Download OpenAPI specification:Download
Intelligent infrastructure automation platform that automatically fixes GCP issues, optimizes costs, and prevents incidents
Authenticate user and return tokens
| email required | string (Email) |
| password required | string (Password) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{- "email": "string",
- "password": "string",
- "tenant_id": "string"
}nullRefresh Token (string) or Refresh Token (null) (Refresh Token) | |
Any of string (Refresh Token) | |
{- "refresh_token": "string"
}null| email required | string (Email) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) | |
| send_email | boolean (Send Email) Default: true |
{- "email": "string",
- "tenant_id": "string",
- "send_email": true
}null| project_id required | string (Project Id) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{- "project_id": "string",
- "tenant_id": "string"
}nullStart password reset flow. Always return success to avoid user enumeration.
Behavior:
| email required | string (Email) |
{- "email": "string"
}nullComplete password reset given a valid token and new password.
| token required | string (Token) |
| new_password required | string (New Password) |
{- "token": "string",
- "new_password": "string"
}nullSet password post-signup given a one-time token and new password.
| token required | string (Token) |
| new_password required | string (New Password) |
{- "token": "string",
- "new_password": "string"
}nullSend a one-time MFA code to the user's email (idempotent and non-enumerating).
| email required | string (Email) |
{- "email": "string"
}null| email required | string (Email) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{- "email": "string",
- "tenant_id": "string"
}nullDeprecated alias for register/challenge; kept for test/backwards compat.
Requires authentication. When called without a valid bearer token, FastAPI will return 401 via the get_security_context dependency.
For authenticated callers, we simply acknowledge the endpoint without performing any registration logic (the SPA should use /webauthn/register/challenge).
null| email required | string (Email) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{- "email": "string",
- "tenant_id": "string"
}nullBackwards-compatible alias for login challenge used by tests.
This implementation is intentionally lightweight and avoids DB dependencies so it can run in smoke/test environments even when PostgreSQL is unavailable. It returns a minimal WebAuthn options structure with a publicKey field so tests can validate shape.
| email required | string (Email) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{- "email": "string",
- "tenant_id": "string"
}null| email required | string (Email) |
required | object (Assertion) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{- "email": "string",
- "assertion": { },
- "tenant_id": "string"
}nullAuthenticate user via Google OAuth and return tokens
| id_token required | string (Id Token) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{- "id_token": "string",
- "tenant_id": "string"
}nullCreate API key for programmatic access
| description | string (Description) Default: "" |
{- "description": ""
}nullGenerate a new TOTP secret for authenticator app setup.
Returns a QR code URI and secret for the user to configure their authenticator app. The setup is not complete until /totp/verify is called.
{- "qr_uri": "string",
- "secret": "string",
- "issuer": "SmartSRE"
}Verify a TOTP code to complete authenticator setup.
This is the final step of TOTP enrollment. The user must enter a valid code from their authenticator app to confirm the secret is correctly configured.
Returns recovery codes that should be saved securely.
| code required | string (Code) = 6 characters 6-digit TOTP code |
{- "code": "string"
}{- "status": "success",
- "recovery_codes": [
- "string"
], - "message": "TOTP authentication enabled successfully"
}Disable TOTP authentication.
Requires the current TOTP code to confirm the user has access to their authenticator.
| code required | string (Code) = 6 characters Current TOTP code to confirm |
{- "code": "string"
}nullGet current MFA configuration status for the authenticated user.
Returns which MFA methods are enabled and whether MFA is required based on the user's permissions.
{- "mfa_enabled": true,
- "totp_enabled": true,
- "webauthn_enabled": true,
- "recovery_codes_remaining": 0,
- "mfa_required": true
}Get recent signals for the current tenant.
| page | integer (Page) Default: 1 |
| page_size | integer (Page Size) Default: 50 |
Status (string) or Status (null) (Status) | |
Service Name (string) or Service Name (null) (Service Name) | |
Severity (string) or Severity (null) (Severity) | |
Sort (string) or Sort (null) (Sort) | |
Sort Dir (string) or Sort Dir (null) (Sort Dir) |
nullGet recent automations for the current tenant.
| page | integer (Page) Default: 1 |
| page_size | integer (Page Size) Default: 50 |
| sort | string (Sort) Default: "started_at" |
| sort_dir | string (Sort Dir) Default: "desc" |
nullSummarize automations using AgentRun as the source of truth.
Returns totals and status distribution for the selected window (default 30d).
| hours | integer (Hours) [ 1 .. 4320 ] Default: 720 |
nullReturn normalized automation rows based on AgentRun for the current tenant.
Shape is stable for UI consumption:
| page | integer (Page) >= 1 Default: 1 |
| page_size | integer (Page Size) [ 1 .. 200 ] Default: 25 |
| sort | string (Sort) Default: "started_at" |
| sort_dir | string (Sort Dir) Default: "desc" |
Service (string) or Service (null) (Service) | |
Status (string) or Status (null) (Status) |
nullSubmit feedback for an automation execution.
Body: { "useful": boolean, "comment": string }
| automation_id required | string (Automation Id) |
| property name* additional property | any |
{ }nullHandle complex multi-service incidents with orchestration
| property name* additional property | any |
{ }nullProxy convenience endpoint returning the current incident status.
Mirrors the data returned by /incidents/{incident_id}/status so clients
using the shorter path keep working.
| incident_id required | string (Incident Id) |
nullCreate an approval request from an SmartSRE change_set.
This bridges advise → approval by packaging the change_set with minimal risk information so approvers can review and authorize remediation.
Uses propose_changes permission (new) or falls back to manage_services (legacy).
| service required | string (Service) Enum: "cloudrun" "gke" "bigquery" "cloudsql" "gcs" "gce" "pubsub" "secretmgr" |
required | object (ChangeSet) |
Title (string) or Title (null) (Title) Optional human-friendly title | |
RiskInfo (object) or null | |
Estimated Impact (object) or Estimated Impact (null) (Estimated Impact) |
{- "service": "cloudrun",
- "change_set": {
- "steps": [
- {
- "id": "string",
- "service": "cloudrun",
- "resource_ref": {
- "service": "cloudrun",
- "name": "string",
- "full_path": "string"
}, - "action": "string",
- "params": { },
- "dry_run_cmd": "string",
- "apply_cmd": "string",
- "equivalent_command": "string",
- "prechecks": [
- {
- "id": "string",
- "description": "string",
- "required": true
}
], - "rollback": {
- "description": "string",
- "steps": [
- "string"
], - "manual": false
}, - "idempotency_key": "string"
}
], - "summary": "string"
}, - "title": "string",
- "risk": {
- "level": "low",
- "rationale": "string"
}, - "estimated_impact": { }
}{ }Process approval decision (approve/reject).
Enforces maker-checker pattern: the user who requested the approval cannot be the same user who approves it (unless platform admin bypass).
| approval_id required | string (Approval Id) |
| property name* additional property | any |
{ }{ }Update the stored change_set for a pending approval.
| approval_id required | string (Approval Id) |
| property name* additional property | any |
{ }{ }Cancel a pending approval request.
| approval_id required | string (Approval Id) |
| property name* additional property | any |
{ }{ }Request a rollback for a specific automation (step 1 of maker-checker).
Creates a pending rollback request that must be approved before execution.
| automation_id required | string (Automation Id) |
| property name* additional property | any |
{ }nullApprove a pending rollback request (step 2 of maker-checker).
Enforces maker ≠ checker: the requester cannot approve their own request.
| request_id required | string (Request Id) |
| property name* additional property | any |
{ }nullExecute an approved rollback request (step 3 of maker-checker).
Only approved rollback requests can be executed.
| request_id required | string (Request Id) |
| dry_run | boolean (Dry Run) Default: false |
nullTrigger rollback via ChangeSetExecutor (legacy endpoint).
RBAC: execute_rollbacks or (manage_services + approve_automations)
| automation_id required | string (Automation Id) |
| dry_run | boolean (Dry Run) Default: false |
nullRollback a complete orchestration
| orchestration_id required | string (Orchestration Id) |
| property name* additional property | any |
{ }nullGet tenant information and configuration.
