{"components":{"schemas":{"CatalogTool":{"properties":{"cve_count":{"type":"integer"},"first_seen":{"format":"date-time","type":"string"},"grade":{"type":"string"},"id":{"type":"integer"},"last_seen":{"format":"date-time","type":"string"},"status":{"type":"string"},"tool_name":{"type":"string"}},"type":"object"},"ConstitutionRule":{"properties":{"created_at":{"format":"date-time","type":"string"},"id":{"type":"integer"},"mode":{"enum":["enforce","monitor"],"type":"string"},"rule_name":{"type":"string"},"severity":{"enum":["low","medium","high","critical"],"type":"string"},"value":{"type":"string"}},"type":"object"},"CreateRuleRequest":{"properties":{"mode":{"enum":["enforce","monitor"],"type":"string"},"rule_name":{"type":"string"},"severity":{"enum":["low","medium","high","critical"],"type":"string"},"value":{"type":"string"}},"required":["rule_name","value"],"type":"object"},"InterceptRequest":{"properties":{"agent_id":{"description":"Identifier for the calling agent","type":"string"},"context":{"description":"Additional task context","type":"string"},"inner_monologue":{"description":"Agent's internal reasoning","type":"string"},"intent":{"description":"Why the agent wants to call this tool","type":"string"},"parameters":{"description":"Parameters passed to the tool","type":"object"},"parent_agent_id":{"description":"Parent agent ID for A2A chain tracing","type":"string"},"tool_name":{"description":"Name of the tool being called","type":"string"},"usage":{"properties":{"input_tokens":{"type":"integer"},"output_tokens":{"type":"integer"},"thinking_tokens":{"type":"integer"}},"type":"object"},"webhook_url":{"description":"Callback URL for async 
resolution","type":"string"}},"required":["tool_name"],"type":"object"},"InterceptResponse":{"properties":{"action_id":{"type":"string"},"analysis":{"type":"string"},"message":{"type":"string"},"risk_score":{"type":"integer"},"status":{"enum":["allowed","pending","blocked","shadow-blocked"],"type":"string"},"violations":{"items":{"properties":{"reason":{"type":"string"},"rule":{"type":"string"},"severity":{"type":"string"}},"type":"object"},"type":"array"}},"type":"object"},"PendingAction":{"properties":{"agent_id":{"type":"string"},"created_at":{"format":"date-time","type":"string"},"id":{"type":"string"},"risk_score":{"type":"integer"},"status":{"type":"string"},"tool_name":{"type":"string"},"violations":{"items":{"type":"string"},"type":"array"}},"type":"object"},"ResolveRequest":{"properties":{"decision":{"enum":["approve","deny"],"type":"string"}},"required":["decision"],"type":"object"}},"securitySchemes":{"BearerAuth":{"description":"API key with af_ prefix","scheme":"bearer","type":"http"}}},"info":{"contact":{"name":"Snapwire","url":"https://www.getsnapwire.com"},"description":"Manage governance rules, run compliance checks, and pull audit bundles via API. 
Designed for CI/CD pipelines, GitHub Actions, and enterprise governance automation.","title":"Snapwire Headless Compliance API","version":"1.0.0"},"openapi":"3.0.3","paths":{"/api/actions/pending":{"get":{"description":"Returns all tool call actions currently held for human review.","operationId":"getPendingActions","responses":{"200":{"content":{"application/json":{"schema":{"properties":{"actions":{"items":{"$ref":"#/components/schemas/PendingAction"},"type":"array"}},"type":"object"}}},"description":"Pending actions list"},"401":{"description":"Authentication required"}},"summary":"Get Pending Actions","tags":["Review Queue"]}},"/api/actions/{id}/resolve":{"post":{"description":"Approve or deny a pending action programmatically.","operationId":"resolveAction","parameters":[{"in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ResolveRequest"}}},"required":true},"responses":{"200":{"description":"Action resolved"},"401":{"description":"Authentication required"},"404":{"description":"Action not found"}},"summary":"Resolve Action","tags":["Review Queue"]}},"/api/catalog":{"get":{"description":"Returns all known tools with safety grades (A-F), approval status, and CVE exposure.","operationId":"listCatalog","responses":{"200":{"content":{"application/json":{"schema":{"properties":{"catalog":{"items":{"$ref":"#/components/schemas/CatalogTool"},"type":"array"}},"type":"object"}}},"description":"Tool catalog"},"401":{"description":"Authentication required"}},"summary":"List Tool Catalog","tags":["Tool Catalog"]}},"/api/catalog/{id}/consequential":{"patch":{"description":"Toggle the high-stakes (consequential) tag on a cataloged tool for Colorado SB24-205 compliance. 
