List of HTTP routes exposed by the arka-deck Fastify server, grouped by functional domain.
Source of truth: adapters/inbound/web/server/src/routes/.
- CORS: localhost + RFC1918 ranges in LAN mode
- CSP:
script-src 'self', connect-src localhost + LAN
- Rate limit: 900 writes/min (GET/loopback exemptions)
- Token:
X-Arka-Token header required in LAN mode
- HSTS: disabled (local HTTP, no TLS)
- Request ID: UUID per request, logged
| Method | Path | Description |
|---|
| GET | /api/health | Health check (status + version) |
| GET | /api/system/* | System metadata (boot, token) |
| GET | /api/i18n/:lang | UI translations |
| GET | /api/preferences | User preferences |
| PUT | /api/preferences | Update preferences |
| Method | Path | Description |
|---|
| GET | /api/workspaces | List |
| GET | /api/workspaces/:id | Detail |
| POST | /api/workspaces | Create |
| PUT | /api/workspaces/:id | Modify |
| DELETE | /api/workspaces/:id | Delete (refuses if non-empty) |
| GET | /api/workspaces/:id/projects | Projects of the workspace |
| GET | /api/projects | List all projects |
| GET | /api/projects/:id | Detail |
| GET | /api/projects/find-by-cwd?path=... | Auto-detect by marker |
| POST | /api/projects | Create (checks allowlist + workspace) |
| PUT | /api/projects/:id | Modify (path immutable) |
| DELETE | /api/projects/:id | Forget (204) |
| DELETE | /api/projects/:id?purge=true | Full purge |
| POST | /api/projects/:id/touch | Update lastUsedAt |
| Method | Path | Description |
|---|
| GET | /api/catalogue/profiles | List HYOS profiles |
| GET | /api/catalogue/profiles/:id | Profile detail |
| DELETE | /api/catalogue/cache | Clear catalogue cache |
| Method | Path | Description |
|---|
| POST | /api/chat/sessions | Start a session |
| POST | /api/chat/sessions/:id/send-message | Send a turn (SSE stream) |
| GET | /api/chat/sessions/:id/stream | SSE stream |
| GET | /api/chat/sessions | List project sessions |
| GET | /api/chat/sessions/:id | Session detail |
| Method | Path | Description |
|---|
| GET | /api/memory/:projectId | Project memory overview |
| POST | /api/memory/:projectId/entry | Capture an entry |
| GET | /api/memory/:projectId/entries | List entries |
| Method | Path | Description |
|---|
| GET | /api/arkadoc/:projectId | List documents |
| GET | /api/arkadoc/:projectId/:docId | Document detail |
| PATCH | /api/arkadoc/:projectId/:docId/status | Update status |
| GET | /api/arkadoc/:projectId/:docId/render | Markdown render |
| Method | Path | Description |
|---|
| GET | /api/projects/:id/documentation/documents | Filtered list of project ArkaDoc deliverables |
| GET | /api/projects/:id/documentation/documents/:docId/index | Consultation index for one document |
| GET | /api/projects/:id/documentation/documents/:docId/outline | Human-readable document outline |
| GET | /api/projects/:id/documentation/documents/:docId/neighbors | Incoming/outgoing document relations |
| GET | /api/projects/:id/documentation/documents/:docId/full | Full document read |
| GET | /api/projects/:id/documentation/documents/:docId/blocks/:blockId | Read one precise block |
These routes read the project’s real ArkaDoc documents. They power the Documentation UI and the agent MCP tools that navigate indexes/blocks before opening a full document.
| Method | Path | Description |
|---|
| GET | /api/projects/:id/agent-action-cards | Cards for the project/session, optionally filtered by run |
| POST | /api/projects/:id/agent-action-cards/:cardId/select | Select a card before a turn or orchestration command |
| GET | /api/cortex-actions/tree | Catalogue blocs tree |
| GET | /api/cortex-actions/search?q= | Search catalogue blocs |
| GET | /api/cortex-actions/:type/:id/content | Read one catalogue bloc content |
| POST | /api/cortex-actions/:projectId/select | Record a project-scoped selection for the next turn |
| POST | /api/cortex-actions/:projectId/exec-log | Record a project-scoped execution log |
| GET | /api/cortex-actions/:projectId/options | Read project Cortex Actions options |
| PUT | /api/cortex-actions/:projectId/options | Update project Cortex Actions options |
| GET | /api/cortex-actions/:projectId/favorites | Read project favorites |
| POST | /api/cortex-actions/:projectId/favorites | Add a project favorite |
| DELETE | /api/cortex-actions/:projectId/favorites/:type/:id | Remove a project favorite |
| POST | /api/cortex-actions/:projectId/favorites/suggest | Launch project-scoped suggestion worker |
Dispatch approval cards are generated from ready ArkaDoc task documents and exclude QA-only assignments. Existing card ids are reused on refresh to avoid duplicates.
