Available under X-Mnemom-Version: 2026-04-15 and later. The legacy /card, /policy, /cfd/config, /org-card-exempt, and /card-template endpoints were removed in this cutover rather than deprecated — see ADR-008 for the rationale.

Two cards per agent

Every agent on Mnemom is governed by two YAML cards:
| Card | Authors | Answers |
|---|---|---|
| Alignment card | Agent operator, Org admin | Who is this agent? What may it do? What does it commit to? |
| Protection card | Security operator | How is this agent protected from threats? |

Both cards are composed at storage time from three scopes (Platform, Org, Agent) into a canonical document the gateway and observer read on every request. Composition semantics (union / deny-overrides / floor / concat) are defined in ADR-008.

Endpoint surface

Per-agent

| Method | Path | Purpose |
|---|---|---|
| GET | /v1/agents/:id/alignment-card | Read the canonical alignment card |
| PUT | /v1/agents/:id/alignment-card | Publish a new alignment card (YAML or JSON) |
| GET | /v1/agents/:id/protection-card | Read the canonical protection card |
| PUT | /v1/agents/:id/protection-card | Publish a new protection card |
| GET | /v1/agents/:id/exemptions | List active exemptions |
| POST | /v1/agents/:id/exemptions | Grant an exemption (org-admin only) |
| DELETE | /v1/agents/:id/exemptions/:exemption_id | Revoke an exemption |

Per-org

| Method | Path | Purpose |
|---|---|---|
| GET | /v1/orgs/:id/alignment-template | Read the org alignment template |
| PUT | /v1/orgs/:id/alignment-template | Update the template (triggers org-wide recompose) |
| DELETE | /v1/orgs/:id/alignment-template | Clear the template |
| GET | /v1/orgs/:id/protection-template | Read the org protection template |
| PUT | /v1/orgs/:id/protection-template | Update the template (triggers org-wide recompose) |
| DELETE | /v1/orgs/:id/protection-template | Clear the template |

Content negotiation

All card endpoints are YAML-first.

| Request header | Response body |
|---|---|
| Accept: text/yaml (default) | YAML |
| Accept: application/yaml | YAML |
| Accept: application/json | JSON |

PUT endpoints accept either YAML (via Content-Type: text/yaml) or JSON (via Content-Type: application/json with the raw card as the body, or wrapped as { "card_yaml": "<yaml string>" } or { "card_json": {...} }).

Required request headers on mutations

Every PUT, POST, or DELETE must carry:
Idempotency-Key: <opaque 24h-unique string>
Replays of the same key with the same request body return the cached response. Replays with a different body return 422 Idempotency-Key conflict.
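
The replay rule above, modelled as a small in-memory cache. This is an added example, not Mnemom's implementation: the byte-for-byte body comparison, the 24-hour expiry of stored keys, and the names IdempotencyCache, handle and publish are assumptions made for illustration.

```python
import hashlib
import time

# Assumption: "24h-unique" means a key is remembered for 24 hours, then reusable.
WINDOW_SECONDS = 24 * 60 * 60


class IdempotencyCache:
    """In-memory model of the replay rule for PUT, POST and DELETE requests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # key -> (body digest, time stored, response)

    def handle(self, key, body, apply_mutation):
        """Return (status, payload); apply_mutation(body) runs at most once per live key."""
        if not key:
            # The page requires the header but names no status for its absence,
            # so this model raises instead of inventing one.
            raise ValueError("Idempotency-Key is required on mutations")
        now = self._clock()
        # Assumption: "same request body" is compared byte for byte.
        digest = hashlib.sha256(body).hexdigest()
        entry = self._entries.get(key)
        if entry is not None and now - entry[1] >= WINDOW_SECONDS:
            del self._entries[key]  # window elapsed: treat the key as new
            entry = None
        if entry is None:
            response = apply_mutation(body)
            self._entries[key] = (digest, now, response)
            return response
        if entry[0] != digest:
            return 422, "Idempotency-Key conflict"  # same key, different body
        return entry[2]  # same key, same body: cached response, no second write


if __name__ == "__main__":
    writes = []

    def publish(body):  # hypothetical stand-in for the real card write
        writes.append(body)
        return 200, "stored revision %d" % len(writes)

    cache = IdempotencyCache()
    card_a = b"constructed card body A"  # constructed sample, not a real card
    card_b = b"constructed card body B"
    print(cache.handle("key-1", card_a, publish))  # first write
    print(cache.handle("key-1", card_a, publish))  # replay
    print(cache.handle("key-1", card_b, publish))  # conflict
```

A client that retries after a timeout should resend the identical bytes under the same key; re-serializing the card between attempts can change the body and turn a safe retry into a 422.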

Cross-cutting contracts

Every response from a card endpoint includes X-Mnemom-Schema, every mutation writes a governance_audit_log row before responding, and every mutation emits a webhook event. See the Governance guarantees page for details.

What is NOT available through these endpoints

  • Trust edges, team cards, team coherence, fault lines — separate endpoints under /v1/teams/…; unchanged by UC-4.
  • Safe House operational endpoints (quarantine, canary, patterns, metrics, sessions, compliance reports) — preserved; unchanged by UC-4.
  • Policy evaluation: /v1/policies/evaluate and /v1/policies/evaluate/historical are preserved as a distinct concern (evaluate a card’s enforcement section against a tool manifest).