Platform admins can fetch any tenant even when their current token has no tenant_id set. Non-admin callers must match their own tenant.
| tenant_id required | string <uuid> (Tenant Id) |
{ }Update tenant configuration.
| tenant_id required | string <uuid> (Tenant Id) |
| property name* additional property | any |
{ }{ }Upgrade tenant to new subscription tier.
| tenant_id required | string <uuid> (Tenant Id) |
| property name* additional property | any |
{ }{ }Suspend tenant account.
| tenant_id required | string <uuid> (Tenant Id) |
| property name* additional property | any |
{ }{ }List all GCP projects for a tenant.
| tenant_id required | string <uuid> (Tenant Id) |
[- {
- "project_id": "string",
- "project_name": "string",
- "region": "string",
- "environment": "string",
- "is_active": true,
- "service_account_email": "string",
- "project_config": { },
- "automations_enabled": false,
- "last_quick_discovery_at": { },
- "last_quick_discovery_summary": { },
- "monthly_budget_usd": 0
}
]Get tenant notification preferences.
| tenant_id required | string <uuid> (Tenant Id) |
{- "email_alerts": false,
- "slack_integration": false,
- "sms_alerts": false,
- "channels": {
- "property1": {
- "enabled": false,
- "recipients": [
- "string"
], - "webhook_url": "string"
}, - "property2": {
- "enabled": false,
- "recipients": [
- "string"
], - "webhook_url": "string"
}
}
}Update tenant notification preferences.
| tenant_id required | string <uuid> (Tenant Id) |
| email_alerts | boolean (Email Alerts) Default: false |
| slack_integration | boolean (Slack Integration) Default: false |
| sms_alerts | boolean (Sms Alerts) Default: false |
Channels (object) or Channels (null) (Channels) |
{- "email_alerts": false,
- "slack_integration": false,
- "sms_alerts": false,
- "channels": {
- "property1": {
- "enabled": false,
- "recipients": [
- "string"
], - "webhook_url": "string"
}, - "property2": {
- "enabled": false,
- "recipients": [
- "string"
], - "webhook_url": "string"
}
}
}{- "email_alerts": false,
- "slack_integration": false,
- "sms_alerts": false,
- "channels": {
- "property1": {
- "enabled": false,
- "recipients": [
- "string"
], - "webhook_url": "string"
}, - "property2": {
- "enabled": false,
- "recipients": [
- "string"
], - "webhook_url": "string"
}
}
}Enable or disable automations for a specific GCP project.
| tenant_id required | string <uuid> (Tenant Id) |
| project_id required | string (Project Id) |
| automations_enabled required | boolean (Automations Enabled) |
{- "automations_enabled": true
}{ }Enable or disable a GCP project (active status).
| tenant_id required | string <uuid> (Tenant Id) |
| project_id required | string (Project Id) |
| is_active required | boolean (Is Active) |
{- "is_active": true
}{ }Update persisted preferences such as persona.
Stores values in Tenant.risk_config under preferences.
| tenant_id required | string <uuid> (Tenant Id) |
Persona (string) or Persona (null) (Persona) sre | finops | executive | |
Any of string (Persona) sre | finops | executive | |
{- "persona": "string"
}{ }Update per‑service risk guardrails for Cloud SQL (approval gating, allowed hours).
| tenant_id required | string <uuid> (Tenant Id) |
Cloudsql Require Approval (boolean) or Cloudsql Require Approval (null) (Cloudsql Require Approval) | |
Array of Cloudsql Allowed Hours (integers) or Cloudsql Allowed Hours (null) (Cloudsql Allowed Hours) [start,end] in 0..24 UTC | |
Gke Max Nodes (integer) or Gke Max Nodes (null) (Gke Max Nodes) | |
Gke Min Nodes (integer) or Gke Min Nodes (null) (Gke Min Nodes) | |
Gke Max Hpa Max (integer) or Gke Max Hpa Max (null) (Gke Max Hpa Max) | |
Bigquery Max Slots (integer) or Bigquery Max Slots (null) (Bigquery Max Slots) | |
Bigquery Min Slots (integer) or Bigquery Min Slots (null) (Bigquery Min Slots) | |
Bigquery Require Approval (boolean) or Bigquery Require Approval (null) (Bigquery Require Approval) | |
Array of Cloudrun Allowed Ops (strings) or Cloudrun Allowed Ops (null) (Cloudrun Allowed Ops) | |
Array of Bigquery Allowed Ops (strings) or Bigquery Allowed Ops (null) (Bigquery Allowed Ops) | |
Array of Gke Allowed Ops (strings) or Gke Allowed Ops (null) (Gke Allowed Ops) | |
Array of Cloudsql Allowed Ops (strings) or Cloudsql Allowed Ops (null) (Cloudsql Allowed Ops) | |
Array of Gcs Allowed Ops (strings) or Gcs Allowed Ops (null) (Gcs Allowed Ops) | |
Array of Secretmgr Allowed Ops (strings) or Secretmgr Allowed Ops (null) (Secretmgr Allowed Ops) | |
CloudSQLGuardrails (object) or null Cloud SQL guardrails (nested shape) | |
BigQueryGuardrails (object) or null BigQuery guardrails (nested shape) | |
GKEGuardrails (object) or null GKE guardrails (nested shape) | |
CloudRunGuardrails (object) or null Cloud Run guardrails (nested shape) | |
SimpleOpsGuardrails (object) or null Cloud Storage guardrails (nested shape) | |
SimpleOpsGuardrails (object) or null Secret Manager guardrails (nested shape) |
{- "cloudsql_require_approval": true,
- "cloudsql_allowed_hours": [
- 0
], - "gke_max_nodes": 0,
- "gke_min_nodes": 0,
- "gke_max_hpa_max": 0,
- "bigquery_max_slots": 0,
- "bigquery_min_slots": 0,
- "bigquery_require_approval": true,
- "cloudrun_allowed_ops": [
- "string"
], - "bigquery_allowed_ops": [
- "string"
], - "gke_allowed_ops": [
- "string"
], - "cloudsql_allowed_ops": [
- "string"
], - "gcs_allowed_ops": [
- "string"
], - "secretmgr_allowed_ops": [
- "string"
], - "cloud_sql": {
- "require_approval": true,
- "allowed_hours": [
- 0
], - "allowed_ops": [
- "string"
]
}, - "bigquery": {
- "min_slots": 0,
- "max_slots": 0,
- "require_approval": true,
- "allowed_ops": [
- "string"
], - "max_cost_impact_auto_percent": 0
}, - "gke": {
- "min_nodes": 0,
- "max_nodes": 0,
- "max_hpa_max": 0,
- "allowed_ops": [
- "string"
]
}, - "cloudrun": {
- "allowed_ops": [
- "string"
], - "max_cost_impact_auto_percent": 0
}, - "gcs": {
- "allowed_ops": [
- "string"
]
}, - "secretmgr": {
- "allowed_ops": [
- "string"
]
}
}{ }Update tenant-level risk global settings.
| tenant_id required | string <uuid> (Tenant Id) |
Automation Enabled (boolean) or Automation Enabled (null) (Automation Enabled) Master switch for automation execution | |
Auto Execution Enabled (boolean) or Auto Execution Enabled (null) (Auto Execution Enabled) Back-compat alias; many agents read this flag for auto-execution | |
Require Approval For High Risk (boolean) or Require Approval For High Risk (null) (Require Approval For High Risk) If true, high/critical actions require explicit approval | |
Auto Approve Rollbacks (boolean) or Auto Approve Rollbacks (null) (Auto Approve Rollbacks) If true, safe rollbacks may bypass approval | |
Business Hours Only (boolean) or Business Hours Only (null) (Business Hours Only) If true, automation only during business hours | |
Max Cost Impact Auto (number) or Max Cost Impact Auto (null) (Max Cost Impact Auto) Maximum % cost impact allowed for auto-execution | |
Max Cost Impact Approval (number) or Max Cost Impact Approval (null) (Max Cost Impact Approval) Maximum % cost impact allowed with approval | |
Risk Profile (string) or Risk Profile (null) (Risk Profile) Risk profile key (conservative|balanced|aggressive|custom) |
{- "automation_enabled": true,
- "auto_execution_enabled": true,
- "require_approval_for_high_risk": true,
- "auto_approve_rollbacks": true,
- "business_hours_only": true,
- "max_cost_impact_auto": 0,
- "max_cost_impact_approval": 0,
- "risk_profile": "string"
}{ }Update scheduler settings (admin/platform-admin).
| tenant_id required | string <uuid> (Tenant Id) |
Enabled (boolean) or Enabled (null) (Enabled) Enable periodic scans | |
Array of Services (strings) or Services (null) (Services) Subset of services, e.g., ['cloudrun','gcs','bigquery'] | |
Interval Minutes (integer) or Interval Minutes (null) (Interval Minutes) Advise interval minutes (tenant override) |
{- "enabled": true,
- "services": [
- "string"
], - "interval_minutes": 0
}{ }Assign or change a user's role within the tenant.
| tenant_id required | string <uuid> (Tenant Id) |
| user_email required | string (User Email) User email to assign role to |
| role_name required | string (Role Name) Role name to assign (e.g., user, viewer, admin, platform_admin) |
{- "user_email": "string",
- "role_name": "string"
}{ }Update configuration for a specific agent type
| agent_type required | string (Agent Type) |
| property name* additional property | any |
{ }nullList users with an indicator whether a password_hash is present (admin only).
