API channel

Author: flaviusburca

docs/appendices/api-reference.md

@@ -4,7 +4,10 @@ The REST API serves two roles: the web channel interface (browser SPA talks dire
 
 Base URL: `/v1`
 
-All endpoints require JWT authentication unless noted otherwise. The JWT is sent as `Authorization: Bearer <token>`.
+All endpoints require authentication unless noted otherwise. Two token types are accepted:
+
+- **JWT access tokens** (`Authorization: Bearer eyJ...`) -- for interactive users. Required on everything except `/v1/api/*`.
+- **Service-account tokens** (`Authorization: Bearer surg_sk_...`) -- for programmatic clients. Accepted **only** on `/v1/api/*`; refused elsewhere. See [Service-Account Admin CRUD](#service-accounts-admin).
 
 ## Auth Endpoints
 
@@ -323,6 +326,112 @@ Add an MCP server configuration.
 
 Remove an MCP server.
 
+## Feedback (API Channel)
+
+Service-account clients — typically an automated judge grading pipeline
+output — record feedback against an `llm.response` or `expert.result`
+event through the same handler that serves the web UI, mounted under
+the `/v1/api/*` prefix so SA tokens can reach it.
+
+### `POST /v1/api/sessions/{session_id}/events/{event_id}/feedback`
+
+**Request:**
+```json
+{
+  "rating": "up",
+  "score": 0.87,
+  "criteria": {"correctness": 0.9, "relevance": 0.85},
+  "rationale": "Matches the reference; arithmetic is correct."
+}
+```
+
+- `rating` (required, `"up"` or `"down"`) — binary bucket used by
+  training-data selectors.
+- `score` (optional, `0.0-1.0`) — numeric grade when the principal is a
+  judge; ignored by bucket-oriented selectors.
+- `criteria` (optional dict of string → float) — per-axis grades.
+- `rationale` (optional, max 10,000 chars) — free-form text the judge
+  produced.
+- `reason` (optional, max 500 chars) — the shorter, human-UI-friendly
+  explanation; interchangeable with `rationale` on the server side.
+
+**Response (201):**
+```json
+{
+  "event_id": 42,
+  "event_type": "user.feedback",
+  "source": "judge"
+}
+```
+
+`source` is `"judge"` when the caller presented a service-account token
+and `"user"` when the caller presented an interactive JWT.  Stored on
+the event's JSONB payload so downstream training-data selection and
+dashboards can weight the two independently.
+
+**Idempotency.** Dedupe is keyed on `(session_id, event_id, principal)`
+where `principal` is the caller's `user_id` for JWT callers and
+`service_account_id` for SA callers.  A retry from the same principal
+returns the original feedback event unchanged; feedback from a user
+and from a judge on the same turn coexist as two independent events.
+
+## Prompts (API Channel)
+
+Fire-and-forget prompt submission for non-interactive clients. Requires a service-account token. Results are read back from the `events` table by `session_id`. See [Channels / API](../channels/api.md) for the end-to-end pipeline workflow.
+
+### `POST /v1/api/prompts`
+
+Submit a single prompt.
+
+**Request:**
+```json
+{
+  "prompt": "Write a haiku about distributed systems.",
+  "idempotency_key": "dataset-42/row-1337",
+  "metadata": {"dataset_id": "ds_123", "row_index": 1337}
+}
+```
+
+- `prompt` (required, max 200,000 chars).
+- `idempotency_key` (optional, max 200 chars) -- two submissions with the same key + org resolve to the same session; the second returns `deduplicated: true` and enqueues no new work.
+- `metadata` (optional dict) -- stored on `sessions.config['pipeline_metadata']`; the pipeline joins results back to its dataset via this field.
+
+**Response (202):**
+```json
+{
+  "session_id": "8f...",
+  "event_id": 42,
+  "deduplicated": false,
+  "error": null
+}
+```
+
+### `POST /v1/api/prompts:batch`
+
+Submit up to 100 prompts in one round-trip. Each entry is processed independently; partial failures surface per-slot, not as a whole-request 500 (unless every entry fails).
+
+**Request:**
+```json
+{
+  "prompts": [
+    {"prompt": "...", "idempotency_key": "row-1"},
+    {"prompt": "...", "idempotency_key": "row-2"}
+  ]
+}
+```
+
+**Response (202):**
+```json
+{
+  "results": [
+    {"session_id": "...", "event_id": 1, "deduplicated": false, "error": null},
+    {"session_id": "...", "event_id": 2, "deduplicated": true, "error": null}
+  ]
+}
+```
+
+Input order is preserved so the caller can zip results back to its input rows.
+
 ## Admin
 
