{"openapi":"3.1.0","info":{"title":"SENA Enterprise API","version":"1.0.0","summary":"Machine-readable contract for SENA auth, projects, analysis, imports, reliability, validation, exports, governance, ops, and provisioning APIs."},"servers":[{"url":"https://www.sena.hk"}],"tags":[{"name":"Auth and SSO","description":"Password login, registration, session, MFA, password reset, and OAuth/OIDC provider start/callback."},{"name":"Teams and RBAC","description":"Team state, invitations, membership lifecycle, and role-aware access for PI/Admin/Coder/Reviewer workflows."},{"name":"Projects and Collaboration","description":"Durable SENA project snapshots, revisions, restore, comments, presence, adjudication, and live collaboration streams."},{"name":"SENA Analysis","description":"Server-side SENA analysis from projects, snapshots, raw datasets, or SENA JSON contracts with persisted run history."},{"name":"Imports and Uploads","description":"Source upload registry, blob verification, object-storage delivery, cleaning manifests, and import-to-project persistence."},{"name":"Reliability","description":"Multi-coder file parsing, Cohen kappa/Krippendorff alpha dashboard generation, review, and adjudication history."},{"name":"Validation","description":"Group comparison, suites, Holm correction, expert review, approval, and return-to-researcher flows."},{"name":"Publication Exports","description":"Publication-ready report artifacts for HTML, SVG, PNG, XLSX, DOCX, and PDF."},{"name":"Governance","description":"Audit export/integrity, backup delivery, managed database sync, restore dry-run, restore merge, and health evidence."},{"name":"Ops","description":"Readiness, status, metrics, deployment handoff, release-gate evidence, firing alerts, and signed alert delivery."},{"name":"Provisioning and SCIM","description":"Institution-managed users, teams, SSO identities, memberships, and SCIM 2.0 Users/Groups bridge."},{"name":"ENA Runtime","description":"Compatibility endpoint for the standalone jENA analysis runtime."}],"paths":{"/api/auth/login":{"post":{"tags":["Auth and SSO"],"operationId":"auth-login-post","summary":"Authenticate with email/password and return either a session or an MFA challenge.","security":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"JSON { email, password, mfaCode?, rememberSession? }; completed sessions return x-sena-auth-flow, x-sena-auth-user-id, x-sena-auth-session-id, x-sena-auth-session-profile, x-sena-auth-session-expires-at, x-sena-auth-team-id, x-sena-auth-membership-role, x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps response headers so local password login cannot be mistaken for completed institution IdP production evidence."}},"multipart/form-data":{"schema":{"type":"object","description":"JSON { email, password, mfaCode?, rememberSession? }; completed sessions return x-sena-auth-flow, x-sena-auth-user-id, x-sena-auth-session-id, x-sena-auth-session-profile, x-sena-auth-session-expires-at, x-sena-auth-team-id, x-sena-auth-membership-role, x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps response headers so local password login cannot be mistaken for completed institution IdP production evidence."}}}},"responses":{"200":{"description":"sena-auth-login/v1; sena-auth-mfa-challenge/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-auth-login/v1; sena-auth-mfa-challenge/v1"}}}}}}},"/api/auth/register":{"post":{"tags":["Auth and SSO"],"operationId":"auth-register-post","summary":"Register a researcher account and create or join an enterprise team with the enterprise password policy enforced.","security":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"JSON { name, email, password, organization, inviteCode? }; password must satisfy sena-enterprise-password-policy/v1; completed sessions return x-sena-auth-flow, x-sena-auth-user-id, x-sena-auth-session-id, x-sena-auth-team-id, x-sena-auth-membership-role, x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps response headers so local registration cannot be mistaken for completed institution IdP production evidence."}},"multipart/form-data":{"schema":{"type":"object","description":"JSON { name, email, password, organization, inviteCode? }; password must satisfy sena-enterprise-password-policy/v1; completed sessions return x-sena-auth-flow, x-sena-auth-user-id, x-sena-auth-session-id, x-sena-auth-team-id, x-sena-auth-membership-role, x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps response headers so local registration cannot be mistaken for completed institution IdP production evidence."}}}},"responses":{"200":{"description":"sena-auth-session/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-auth-session/v1"}}}}}}},"/api/auth/me":{"get":{"tags":["Auth and SSO"],"operationId":"auth-session-get","summary":"Return the current authenticated user, teams, memberships, and x-sena-auth-session-id/x-sena-auth-team-id response headers.","security":[{"sessionCookie":[]}],"responses":{"200":{"description":"sena-auth-session/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-auth-session/v1"}}}}}}},"/api/auth/csrf":{"get":{"tags":["Auth and SSO"],"operationId":"auth-csrf-get","summary":"Issue a per-session CSRF token for cookie-auth mutating endpoints.","security":[{"sessionCookie":[]}],"responses":{"200":{"description":"sena-enterprise-csrf-token/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-csrf-token/v1"}}}}}}},"/api/auth/sessions":{"get":{"tags":["Auth and SSO"],"operationId":"auth-sessions-get","summary":"List active sessions for the current user or revoke one, other, or all sessions.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"DELETE with x-sena-csrf-token header and JSON { sessionId? } or { action: revoke-others|revoke-all }"}},"multipart/form-data":{"schema":{"type":"object","description":"DELETE with x-sena-csrf-token header and JSON { sessionId? } or { action: revoke-others|revoke-all }"}}}},"responses":{"200":{"description":"sena-enterprise-session-list/v1; sena-enterprise-session-revocation/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-session-list/v1; sena-enterprise-session-revocation/v1"}}}}}},"delete":{"tags":["Auth and SSO"],"operationId":"auth-sessions-delete","summary":"List active sessions for the current user or revoke one, other, or all sessions.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"DELETE with x-sena-csrf-token header and JSON { sessionId? } or { action: revoke-others|revoke-all }"}},"multipart/form-data":{"schema":{"type":"object","description":"DELETE with x-sena-csrf-token header and JSON { sessionId? } or { action: revoke-others|revoke-all }"}}}},"responses":{"200":{"description":"sena-enterprise-session-list/v1; sena-enterprise-session-revocation/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-session-list/v1; sena-enterprise-session-revocation/v1"}}}}}}},"/api/auth/logout":{"post":{"tags":["Auth and SSO"],"operationId":"auth-logout-post","summary":"Clear the current auth session cookie.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"responses":{"200":{"description":"sena-auth-logout/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-auth-logout/v1"}}}}}}},"/api/auth/mfa":{"get":{"tags":["Auth and SSO"],"operationId":"auth-mfa-get","summary":"Inspect, enroll, verify, or remove TOTP MFA for the signed-in account.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET/POST/DELETE responses include x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so local MFA controls cannot be mistaken for completed institution IdP production evidence; POST JSON { action: setup|enable, setupToken?, code? }; DELETE disables MFA"}},"multipart/form-data":{"schema":{"type":"object","description":"GET/POST/DELETE responses include x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so local MFA controls cannot be mistaken for completed institution IdP production evidence; POST JSON { action: setup|enable, setupToken?, code? }; DELETE disables MFA"}}}},"responses":{"200":{"description":"sena-enterprise-mfa-status/v1; sena-enterprise-mfa-setup/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-mfa-status/v1; sena-enterprise-mfa-setup/v1"}}}}}},"post":{"tags":["Auth and SSO"],"operationId":"auth-mfa-post","summary":"Inspect, enroll, verify, or remove TOTP MFA for the signed-in account.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"GET/POST/DELETE responses include x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so local MFA controls cannot be mistaken for completed institution IdP production evidence; POST JSON { action: setup|enable, setupToken?, code? }; DELETE disables MFA"}},"multipart/form-data":{"schema":{"type":"object","description":"GET/POST/DELETE responses include x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so local MFA controls cannot be mistaken for completed institution IdP production evidence; POST JSON { action: setup|enable, setupToken?, code? }; DELETE disables MFA"}}}},"responses":{"200":{"description":"sena-enterprise-mfa-status/v1; sena-enterprise-mfa-setup/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-mfa-status/v1; sena-enterprise-mfa-setup/v1"}}}}}},"delete":{"tags":["Auth and SSO"],"operationId":"auth-mfa-delete","summary":"Inspect, enroll, verify, or remove TOTP MFA for the signed-in account.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET/POST/DELETE responses include x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so local MFA controls cannot be mistaken for completed institution IdP production evidence; POST JSON { action: setup|enable, setupToken?, code? }; DELETE disables MFA"}},"multipart/form-data":{"schema":{"type":"object","description":"GET/POST/DELETE responses include x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so local MFA controls cannot be mistaken for completed institution IdP production evidence; POST JSON { action: setup|enable, setupToken?, code? }; DELETE disables MFA"}}}},"responses":{"200":{"description":"sena-enterprise-mfa-status/v1; sena-enterprise-mfa-setup/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-mfa-status/v1; sena-enterprise-mfa-setup/v1"}}}}}}},"/api/auth/password-reset":{"post":{"tags":["Auth and SSO"],"operationId":"auth-password-reset-post","summary":"Request or confirm a password reset using the institution email bridge when configured.","security":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"JSON { action: request|confirm, email?, token?, password? }; confirm password must satisfy sena-enterprise-password-policy/v1; request/confirm responses include x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so local reset flows cannot be mistaken for completed institution IdP production evidence."