CFD API Reference

The Context Front Door API covers six functional areas: configuration, quarantine management, observability and metrics, pattern and intelligence management, canary credentials, and compliance exports. All endpoints require a Bearer token or API key unless otherwise noted. Base URL: https://api.mnemom.ai

Configuration

Control how CFD behaves — globally for the org, per-agent, or in bulk.

Method	Endpoint	Description
`GET`	`/v1/cfd/config`	Retrieve org-level CFD defaults (thresholds, enforcement mode, enabled threat types)
`PUT`	`/v1/cfd/config`	Update org-level defaults — applies to all agents that don’t have a per-agent override
`GET`	`/v1/agents/:id/cfd/config`	Retrieve per-agent CFD config (shows effective config after inheritance from org)
`PUT`	`/v1/agents/:id/cfd/config`	Update per-agent config — overrides org defaults for the specified fields only
`POST`	`/v1/cfd/config/bulk-apply`	Apply a config patch to multiple agents at once

Retrieve org-level config:

curl https://api.mnemom.ai/v1/cfd/config \
  -H "Authorization: Bearer $TOKEN"

{
  "enforcement_mode": "quarantine",
  "thresholds": {
    "bec_fraud":          { "warn": 0.45, "block": 0.80 },
    "prompt_injection":   { "warn": 0.40, "block": 0.75 },
    "indirect_injection": { "warn": 0.50, "block": 0.85 },
    "social_engineering": { "warn": 0.50, "block": 0.80 },
    "agent_spoofing":     { "warn": 0.45, "block": 0.75 },
    "hijack_attempt":     { "warn": 0.55, "block": 0.85 },
    "data_exfiltration":  { "warn": 0.45, "block": 0.80 },
    "privilege_escalation":{ "warn": 0.45, "block": 0.80 }
  },
  "session_risk_escalation_threshold": 0.70,
  "canary_auto_create": false
}

Update a single agent’s config:

curl -X PUT https://api.mnemom.ai/v1/agents/smolt-18a228f3/cfd/config \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "thresholds": {
      "bec_fraud": { "warn": 0.50, "block": 0.88 }
    }
  }'

Bulk-apply a config patch:

curl -X POST https://api.mnemom.ai/v1/cfd/config/bulk-apply \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_ids": ["smolt-18a228f3", "smolt-a9f34c12"],
    "patch": {
      "enforcement_mode": "block"
    }
  }'

Quarantine Management

Quarantined turns are held pending human review. Reviewers can release (with or without a false-positive flag) or confirm as a genuine threat.

Method	Endpoint	Description
`GET`	`/v1/cfd/quarantine`	List quarantined items — filter by `status`, `agent_id`, `threat_type`, date range
`GET`	`/v1/cfd/quarantine/:id`	Retrieve a single quarantine record with full evaluation detail
`DELETE`	`/v1/cfd/quarantine/:id`	Delete a quarantine record (admin only; irreversible)
`POST`	`/v1/cfd/quarantine/:id/release`	Release the quarantined turn to the agent; optionally mark as false positive
`POST`	`/v1/cfd/quarantine/:id/report`	Confirm the quarantined turn as a genuine threat

List open quarantine items:

curl "https://api.mnemom.ai/v1/cfd/quarantine?status=pending&limit=20" \
  -H "Authorization: Bearer $TOKEN"

Release with false-positive flag:

curl -X POST https://api.mnemom.ai/v1/cfd/quarantine/qid_7f3a9b2c/release \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "is_false_positive": true,
    "note": "Verified legitimate wire transfer request from CFO"
  }'

Confirm as genuine threat:

curl -X POST https://api.mnemom.ai/v1/cfd/quarantine/qid_7f3a9b2c/report \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "note": "Confirmed BEC attempt — forwarded to security team"
  }'

Query & Observability

Query the full evaluation history, aggregate metrics, and access a live SSE stream for real-time monitoring.