Returns up to limit users ordered by creation time desc with fields:
| limit | integer (Limit) Default: 100 |
nullGet audit events for the current tenant
| limit | integer (Limit) [ 1 .. 1000 ] Default: 100 |
| hours | integer (Hours) [ 1 .. 168 ] Default: 24 |
Category (string) or Category (null) (Category) | |
Level (string) or Level (null) (Level) |
nullList recent automations with cost impact for cost history/accuracy views.
| days | integer (Days) [ 1 .. 365 ] Default: 30 |
Service (string) or Service (null) (Service) Optional service filter (e.g., cloudrun, bigquery, gke, cloudsql) | |
| limit | integer (Limit) [ 1 .. 500 ] Default: 100 |
nullTenant-scoped health analytics built from agent runs and findings.
| days | integer (Days) [ 1 .. 90 ] Default: 30 |
Project Id (string) or Project Id (null) (Project Id) Filter by GCP project id/number when present in scan scope | |
Service (string) or Service (null) (Service) Filter by agent service | |
| bucket | string (Bucket) ^(day|week)$ Default: "day" Aggregation bucket for trend data |
null| limit | integer (Limit) [ 1 .. 10 ] Default: 5 |
| property name* additional property | any |
{ }nullGet current quota usage status for the authenticated tenant.
FIX Critical Bug C2: Previously called get_plan_limits(context.tenant_id) which expects a tier name. Also referenced undefined variables in response.
Returns monthly or hourly advisor run quota usage and limits.
| quota_type | string (Quota Type) ^(monthly|hourly)$ Default: "monthly" |
nullExecute an agent action. Used by internal automation runners.
agent_type: one of [cloudrun, gke, bigquery, cloudsql] payload: normalized alert dict expected by the specific agent
| agent_type required | string (Agent Type) |
| property name* additional property | any |
{ }nullLightweight agent health endpoint for supervisory checks.
This reflects whether we have a first-class in-process agent implementation for the given service key (e.g. cloudrun, bigquery, gke, cloudsql). Other services are handled via generic tooling pipelines and do not expose a dedicated agent health surface.
| agent_type required | string (Agent Type) |
nullProvision/register an agent for a service.
For now, this verifies local agent availability and returns a basic status. For advise-only services, it returns provisioned=true without performing external health probes.
| service required | string (Service) |
nullAsync advise endpoint with quota enforcement.
Args: run_type: "monitoring" (unlimited) or "advisor" (metered, enforces quota)
| service required | string (Service) |
| run_type | string (Run Type) ^(monitoring|advisor)$ Default: "advisor" |
| tenant_id required | string (Tenant Id) |
| service required | string (Service) Enum: "cloudrun" "gke" "bigquery" "cloudsql" "gcs" "gce" "pubsub" "secretmgr" |
ScopeSelector (object) or null | |
Scope Id (string) or Scope Id (null) (Scope Id) | |
Options (object) or Options (null) (Options) | |
Run Id (string) or Run Id (null) (Run Id) |
{- "tenant_id": "string",
- "service": "cloudrun",
- "scope": {
- "project_ids": [
- "string"
], - "labels": {
- "property1": "string",
- "property2": "string"
}
}, - "scope_id": "string",
- "options": { },
- "run_id": "string"
}{- "job_id": "string",
- "run_id": "string",
- "status": "queued"
}Async remediation endpoint.
| service required | string (Service) |
| tenant_id required | string (Tenant Id) |
| service required | string (Service) Enum: "cloudrun" "gke" "bigquery" "cloudsql" "gcs" "gce" "pubsub" "secretmgr" |
required | object (ChangeSet) |
Run Id (string) or Run Id (null) (Run Id) | |
Guardrails (object) or null | |
Automation Id (string) or Automation Id (null) (Automation Id) |
{- "tenant_id": "string",
- "service": "cloudrun",
- "approved_change_set": {
- "steps": [
- {
- "id": "string",
- "service": "cloudrun",
- "resource_ref": {
- "service": "cloudrun",
- "name": "string",
- "full_path": "string"
}, - "action": "string",
- "params": { },
- "dry_run_cmd": "string",
- "apply_cmd": "string",
- "equivalent_command": "string",
- "prechecks": [
- {
- "id": "string",
- "description": "string",
- "required": true
}
], - "rollback": {
- "description": "string",
- "steps": [
- "string"
], - "manual": false
}, - "idempotency_key": "string"
}
], - "summary": "string"
}, - "run_id": "string",
- "guardrails": {
- "dry_run": true,
- "max_concurrency": 0,
- "blast_radius_limit": 0
}, - "automation_id": "string"
}{- "job_id": "string",
- "run_id": "string",
- "status": "queued"
}Return stored artifacts (diagnostics, prompts, reports) for a run.
| run_id required | string (Run Id) |
| limit | integer (Limit) [ 1 .. 200 ] Default: 50 |
| offset | integer (Offset) >= 0 Default: 0 |
nullEdit a pending change set. Resets approval status and updates the plan steps.
| change_set_id required | string (Change Set Id) |
required | Array of objects (Steps) Full list of steps to replace current steps |
Reason (string) or Reason (null) (Reason) Reason for the edit |
{- "steps": [
- { }
], - "reason": "string"
}nullReturn the materialized run_view snapshot. If since_version is provided and the snapshot has not advanced, return an unchanged marker.
| run_id required | string (Run Id) |
Since Version (integer) or Since Version (null) (Since Version) |
nullList findings for the current tenant (RBAC: view_analytics or read_automations).
Service (string) or Service (null) (Service) | |
Severity (string) or Severity (null) (Severity) | |
Run (string) or Run (null) (Run) Run UUID or external id | |
| limit | integer (Limit) [ 1 .. 500 ] Default: 50 |
| offset | integer (Offset) >= 0 Default: 0 |
nullPlatform admin dashboard: latest agent runs with findings/artifacts.
| tenant_id required | string <uuid> (Tenant Id) |
| per_service | integer (Per Service) [ 1 .. 5 ] Default: 1 |
| finding_limit | integer (Finding Limit) [ 0 .. 50 ] Default: 10 |
| artifact_limit | integer (Artifact Limit) [ 0 .. 20 ] Default: 5 |
nullList agent runs for the current tenant (RBAC: view_analytics or read_automations).
Service (string) or Service (null) (Service) | |
Status (string) or Status (null) (Status) | |
Scope Id (string) or Scope Id (null) (Scope Id) Filter by Scope ID | |
Parent Id (string) or Parent Id (null) (Parent Id) Filter by parent run id | |
| root_only | boolean (Root Only) Default: false If true, only runs without a parent (parent_run_id is null) |
| limit | integer (Limit) [ 1 .. 500 ] Default: 50 |
| offset | integer (Offset) >= 0 Default: 0 |
nullSimulate how the current risk configuration would treat a proposed change.