 These endpoints require admin permissions.
@@ -347,6 +456,43 @@ Create a user in an organization.
 
 Install the Slack bot for an organization.
 
+### Service Accounts (Admin) {#service-accounts-admin}
+
+Issue and revoke service-account tokens that authenticate the API channel. All endpoints require the `admin` permission. Tokens have the prefix `surg_sk_`; the raw value is returned once on creation and is not recoverable.
+
+#### `POST /v1/admin/service-accounts`
+
+Issue a new token.
+
+**Request:**
+```json
+{"org_id": "00000000-...", "name": "dataset-gen-v1"}
+```
+
+**Response (201):**
+```json
+{
+  "id": "uuid",
+  "org_id": "00000000-...",
+  "name": "dataset-gen-v1",
+  "token_prefix": "surg_sk_abcd1234",
+  "created_at": "2025-01-01T00:00:00Z",
+  "last_used_at": null,
+  "revoked_at": null,
+  "token": "surg_sk_<44 chars>"
+}
+```
+
+Store the `token` immediately -- only the `token_prefix` is persisted afterwards.
+
+#### `GET /v1/admin/service-accounts?org_id={id}`
+
+List service accounts for an org. `token` is never returned.
+
+#### `DELETE /v1/admin/service-accounts/{id}`
+
+Revoke a service account. Immediate in the revoking process; peer API/worker processes converge within 60 seconds (the in-memory auth cache's TTL). A second delete on the same id returns 404.
+
 ## Health and Metrics
 
 ### `GET /health`

docs/appendices/glossary.md

@@ -4,7 +4,8 @@
 |---|---|
 | **ABAC** | Attribute-Based Access Control. Policy rules that evaluate attributes of the user, session, tool arguments, or environment to make access decisions. Example: "allow `refund_user` only if `amount < 1000`". |
 | **AGT** | Agent Governance Toolkit. Microsoft's open-source library for agent policy enforcement, MCP security scanning, and capability modeling. Surogates uses AGT's `PolicyEngine`, `MCPSecurityScanner`, and `CapabilityModel`. |
-| **Channel** | The user-facing interface. Surogates has no CLI. Users interact through channels: the web chat UI and Slack. Each channel has an adapter that normalizes platform messages into the internal API. |
+| **API Channel** | The programmatic channel. Non-interactive clients (synthetic-data pipelines, batch jobs) submit prompts via `POST /v1/api/prompts` with a service-account token. Sessions have `channel="api"` and no user identity; results are read directly from the `events` table. |
+| **Channel** | The user-facing interface. Surogates has no CLI. Users interact through channels: web, Slack, Telegram, and the API channel for programmatic clients. Each has an adapter (or, for web/API, a REST endpoint set) that normalizes inbound messages into the internal API. |
 | **Channel Identity** | A mapping between a platform-specific user ID (e.g., Slack user `U03ABCDEF`) and an internal Surogates user. Enables cross-channel session sharing. |
 | **Cursor** | The last fully-processed event ID for a session. Used for crash recovery -- the new worker replays events after the cursor. Also used by SSE clients to resume event streams without data loss. |
 | **Delivery Outbox** | A PostgreSQL table that acts as a durable queue for outbound messages. Channel adapters claim rows, send messages, and mark them as delivered. Redis nudges are a latency optimization, not the source of truth. |
@@ -20,6 +21,7 @@
 | **Org** | Organization. The top-level tenant boundary. Each org has its own users, skills, memory, credentials, MCP servers, and policies. |
 | **Saga** | A tracked sequence of tool calls with automatic rollback. When a step fails, previously completed steps are compensated in reverse order -- builtin tools via filesystem checkpoints, MCP tools via declared undo operations. Named after the [saga pattern](https://microservices.io/patterns/data/saga.html) from distributed systems. |
 | **Sandbox** | An isolated execution environment where the LLM's generated code runs. In development: a subprocess in a temp directory. In production: a dedicated K8s pod with s3fs-fuse workspace mount. Also called "the hands". |
+| **Service Account** | An org-scoped principal used by non-interactive clients to authenticate against the API channel. Issued by an admin via `POST /v1/admin/service-accounts`; produces a long-lived `surg_sk_...` bearer token that is accepted only on `/v1/api/*` routes and carries no user identity. |
 | **Session** | A conversation between a user and an agent. Backed by an append-only event log in PostgreSQL. Sessions survive crashes -- any worker can resume from the last event. |
 | **Session Source** | Metadata about where a message came from: platform, chat ID, chat type, user ID, thread ID. Used to route messages to the correct session. |
 | **Skill** | A reusable, prompt-based behavior defined in a `SKILL.md` file. Skills are loaded from three layers (platform > org > user) with last-wins precedence. |