}},"multipart/form-data":{"schema":{"type":"object","description":"JSON { action: request|confirm, email?, token?, password? }; confirm password must satisfy sena-enterprise-password-policy/v1; request/confirm responses include x-sena-auth-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so local reset flows cannot be mistaken for completed institution IdP production evidence."}}}},"responses":{"200":{"description":"sena-enterprise-password-reset-request/v1; sena-enterprise-password-reset-complete/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-password-reset-request/v1; sena-enterprise-password-reset-complete/v1"}}}}}}},"/api/auth/sso":{"get":{"tags":["Auth and SSO"],"operationId":"auth-sso-get","summary":"List/preflight configured SSO providers or start an OAuth/OIDC login flow with production fallback policy enforcement.","security":[],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?status=1&preflight=1&provider=google|orcid; GET status/preflight responses include identityProductionGate with sena-enterprise-identity-production-gate-summary/v1 plus x-sena-sso-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-production-blocking-decisions, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so SSO diagnostics expose institution IdP tenant approval, SSO secret custody, and secret rotation blockers without secret values; POST JSON { provider }; local pilot fallback follows sena-enterprise-sso-fallback-policy/v1 and requires SENA_ALLOW_LOCAL_SSO_FALLBACK=1 in production; completed fallback sessions return x-sena-auth-flow, x-sena-auth-provider, x-sena-sso-provider, x-sena-sso-mode, x-sena-auth-session-id, and x-sena-auth-team-id response headers."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?status=1&preflight=1&provider=google|orcid; GET status/preflight responses include identityProductionGate with sena-enterprise-identity-production-gate-summary/v1 plus x-sena-sso-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-production-blocking-decisions, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so SSO diagnostics expose institution IdP tenant approval, SSO secret custody, and secret rotation blockers without secret values; POST JSON { provider }; local pilot fallback follows sena-enterprise-sso-fallback-policy/v1 and requires SENA_ALLOW_LOCAL_SSO_FALLBACK=1 in production; completed fallback sessions return x-sena-auth-flow, x-sena-auth-provider, x-sena-sso-provider, x-sena-sso-mode, x-sena-auth-session-id, and x-sena-auth-team-id response headers."}}}},"responses":{"200":{"description":"sena-auth-sso-status/v1; sena-enterprise-identity-production-gate-summary/v1; sena-auth-sso-start/v1; sso_local_fallback_disabled","content":{"application/json":{"schema":{"type":"object","description":"sena-auth-sso-status/v1; sena-enterprise-identity-production-gate-summary/v1; sena-auth-sso-start/v1; sso_local_fallback_disabled"}}}}}},"post":{"tags":["Auth and SSO"],"operationId":"auth-sso-post","summary":"List/preflight configured SSO providers or start an OAuth/OIDC login flow with production fallback policy enforcement.","security":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"GET ?status=1&preflight=1&provider=google|orcid; GET status/preflight responses include identityProductionGate with sena-enterprise-identity-production-gate-summary/v1 plus x-sena-sso-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-production-blocking-decisions, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so SSO diagnostics expose institution IdP tenant approval, SSO secret custody, and secret rotation blockers without secret values; POST JSON { provider }; local pilot fallback follows sena-enterprise-sso-fallback-policy/v1 and requires SENA_ALLOW_LOCAL_SSO_FALLBACK=1 in production; completed fallback sessions return x-sena-auth-flow, x-sena-auth-provider, x-sena-sso-provider, x-sena-sso-mode, x-sena-auth-session-id, and x-sena-auth-team-id response headers."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?status=1&preflight=1&provider=google|orcid; GET status/preflight responses include identityProductionGate with sena-enterprise-identity-production-gate-summary/v1 plus x-sena-sso-production-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-production-blocking-decisions, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so SSO diagnostics expose institution IdP tenant approval, SSO secret custody, and secret rotation blockers without secret values; POST JSON { provider }; local pilot fallback follows sena-enterprise-sso-fallback-policy/v1 and requires SENA_ALLOW_LOCAL_SSO_FALLBACK=1 in production; completed fallback sessions return x-sena-auth-flow, x-sena-auth-provider, x-sena-sso-provider, x-sena-sso-mode, x-sena-auth-session-id, and x-sena-auth-team-id response headers."}}}},"responses":{"200":{"description":"sena-auth-sso-status/v1; sena-enterprise-identity-production-gate-summary/v1; sena-auth-sso-start/v1; sso_local_fallback_disabled","content":{"application/json":{"schema":{"type":"object","description":"sena-auth-sso-status/v1; sena-enterprise-identity-production-gate-summary/v1; sena-auth-sso-start/v1; sso_local_fallback_disabled"}}}}}}},"/api/auth/sso/callback":{"get":{"tags":["Auth and SSO"],"operationId":"auth-sso-callback-get","summary":"Complete OAuth/OIDC callback and create a SENA session.","security":[],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"Query { provider, code, state }; successful callback redirects return x-sena-auth-flow, x-sena-auth-provider, x-sena-sso-provider, x-sena-sso-mode, x-sena-auth-session-id, and x-sena-auth-team-id response headers."}},"multipart/form-data":{"schema":{"type":"object","description":"Query { provider, code, state }; successful callback redirects return x-sena-auth-flow, x-sena-auth-provider, x-sena-sso-provider, x-sena-sso-mode, x-sena-auth-session-id, and x-sena-auth-team-id response headers."}}}},"responses":{"200":{"description":"302 /workspace/sena; sena-auth-sso-callback-error/v1","content":{"application/json":{"schema":{"type":"object","description":"302 /workspace/sena; sena-auth-sso-callback-error/v1"}}}}}}},"/api/ena/run":{"post":{"tags":["ENA Runtime"],"operationId":"ena-run-post","summary":"Run the standalone jENA-compatible analysis endpoint.","security":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"JSON ENA dataset/build options"}},"multipart/form-data":{"schema":{"type":"object","description":"JSON ENA dataset/build options"}}}},"responses":{"200":{"description":"ena-run-result/v1","content":{"application/json":{"schema":{"type":"object","description":"ena-run-result/v1"}}}}}}},"/api/sena/docs":{"get":{"tags":["Governance"],"operationId":"sena-docs-get","summary":"Return this machine-readable SENA API contract or OpenAPI 3.1 document.","security":[],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"Query { format?: openapi }"}},"multipart/form-data":{"schema":{"type":"object","description":"Query { format?: openapi }"}}}},"responses":{"200":{"description":"sena-api-documentation/v1; OpenAPI 3.1","content":{"application/json":{"schema":{"type":"object","description":"sena-api-documentation/v1; OpenAPI 3.1"}}}}}}},"/api/sena/projects":{"get":{"tags":["Projects and Collaboration"],"operationId":"sena-projects-get","summary":"List RBAC-visible projects or save a project/review-packet handoff snapshot.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teamId, title, description, snapshot|reviewPacket }; response headers include x-sena-project-id, x-sena-team-id, x-sena-project-version, x-sena-project-snapshot-sha256."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teamId, title, description, snapshot|reviewPacket }; response headers include x-sena-project-id, x-sena-team-id, x-sena-project-version, x-sena-project-snapshot-sha256."}}}},"responses":{"200":{"description":"sena-project-list/v1; sena-project/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-project-list/v1; sena-project/v1"}}}}}},"post":{"tags":["Projects and Collaboration"],"operationId":"sena-projects-post","summary":"List RBAC-visible projects or save a project/review-packet handoff snapshot.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teamId, title, description, snapshot|reviewPacket }; response headers include x-sena-project-id, x-sena-team-id, x-sena-project-version, x-sena-project-snapshot-sha256."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teamId, title, description, snapshot|reviewPacket }; response headers include x-sena-project-id, x-sena-team-id, x-sena-project-version, x-sena-project-snapshot-sha256."}}}},"responses":{"200":{"description":"sena-project-list/v1; sena-project/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-project-list/v1; sena-project/v1"}}}}}}},"/api/sena/projects/{projectId}":{"get":{"tags":["Projects and Collaboration"],"operationId":"sena-project-get","summary":"Open, update, restore revision, or archive a durable SENA project.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"PUT JSON { title?, description?, snapshot?, expectedVersion? }; PATCH action=restore-revision; DELETE returns sena-project-delete/v1; response headers include x-sena-project-id, x-sena-project-version, x-sena-project-snapshot-sha256, x-sena-project-restored-from-version, x-sena-project-deleted."}},"multipart/form-data":{"schema":{"type":"object","description":"PUT JSON { title?, description?, snapshot?, expectedVersion? }; PATCH action=restore-revision; DELETE returns sena-project-delete/v1; response headers include x-sena-project-id, x-sena-project-version, x-sena-project-snapshot-sha256, x-sena-project-restored-from-version, x-sena-project-deleted."}}}},"responses":{"200":{"description":"sena-project/v1; sena-project-revision-restore/v1; sena-project-delete/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-project/v1; sena-project-revision-restore/v1; sena-project-delete/v1"}}}}}},"put":{"tags":["Projects and Collaboration"],"operationId":"sena-project-put","summary":"Open, update, restore revision, or archive a durable SENA project.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"PUT JSON { title?, description?, snapshot?, expectedVersion? }; PATCH action=restore-revision; DELETE returns sena-project-delete/v1; response headers include x-sena-project-id, x-sena-project-version, x-sena-project-snapshot-sha256, x-sena-project-restored-from-version, x-sena-project-deleted."}},"multipart/form-data":{"schema":{"type":"object","description":"PUT JSON { title?, description?, snapshot?, expectedVersion? }; PATCH action=restore-revision; DELETE returns sena-project-delete/v1; response headers include x-sena-project-id, x-sena-project-version, x-sena-project-snapshot-sha256, x-sena-project-restored-from-version, x-sena-project-deleted."}}}},"responses":{"200":{"description":"sena-project/v1; sena-project-revision-restore/v1; sena-project-delete/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-project/v1; sena-project-revision-restore/v1; sena-project-delete/v1"}}}}}},"patch":{"tags":["Projects and Collaboration"],"operationId":"sena-project-patch","summary":"Open, update, restore revision, or archive a durable SENA project.