Uses the authoritative AdvancedRiskEngine to determine the decision, ensuring parity with actual workflow execution logic (Profiles + Financial Limits + Heuristics).
| service required | string (Service) Service identifier, e.g. cloudrun, bigquery, gke, cloudsql, gcs |
| change_description required | string (Change Description) Human-readable description of the proposed change |
Estimated Monthly Cost Change (number) or Estimated Monthly Cost Change (null) (Estimated Monthly Cost Change) Estimated monthly cost delta in percent (positive for increase) | |
Risk Level Hint (string) or Risk Level Hint (null) (Risk Level Hint) Optional risk level hint if already assessed |
{- "service": "string",
- "change_description": "string",
- "estimated_monthly_cost_change": 0,
- "risk_level_hint": "string"
}{ }Submit user feedback on a specific agent synthesis pattern. This feedback is used to improve future synthesis prompts.
| run_id required | string (Run Id) Run ID this feedback applies to |
| pattern_id required | string (Pattern Id) ^[a-z0-9_]+_[a-f0-9]{8}$ Canonical pattern ID (service_hash) |
| sentiment required | string (Sentiment) ^(useful|not_useful)$ Sentiment |
Reason (string) or Reason (null) (Reason) Reason for negative feedback | |
Comment (string) or Comment (null) (Comment) Free text comment |
{- "run_id": "string",
- "pattern_id": "string",
- "sentiment": "string",
- "reason": "string",
- "comment": "string"
}nullPersist report schedule under tenant.risk_config.report_schedule.
| recipients required | Array of strings (Recipients) |
| cadence | string (Cadence) Default: "monthly" |
| day_of_month | integer (Day Of Month) [ 1 .. 28 ] Default: 1 |
| time | string (Time) Default: "09:00" |
| timezone | string (Timezone) Default: "Asia/Kolkata" |
{- "recipients": [
- "string"
], - "cadence": "monthly",
- "day_of_month": 1,
- "time": "09:00",
- "timezone": "Asia/Kolkata"
}nullReturn onboarding status for the authenticated tenant (SPA flow).
Mirrors the information shape expected by the frontend:
nullUpdate onboarding step for the authenticated tenant (SPA flow).
| step_id required | string (Step Id) |
| status | string (Status) Default: "completed" |
object (Data) Default: {} |
{- "status": "completed",
- "data": { }
}nullSelf-service customer signup with automated tenant creation Creates tenant, sends welcome email, and starts onboarding flow
| organization_name required | string (Organization Name) |
| admin_email required | string (Admin Email) |
| admin_name required | string (Admin Name) |
| subscription_tier | string (Subscription Tier) Default: "starter" |
Company Size (string) or Company Size (null) (Company Size) | |
Use Case (string) or Use Case (null) (Use Case) | |
Referral Source (string) or Referral Source (null) (Referral Source) | |
Password (string) or Password (null) (Password) |
{- "organization_name": "string",
- "admin_email": "string",
- "admin_name": "string",
- "subscription_tier": "starter",
- "company_size": "string",
- "use_case": "string",
- "referral_source": "string",
- "password": "string"
}{- "status": "success",
- "tenant_id": "string",
- "organization_name": "string",
- "estimated_setup_time": "string",
- "next_url": "string",
- "next_steps": [
- "string"
]
}Return tenant metadata for a given GCP project (dev/test helper guarded by reset token).
| gcp_project_id required | string (Gcp Project Id) |
{- "tenant_id": "string",
- "organization_name": "string",
- "project_id": "string",
- "completion_percentage": 0,
- "current_step": 0,
- "total_steps": 0
}Google OAuth-based signup that auto-creates a tenant.
| id_token required | string (Id Token) |
| organization_name required | string (Organization Name) |
Admin Name (string) or Admin Name (null) (Admin Name) | |
| subscription_tier | string (Subscription Tier) Default: "starter" |
Company Size (string) or Company Size (null) (Company Size) | |
Use Case (string) or Use Case (null) (Use Case) | |
Referral Source (string) or Referral Source (null) (Referral Source) |
{- "id_token": "string",
- "organization_name": "string",
- "admin_name": "string",
- "subscription_tier": "starter",
- "company_size": "string",
- "use_case": "string",
- "referral_source": "string"
}nullDetect active services in the specified GCP project.
This endpoint now returns immediately (202 Accepted) and performs discovery in the background.
| project_id required | string (Project Id) |
Array of Services (strings) or Services (null) (Services) |
{- "project_id": "string",
- "services": [
- "string"
]
}nullTrigger the automated validation and discovery saga in the background.
| project_id required | string (Project Id) |
{- "project_id": "string"
}nullGET variant of GCP validation to support simple curl/browser calls.
Uses the authenticated tenant from the SecurityContext. The optional customer_id query parameter is accepted for compatibility but is not required and is ignored if it does not match the authenticated tenant.
Customer Id (string) or Customer Id (null) (Customer Id) |
nullReturn an automation-focused setup script for a single service.
This is used when a tenant initially configured discovery-only access and later opts into automation for a specific service. The script is idempotent and safe to re-run; it reuses the same impersonation-based model as the primary GCP setup flow.
| service required | string (Service) Service key to enable automation for (e.g. cloudrun, bigquery, cloudsql) |
nullSave risk configuration during onboarding
| auto_apply_cost_threshold | number (Auto Apply Cost Threshold) Default: 50 |
| auto_apply_risk_level | string (Auto Apply Risk Level) Default: "low" Enum: "low" "medium" "high" |
| require_approval_for_production | boolean (Require Approval For Production) Default: true |
| require_approval_for_cost_above | number (Require Approval For Cost Above) Default: 500 |
| approval_timeout_hours | integer (Approval Timeout Hours) Default: 24 |
| allowed_services_for_auto_apply | Array of strings (Allowed Services For Auto Apply) Default: ["cloudrun","gcs"] |
| blocked_services | Array of strings (Blocked Services) Default: [] |
| notify_on_auto_apply | boolean (Notify On Auto Apply) Default: true |
| notify_channels | Array of strings (Notify Channels) Default: ["email"] |
{- "auto_apply_cost_threshold": 50,
- "auto_apply_risk_level": "low",
- "require_approval_for_production": true,
- "require_approval_for_cost_above": 500,
- "approval_timeout_hours": 24,
- "allowed_services_for_auto_apply": [
- "cloudrun",
- "gcs"
], - "blocked_services": [ ],
- "notify_on_auto_apply": true,
- "notify_channels": [
- "email"
]
}nullSave compliance checklist for enterprise tier
| sso_configured | boolean (Sso Configured) Default: false |
| mfa_enforced | boolean (Mfa Enforced) Default: false |
| audit_logging_enabled | boolean (Audit Logging Enabled) Default: true |
| data_retention_days | integer (Data Retention Days) Default: 2555 |
| encryption_at_rest | boolean (Encryption At Rest) Default: true |
| encryption_in_transit | boolean (Encryption In Transit) Default: true |
| principle_of_least_privilege | boolean (Principle Of Least Privilege) Default: false |
| regular_access_reviews | boolean (Regular Access Reviews) Default: false |
| gdpr_compliant | boolean (Gdpr Compliant) Default: false |
| soc2_compliant | boolean (Soc2 Compliant) Default: false |
| iso27001_compliant | boolean (Iso27001 Compliant) Default: false |
| incident_response_plan | boolean (Incident Response Plan) Default: false |
| security_contacts_configured | boolean (Security Contacts Configured) Default: false |
{- "sso_configured": false,
- "mfa_enforced": false,
- "audit_logging_enabled": true,
- "data_retention_days": 2555,
- "encryption_at_rest": true,
- "encryption_in_transit": true,
- "principle_of_least_privilege": false,
- "regular_access_reviews": false,
- "gdpr_compliant": false,
- "soc2_compliant": false,
- "iso27001_compliant": false,
- "incident_response_plan": false,
- "security_contacts_configured": false
}nullSend a team invitation.
| email required | string (Email) |
Name (string) or Name (null) (Name) | |
| role | string (Role) Default: "user" Enum: "user" "viewer" "admin" "platform_admin" |
{- "email": "string",
- "name": "string",
- "role": "user"
}nullSave risk guardrails during onboarding. Bypasses the 'manage_risk_config' permission check (which requires MFA) as this is part of the initial setup flow for authenticated admins.