Method	Endpoint	Description
`GET`	`/v1/cfd/evaluations`	Full evaluation log — filter by `agent_id`, `verdict`, `threat_type`, `from`, `to`, `min_risk`
`GET`	`/v1/cfd/metrics/summary`	Aggregated counts: total evaluations, block rate, warn rate, false positive rate
`GET`	`/v1/cfd/metrics/timeseries`	Time-bucketed metrics for charts — specify `bucket` (`hour`, `day`, `week`)
`GET`	`/v1/cfd/metrics/threats`	Top threat types by volume and confidence over a time window
`GET`	`/v1/cfd/feed`	SSE stream of live CFD events — connect once and receive events as they happen
`GET`	`/v1/cfd/sessions`	List active sessions with elevated session risk (`medium` or `high`)

Query evaluations with filters:

curl "https://api.mnemom.ai/v1/cfd/evaluations?agent_id=smolt-18a228f3&verdict=block&from=2026-03-01T00:00:00Z&limit=50" \
  -H "Authorization: Bearer $TOKEN"

Get summary metrics:

curl "https://api.mnemom.ai/v1/cfd/metrics/summary?from=2026-03-01T00:00:00Z&to=2026-03-30T23:59:59Z" \
  -H "Authorization: Bearer $TOKEN"

{
  "period": { "from": "2026-03-01T00:00:00Z", "to": "2026-03-30T23:59:59Z" },
  "total_evaluations": 14832,
  "block_count": 47,
  "block_rate": 0.0032,
  "warn_count": 312,
  "warn_rate": 0.021,
  "quarantine_count": 89,
  "false_positive_count": 12,
  "false_positive_rate": 0.135,
  "top_threat_type": "prompt_injection"
}

Connect to the live SSE feed:

curl -N https://api.mnemom.ai/v1/cfd/feed \
  -H "Authorization: Bearer $TOKEN" \
  -H "Accept: text/event-stream"

The feed emits cfd.evaluation.*, cfd.canary.*, cfd.session.*, and cfd.campaign.* events as they occur. Reconnect with Last-Event-ID to replay missed events (replays up to 10 minutes back).

Patterns & Intelligence

Manage the threat pattern library and retrieve adaptive threshold recommendations.

Method	Endpoint	Description
`GET`	`/v1/cfd/patterns`	List active and candidate threat patterns — filter by `status`, `threat_type`
`POST`	`/v1/cfd/patterns`	Submit a candidate pattern for review and potential promotion
`GET`	`/v1/cfd/threshold-suggestions`	Adaptive threshold recommendations based on your false-positive and miss rate

List active patterns for a threat type:

curl "https://api.mnemom.ai/v1/cfd/patterns?status=active&threat_type=bec_fraud" \
  -H "Authorization: Bearer $TOKEN"

Get threshold suggestions:

curl https://api.mnemom.ai/v1/cfd/threshold-suggestions \
  -H "Authorization: Bearer $TOKEN"

{
  "suggestions": [
    {
      "threat_type": "bec_fraud",
      "scope": "agent",
      "agent_id": "smolt-18a228f3",
      "current_warn": 0.45,
      "suggested_warn": 0.55,
      "current_block": 0.80,
      "suggested_block": 0.88,
      "rationale": "False positive rate 18.4% over 30 days — above 15% target. Raise warn threshold to reduce noise.",
      "confidence": "high"
    }
  ]
}

Submit a candidate pattern:

curl -X POST https://api.mnemom.ai/v1/cfd/patterns \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "threat_type": "bec_fraud",
    "pattern": "(?i)urgent.*wire.*ceo|executive.*transfer.*now",
    "description": "CEO wire fraud variant with transposed urgency/authority order",
    "source": "user_submission"
  }'

Submitted patterns enter candidate status. The arena evaluation pipeline tests them against labeled benign and malicious message sets. Patterns that exceed precision/recall thresholds are promoted to active.

Canary Credentials

Canary credentials are honeypot API keys, tokens, or other secrets deliberately planted in the agent’s context. If an attacker extracts and uses them, CFD detects the use and fires a cfd.canary.triggered event.