docs/architecture/index.md

@@ -7,7 +7,7 @@ Surogates follows the three-component model: decouple the brain from the hands,
 ```
 +-----------------------------------------------------------------+
 |                     Channel Adapters                             |
-|         Web Chat UI (SPA)         |         Slack          |
+|  Web SPA   |   Slack   |   Telegram   |   API (service account) |
 +---------------+-------+---------+---------+------------+--------+
                 |
 +---------------v-------------------------------------------------+
@@ -110,6 +110,21 @@ The sandbox runs the full `surogates` Python package. A `tool-executor` script a
 5. Adapter formats payload -> sends via platform API -> marks row delivered
 ```
 
+### API Channel (Programmatic)
+
+```
+1. Pipeline: POST /v1/api/prompts with a service-account token (surg_sk_...)
+2. API Server: resolve service account -> create session (channel="api",
+   user_id=NULL) -> emit user.message event -> enqueue to Redis -> 202
+3. Worker: dequeue -> wake(session_id) -> harness loop -> events emitted
+4. Pipeline: reads results back from the `events` table keyed by session_id
+   (no streaming, no SSE). `sessions.status` indicates completion.
+```
+
+API-channel sessions never appear in the delivery outbox -- pipelines pull
+directly from PostgreSQL. See [Channels / API](../channels/api.md) for the
+request/response schema and idempotency semantics.
+
 ### Crash Recovery
 
 ```

docs/audit/views.md

@@ -11,6 +11,12 @@ External consumers should prefer views over raw JSONB queries — adding
 new keys to an event's JSONB payload never breaks a view-backed
 query, because the view's column list stays fixed.
 
+**A note on `user_id`.** The column is `NULL` for every event in an
+API-channel session (sessions submitted via `POST /v1/api/prompts`,
+owned by a service account instead of a user).  Dashboards that group
+by `user_id` should also group by `channel` to avoid collapsing
+every service-account session into a single "unknown user" bucket.
+
 | View | Driven by | Purpose |
 |---|---|---|
 | [`v_session_tree`](#v_session_tree) | `sessions.parent_id` | Recursive ancestry for expert-delegation subtrees. |

docs/background-jobs/index.md

@@ -160,6 +160,11 @@ The training collector extracts successful conversation trajectories from the ev
 4. Write to tenant-{org_id}/shared/skills/{expert}/training/
 ```
 
