Requires X-API-Key header for authentication.
Request Body Unique identifier for this event. Must be globally unique across all submissions.
Action descriptor in domain:scope:verb format. Examples: github:pull_request:create, slack:message:send, filesystem:file:read.
ISO 8601 timestamp of when the event occurred.
Information about the AI agent that performed the action. Unique identifier for the agent instance.
Type of agent (e.g., coding_assistant, data_analyst, chatbot).
Agent framework used (e.g., langchain, autogen, crew_ai, custom).
Underlying LLM model (e.g., gpt-4o, claude-sonnet-4-20250514, gemini-2.0-flash).
Session context for the event. Unique session identifier.
Identifier of the human user who initiated or oversees the session.
ISO 8601 timestamp of when the session began.
The resource being acted upon. Type of resource (e.g., repository, file, database, api_endpoint).
Identifier for the specific resource.
Sensitivity classification from 0 (public) to 4 (critical). Higher values trigger stricter scoring.
Arbitrary key-value parameters associated with the action. Schema varies by action type.
Model Context Protocol metadata, if the agent action was routed through an MCP server. Show mcp_context properties
Human-readable name of the MCP server.
Unique identifier for the MCP server instance.
Transport protocol used (stdio, sse, http).
Whether the MCP server has been verified/trusted by the organization.
Name of the MCP tool invoked.
List of data fields the agent accessed. Each item can be a plain string (field name) or an object with field and classification. Name of the data field accessed (e.g., email, ssn, api_key).
Data classification label (e.g., PII, PHI, financial, public).
Ordered list of action strings that occurred before this event in the same session. Used for behavioral sequence analysis.
Free-text description of what the user asked the agent to do. Provides intent context for scoring.
Array of conversation messages leading up to this action. Each item typically contains role and content fields.
Arbitrary metadata for custom integrations. Not used in scoring but stored with the event record.
Response The event identifier echoed back from the request.
Processing status. Always scored for synchronous responses.
Overall risk score from 0 (no risk) to 100 (critical risk).
Human-readable risk level: none, low, medium, high, or critical.
Natural language explanation of why this score was assigned.
List of policy or compliance violations detected.
Which scoring engine produced the result: graph, llm, or hybrid.
References to compliance framework articles relevant to this event (e.g., EU_AI_Act:Article_14, SOC2:CC6.1).
Recommended mitigation actions to reduce risk.
Breakdown of individual scoring rule contributions.
Behavioral anomalies detected from session context and preceding actions.
Score produced by the graph-based rule engine (0-100).
Score produced by the LLM scorer, if invoked. null if graph confidence was sufficient.
Whether the LLM was called because graph confidence was below the 0.8 threshold.
Detailed breakdown of how the final score was composed from graph, LLM, and GNN components.
Score from the Graph Neural Network co-processor, if enabled. null otherwise.
Confidence level of the scoring result (0.0 to 1.0).
Raw score from the deterministic rule engine before any adjustments.
curl -X POST https://api-production-56df.up.railway.app/events \ -H "Content-Type: application/json" \ -H "X-API-Key: your-api-key" \ -d '{ "event_id": "evt_a1b2c3d4-5678-9012-abcd-ef3456789012", "action": "github:pull_request:create", "timestamp": "2026-02-26T14:32:00Z", "agent": { "agent_id": "agent-codex-01", "agent_type": "coding_assistant", "framework": "custom", "model": "claude-sonnet-4-20250514" }, "session": { "session_id": "sess_9f8e7d6c", "user_id": "user_42", "started_at": "2026-02-26T14:00:00Z" }, "target": { "resource_type": "repository", "resource_id": "acme-corp/payments-service", "sensitivity_level": 3 }, "parameters": { "title": "Fix payment retry logic", "base_branch": "main", "head_branch": "fix/payment-retry", "files_changed": 4, "additions": 87, "deletions": 12 }, "mcp_context": { "server_name": "github-mcp", "server_id": "mcp_gh_01", "transport": "stdio", "is_verified": true, "tool_name": "create_pull_request" }, "data_fields_accessed": [ {"field": "api_key", "classification": "secret"}, {"field": "retry_count", "classification": "public"} ], "preceding_actions": [ "github:repository:clone", "filesystem:file:read", "filesystem:file:write", "github:branch:create" ], "user_context": "Fix the payment retry logic that causes duplicate charges after timeout", "metadata": { "ci_pipeline": "github-actions", "team": "payments" } }'
{ "event_id" : "evt_a1b2c3d4-5678-9012-abcd-ef3456789012" , "status" : "scored" , "score" : 62 , "risk_level" : "medium" , "reasoning" : "Agent created a pull request to a high-sensitivity repository (payments-service, sensitivity 3) and accessed a field classified as 'secret' (api_key). The action sequence is consistent with a legitimate code fix workflow, but the secret field access elevates the risk." , "violations" : [ "secret_field_access_in_pr" ], "scoring_source" : "graph" , "compliance_refs" : [ "EU_AI_Act:Article_14" , "SOC2:CC6.1" , "ISO_27001:A.9.4.1" ], "mitigations" : [ "Ensure api_key is not included in committed code or PR diff" , "Require human review before merging to sensitive repositories" , "Enable secret scanning on the repository" ], "score_components" : [ { "rule" : "sensitivity_level_check" , "contribution" : 25 }, { "rule" : "secret_field_access" , "contribution" : 20 }, { "rule" : "pr_to_main_branch" , "contribution" : 10 }, { "rule" : "session_action_coherence" , "contribution" : 7 } ], "behavioral_flags" : [], "graph_score" : 62 , "llm_score" : null , "llm_fallback" : false , "score_decomposition" : { "graph_weight" : 1.0 , "llm_weight" : 0.0 , "gnn_weight" : 0.0 , "final" : 62 }, "gnn_score" : null , "confidence" : 0.91 , "rule_score" : 62 }
