1.2 KiB
1.2 KiB
Contract: m2-market-web /api (v1)
Config: GET /api/config → {auth_mode:"passcode"|"gpt"|"both"}. Session: POST /api/login {passcode} OR {email,password} → 204 + Set-Cookie m2mw_session (signed, 7d) | 401. Session identity: GET /api/session → {email,role,tenant_id,fleet_admin,operator_id,auth_method} with no upstream token. All /api/* below require the cookie (401 otherwise). /health is open → {"status":"healthy"}.
- GET /api/search?q=&limit=10 → [{listing_id, name, summary, category, price:{amount,currency,model}, seller, stats, score}]
- GET /api/listing/{listing_id} → {listing..., evidence_summary, permissions[], install_ref, install_command: "m2-market install --yes"}
- GET /api/wallet/{operator_id} → {operator_id, balance, as_of, transactions:[last 20 {ts,from,to,amount,reason,ref}]} | 403 for non-admin foreign wallet
- GET /api/economy → {operators:[{operator_id,balance}], audit:{date, url}} # url deep-links registry audit file
- GET /api/governance → {open_prs:[{number,title,age_days,labels,url}], listings:[{listing_id,status,url}]}
DTOs only — never raw upstream JSON. Upstream failure → 502 {"error","panel"} so the frontend degrades per-panel. No key material in any response (tested).