sxe-measurement

Sentivex Evolution Engine API

POST/redteam/inject

Redteam Inject

Operator calls this once per controlled attack injection. The payload is appended (atomically, threadsafe) to a newline-delimited JSON log. No de-duplication; if the operator re-injects, send a new POST.

Request body

attack_namestringrequired

short label, e.g. 'mimikatz_lsass_dump'

target_hoststringrequired

hostname or asset id, case-insensitive match

injected_atstringrequired

ISO 8601 timestamp when injection ran

expected_verdictstring | null

benign | suspicious | malicious

expected_severitystring | null

Low | Medium | High | Critical

expected_mitrestring[]

MITRE technique IDs e.g. ['T1003.001']

target_userstring | null
toolstring | null

attack tool / binary, e.g. 'mimikatz_v2.2'

operatorstring | null

who ran the injection

notesstring | null

Responses

200 Successful Response422 Validation Error
object
cURL
curl -X POST https://see.in-bridge.com/redteam/inject \
  -H "Content-Type: application/json" \
  -d '{"attack_name":"string","target_host":"string","injected_at":"string","expected_verdict":"string","expected_severity":"string","expected_mitre":["string"],"target_user":"string","tool":"string","operator":"string","notes":"string"}'
JavaScript
const res = await fetch("https://see.in-bridge.com/redteam/inject", {
  method: "POST",
  headers: {
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "attack_name": "string",
    "target_host": "string",
    "injected_at": "string",
    "expected_verdict": "string",
    "expected_severity": "string",
    "expected_mitre": [
      "string"
    ],
    "target_user": "string",
    "tool": "string",
    "operator": "string",
    "notes": "string"
  })
});
const data = await res.json();
Response 200
{}
GET/redteam/match

Redteam Match

Lookup: does any RT injection match host `host` near time `ts`? Query params: host: required, case-insensitive match against target_host ts: required, ISO 8601 timestamp to search around window_minutes: ± window, default 5 The browser / bundle endpoint calls this when assembling an incident to attach `ground_truth` if a controlled injection lines up.

Query parameters

hoststringrequired
tsstringrequired
window_minutesinteger

Responses

200 Successful Response422 Validation Error
object
cURL
curl -X GET https://see.in-bridge.com/redteam/match?host=string&ts=string&window_minutes=0
JavaScript
const res = await fetch("https://see.in-bridge.com/redteam/match", {
  method: "GET"
});
const data = await res.json();
Response 200
{}
GET/redteam/list

Redteam List

List recent injections (for ops verification + browser sanity).

Query parameters

limitinteger
hoststring | null

Responses

200 Successful Response422 Validation Error
object
cURL
curl -X GET https://see.in-bridge.com/redteam/list?limit=0&host=string
JavaScript
const res = await fetch("https://see.in-bridge.com/redteam/list", {
  method: "GET"
});
const data = await res.json();
Response 200
{}
GET/sxe/metering/usage

AI 토큰 종량 미터링 롤업 (billing 축2, #136) — 기간·(테넌트)·모델별 raw 토큰

AI 토큰 종량 미터링 롤업 (auth 청구 축2, 이슈 #136). 조회전용·측정격리(sxe.analyses 무관). LiteLLM_SpendLogs(inc: 태그=sxe 분석 콜)를 기간 window 로 model 별 집계. ★tokens=SEE authoritative, 원가/초과 환산=auth 경제 SoT — SEE 는 가격/cost 를 안 낸다(SoT 이중화 방지, #136 확정: raw 토큰만, 파생 cost 미포함. token×price→overage 는 하류 billing 이 auth 가격표로 계산). tenant 지정 시 request_tags `tenant:<id>` 필터(태깅 전엔 정직 빈=0), 미지정=배포전체(현행 단일고객). 계약: docs/38-to-auth-see-metering-billing-contract-2026-07-05.md @param since/until 기간(epoch_ms 또는 상대). @param tenant 테넌트 스코프. @returns {window, tenant, totals, by_model[], note}. side-effect: 없음(read-only).