Consequential tools are listed in the Safety PDF and Compliance Portal.","operationId":"toggleConsequential","parameters":[{"in":"path","name":"id","required":true,"schema":{"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"properties":{"id":{"type":"integer"},"is_consequential":{"type":"boolean"},"tool_name":{"type":"string"}},"type":"object"}}},"description":"Consequentiality tag toggled"},"401":{"description":"Authentication required"},"404":{"description":"Tool not found"}},"summary":"Toggle Consequentiality Tag","tags":["Tool Catalog"]}},"/api/catalog/{id}/status":{"patch":{"description":"Change the approval status of a cataloged tool. Banned tools are blocked by the intercept endpoint.","operationId":"updateToolStatus","parameters":[{"in":"path","name":"id","required":true,"schema":{"type":"integer"}}],"requestBody":{"content":{"application/json":{"schema":{"properties":{"status":{"enum":["approved","banned","pending_review"],"type":"string"}},"required":["status"],"type":"object"}}},"required":true},"responses":{"200":{"description":"Status updated"},"401":{"description":"Authentication required"},"404":{"description":"Tool not found"}},"summary":"Update Tool Status","tags":["Tool Catalog"]}},"/api/compliance/aibom":{"get":{"description":"Generate a CycloneDX v1.7 JSON AIBOM for the current tenant. 
Includes all registered tools as components, observed tool-call services, aggregate compliance properties, and SHA-256 formulation hashes linking intent to action.","operationId":"getAIBOM","parameters":[{"description":"Number of days to include in the AIBOM window (1-365)","in":"query","name":"days","required":false,"schema":{"default":30,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"CycloneDX v1.7 JSON"},"401":{"description":"Authentication required"}},"summary":"Get AI Bill of Materials","tags":["Compliance"]}},"/api/compliance/aibom/download":{"get":{"description":"Download the CycloneDX v1.7 AIBOM as a .cdx.json file attachment.","operationId":"downloadAIBOM","parameters":[{"description":"Number of days to include (1-365)","in":"query","name":"days","required":false,"schema":{"default":30,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"format":"binary","type":"string"}}},"description":"CycloneDX JSON file"},"401":{"description":"Authentication required"}},"summary":"Download AIBOM File","tags":["Compliance"]}},"/api/compliance/aibom/summary":{"get":{"description":"Returns component count, unique service count, total intercepts, safety grade distribution, and consequential tool count for the current tenant.","operationId":"getAIBOMSummary","parameters":[{"description":"Number of days to include (1-365)","in":"query","name":"days","required":false,"schema":{"default":30,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"properties":{"component_count":{"type":"integer"},"consequential_count":{"type":"integer"},"grade_distribution":{"type":"object"},"service_count":{"type":"integer"},"total_intercepts":{"type":"integer"}},"type":"object"}}},"description":"AIBOM summary"},"401":{"description":"Authentication required"}},"summary":"AIBOM Summary 
Stats","tags":["Compliance"]}},"/api/compliance/audit-bundle":{"get":{"description":"Generate a cryptographically signed ZIP archive with Safety Disclosure PDF, resolved actions CSV, SHA-256 hashed audit log, and CycloneDX v1.7 AIBOM.","operationId":"getAuditBundle","responses":{"200":{"content":{"application/zip":{"schema":{"format":"binary","type":"string"}}},"description":"ZIP archive"},"401":{"description":"Authentication required"}},"summary":"Download Audit Bundle","tags":["Compliance"]}},"/api/compliance/nist-report":{"get":{"description":"Generate a JSON report mapping active rules to NIST CSF 2.0 categories with coverage score and gap analysis.","operationId":"getNistReport","responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Compliance report"},"401":{"description":"Authentication required"}},"summary":"NIST Compliance Report","tags":["Compliance"]}},"/api/compliance/nist-report/pdf":{"get":{"description":"Download a formatted PDF compliance report aligned to NIST IR 8596 Agentic AI guidelines.","operationId":"getNistReportPdf","responses":{"200":{"content":{"application/pdf":{"schema":{"format":"binary","type":"string"}}},"description":"PDF report"},"401":{"description":"Authentication required"}},"summary":"NIST Report PDF","tags":["Compliance"]}},"/api/constitution":{"get":{"description":"Returns all active constitutional rules for the current workspace.","operationId":"getConstitution","responses":{"200":{"content":{"application/json":{"schema":{"properties":{"rules":{"items":{"$ref":"#/components/schemas/ConstitutionRule"},"type":"array"}},"type":"object"}}},"description":"Rules list"},"401":{"description":"Authentication required"}},"summary":"List Constitution Rules","tags":["Policy Engine"]},"post":{"description":"Add a new governance rule. 
Rules are evaluated against every intercepted tool call.","operationId":"createConstitutionRule","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateRuleRequest"}}},"required":true},"responses":{"200":{"description":"Rule created"},"401":{"description":"Authentication required"}},"summary":"Create Constitution Rule","tags":["Policy Engine"]}},"/api/intercept":{"post":{"description":"Evaluate a tool call against policy rules before execution. Returns the decision in the response status field: allowed, pending, blocked, or shadow-blocked.","operationId":"interceptToolCall","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/InterceptRequest"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/InterceptResponse"}}},"description":"Decision returned"},"401":{"description":"Missing or invalid API key"},"429":{"description":"Rate limit exceeded"}},"summary":"Intercept Tool Call","tags":["Policy Engine"]}}},"security":[{"BearerAuth":[]}],"servers":[{"description":"Current instance","url":"https://www.getsnapwire.com"}]}