| Method | Path | Description |
|---|
| GET | /api/squads/:projectId | List squads of the project |
| POST | /api/squads | Create a squad |
| POST | /api/squads/:id/materialize-leader | Recruit the Leader Pack |
| GET | /api/orchestration/:projectId/missions | List missions |
| POST | /api/orchestration/missions | Start mission |
| GET | /api/orchestration/missions/:id | Mission state |
| Method | Path | Description |
|---|
| GET | /api/mission-guardian/:projectId/state | Phases + gates state |
| POST | /api/mission-guardian/:projectId/decision | Record decision |
| GET | /api/mission-guardian/:projectId/evidence | Captured evidence |
Mission Guardian is the gate authority. Mission Control is exposed to agents through the runtime context/MCP surfaces.
| Method | Path | Description |
|---|
| GET | /api/providers/manifests | Static manifests (catalogue) |
| GET | /api/providers/instances | List configured instances |
| POST | /api/providers/instances | Create an instance |
| PUT | /api/providers/instances/:id | Modify |
| DELETE | /api/providers/instances/:id | Delete |
| POST | /api/providers/instances/:id/test | Test (check + live) |
| GET | /api/cortex-lite/projects/:id/state | Cortex Lite project state |
| POST | /api/cortex-lite/projects/:id/sync | Synchronize |
| GET | /api/cortex-runtime/status | Runtime endpoint readiness |
| POST | /api/cortex-runtime/sync | Synchronize runtime atoms/prompts |
| GET | /api/projects/:id/runtime/snapshot | Project runtime snapshot for agents |
| GET | /api/projects/:id/runtime/docs | Runtime ArkaDoc summaries |
| GET | /api/projects/:id/runtime/docs/:docId | Runtime ArkaDoc detail |
| POST | /api/projects/:id/runtime/docs/search | Runtime ArkaDoc search |
| GET | /api/projects/:id/runtime/tasks | Runtime task summaries |
| GET | /api/projects/:id/runtime/memory | Runtime memory by scope |
For task dispatch, runtime task summaries expose the ArkaDoc id as dispatch_task_id. A payload-level business task_id may be shown as business_task_id, but dispatch commands must use the ArkaDoc id.
| Method | Path | Description |
|---|
| GET | /api/connectors/manifests | Available connectors |
| GET | /api/connectors/installations/:projectId | Project installations |
| POST | /api/connectors/installations | Enable a connector |
| DELETE | /api/connectors/installations/:id | Disable |
| POST | /api/connectors/oauth/start | Start OAuth flow |
| GET | /api/connectors/oauth/callback | OAuth callback |
| POST | /api/connectors/executions | Execute an action |
| GET | /api/connectors/audit-log/:projectId | Audit trail |
| Method | Path | Description |
|---|
| GET | /api/projects/:id/mcp-connectors | List MCP servers attached to the project |
| POST | /api/projects/:id/mcp-connectors | Create a custom HTTP/SSE project MCP |
| POST | /api/projects/:id/mcp-connectors/from-installation/:installationId | Attach the MCP exposed by a connector installation |
| GET | /api/projects/:id/mcp-connectors/:connectorId | Project MCP detail |
| PATCH | /api/projects/:id/mcp-connectors/:connectorId | Update display name, endpoint or tool policy |
| POST | /api/projects/:id/mcp-connectors/:connectorId/test | Test MCP server availability |
| POST | /api/projects/:id/mcp-connectors/:connectorId/enable | Enable exposure to the project’s agents |
| POST | /api/projects/:id/mcp-connectors/:connectorId/disable | Disable exposure to the project’s agents |
| DELETE | /api/projects/:id/mcp-connectors/:connectorId | Remove the MCP from the project |
Project MCP servers are scoped to one project and exposed to the provider runtime under a connector_* name. Remote endpoints must use HTTPS; HTTP is accepted only on loopback. Secrets are not copied into the project MCP configuration.
| Method | Path | Description |
|---|
| POST | /api/workers/:name/invoke | Invoke a worker (1-shot) |
| GET | /api/workers/:name/logs | Invocation logs |
| Method | Path | Description |
|---|
| GET | /api/fs/read?path=... | Read a file |
| POST | /api/fs/write | Write (allowlist) |