VectorVue Client API Manual

This manual provides production-safe integration guidance for client-facing APIs.

1. Security Model

• JWT authentication with tenant claim required
• Tenant-scoped reads only for client data APIs
• Compliance APIs return signed response envelopes
• Client API telemetry ingestion is disabled (Phase 0 Sprint 0.1)

2. Base URL and Authentication

Default local endpoint:

• https://127.0.0.1

Login:

• POST /api/v1/client/auth/login

Use access token in all calls:

• Authorization: Bearer <token>

3. Core Client Endpoints

• GET /api/v1/client/findings
• GET /api/v1/client/findings/{finding_id}
• GET /api/v1/client/evidence
• GET /api/v1/client/evidence/{finding_id}
• GET /api/v1/client/reports
• GET /api/v1/client/reports/{report_id}/download
• GET /api/v1/client/risk
• GET /api/v1/client/risk-summary
• GET /api/v1/client/risk-trend
• GET /api/v1/client/remediation
• GET /api/v1/client/remediation-status

4. Analytics Endpoints

• GET /ml/client/security-score
• GET /ml/client/risk
• GET /ml/client/detection-gaps
• GET /ml/client/anomalies
• POST /ml/client/simulate
• GET /ml/operator/suggestions/{campaign_id}

Client analytics response contract:

• score
• confidence
• explanation
• model_version
• generated_at

5. Compliance Endpoints

• POST /audit/session
• GET /compliance/frameworks
• GET /compliance/{framework}/controls
• GET /compliance/{framework}/score
• GET /compliance/{framework}/report
• GET /compliance/audit-window

Compliance responses include:

• data
• signature (cryptographic signature envelope)

6. Example Login Flow

curl -k -X POST https://127.0.0.1/api/v1/client/auth/login \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "acme_viewer",
    "password": "AcmeView3r!",
    "tenant_id": "10000000-0000-0000-0000-000000000001"
  }'

7. Telemetry Endpoint Status

POST /api/v1/client/events and /api/v1/integrations/spectrastrike/* are retired and not exposed by the runtime API.

8. Integration Validation Checklist

1. Authenticate and resolve tenant context.
2. Read findings, risk, and remediation data.
3. Confirm telemetry ingestion endpoints are not exposed.
4. Call one analytics endpoint.
5. Call one compliance endpoint and validate signature envelope presence.

9. Operational Commands

make deploy
make seed-clients
make api-smoke

10. Related References

• Compliance API Spec
• Auditor Guide
• Phase 0 Sprint 0.1 Roadmap
• Security Expansion Appendix
• Secure SpectraStrike ↔ VectorVue Integration