+Sessions from every channel (web, Slack, Telegram, API) are considered
+training candidates.  Synthetic-data pipelines that submit prompts via
+`POST /v1/api/prompts` feed successful trajectories back into expert
+fine-tuning exactly like human-driven sessions.
+
 ### Usage
 
 ```bash

docs/channels/api.md

@@ -0,0 +1,116 @@
+# API Channel
+
+The API channel is a programmatic, fire-and-forget interface for non-interactive clients -- synthetic data generation pipelines, batch evaluation jobs, and any other workload that submits prompts from outside the web or messaging channels. Authentication is by org-scoped API key ("service-account token"); no user identity is involved.
+
+The API channel is not a chat interface -- it accepts a prompt, creates a session, queues it for the worker, and returns the session identifier. Results are read directly from the `events` and `sessions` database tables.
+
+## When to use it
+
+| Use case | Example |
+|---|---|
+| Synthetic training-data generation | A pipeline iterates over dataset rows, submits each prompt as a session, and later sweeps the `events` table for `llm.response` rows to harvest completions. |
+| Automated evaluations | A scorer submits thousands of prompts in parallel and reads `events.data` for downstream metrics. |
+| Scheduled bulk work | A cron job dispatches org-wide prompt runs. |
+
+Do **not** use the API channel for interactive experiences -- use the [web channel](web.md) instead, which streams tokens and tool calls live over SSE.
+
+## Authentication
+
+The client presents an API key in the `Authorization: Bearer` header. API keys have the prefix `surg_sk_` and are issued to an org by an admin:
+
+```
+POST /v1/admin/service-accounts
+Authorization: Bearer <admin-jwt>
+
+{
+  "org_id": "00000000-...",
+  "name": "dataset-gen-v1"
+}
+```
+
+The raw token is returned **exactly once** in the response body (`token`). Store it immediately -- the server keeps only a SHA-256 hash and cannot recover the plaintext. List and revoke endpoints live under the same `/v1/admin/service-accounts` prefix.
+
+API keys may only authenticate requests to routes under `/v1/api/*`. Presenting one anywhere else returns 403. Conversely, the `/v1/api/*` routes reject interactive JWTs so the two principal types stay cleanly separated.
+
+## Submitting a prompt
+
+```
+POST /v1/api/prompts
+Authorization: Bearer surg_sk_...
+
+{
+  "prompt": "Write a haiku about distributed systems.",
+  "idempotency_key": "dataset-42/row-1337",
+  "metadata": {
+    "dataset_id": "ds_123",
+    "row_index": 1337,
+    "experiment": "baseline-v3"
+  }
+}
+```
+
+Response (`202 Accepted`):
+
+```json
+{
+  "session_id": "8f...",
+  "event_id": 42,
+  "deduplicated": false
+}
+```
+
+The worker picks the session off the Redis queue and processes it asynchronously. The pipeline owns the returned `session_id` and uses it to read results from the database.
+
+### Idempotency
+
+`idempotency_key` is an optional client-supplied string scoped per org. Two requests from the same org with the same key resolve to the **same** session:
+
+- first call -> `deduplicated: false`, new session created
+- second call -> `deduplicated: true`, original `session_id` returned, no new work queued
+
+Use this to make pipeline retries safe under timeouts or restarts. Keys from different orgs do not collide.
+
+### Metadata passthrough
+
+Anything in `metadata` is persisted onto `sessions.config['pipeline_metadata']`. The pipeline joins results back to its source dataset by querying for sessions with specific metadata values -- no side-table required.
+
+## Submitting a batch
+
+```
+POST /v1/api/prompts:batch
+Authorization: Bearer surg_sk_...
+
+{
+  "prompts": [
+    {"prompt": "...", "idempotency_key": "row-1", "metadata": {"i": 1}},
+    {"prompt": "...", "idempotency_key": "row-2", "metadata": {"i": 2}}
+  ]
+}
+```
+
+Each entry is accepted independently. The response preserves input order so callers can zip results back to their input rows. Up to 100 prompts per request.
