{"openapi":"3.0.0","info":{"title":"Standard GRC Platform — API Reference","version":"1.0.0","description":"API-first agentic GRC platform for compliance assessments powered by the Secure Controls Framework (SCF). Features 7 specialized AI agents, assessment lifecycle management, document ingestion, knowledge base search, and multi-tenant authorization.\n\n---\n\n\n> **🤖 AI-Dev First**: Se você é um Agente Autônomo ou está configurando uma integração LLM, consuma nossa documentação contextual nativa em [`/llms-full.txt`](/llms-full.txt).\n  \n\n---\n\n\n\n---\n\n## 📖 Manuais & Cookbook\n\nConsulte [`/llms-full.txt`](/llms-full.txt) para workflows completos e [`/llms.txt`](/llms.txt) para referência rápida."},"servers":[{"url":"/","description":"Current environment"},{"url":"https://standard-api.bekaa.eu","description":"Production"}],"security":[{"BearerApiKey":[]}],"components":{"securitySchemes":{"BearerApiKey":{"type":"http","scheme":"bearer","description":"API Key issued from the Standard dashboard. 
Prefix: `standard_live_` or `standard_test_`."},"CookieSession":{"type":"apiKey","in":"cookie","name":"standard-native-auth.session_token","description":"Session cookie set by Standard Native Auth after login."}},"schemas":{"VendorScannerBatchInput":{"type":"object","properties":{"batch_id":{"type":"string"},"items":{"type":"array","items":{"type":"object","properties":{"correlation_id":{"type":"string","example":"vendor_clause_5.1"},"payload":{"$ref":"#/components/schemas/VendorScannerInput"}},"required":["correlation_id","payload"]},"maxItems":500}},"required":["items"]},"VendorScannerInput":{"type":"object","properties":{"vendorName":{"type":"string","example":"Amazon Web Services (AWS)"},"contractExcerpt":{"type":"string","minLength":20,"example":"5.1 The Processor agrees to notify the Controller of any breach within 120 hours."}},"required":["vendorName","contractExcerpt"]},"VendorScannerOutput":{"type":"object","properties":{"has_standard_contractual_clauses":{"type":"boolean","description":"Whether the contract has EU/ANPD standardized DPA clauses."},"is_dpa_compliant":{"type":"boolean","description":"Whether the contract is globally compliant for LGPD/GDPR."},"liability_cap_identified":{"type":"string","description":"Liability cap paid by the vendor."},"data_subprocessors_listed":{"type":"array","items":{"type":"string"},"description":"Third-party companies detected in the contract text."},"red_flags_for_negotiation":{"type":"array","items":{"type":"string"},"description":"Severe gaps that the legal team needs to renegotiate."}},"required":["has_standard_contractual_clauses","is_dpa_compliant","data_subprocessors_listed","red_flags_for_negotiation"]}},"parameters":{}},"paths":{"/api/v1/organizations":{"post":{"summary":"Create Organization","description":"Creates an organization under the authenticated 
tenant.","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"organization_id":{"type":"string","format":"uuid"},"slug":{"type":"string","minLength":2},"name":{"type":"string","minLength":1},"user_id":{"type":"string"}},"required":["organization_id","slug","name","user_id"],"additionalProperties":false}}}},"responses":{"201":{"description":"Organization created","content":{"application/json":{"schema":{"type":"object","properties":{"organization_id":{"type":"string"},"slug":{"type":"string"},"name":{"type":"string"},"status":{"type":"string"},"trace_id":{"type":"string"}},"required":["organization_id","slug","name","status","trace_id"]}}}}}}},"/api/v1/tenants/{organizationId}/organizations":{"get":{"summary":"List Organizations by Tenant","description":"Returns all organizations for the specified tenant.","parameters":[{"schema":{"type":"string"},"required":true,"name":"organizationId","in":"path"}],"responses":{"200":{"description":"Organization list","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"type":"object","properties":{"organization_id":{"type":"string"},"name":{"type":"string"},"slug":{"type":"string"},"status":{"type":"string"}},"required":["organization_id","name","slug","status"]}},"trace_id":{"type":"string"}},"required":["data","trace_id"]}}}}}}},"/api/v1/organizations/{organizationId}/api-keys":{"get":{"summary":"List API Keys","description":"Returns all API keys for the authenticated organization (masked). 
Use ?active=true to exclude revoked keys.","parameters":[{"schema":{"type":"string"},"required":true,"name":"organizationId","in":"path"},{"schema":{"type":"string","enum":["true","false"]},"required":false,"name":"active","in":"query"}],"responses":{"200":{"description":"API key list","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"maskedKey":{"type":"string"},"scopes":{"type":"array","items":{"type":"string"}},"lastUsedAt":{"type":"string","nullable":true},"expiresAt":{"type":"string","nullable":true},"revokedAt":{"type":"string","nullable":true},"isRevoked":{"type":"boolean"},"status":{"type":"string","enum":["active","expired","revoked"]},"createdAt":{"type":"string"}},"required":["id","name","maskedKey","scopes","lastUsedAt","expiresAt","revokedAt","isRevoked","status","createdAt"]}}},"required":["data"]}}}}}},"post":{"summary":"Create API Key","description":"Creates a new M2M API key. 
