Skip to content

Service API

Capsem clients talk to capsem-service through one explicit HTTP route table. The desktop UI, TUI, CLI, tray, and gateway must reflect these routes; they must not invent fallback paths, compatibility aliases, or display-only contract names.

The service is the only global runtime object. Profiles own behavior and configuration. Sessions execute profiles.

Route suffixes are part of the contract:

SuffixMeaning
infoStatic or slow-changing configuration, descriptors, file origins, schema metadata, and debug facts.
statusRuntime readiness, counters, progress, and liveness. Status routes must avoid hot-path DB reads unless explicitly documented.
listInventory of child objects.
latestRecent ledger rows, including event ids needed for forensic lookup.
evaluateDry-run a supplied event or rule payload through the production evaluator.
editMutate an existing settings/profile/plugin/rule object through its typed contract.
reloadRe-read persisted profile, corp, rule, detection, or catalog material.
ensureMaterialize or download missing profile assets.
create, delete, clone, fork, save, start, resume, pause, stop, restartCommand routes with explicit side effects.

Unknown routes must return 404 at the gateway or service boundary. No generic path forwarding is allowed.

These routes describe the daemon, service-wide runtime summaries, or global catalog entry points. They are not profile behavior.

MethodRouteContract
GET/versionInstalled service version.
GET/update/statusBinary, VM asset, profile, and image update availability from the installed manifest and release-channel cache.
GET/statsService-wide runtime counters.
GET/service-logsService log tail for diagnostics.
GET/triageStructured support bundle summary.
GET/panicsRecent panic/crash evidence.
GET/host-logs/{name}Named host-side log stream.
POST/purgeDelete defunct service/session state that is no longer recoverable.
POST/runCompatibility command for creating/running a session through the service path.
GET/security/latestService-wide recent security ledger rows.
GET/security/statusService-wide security counters.
GET/enforcement/latestService-wide recent enforcement ledger rows.
GET/enforcement/statusService-wide enforcement counters.
GET/detection/latestService-wide recent detection ledger rows.
GET/detection/statusService-wide detection counters.
GET/profiles/listProfile catalog visible to this service.
GET/profiles/statusProfile readiness and asset status summary.
POST/profiles/reloadReload the profile catalog.
GET/settings/infoUI/application settings, not VM behavior.
PATCH/settings/editEdit UI/application settings.
GET/corp/infoCorporate constraints and reporting config.
PUT/corp/editReplace corporate constraints where local policy permits.
POST/corp/validateValidate corporate config without applying it.
POST/corp/reloadReload corporate config.

Profile routes are scoped by profile_id. Rules, detection, plugins, MCP, skills, assets, and profile metadata all belong here.

MethodRouteContract
GET/profiles/{profile_id}/infoProfile descriptor, icon, description, VM defaults, and file origins.
GET/profiles/{profile_id}/obomBase-image OBOM evidence for this profile.
POST/profiles/{profile_id}/validateValidate the profile and pinned files.
POST/profiles/{profile_id}/reloadReload one profile.
GET/profiles/{profile_id}/assets/infoProfile asset declaration and origins.
GET/profiles/{profile_id}/assets/statusPer-asset readiness, hash, and missing/download state.
POST/profiles/{profile_id}/assets/ensureDownload or materialize missing profile assets.
MethodRouteContract
POST/profiles/{profile_id}/enforcement/evaluateEvaluate a supplied SecurityEvent against profile enforcement rules.
GET/profiles/{profile_id}/enforcement/infoEnforcement file origins and compile status.
GET/profiles/{profile_id}/enforcement/rules/listCompiled enforcement rules with source/default/priority/action metadata.
PUT/profiles/{profile_id}/enforcement/rules/{rule_id}/editAdd or replace one profile enforcement rule.
DELETE/profiles/{profile_id}/enforcement/rules/{rule_id}/deleteDelete one mutable profile enforcement rule.
POST/profiles/{profile_id}/enforcement/reloadReload enforcement rules for the profile.
POST/profiles/{profile_id}/detection/evaluateEvaluate a supplied event against profile detection rules.
GET/profiles/{profile_id}/detection/infoDetection file origins and compile status.
GET/profiles/{profile_id}/detection/rules/listCompiled detection rules, including Sigma-derived rules.
PUT/profiles/{profile_id}/detection/rules/{rule_id}/editAdd or replace one profile detection rule.
DELETE/profiles/{profile_id}/detection/rules/{rule_id}/deleteDelete one mutable profile detection rule.
POST/profiles/{profile_id}/detection/reloadReload detection rules for the profile.

Plugins expose profile config and registry-owned descriptors. Runtime plugin activity for a running session appears under session stats and security ledger routes.

