Base URL: https://api.monsys.ai/api/v1. Authentication:
- Agents:
Authorization: Bearer <agent-token>
- Dashboard / CLI: signed session cookie or API key
Agent endpoints
| Method | Path | Purpose |
|---|---|---|
| POST | /ingest | Batch of metrics/heartbeat/inventory/alerts. X-Monsys-Signature is required when signing_pubkey is pinned (see Agent payload signature) |
| POST | /agents/register | Idempotent registration + TOFU pin of signing_pubkey |
| POST | /agents/:id/heartbeat | Real-time status |
| GET | /ws/agents/:id | WebSocket for emergency token + console RPC |
Dashboard endpoints
Agents & telemetry
| Method | Path |
|---|---|
| GET | /agents |
| GET | /agents/:id |
| GET | /agents/:id/metrics?from&to&interval |
| GET | /agents/:id/inventory |
| GET | /agents/:id/processes |
| DELETE | /agents/:id |
| GET | /alerts |
| PATCH | /alerts/:id/resolve |
Asset Intelligence (Session 12)
| Method | Path |
|---|---|
| GET | /agents/:id/governance |
| PUT | /agents/:id/governance |
| GET | /agents/:id/inventory/containers |
| GET | /agents/:id/inventory/systemd |
| GET | /agents/:id/inventory/users |
| GET | /agents/:id/inventory/sudo |
| GET | /agents/:id/inventory/ssh-keys |
| GET | /agents/:id/inventory/backups |
| GET | /compliance?framework=&agent_id=&status= |
| POST | /compliance/run |
| GET | /compliance/export/:tool (trustos/vanta/cyberday/generic) |
Cloud Asset Discovery
| Method | Path |
|---|---|
| GET | /cloud/accounts |
| POST | /cloud/accounts (live credential validation) |
| DELETE | /cloud/accounts/:id |
| POST | /cloud/accounts/:id/discover (triggers an immediate discovery) |
| GET | /cloud/resources?account_id=&type=&has_agent=&is_public= |
| GET | /cloud/resources/:id |
| GET | /cloud/resources/:id/install (agent install commands) |
| GET | /cloud/summary |
| GET | /cloud/findings?severity=&status= |
| GET | /cloud/runs?account_id= |
Supported providers: aws, azure, gcp, hetzner, proxmox,
digitalocean, scaleway, ovh, ionos. The hub requires CLOUD_ENCRYPTION_KEY
(32 bytes, hex) to encrypt credentials at rest.
Topology & diagrams
| Method | Path |
|---|---|
| GET | /topology/nodes · POST · PATCH /:id · DELETE /:id |
| GET | /topology/edges · POST · DELETE /:id |
| GET | /topology/zones · POST |
| GET | /topology/detected[?unmatched=1] |
| POST | /topology/detected/:id/promote |
| GET | /topology/snapshots · POST |
| GET | /topology/export/mermaid |
| GET | /diagrams · POST /generate · GET /templates |
| POST | /diagrams/from-template/:id |
| GET | /diagrams/:id · PUT · DELETE |
| POST | /diagrams/:id/share · unshare |
| GET | /diagrams/share/:token (public, no auth) |
Audit-grade hardening
| Method | Path |
|---|---|
| POST | /agents/:id/rotate-token (admin/owner) |
| POST | /agents/:id/rotate-signing-key (admin/owner) |
| GET | /integrity-anomalies?include_resolved=0\|1 |
| PATCH | /integrity-anomalies/:id/resolve |
Emergency console (Session 6b)
| Method | Path |
|---|---|
| POST | /agents/:id/console/start (admin/owner + TOTP) |
| GET | /console/sessions |
| GET | /console/sessions/:id/recording (asciicast v2) |
| DELETE | /console/sessions/:id (terminated by admin) |
| GET | /ws/console/:session_id (browser → hub WebSocket) |
Auth / session
| Method | Path |
|---|---|
| POST | /auth/login |
| POST | /auth/totp/challenge |
| POST | /auth/totp/setup / /verify / /disable |
| POST | /auth/forgot-password · /reset-password |
| POST | /auth/accept-invite · /invitations |
Other
| Method | Path |
|---|---|
| POST | /agents/:id/emergency |
| GET | /blast-radius/:id |
| GET | /inventory/cves |
| GET | /ai/explain?log=…&agent_id=…&lang=fr |
| GET | /security (honeypots / DNA / silent agents) |
| GET | /webhooks · POST · DELETE |
Status & metrics
GET /api/v1/health → { "status": "ok" }
GET /metrics → Prometheus exposition.
Rate limits
| Endpoint | Limit |
|---|---|
| /ingest | 60 / minute / agent |
| /agents/:id/emergency | 5 / hour / user |
| /agents/:id/console/start | 5 / hour / user |
| /agents/:id/rotate-token | 10 / hour / user |
| /agents/:id/rotate-signing-key | 10 / hour / user |
| /auth/login | 10 / minute / IP |
| /auth/forgot-password | 5 / hour / IP |
| /auth/totp/challenge | 10 / minute / IP |
| /compliance/run | 10 / hour / user |
| /invitations POST | 20 / hour / tenant |
| Other user endpoints | 1000 / minute / IP |
Audit log
Every sensitive action writes a row to audit_log. Events to expect
in an audit:
| event_type | Trigger |
|---|---|
| agent_token_rotated | POST /agents/:id/rotate-token |
| agent_signing_key_cleared | POST /agents/:id/rotate-signing-key |
| console_session_started / _ended / _admin_terminated | Emergency console |
| agent_version_seen | IntegrityCheckWorker checkpoint |