GET /protection/org/{org_id}
Get this layer's protection manifest
curl --request GET \
  --url https://api.mnemom.ai/v1/protection/org/{org_id} \
  --header 'Authorization: Bearer <token>'
{
  "card_version": "<string>",
  "agent_id": "<string>",
  "thresholds": {
    "warn": 0.5,
    "quarantine": 0.5,
    "block": 0.5
  },
  "screen_surfaces": {
    "incoming": true,
    "outgoing": true,
    "tool_calls": true,
    "tool_responses": true
  },
  "trusted_sources": {
    "domains": [
      "<string>"
    ],
    "agent_ids": [
      "<string>"
    ],
    "ip_ranges": [
      "<string>"
    ]
  },
  "card_id": "<string>",
  "issued_at": "2023-11-07T05:31:56Z",
  "expires_at": "2023-11-07T05:31:56Z",
  "extensions": {},
  "_composition": {
    "canonical_id": "<string>",
    "composed_at": "2023-11-07T05:31:56Z",
    "scopes_applied": [
      {
        "scope": "<string>",
        "version": 123,
        "template_version": 123,
        "card_id": "<string>"
      }
    ],
    "exemptions_applied": [
      "<string>"
    ],
    "source_card_id": "<string>",
    "source_policy_id": "<string>"
  }
}

Authorizations

Authorization
string
header
required

Supabase JWT token in Authorization: Bearer header

Headers

Accept
enum<string>

Response format. YAML is canonical; JSON is returned only on explicit application/json. The ?include=sources envelope is JSON-only.

Available options:
text/yaml,
application/yaml,
application/json

Path Parameters

org_id
string
required

Organization identifier (e.g. org-abc12345)

Query Parameters

include_composition
boolean
default:false

Include the _composition metadata block on the response body.

include
enum<string>

When set to sources, returns the scope-resolution envelope for this scope (the contributing layers + the composed result); the envelope shape is scope-specific (see ADR-053). The envelope is JSON-only.

Available options:
sources

Response

Protection manifest at this scope.

Unified protection card (ADR-037). Safe House thresholds + trusted-source policy for a single agent. Shape matches src/composition/types.ts::UnifiedProtectionCard (canonical) and what the runtime validator at src/composition/validate.ts accepts. The customer-facing docs at /concepts/protection-card and /specifications/protection-card-schema document this same shape.

card_version
string
required

agent_id
string
required

mode
enum<string>
required

Strictest-wins composition: enforce > nudge > observe > off.

Available options:
off,
observe,
nudge,
enforce

thresholds
object
required

Score bands. Must satisfy warn <= quarantine <= block; each value in [0, 1].

screen_surfaces
object
required

Which request surfaces Safe House inspects. Composed across scopes by OR-per-field (any scope requiring inspection wins).

trusted_sources
object
required

Sources for which detectors short-circuit (each match logged in the trace). Composed as platform->agent intersection (compliance ceiling) with org+agent union inside that ceiling — an agent cannot widen trust beyond what the platform allows.

card_id
string

issued_at
string<date-time>

expires_at
string<date-time> | null

extensions
object

Free-form extension slot for non-canonical fields. Ignored by the composer; preserved on read for tooling that needs an audit-tail metadata bag.

_composition
object

System-managed block describing which scope sources merged into the canonical card. Only returned when ?include_composition=true.
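
The composition rules stated above for mode, thresholds, screen_surfaces and trusted_sources, written out as an added example (not the project's own code and not part of the original page). The Layer shape, the function names, the flat trusted_domains list standing in for trusted_sources.domains, and the reading of the trust rule as (org ∪ agent) ∩ platform are assumptions.

```typescript
// Added example, not the project's code. Layer, thresholdErrors and compose are hypothetical names.
type Mode = "off" | "observe" | "nudge" | "enforce";
type Surface = "incoming" | "outgoing" | "tool_calls" | "tool_responses";
interface Thresholds { warn: number; quarantine: number; block: number }
interface Layer {
  mode: Mode;
  screen_surfaces: Record<Surface, boolean>;
  trusted_domains: string[]; // stands in for trusted_sources.domains
}

const MODE_ORDER: Mode[] = ["off", "observe", "nudge", "enforce"];
const SURFACES: Surface[] = ["incoming", "outgoing", "tool_calls", "tool_responses"];

// Score bands: each value in [0, 1] and warn <= quarantine <= block.
function thresholdErrors(t: Thresholds): string[] {
  const errors: string[] = [];
  const bands: [string, number][] = [["warn", t.warn], ["quarantine", t.quarantine], ["block", t.block]];
  for (const [name, v] of bands) {
    if (!(v >= 0 && v <= 1)) errors.push(`${name} out of [0, 1]`); // NaN is rejected too
  }
  if (!(t.warn <= t.quarantine && t.quarantine <= t.block)) {
    errors.push("warn <= quarantine <= block violated");
  }
  return errors;
}

function compose(platform: Layer, org: Layer, agent: Layer): Layer {
  const layers = [platform, org, agent];
  // Strictest-wins: keep the highest-ranked mode among all layers.
  const mode = layers.reduce<Mode>(
    (best, l) => (MODE_ORDER.indexOf(l.mode) > MODE_ORDER.indexOf(best) ? l.mode : best), "off");
  // OR-per-field: a surface is screened if any layer screens it.
  const screen_surfaces = {} as Record<Surface, boolean>;
  for (const s of SURFACES) screen_surfaces[s] = layers.some((l) => l.screen_surfaces[s]);
  // Assumed reading: (org ∪ agent) ∩ platform, so the platform list is the ceiling.
  const requested = org.trusted_domains.concat(agent.trusted_domains);
  const trusted_domains = requested
    .filter((d, i) => requested.indexOf(d) === i && platform.trusted_domains.indexOf(d) !== -1)
    .sort();
  return { mode, screen_surfaces, trusted_domains };
}

// Constructed sample layers, for illustration only.
const off = { incoming: false, outgoing: false, tool_calls: false, tool_responses: false };
const SAMPLE = compose(
  { mode: "observe", screen_surfaces: off, trusted_domains: ["a.example", "b.example"] },
  { mode: "nudge", screen_surfaces: { ...off, tool_calls: true }, trusted_domains: ["b.example"] },
  { mode: "enforce", screen_surfaces: { ...off, incoming: true }, trusted_domains: ["c.example", "a.example"] },
);
```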