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"PUT JSON { title?, description?, snapshot?, expectedVersion? }; PATCH action=restore-revision; DELETE returns sena-project-delete/v1; response headers include x-sena-project-id, x-sena-project-version, x-sena-project-snapshot-sha256, x-sena-project-restored-from-version, x-sena-project-deleted."}},"multipart/form-data":{"schema":{"type":"object","description":"PUT JSON { title?, description?, snapshot?, expectedVersion? }; PATCH action=restore-revision; DELETE returns sena-project-delete/v1; response headers include x-sena-project-id, x-sena-project-version, x-sena-project-snapshot-sha256, x-sena-project-restored-from-version, x-sena-project-deleted."}}}},"responses":{"200":{"description":"sena-project/v1; sena-project-revision-restore/v1; sena-project-delete/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-project/v1; sena-project-revision-restore/v1; sena-project-delete/v1"}}}}}},"delete":{"tags":["Projects and Collaboration"],"operationId":"sena-project-delete","summary":"Open, update, restore revision, or archive a durable SENA project.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"PUT JSON { title?, description?, snapshot?, expectedVersion? }; PATCH action=restore-revision; DELETE returns sena-project-delete/v1; response headers include x-sena-project-id, x-sena-project-version, x-sena-project-snapshot-sha256, x-sena-project-restored-from-version, x-sena-project-deleted."}},"multipart/form-data":{"schema":{"type":"object","description":"PUT JSON { title?, description?, snapshot?, expectedVersion? }; PATCH action=restore-revision; DELETE returns sena-project-delete/v1; response headers include x-sena-project-id, x-sena-project-version, x-sena-project-snapshot-sha256, x-sena-project-restored-from-version, x-sena-project-deleted."}}}},"responses":{"200":{"description":"sena-project/v1; sena-project-revision-restore/v1; sena-project-delete/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-project/v1; sena-project-revision-restore/v1; sena-project-delete/v1"}}}}}}},"/api/sena/projects/{projectId}/collaboration":{"get":{"tags":["Projects and Collaboration"],"operationId":"sena-collaboration-get","summary":"Read or mutate collaboration state: comments, presence, adjudications, and pub/sub delivery.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { action: comment|presence|adjudication|deliver-pubsub, ... }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { action: comment|presence|adjudication|deliver-pubsub, ... }"}}}},"responses":{"200":{"description":"sena-enterprise-project-collaboration/v1; sena-enterprise-collaboration-pubsub-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-project-collaboration/v1; sena-enterprise-collaboration-pubsub-delivery/v1"}}}}}},"post":{"tags":["Projects and Collaboration"],"operationId":"sena-collaboration-post","summary":"Read or mutate collaboration state: comments, presence, adjudications, and pub/sub delivery.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { action: comment|presence|adjudication|deliver-pubsub, ... }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { action: comment|presence|adjudication|deliver-pubsub, ... }"}}}},"responses":{"200":{"description":"sena-enterprise-project-collaboration/v1; sena-enterprise-collaboration-pubsub-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-project-collaboration/v1; sena-enterprise-collaboration-pubsub-delivery/v1"}}}}}}},"/api/sena/projects/{projectId}/collaboration/stream":{"get":{"tags":["Projects and Collaboration"],"operationId":"sena-collaboration-stream-get","summary":"Server-sent collaboration event stream for live project updates with session and project:read RBAC preflight before the stream opens.","security":[{"sessionCookie":[]}],"responses":{"200":{"description":"text/event-stream; sena-project-collaboration-stream/v1; auth_required; permission_denied","content":{"application/json":{"schema":{"type":"object","description":"text/event-stream; sena-project-collaboration-stream/v1; auth_required; permission_denied"}}}}}}},"/api/sena/team":{"get":{"tags":["Teams and RBAC"],"operationId":"sena-team-get","summary":"Return team, membership, invitation, notification, and audit state visible to the user.","security":[{"sessionCookie":[]}],"responses":{"200":{"description":"sena-enterprise-team-state/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-team-state/v1"}}}}}}},"/api/sena/team/invitations":{"post":{"tags":["Teams and RBAC"],"operationId":"sena-team-invitations-post","summary":"Create, accept, or revoke role-aware team invitations.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teamId, email, role }; PATCH JSON { invitationId|inviteCode }; DELETE JSON { invitationId }; response headers include x-sena-invitation-id, x-sena-invitation-status, x-sena-team-id, x-sena-invitation-role, x-sena-membership-id."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teamId, email, role }; PATCH JSON { invitationId|inviteCode }; DELETE JSON { invitationId }; response headers include x-sena-invitation-id, x-sena-invitation-status, x-sena-team-id, x-sena-invitation-role, x-sena-membership-id."}}}},"responses":{"200":{"description":"sena-team-invitation/v1; sena-team-invitation-acceptance/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-team-invitation/v1; sena-team-invitation-acceptance/v1"}}}}}},"patch":{"tags":["Teams and RBAC"],"operationId":"sena-team-invitations-patch","summary":"Create, accept, or revoke role-aware team invitations.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teamId, email, role }; PATCH JSON { invitationId|inviteCode }; DELETE JSON { invitationId }; response headers include x-sena-invitation-id, x-sena-invitation-status, x-sena-team-id, x-sena-invitation-role, x-sena-membership-id."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teamId, email, role }; PATCH JSON { invitationId|inviteCode }; DELETE JSON { invitationId }; response headers include x-sena-invitation-id, x-sena-invitation-status, x-sena-team-id, x-sena-invitation-role, x-sena-membership-id."}}}},"responses":{"200":{"description":"sena-team-invitation/v1; sena-team-invitation-acceptance/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-team-invitation/v1; sena-team-invitation-acceptance/v1"}}}}}},"delete":{"tags":["Teams and RBAC"],"operationId":"sena-team-invitations-delete","summary":"Create, accept, or revoke role-aware team invitations.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teamId, email, role }; PATCH JSON { invitationId|inviteCode }; DELETE JSON { invitationId }; response headers include x-sena-invitation-id, x-sena-invitation-status, x-sena-team-id, x-sena-invitation-role, x-sena-membership-id."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teamId, email, role }; PATCH JSON { invitationId|inviteCode }; DELETE JSON { invitationId }; response headers include x-sena-invitation-id, x-sena-invitation-status, x-sena-team-id, x-sena-invitation-role, x-sena-membership-id."}}}},"responses":{"200":{"description":"sena-team-invitation/v1; sena-team-invitation-acceptance/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-team-invitation/v1; sena-team-invitation-acceptance/v1"}}}}}}},"/api/sena/team/memberships":{"patch":{"tags":["Teams and RBAC"],"operationId":"sena-team-memberships-patch","summary":"Update membership role/status with the last-active-manager guardrail.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"JSON { membershipId, role?, status? }; response headers include x-sena-membership-id, x-sena-team-id, x-sena-member-user-id, x-sena-membership-role, x-sena-membership-status."}},"multipart/form-data":{"schema":{"type":"object","description":"JSON { membershipId, role?, status? }; response headers include x-sena-membership-id, x-sena-team-id, x-sena-member-user-id, x-sena-membership-role, x-sena-membership-status."}}}},"responses":{"200":{"description":"sena-team-membership/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-team-membership/v1"}}}}}}},"/api/sena/analyze":{"get":{"tags":["SENA Analysis"],"operationId":"sena-analyze-get","summary":"Run server-side SENA analysis and optionally persist the result as a team project.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { projectId?, snapshot?, dataset?, buildOptions?, persist?, includeRuntimeBundle? }; response headers include x-sena-analysis-run-id, x-sena-analysis-source-kind, x-sena-project-id, x-sena-project-version, x-sena-report-sha256, x-sena-project-snapshot-sha256, x-sena-runtime-bundle-sha256."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { projectId?, snapshot?, dataset?, buildOptions?, persist?, includeRuntimeBundle? }; response headers include x-sena-analysis-run-id, x-sena-analysis-source-kind, x-sena-project-id, x-sena-project-version, x-sena-report-sha256, x-sena-project-snapshot-sha256, x-sena-runtime-bundle-sha256."}}}},"responses":{"200":{"description":"sena-analysis-run-list/v1; sena-analysis-run/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-analysis-run-list/v1; sena-analysis-run/v1"}}}}}},"post":{"tags":["SENA Analysis"],"operationId":"sena-analyze-post","summary":"Run server-side SENA analysis and optionally persist the result as a team project.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { projectId?, snapshot?, dataset?, buildOptions?, persist?, includeRuntimeBundle? }; response headers include x-sena-analysis-run-id, x-sena-analysis-source-kind, x-sena-project-id, x-sena-project-version, x-sena-report-sha256, x-sena-project-snapshot-sha256, x-sena-runtime-bundle-sha256."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { projectId?, snapshot?, dataset?, buildOptions?, persist?, includeRuntimeBundle? }; response headers include x-sena-analysis-run-id, x-sena-analysis-source-kind, x-sena-project-id, x-sena-project-version, x-sena-report-sha256, x-sena-project-snapshot-sha256, x-sena-runtime-bundle-sha256."}}}},"responses":{"200":{"description":"sena-analysis-run-list/v1; sena-analysis-run/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-analysis-run-list/v1; sena-analysis-run/v1"}}}}}}},"/api/sena/uploads":{"get":{"tags":["Imports and Uploads"],"operationId":"sena-uploads-get","summary":"List upload registry, verify blob integrity, create uploads, or deliver signed object-storage payloads.