Skip to content

API reference

RepoWrangler exposes a small JSON HTTP API. The SPA is its only required client; you can also call it directly. All responses are JSON. Paths are relative to your instance origin (PUBLIC_BASE_URL), or to VITE_API_BASE_URL for a decoupled SPA.

Authentication

  • Session cookie. Sign in via /auth/*; the API accepts the resulting HttpOnly rw_session cookie. Send credentials with cross-origin requests (credentials: 'include') and register the SPA origin in CORS_ALLOWED_ORIGINS.
  • Demo mode. When DEMO_MODE=true, /api/v1/* is served with a synthetic demo viewer — no sign-in needed.
  • Roles. owner > admin > viewer. Mutating admin endpoints require admin or owner.

Unauthenticated calls to protected endpoints return 401; insufficient role returns 403.

Health

MethodPathAuthDescription
GET/health/livenoneLiveness. { ok: true, version }. No provider or DB calls.
GET/health/readynoneReadiness. { ok, demoMode }; 503 if the DB/migrations aren't ready.

Auth

MethodPathAuthDescription
GET/auth/confignoneActive sign-in mode: { mode: 'github_app' | 'entra', demo }.
GET/auth/mecookieCurrent session user, or 401. In demo mode returns the demo viewer.
GET/auth/github/loginnoneBegin GitHub OAuth sign-in (redirect).
GET/auth/github/callbacknoneGitHub OAuth callback; sets the session cookie.
GET/auth/entra/loginnoneBegin Entra OIDC sign-in (redirect). AUTH_MODE=entra.
GET/auth/entra/callbacknoneEntra OIDC callback; sets the session cookie.
POST/auth/logoutcookieClear the session.

Setup

MethodPathAuthDescription
GET/setup/github-appnoneOne-tap GitHub App Manifest flow to create your own App. See providers/github-app.md.

Estate — read

All require an authenticated session (or demo mode). Prefixed /api/v1.

MethodPathDescription
GET/api/v1/creditsOpen-source attribution (public — no session).
GET/api/v1/overviewCommand Center counts and headline metrics.
GET/api/v1/attentionRepositories needing attention, most severe first.
GET/api/v1/repositoriesEstate repository list (filterable; virtualized in the UI).
GET/api/v1/repositories/:idFull repository detail (activity, branches, CRs, security, capabilities).
GET/api/v1/branchesEstate-wide branch/comparison view.
GET/api/v1/change-requestsEstate pull/merge requests.
GET/api/v1/pipelinesRecent pipeline/workflow runs.
GET/api/v1/securitySecurity findings across the estate.
GET/api/v1/budgetsBudgets & usage across workspaces.
GET/api/v1/activityRecent activity feed.
GET/api/v1/workspacesMonitored workspaces (orgs/groups).
GET/api/v1/platform-healthInstance health: sync jobs, webhooks, provider connection state.
GET/api/v1/about/creditsIn-product credits detail.

Saved views (FR-012)

MethodPathAuthDescription
GET/api/v1/viewssessionList saved views (instance-scoped, shareable).
POST/api/v1/viewssessionCreate a saved view { name, definition }.
DELETE/api/v1/views/:idsessionDelete a saved view.

In demo mode, writes are accepted as no-ops.

Admin

MethodPathAuthDescription
POST/api/v1/admin/syncadmin/ownerTrigger an immediate reconciliation sync.

Webhooks (provider → RepoWrangler)

MethodPathAuthDescription
POST/webhooks/githubsignatureGitHub webhook receiver; verified with GITHUB_WEBHOOK_SECRET, idempotent by delivery ID.
POST/webhooks/gitlabsignatureGitLab webhook receiver; verified with GITLAB_WEBHOOK_SECRET.

Export

The SPA offers CSV and Markdown export of the repository list (FR-014); these are generated client-side from the list endpoints above.

Notes

  • Read endpoints reflect the last synced snapshot; freshness metadata is on each record. Trigger /api/v1/admin/sync or wait for the schedule/webhooks.
  • Everything is read-only against providers — there is no endpoint that writes to GitHub or GitLab (ADR-008).

Apache-2.0 licensed. Read-only by design.