Query parameters

sincestring | null

시작(epoch_ms 순수숫자 또는 24h/7d/60m 상대). 미지정=24h

untilstring | null

끝(epoch_ms). 미지정=now

tenantstring | null

테넌트 id — request_tags tenant:<id> additive 필터(태깅 전엔 매칭 0). 미지정=배포전체

Responses

200 Successful Response422 Validation Error
object
cURL
curl -X GET https://see.in-bridge.com/sxe/metering/usage?since=string&until=string&tenant=string
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/metering/usage", {
  method: "GET"
});
const data = await res.json();
Response 200
{}
GET/sxe/spendlogs

call 단위 LLM SpendLogs trace(비용/지연)

LiteLLM_SpendLogs trace — 두 모드. - incident_uid 지정: 이 인시던트의 trace (request_tags 의 'inc:UID' 매칭, 시간순). - since 지정 (예: '24h','7d','60m'): 최근 구간 전체 sxe trace 집계 (dashboard big-kpi 24h 비용). (2026-05-31 fix: dashboard big-kpi 가 since=24h 로 호출하는데 incident_uid 필수라 422 나던 계약 불일치 해소 + total_cost 집계 추가.)

Query parameters

incident_uidstring | null
sincestring | null
limitinteger

Responses

200 Successful Response422 Validation Error
object
cURL
curl -X GET https://see.in-bridge.com/sxe/spendlogs?incident_uid=string&since=string&limit=0
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/spendlogs", {
  method: "GET"
});
const data = await res.json();
Response 200
{}
GET/sxe/syskind_latency

phase별 LLM 지연 p50/p95/p99 (LiteLLM SpendLogs)

sys_kind 별 latency p50/p95/p99 — LiteLLM_SpendLogs 의 sxe 호출만. measurements.html 의 §sys_kind latency 표 채우기 용도.

Responses

200 Successful Response
itemsSyskindLatencyItem[]required
sys_kindstringrequired
nintegerrequired
p50_snumberrequired
p95_snumberrequired
p99_snumberrequired
max_snumberrequired
avg_tokensinteger | null
total_costnumber | null
notestring | null

SpendLogs DB 미가용 시 사유

cURL
curl -X GET https://see.in-bridge.com/sxe/syskind_latency
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/syskind_latency", {
  method: "GET"
});
const data = await res.json();
Response 200
{
  "items": [
    {
      "sys_kind": "string",
      "n": 0,
      "p50_s": 0,
      "p95_s": 0,
      "p99_s": 0,
      "max_s": 0,
      "avg_tokens": 0,
      "total_cost": 0
    }
  ],
  "note": "string"
}
GET/sxe/tenant_vendor_scope

테넌트 OCSF 벤더 스코프 (auth tenant_vendors → data_vendor_name, #135)

auth 테넌트→OCSF 벤더 스코프 resolver 결과 노출 (이슈 #135 A안, 데이터필터 파운데이션). tenant_id 있으면 그 테넌트가 등록한 벤더의 OCSF metadata.product.vendor_name 목록, 없으면 vendor_names=null(=필터 미적용). catalog_size=라이브 auth /catalog/vendors 매핑 크기. ★ 조회 전용(측정/동결경로 무관). /opensearch_* 자동주입은 아직 안 함 — 전제(tenant_vendors 시드 + 세션 tenant 결선)는 이슈 #135 블로커. require_see_session 미적용(read route 관례). @param tenant_id auth tenants.id @returns {tenant_id, vendor_names: list|null, catalog_size, resolved}

Query parameters

tenant_idstring | null

auth tenants.id (없으면 vendor_names=null=필터 미적용)

Responses

200 Successful Response422 Validation Error
object
cURL
curl -X GET https://see.in-bridge.com/sxe/tenant_vendor_scope?tenant_id=string
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/tenant_vendor_scope", {
  method: "GET"
});
const data = await res.json();
Response 200
{}
GET/sxe/stats

per-source 분석 통계 (건수·비용·지연)

전체 sxe 통계 (per-source). NOTE (cost-null bug fix): the legacy v_source_stats view defined measured_analyses = COUNT FILTER (measurement_enabled) but avg_cost_usd = AVG(total_cost_usd). For a vendor whose rows are all measurement-enabled yet cost-less (e.g. the ocsf pending block: 54 rows, every total_cost_usd NULL) this produced the contradictory "measured_analyses=54 / avg_cost_usd=null". We now derive BOTH fields from the SAME `total_cost_usd IS NOT NULL` filter so measured_analyses counts only actually-costed runs and avg_cost_usd is null IFF measured_analyses==0. enabled_analyses keeps the old measurement_enabled count for reference.