Cloudsql Require Approval (boolean) or Cloudsql Require Approval (null) (Cloudsql Require Approval) | |
Array of Cloudsql Allowed Hours (integers) or Cloudsql Allowed Hours (null) (Cloudsql Allowed Hours) [start,end] in 0..24 UTC | |
Gke Max Nodes (integer) or Gke Max Nodes (null) (Gke Max Nodes) | |
Gke Min Nodes (integer) or Gke Min Nodes (null) (Gke Min Nodes) | |
Gke Max Hpa Max (integer) or Gke Max Hpa Max (null) (Gke Max Hpa Max) | |
Bigquery Max Slots (integer) or Bigquery Max Slots (null) (Bigquery Max Slots) | |
Bigquery Min Slots (integer) or Bigquery Min Slots (null) (Bigquery Min Slots) | |
Bigquery Require Approval (boolean) or Bigquery Require Approval (null) (Bigquery Require Approval) | |
Array of Cloudrun Allowed Ops (strings) or Cloudrun Allowed Ops (null) (Cloudrun Allowed Ops) | |
Array of Bigquery Allowed Ops (strings) or Bigquery Allowed Ops (null) (Bigquery Allowed Ops) | |
Array of Gke Allowed Ops (strings) or Gke Allowed Ops (null) (Gke Allowed Ops) | |
Array of Cloudsql Allowed Ops (strings) or Cloudsql Allowed Ops (null) (Cloudsql Allowed Ops) | |
Array of Gcs Allowed Ops (strings) or Gcs Allowed Ops (null) (Gcs Allowed Ops) | |
Array of Secretmgr Allowed Ops (strings) or Secretmgr Allowed Ops (null) (Secretmgr Allowed Ops) | |
CloudSQLGuardrails (object) or null | |
BigQueryGuardrails (object) or null | |
GKEGuardrails (object) or null | |
CloudRunGuardrails (object) or null | |
SimpleOpsGuardrails (object) or null | |
SimpleOpsGuardrails (object) or null |
{- "cloudsql_require_approval": true,
- "cloudsql_allowed_hours": [
- 0
], - "gke_max_nodes": 0,
- "gke_min_nodes": 0,
- "gke_max_hpa_max": 0,
- "bigquery_max_slots": 0,
- "bigquery_min_slots": 0,
- "bigquery_require_approval": true,
- "cloudrun_allowed_ops": [
- "string"
], - "bigquery_allowed_ops": [
- "string"
], - "gke_allowed_ops": [
- "string"
], - "cloudsql_allowed_ops": [
- "string"
], - "gcs_allowed_ops": [
- "string"
], - "secretmgr_allowed_ops": [
- "string"
], - "cloud_sql": {
- "require_approval": true,
- "allowed_hours": [
- 0
], - "allowed_ops": [
- "string"
]
}, - "bigquery": {
- "min_slots": 0,
- "max_slots": 0,
- "require_approval": true,
- "allowed_ops": [
- "string"
], - "max_cost_impact_auto_percent": 0
}, - "gke": {
- "min_nodes": 0,
- "max_nodes": 0,
- "max_hpa_max": 0,
- "allowed_ops": [
- "string"
]
}, - "cloudrun": {
- "allowed_ops": [
- "string"
], - "max_cost_impact_auto_percent": 0
}, - "gcs": {
- "allowed_ops": [
- "string"
]
}, - "secretmgr": {
- "allowed_ops": [
- "string"
]
}
}{ }Create a new custom workflow
| name required | string (Name) |
Description (string) or Description (null) (Description) Default: "" | |
required | Array of objects (Nodes) |
required | Array of objects (Edges) |
| enabled | boolean (Enabled) Default: true |
| tags | Array of strings (Tags) Default: [] |
Scope Id (string) or Scope Id (null) (Scope Id) | |
State Schema (object) or State Schema (null) (State Schema) |
{- "name": "string",
- "description": "",
- "nodes": [
- {
- "id": "string",
- "type": "AgentNode",
- "config": { },
- "data": { }
}
], - "edges": [
- {
- "source": "string",
- "target": "string",
- "condition": "string"
}
], - "enabled": true,
- "tags": [ ],
- "scope_id": "string",
- "state_schema": { }
}nullUpdate an existing workflow
| workflow_id required | string (Workflow Id) |
| name required | string (Name) |
Description (string) or Description (null) (Description) Default: "" | |
required | Array of objects (Nodes) |
required | Array of objects (Edges) |
| enabled | boolean (Enabled) Default: true |
| tags | Array of strings (Tags) Default: [] |
Scope Id (string) or Scope Id (null) (Scope Id) | |
State Schema (object) or State Schema (null) (State Schema) |
{- "name": "string",
- "description": "",
- "nodes": [
- {
- "id": "string",
- "type": "AgentNode",
- "config": { },
- "data": { }
}
], - "edges": [
- {
- "source": "string",
- "target": "string",
- "condition": "string"
}
], - "enabled": true,
- "tags": [ ],
- "scope_id": "string",
- "state_schema": { }
}nullExecute a workflow (Saved only for V2 engine)
Workflow Id (string) or Workflow Id (null) (Workflow Id) | |
Array of Nodes (objects) or Nodes (null) (Nodes) | |
Array of Edges (objects) or Edges (null) (Edges) | |
object (Input) Default: {} | |
Trigger Data (object) or Trigger Data (null) (Trigger Data) |
{- "workflow_id": "string",
- "nodes": [
- { }
], - "edges": [
- { }
], - "input": { },
- "trigger_data": { }
}nullResume a paused workflow execution (Human-in-the-Loop)
| execution_id required | string (Execution Id) |
| decision required | string (Decision) |
object (State Updates) Default: {} |
{- "decision": "string",
- "state_updates": { }
}nullCreate a new custom workflow template for the tenant.
| name required | string (Name) |
required | Description (string) or Description (null) (Description) |
required | object (Definition) |
{- "name": "string",
- "description": "string",
- "definition": { }
}{- "id": "string",
- "name": "string",
- "description": "string",
- "definition": { },
- "is_system": true,
- "version": 0
}Update an existing custom workflow template.
| template_id required | string (Template Id) |
required | Name (string) or Name (null) (Name) |
required | Description (string) or Description (null) (Description) |
required | Definition (object) or Definition (null) (Definition) |
{- "name": "string",
- "description": "string",
- "definition": { }
}{- "id": "string",
- "name": "string",
- "description": "string",
- "definition": { },
- "is_system": true,
- "version": 0
}Automatically diagnose an issue and provide troubleshooting steps
| issue_description required | string (Issue Description) |
Error Message (string) or Error Message (null) (Error Message) | |
Context (object) or Context (null) (Context) | |
Category (string) or Category (null) (Category) |
{- "issue_description": "string",
- "error_message": "string",
- "context": { },
- "category": "string"
}nullCreate a support ticket for complex issues
| issue_description required | string (Issue Description) |
Error Message (string) or Error Message (null) (Error Message) | |
Context (object) or Context (null) (Context) | |
Category (string) or Category (null) (Category) |
{- "issue_description": "string",
- "error_message": "string",
- "context": { },
- "category": "string"
}nullSet platform-wide minimum advise interval (platform admin only).
| property name* additional property | any |
{ }nullEnqueue an advise job for the given service (internal only).
Requires a valid access token with manage_services or read_automations.
Tenant Id (string) or Tenant Id (null) (Tenant Id) | |
| service required | string (Service) Target service key, e.g. cloudrun |
Scope (object) or Scope (null) (Scope) | |
Reason (string) or Reason (null) (Reason) | |
Trigger (string) or Trigger (null) (Trigger) manual|schedule|alert | |
Selectors (object) or Selectors (null) (Selectors) | |
Idempotency Key (string) or Idempotency Key (null) (Idempotency Key) Optional client-supplied id to dedupe requests | |
Priority (string) or Priority (null) (Priority) Optional priority hint: 'low' routes to low-priority queue if configured | |
Schedule Seconds (integer) or Schedule Seconds (null) (Schedule Seconds) Optionally delay execution by N seconds (jitter) |
{- "tenant_id": "string",
- "service": "string",
- "scope": { },
- "reason": "string",
- "trigger": "string",
- "selectors": { },
- "idempotency_key": "string",
- "priority": "string",
- "schedule_seconds": 0
}{- "job_id": "string",
- "run_id": "string",
- "status": "queued"
}Snapshot current Redis metrics to PostgreSQL.
