FastAPI (Python 3.12). server.py is a thin orchestrator that assembles a RouteContext and registers ~16 domain modules under src/mori_soc/api/routes/. OpenAPI is served at /docs.
| Mechanism | Where | Notes |
|---|---|---|
Session cookie mori_session |
browser /ui·/admin |
issued by POST /auth/login (httponly, 7-day); local users + optional LDAP bind |
| RBAC roles | per request | admin · security · monitor · auditor · helpdesk · user. Risk/controls/evidence = admin·security; infra/help-desk see only their own servers |
| Ingest token | POST /ingest/* |
MORI_INGEST_TOKEN via Authorization: Bearer or X-MORI-Token (session fallback) |
| Language | any | ?lang=/mori_lang cookie → KO/EN response where localized (e.g. /guides) |
Conventions — JSON in/out; 200 ok · 400 bad body · 401 unauth · 403 role · 404 missing · 503 backend (e.g. ingest needs MORI_DATABASE_URL). Reads hit the query backend live per request; writes are cache-aside + write-through to Postgres.
GET /login · POST /auth/login · GET /auth/logout · GET /auth/me · GET|POST /auth/profile · POST /auth/signup-request · GET /auth/signup-requests · PATCH /auth/signup-requests/{req_id}
GET / · GET /ui · GET /admin · GET /catalog · GET /health (insecure-config warning when demo creds/no token)
GET /dashboard/summary · POST /query · POST /interpret (NLQ) · GET|POST /dashboard/preferences · GET|POST /admin/dashboard/preferences · GET /admin/dashboard/user-preferences · DELETE /admin/dashboard/user-preferences/{username}
GET /assets (fleet+zabbix+trivy rollup) · POST /assets/refresh (on-demand poll: zabbix|fleet|wazuh|trivy) · GET|POST /assets/owners · DELETE /assets/owners/{hostname} · GET|PUT /assets/plans/{host_id} · GET /fleet/hosts · GET /zabbix/hosts · GET /trivy/vulnerabilities
GET /alerts · PATCH /alerts/{alert_id}/triage · POST /alerts/{alert_id}/zabbix/suppress · POST /alerts/{alert_id}/zabbix/unsuppress · GET|POST /incidents · PATCH /incidents/{incident_id} · POST /incidents/{incident_id}/notes
GET /vulnerabilities/{vuln_id}/action · PUT /vulnerabilities/{vuln_id}/plan · PUT|DELETE /vulnerabilities/{vuln_id}/exception · GET|PUT /vulnerabilities/{vuln_id}/risk (3×3 matrix) · GET /vulnerabilities/risk-summary · GET|PUT /settings/risk
GET /compliance/pdca · GET /compliance/pdca/pending.csv · GET /compliance/reports · GET /compliance/reports/{report_type} · GET /dashboard/evidence-gaps · GET /dashboard/host-remediation/{hostname} · GET /controls/tree (incl. coverage.review reviewed/draft) · GET /controls/detail/{id} · PUT /controls/status/{id} · POST /controls · DELETE /controls/{id} · POST /controls/import-nlp · GET|PUT /controls/claude-key
GET /controls/detail/{id}/evidence.pdf · …/evidence.csv · GET /controls/evidence-bundle.zip?scope=mapped|all · GET|POST /controls/detail/{id}/evidence-records · POST …/evidence-records/auto (dated live snapshot) · DELETE …/evidence-records/{evidence_id} · GET|POST /controls/evidence-snapshot/config · POST /controls/evidence-snapshot/run
GET /accounts/overview · GET /accounts/overview.csv · GET /accounts/host/{host_key} · …/privileged · GET|POST /accounts/approvals · DELETE /accounts/approvals/{id} · POST /accounts/approval-requests · POST /accounts/approvals/{id}/approve|reject · GET|POST /accounts/view-roles
GET /guides · GET /guides/{id} (KO/EN by ?lang=) · PUT /guides/{id} · GET|POST /webhooks · DELETE /webhooks/{id} · POST /webhooks/{id}/test
GET /admin/action-audit-log · POST /admin/action-audit-log · GET /admin/audit-log · GET /admin/logs · GET|POST /admin/role-permissions · GET /admin/user-tab-permissions · POST|DELETE /admin/user-tab-permissions/{username} · GET /admin/ldap/status · GET|POST /admin/ldap/users · POST /admin/ldap/users/{uid}/password|role · DELETE /admin/ldap/users/{uid}
| Endpoint | Source → | Effect |
|---|---|---|
POST /ingest/trivy |
Trivy scan JSON | vulnerabilities + evidence |
POST /ingest/wazuh |
Wazuh alert(s) | → Alert Triage queue |
POST /ingest/evidence |
CSOP before/after diff | evidence envelope |
POST /ingest/accounts |
osquery local accounts | host_accounts (governance) |
GET /evidence |
— | list ingested evidence |
flowchart LR
subgraph SRC["Source tools (unchanged)"]
ZBX[Zabbix]:::s
FLEET[Fleet / osquery]:::s
WZ[Wazuh]:::s
TRV[Trivy]:::s
LOKI[Loki]:::s
end
subgraph MORI["MORI — evidence layer"]
POLL[Pollers / ingest]:::m --> DB[(PostgreSQL<br/>schema 001-011)]:::db
DB --> API[FastAPI /ui]:::m
API --> JUDGE[Triage - Risk - Control status]:::m
JUDGE --> EVID[Evidence PDF/CSV/ZIP + audit log]:::m
end
ZBX -->|"REST poll 30s"| POLL
TRV -->|"token push / daily"| POLL
WZ -->|"/ingest/wazuh"| POLL
FLEET -.->|"Phase 3 poller"| POLL
API -.->|"deep link"| GRAF[Grafana / Loki<br/>viewing layer]:::v
JUDGE -->|"write-back L1-3"| ZBX
classDef s fill:#dbeafe,stroke:#2563eb,color:#111827
classDef m fill:#dcfce7,stroke:#16a34a,color:#111827
classDef db fill:#fef9c3,stroke:#a16207,color:#111827
classDef v fill:#f3f4f6,stroke:#6b7280,color:#111827
See also: DB ERD · collection standards · full reference.