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?verify=1; POST multipart files or JSON { action: deliver-object-storage, teamId, uploadId? }"}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?verify=1; POST multipart files or JSON { action: deliver-object-storage, teamId, uploadId? }"}}}},"responses":{"200":{"description":"sena-enterprise-upload-list/v1; sena-enterprise-upload-response/v1; sena-enterprise-upload-storage-verification/v1; sena-enterprise-upload-object-storage-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-upload-list/v1; sena-enterprise-upload-response/v1; sena-enterprise-upload-storage-verification/v1; sena-enterprise-upload-object-storage-delivery/v1"}}}}}},"post":{"tags":["Imports and Uploads"],"operationId":"sena-uploads-post","summary":"List upload registry, verify blob integrity, create uploads, or deliver signed object-storage payloads.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"GET ?verify=1; POST multipart files or JSON { action: deliver-object-storage, teamId, uploadId? }"}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?verify=1; POST multipart files or JSON { action: deliver-object-storage, teamId, uploadId? }"}}}},"responses":{"200":{"description":"sena-enterprise-upload-list/v1; sena-enterprise-upload-response/v1; sena-enterprise-upload-storage-verification/v1; sena-enterprise-upload-object-storage-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-upload-list/v1; sena-enterprise-upload-response/v1; sena-enterprise-upload-storage-verification/v1; sena-enterprise-upload-object-storage-delivery/v1"}}}}}}},"/api/sena/import":{"get":{"tags":["Imports and Uploads"],"operationId":"sena-import-get","summary":"Import Excel, LMS/forum JSON/CSV/XLSX exports, CSV, SENA contract, TXT/MD transcripts, or SRT/VTT subtitle transcripts with cleaning manifests.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST multipart files; action=create-project persists the imported dataset as a team project and analysis run; response headers include x-sena-import-run-id, x-sena-import-status, x-sena-import-cleaning-manifest, x-sena-import-profiles, x-sena-project-id, x-sena-analysis-run-id."}},"multipart/form-data":{"schema":{"type":"object","description":"POST multipart files; action=create-project persists the imported dataset as a team project and analysis run; response headers include x-sena-import-run-id, x-sena-import-status, x-sena-import-cleaning-manifest, x-sena-import-profiles, x-sena-project-id, x-sena-analysis-run-id."}}}},"responses":{"200":{"description":"sena-import-run-list/v1; sena-import-response/v1; sena-analysis-run/v1; sena-project/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-import-run-list/v1; sena-import-response/v1; sena-analysis-run/v1; sena-project/v1"}}}}}},"post":{"tags":["Imports and Uploads"],"operationId":"sena-import-post","summary":"Import Excel, LMS/forum JSON/CSV/XLSX exports, CSV, SENA contract, TXT/MD transcripts, or SRT/VTT subtitle transcripts with cleaning manifests.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST multipart files; action=create-project persists the imported dataset as a team project and analysis run; response headers include x-sena-import-run-id, x-sena-import-status, x-sena-import-cleaning-manifest, x-sena-import-profiles, x-sena-project-id, x-sena-analysis-run-id."}},"multipart/form-data":{"schema":{"type":"object","description":"POST multipart files; action=create-project persists the imported dataset as a team project and analysis run; response headers include x-sena-import-run-id, x-sena-import-status, x-sena-import-cleaning-manifest, x-sena-import-profiles, x-sena-project-id, x-sena-analysis-run-id."}}}},"responses":{"200":{"description":"sena-import-run-list/v1; sena-import-response/v1; sena-analysis-run/v1; sena-project/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-import-run-list/v1; sena-import-response/v1; sena-analysis-run/v1; sena-project/v1"}}}}}}},"/api/sena/reliability":{"get":{"tags":["Reliability"],"operationId":"sena-reliability-get","summary":"Create reliability dashboards with code-level diagnostics from coder files, list run history, review, and generate adjudications with run-level coverage.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST multipart coder files or JSON sena-reliability-json-request/v1 { teamId?, projectId?, reviewer?, annotations: [{ coder_id, item_id, code_id, value }] }; PATCH JSON { action: review|adjudicate, runId, status?, decision? } enforces full adjudication coverage before approval and returns x-sena-reliability-run-id/x-sena-reliability-status/x-sena-reliability-coverage-rate response headers"}},"multipart/form-data":{"schema":{"type":"object","description":"POST multipart coder files or JSON sena-reliability-json-request/v1 { teamId?, projectId?, reviewer?, annotations: [{ coder_id, item_id, code_id, value }] }; PATCH JSON { action: review|adjudicate, runId, status?, decision? } enforces full adjudication coverage before approval and returns x-sena-reliability-run-id/x-sena-reliability-status/x-sena-reliability-coverage-rate response headers"}}}},"responses":{"200":{"description":"sena-reliability-run-list/v1; sena-reliability-response/v1; sena-reliability-run-review/v1; sena-reliability-adjudication-response/v1; sena-reliability-adjudication-coverage/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-reliability-run-list/v1; sena-reliability-response/v1; sena-reliability-run-review/v1; sena-reliability-adjudication-response/v1; sena-reliability-adjudication-coverage/v1"}}}}}},"post":{"tags":["Reliability"],"operationId":"sena-reliability-post","summary":"Create reliability dashboards with code-level diagnostics from coder files, list run history, review, and generate adjudications with run-level coverage.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST multipart coder files or JSON sena-reliability-json-request/v1 { teamId?, projectId?, reviewer?, annotations: [{ coder_id, item_id, code_id, value }] }; PATCH JSON { action: review|adjudicate, runId, status?, decision? } enforces full adjudication coverage before approval and returns x-sena-reliability-run-id/x-sena-reliability-status/x-sena-reliability-coverage-rate response headers"}},"multipart/form-data":{"schema":{"type":"object","description":"POST multipart coder files or JSON sena-reliability-json-request/v1 { teamId?, projectId?, reviewer?, annotations: [{ coder_id, item_id, code_id, value }] }; PATCH JSON { action: review|adjudicate, runId, status?, decision? } enforces full adjudication coverage before approval and returns x-sena-reliability-run-id/x-sena-reliability-status/x-sena-reliability-coverage-rate response headers"}}}},"responses":{"200":{"description":"sena-reliability-run-list/v1; sena-reliability-response/v1; sena-reliability-run-review/v1; sena-reliability-adjudication-response/v1; sena-reliability-adjudication-coverage/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-reliability-run-list/v1; sena-reliability-response/v1; sena-reliability-run-review/v1; sena-reliability-adjudication-response/v1; sena-reliability-adjudication-coverage/v1"}}}}}},"patch":{"tags":["Reliability"],"operationId":"sena-reliability-patch","summary":"Create reliability dashboards with code-level diagnostics from coder files, list run history, review, and generate adjudications with run-level coverage.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST multipart coder files or JSON sena-reliability-json-request/v1 { teamId?, projectId?, reviewer?, annotations: [{ coder_id, item_id, code_id, value }] }; PATCH JSON { action: review|adjudicate, runId, status?, decision? } enforces full adjudication coverage before approval and returns x-sena-reliability-run-id/x-sena-reliability-status/x-sena-reliability-coverage-rate response headers"}},"multipart/form-data":{"schema":{"type":"object","description":"POST multipart coder files or JSON sena-reliability-json-request/v1 { teamId?, projectId?, reviewer?, annotations: [{ coder_id, item_id, code_id, value }] }; PATCH JSON { action: review|adjudicate, runId, status?, decision? } enforces full adjudication coverage before approval and returns x-sena-reliability-run-id/x-sena-reliability-status/x-sena-reliability-coverage-rate response headers"}}}},"responses":{"200":{"description":"sena-reliability-run-list/v1; sena-reliability-response/v1; sena-reliability-run-review/v1; sena-reliability-adjudication-response/v1; sena-reliability-adjudication-coverage/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-reliability-run-list/v1; sena-reliability-response/v1; sena-reliability-run-review/v1; sena-reliability-adjudication-response/v1; sena-reliability-adjudication-coverage/v1"}}}}}}},"/api/sena/validation/group-comparison":{"get":{"tags":["Validation"],"operationId":"sena-validation-group-comparison-get","summary":"Run single or suite group comparisons with permutation p values, bootstrap intervals, Holm correction, preregistration plan fingerprints, validation parity evidence, and formal inference readiness manifests that can inherit project-linked analysis-run walkthrough hashes.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { projectId?|snapshot?|dataset, groupA, groupB, metric?, comparisons?, iterations?, preregistrationNote?, methodNote?, parityEvidence? } returns validationRun.preregistrationPlan.planHash, validationRun.parityEvidence.validationRunHash, validationRun.parityEvidence.formalInference, and x-sena-validation-run-id/x-sena-validation-parity-sha256/x-sena-formal-inference-status response headers; projectId auto-fills walkthrough evidence from the latest linked analysis run unless parityEvidence overrides it; PATCH review"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { projectId?|snapshot?|dataset, groupA, groupB, metric?, comparisons?, iterations?, preregistrationNote?, methodNote?, parityEvidence? } returns validationRun.preregistrationPlan.planHash, validationRun.parityEvidence.validationRunHash, validationRun.parityEvidence.formalInference, and x-sena-validation-run-id/x-sena-validation-parity-sha256/x-sena-formal-inference-status response headers; projectId auto-fills walkthrough evidence from the latest linked analysis run unless parityEvidence overrides it; PATCH review"}}}},"responses":{"200":{"description":"sena-validation-run-list/v1; sena-group-comparison/v1; sena-group-comparison-suite/v1; sena-formal-inference-readiness/v1; sena-validation-run-review/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-validation-run-list/v1; sena-group-comparison/v1; sena-group-comparison-suite/v1; sena-formal-inference-readiness/v1; sena-validation-run-review/v1"}}}}}},"post":{"tags":["Validation"],"operationId":"sena-validation-group-comparison-post","summary":"Run single or suite group comparisons with permutation p values, bootstrap intervals, Holm correction, preregistration plan fingerprints, validation parity evidence, and formal inference readiness manifests that can inherit project-linked analysis-run walkthrough hashes.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { projectId?|snapshot?