                  "id": {
                    "type": "string",
                    "format": "uuid"
                  },
                  "status": {
                    "type": "string",
                    "enum": [
                      "not_started",
                      "in_progress",
                      "implemented",
                      "partially_implemented",
                      "not_applicable"
                    ]
                  },
                  "implementation_date": {
                    "type": "string",
                    "format": "date",
                    "nullable": true
                  },
                  "last_review_date": {
                    "type": "string",
                    "format": "date",
                    "nullable": true
                  },
                  "next_review_date": {
                    "type": "string",
                    "format": "date",
                    "nullable": true
                  },
                  "notes": {
                    "type": "string",
                    "nullable": true
                  }
                }
              }
            }
          }
        ]
      },
      "Vendor": {
        "type": "object",
        "required": [
          "id",
          "name",
          "category",
          "risk_tier",
          "status"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "tenant_id": {
            "type": "string",
            "format": "uuid"
          },
          "name": {
            "type": "string",
            "example": "Cloudflare"
          },
          "legal_name": {
            "type": "string",
            "nullable": true
          },
          "domain": {
            "type": "string",
            "nullable": true
          },
          "description": {
            "type": "string",
            "nullable": true
          },
          "logo_url": {
            "type": "string",
            "format": "uri",
            "nullable": true
          },
          "category": {
            "type": "string",
            "enum": [
              "saas",
              "cloud_infrastructure",
              "ict_services",
              "payment_services",
              "data_processing",
              "security_services",
              "consulting",
              "legal",
              "hr_services",
              "telecommunications",
              "hosting",
              "other"
            ]
          },
          "risk_tier": {
            "type": "string",
            "enum": [
              "critical",
              "high",
              "medium",
              "low"
            ]
          },
          "is_critical_ict": {
            "type": "boolean"
          },
          "status": {
            "type": "string",
            "enum": [
              "prospect",
              "onboarding",
              "active",
              "under_review",
              "offboarding",
              "terminated",
              "suspended"
            ]
          },
          "onboarding_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "last_review_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "next_review_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "contact_name": {
            "type": "string",
            "nullable": true
          },
          "contact_email": {
            "type": "string",
            "format": "email",
            "nullable": true
          },
          "contact_phone": {
            "type": "string",
            "nullable": true
          },
          "headquarters_country": {
            "type": "string",
            "nullable": true
          },
          "data_processing_locations": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "nullable": true
          },
          "certifications": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "nullable": true
          },
          "contract_value": {
            "type": "number",
            "nullable": true
          },
          "contract_currency": {
            "type": "string",
            "default": "EUR"
          },
          "contract_start_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "contract_end_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "inherent_risk_score": {
            "type": "number",
            "nullable": true
          },
          "residual_risk_score": {
            "type": "number",
            "nullable": true
          },
          "last_assessment_date": {
            "type": "string",
            "format": "date",
            "nullable": true
          },
          "technical_score": {
            "type": "number",
            "nullable": true
          },
          "technical_grade": {
            "type": "string",
            "enum": [
              "A",
              "B",
              "C",
              "D",
              "F"
            ],
            "nullable": true
          },
          "tags": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "nullable": true
          },
          "metadata": {
            "type": "object"
          },
          "notes": {
            "type": "string",
            "nullable": true
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          },
          "created_by": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          }
        }
      },
      "CreateVendorInput": {
        "type": "object",
        "required": [
          "name",
          "category",
          "risk_tier"
        ],
        "properties": {
          "name": {
            "type": "string"
          },
          "legal_name": {
            "type": "string"
          },
          "domain": {
            "type": "string"
          },
          "description": {
            "type": "string"
          },
          "category": {
            "type": "string",
            "enum": [
              "saas",
              "cloud_infrastructure",
              "ict_services",
              "payment_services",
              "data_processing",
              "security_services",
              "consulting",
              "legal",
              "hr_services",
              "telecommunications",
              "hosting",
              "other"
            ]
          },
          "risk_tier": {
            "type": "string",
            "enum": [
              "critical",
              "high",
              "medium",
              "low"
            ]
          },
          "is_critical_ict": {
            "type": "boolean",
            "default": false
          },
          "status": {
            "type": "string",
            "enum": [
              "prospect",
              "onboarding",
              "active",
              "under_review",
              "offboarding",
              "terminated",
              "suspended"
            ],
            "default": "prospect"
          },
          "contact_name": {
            "type": "string"
          },
          "contact_email": {
            "type": "string",
            "format": "email"
          },
          "headquarters_country": {
            "type": "string"
          },
          "certifications": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "tags": {
            "type": "array",
            "items": {
              "type": "string"
            }
          }
        }
      },
      "VendorControlLink": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "vendor_id": {
            "type": "string",
            "format": "uuid"
          },
          "control_id": {
            "type": "string",
            "format": "uuid"
          },
          "source": {
            "type": "string",
            "enum": [
              "contract",
              "framework",
              "manual"
            ]
          },
          "control_code": {
            "type": "string"
          },
          "control_name": {
            "type": "string"
          },
          "control_status": {
            "type": "string",
            "nullable": true
          },
          "requirement_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          },
          "contract_reference": {
            "type": "string",
            "nullable": true
          },
          "notes": {
            "type": "string",
            "nullable": true
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "VendorControlCoverage": {
        "type": "object",
        "properties": {
          "vendorId": {
            "type": "string",
            "format": "uuid"
          },
          "totalInScope": {
            "type": "integer"
          },
          "implemented": {
            "type": "integer"
          },
          "partiallyImplemented": {
            "type": "integer"
          },
          "notStarted": {
            "type": "integer"
          },
          "notApplicable": {
            "type": "integer"
          },
          "coveragePct": {
            "type": "number"
          },
          "controls": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "controlId": {
                  "type": "string",
                  "format": "uuid"
                },
                "code": {
                  "type": "string"
                },
                "name": {
                  "type": "string"
                },
                "status": {
                  "type": "string"
                },
                "source": {
                  "type": "string",
                  "enum": [
                    "contract",
                    "framework",
                    "manual"
                  ]
                },
                "contractReference": {
                  "type": "string",
                  "nullable": true
                }
              }
            }
          }
        }
      },
      "Vulnerability": {
        "type": "object",
        "required": [
          "id",
          "cve_id",
          "severity",
          "source_integration",
          "status"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "tenant_id": {
            "type": "string",
            "format": "uuid"
          },
          "cve_id": {
            "type": "string",
            "example": "CVE-2024-1234"
          },
          "severity": {
            "type": "string",
            "enum": [
              "critical",
              "high",
              "medium",
              "low",
              "info"
            ]
          },
          "cvss_score": {
            "type": "number",
            "nullable": true,
            "minimum": 0,
            "maximum": 10
          },
          "source_integration": {
            "type": "string"
          },
          "source_evidence_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          },
          "affected_assets": {
            "type": "array",
            "items": {
              "type": "object"
            }
          },
          "status": {
            "type": "string",
            "enum": [
              "open",
              "in_progress",
              "mitigated",
              "resolved",
              "accepted",
              "false_positive"
            ]
          },
          "detected_at": {
            "type": "string",
            "format": "date-time"
          },
          "raw_data": {
            "type": "object"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "CreateVulnerabilityInput": {
        "type": "object",
        "required": [
          "cve_id",
          "severity",
          "source_integration"
        ],
        "properties": {
          "cve_id": {
            "type": "string"
          },
          "severity": {
            "type": "string",
            "enum": [
              "critical",
              "high",
              "medium",
              "low",
              "info"
            ]
          },
          "cvss_score": {
            "type": "number",
            "minimum": 0,
            "maximum": 10
          },
          "source_integration": {
            "type": "string"
          },
          "affected_asset_ids": {
            "type": "array",
            "items": {
              "type": "string",
              "format": "uuid"
            }
          },
          "status": {
            "type": "string",
            "enum": [
              "open",
              "in_progress",
              "mitigated",
              "resolved",
              "accepted",
              "false_positive"
            ],
            "default": "open"
          }
        }
      },
      "ExposureImpactResult": {
        "type": "object",
        "properties": {
          "blast_radius": {
            "type": "object",
            "properties": {
              "vulnerability_id": {
                "type": "string",
                "format": "uuid"
              },
              "directly_affected": {
                "type": "array",
                "items": {
                  "type": "object"
                }
              },
              "transitively_affected": {
                "type": "array",
                "items": {
                  "type": "object"
                }
              },
              "total_affected": {
                "type": "integer"
              }
            }
          },
          "control_impact": {
            "type": "object",
            "properties": {
              "vulnerability_id": {
                "type": "string",
                "format": "uuid"
              },
              "impacted_controls": {
                "type": "array",
                "items": {
                  "type": "object"
                }
              },
              "summary": {
                "type": "object",
                "properties": {
                  "total_controls_implicated": {
                    "type": "integer"
                  },
                  "controls_already_mitigating": {
                    "type": "integer"
                  },
                  "controls_not_mitigating": {
                    "type": "integer"
                  },
                  "controls_not_implemented": {
                    "type": "integer"
                  }
                }
              }
            }
          }
        }
      },
      "ApiKey": {
        "type": "object",
        "required": [
          "id",
          "name",
          "key_prefix",
          "permissions",
          "is_active"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "name": {
            "type": "string",
            "example": "CI Pipeline Key"
          },
          "key_prefix": {
            "type": "string",
            "description": "First 8 characters of the key, shown so a key can be identified without exposing it; the full key is not part of this schema",
            "example": "feu_live"
          },
          "permissions": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "example": [
              "read:assets",
              "write:assets"
            ]
          },
          "is_active": {
            "type": "boolean"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "last_used_at": {
            "type": "string",
            "format": "date-time",
            "nullable": true
          },
          "expires_at": {
            "type": "string",
            "format": "date-time",
            "nullable": true
          },
          "rotated_from_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          },
          "rotation_grace_until": {
            "type": "string",
            "format": "date-time",
            "nullable": true
          }
        }
      },
      "CreateApiKeyInput": {
        "type": "object",
        "required": [
          "name",
          "permissions"
        ],
        "properties": {
          "name": {
            "type": "string",
            "minLength": 1,
            "maxLength": 255
          },
          "permissions": {
            "type": "array",
            "items": {
              "type": "string",
              "minLength": 1,
              "maxLength": 100
            },
            "minItems": 1
          },
          "expires_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "RotateApiKeyInput": {
        "type": "object",
        "properties": {
          "grace_period_hours": {
            "type": "integer",
            "minimum": 0,
            "maximum": 720,
            "default": 24,
            "description": "Hours after rotation during which the old key remains valid; use 0 when the old key may have been exposed"
          }
        }
      },
      "ApiKeyWithPlainKey": {
        "allOf": [
          {
            "$ref": "#/components/schemas/ApiKey"
          },
          {
            "type": "object",
            "required": [
              "key"
            ],
            "properties": {
              "key": {
                "type": "string",
                "description": "Full API key — returned only on creation or rotation. Store it securely."
              }
            }
          }
        ]
      },
      "WebhookEndpoint": {
        "type": "object",
        "required": [
          "id",
          "url",
          "events",
          "is_active"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "tenant_id": {
            "type": "string",
            "format": "uuid"
          },
          "url": {
            "type": "string",
            "format": "uri",
            "example": "https://example.com/webhooks/fortis"
          },
          "description": {
            "type": "string",
            "nullable": true
          },
          "events": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "example": [
              "asset.created",
              "vulnerability.detected",
              "control.status_changed"
            ]
          },
          "secret": {
            "type": "string",
            "description": "HMAC secret used to verify webhook signatures (returned only on creation, so store it at that point)"
          },
          "is_active": {
            "type": "boolean"
          },
          "metadata": {
            "type": "object"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "CreateWebhookInput": {
        "type": "object",
        "required": [
          "url",
          "events"
        ],
        "properties": {
          "url": {
            "type": "string",
            "format": "uri"
          },
          "description": {
            "type": "string"
          },
          "events": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "minItems": 1
          }
        }
      },
      "UpdateWebhookInput": {
        "type": "object",
        "properties": {
          "url": {
            "type": "string",
            "format": "uri"
          },
          "description": {
            "type": "string"
          },
          "events": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "is_active": {
            "type": "boolean"
          }
        }
      },
      "WebhookDelivery": {
        "type": "object",
        "required": [
          "id",
          "webhook_id",
          "event",
          "status_code"
        ],
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "webhook_id": {
            "type": "string",
            "format": "uuid"
          },
          "event": {
            "type": "string",
            "example": "asset.created"
          },
          "payload": {
            "type": "object",
            "description": "Event payload that was sent"
          },
          "status_code": {
            "type": "integer",
            "description": "HTTP response status code from the endpoint"
          },
          "response_body": {
            "type": "string",
            "nullable": true
          },
          "duration_ms": {
            "type": "integer",
            "description": "Round-trip time in milliseconds"
          },
          "success": {
            "type": "boolean"
          },
          "attempt": {
            "type": "integer",
            "description": "Delivery attempt number (1-based)"
          },
          "error_message": {
            "type": "string",
            "nullable": true
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "ComplianceStatus": {
        "type": "object",
        "properties": {
          "total_frameworks": {
            "type": "integer"
          },
          "subscribed_frameworks": {
            "type": "integer"
          },
          "overall_compliance_percentage": {
            "type": "number"
          },
          "frameworks": {
            "type": "array",
            "items": {
              "type": "object"
            }
          },
          "upcoming_reviews": {
            "type": "array",
            "items": {
              "type": "object"
            }
          },
          "recent_updates": {
            "type": "array",
            "items": {
              "type": "object"
            }
          }
        }
      },
      "ExposureFinding": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "tenant_id": {
            "type": "string",
            "format": "uuid"
          },
          "finding_type": {
            "type": "string"
          },
          "severity": {
            "type": "string",
            "enum": [
              "critical",
              "high",
              "medium",
              "low",
              "info"
            ]
          },
          "status": {
            "type": "string"
          },
          "title": {
            "type": "string"
          },
          "description": {
            "type": "string",
            "nullable": true
          },
          "asset_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          },
          "source": {
            "type": "string"
          },
          "first_seen_at": {
            "type": "string",
            "format": "date-time"
          },
          "last_seen_at": {
            "type": "string",
            "format": "date-time"
          },
          "metadata": {
            "type": "object"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "updated_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "Entitlement": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "system_name": {
            "type": "string"
          },
          "type": {
            "type": "string"
          },
          "name": {
            "type": "string"
          },
          "risk_level": {
            "type": "string"
          },
          "is_privileged": {
            "type": "boolean"
          },
          "metadata": {
            "type": "object"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "Identity": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "email": {
            "type": "string",
            "format": "email"
          },
          "display_name": {
            "type": "string"
          },
          "employment_status": {
            "type": "string"
          },
          "risk_score": {
            "type": "number"
          },
          "mfa_enabled": {
            "type": "boolean"
          },
          "last_login_at": {
            "type": "string",
            "format": "date-time",
            "nullable": true
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "SodPolicy": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "policy_name": {
            "type": "string"
          },
          "critical_action": {
            "type": "string"
          },
          "required_approvals": {
            "type": "integer"
          },
          "disallow_requester_approval": {
            "type": "boolean"
          },
          "allowed_approver_roles": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "is_active": {
            "type": "boolean"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "SodViolation": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "rule_name": {
            "type": "string"
          },
          "user_id": {
            "type": "string",
            "format": "uuid"
          },
          "status": {
            "type": "string",
            "enum": [
              "open",
              "remediated",
              "exception"
            ]
          },
          "conflicting_roles": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "detected_at": {
            "type": "string",
            "format": "date-time"
          },
          "remediation_notes": {
            "type": "string",
            "nullable": true
          }
        }
      },
      "ApprovalRequest": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "requester_user_id": {
            "type": "string",
            "format": "uuid"
          },
          "workflow_type": {
            "type": "string"
          },
          "action_type": {
            "type": "string"
          },
          "status": {
            "type": "string",
            "enum": [
              "pending",
              "approved",
              "rejected"
            ]
          },
          "subject_type": {
            "type": "string"
          },
          "subject_id": {
            "type": "string"
          },
          "proposed_action": {
            "type": "string"
          },
          "reasoning": {
            "type": "string"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          }
        }
      },
      "DataGovernancePolicy": {
        "type": "object",
        "properties": {
          "exports_enabled": {
            "type": "boolean"
          },
          "exports_require_admin": {
            "type": "boolean"
          },
          "legal_hold_blocks_exports": {
            "type": "boolean"
          },
          "default_retention_days": {
            "type": "integer"
          },
          "evidence_export_retention_days": {
            "type": "integer"
          },
          "webhook_receipt_retention_days": {
            "type": "integer"
          },
          "allowed_regions": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "restricted_regions": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "block_cross_region_exports": {
            "type": "boolean"
          }
        }
      },
      "LegalHold": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "format": "uuid"
          },
          "hold_scope": {
            "type": "string"
          },
          "reason": {
            "type": "string"
          },
          "is_active": {
            "type": "boolean"
          },
          "created_at": {
            "type": "string",
            "format": "date-time"
          },
          "released_at": {
            "type": "string",
            "format": "date-time",
            "nullable": true
          }
        }
      },
      "SsoConfig": {
        "type": "object",
        "properties": {
          "sso_enforced": {
            "type": "boolean"
          },
          "allowed_domains": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "default_sso_role": {
            "type": "string",
            "enum": [
              "admin",
              "editor",
              "auditor",
              "guest"
            ]
          },
          "default_scim_role": {
            "type": "string",
            "enum": [
              "admin",
              "editor",
              "auditor",
              "guest"
            ]
          },
          "role_attribute_key": {
            "type": "string",
            "nullable": true
          },
          "group_attribute_key": {
            "type": "string",
            "nullable": true
          },
          "auto_provision_enabled": {
            "type": "boolean"
          },
          "auto_deprovision_enabled": {
            "type": "boolean"
          }
        }
      },
      "ScimMapping": {
        "type": "object",
        "properties": {
          "scim_group_id": {
            "type": "string",
            "format": "uuid",
            "nullable": true
          },
          "scim_group_external_id": {
            "type": "string",
            "nullable": true
          },
          "scim_group_display_name": {
            "type": "string",
            "nullable": true
          },
          "mapped_role": {
            "type": "string",
            "enum": [
              "admin",
              "editor",
              "auditor",
              "guest"
            ]
          },
          "mapped_attributes": {
            "type": "object"
          },
          "is_active": {
            "type": "boolean"
          }
        }
      }
    }
  },
  "paths": {
    "/api/v1": {
      "get": {
        "tags": [
          "Root"
        ],
        "summary": "API root",
        "description": "Returns endpoint inventory, API version, and metadata. No authentication required.",
        "security": [],
        "responses": {
          "200": {
            "description": "API metadata and endpoint inventory",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          }
        }
      }
    },
    "/api/v1/assets": {
      "get": {
        "tags": [
          "Assets"
        ],
        "summary": "List assets",
        "description": "Returns a paginated list of assets in the tenant's inventory. Supports filtering by type, criticality, status, and tags.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "type",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Filter by asset type"
          },
          {
            "name": "criticality",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "critical",
                "high",
                "medium",
                "low"
              ]
            }
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "active",
                "inactive",
                "decommissioned",
                "planned",
                "under_maintenance"
              ]
            }
          },
          {
            "name": "search",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Full-text search across name and description"
          }
        ],
        "responses": {
          "200": {
            "description": "Paginated asset list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/Asset"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "post": {
        "tags": [
          "Assets"
        ],
        "summary": "Create asset",
        "description": "Create a new asset in the tenant's inventory.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/CreateAssetInput"
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Asset created",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/Asset"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/assets/{id}": {
      "get": {
        "tags": [
          "Assets"
        ],
        "summary": "Get asset by ID",
        "description": "Returns a single asset by its ID, including vendor dependencies.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Asset ID"
          }
        ],
        "responses": {
          "200": {
            "description": "Asset details",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/Asset"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "patch": {
        "tags": [
          "Assets"
        ],
        "summary": "Update asset",
        "description": "Partially update an asset's properties.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Asset ID"
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/UpdateAssetInput"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Asset updated",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/Asset"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "delete": {
        "tags": [
          "Assets"
        ],
        "summary": "Delete asset",
        "description": "Permanently delete an asset and its relationships.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Asset ID"
          }
        ],
        "responses": {
          "204": {
            "description": "Asset deleted",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/assets/{assetId}/controls": {
      "get": {
        "tags": [
          "Assets"
        ],
        "summary": "Get asset controls (CTEM)",
        "description": "Returns controls linked to an asset. Part of the CTEM (Continuous Threat Exposure Management) asset-control graph.",
        "parameters": [
          {
            "name": "assetId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Asset ID"
          }
        ],
        "responses": {
          "200": {
            "description": "Asset with linked controls and scope metadata",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/assets/{assetId}/relationships": {
      "get": {
        "tags": [
          "Asset Relationships"
        ],
        "summary": "List asset relationships",
        "description": "Returns asset-to-asset relationships (dependencies) for a given asset. Supports directional filtering.",
        "parameters": [
          {
            "name": "assetId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Asset ID"
          },
          {
            "name": "direction",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "outgoing",
                "incoming",
                "both"
              ],
              "default": "both"
            },
            "description": "Filter by relationship direction"
          }
        ],
        "responses": {
          "200": {
            "description": "Outgoing and incoming asset relationships with asset metadata",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "object",
                      "properties": {
                        "outgoing": {
                          "type": "array",
                          "items": {
                            "$ref": "#/components/schemas/AssetRelationship"
                          }
                        },
                        "incoming": {
                          "type": "array",
                          "items": {
                            "$ref": "#/components/schemas/AssetRelationship"
                          }
                        }
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "post": {
        "tags": [
          "Asset Relationships"
        ],
        "summary": "Create asset relationship",
        "description": "Create a directed asset-to-asset dependency. The source asset is the path parameter asset.",
        "parameters": [
          {
            "name": "assetId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Source asset ID"
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "target_asset_id",
                  "relationship_type"
                ],
                "properties": {
                  "target_asset_id": {
                    "type": "string",
                    "format": "uuid"
                  },
                  "relationship_type": {
                    "type": "string",
                    "enum": [
                      "hosts",
                      "feeds_data_to",
                      "receives_data_from",
                      "authenticates_via",
                      "depends_on",
                      "backs_up",
                      "monitors",
                      "load_balances",
                      "replicates_to",
                      "encrypts_for"
                    ]
                  },
                  "is_critical": {
                    "type": "boolean",
                    "default": false
                  },
                  "data_classification": {
                    "type": "string",
                    "enum": [
                      "public",
                      "internal",
                      "confidential",
                      "restricted"
                    ]
                  },
                  "strength": {
                    "type": "integer",
                    "minimum": 0,
                    "maximum": 100,
                    "default": 50
                  },
                  "discovered_by": {
                    "type": "string",
                    "enum": [
                      "manual",
                      "integration",
                      "scanner",
                      "inferred"
                    ],
                    "default": "manual"
                  },
                  "description": {
                    "type": "string",
                    "maxLength": 1000
                  }
                }
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Asset relationship created",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/AssetRelationship"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "409": {
            "$ref": "#/components/responses/Conflict"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/assets/relationships/{relationshipId}": {
      "patch": {
        "tags": [
          "Asset Relationships"
        ],
        "summary": "Update asset relationship",
        "description": "Partially update an asset-to-asset relationship (strength, criticality, etc.).",
        "parameters": [
          {
            "name": "relationshipId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Relationship ID"
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "properties": {
                  "is_critical": {
                    "type": "boolean"
                  },
                  "data_classification": {
                    "type": "string",
                    "enum": [
                      "public",
                      "internal",
                      "confidential",
                      "restricted"
                    ],
                    "nullable": true
                  },
                  "strength": {
                    "type": "integer",
                    "minimum": 0,
                    "maximum": 100
                  },
                  "description": {
                    "type": "string",
                    "maxLength": 1000
                  },
                  "notes": {
                    "type": "string",
                    "maxLength": 2000
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Relationship updated",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/AssetRelationship"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "delete": {
        "tags": [
          "Asset Relationships"
        ],
        "summary": "Delete asset relationship",
        "description": "Delete an asset-to-asset relationship. Requires admin role (enforced by RLS).",
        "parameters": [
          {
            "name": "relationshipId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Relationship ID"
          }
        ],
        "responses": {
          "204": {
            "description": "Relationship deleted",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/assets/{assetId}/blast-radius": {
      "get": {
        "tags": [
          "Asset Relationships"
        ],
        "summary": "Get asset blast radius",
        "description": "Computes the blast radius for an asset: all downstream assets that would be affected if the root asset is compromised. Uses recursive graph traversal with cycle prevention.",
        "parameters": [
          {
            "name": "assetId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Root asset ID"
          },
          {
            "name": "max_depth",
            "in": "query",
            "schema": {
              "type": "integer",
              "minimum": 1,
              "maximum": 5,
              "default": 3
            },
            "description": "Maximum traversal depth (hops)"
          }
        ],
        "responses": {
          "200": {
            "description": "Blast radius with affected assets, paths, and critical path analysis",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/BlastRadiusResult"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/compliance/controls": {
      "get": {
        "tags": [
          "Compliance"
        ],
        "summary": "List controls",
        "description": "Returns all security controls, optionally filtered by category or implementation status. Includes tenant implementation state when authenticated.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "category",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Filter by control category"
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "not_started",
                "in_progress",
                "implemented",
                "partially_implemented",
                "not_applicable"
              ]
            },
            "description": "Filter by tenant implementation status"
          },
          {
            "name": "search",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Search by code or name"
          }
        ],
        "responses": {
          "200": {
            "description": "Paginated controls list with tenant status",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/ControlWithStatus"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/compliance/controls/{controlId}/children": {
      "get": {
        "tags": [
          "Compliance"
        ],
        "summary": "Get child controls",
        "description": "Returns direct child controls of a parent control in the control hierarchy.",
        "parameters": [
          {
            "name": "controlId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Parent control ID"
          }
        ],
        "responses": {
          "200": {
            "description": "Parent context and child controls list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "object",
                      "properties": {
                        "parent": {
                          "$ref": "#/components/schemas/Control"
                        },
                        "children": {
                          "type": "array",
                          "items": {
                            "$ref": "#/components/schemas/Control"
                          }
                        }
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/compliance/frameworks": {
      "get": {
        "tags": [
          "Compliance"
        ],
        "summary": "List compliance frameworks",
        "description": "Returns all available compliance frameworks (NIS2, DORA, ISO 27001, etc.) with requirement and control counts.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          }
        ],
        "responses": {
          "200": {
            "description": "Frameworks list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/Framework"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/compliance/frameworks/{frameworkId}": {
      "get": {
        "tags": [
          "Compliance"
        ],
        "summary": "Get framework details",
        "description": "Returns full details of a compliance framework including requirements and control mappings.",
        "parameters": [
          {
            "name": "frameworkId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Framework ID"
          }
        ],
        "responses": {
          "200": {
            "description": "Framework with requirements and controls",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/Framework"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/compliance/frameworks/{frameworkId}/family": {
      "get": {
        "tags": [
          "Compliance"
        ],
        "summary": "Get framework family",
        "description": "Returns all framework versions in the same family (e.g. ISO 27001:2013 -> 2022). Uses framework_family_id to group related versions.",
        "parameters": [
          {
            "name": "frameworkId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Framework ID"
          }
        ],
        "responses": {
          "200": {
            "description": "Framework family members with version lineage",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/FrameworkFamilyMember"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/compliance/status": {
      "get": {
        "tags": [
          "Compliance"
        ],
        "summary": "Compliance status dashboard",
        "description": "Returns the tenant's overall compliance status across all subscribed frameworks, including per-framework breakdown and upcoming reviews.",
        "responses": {
          "200": {
            "description": "Compliance summary",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/ComplianceStatus"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/vendors": {
      "get": {
        "tags": [
          "Vendors"
        ],
        "summary": "List vendors",
        "description": "Returns a paginated list of third-party vendors. Supports filtering by risk tier, status, and category.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "risk_tier",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "critical",
                "high",
                "medium",
                "low"
              ]
            }
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "prospect",
                "onboarding",
                "active",
                "under_review",
                "offboarding",
                "terminated",
                "suspended"
              ]
            }
          },
          {
            "name": "category",
            "in": "query",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Paginated vendors list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/Vendor"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "post": {
        "tags": [
          "Vendors"
        ],
        "summary": "Create vendor",
        "description": "Add a new third-party vendor to the TPRM registry.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/CreateVendorInput"
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Vendor created",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/Vendor"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/vendors/{id}": {
      "get": {
        "tags": [
          "Vendors"
        ],
        "summary": "Get vendor by ID",
        "description": "Returns full vendor details including contacts, documents, and risk assessment data.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Vendor ID"
          }
        ],
        "responses": {
          "200": {
            "description": "Vendor details",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/Vendor"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "patch": {
        "tags": [
          "Vendors"
        ],
        "summary": "Update vendor",
        "description": "Partially update a vendor's properties.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Vendor ID"
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/CreateVendorInput"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Vendor updated",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/Vendor"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/vendors/{id}/controls": {
      "get": {
        "tags": [
          "Vendor Controls"
        ],
        "summary": "List vendor controls",
        "description": "Returns all controls linked to a vendor, enriched with control code, name, and implementation status.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Vendor ID"
          }
        ],
        "responses": {
          "200": {
            "description": "Vendor controls list with enrichment",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/VendorControlLink"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "post": {
        "tags": [
          "Vendor Controls"
        ],
        "summary": "Link control to vendor",
        "description": "Create a vendor-control link. The `source` field indicates how the control was assigned (contract, framework, or manual).",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Vendor ID"
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "control_id",
                  "source"
                ],
                "properties": {
                  "control_id": {
                    "type": "string",
                    "format": "uuid"
                  },
                  "source": {
                    "type": "string",
                    "enum": [
                      "contract",
                      "framework",
                      "manual"
                    ]
                  },
                  "requirement_id": {
                    "type": "string",
                    "format": "uuid"
                  },
                  "contract_reference": {
                    "type": "string",
                    "maxLength": 500
                  },
                  "notes": {
                    "type": "string",
                    "maxLength": 2000
                  }
                }
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Vendor control link created",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "409": {
            "$ref": "#/components/responses/Conflict"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/vendors/{id}/controls/{linkId}": {
      "delete": {
        "tags": [
          "Vendor Controls"
        ],
        "summary": "Unlink control from vendor",
        "description": "Remove a vendor-control link by its link ID.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Vendor ID"
          },
          {
            "name": "linkId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Vendor control link ID"
          }
        ],
        "responses": {
          "204": {
            "description": "Unlinked successfully",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/vendors/{id}/control-coverage": {
      "get": {
        "tags": [
          "Vendor Controls"
        ],
        "summary": "Get vendor control coverage",
        "description": "Compute control coverage for a vendor: in-scope controls vs implementation status, with a coverage percentage.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Vendor ID"
          }
        ],
        "responses": {
          "200": {
            "description": "Vendor control coverage snapshot",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/VendorControlCoverage"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/vulnerabilities": {
      "get": {
        "tags": [
          "Vulnerabilities"
        ],
        "summary": "List vulnerabilities",
        "description": "Returns a paginated list of vulnerability findings. Supports filtering by severity, status, and source integration.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "severity",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "critical",
                "high",
                "medium",
                "low",
                "info"
              ]
            }
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "open",
                "in_progress",
                "mitigated",
                "resolved",
                "accepted",
                "false_positive"
              ]
            }
          },
          {
            "name": "source_integration",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Filter by source integration type"
          }
        ],
        "responses": {
          "200": {
            "description": "Paginated vulnerability findings",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/Vulnerability"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "post": {
        "tags": [
          "Vulnerabilities"
        ],
        "summary": "Create vulnerability finding",
        "description": "Manually report a vulnerability finding. Typically used for findings from external scanners not yet integrated.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/CreateVulnerabilityInput"
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Vulnerability created",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/Vulnerability"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/vulnerabilities/unmitigated": {
      "get": {
        "tags": [
          "Vulnerabilities"
        ],
        "summary": "List unmitigated vulnerabilities",
        "description": "Returns vulnerability findings with no linked control mitigation. Core CTEM query for identifying exposure gaps.",
        "parameters": [
          {
            "name": "limit",
            "in": "query",
            "schema": {
              "type": "integer",
              "default": 200,
              "maximum": 500
            }
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Comma-separated list of finding statuses to include; defaults to `open,in_progress` when omitted"
          }
        ],
        "responses": {
          "200": {
            "description": "Unmitigated vulnerability findings",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/Vulnerability"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/vulnerabilities/{vulnerabilityId}/impact": {
      "get": {
        "tags": [
          "Vulnerabilities"
        ],
        "summary": "Get vulnerability exposure impact",
        "description": "Computes the full CTEM impact chain: blast radius (directly + transitively affected assets) and control impact mapping (controls linked to affected assets, with mitigation status).",
        "parameters": [
          {
            "name": "vulnerabilityId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Vulnerability finding ID"
          },
          {
            "name": "max_depth",
            "in": "query",
            "schema": {
              "type": "integer",
              "minimum": 1,
              "maximum": 5,
              "default": 2
            },
            "description": "Maximum asset-relationship traversal depth"
          },
          {
            "name": "include",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "blast_radius",
                "controls",
                "all"
              ],
              "default": "all"
            },
            "description": "Which sections to include in response"
          }
        ],
        "responses": {
          "200": {
            "description": "Vulnerability impact: blast radius and/or control impact mapping",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/ExposureImpactResult"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/api-keys": {
      "get": {
        "tags": [
          "API Keys"
        ],
        "summary": "List API keys",
        "description": "List all API keys for the authenticated tenant. Never returns the full key — only prefix, name, permissions, and metadata. Requires `admin:api-keys` permission.",
        "responses": {
          "200": {
            "description": "API keys list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/ApiKey"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "post": {
        "tags": [
          "API Keys"
        ],
        "summary": "Create API key",
        "description": "Create a new API key. The plain key is returned exactly once, in this response; the list endpoint never returns the full key, so store it securely when it is issued. Requires `admin:api-keys` permission.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/CreateApiKeyInput"
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "API key created (includes plain key)",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/ApiKeyWithPlainKey"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/api-keys/{id}": {
      "delete": {
        "tags": [
          "API Keys"
        ],
        "summary": "Revoke API key",
        "description": "Permanently revoke (delete) an API key. The key will immediately stop working.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "API key ID"
          }
        ],
        "responses": {
          "204": {
            "description": "API key revoked",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/api-keys/{id}/rotate": {
      "post": {
        "tags": [
          "API Keys"
        ],
        "summary": "Rotate API key",
        "description": "Rotate an API key: creates a new key and optionally keeps the old key active during a grace period. Returns the new plain key exactly once.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "API key ID to rotate"
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/RotateApiKeyInput"
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "New rotated key created (includes plain key)",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/ApiKeyWithPlainKey"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/webhooks": {
      "get": {
        "tags": [
          "Webhooks"
        ],
        "summary": "List webhook endpoints",
        "description": "Returns all registered webhook endpoints for the tenant.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          }
        ],
        "responses": {
          "200": {
            "description": "Webhook endpoints list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/WebhookEndpoint"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "post": {
        "tags": [
          "Webhooks"
        ],
        "summary": "Create webhook endpoint",
        "description": "Register a new webhook endpoint. The HMAC signing secret is returned only on creation — store it securely.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/CreateWebhookInput"
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Webhook endpoint created (includes signing secret)",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/WebhookEndpoint"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/webhooks/{id}": {
      "patch": {
        "tags": [
          "Webhooks"
        ],
        "summary": "Update webhook endpoint",
        "description": "Update a webhook endpoint's URL, events, or active status.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Webhook endpoint ID"
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/UpdateWebhookInput"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Webhook endpoint updated",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "$ref": "#/components/schemas/WebhookEndpoint"
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/BadRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "delete": {
        "tags": [
          "Webhooks"
        ],
        "summary": "Delete webhook endpoint",
        "description": "Permanently delete a webhook endpoint and its delivery history.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Webhook endpoint ID"
          }
        ],
        "responses": {
          "204": {
            "description": "Webhook endpoint deleted",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/webhooks/{id}/deliveries": {
      "get": {
        "tags": [
          "Webhooks"
        ],
        "summary": "List webhook deliveries",
        "description": "Returns delivery attempts for a webhook endpoint, ordered by most recent first. Useful for debugging failed deliveries.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            },
            "description": "Webhook endpoint ID"
          },
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "success",
            "in": "query",
            "schema": {
              "type": "boolean"
            },
            "description": "Filter by delivery success status"
          }
        ],
        "responses": {
          "200": {
            "description": "Webhook delivery log",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/WebhookDelivery"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/Forbidden"
          },
          "404": {
            "$ref": "#/components/responses/NotFound"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/evidence": {
      "get": {
        "tags": [
          "Evidence"
        ],
        "summary": "List evidence",
        "description": "Returns a paginated list of automated evidence from integrations.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "type",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Evidence type filter"
          },
          {
            "name": "integration",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Integration type filter"
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "valid",
                "stale",
                "expired",
                "superseded"
              ]
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Evidence list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/audit/evidence": {
      "get": {
        "tags": [
          "Audit"
        ],
        "summary": "List audit evidence",
        "description": "Returns audit trail evidence records for compliance reporting.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          }
        ],
        "responses": {
          "200": {
            "description": "Audit evidence list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/access-reviews": {
      "get": {
        "tags": [
          "Access Reviews"
        ],
        "summary": "List access reviews",
        "description": "Returns access review campaigns with their completion status.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "draft",
                "in_progress",
                "completed"
              ]
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Access reviews list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/offboarding": {
      "get": {
        "tags": [
          "Offboarding"
        ],
        "summary": "List offboarding requests",
        "description": "Returns offboarding requests, including task completion.",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "pending",
                "in_progress",
                "completed",
                "cancelled"
              ]
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Offboarding list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/questionnaires": {
      "get": {
        "tags": [
          "Questionnaires"
        ],
        "summary": "List questionnaire requests",
        "description": "Returns questionnaire requests (internal).",
        "parameters": [
          {
            "$ref": "#/components/parameters/LimitParam"
          },
          {
            "$ref": "#/components/parameters/OffsetParam"
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "draft",
                "ai_suggested",
                "in_review",
                "completed"
              ]
            }
          },
          {
            "name": "source_channel",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "dashboard",
                "trust_center"
              ]
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Questionnaire requests list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "429": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/exposures": {
      "get": {
        "tags": [
          "Exposures"
        ],
        "summary": "List exposure findings",
        "description": "Returns CTEM exposure findings with optional filtering by severity, type, status, and asset.",
        "parameters": [
          {
            "name": "severity",
            "in": "query",
            "description": "Comma-separated severity filter",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "finding_type",
            "in": "query",
            "description": "Comma-separated finding type filter",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "status",
            "in": "query",
            "description": "Comma-separated status filter",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "asset_id",
            "in": "query",
            "description": "Filter by asset UUID",
            "schema": {
              "type": "string",
              "format": "uuid"
            }
          },
          {
            "name": "limit",
            "in": "query",
            "schema": {
              "type": "integer",
              "default": 200,
              "maximum": 500
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Exposure findings list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/ExposureFinding"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/exposures/{id}": {
      "get": {
        "tags": [
          "Exposures"
        ],
        "summary": "Get exposure finding",
        "description": "Returns a single exposure finding with linked asset details.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Exposure finding detail",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "NotFound": {
            "$ref": "#/components/responses/NotFound"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/exposures/discoveries": {
      "get": {
        "tags": [
          "Exposures"
        ],
        "summary": "List discovery candidates",
        "description": "Returns pending discovery candidates — exposure-linked assets not yet matched to inventory.",
        "parameters": [
          {
            "name": "limit",
            "in": "query",
            "schema": {
              "type": "integer"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Discovery candidates list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/exposures/stats": {
      "get": {
        "tags": [
          "Exposures"
        ],
        "summary": "Get exposure statistics",
        "description": "Returns aggregate exposure metrics: totals by severity, finding type, and trends.",
        "responses": {
          "200": {
            "description": "Exposure statistics",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/approvals/requests": {
      "post": {
        "tags": [
          "Approvals"
        ],
        "summary": "Create approval request",
        "description": "Submit a governance approval request. Segregation-of-duties (SoD) policies are automatically enforced.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "requester_user_id",
                  "workflow_type",
                  "action_type",
                  "subject_type",
                  "subject_id",
                  "proposed_action",
                  "reasoning"
                ],
                "properties": {
                  "requester_user_id": {
                    "type": "string",
                    "format": "uuid"
                  },
                  "workflow_type": {
                    "type": "string",
                    "enum": [
                      "patch_remediation",
                      "incident_response",
                      "control_review",
                      "vendor_assessment",
                      "evidence_collection",
                      "compliance_notification",
                      "vulnerability_triage",
                      "training_reminder",
                      "synergy_rules"
                    ]
                  },
                  "action_type": {
                    "type": "string",
                    "enum": [
                      "create_task",
                      "assign_task",
                      "send_notification",
                      "update_status",
                      "escalate",
                      "create_assessment",
                      "schedule_review",
                      "generate_report",
                      "apply_patch",
                      "disable_account",
                      "revoke_access"
                    ]
                  },
                  "subject_type": {
                    "type": "string"
                  },
                  "subject_id": {
                    "type": "string"
                  },
                  "critical_action": {
                    "type": "string"
                  },
                  "proposed_action": {
                    "type": "string"
                  },
                  "reasoning": {
                    "type": "string"
                  },
                  "required_approvals": {
                    "type": "integer"
                  },
                  "due_at": {
                    "type": "string",
                    "format": "date-time"
                  },
                  "metadata": {
                    "type": "object"
                  }
                }
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Approval request created",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApprovalRequest"
                }
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "Conflict": {
            "$ref": "#/components/responses/Conflict"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/approvals/requests/{id}/decision": {
      "post": {
        "tags": [
          "Approvals"
        ],
        "summary": "Decide on approval request",
        "description": "Approve or reject a pending approval request. Segregation-of-duties (SoD) enforcement may block self-approval.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            }
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "decider_user_id",
                  "decision"
                ],
                "properties": {
                  "decider_user_id": {
                    "type": "string",
                    "format": "uuid"
                  },
                  "decision": {
                    "type": "string",
                    "enum": [
                      "approve",
                      "reject"
                    ]
                  },
                  "rationale": {
                    "type": "string"
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Decision recorded",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "NotFound": {
            "$ref": "#/components/responses/NotFound"
          },
          "Conflict": {
            "$ref": "#/components/responses/Conflict"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/sod/policies": {
      "get": {
        "tags": [
          "Segregation of Duties"
        ],
        "summary": "List SoD policies",
        "description": "Returns all Segregation of Duties policies for the tenant.",
        "responses": {
          "200": {
            "description": "SoD policies list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/SodPolicy"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "put": {
        "tags": [
          "Segregation of Duties"
        ],
        "summary": "Upsert SoD policies",
        "description": "Replace the full set of SoD policies for the tenant.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "policies"
                ],
                "properties": {
                  "policies": {
                    "type": "array",
                    "items": {
                      "type": "object",
                      "required": [
                        "policy_name",
                        "critical_action",
                        "required_approvals"
                      ],
                      "properties": {
                        "policy_name": {
                          "type": "string"
                        },
                        "critical_action": {
                          "type": "string"
                        },
                        "required_approvals": {
                          "type": "integer",
                          "minimum": 1
                        },
                        "disallow_requester_approval": {
                          "type": "boolean",
                          "default": true
                        },
                        "allowed_approver_roles": {
                          "type": "array",
                          "items": {
                            "type": "string"
                          }
                        },
                        "is_active": {
                          "type": "boolean",
                          "default": true
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Policies updated",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/sod/violations": {
      "get": {
        "tags": [
          "Segregation of Duties"
        ],
        "summary": "List SoD violations",
        "description": "Returns Segregation of Duties violations with rule and remediation info.",
        "parameters": [
          {
            "name": "limit",
            "in": "query",
            "schema": {
              "type": "integer",
              "default": 200
            }
          },
          {
            "name": "status",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "open",
                "remediated",
                "exception"
              ]
            }
          }
        ],
        "responses": {
          "200": {
            "description": "SoD violations list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/SodViolation"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/data-governance/policy": {
      "get": {
        "tags": [
          "Data Governance"
        ],
        "summary": "Get data governance policy",
        "description": "Returns the tenant's data governance policy configuration.",
        "responses": {
          "200": {
            "description": "Data governance policy",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/DataGovernancePolicy"
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "put": {
        "tags": [
          "Data Governance"
        ],
        "summary": "Update data governance policy",
        "description": "Update export controls, retention periods, regional restrictions, and legal hold settings.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "properties": {
                  "exports_enabled": {
                    "type": "boolean"
                  },
                  "exports_require_admin": {
                    "type": "boolean"
                  },
                  "legal_hold_blocks_exports": {
                    "type": "boolean"
                  },
                  "default_retention_days": {
                    "type": "integer",
                    "minimum": 30,
                    "maximum": 3650
                  },
                  "evidence_export_retention_days": {
                    "type": "integer",
                    "minimum": 30,
                    "maximum": 3650
                  },
                  "webhook_receipt_retention_days": {
                    "type": "integer",
                    "minimum": 7,
                    "maximum": 3650
                  },
                  "allowed_regions": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  },
                  "restricted_regions": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  },
                  "block_cross_region_exports": {
                    "type": "boolean"
                  },
                  "actor_user_id": {
                    "type": "string",
                    "format": "uuid"
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Policy updated",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/data-governance/legal-holds": {
      "post": {
        "tags": [
          "Data Governance"
        ],
        "summary": "Create or release legal hold",
        "description": "Create a new legal hold or release an existing one. Active holds block export and deletion workflows.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "action",
                  "reason"
                ],
                "properties": {
                  "action": {
                    "type": "string",
                    "enum": [
                      "create",
                      "release"
                    ]
                  },
                  "hold_scope": {
                    "type": "string",
                    "default": "all"
                  },
                  "hold_id": {
                    "type": "string",
                    "format": "uuid",
                    "description": "Required when action is 'release'"
                  },
                  "reason": {
                    "type": "string"
                  },
                  "actor_user_id": {
                    "type": "string",
                    "format": "uuid"
                  },
                  "metadata": {
                    "type": "object"
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Legal hold created/released",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/LegalHold"
                }
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "NotFound": {
            "$ref": "#/components/responses/NotFound"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/entitlements": {
      "get": {
        "tags": [
          "Identity Governance"
        ],
        "summary": "List entitlements",
        "description": "Returns entitlement catalog entries (roles, groups, permissions from IdP sync).",
        "parameters": [
          {
            "name": "limit",
            "in": "query",
            "schema": {
              "type": "integer",
              "default": 50
            }
          },
          {
            "name": "system_name",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Filter by source system"
          },
          {
            "name": "type",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Entitlement type filter"
          },
          {
            "name": "risk_level",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Risk level filter"
          },
          {
            "name": "is_privileged",
            "in": "query",
            "schema": {
              "type": "boolean"
            },
            "description": "Filter privileged entitlements"
          }
        ],
        "responses": {
          "200": {
            "description": "Entitlements list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/Entitlement"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/identities": {
      "get": {
        "tags": [
          "Identity Governance"
        ],
        "summary": "List identity profiles",
        "description": "Returns identity profiles with risk scores (including MFA and drift signals).",
        "parameters": [
          {
            "name": "limit",
            "in": "query",
            "schema": {
              "type": "integer",
              "default": 200
            }
          },
          {
            "name": "employment_status",
            "in": "query",
            "schema": {
              "type": "string"
            },
            "description": "Filter by employment status"
          },
          {
            "name": "min_risk_score",
            "in": "query",
            "schema": {
              "type": "number"
            },
            "description": "Minimum identity risk score"
          }
        ],
        "responses": {
          "200": {
            "description": "Identity profiles list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/Identity"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/identities/orphaned": {
      "get": {
        "tags": [
          "Identity Governance"
        ],
        "summary": "List orphaned identities",
        "description": "Returns identities that have entitlements but no active employment record (orphaned accounts).",
        "responses": {
          "200": {
            "description": "Orphaned identities list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/Identity"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/identity/sso-config": {
      "get": {
        "tags": [
          "Identity Management"
        ],
        "summary": "Get SSO configuration",
        "description": "Returns the tenant's SSO and SCIM configuration.",
        "responses": {
          "200": {
            "description": "SSO configuration",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/SsoConfig"
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "put": {
        "tags": [
          "Identity Management"
        ],
        "summary": "Update SSO configuration",
        "description": "Update SSO enforcement, domain allowlisting, default roles, and auto-provisioning settings.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/SsoConfig"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "SSO configuration updated",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/identity/scim-mappings": {
      "get": {
        "tags": [
          "Identity Management"
        ],
        "summary": "Get SCIM group mappings",
        "description": "Returns the tenant's SCIM group-to-role mappings.",
        "responses": {
          "200": {
            "description": "SCIM mappings list",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/ScimMapping"
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      },
      "put": {
        "tags": [
          "Identity Management"
        ],
        "summary": "Update SCIM group mappings",
        "description": "Replace the full set of SCIM group-to-role mappings.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "mappings"
                ],
                "properties": {
                  "mappings": {
                    "type": "array",
                    "items": {
                      "$ref": "#/components/schemas/ScimMapping"
                    }
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "SCIM mappings updated",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/identity/scim-tokens/{id}/rotate": {
      "post": {
        "tags": [
          "Identity Management"
        ],
        "summary": "Rotate SCIM token",
        "description": "Rotate a SCIM bearer token. The new token is returned once and cannot be retrieved again.",
        "parameters": [
          {
            "name": "id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "properties": {
                  "expires_at": {
                    "type": "string",
                    "format": "date-time",
                    "nullable": true
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Token rotated — new token shown once",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "object",
                      "properties": {
                        "token": {
                          "type": "string",
                          "description": "New SCIM token — shown once"
                        },
                        "tokenId": {
                          "type": "string",
                          "format": "uuid"
                        }
                      }
                    },
                    "meta": {
                      "type": "object",
                      "properties": {
                        "rotated_at": {
                          "type": "string",
                          "format": "date-time"
                        }
                      }
                    }
                  }
                }
              }
            }
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "NotFound": {
            "$ref": "#/components/responses/NotFound"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/tprm/signals/ingest": {
      "post": {
        "tags": [
          "TPRM Signals"
        ],
        "summary": "Ingest vendor risk signals",
        "description": "Ingest external vendor risk signals into the ORI (Operational Risk Intelligence) pipeline.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "vendor_id",
                  "signals"
                ],
                "properties": {
                  "vendor_id": {
                    "type": "string",
                    "format": "uuid"
                  },
                  "signals": {
                    "type": "array",
                    "items": {
                      "type": "object",
                      "required": [
                        "source",
                        "signal_type",
                        "severity"
                      ],
                      "properties": {
                        "source": {
                          "type": "string",
                          "minLength": 1,
                          "maxLength": 100
                        },
                        "signal_type": {
                          "type": "string",
                          "minLength": 1,
                          "maxLength": 120
                        },
                        "severity": {
                          "type": "string",
                          "enum": [
                            "critical",
                            "high",
                            "medium",
                            "low",
                            "info"
                          ]
                        },
                        "confidence_score": {
                          "type": "integer",
                          "minimum": 0,
                          "maximum": 100
                        },
                        "attribution": {
                          "type": "string",
                          "enum": [
                            "confirmed",
                            "probable",
                            "weak"
                          ]
                        },
                        "observed_at": {
                          "type": "string",
                          "format": "date-time"
                        },
                        "expires_at": {
                          "type": "string",
                          "format": "date-time"
                        },
                        "external_key": {
                          "type": "string",
                          "maxLength": 200
                        },
                        "raw_ref": {
                          "type": "string",
                          "maxLength": 500
                        },
                        "payload": {
                          "type": "object"
                        },
                        "metadata": {
                          "type": "object"
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Signals ingested",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "data": {
                      "type": "object",
                      "properties": {
                        "inserted": {
                          "type": "integer"
                        },
                        "deduped": {
                          "type": "integer"
                        }
                      }
                    },
                    "meta": {
                      "$ref": "#/components/schemas/Meta"
                    }
                  }
                }
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "Forbidden": {
            "$ref": "#/components/responses/Forbidden"
          },
          "TooManyRequests": {
            "$ref": "#/components/responses/TooManyRequests"
          }
        }
      }
    },
    "/api/v1/monolith/enroll": {
      "post": {
        "tags": [
          "Monolith"
        ],
        "summary": "Agent device enrollment",
        "description": "Called by the Monolith endpoint agent during device enrollment. Authenticated via the `enroll_secret` field of the request body, not an API key.",
        "security": [],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": [
                  "enroll_secret"
                ],
                "properties": {
                  "enroll_secret": {
                    "type": "string"
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Enrollment successful",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "server_url": {
                      "type": "string"
                    },
                    "tenant_id": {
                      "type": "string",
                      "format": "uuid"
                    },
                    "agent_version": {
                      "type": "string"
                    },
                    "custom_osquery_flags": {
                      "type": "object"
                    },
                    "tier": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          }
        }
      }
    },
    "/api/v1/monolith/agent/install-script": {
      "get": {
        "tags": [
          "Monolith"
        ],
        "summary": "Get agent install script",
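        "description": "Returns a platform-specific install script with the enrollment secret embedded. Authenticated via the `secret` query parameter, not an API key. The secret is carried in the request URL, where access logs, proxies and shell history can record it, and again in the returned script, so both the URL and the script should be handled as credentials.",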
        "security": [],
        "parameters": [
          {
            "name": "secret",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
            },
            "description": "Enrollment secret"
          },
          {
            "name": "platform",
            "in": "query",
            "schema": {
              "type": "string",
              "enum": [
                "macos",
                "linux",
                "windows"
              ],
              "default": "macos"
            },
            "description": "Target platform"
          }
        ],
        "responses": {
          "200": {
            "description": "Platform-specific install script",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              }
            },
            "content": {
              "text/plain": {
                "schema": {
                  "type": "string"
                }
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          }
        }
      }
    },
    "/api/v1/portal/audit-report": {
      "get": {
        "tags": [
          "Portal"
        ],
        "summary": "Download audit report PDF",
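        "description": "Generates a compliance audit report and returns it as a PDF download. Authenticated via the `token` query parameter (auditor access token), not an API key. The token is part of the URL, so browser history, access logs and Referer headers can record it; a link containing it grants access to the report.",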
        "security": [],
        "parameters": [
          {
            "name": "token",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
            },
            "description": "Auditor access token"
          }
        ],
        "responses": {
          "200": {
            "description": "PDF audit report",
            "headers": {
              "X-RateLimit-Limit": {
                "$ref": "#/components/headers/X-RateLimit-Limit"
              },
              "X-RateLimit-Remaining": {
                "$ref": "#/components/headers/X-RateLimit-Remaining"
              },
              "X-RateLimit-Reset": {
                "$ref": "#/components/headers/X-RateLimit-Reset"
              },
              "X-Content-Hash": {
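                "description": "SHA-256 hash of the PDF content. Clients can recompute it to detect a corrupted or truncated download; since it arrives in the same response as the PDF, it does not by itself prove where the file came from.",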
                "schema": {
                  "type": "string"
                }
              },
              "Content-Disposition": {
                "description": "Attachment filename",
                "schema": {
                  "type": "string"
                }
              }
            },
            "content": {
              "application/pdf": {
                "schema": {
                  "type": "string",
                  "format": "binary"
                }
              }
            }
          },
          "BadRequest": {
            "$ref": "#/components/responses/BadRequest"
          },
          "Unauthorized": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "NotFound": {
            "$ref": "#/components/responses/NotFound"
          }
        }
      }
    }
  }
}