+
+## Reading results
+
+Each submitted prompt becomes a session (`channel='api'`). The pipeline reads:
+
+| Signal | Source |
+|---|---|
+| Final LLM answer | `events` rows with `type = 'llm.response'` for the session |
+| Tool calls / tool results | `events` rows with `type IN ('tool.call', 'tool.result')` |
+| Completion status | `sessions.status` (`active`, `idle`, `completed`, `failed`) |
+| Cost / token usage | `sessions.input_tokens`, `sessions.output_tokens`, `sessions.estimated_cost_usd` |
+| Pipeline metadata | `sessions.config->'pipeline_metadata'` |
+
+The `v_session_messages` view returns conversation-shaped events in training-data format; the `v_response_feedback` and `v_tool_invocations` views expose related signals. See [docs/audit/views.md](../audit/views.md) for the full catalog.
+
+## Recording judge feedback
+
+Pipelines that run an automated judge over their outputs record the judge's grade by `POST /v1/api/sessions/{session_id}/events/{event_id}/feedback`, authenticated with the same service-account token. The endpoint accepts binary `rating` (required), a numeric `score`, per-axis `criteria`, and a free-form `rationale`. The stored event carries `source: "judge"` so downstream training-data selection can weight judge feedback independently from human thumbs. See [Appendix B: Feedback (API Channel)](../appendices/api-reference.md#feedback-api-channel) for the full schema and idempotency semantics.
+
+## Interaction with other subsystems
+
+- **Training data**: API sessions participate in `TrainingDataCollector` exports on the same footing as every other channel -- successful expert delegations and skill invocations from pipeline-submitted prompts are eligible for fine-tuning.
+- **Idle reset**: the session-reset CronJob resets API sessions in place without running the memory-flush agent -- service accounts have no per-user memory.
+- **Memory**: API sessions use the org-shared memory directory, not user-scoped memory.
+- **Permissions**: API keys carry no permissions; access is scoped entirely by org membership. They cannot reach admin, auth, or any other `/v1/` routes.

docs/channels/index.md

@@ -9,6 +9,7 @@ There is no CLI. All user interaction happens through channels. A channel is an
 | **[Web](web.md)** | Browser-based chat UI with real-time streaming, session management, and workspace browsing |
 | **[Slack](slack.md)** | Socket Mode integration with DMs, @mentions, threading, file attachments, and multi-workspace support |
 | **[Telegram](telegram.md)** | Bot API integration with DMs, groups, forum topics, media handling, and fallback IP transport for restricted networks |
+| **[API](api.md)** | Fire-and-forget programmatic channel for synthetic data pipelines and batch jobs. Service-account auth, idempotent submission, results read from database tables. |
 
 ## Session Routing
 

docs/index.md

@@ -39,6 +39,7 @@ Built on Kubernetes, Surogates implements the [Managed Agents architecture](http
 ### [5. Multi-Tenancy](multi-tenancy/index.md)
 - Tenant model (orgs, users, channel identities)
 - Authentication (database provider)
+- Service-account tokens for programmatic access (API channel)
 - Per-org provider configuration
 - JWT token flow (issuance, refresh, validation)
 - Tenant context and credential vault
@@ -48,6 +49,8 @@ Built on Kubernetes, Surogates implements the [Managed Agents architecture](http
 - Channel adapter protocol
 - [Web](channels/web.md) -- browser chat UI with real-time streaming, session management, workspace browsing
 - [Slack](channels/slack.md) -- setup guide, Socket Mode, DMs, @mentions, threading, file attachments, multi-workspace
+- [Telegram](channels/telegram.md) -- Bot API, DMs, groups, forum topics, media handling
+- [API](channels/api.md) -- fire-and-forget programmatic channel for synthetic-data pipelines and batch jobs
 - Session routing and response delivery (durable outbox, Redis nudges)
 
 ### [7. Tools](tools/index.md)