|dataset, groupA, groupB, metric?, comparisons?, iterations?, preregistrationNote?, methodNote?, parityEvidence? } returns validationRun.preregistrationPlan.planHash, validationRun.parityEvidence.validationRunHash, validationRun.parityEvidence.formalInference, and x-sena-validation-run-id/x-sena-validation-parity-sha256/x-sena-formal-inference-status response headers; projectId auto-fills walkthrough evidence from the latest linked analysis run unless parityEvidence overrides it; PATCH review"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { projectId?|snapshot?|dataset, groupA, groupB, metric?, comparisons?, iterations?, preregistrationNote?, methodNote?, parityEvidence? } returns validationRun.preregistrationPlan.planHash, validationRun.parityEvidence.validationRunHash, validationRun.parityEvidence.formalInference, and x-sena-validation-run-id/x-sena-validation-parity-sha256/x-sena-formal-inference-status response headers; projectId auto-fills walkthrough evidence from the latest linked analysis run unless parityEvidence overrides it; PATCH review"}}}},"responses":{"200":{"description":"sena-validation-run-list/v1; sena-group-comparison/v1; sena-group-comparison-suite/v1; sena-formal-inference-readiness/v1; sena-validation-run-review/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-validation-run-list/v1; sena-group-comparison/v1; sena-group-comparison-suite/v1; sena-formal-inference-readiness/v1; sena-validation-run-review/v1"}}}}}},"patch":{"tags":["Validation"],"operationId":"sena-validation-group-comparison-patch","summary":"Run single or suite group comparisons with permutation p values, bootstrap intervals, Holm correction, preregistration plan fingerprints, validation parity evidence, and formal inference readiness manifests that can inherit project-linked analysis-run walkthrough hashes.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { projectId?|snapshot?|dataset, groupA, groupB, metric?, comparisons?, iterations?, preregistrationNote?, methodNote?, parityEvidence? } returns validationRun.preregistrationPlan.planHash, validationRun.parityEvidence.validationRunHash, validationRun.parityEvidence.formalInference, and x-sena-validation-run-id/x-sena-validation-parity-sha256/x-sena-formal-inference-status response headers; projectId auto-fills walkthrough evidence from the latest linked analysis run unless parityEvidence overrides it; PATCH review"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { projectId?|snapshot?|dataset, groupA, groupB, metric?, comparisons?, iterations?, preregistrationNote?, methodNote?, parityEvidence? } returns validationRun.preregistrationPlan.planHash, validationRun.parityEvidence.validationRunHash, validationRun.parityEvidence.formalInference, and x-sena-validation-run-id/x-sena-validation-parity-sha256/x-sena-formal-inference-status response headers; projectId auto-fills walkthrough evidence from the latest linked analysis run unless parityEvidence overrides it; PATCH review"}}}},"responses":{"200":{"description":"sena-validation-run-list/v1; sena-group-comparison/v1; sena-group-comparison-suite/v1; sena-formal-inference-readiness/v1; sena-validation-run-review/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-validation-run-list/v1; sena-group-comparison/v1; sena-group-comparison-suite/v1; sena-formal-inference-readiness/v1; sena-validation-run-review/v1"}}}}}}},"/api/sena/validation/expert-review":{"get":{"tags":["Validation"],"operationId":"sena-validation-expert-review-get","summary":"Capture domain expert sign-off, concern/recommendation evidence, and review decisions.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { projectId?, reviewer, expertise, ratings, concerns?, recommendations? }; PATCH review; response headers include x-sena-expert-review-id, x-sena-project-id, x-sena-team-id, x-sena-expert-review-status, x-sena-expert-review-claim-scope, x-sena-expert-review-target-kind, x-sena-expert-review-interpretation-validity."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { projectId?, reviewer, expertise, ratings, concerns?, recommendations? }; PATCH review; response headers include x-sena-expert-review-id, x-sena-project-id, x-sena-team-id, x-sena-expert-review-status, x-sena-expert-review-claim-scope, x-sena-expert-review-target-kind, x-sena-expert-review-interpretation-validity."}}}},"responses":{"200":{"description":"sena-expert-review-list/v1; sena-expert-review-response/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-expert-review-list/v1; sena-expert-review-response/v1"}}}}}},"post":{"tags":["Validation"],"operationId":"sena-validation-expert-review-post","summary":"Capture domain expert sign-off, concern/recommendation evidence, and review decisions.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { projectId?, reviewer, expertise, ratings, concerns?, recommendations? }; PATCH review; response headers include x-sena-expert-review-id, x-sena-project-id, x-sena-team-id, x-sena-expert-review-status, x-sena-expert-review-claim-scope, x-sena-expert-review-target-kind, x-sena-expert-review-interpretation-validity."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { projectId?, reviewer, expertise, ratings, concerns?, recommendations? }; PATCH review; response headers include x-sena-expert-review-id, x-sena-project-id, x-sena-team-id, x-sena-expert-review-status, x-sena-expert-review-claim-scope, x-sena-expert-review-target-kind, x-sena-expert-review-interpretation-validity."}}}},"responses":{"200":{"description":"sena-expert-review-list/v1; sena-expert-review-response/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-expert-review-list/v1; sena-expert-review-response/v1"}}}}}},"patch":{"tags":["Validation"],"operationId":"sena-validation-expert-review-patch","summary":"Capture domain expert sign-off, concern/recommendation evidence, and review decisions.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { projectId?, reviewer, expertise, ratings, concerns?, recommendations? }; PATCH review; response headers include x-sena-expert-review-id, x-sena-project-id, x-sena-team-id, x-sena-expert-review-status, x-sena-expert-review-claim-scope, x-sena-expert-review-target-kind, x-sena-expert-review-interpretation-validity."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { projectId?, reviewer, expertise, ratings, concerns?, recommendations? }; PATCH review; response headers include x-sena-expert-review-id, x-sena-project-id, x-sena-team-id, x-sena-expert-review-status, x-sena-expert-review-claim-scope, x-sena-expert-review-target-kind, x-sena-expert-review-interpretation-validity."}}}},"responses":{"200":{"description":"sena-expert-review-list/v1; sena-expert-review-response/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-expert-review-list/v1; sena-expert-review-response/v1"}}}}}}},"/api/sena/validation/claim-package":{"get":{"tags":["Validation"],"operationId":"sena-validation-claim-package-get","summary":"Return a project-scoped claim evidence package with approved reliability, validation, preregistration, validation parity, domain expert review, source snapshot provenance evidence, and x-sena-source-snapshot-sha256/x-sena-report-sha256 response headers.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?projectId=..."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?projectId=..."}}}},"responses":{"200":{"description":"sena-enterprise-claim-evidence-package/v1; sena-enterprise-claim-source-snapshot/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-claim-evidence-package/v1; sena-enterprise-claim-source-snapshot/v1"}}}}}}},"/api/sena/exports/publication":{"post":{"tags":["Publication Exports"],"operationId":"sena-publication-export-post","summary":"Generate publication-ready SENA artifacts or a manifest-backed multi-format publication package with enterprise project provenance when exported from projectId.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"JSON { projectId? or snapshot, format: html|svg|png|xlsx|docx|pdf|package, teamId? }; projectId exports the persisted server-side project snapshot with RBAC checks, claim-package provenance, and x-sena-export-source/x-sena-project-version/x-sena-source-snapshot-sha256/x-sena-report-sha256/x-sena-export-format/x-sena-export-filename/x-sena-export-bytes/x-sena-export-sha256/x-sena-publication-package-sha256/x-sena-publication-artifact-count/x-sena-publication-formats/x-sena-publication-verification-status response headers"}},"multipart/form-data":{"schema":{"type":"object","description":"JSON { projectId? or snapshot, format: html|svg|png|xlsx|docx|pdf|package, teamId? }; projectId exports the persisted server-side project snapshot with RBAC checks, claim-package provenance, and x-sena-export-source/x-sena-project-version/x-sena-source-snapshot-sha256/x-sena-report-sha256/x-sena-export-format/x-sena-export-filename/x-sena-export-bytes/x-sena-export-sha256/x-sena-publication-package-sha256/x-sena-publication-artifact-count/x-sena-publication-formats/x-sena-publication-verification-status response headers"}}}},"responses":{"200":{"description":"text/html; image/svg+xml; image/png; application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; application/vnd.openxmlformats-officedocument.wordprocessingml.document; application/pdf; sena-publication-package/v1; sena-publication-source-snapshot/v1; sena-publication-verification-certificate/v1; sena-publication-enterprise-project-evidence/v1; sena-data-governance-metadata/v1","content":{"application/json":{"schema":{"type":"object","description":"text/html; image/svg+xml; image/png; application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; application/vnd.openxmlformats-officedocument.wordprocessingml.document; application/pdf; sena-publication-package/v1; sena-publication-source-snapshot/v1; sena-publication-verification-certificate/v1; sena-publication-enterprise-project-evidence/v1; sena-data-governance-metadata/v1"}}}}}}},"/api/sena/notifications":{"get":{"tags":["Governance"],"operationId":"sena-notifications-get","summary":"Query notifications, run delivery workers, deliver institution email, and mark notifications read.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { action: deliver|deliver-email, teamId? }; PATCH JSON { notificationId }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { action: deliver|deliver-email, teamId? }; PATCH JSON { notificationId }"}}}},"responses":{"200":{"description":"sena-enterprise-notifications/v1; sena-enterprise-notification-delivery/v1; sena-enterprise-email-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-notifications/v1; sena-enterprise-notification-delivery/v1; sena-enterprise-email-delivery/v1"}}}}}},"post":{"tags":["Governance"],"operationId":"sena-notifications-post","summary":"Query notifications, run delivery workers, deliver institution email, and mark notifications read.