Backstop

Metadata endpoints

Endpoints for snapshots, audit events, alerts, health, and admin controls.

GET/metadata/snapshots metadata:read scope

Lists available snapshots. Filter by table name with ?table=users.

curl -H "Authorization: Bearer token" \
  "http://localhost:8080/metadata/snapshots?table=users"
GET/metadata/audit metadata:read scope

Returns audit events. Filter with ?agent_id=cursor-local&risk=CRITICAL&limit=50.

GET/metadata/alerts metadata:read scope

Returns system alerts — bypass detections, sidecar failures, storage issues.

GET/metadata/health metadata:read scope

Returns component health: gateway, sidecar heartbeat age, storage connectivity, last snapshot age.

{
  "gateway": "running",
  "sidecar_heartbeat_age_seconds": 34,
  "sidecar_status": "healthy",
  "last_snapshot_age_seconds": 180,
  "storage_accessible": true,
  "paused": false
}
GET/metrics metrics:read scope

Prometheus metrics endpoint. Exposes gateway throughput, risk distribution, approval rates, and sidecar snapshot lag.

POST/admin/pause admin:* scope

Emergency pause — stops all write and CRITICAL query execution. Reads (SAFE) continue.

{ "reason": "Suspicious agent behavior — investigating" }
POST/admin/resume admin:* scope

Resumes normal operation after a pause.

GET/admin/status admin:* scope

Returns the current admin state including pause status, reason, and environment info.

GET/health

Unauthenticated health probe. Returns {"status":"ok"} if the gateway is running.