Called by Cloud Scheduler (hourly in production). Manually callable in local dev: curl -X POST http://localhost:8081/internal/metrics/snapshot
Authorization: OIDC audience (Cloud Scheduler) or platform admin
nullService (string) or Service (null) (Service) | |
Intent (string) or Intent (null) (Intent) | |
| include_all_versions | boolean (Include All Versions) Default: false |
[- {
- "template_id": "string",
- "tenant_id": "string",
- "service": "string",
- "intent": "string",
- "version": 0,
- "is_active": true,
- "updated_by": "string",
- "template_text": "string",
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z"
}
]| service required | string (Service) cloudrun|bigquery|gke|cloud_sql |
| intent required | string (Intent) advise_change_set|cold_start|slot_optimization|... |
| template_text required | string (Template Text) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{- "service": "string",
- "intent": "string",
- "template_text": "string",
- "tenant_id": "string"
}{- "template_id": "string",
- "tenant_id": "string",
- "service": "string",
- "intent": "string",
- "version": 0,
- "is_active": true,
- "updated_by": "string",
- "template_text": "string",
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z"
}Report seeding status for known (service, intent) pairs.
[- {
- "service": "string",
- "intent": "string",
- "has_db_template": true,
- "has_global_config": true,
- "has_file": true,
- "seeded": true
}
]Trigger seeding of prompt templates from on-disk Jinja files into the database.
This uses the same resolution path as the runtime (ConfigurationService.get_prompt_template), but is exposed as an explicit admin operation instead of relying on first-use.
[- {
- "service": "string",
- "intent": "string",
- "has_db_template": true,
- "has_global_config": true,
- "has_file": true,
- "seeded": true
}
]| service required | string (Service) |
| intent required | string (Intent) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) | |
Template Text (string) or Template Text (null) (Template Text) | |
Scope (object) or Scope (null) (Scope) | |
Signals (object) or Signals (null) (Signals) | |
Caps (object) or Caps (null) (Caps) | |
Region (string) or Region (null) (Region) |
{- "service": "string",
- "intent": "string",
- "tenant_id": "string",
- "template_text": "string",
- "scope": { },
- "signals": { },
- "caps": { },
- "region": "string"
}{ }Return the resolved template text and source (tenant|global|global_config|file|none).
| service required | string (Service) |
| intent required | string (Intent) |
Tenant Id (string) or Tenant Id (null) (Tenant Id) |
{ }List all compression configuration priorities.
Access: Platform admin only
[- {
- "service": "string",
- "priority_keys": [
- "string"
], - "description": "string",
- "created_at": "string",
- "updated_at": "string"
}
]Get compression configuration for a specific service.
Access: Platform admin only
| service required | string (Service) |
{- "service": "string",
- "priority_keys": [
- "string"
], - "description": "string",
- "created_at": "string",
- "updated_at": "string"
}Update compression configuration for a service.
Creates new config if it doesn't exist.
Access: Platform admin only
| service required | string (Service) |
| service required | string (Service) |
| priority_keys required | Array of strings (Priority Keys) |
Description (string) or Description (null) (Description) |
{- "service": "string",
- "priority_keys": [
- "string"
], - "description": "string"
}{- "service": "string",
- "priority_keys": [
- "string"
], - "description": "string",
- "created_at": "string",
- "updated_at": "string"
}Get overall feedback statistics.
Requires: Platform admin access
{- "total_feedback_count": 0,
- "unique_findings_with_feedback": 0,
- "disputed_finding_types": 0,
- "avg_feedback_per_finding_type": 0,
- "feedback_by_status": { },
- "suggestions_by_severity": { }
}Get aggregated feedback grouped by finding type.
Requires: Platform admin access
| disputed_only | boolean (Disputed Only) Default: false Only show disputed finding types |
| min_feedback_count | integer (Min Feedback Count) Default: 1 Minimum feedback count to include |
| limit | integer (Limit) <= 100 Default: 50 Max results |
[- {
- "service": "string",
- "kind": "string",
- "current_severity": "string",
- "feedback_count": 0,
- "suggested_severities": { },
- "most_common_suggestion": "string",
- "agreement_percentage": 0,
- "reasons": { },
- "is_disputed": true,
- "sample_comments": [
- "string"
]
}
]Update finding type severity metadata based on reviewed feedback.
Requires: Platform admin access
| service required | string (Service) |
| kind required | string (Kind) |
| new_severity required | string (New Severity) Enum: "critical" "high" "medium" "low" |
| reason required | string (Reason) <= 500 characters Why this change is being made |
{- "service": "string",
- "kind": "string",
- "new_severity": "critical",
- "reason": "string"
}nullList all scopes for the tenant, optionally filtered by service.
Service (string) or Service (null) (Service) |
[- {
- "scope_id": "string",
- "service": "string",
- "human_label": "string",
- "params": { },
- "targets": [ ],
- "is_default": true,
- "risk_profile": "string",
- "policy": { },
- "scheduler_config": { },
- "owner_team_id": "string",
- "created_at": "string",
- "updated_at": "string"
}
]Create a new scope.
Service (string) or Service (null) (Service) | |
Params (object) or Params (null) (Params) | |
Array of Targets (objects) or Targets (null) (Targets) | |
| human_label required | string (Human Label) |
| is_default | boolean (Is Default) Default: false |
Risk Profile (string) or Risk Profile (null) (Risk Profile) | |
Policy (object) or Policy (null) (Policy) | |
Scheduler Config (object) or Scheduler Config (null) (Scheduler Config) | |
Owner Team Id (string) or Owner Team Id (null) (Owner Team Id) |
{- "service": "string",
- "params": { },
- "targets": [
- { }
], - "human_label": "string",
- "is_default": false,
- "risk_profile": "string",
- "policy": { },
- "scheduler_config": { },
- "owner_team_id": "string"
}{- "scope_id": "string",
- "service": "string",
- "human_label": "string",
- "params": { },
- "targets": [ ],
- "is_default": true,
- "risk_profile": "string",
- "policy": { },
- "scheduler_config": { },
- "owner_team_id": "string",
- "created_at": "string",
- "updated_at": "string"
}Return a lightweight coverage summary for scopes vs active inventory.
This powers the Scopes Control Center view and is derived from the same matching logic used by the InventoryService, so UI coverage matches what the scheduler/executor will see.
Service (string) or Service (null) (Service) Optional service key (e.g. cloudrun, bigquery) |
nullDiagnose how scopes and their policies apply to a specific resource.
This endpoint is a thin wrapper around InventoryService.test_policy_for_resource and merge_scope_policies. It answers:
| service required | string (Service) |
Project Id (string) or Project Id (null) (Project Id) | |
Region (string) or Region (null) (Region) | |
Dataset Id (string) or Dataset Id (null) (Dataset Id) | |
Resource Id (string) or Resource Id (null) (Resource Id) | |
Resource Name (string) or Resource Name (null) (Resource Name) | |
Resource Key (string) or Resource Key (null) (Resource Key) | |
Array of Actions (strings) or Actions (null) (Actions) |
{- "service": "string",
- "project_id": "string",
- "region": "string",
- "dataset_id": "string",
- "resource_id": "string",
- "resource_name": "string",
- "resource_key": "string",
- "actions": [
- "string"
]
}{- "service": "string",
- "project_id": "string",
- "region": "string",
- "dataset_id": "string",
- "resource_id": "string",
- "resource_name": "string",
- "effective_policy": { },
- "matched_scopes": [
- { }
], - "actions": [
- {
- "op": "string",
- "canonical_op": "string",
- "allowed": true,
- "reason": "string",
- "blocking_scopes": [ ],
- "allowed_scopes": [ ],
- "effective_allowed_ops": [
- "string"
]
}
]
}Update an existing scope.
| scope_id required | string <uuid> (Scope Id) |
Human Label (string) or Human Label (null) (Human Label) | |
Params (object) or Params (null) (Params) | |
Array of Targets (objects) or Targets (null) (Targets) | |
Is Default (boolean) or Is Default (null) (Is Default) | |
Risk Profile (string) or Risk Profile (null) (Risk Profile) | |
Policy (object) or Policy (null) (Policy) | |
Scheduler Config (object) or Scheduler Config (null) (Scheduler Config) | |
Owner Team Id (string) or Owner Team Id (null) (Owner Team Id) |
{- "human_label": "string",
- "params": { },
- "targets": [
- { }
], - "is_default": true,
- "risk_profile": "string",
- "policy": { },
- "scheduler_config": { },
- "owner_team_id": "string"
}{- "scope_id": "string",
- "service": "string",
- "human_label": "string",
- "params": { },
- "targets": [ ],
- "is_default": true,
- "risk_profile": "string",
- "policy": { },
- "scheduler_config": { },
- "owner_team_id": "string",
- "created_at": "string",
- "updated_at": "string"
}Apply a targeted patch to a scope's policy.