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { action: deliver|deliver-email, teamId? }; PATCH JSON { notificationId }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { action: deliver|deliver-email, teamId? }; PATCH JSON { notificationId }"}}}},"responses":{"200":{"description":"sena-enterprise-notifications/v1; sena-enterprise-notification-delivery/v1; sena-enterprise-email-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-notifications/v1; sena-enterprise-notification-delivery/v1; sena-enterprise-email-delivery/v1"}}}}}},"patch":{"tags":["Governance"],"operationId":"sena-notifications-patch","summary":"Query notifications, run delivery workers, deliver institution email, and mark notifications read.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { action: deliver|deliver-email, teamId? }; PATCH JSON { notificationId }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { action: deliver|deliver-email, teamId? }; PATCH JSON { notificationId }"}}}},"responses":{"200":{"description":"sena-enterprise-notifications/v1; sena-enterprise-notification-delivery/v1; sena-enterprise-email-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-notifications/v1; sena-enterprise-notification-delivery/v1; sena-enterprise-email-delivery/v1"}}}}}}},"/api/sena/governance/health":{"get":{"tags":["Governance"],"operationId":"sena-governance-health-get","summary":"Return enterprise runtime health, governance checks, and count summaries.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET returns enterprise governance health; GET responses include x-sena-governance-status, x-sena-deployment-readiness-status, x-sena-identity-readiness-blocking-count, x-sena-identity-readiness-blockers, x-sena-identity-evidence-host-allowlist, x-sena-identity-secret-version-binding, x-sena-identity-secret-store-reference, x-sena-identity-secret-rotation-cadence, x-sena-identity-idp-tenant-binding, x-sena-identity-lifecycle-owner-mode, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-production-blocking-decisions, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, and x-sena-identity-cutover-blockers so governance health exports keep institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation blockers machine-readable."}},"multipart/form-data":{"schema":{"type":"object","description":"GET returns enterprise governance health; GET responses include x-sena-governance-status, x-sena-deployment-readiness-status, x-sena-identity-readiness-blocking-count, x-sena-identity-readiness-blockers, x-sena-identity-evidence-host-allowlist, x-sena-identity-secret-version-binding, x-sena-identity-secret-store-reference, x-sena-identity-secret-rotation-cadence, x-sena-identity-idp-tenant-binding, x-sena-identity-lifecycle-owner-mode, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-production-blocking-decisions, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, and x-sena-identity-cutover-blockers so governance health exports keep institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation blockers machine-readable."}}}},"responses":{"200":{"description":"sena-enterprise-governance/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-governance/v1"}}}}}}},"/api/sena/governance/security":{"get":{"tags":["Governance"],"operationId":"sena-governance-security-get","summary":"Return deployment security posture for identity, access, data protection, audit monitoring, and continuity controls.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET returns deployment security posture; GET responses include x-sena-security-posture-status, x-sena-security-identity-controls-review, x-sena-security-identity-control-blockers, x-sena-identity-evidence-host-allowlist, x-sena-identity-secret-version-binding, x-sena-identity-secret-store-reference, x-sena-identity-secret-rotation-cadence, x-sena-identity-idp-tenant-binding, and x-sena-identity-lifecycle-owner-mode so security review can block production until institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation evidence are accepted."}},"multipart/form-data":{"schema":{"type":"object","description":"GET returns deployment security posture; GET responses include x-sena-security-posture-status, x-sena-security-identity-controls-review, x-sena-security-identity-control-blockers, x-sena-identity-evidence-host-allowlist, x-sena-identity-secret-version-binding, x-sena-identity-secret-store-reference, x-sena-identity-secret-rotation-cadence, x-sena-identity-idp-tenant-binding, and x-sena-identity-lifecycle-owner-mode so security review can block production until institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation evidence are accepted."}}}},"responses":{"200":{"description":"sena-enterprise-security-posture/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-security-posture/v1"}}}}}}},"/api/sena/governance/audit":{"get":{"tags":["Governance"],"operationId":"sena-governance-audit-get","summary":"Query/export audit log, verify audit-chain integrity, or forward signed audit payloads.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?format=csv&integrity=1; POST JSON { teamId?, limit? }"}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?format=csv&integrity=1; POST JSON { teamId?, limit? }"}}}},"responses":{"200":{"description":"sena-enterprise-audit-log/v1; text/csv; sena-enterprise-audit-integrity/v1; sena-enterprise-audit-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-audit-log/v1; text/csv; sena-enterprise-audit-integrity/v1; sena-enterprise-audit-delivery/v1"}}}}}},"post":{"tags":["Governance"],"operationId":"sena-governance-audit-post","summary":"Query/export audit log, verify audit-chain integrity, or forward signed audit payloads.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"GET ?format=csv&integrity=1; POST JSON { teamId?, limit? }"}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?format=csv&integrity=1; POST JSON { teamId?, limit? }"}}}},"responses":{"200":{"description":"sena-enterprise-audit-log/v1; text/csv; sena-enterprise-audit-integrity/v1; sena-enterprise-audit-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-audit-log/v1; text/csv; sena-enterprise-audit-integrity/v1; sena-enterprise-audit-delivery/v1"}}}}}}},"/api/sena/governance/backup":{"get":{"tags":["Governance"],"operationId":"sena-governance-backup-get","summary":"Export, verify, deliver, sync, dry-run restore, or merge restore a sanitized team backup.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { action?: deliver|sync-database|restore-dry-run|restore, teamId?, artifact? }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { action?: deliver|sync-database|restore-dry-run|restore, teamId?, artifact? }"}}}},"responses":{"200":{"description":"sena-enterprise-backup/v1; sena-enterprise-backup-verification/v1; sena-enterprise-backup-delivery/v1; sena-enterprise-database-sync/v1; sena-enterprise-backup-restore/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-backup/v1; sena-enterprise-backup-verification/v1; sena-enterprise-backup-delivery/v1; sena-enterprise-database-sync/v1; sena-enterprise-backup-restore/v1"}}}}}},"post":{"tags":["Governance"],"operationId":"sena-governance-backup-post","summary":"Export, verify, deliver, sync, dry-run restore, or merge restore a sanitized team backup.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { action?: deliver|sync-database|restore-dry-run|restore, teamId?, artifact? }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { action?: deliver|sync-database|restore-dry-run|restore, teamId?, artifact? }"}}}},"responses":{"200":{"description":"sena-enterprise-backup/v1; sena-enterprise-backup-verification/v1; sena-enterprise-backup-delivery/v1; sena-enterprise-database-sync/v1; sena-enterprise-backup-restore/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-backup/v1; sena-enterprise-backup-verification/v1; sena-enterprise-backup-delivery/v1; sena-enterprise-database-sync/v1; sena-enterprise-backup-restore/v1"}}}}}}},"/api/sena/ops/status":{"get":{"tags":["Ops"],"operationId":"sena-ops-status-get","summary":"Return runtime storage, queue, webhook, backup, and collection status.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET returns runtime status; GET responses include x-sena-ops-status, x-sena-deployment-readiness-status, x-sena-identity-readiness-blocking-count, x-sena-identity-readiness-blockers, x-sena-identity-evidence-host-allowlist, x-sena-identity-secret-version-binding, x-sena-identity-secret-store-reference, x-sena-identity-secret-rotation-cadence, x-sena-identity-idp-tenant-binding, and x-sena-identity-lifecycle-owner-mode so deployment monitors can see institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation blockers beside basic runtime status."}},"multipart/form-data":{"schema":{"type":"object","description":"GET returns runtime status; GET responses include x-sena-ops-status, x-sena-deployment-readiness-status, x-sena-identity-readiness-blocking-count, x-sena-identity-readiness-blockers, x-sena-identity-evidence-host-allowlist, x-sena-identity-secret-version-binding, x-sena-identity-secret-store-reference, x-sena-identity-secret-rotation-cadence, x-sena-identity-idp-tenant-binding, and x-sena-identity-lifecycle-owner-mode so deployment monitors can see institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation blockers beside basic runtime status."}}}},"responses":{"200":{"description":"sena-enterprise-ops-status/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-ops-status/v1"}}}}}}},"/api/sena/ops/metrics":{"get":{"tags":["Ops"],"operationId":"sena-ops-metrics-get","summary":"Return Prometheus-style enterprise runtime metrics.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET returns Prometheus text; gauges include sena_enterprise_deployment_readiness_blocking_review, sena_enterprise_identity_readiness_blockers, and sena_enterprise_identity_readiness_item so production monitors can scrape institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation readiness without parsing JSON."}},"multipart/form-data":{"schema":{"type":"object","description":"GET returns Prometheus text; gauges include sena_enterprise_deployment_readiness_blocking_review, sena_enterprise_identity_readiness_blockers, and sena_enterprise_identity_readiness_item so production monitors can scrape institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation readiness without parsing JSON."}}}},"responses":{"200":{"description":"text/plain; version=0.0.4","content":{"application/json":{"schema":{"type":"object","description":"text/plain; version=0.0.4"}}}}}}},"/api/sena/ops/readiness":{"get":{"tags":["Ops"],"operationId":"sena-ops-readiness-get","summary":"Return production-gate readiness checks and platform-decision blockers.