K0NSULT // ai-truth/ipIII

API Reference


REST contract for the cyber/AI incident system. Base resource /api, JSON format, header-based authentication (Bearer / x-konsult-secret). Per-endpoint authorization depends on role (see Roles & Priorities).

Read-path LIVE. The read endpoints /api/ip3/incidents, /api/ip3/stats and /api/ip3/playbooks actually work (SIMULATION data); try them in the API Explorer. Machine contract: openapi.json. The operational registry /api/incidents and all writes (POST/PATCH) are protected / production (OIDC/mTLS: ROADMAP).
Status: contract draft. The endpoints describe the target contract. Production implementation carries the status GAP. All request/response examples are SIMULATION data: they illustrate the shape of the payload, not real traffic.

Conventions

Endpoint overview

| Method | Path                                 | Min. role   | Description                                              |
|--------|--------------------------------------|-------------|----------------------------------------------------------|
| POST   | /api/incidents                       | Reporter    | Create an incident (defaults to gap).                    |
| GET    | /api/incidents                       | Viewer      | List with filters (priority, level, flags, status).      |
| GET    | /api/incidents/:id                   | Viewer      | Incident detail with evidence and actions.               |
| PATCH  | /api/incidents/:id                   | Analyst     | Update classification/status/flags.                      |
| POST   | /api/incidents/:id/evidence          | Analyst     | Attach evidence (kind, hash, confidence, custody).       |
| GET    | /api/incidents/:id/evidence          | Viewer*     | Incident evidence (visibility filtered by role).         |
| POST   | /api/incidents/:id/actions           | Operator    | Add a response step from a playbook.                     |
| PATCH  | /api/actions/:id                     | Operator    | Update step status; HITL approve.                        |
| GET    | /api/map/incidents                   | Viewer      | Data for the Threat Map (geo/sector/time).               |
| GET    | /api/stats/incidents                 | Viewer      | KPI aggregates for the dashboard.                        |
| GET    | /api/playbooks                       | Viewer      | Playbook index.                                          |
| GET    | /api/playbooks/:type                 | Viewer      | Steps for a playbook of a given type.                    |
| POST   | /api/intake/osint                    | Operator    | OSINT submission (entry status media/public).            |
| POST   | /api/intake/log                      | DevSecOps   | SIEM/EDR log submission (internal).                      |
| POST   | /api/agents/:id/quarantine           | AI Safety   | Quarantine an agent (revoke privileges).                 |
| POST   | /api/agents/:id/restore              | AI Safety   | Restore an agent after validation.                       |
| POST   | /api/reports/incidents/:id/export    | Legal/DPO   | Export a report to an authority (NIS2/GDPR/AI Act).      |

* Viewer*: a Public Viewer sees only visibility=public evidence; restricted/internal require an Analyst+ role.

POST /api/incidents – creation

Request SIMULATION:

POST /api/incidents
Content-Type: application/json

{
  "title": "Suspected prompt injection in a support agent",
  "source_type": "form",
  "level": "L2_ai",
  "category": "prompt_injection",
  "detected_at": "2026-07-04T08:12:00Z",
  "agent_id": "b1f2...-agent",
  "impact_integrity": 2,
  "gdpr_personal_data": true
}

Response SIMULATION:

201 Created

{
  "id": "9c0a...-inc",
  "public_id": "INC-2026-0042",
  "evidence_status": "gap",
  "priority": null,
  "status_lifecycle": "open",
  "sla_due_at": null,
  "flags": { "ai_act_relevant": true, "gdpr_personal_data": true },
  "created_at": "2026-07-04T08:12:03Z"
}

Doctrinal note. A new incident is always born as gap with priority=null. Priority and any status promotion are granted only by classification after evidence exists (Classification Engine).

POST /api/incidents/:id/evidence – attaching evidence

POST /api/incidents/INC-2026-0042/evidence     // SIMULATION

{
  "kind": "agent_trace",
  "source": "orchestrator-logs",
  "content_ref": "s3://evidence/trace-0042.json",
  "hash_sha256": "3b1f...e9",
  "confidence": 82,
  "visibility": "internal",
  "chain_of_custody": [
    {"ts":"2026-07-04T08:20:00Z","actor":"analyst:kdzik","action":"collected","hash_after":"3b1f...e9"}
  ]
}

--> 201 Created  { "id":"ev-771", "status":"confirmed" }
// aggregation raises incidents.evidence_status: gap -> confirmed

PATCH /api/incidents/:id – classification and closure

PATCH /api/incidents/INC-2026-0042              // SIMULATION
{ "priority": "P1", "severity": 7, "ai_serious_incident": true }
--> 200 OK  { "sla_due_at":"2026-07-05T08:12:03Z", "nis2_relevant":true }

// attempt to close without remediation evidence:
PATCH /api/incidents/INC-2026-0042  { "status_lifecycle":"closed" }
--> 422 Unprocessable Entity
{ "error":"evidence_required",
  "detail":"Closure requires a response_action with a validation_ref (remediation evidence)." }
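The three rules above (born as gap with priority=null, evidence aggregation lifting evidence_status, and closure refused without remediation evidence) as an added in-memory model; this is example code, not the project's backend. Each function returns (http_status, body) in the shape of the contract's responses. The 422 returned for classifying a still-gap incident is an assumption: the page gives the error only for closure.

```python
# Added example (not the project's code): an in-memory model of the incident
# rules stated on this page. Each function returns (http_status, body) the way
# the contract's responses are shaped.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Incident:
    public_id: str
    evidence_status: str = "gap"          # every incident is born as gap
    priority: Optional[str] = None        # ... with priority=null
    status_lifecycle: str = "open"
    evidence: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def create_incident(public_id: str):
    return 201, Incident(public_id)

def attach_evidence(inc: Incident, kind: str, hash_sha256: str, confidence: int):
    ev = {"id": f"ev-{len(inc.evidence) + 1}", "kind": kind,
          "hash_sha256": hash_sha256, "confidence": confidence, "status": "confirmed"}
    inc.evidence.append(ev)
    # aggregation: confirmed evidence lifts incidents.evidence_status gap -> confirmed
    if any(e["status"] == "confirmed" for e in inc.evidence):
        inc.evidence_status = "confirmed"
    return 201, {"id": ev["id"], "status": ev["status"]}

def add_action(inc: Incident, step: str, validation_ref: Optional[str] = None):
    # a response step from a playbook; validation_ref is its remediation evidence
    inc.actions.append({"step": step, "validation_ref": validation_ref})
    return 201, inc.actions[-1]

def patch_incident(inc: Incident, priority: Optional[str] = None,
                   status_lifecycle: Optional[str] = None):
    # priority is granted by classification only once evidence exists
    # (the 422 for this case is an assumption; the page states it only for closure)
    if priority is not None and inc.evidence_status == "gap":
        return 422, {"error": "evidence_required",
                     "detail": "Classification requires evidence; incident is still gap."}
    # closure requires a response_action carrying remediation evidence
    if status_lifecycle == "closed" and not any(a["validation_ref"] for a in inc.actions):
        return 422, {"error": "evidence_required",
                     "detail": "Closure requires a response_action with a validation_ref (remediation evidence)."}
    if priority is not None:
        inc.priority = priority
    if status_lifecycle is not None:
        inc.status_lifecycle = status_lifecycle
    return 200, {"priority": inc.priority, "status_lifecycle": inc.status_lifecycle}
```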

POST /api/agents/:id/quarantine – response to takeover

POST /api/agents/b1f2...-agent/quarantine       // SIMULATION
{ "incident_id":"INC-2026-0042", "reason":"prompt_injection_confirmed",
  "approved_by":"aiso:mpaw" }
--> 200 OK
{ "status":"quarantined","current_score":34,"trust_delta":-66,
  "allowed_tools_effective":[] }

Quarantine revokes effective privileges regardless of allowed_tools. Restoration (/restore) requires the AI Safety Officer role and validation evidence (see the agent hijack playbook).
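The quarantine/restore rules above as an added example (not the project's code): the effective tool set is empty while quarantined even though allowed_tools is untouched, and /restore is gated on the AI Safety role plus validation evidence. The role string "ai_safety", the 403 body and the requirement that validation evidence carry a validation_ref are assumptions.

```python
# Added example (not the project's code): quarantine revokes effective
# privileges regardless of allowed_tools; restore needs AI Safety + validation.
from dataclasses import dataclass, field

AI_SAFETY = "ai_safety"   # assumed role identifier for the AI Safety Officer

@dataclass
class Agent:
    agent_id: str
    allowed_tools: list = field(default_factory=list)   # configured grants, never edited here
    status: str = "active"

def effective_tools(agent: Agent):
    # quarantine empties the effective set while allowed_tools stays as configured
    return [] if agent.status == "quarantined" else list(agent.allowed_tools)

def quarantine(agent: Agent, role: str, incident_id: str, reason: str):
    if role != AI_SAFETY:
        return 403, {"error": "forbidden", "detail": "min role: AI Safety"}
    agent.status = "quarantined"
    return 200, {"status": agent.status, "incident_id": incident_id,
                 "reason": reason, "allowed_tools_effective": effective_tools(agent)}

def restore(agent: Agent, role: str, evidence: list):
    # evidence: records attached to the incident; restoration needs validation
    # evidence, modelled here (assumption) as a record carrying a validation_ref
    if role != AI_SAFETY:
        return 403, {"error": "forbidden", "detail": "min role: AI Safety"}
    if not any(e.get("validation_ref") for e in evidence):
        return 422, {"error": "evidence_required",
                     "detail": "Restore requires validation evidence (agent hijack playbook)."}
    agent.status = "active"
    return 200, {"status": agent.status,
                 "allowed_tools_effective": effective_tools(agent)}
```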

POST /api/reports/incidents/:id/export – report to an authority

POST /api/reports/incidents/INC-2026-0042/export   // SIMULATION
{ "target":"csirt_nask", "regime":"nis2", "phase":"early_warning_24h" }
--> 202 Accepted
{ "report_id":"RPT-0042-1", "regime":"nis2", "phase":"24h",
  "bundle":["incident","evidence(public,restricted)","timeline"],
  "delivery":"edelivery_pending" }

The export selects its scope by regime: NIS2 (24h early warning → 72h notification → final report), GDPR art. 33 (72h to the supervisory authority), AI Act art. 73 (serious incident). Delivery is confirmed by a UPO/e-Delivery receipt, which is returned as evidence of type upo_edelivery. Regime details: Compliance.

Regulatory framing, not certification. References to AI Act art. 73, NIS2, GDPR art. 33/34 and DORA are educational / framework-level and describe the intended reporting shape. They are not legal advice and do not constitute a certification of compliance.

GET /api/stats/incidents – KPI

GET /api/stats/incidents?window=30d              // SIMULATION
--> 200 OK
{ "total":128, "open_p0_p1":7, "evidence_coverage":0.94,
  "flags":{"ai_serious_incident":3,"nis2_relevant":11,"gdpr_breach":5},
  "mtta_p0_min":131, "mttc_p1_h":18, "_note":"demonstration data" }

A contract, not a promise of function. This page defines the shape of the interface. Until the backend is deployed and tested, treat every endpoint as an implementation GAP; the schema conforms to the data model.