API Reference¶

The web backend exposes a REST API under /api.

Health¶

GET /api/health

Returns {"status": "ok"}.

Phases¶

GET /api/phases

Returns all 52 phases as JSON array.

Scans¶

Create scan¶

POST /api/scans
Content-Type: application/json

{
  "target": "target.com",
  "phases": ["1", "2", "5"],
  "quick": false,
  "stealth": false,
  "internal": false,
  "timeout": 8.0,
  "workers": 32,
  "token": null,
  "bing_key": null,
  "user_hint": null
}

Returns {"run_id": "..."} immediately.

List scans¶

GET /api/scans?limit=50&offset=0

Get scan¶

GET /api/scans/{run_id}

SSE events¶

GET /api/scans/{run_id}/events

Server-Sent Events stream with phase_start, phase_end, finding, scan_complete, scan_error.

Get findings¶

GET /api/scans/{run_id}/findings

Get chain¶

GET /api/scans/{run_id}/chain

Get report HTML¶

GET /api/scans/{run_id}/report.html

Get executive summary¶

GET /api/scans/{run_id}/executive_summary.html

Get artifact¶

GET /api/scans/{run_id}/artifacts/{name}

Names: findings.json, issues.json, leads.json, chain.json, attack_paths.md, etc.

Re-run scan¶

POST /api/scans/{run_id}/rerun

Returns {"run_id": "..."} for the new scan.

Delete scan¶

DELETE /api/scans/{run_id}