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET returns deployment readiness; GET responses include x-sena-deployment-readiness-status, x-sena-deployment-readiness-blocking-review, x-sena-deployment-readiness-blockers, x-sena-identity-readiness-blockers, x-sena-identity-evidence-host-allowlist, x-sena-identity-secret-version-binding, x-sena-identity-secret-store-reference, x-sena-identity-secret-rotation-cadence, x-sena-identity-idp-tenant-binding, and x-sena-identity-lifecycle-owner-mode so production monitors can block on institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation prerequisites without parsing the readiness body."}},"multipart/form-data":{"schema":{"type":"object","description":"GET returns deployment readiness; GET responses include x-sena-deployment-readiness-status, x-sena-deployment-readiness-blocking-review, x-sena-deployment-readiness-blockers, x-sena-identity-readiness-blockers, x-sena-identity-evidence-host-allowlist, x-sena-identity-secret-version-binding, x-sena-identity-secret-store-reference, x-sena-identity-secret-rotation-cadence, x-sena-identity-idp-tenant-binding, and x-sena-identity-lifecycle-owner-mode so production monitors can block on institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation prerequisites without parsing the readiness body."}}}},"responses":{"200":{"description":"sena-enterprise-deployment-readiness/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-deployment-readiness/v1"}}}}}}},"/api/sena/ops/deployment":{"get":{"tags":["Ops"],"operationId":"sena-ops-deployment-get","summary":"Return the redacted organization deployment handoff package with a platform decision register and latest release-gate evidence.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped organization deployment handoff package; session requests require teamId; omit teamId only for bearer-authenticated global ops review; env includes SENA_IDENTITY_EVIDENCE_ALLOWED_HOSTS as the production identity evidence host allowlist requirement; identityProductionHandoff includes the redacted identity production evidence dossier with platform request blockers and missing evidence IDs; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoff; GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness for deployment archive gating; GET responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path for deployment archive routing by institution IdP and provisioning owner lane; GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so deployment archive capture can bind the owner-runbook artifact version without parsing the dossier body."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped organization deployment handoff package; session requests require teamId; omit teamId only for bearer-authenticated global ops review; env includes SENA_IDENTITY_EVIDENCE_ALLOWED_HOSTS as the production identity evidence host allowlist requirement; identityProductionHandoff includes the redacted identity production evidence dossier with platform request blockers and missing evidence IDs; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoff; GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness for deployment archive gating; GET responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path for deployment archive routing by institution IdP and provisioning owner lane; GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so deployment archive capture can bind the owner-runbook artifact version without parsing the dossier body."}}}},"responses":{"200":{"description":"sena-enterprise-organization-deployment/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-release-gate-reviews/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-release-verification-evidence/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-organization-deployment/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-release-gate-reviews/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-release-verification-evidence/v1"}}}}}}},"/api/sena/ops/native-adapters":{"get":{"tags":["Ops"],"operationId":"sena-ops-native-adapters-get","summary":"Return the native adapter certification dossier for institution platform owners reviewing managed database, object storage, pub/sub, IdP, email, audit, backup, alerting, and SaaS operations readiness.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped native adapter certification dossier; session requests require teamId; omit teamId only for bearer-authenticated global ops review."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped native adapter certification dossier; session requests require teamId; omit teamId only for bearer-authenticated global ops review."}}}},"responses":{"200":{"description":"sena-enterprise-native-adapter-certification/v1; sena-enterprise-platform-decision-register/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-native-adapter-certification/v1; sena-enterprise-platform-decision-register/v1"}}}}}}},"/api/sena/ops/saas-operations":{"get":{"tags":["Ops"],"operationId":"sena-ops-saas-operations-get","summary":"Return the SaaS operations readiness dossier that links platform-owner approval, native adapter certification, release-gate verification, and full backend operating-model evidence.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped SaaS operations readiness dossier; session requests require teamId; omit teamId only for bearer-authenticated global ops review; evidence includes identityProductionReleaseGateDigestBinding so release reviewers can detect stale identity production evidence after the latest release-gate approval; GET responses include x-sena-saas-operations-status, x-sena-saas-operations-blockers, x-sena-identity-production-status, x-sena-identity-rotation-freshness, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, x-sena-identity-release-gate-digest-binding, x-sena-identity-latest-release-gate-evidence-binding-digest, and x-sena-identity-current-evidence-binding-digest for SaaS cutover automation without parsing the readiness body."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped SaaS operations readiness dossier; session requests require teamId; omit teamId only for bearer-authenticated global ops review; evidence includes identityProductionReleaseGateDigestBinding so release reviewers can detect stale identity production evidence after the latest release-gate approval; GET responses include x-sena-saas-operations-status, x-sena-saas-operations-blockers, x-sena-identity-production-status, x-sena-identity-rotation-freshness, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, x-sena-identity-release-gate-digest-binding, x-sena-identity-latest-release-gate-evidence-binding-digest, and x-sena-identity-current-evidence-binding-digest for SaaS cutover automation without parsing the readiness body."}}}},"responses":{"200":{"description":"sena-enterprise-saas-operations-readiness/v1; sena-enterprise-native-adapter-certification/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-identity-production-evidence/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-saas-operations-readiness/v1; sena-enterprise-native-adapter-certification/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-identity-production-evidence/v1"}}}}}}},"/api/sena/ops/capability-audit":{"get":{"tags":["Ops"],"operationId":"sena-ops-capability-audit-get","summary":"Return the enterprise capability audit that maps the original missing-feature backlog to runnable API, UI, artifact, and platform-decision evidence.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped enterprise capability audit; session requests require teamId; omit teamId only for bearer-authenticated global ops review; GET responses include identityProductionEvidence as the redacted identity production evidence dossier for one-call auth blocker archive capture; GET responses include x-sena-auth-capability-status, x-sena-auth-capability-remaining-platform-decisions, x-sena-auth-capability-required-artifacts, and x-sena-auth-capability-next-action so CI and ops archive capture can block auth production cutover until institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation evidence are complete; GET responses also include x-sena-auth-capability-idp-missing-production-evidence, x-sena-auth-capability-provisioning-missing-production-evidence, x-sena-auth-capability-idp-missing-technical-prerequisites, and x-sena-auth-capability-provisioning-missing-technical-prerequisites so platform-owner tooling can split IdP tenant/SSO secret blockers from SCIM/IdP lifecycle ownership blockers without parsing the dossier body; GET responses also include x-sena-identity-request-packet-policy-hash, x-sena-identity-request-packet-policy-binding, x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest so capability-audit archive capture can bind the auth blocker to the current identity evidence dossier and request policy; GET responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so capability-audit automation can route institution IdP and provisioning owner lanes without parsing the dossier body; GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so capability-audit automation can bind the owner-runbook artifact version without parsing the dossier body; GET responses also include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions, x-sena-identity-receipt-archive-missing-inputs, x-sena-identity-production-evidence-artifact-completeness, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary so the capability-audit gate exposes the same identity production blocker summary as the production evidence dossier; GET responses also include x-sena-identity-rotation-freshness, x-sena-identity-rotation-expired-evidence, and x-sena-identity-rotation-due-soon-evidence so release automation can block on secret-rotation freshness without parsing the dossier body."