Method	Endpoint	Description
`POST`	`/v1/cfd/canaries`	Create a canary credential and associate it with an agent
`GET`	`/v1/cfd/canaries?agent_id=`	List canaries for an agent
`GET`	`/v1/cfd/canaries/:id/status`	Check whether a specific canary has been triggered

Create a canary:

curl -X POST https://api.mnemom.ai/v1/cfd/canaries \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "smolt-18a228f3",
    "type": "api_key",
    "label": "Honeypot AWS key — do not use",
    "inject_into": "system_prompt"
  }'

{
  "canary_id": "can_f9e2a01b",
  "credential": "AKIAFAKE00HONEYPOT01",
  "type": "api_key",
  "agent_id": "smolt-18a228f3",
  "status": "active",
  "triggered": false,
  "created_at": "2026-03-30T12:00:00Z"
}

The credential value is returned only at creation time. CFD monitors for its appearance in outbound requests or inbound message content. Check canary status:

curl https://api.mnemom.ai/v1/cfd/canaries/can_f9e2a01b/status \
  -H "Authorization: Bearer $TOKEN"

Special Endpoints

Sovereign Agent Setup

One-call configuration for sovereign agents — applies hardened defaults, creates initial canaries, sets enforcement mode to block, and enables all threat types.

curl -X POST https://api.mnemom.ai/v1/cfd/sovereign-setup \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "smolt-18a228f3"
  }'

This is the recommended starting point for agents handling financial transactions, sensitive data access, or privileged system actions.

Cross-Agent Campaign Detection

List detected attack campaigns — groups of related attacks targeting multiple agents from the same infrastructure.

curl "https://api.mnemom.ai/v1/cfd/campaigns?status=active" \
  -H "Authorization: Bearer $TOKEN"

{
  "campaigns": [
    {
      "campaign_id": "camp_b3c9d4a1",
      "status": "active",
      "threat_type": "bec_fraud",
      "affected_agents": ["smolt-18a228f3", "smolt-a9f34c12"],
      "agent_count": 2,
      "first_seen": "2026-03-30T16:50:00Z",
      "last_seen": "2026-03-30T17:20:00Z",
      "similarity_score": 0.92
    }
  ]
}

EU AI Act Compliance Export

Export CFD evaluation data in EU AI Act Article 50 compliance format.

curl "https://api.mnemom.ai/v1/compliance/cfd-report?from=2026-01-01T00:00:00Z&to=2026-03-31T23:59:59Z" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Accept: application/json"

Returns a structured compliance report covering all evaluation decisions, blocked/quarantined turns, false positive resolutions, and configuration change audit records within the requested window. Supports Accept: text/csv for spreadsheet-compatible export.

Error Responses

All CFD endpoints return standard Mnemom error objects:

{
  "error": "Quarantine item not found",
  "type": "not_found",
  "quarantine_id": "qid_7f3a9b2c"
}

HTTP Status	Meaning
`400`	Invalid request body or parameters
`401`	Missing or invalid authentication
`403`	Insufficient permissions for the requested operation
`404`	Resource not found
`429`	Rate limit exceeded
`500`	Internal server error

CFD Threat Model — What each threat type means and how detection works
CFD Webhooks — React to CFD events in real-time
CFD Monitoring — Security Observatory and alert management
Policy Overview — Policy enforcement runs alongside CFD

API Reference

Context Front Door

Agents

Traces

Integrity

Checkpoints

Drift

Enforcement

Agent Containment

Conscience Values

Card Templates

AIP Webhooks

Auth

Billing

Organizations

Teams

Team Reputation

Webhook Notifications

Licensing

Analyze

Verification

Blog

Admin API

CFD API Reference

CFD API Reference

Configuration

Quarantine Management

Query & Observability

Patterns & Intelligence

Canary Credentials

Special Endpoints

Sovereign Agent Setup

Cross-Agent Campaign Detection

EU AI Act Compliance Export

Error Responses

API Reference

Context Front Door

Agents

Traces

Integrity

Checkpoints

Drift

Enforcement

Agent Containment

Conscience Values

Card Templates

AIP Webhooks

Auth

Billing

Organizations

Teams

Team Reputation

Webhook Notifications

Licensing

Analyze

Verification

Blog

Admin API

​CFD API Reference

​Configuration

​Quarantine Management

​Query & Observability

​Patterns & Intelligence

​Canary Credentials

​Special Endpoints

​Sovereign Agent Setup

​Cross-Agent Campaign Detection

​EU AI Act Compliance Export

​Error Responses

​Related

CFD API Reference

Configuration

Quarantine Management

Query & Observability

Patterns & Intelligence

Canary Credentials

Special Endpoints

Sovereign Agent Setup

Cross-Agent Campaign Detection

EU AI Act Compliance Export

Error Responses

Related