Responses

200 Successful Response
total_analysesintegerrequired
measured_analysesintegerrequired
by_sourceStatsBySource[]required
sourcestringrequired
unique_incidentsinteger | null
total_analysesinteger | null
enabled_analysesinteger | null
measured_analysesinteger | null
avg_elapsed_sstring | null
avg_cost_usdstring | null
cURL
curl -X GET https://see.in-bridge.com/sxe/stats
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/stats", {
  method: "GET"
});
const data = await res.json();
Response 200
{
  "total_analyses": 0,
  "measured_analyses": 0,
  "by_source": [
    {
      "source": "string",
      "unique_incidents": 0,
      "total_analyses": 0,
      "enabled_analyses": 0,
      "measured_analyses": 0,
      "avg_elapsed_s": "string",
      "avg_cost_usd": "string"
    }
  ]
}
GET/sxe/measurement_stats

측정 집계 롤업(논문 §5 보조)

P5-C5 (2026-05-30) — 측정/논문 단일 진실 소스. 7 단계 진단 출력 — 어떤 컬럼이 채워지고 안 채워지는지를 한 번에 본다: 1) 전체 분석 수 / 측정모드 분포 2) config_hash 분포 (paper §5 ablation 대상) 3) status 분포 (done/running/error 등) 4) phase_reached 분포 5) 정규화 테이블 row 분포 (findings/debate/dialogue/itsm/spawned) 6) cross_ref_round=1 채움 비율 (F-5 fix 검증) 7) 0007 컬럼 채움 비율 (vendor_label / disposition / correlation_keys / bundle_vendor_eval) 측정 batch 끝나고 한 번 호출 → 모든 컬럼 sanity check. paper §5 export 도 이 값을 인용 — UI 와 export 가 서로 다른 숫자로 빠지는 것을 방지.

Query parameters

sourcestring | null
backend_runnerboolean | null
measurementboolean | null
statusstring | null
config_hashstring | null

Responses

200 Successful Response422 Validation Error
object
cURL
curl -X GET https://see.in-bridge.com/sxe/measurement_stats?source=string&backend_runner=true&measurement=true
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/measurement_stats", {
  method: "GET"
});
const data = await res.json();
Response 200
{}
GET/sxe/measure/candidates

Sxe Measure Candidates

측정 선정용 후보 — 벤더별 richness 정렬. kumho(cortex_xdr) 는 sxe_richness(alert/hash/file/net), 그 외 벤더는 incident.count(detection 수) 로 정렬. source 미지정은 기본 OCSF 데이터스트림(ocsf_ds)을 사용한다. source=vendor_default 일 때만 기존 벤더별 측정 소스(ocsf/crowdstrike/...)를 사용한다. source=ocsf|ocsf_ds 지정 시 해당 OCSF 인덱스 패턴에서 후보를 뽑고, 측정 실행 source도 그 값으로 태깅한다.

Query parameters

vendorstring
sourcestring | null
min_alertinteger
min_hashinteger
min_fileinteger
min_netinteger
limitinteger
sortstring

Responses

200 Successful Response422 Validation Error
object
cURL
curl -X GET https://see.in-bridge.com/sxe/measure/candidates?vendor=string&source=string&min_alert=0
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/measure/candidates", {
  method: "GET"
});
const data = await res.json();
Response 200
{}
POST/sxe/measure/run

Sxe Measure Run

선정 incident 들을 벤더별 SOURCE 로 measure.mjs 실행 (백그라운드, 동시성 cap). body: { incidents: [{uid, source}] } (source 미지정시 ocsf_ds)

Responses

200 Successful Response
object
cURL
curl -X POST https://see.in-bridge.com/sxe/measure/run
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/measure/run", {
  method: "POST"
});
const data = await res.json();
Response 200
{}
GET/sxe/measure/runs

측정 실행 상태 타임라인 (active/max_concurrent)

측정 실행 상태 (measure-lab 타임라인용). 최신순.

Responses

200 Successful Response
runsany[]

measure 실행 상태(최신순)

activeintegerrequired
max_concurrentintegerrequired
cURL
curl -X GET https://see.in-bridge.com/sxe/measure/runs
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/measure/runs", {
  method: "GET"
});
const data = await res.json();
Response 200
{
  "runs": [
    null
  ],
  "active": 0,
  "max_concurrent": 0
}
POST/sxe/measure/clear

Sxe Measure Clear

완료/에러 run 정리 (running/queued 는 보존).

Responses

200 Successful Response
object
cURL
curl -X POST https://see.in-bridge.com/sxe/measure/clear
JavaScript
const res = await fetch("https://see.in-bridge.com/sxe/measure/clear", {
  method: "POST"
});
const data = await res.json();
Response 200
{}