# Compliance API
The Compliance API generates and retrieves compliance packages (INV-001). A compliance package is a point-in-time evidence bundle for a single agent, containing the execution graph, data flow diagram, vendor security questionnaire responses, sub-processor list, and SOC 2 control mappings. Packages are generated from runtime audit data and stored as versioned, immutable records.
All endpoints are scoped to the authenticated user's organization via Row-Level Security.
## Generate Compliance Package

Generates a new compliance package for an agent by analyzing the audit trail, connector configurations, policy rules, and drift events.

- Method: `POST`
- Path: `/v1/compliance`
- Required Role: `admin` or `auditor`

### Request Body

| Field | Type | Required | Description |
|---|---|---|---|
| `agent_id` | UUID | Yes | The agent to generate a compliance package for. |

### Example

```bash
curl -X POST "https://api.arxsec.io/v1/compliance" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }'
```

### Response
Returns the generated compliance package with HTTP status 201 Created. The package includes execution_graph, data_flow_diagram, vsq_responses, sub_processors, and control_mappings sections.
```json
{
  "id": "pkg-uuid",
  "org_id": "org-uuid",
  "agent_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "generated_by": "user-uuid",
  "execution_graph": {
    "total_actions": 1247,
    "connectors_used": ["crowdstrike", "jira"],
    "operations_performed": { "connector.called": 1100, "agent.deployed": 3 },
    "policy_verdicts": { "PERMIT": 1090, "ESCALATE": 8, "DENY": 2 },
    "first_action": "2026-03-15T10:00:00Z",
    "last_action": "2026-04-10T16:30:00Z"
  },
  "data_flow_diagram": { "mermaid": "graph LR ...", "connectors": [...] },
  "vsq_responses": { ... },
  "sub_processors": [ ... ],
  "control_mappings": { "controls_covered": ["CC6.1", "CC6.3", "CC7.1", "CC8.1"], ... },
  "generated_at": "2026-04-10T17:00:00Z"
}
```
The generation is audit-logged with action type compliance.generated.
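The following client-side helper is an added example written for this page; it is not part of the Arxsec documentation or any Arxsec SDK. It assumes only what the page states: `POST /v1/compliance` with a bearer token and an `agent_id` body returns `201 Created` and a package containing the five sections listed above. The function names, the injectable `opener` parameter, and the fake transport and sample package at the bottom (constructed from the response shape shown above, with the elided sections filled with placeholder values) are all assumptions made for offline use.

```python
"""Generate a compliance package and check the response before trusting it.

Added example, not Arxsec's own code. Assumes only the request/response
shape documented on this page; the fake transport below is a constructed
offline stand-in, not a real API response.
"""
import io
import json
import uuid
import urllib.request

BASE_URL = "https://api.arxsec.io"

# Sections the page says every generated package contains.
REQUIRED_SECTIONS = (
    "execution_graph",
    "data_flow_diagram",
    "vsq_responses",
    "sub_processors",
    "control_mappings",
)


def is_valid_agent_id(agent_id):
    """True if agent_id parses as a UUID; rejects typos before any request is sent."""
    try:
        uuid.UUID(str(agent_id))
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def build_generate_request(token, agent_id, base_url=BASE_URL):
    """Build the POST request exactly as the curl example on the page does."""
    if not is_valid_agent_id(agent_id):
        raise ValueError(f"agent_id is not a UUID: {agent_id!r}")
    body = json.dumps({"agent_id": str(agent_id)}).encode("utf-8")
    return urllib.request.Request(
        f"{base_url}/v1/compliance",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def validate_package(pkg):
    """Fail fast if the package is missing a section an auditor will expect."""
    missing = [s for s in REQUIRED_SECTIONS if s not in pkg]
    if missing:
        raise ValueError(f"package {pkg.get('id')!r} is missing sections: {missing}")
    return pkg


def summarize_package(pkg):
    """Pull out the fields a reviewer usually looks at first."""
    graph = pkg["execution_graph"]
    verdicts = graph.get("policy_verdicts", {})
    return {
        "package_id": pkg["id"],
        "agent_id": pkg["agent_id"],
        "window": (graph["first_action"], graph["last_action"]),
        "total_actions": graph["total_actions"],
        "denied": verdicts.get("DENY", 0),
        "escalated": verdicts.get("ESCALATE", 0),
        "controls_covered": list(pkg["control_mappings"]["controls_covered"]),
    }


def generate_package(token, agent_id, opener=urllib.request.urlopen):
    """Call the API and return the validated package.

    `opener` is injectable (hypothetical parameter) so the flow can be
    exercised without network access; the default is a real HTTPS call.
    """
    req = build_generate_request(token, agent_id)
    with opener(req) as resp:
        if resp.status != 201:
            raise RuntimeError(f"expected 201 Created, got {resp.status}")
        return validate_package(json.load(resp))


# ---- constructed offline stand-in for the API (not a real response) ----
SAMPLE_PACKAGE = {
    "id": "pkg-uuid",
    "org_id": "org-uuid",
    "agent_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "generated_by": "user-uuid",
    "execution_graph": {
        "total_actions": 1247,
        "connectors_used": ["crowdstrike", "jira"],
        "operations_performed": {"connector.called": 1100, "agent.deployed": 3},
        "policy_verdicts": {"PERMIT": 1090, "ESCALATE": 8, "DENY": 2},
        "first_action": "2026-03-15T10:00:00Z",
        "last_action": "2026-04-10T16:30:00Z",
    },
    "data_flow_diagram": {"mermaid": "graph LR ...", "connectors": []},
    "vsq_responses": {},          # placeholder: elided on the page
    "sub_processors": [],         # placeholder: elided on the page
    "control_mappings": {"controls_covered": ["CC6.1", "CC6.3", "CC7.1", "CC8.1"]},
    "generated_at": "2026-04-10T17:00:00Z",
}


class _FakeResponse(io.BytesIO):
    """Minimal stand-in for the object urllib.request.urlopen returns."""
    status = 201


def _fake_opener(req):
    # Sanity-check that the request looks like the documented one.
    assert req.get_method() == "POST"
    assert req.get_header("Authorization") == "Bearer test-token"
    assert json.loads(req.data)["agent_id"] == SAMPLE_PACKAGE["agent_id"]
    return _FakeResponse(json.dumps(SAMPLE_PACKAGE).encode("utf-8"))


def demo():
    """Run the full flow against the constructed transport."""
    pkg = generate_package("test-token", SAMPLE_PACKAGE["agent_id"], opener=_fake_opener)
    return summarize_package(pkg)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The client validates the `agent_id` locally, checks for the `201` status the page documents, and refuses a package that lacks any of the five sections, so a truncated or partially generated bundle is caught before it is handed to an auditor.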
## List Compliance Packages

Retrieves all compliance packages for the organization, optionally filtered by agent.

- Method: `GET`
- Path: `/v1/compliance`
- Required Role: Any authenticated user

### Query Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| `agent_id` | UUID | No | Filter packages by agent. |

### Example

```bash
curl -X GET "https://api.arxsec.io/v1/compliance?agent_id=a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
  -H "Authorization: Bearer {token}"
```

### Response

```json
{
  "packages": [
    {
      "id": "pkg-uuid",
      "org_id": "org-uuid",
      "agent_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "generated_by": "user-uuid",
      "generated_at": "2026-04-10T17:00:00Z",
      "execution_graph": { ... },
      "control_mappings": { ... }
    }
  ],
  "total": 3
}
```
Results are ordered by generated_at descending (most recent first).
## Get Compliance Package

Retrieves a single compliance package by ID.

- Method: `GET`
- Path: `/v1/compliance/{package_id}`
- Required Role: Any authenticated user

### Path Parameters

| Parameter | Type | Description |
|---|---|---|
| `package_id` | UUID | The compliance package's unique identifier. |

### Example

```bash
curl -X GET "https://api.arxsec.io/v1/compliance/pkg-uuid" \
  -H "Authorization: Bearer {token}"
```

### Response
Returns the full compliance package object. Returns 404 if the package does not exist or belongs to a different organization.
## Download Compliance PDF

Downloads a compliance package as a branded PDF document suitable for sharing with external auditors.

- Method: `GET`
- Path: `/v1/compliance/{package_id}/pdf`
- Required Role: Any authenticated user

### Path Parameters

| Parameter | Type | Description |
|---|---|---|
| `package_id` | UUID | The compliance package's unique identifier. |

### Example

```bash
curl -X GET "https://api.arxsec.io/v1/compliance/pkg-uuid/pdf" \
  -H "Authorization: Bearer {token}" \
  -o compliance-report.pdf
```

### Response
Returns the PDF as a binary download with Content-Type: application/pdf and a Content-Disposition header containing the filename (e.g., compliance-triage-agent-pkg-uuid.pdf). The PDF includes the execution graph, data flow diagram, VSQ responses, sub-processor list, and SOC 2 control mappings formatted for auditor review.
Returns 404 if the package does not exist or belongs to a different organization.
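The `curl -o` example above writes to a fixed name, but a script that honours the server's `Content-Disposition` filename should treat that header as untrusted input. The helper below is an added example written for this page, not Arxsec code; it assumes only what the page states (`GET /v1/compliance/{package_id}/pdf` with a bearer token returns `application/pdf` plus a `Content-Disposition` filename, and `404` when the package is missing or belongs to another organization). The function names, the injectable `opener` parameter, the fake transport and the placeholder PDF bytes are assumptions constructed for offline use.

```python
"""Download a compliance PDF and store it under a safe local filename.

Added example, not Arxsec's own code. Assumes only the documented headers
and status codes; the fake transport below is a constructed stand-in.
"""
import io
import re
import tempfile
import urllib.error
import urllib.request
from email.message import Message
from pathlib import Path

BASE_URL = "https://api.arxsec.io"
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def _clean(name):
    """Keep a conservative character set and drop leading dots (no hidden files)."""
    return _UNSAFE_CHARS.sub("", name).lstrip(".")


def safe_pdf_filename(content_disposition, package_id):
    """Derive a local filename from the Content-Disposition header.

    The header is server-supplied data, so it is never used as a path: only the
    final path component survives, unsafe characters are stripped, and a name
    built from the package id is used when nothing usable is left.
    """
    msg = Message()
    msg["Content-Disposition"] = content_disposition or ""
    suggested = _clean(Path(msg.get_filename() or "").name)
    if suggested.lower().endswith(".pdf"):
        return suggested
    return f"compliance-{_clean(str(package_id)) or 'package'}.pdf"


def download_pdf(token, package_id, dest_dir, opener=urllib.request.urlopen):
    """Fetch the PDF for package_id into dest_dir and return the written path.

    `opener` is injectable (hypothetical parameter) so the flow can run offline.
    """
    req = urllib.request.Request(
        f"{BASE_URL}/v1/compliance/{package_id}/pdf",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        cm = opener(req)
    except urllib.error.HTTPError as exc:          # urllib raises on 4xx/5xx
        if exc.code == 404:
            raise LookupError("package not found or not in this organization") from exc
        raise
    with cm as resp:
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status}")
        ctype = (resp.headers.get("Content-Type") or "").split(";")[0].strip().lower()
        if ctype != "application/pdf":
            raise RuntimeError(f"expected application/pdf, got {ctype!r}")
        filename = safe_pdf_filename(resp.headers.get("Content-Disposition"), package_id)
        body = resp.read()
    if not body.startswith(b"%PDF-"):
        raise RuntimeError("response body does not start with a PDF header")
    dest_dir = Path(dest_dir).resolve()
    target = (dest_dir / filename).resolve()
    if target.parent != dest_dir:                   # defence in depth: stay inside dest_dir
        raise RuntimeError("refusing to write outside the destination directory")
    target.write_bytes(body)
    return target


# ---- constructed offline stand-in for the API (not a real response) ----
_SAMPLE_PDF = b"%PDF-1.7\n% constructed placeholder, not a real compliance report\n"


class _FakeResponse(io.BytesIO):
    """Minimal stand-in for the object urllib.request.urlopen returns."""
    def __init__(self, body, status, headers):
        super().__init__(body)
        self.status = status
        self.headers = headers


def _fake_opener(req):
    assert req.get_header("Authorization") == "Bearer test-token"
    hdrs = Message()
    hdrs["Content-Type"] = "application/pdf"
    hdrs["Content-Disposition"] = 'attachment; filename="compliance-triage-agent-pkg-uuid.pdf"'
    return _FakeResponse(_SAMPLE_PDF, 200, hdrs)


def demo(dest_dir=None):
    """Download the sample package into a temp directory and return the path."""
    dest = dest_dir or tempfile.mkdtemp()
    return download_pdf("test-token", "pkg-uuid", dest, opener=_fake_opener)


if __name__ == "__main__":
    print(demo())
```

The download is accepted only when the status, `Content-Type` and the `%PDF-` magic all agree, and the filename taken from `Content-Disposition` is reduced to a single sanitized path component, so a malformed or hostile header can never steer the write outside the chosen directory.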