m2-market/specs/002-market-web/contracts/web-api.md

1,002 B

Contract: m2-market-web /api (v1)

Session: POST /api/login {passcode} → 204 + Set-Cookie m2mw_session (signed, 7d) | 401. All /api/* below require the cookie (401 otherwise). /health is open → {"status":"healthy"}.

  • GET /api/search?q=&limit=10 → [{listing_id, name, summary, category, price:{amount,currency,model}, seller, stats, score}]
  • GET /api/listing/{listing_id} → {listing..., evidence_summary, permissions[], install_ref, install_command: "m2-market install --yes"}
  • GET /api/wallet/{operator_id} → {operator_id, balance, as_of, transactions:[last 20 {ts,from,to,amount,reason,ref}]}
  • GET /api/economy → {operators:[{operator_id,balance}], audit:{date, url}} # url deep-links registry audit file
  • GET /api/governance → {open_prs:[{number,title,age_days,labels,url}], listings:[{listing_id,status,url}]}

DTOs only — never raw upstream JSON. Upstream failure → 502 {"error","panel"} so the frontend degrades per-panel. No key material in any response (tested).