Currently supports add_allowed_op for policy.allowed_ops so that UIs can relax guardrails safely without rewriting the entire Scope.
| scope_id required | string <uuid> (Scope Id) |
| op required | string (Op) Patch operation type (currently only add_allowed_op) Value: "add_allowed_op" |
| value required | string (Value) Operation identifier to add to policy.allowed_ops |
{- "op": "add_allowed_op",
- "value": "string"
}{- "scope_id": "string",
- "service": "string",
- "human_label": "string",
- "params": { },
- "targets": [ ],
- "is_default": true,
- "risk_profile": "string",
- "policy": { },
- "scheduler_config": { },
- "owner_team_id": "string",
- "created_at": "string",
- "updated_at": "string"
}object (Initial Context) | |
Scope Id (string) or Scope Id (null) (Scope Id) |
{- "initial_context": { },
- "scope_id": "string"
}{- "id": "string",
- "tenant_id": "string",
- "scope_id": "string",
- "status": "string",
- "current_step": "string",
- "data": { },
- "validation_results": { },
- "created_at": "string",
- "updated_at": "string"
}{- "id": "string",
- "tenant_id": "string",
- "scope_id": "string",
- "status": "string",
- "current_step": "string",
- "data": { },
- "validation_results": { },
- "created_at": "string",
- "updated_at": "string"
}| saga_id required | string (Saga Id) |
Project Id (string) or Project Id (null) (Project Id) | |
Service (string) or Service (null) (Service) | |
Region (string) or Region (null) (Region) | |
Dataset Id (string) or Dataset Id (null) (Dataset Id) | |
Human Label (string) or Human Label (null) (Human Label) | |
object (Extra) | |
Array of Targets (objects) or Targets (null) (Targets) |
{- "project_id": "string",
- "service": "string",
- "region": "string",
- "dataset_id": "string",
- "human_label": "string",
- "extra": { },
- "targets": [
- { }
]
}{- "id": "string",
- "tenant_id": "string",
- "scope_id": "string",
- "status": "string",
- "current_step": "string",
- "data": { },
- "validation_results": { },
- "created_at": "string",
- "updated_at": "string"
}| saga_id required | string (Saga Id) |
Risk Profile (string) or Risk Profile (null) (Risk Profile) | |
Policy (object) or Policy (null) (Policy) | |
Owner Team Id (string) or Owner Team Id (null) (Owner Team Id) | |
object (Extra) |
{- "risk_profile": "string",
- "policy": { },
- "owner_team_id": "string",
- "extra": { }
}{- "id": "string",
- "tenant_id": "string",
- "scope_id": "string",
- "status": "string",
- "current_step": "string",
- "data": { },
- "validation_results": { },
- "created_at": "string",
- "updated_at": "string"
}| saga_id required | string (Saga Id) |
Scheduler Config (object) or Scheduler Config (null) (Scheduler Config) | |
object (Extra) |
{- "scheduler_config": { },
- "extra": { }
}{- "id": "string",
- "tenant_id": "string",
- "scope_id": "string",
- "status": "string",
- "current_step": "string",
- "data": { },
- "validation_results": { },
- "created_at": "string",
- "updated_at": "string"
}{- "saga": {
- "id": "string",
- "tenant_id": "string",
- "scope_id": "string",
- "status": "string",
- "current_step": "string",
- "data": { },
- "validation_results": { },
- "created_at": "string",
- "updated_at": "string"
}, - "scope_id": "string"
}List discovered/active/ignored resources for the current tenant.
| tab | string (Tab) ^(discovered|active|ignored|all)$ Default: "discovered" |
Service (string) or Service (null) (Service) | |
Environment (string) or Environment (null) (Environment) | |
Status (string) or Status (null) (Status) | |
Search (string) or Search (null) (Search) | |
Project Id (string) or Project Id (null) (Project Id) | |
Region (string) or Region (null) (Region) | |
Dataset Id (string) or Dataset Id (null) (Dataset Id) | |
| limit | integer (Limit) [ 1 .. 100 ] Default: 25 |
| offset | integer (Offset) >= 0 Default: 0 |
{- "items": [
- { }
], - "total": 0
}Bulk update status (pending/active/ignored) for discovered resources.
| ids required | Array of strings (Ids) |
| status required | string (Status) |
{- "ids": [
- "string"
], - "status": "string"
}nullReturn merged scope policy and matching scopes for a given service.
This endpoint is intended for debugging scope overlaps and understanding which guardrails apply before automation is executed. It currently resolves policies at the service level; future revisions may accept resource identifiers to provide per-resource diagnostics.
| service required | string (Service) Service key (e.g. cloudrun, bigquery) |
Project Id (string) or Project Id (null) (Project Id) Optional GCP project id for context |
nullPolicy Tester endpoint.
Given a hypothetical resource (service + project + optional region/dataset), return which scopes would match it and the merged effective scope policy.
| service required | string (Service) |
Project Id (string) or Project Id (null) (Project Id) | |
Region (string) or Region (null) (Region) | |
Dataset Id (string) or Dataset Id (null) (Dataset Id) | |
Resource Id (string) or Resource Id (null) (Resource Id) | |
Resource Name (string) or Resource Name (null) (Resource Name) |
{- "service": "string",
- "project_id": "string",
- "region": "string",
- "dataset_id": "string",
- "resource_id": "string",
- "resource_name": "string"
}nullCreate a new team.
| name required | string (Name) |
Description (string) or Description (null) (Description) |
{- "name": "string",
- "description": "string"
}{- "id": "string",
- "name": "string",
- "description": "string",
- "member_count": 0,
- "created_at": "string"
}Update a team.
| team_id required | string <uuid> (Team Id) |
Name (string) or Name (null) (Name) | |
Description (string) or Description (null) (Description) |
{- "name": "string",
- "description": "string"
}{- "id": "string",
- "name": "string",
- "description": "string",
- "member_count": 0,
- "created_at": "string"
}Add a user to a team.
| team_id required | string <uuid> (Team Id) |
| user_id required | string <uuid> (User Id) |
| role | string (Role) Default: "member" |
{- "user_id": "a169451c-8525-4352-b8ca-070dd449a1a5",
- "role": "member"
}{- "user_id": "string",
- "email": "string",
- "role": "string",
- "joined_at": "string"
}Update a user's role.
| user_id required | string (User Id) |
| role required | string (Role) New role name or ID |
{- "role": "string"
}nullList team-scope assignments.
Team Id (string) or Team Id (null) (Team Id) |
[- {
- "id": "string",
- "team_id": "string",
- "team_name": "string",
- "scope_id": "string",
- "scope_name": "string",
- "created_at": "string",
- "created_by": "string"
}
]Add a scope to a team.
| team_id required | string (Team Id) |
| scope_id required | string (Scope Id) |
{- "team_id": "string",
- "scope_id": "string"
}{- "id": "string",
- "team_id": "string",
- "team_name": "string",
- "scope_id": "string",
- "scope_name": "string",
- "created_at": "string",
- "created_by": "string"
}List maker-checker audit log entries.
Entity Type (string) or Entity Type (null) (Entity Type) Filter by entity type (change, rollback) | |
Action (string) or Action (null) (Action) Filter by action (propose, approve, execute, reject) | |
| limit | integer (Limit) <= 200 Default: 50 |
| offset | integer (Offset) Default: 0 |
[- {
- "id": "string",
- "entity_type": "string",
- "entity_id": "string",
- "action": "string",
- "performed_by": "string",
- "performed_by_email": "string",
- "performed_at": "string",
- "is_emergency_bypass": false,
- "bypass_reason": "string",
- "notes": "string"
}
]Get notifications for the current user.
Event Types (string) or Event Types (null) (Event Types) Comma-separated event types to filter | |
| unread_only | boolean (Unread Only) Default: false Only return unread notifications |
| limit | integer (Limit) [ 1 .. 100 ] Default: 50 |
| offset | integer (Offset) >= 0 Default: 0 |
{- "notifications": [
- {
- "id": "string",
- "tenant_id": "string",
- "user_id": "string",
- "event_type": "string",
- "severity": "string",
- "title": "string",
- "message": "string",
- "resource_type": "string",
- "resource_id": "string",
- "action_url": "string",
- "read": true,
- "metadata": { },
- "created_at": "string"
}
], - "unread_count": 0,
- "total": 0
}Get notifications for the current user.