MethodRouteContract
GET/profiles/{profile_id}/plugins/infoPlugin subsystem info for the profile.
GET/profiles/{profile_id}/plugins/listProfile plugin config plus registry metadata.
GET/profiles/{profile_id}/plugins/{plugin_id}/infoOne plugin descriptor, config, capabilities, stages, and status schema.
PATCH/profiles/{profile_id}/plugins/{plugin_id}/editEnable, disable, or edit one plugin config object.
GET/profiles/{profile_id}/plugins/credential_broker/credentials/infoCredential broker inventory summary without raw secrets.

MCP is profile-owned. There is no global MCP tool list.

MethodRouteContract
GET/profiles/{profile_id}/mcp/infoProfile MCP subsystem info.
GET/profiles/{profile_id}/mcp/default/infoDefault MCP policy for this profile.
PATCH/profiles/{profile_id}/mcp/default/editEdit the profile default MCP action.
GET/profiles/{profile_id}/mcp/servers/listMCP servers declared or discovered for this profile.
PUT/profiles/{profile_id}/mcp/servers/{server_id}/editAdd or replace one profile MCP server.
DELETE/profiles/{profile_id}/mcp/servers/{server_id}/deleteDelete one profile MCP server.
POST/profiles/{profile_id}/mcp/servers/{server_id}/refreshRefresh one server’s tool/resource inventory.
GET/profiles/{profile_id}/mcp/servers/{server_id}/tools/listTools for one MCP server.
PATCH/profiles/{profile_id}/mcp/servers/{server_id}/tools/{tool_id}/editEdit one tool’s action for this profile.
POST/profiles/{profile_id}/mcp/servers/{server_id}/tools/{tool_id}/callCall one MCP tool through the audited service path.

Skills are profile-owned. The current routes reserve the profile-scoped control surface; implementation must keep skill metadata and mutation behind the profile contract.

MethodRouteContract
GET/profiles/{profile_id}/skills/infoProfile skill subsystem info.
GET/profiles/{profile_id}/skills/listSkills enabled or available for the profile.
POST/profiles/{profile_id}/skills/addAdd a skill to the profile.
PATCH/profiles/{profile_id}/skills/{skill_id}/editEdit one profile skill.
DELETE/profiles/{profile_id}/skills/{skill_id}/deleteDelete one profile skill.

Session routes are runtime operations for one existing session id. User-facing UI can call these sessions; internal debug output may still mention VM where it describes virtualization state.

MethodRouteContract
POST/vms/createCreate a new session from a profile.
GET/vms/listList sessions.
GET/vms/{id}/infoSession config/runtime info, including profile, process, and storage diagnostics.
GET/vms/{id}/statusIn-memory session liveness, readiness, state, and counters.
POST/vms/{id}/stopStop a running session.
POST/vms/{id}/pausePause or suspend a running session.
POST/vms/{id}/startStart a stopped session.
POST/vms/{id}/resumeResume a paused or stopped session through the service path.
DELETE/vms/{id}/deleteDelete a session.
POST/vms/{id}/savePersist session state.
GET/vms/{id}/save/statusSave progress/status.
POST/vms/{id}/forkFork a session.
GET/vms/{id}/fork/statusFork progress/status.
GET/vms/{id}/logsSession log stream.
POST/vms/{id}/execExecute a command through the audited control path.
POST/vms/{id}/files/writeWrite a file through the audited control path.
POST/vms/{id}/files/readRead a file through the audited control path.
GET/vms/{id}/files/listList files through the service file browser route.
GET/vms/{id}/files/contentDownload file content through the service route.
POST/vms/{id}/files/contentUpload file content through the service route.
GET/vms/{id}/snapshots/statusSnapshot subsystem readiness for the session.
GET/vms/{id}/snapshots/listSnapshot entries exposed by the snapshot subsystem, not security activity.
GET/vms/{id}/timelineSession timeline.
GET/vms/{id}/historySession history.
GET/vms/{id}/history/processesProcess history.
GET/vms/{id}/history/countsHistory counters.
GET/vms/{id}/history/transcriptTerminal transcript history.
GET/vms/{id}/security/latestRecent security ledger rows for this session.
GET/vms/{id}/security/statusSecurity counters for this session.
GET/vms/{id}/enforcement/latestRecent enforcement ledger rows for this session.
GET/vms/{id}/enforcement/statusEnforcement counters for this session.
GET/vms/{id}/detection/latestRecent detection ledger rows for this session.
GET/vms/{id}/detection/statusDetection counters for this session.
  • The UI/TUI must use profile routes for profile behavior and settings routes only for UI/application preferences.
  • Profile cards render name, description, icon, readiness, and asset checklist from profile route data.
  • Enforcement, detection, plugins, MCP, assets, and skills pages are scoped by profile id.
  • Session actions are state-dependent. Incompatible or defunct sessions must not offer start/resume/pause actions.
  • Raw JSON is a debug view. Normal panels should render the typed fields once.