Digest
REST endpoints for the quarantine queue — list, inspect, decide.
The quarantine queue over REST.
| Method | Path | Summary | Flags |
|---|---|---|---|
| GET | /digest | List queued items. | |
| GET | /ipc/digest/items/{id} | Fetch one digest item with full forensics. | IPC |
| POST | /digest/{id}/approve | Approve and execute. | |
| POST | /digest/{id}/deny | Deny and block. | |
| POST | /digest/{id}/learn | Approve and train the reputation system. | |
| POST | /digest/{id}/escalate | Escalate to team (Pro). | Pro |
| POST | /digest/{id}/unlock-egress | Approve and whitelist the destination for this session. | |
| POST | /digest/{id}/deny-terminate | Deny and kill the originating process tree. | |
| POST | /digest/{id}/allow-always | Permanent allowlist for this call shape (Pro). | Pro |
| POST | /digest/{id}/webhook-review | Apply a decision delivered via webhook callback. | |
GET /digest
List pending items.
{
  "items": [
    {
      "id": "7d1f-...",
      "ts": "2026-05-14T09:14:23Z",
      "session": "abc12345-...",
      "operation": "file_read",
      "target": "/home/you/.ssh/config",
      "composite_score": 4.2,
      "filters_fired": [...]
    }
  ]
}
GET /ipc/digest/items/{id}
Full forensics on a single item (IPC-only). Includes the session's recent history and reputation context — useful for the dashboard.
Decision endpoints
All decision endpoints are POST with an optional JSON body for annotations:
POST /digest/{id}/approve
POST /digest/{id}/deny
POST /digest/{id}/learn
POST /digest/{id}/escalate (Pro)
POST /digest/{id}/unlock-egress
POST /digest/{id}/deny-terminate
POST /digest/{id}/allow-always (Pro)
POST /digest/{id}/webhook-review
Body shape (optional):
{
  "annotations": "user-provided note",
  "annotation_tags": ["false-positive", "legitimate-ssh-fix"]
}
Response: 204 No Content on success.
POST /digest/{id}/webhook-review
For asynchronous review flows — a notification channel delivered the item, the reviewer clicked an approve link, and the receiving webhook now POSTs the decision back. Body:
{
  "decision": "approve | deny | learn",
  "signature": "hmac-sha256-...",
  "ts": "..."
}
The signature is verified against the channel's shared secret; mismatched signatures return 403 SIGNATURE_INVALID.
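One way a receiver could check a webhook-review body before acting on it, as an added example that is not the project's own code. The page does not define what the HMAC covers, so the signed string (item id, decision and ts, newline-separated), the hex digest after the `hmac-sha256-` prefix, the five-minute freshness window and the result names other than the signature mismatch are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

DECISIONS = {"approve", "deny", "learn"}  # values listed for webhook-review
PREFIX = "hmac-sha256-"                   # prefix shown on the page; hex digest after it is assumed
MAX_AGE = timedelta(minutes=5)            # assumed freshness window


def sign(secret: bytes, item_id: str, decision: str, ts: str) -> str:
    # Assumed signed string: item id, decision and ts, newline-separated.
    msg = f"{item_id}\n{decision}\n{ts}".encode()
    return PREFIX + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, item_id: str, body: dict, now: datetime) -> str:
    """Return 'ok', 'malformed', 'signature_invalid' or 'stale' (local result names)."""
    decision, ts, sig = (body.get(k) for k in ("decision", "ts", "signature"))
    if not all(isinstance(v, str) for v in (decision, ts, sig)) or decision not in DECISIONS:
        return "malformed"
    # Check the MAC before parsing anything else, and compare in constant time.
    expected = sign(secret, item_id, decision, ts)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "signature_invalid"  # the case the page answers with 403 SIGNATURE_INVALID
    try:
        sent = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return "malformed"
    # A valid MAC on an old ts is a replayed callback; bound how long it stays usable.
    if sent.tzinfo is None or abs(now - sent) > MAX_AGE:
        return "stale"
    return "ok"


if __name__ == "__main__":
    secret = b"constructed-channel-secret"  # constructed sample values throughout
    ts = "2026-05-14T09:15:00Z"
    body = {"decision": "approve", "ts": ts,
            "signature": sign(secret, "item-0001", "approve", ts)}
    now = datetime(2026, 5, 14, 9, 16, tzinfo=timezone.utc)
    print(verify(secret, "item-0001", body, now))
    print(verify(secret, "item-0001", dict(body, decision="deny"), now))
    print(verify(secret, "item-0001", body, now + timedelta(hours=1)))
```

Binding the item id from the URL path into the signed string keeps a signature issued for one queued item from being accepted on another.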
Last updated: 2026-05-14