Event Types (string) or Event Types (null) (Event Types) Comma-separated event types to filter | |
| unread_only | boolean (Unread Only) Default: false Only return unread notifications |
| limit | integer (Limit) [ 1 .. 100 ] Default: 50 |
| offset | integer (Offset) >= 0 Default: 0 |
{- "notifications": [
- {
- "id": "string",
- "tenant_id": "string",
- "user_id": "string",
- "event_type": "string",
- "severity": "string",
- "title": "string",
- "message": "string",
- "resource_type": "string",
- "resource_id": "string",
- "action_url": "string",
- "read": true,
- "metadata": { },
- "created_at": "string"
}
], - "unread_count": 0,
- "total": 0
}Get notification preferences for the current user.
{- "id": "string",
- "tenant_id": "string",
- "user_id": "string",
- "in_app_enabled": true,
- "email_enabled": true,
- "email_digest_frequency": "string",
- "event_preferences": { },
- "service_preferences": { },
- "quiet_hours_enabled": false,
- "quiet_hours_start": "string",
- "quiet_hours_end": "string",
- "quiet_hours_timezone": "UTC",
- "min_severity": "info"
}Get notification preferences for the current user.
{- "id": "string",
- "tenant_id": "string",
- "user_id": "string",
- "in_app_enabled": true,
- "email_enabled": true,
- "email_digest_frequency": "string",
- "event_preferences": { },
- "service_preferences": { },
- "quiet_hours_enabled": false,
- "quiet_hours_start": "string",
- "quiet_hours_end": "string",
- "quiet_hours_timezone": "UTC",
- "min_severity": "info"
}Update notification preferences for the current user.
In App Enabled (boolean) or In App Enabled (null) (In App Enabled) | |
Email Enabled (boolean) or Email Enabled (null) (Email Enabled) | |
Email Digest Frequency (string) or Email Digest Frequency (null) (Email Digest Frequency) | |
Event Preferences (object) or Event Preferences (null) (Event Preferences) | |
Service Preferences (object) or Service Preferences (null) (Service Preferences) | |
Quiet Hours Enabled (boolean) or Quiet Hours Enabled (null) (Quiet Hours Enabled) | |
Quiet Hours Start (string) or Quiet Hours Start (null) (Quiet Hours Start) | |
Quiet Hours End (string) or Quiet Hours End (null) (Quiet Hours End) | |
Quiet Hours Timezone (string) or Quiet Hours Timezone (null) (Quiet Hours Timezone) | |
Min Severity (string) or Min Severity (null) (Min Severity) |
{- "in_app_enabled": true,
- "email_enabled": true,
- "email_digest_frequency": "string",
- "event_preferences": { },
- "service_preferences": { },
- "quiet_hours_enabled": true,
- "quiet_hours_start": "string",
- "quiet_hours_end": "string",
- "quiet_hours_timezone": "string",
- "min_severity": "string"
}{- "id": "string",
- "tenant_id": "string",
- "user_id": "string",
- "in_app_enabled": true,
- "email_enabled": true,
- "email_digest_frequency": "string",
- "event_preferences": { },
- "service_preferences": { },
- "quiet_hours_enabled": false,
- "quiet_hours_start": "string",
- "quiet_hours_end": "string",
- "quiet_hours_timezone": "UTC",
- "min_severity": "info"
}Update notification preferences for the current user.
In App Enabled (boolean) or In App Enabled (null) (In App Enabled) | |
Email Enabled (boolean) or Email Enabled (null) (Email Enabled) | |
Email Digest Frequency (string) or Email Digest Frequency (null) (Email Digest Frequency) | |
Event Preferences (object) or Event Preferences (null) (Event Preferences) | |
Service Preferences (object) or Service Preferences (null) (Service Preferences) | |
Quiet Hours Enabled (boolean) or Quiet Hours Enabled (null) (Quiet Hours Enabled) | |
Quiet Hours Start (string) or Quiet Hours Start (null) (Quiet Hours Start) | |
Quiet Hours End (string) or Quiet Hours End (null) (Quiet Hours End) | |
Quiet Hours Timezone (string) or Quiet Hours Timezone (null) (Quiet Hours Timezone) | |
Min Severity (string) or Min Severity (null) (Min Severity) |
{- "in_app_enabled": true,
- "email_enabled": true,
- "email_digest_frequency": "string",
- "event_preferences": { },
- "service_preferences": { },
- "quiet_hours_enabled": true,
- "quiet_hours_start": "string",
- "quiet_hours_end": "string",
- "quiet_hours_timezone": "string",
- "min_severity": "string"
}{- "id": "string",
- "tenant_id": "string",
- "user_id": "string",
- "in_app_enabled": true,
- "email_enabled": true,
- "email_digest_frequency": "string",
- "event_preferences": { },
- "service_preferences": { },
- "quiet_hours_enabled": false,
- "quiet_hours_start": "string",
- "quiet_hours_end": "string",
- "quiet_hours_timezone": "UTC",
- "min_severity": "info"
}Submit feedback about a finding's severity.
This feedback is used to:
Permissions: Any authenticated user can submit feedback on findings they have access to (tenant-scoped).
| finding_id required | string <uuid> (Finding Id) |
| suggested_severity required | string (Suggested Severity) Enum: "critical" "high" "medium" "low" |
| reason required | string (Reason) Enum: "too_high" "too_low" "wrong_category" "context_missing" "other" Why the current severity is incorrect |
Comment (string) or Comment (null) (Comment) Optional explanation |
{- "suggested_severity": "critical",
- "reason": "too_high",
- "comment": "string"
}{- "id": "string",
- "finding_id": "string",
- "suggested_severity": "string",
- "created_by": "string",
- "message": "Feedback submitted successfully. Thank you for helping improve severity classification!"
}Get overall feedback statistics.
Requires: Platform admin access
{- "total_feedback_count": 0,
- "unique_findings_with_feedback": 0,
- "disputed_finding_types": 0,
- "avg_feedback_per_finding_type": 0,
- "feedback_by_status": { },
- "suggestions_by_severity": { }
}Get aggregated feedback grouped by finding type.
Requires: Platform admin access
| disputed_only | boolean (Disputed Only) Default: false Only show disputed finding types |
| min_feedback_count | integer (Min Feedback Count) Default: 1 Minimum feedback count to include |
| limit | integer (Limit) <= 100 Default: 50 Max results |
[- {
- "service": "string",
- "kind": "string",
- "current_severity": "string",
- "feedback_count": 0,
- "suggested_severities": { },
- "most_common_suggestion": "string",
- "agreement_percentage": 0,
- "reasons": { },
- "is_disputed": true,
- "sample_comments": [
- "string"
]
}
]Update finding type severity metadata based on reviewed feedback.
Requires: Platform admin access
| service required | string (Service) |
| kind required | string (Kind) |
| new_severity required | string (New Severity) Enum: "critical" "high" "medium" "low" |
| reason required | string (Reason) <= 500 characters Why this change is being made |
{- "service": "string",
- "kind": "string",
- "new_severity": "critical",
- "reason": "string"
}nullList all join requests for a tenant. Requires 'manage_users' permission (admin role).
| tenant_id required | string <uuid> (Tenant Id) |
Status Filter (string) or Status Filter (null) (Status Filter) |
nullReject a join request.
| tenant_id required | string <uuid> (Tenant Id) |
| request_id required | string <uuid> (Request Id) |
Reason (string) or Reason (null) (Reason) | |
Any of string (Reason) | |
{- "reason": "string"
}nullGet cost summary by tier.
Returns LLM token usage, cache stats, and estimated COGS.
Access: Platform admin only
Tier (string) or Tier (null) (Tier) Filter by tier (free/team/pro/enterprise) | |
| time_window | string (Time Window) ^(1h|24h|7d|30d)$ Default: "7d" |
nullGet cache performance by service.
Returns hit rates, miss counts, and scan efficiency.
Access: Platform admin only
Service (string) or Service (null) (Service) Filter by service |
nullGet tier pricing configuration for signup page.
Returns all tier configurations from service_ops.yaml tier_config section. Used to render the pricing matrix during signup.
Response includes:
{ }Get tier pricing configuration for signup page.
Returns all tier configurations from service_ops.yaml tier_config section. Used to render the pricing matrix during signup.
Response includes:
{ }