The raw key is returned only once — store it securely.","parameters":[{"schema":{"type":"string"},"required":true,"name":"organizationId","in":"path"}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"name":{"type":"string","minLength":1,"maxLength":100},"expiresAt":{"type":"string","format":"date-time"},"scopes":{"type":"array","items":{"type":"string","enum":["assessment:read","assessment:write","assessment:transition","document:read","document:write","document:delete","scf:read","soa:read","soa:write","gap:read","gap:write","poam:read","poam:write","report:read","report:write","report:export","kb:read","kb:search","agent:read","agent:run","integration:analyze","intelligence:read","intelligence:run","job:read","audit:read","metrics:read","usage:read","workflow:read","workflow:write","workflow:signal","artifact:read","artifact:write","approval:read"]},"minItems":1,"maxItems":33}},"required":["name"]}}}},"responses":{"201":{"description":"API key created","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"key":{"type":"string","description":"Raw key — shown only once"},"maskedKey":{"type":"string"},"scopes":{"type":"array","items":{"type":"string"}},"expiresAt":{"type":"string","nullable":true},"createdAt":{"type":"string"}},"required":["id","name","key","maskedKey","scopes","expiresAt","createdAt"]}},"required":["data"]}}}}}}},"/api/v1/organizations/{organizationId}/api-keys/{keyId}":{"patch":{"summary":"Update API Key","description":"Update name, expiration date, and/or scopes of an existing API 
key.","parameters":[{"schema":{"type":"string"},"required":true,"name":"organizationId","in":"path"},{"schema":{"type":"string"},"required":true,"name":"keyId","in":"path"}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"name":{"type":"string","minLength":1,"maxLength":100},"expiresAt":{"type":"string","nullable":true,"format":"date-time"},"scopes":{"type":"array","items":{"type":"string","enum":["assessment:read","assessment:write","assessment:transition","document:read","document:write","document:delete","scf:read","soa:read","soa:write","gap:read","gap:write","poam:read","poam:write","report:read","report:write","report:export","kb:read","kb:search","agent:read","agent:run","integration:analyze","intelligence:read","intelligence:run","job:read","audit:read","metrics:read","usage:read","workflow:read","workflow:write","workflow:signal","artifact:read","artifact:write","approval:read"]},"minItems":1,"maxItems":33}}}}}},"responses":{"200":{"description":"API key updated"}}}},"/api/v1/privacy/scan-vendor-contract/batch":{"post":{"summary":"Scan Vendor Contracts in Bulk (Async)","description":"Dispatches long-running analysis across up to 500 contract snippets simultaneously. 
Returns a `job_id` for polling.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/VendorScannerBatchInput"}}}},"responses":{"202":{"description":"Batch job dispatched successfully","content":{"application/json":{"schema":{"type":"object","properties":{"status":{"type":"string"},"job_id":{"type":"string"}},"required":["status","job_id"]}}}}}}},"/api/v1/privacy/scan-vendor-contract":{"post":{"summary":"B2B Legal Analyzer (Vendor Risk Scanner)","description":"Transforms raw contract text into executive intelligence about sub-processors and LGPD/GDPR privacy compliance.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/VendorScannerInput"}}}},"responses":{"200":{"description":"Vendor risks and compliance gaps","content":{"application/json":{"schema":{"$ref":"#/components/schemas/VendorScannerOutput"}}}}}}},"/api/v1/me/data-export":{"get":{"tags":["Data Subject Rights"],"summary":"Export personal data (LGPD art. 18)","description":"Returns a portable JSON export of all personal data stored for the authenticated user. Compliant with LGPD art. 18 (right of access and portability). 
The response includes a Content-Disposition header for download.","responses":{"200":{"description":"Personal data export","content":{"application/json":{"schema":{"type":"object","properties":{"export_generated_at":{"type":"string"},"export_format":{"type":"string"},"subject":{"type":"object","properties":{"id":{"type":"string"},"email":{"type":"string","nullable":true},"name":{"type":"string","nullable":true}},"required":["id","email","name"]},"profile":{"type":"object","properties":{"id":{"type":"string"},"email":{"type":"string","nullable":true},"name":{"type":"string","nullable":true}},"required":["id","email","name"]},"memberships":{"type":"array","items":{"type":"object","additionalProperties":{"nullable":true}}},"notices":{"type":"array","items":{"type":"string"}}},"required":["export_generated_at","export_format","subject","profile","memberships","notices"]}}}}}}},"/api/v1/me/account":{"delete":{"tags":["Data Subject Rights"],"summary":"Request account deletion (LGPD art. 18)","description":"Initiates an account deletion request. The account is flagged for deletion immediately. Personal data is permanently purged within 30 days per the data retention policy.","responses":{"200":{"description":"Deletion request accepted","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"},"requested_at":{"type":"string"},"expected_purge_within":{"type":"string"},"contact":{"type":"string"},"trace_id":{"type":"string"}},"required":["message","requested_at","expected_purge_within","contact","trace_id"]}}}}}}},"/api/v1/soc/status":{"get":{"tags":["SOC Monitoring"],"summary":"SOC pipeline health status","description":"Returns SOC monitoring pipeline status: queue binding health, alert service configuration, and pipeline readiness. 
Requires admin:write permission (platform admin only).","responses":{"200":{"description":"SOC pipeline status","content":{"application/json":{"schema":{"type":"object","properties":{"status":{"type":"string","enum":["operational","degraded"]},"timestamp":{"type":"string"},"pipeline":{"type":"object","properties":{"soc_triage_queue":{"type":"string","enum":["bound","unbound"]},"alert_service":{"type":"string","enum":["configured","unconfigured"]}},"required":["soc_triage_queue","alert_service"]},"note":{"type":"string"},"trace_id":{"type":"string"}},"required":["status","timestamp","pipeline","note","trace_id"]}}}}}}}}}