TenantAtlas/specs/101-golden-master-baseline-governance-v1/contracts/baseline-governance.openapi.yaml
ahmido a30be84084 Baseline governance UX polish + view Infolist (#123)
Summary:
- Baseline Compare landing: enterprise UI (stats grid, critical drift banner, better actions), navigation grouping under Governance, and Action Surface Contract declaration.
- Baseline Profile view page: switches from disabled form fields to proper Infolist entries for a clean read-only view.
- Fixes tenant name column usages (`display_name` → `name`) in baseline assignment flows.
- Dashboard: improved baseline governance widget with severity breakdown + last compared.

Notes:
- Filament v5 / Livewire v4 compatible.
- Destructive actions remain confirmed (`->requiresConfirmation()`).

Tests:
- `vendor/bin/sail artisan test --compact tests/Feature/Baselines`
- `vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #123
2026-02-19 23:56:09 +00:00


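# Baseline Governance v1 contract.
# The nesting below is rebuilt from the OpenAPI 3.0 object model; the listing
# had lost its indentation and would not parse as a single document that way.
openapi: 3.0.3
info:
  title: Baseline Governance v1 (Golden Master)
  version: 1.0.0
  description: |
    Conceptual HTTP contract for Baseline Governance actions.
    Note: The implementation is Filament + Livewire; these endpoints describe the server-side behavior
    (authorization, precondition failures, operation run creation) in a REST-like form for clarity.
servers:
  - url: /admin
# NOTE(review): no `security` requirement or `securitySchemes` entry is declared
# in this document; authentication is presumably handled by the admin panel
# session. Confirm and state it in info.description.
paths:
  /workspaces/{workspaceId}/baselines:
    get:
      summary: List baseline profiles
      parameters:
        - $ref: '#/components/parameters/workspaceId'
      # NOTE(review): only 200 is declared here, while the sibling operations
      # declare 404 (workspace not entitled) and 403 (missing capability).
      # Confirm whether the same checks apply to listing, and declare them.
      responses:
        '200':
          description: OK
  /workspaces/{workspaceId}/baselines/{baselineProfileId}:
    get:
      summary: View baseline profile
      parameters:
        - $ref: '#/components/parameters/workspaceId'
        - $ref: '#/components/parameters/baselineProfileId'
      # Two denial outcomes are declared: 404 when the workspace is not
      # entitled, 403 when the caller lacks the capability.
      # NOTE(review): presumably the entitlement check runs before the
      # capability check, so a caller outside the workspace cannot tell an
      # existing profile id from a missing one. Confirm the order.
      responses:
        '200':
          description: OK
        '404':
          description: Not found (workspace not entitled)
        '403':
          description: Forbidden (missing capability)
  /workspaces/{workspaceId}/baselines/{baselineProfileId}/capture:
    post:
      summary: Capture immutable baseline snapshot from a tenant
      parameters:
        - $ref: '#/components/parameters/workspaceId'
        - $ref: '#/components/parameters/baselineProfileId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [source_tenant_id]
              properties:
                # NOTE(review): the tenant id is supplied in the body and the
                # contract does not say how it is checked against workspaceId.
                # Confirm that a tenant outside the workspace, or one the
                # caller is not entitled to, is rejected before any
                # OperationRun is created, and document which status results.
                source_tenant_id:
                  type: integer
      responses:
        '202':
          description: Enqueued (OperationRun created/reused)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OperationRunStartResponse'
        # Declared as creating no OperationRun: a rejected request is expected
        # to leave no queued work behind.
        '422':
          description: Precondition failure (no OperationRun created)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PreconditionFailure'
              examples:
                missingSourceTenant:
                  value:
                    reason_code: baseline.capture.missing_source_tenant
        '404':
          description: Not found (workspace not entitled)
        '403':
          description: Forbidden (missing capability)
  /tenants/{tenantId}/baseline-compare:
    post:
      summary: Compare tenant state to assigned baseline and generate drift findings
      parameters:
        - $ref: '#/components/parameters/tenantId'
      responses:
        '202':
          description: Enqueued (OperationRun created/reused)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OperationRunStartResponse'
        # NOTE(review): these reason codes disclose assignment and snapshot
        # state for the tenant. Confirm the 404/403 checks are evaluated
        # before the preconditions, so a caller that is not entitled never
        # receives a 422.
        '422':
          description: Precondition failure (no OperationRun created)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PreconditionFailure'
              examples:
                noAssignment:
                  value:
                    reason_code: baseline.compare.no_assignment
                profileNotActive:
                  value:
                    reason_code: baseline.compare.profile_not_active
                noActiveSnapshot:
                  value:
                    reason_code: baseline.compare.no_active_snapshot
        '404':
          description: Not found (tenant/workspace not entitled)
        '403':
          description: Forbidden (missing capability)
  /tenants/{tenantId}/baseline-compare/latest:
    get:
      summary: Fetch latest baseline compare summary for tenant
      parameters:
        - $ref: '#/components/parameters/tenantId'
      # NOTE(review): only 200 is declared, and no response schema. The POST
      # on the parent path declares 404 (tenant/workspace not entitled) and
      # 403 (missing capability); confirm this read is guarded the same way
      # and declare the outcomes here.
      responses:
        '200':
          description: OK
components:
  parameters:
    # All three identifiers are plain integers in the path, so every
    # operation that accepts one depends on a server-side entitlement check;
    # the identifier itself carries no authority.
    workspaceId:
      name: workspaceId
      in: path
      required: true
      schema:
        type: integer
    tenantId:
      name: tenantId
      in: path
      required: true
      schema:
        type: integer
    baselineProfileId:
      name: baselineProfileId
      in: path
      required: true
      schema:
        type: integer
  schemas:
    # Body of the 202 responses of the capture and compare operations.
    OperationRunStartResponse:
      type: object
      required: [operation_run_id]
      properties:
        operation_run_id:
          type: integer
        # NOTE(review): the contract does not state the scope within which a
        # run is reused. Confirm reuse is limited to the same tenant/profile,
        # so a caller is never handed a run id that belongs to another scope.
        reused:
          type: boolean
          description: True if an already-queued/running run was returned
    # Body of the 422 responses; only the code is required.
    PreconditionFailure:
      type: object
      required: [reason_code]
      properties:
        reason_code:
          type: string
          description: Stable code for UI + support triage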