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped enterprise capability audit; session requests require teamId; omit teamId only for bearer-authenticated global ops review; GET responses include identityProductionEvidence as the redacted identity production evidence dossier for one-call auth blocker archive capture; GET responses include x-sena-auth-capability-status, x-sena-auth-capability-remaining-platform-decisions, x-sena-auth-capability-required-artifacts, and x-sena-auth-capability-next-action so CI and ops archive capture can block auth production cutover until institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation evidence are complete; GET responses also include x-sena-auth-capability-idp-missing-production-evidence, x-sena-auth-capability-provisioning-missing-production-evidence, x-sena-auth-capability-idp-missing-technical-prerequisites, and x-sena-auth-capability-provisioning-missing-technical-prerequisites so platform-owner tooling can split IdP tenant/SSO secret blockers from SCIM/IdP lifecycle ownership blockers without parsing the dossier body; GET responses also include x-sena-identity-request-packet-policy-hash, x-sena-identity-request-packet-policy-binding, x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest so capability-audit archive capture can bind the auth blocker to the current identity evidence dossier and request policy; GET responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so capability-audit automation can route institution IdP and provisioning owner lanes without parsing the dossier body; GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so capability-audit automation can bind the owner-runbook artifact version without parsing the dossier body; GET responses also include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions, x-sena-identity-receipt-archive-missing-inputs, x-sena-identity-production-evidence-artifact-completeness, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary so the capability-audit gate exposes the same identity production blocker summary as the production evidence dossier; GET responses also include x-sena-identity-rotation-freshness, x-sena-identity-rotation-expired-evidence, and x-sena-identity-rotation-due-soon-evidence so release automation can block on secret-rotation freshness without parsing the dossier body."}}}},"responses":{"200":{"description":"sena-enterprise-capability-audit/v1; sena-enterprise-organization-deployment/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-go-live-rehearsal/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-cutover-checklist/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-capability-audit/v1; sena-enterprise-organization-deployment/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-go-live-rehearsal/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-cutover-checklist/v1"}}}}}}},"/api/sena/ops/identity-production-evidence":{"get":{"tags":["Ops"],"operationId":"sena-ops-identity-production-evidence-get","summary":"Return the redacted institution identity production evidence packet and evidence manifest for IdP tenant approval, callback approval, SSO provider secret custody, SSO secret-store reference, SSO secret rotation, SCIM/IdP ownership, bearer-token rotation, lifecycle guardrails, and release-gate identity blockers.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... for a team-scoped identity production evidence dossier; session requests require teamId; omit teamId only for bearer-authenticated global ops review; GET responses include x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, x-sena-identity-receipt-archive-manifest-digest, and x-sena-identity-institution-action-plan-digest; GET responses include x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so platform-owner scripts can route institution IdP and provisioning lanes without parsing the dossier body; GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so platform-owner scripts can bind the owner-runbook artifact version without parsing the dossier body; GET responses include x-sena-identity-request-packet-policy-hash so platform-owner submission scripts can echo the current policy hash from the canonical dossier route; GET responses include x-sena-identity-request-packet-policy-binding so ops archive capture can see current, stale, or missing IdP/provisioning receipt binding without parsing the dossier body; GET responses also include x-sena-identity-receipt-archive-missing-inputs, x-sena-identity-production-evidence-artifact-completeness, and x-sena-identity-production-evidence-artifact-completeness-summary for ops archive capture and release-gate freshness checks; GET responses also include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, and x-sena-identity-cutover-blockers for machine-readable production cutover gating without parsing the dossier body; institutionActionPlan groups redacted submissionDrafts, missing evidence IDs, responseAuditHeaders, and receiptArchiveBodyPaths by institution-idp-owner and institution-provisioning-owner so tenant/callback/SSO secret custody and SCIM/lifecycle ownership work can be assigned without exposing secrets or evidence URLs; institutionActionPlan.submissionMatrix.rows maps each production evidence ID to its institution owner lane, decisionId, source, cutover item, required body fields, artifact digest, verifiedAt, evidenceUrl, responseAuditHeaders, and receiptArchiveBodyPaths; institutionActionPlan.ownerRunbooks.runbooks maps each institution owner lane to preflight checks, submissionSteps, receiptArchiveSteps, releaseGateBlockers, required env vars, productionEvidenceIds, requestPacketPolicyHash, responseAuditHeaders, and receipt archive paths; institutionActionPlan redaction excludes secret values, evidence URL values, and owner names, and uses evidenceUrlField instead of an evidenceUrl value; platformRequestPacket.submission.requiredBodyFields lists the POST body contract for /api/sena/ops/platform-decisions; requiredBodyFields includes productionEvidenceArtifactDigest so platform-owner scripts cannot omit the institution-owned external evidence artifact digest; platformRequestPacket.submission.identityProductionEvidenceBodyFields lists the evidenceUrl, productionEvidenceIds, productionEvidenceArtifactDigest, productionEvidenceVerifiedAt, and requestPacketPolicyHash identity production evidence fields; platformRequestPacket.submission.productionEvidenceArtifactDigestPolicy records the sha256 external-evidence-artifact digest scope, required evidence IDs, institution custody, and no raw artifact or secret upload policy; platformRequestPacket.submission.responseAuditHeaders lists the response headers platform owners should archive; responseAuditHeaders include overall identity production gate headers for status, release blocking, missing evidence, cutover checklist, cutover blockers, and artifact completeness summary; platformRequestPacket.submission.receiptArchivePolicy lists required archive headers and response body paths, including identityProductionEvidence.institutionActionPlan, current-validation-snapshot, and platform-submission-inputs digest scopes; stableSubmissionDigestInputFields includes productionEvidenceArtifactDigest so archive reviewers can verify the stable submission digest binds the institution-owned external artifact digest; receiptArchiveManifest lists per-decision receipt digest headers, stable submission digest headers, archive body paths, and ready-for-archive status, plus production evidence artifact digest and missingArchiveInputCounts blocker categories; receiptArchiveManifest records productionEvidenceArtifactDigestAlgorithm=sha256 and productionEvidenceArtifactDigestScope=external-evidence-artifact; receiptArchiveManifest records productionEvidenceArtifactDigestCoveredEvidenceIds so release reviewers can see which submitted evidence IDs the external artifact digest covers; receiptArchiveManifest records productionEvidenceArtifactDigestCompletenessStatus so release reviewers can distinguish partial artifact coverage from complete decision evidence; platformRequestPacket.requests[].submissionTemplate.submissionDraft provides redacted platform-owner JSON bodies with productionEvidenceArtifactDigest placeholders; platformRequestPacket.evidence includes requestPacketPolicyHash and requestPacketPolicyBinding, plus productionEvidenceArtifactDigest archive requirements; platformRequestPacket requests include submissionTemplate.ownerNamePolicy, submissionTemplate.productionEvidenceVerifiedAtPolicy, and submissionTemplate.rotationFreshnessPolicy; submissionVerifier.evidence repeats requestPacketPolicyHash and requestPacketPolicyBinding for release reviewers; cutoverChecklist summarizes IdP tenant, SSO secret custody, SCIM/IdP ownership, and identity secret rotation blockers."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... for a team-scoped identity production evidence dossier; session requests require teamId; omit teamId only for bearer-authenticated global ops review; GET responses include x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, x-sena-identity-receipt-archive-manifest-digest, and x-sena-identity-institution-action-plan-digest; GET responses include x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so platform-owner scripts can route institution IdP and provisioning lanes without parsing the dossier body; GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so platform-owner scripts can bind the owner-runbook artifact version without parsing the dossier body; GET responses include x-sena-identity-request-packet-policy-hash so platform-owner submission scripts can echo the current policy hash from the canonical dossier route; GET responses include x-sena-identity-request-packet-policy-binding so ops archive capture can see current, stale, or missing IdP/provisioning receipt binding without parsing the dossier body; GET responses also include x-sena-identity-receipt-archive-missing-inputs, x-sena-identity-production-evidence-artifact-completeness, and x-sena-identity-production-evidence-artifact-completeness-summary for ops archive capture and release-gate freshness checks; GET responses also include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, and x-sena-identity-cutover-blockers for machine-readable production cutover gating without parsing the dossier body; institutionActionPlan groups redacted submissionDrafts, missing evidence IDs, responseAuditHeaders, and receiptArchiveBodyPaths by institution-idp-owner and institution-provisioning-owner so tenant/callback/SSO secret custody and SCIM/lifecycle ownership work can be assigned without exposing secrets or evidence URLs; institutionActionPlan.submissionMatrix.rows maps each production evidence ID to its institution owner lane, decisionId, source, cutover item, required body fields, artifact digest, verifiedAt, evidenceUrl, responseAuditHeaders, and receiptArchiveBodyPaths; institutionActionPlan.ownerRunbooks.runbooks maps each institution owner lane to preflight checks, submissionSteps, receiptArchiveSteps, releaseGateBlockers, required env vars, productionEvidenceIds, requestPacketPolicyHash, responseAuditHeaders, and receipt archive paths; institutionActionPlan redaction excludes secret values, evidence URL values, and owner names, and uses evidenceUrlField instead of an evidenceUrl value; platformRequestPacket.submission.requiredBodyFields lists the POST body contract for /api/sena/ops/platform-decisions; requiredBodyFields includes productionEvidenceArtifactDigest so platform-owner scripts cannot omit the institution-owned external evidence artifact digest; platformRequestPacket.submission.identityProductionEvidenceBodyFields lists the evidenceUrl, productionEvidenceIds, productionEvidenceArtifactDigest, productionEvidenceVerifiedAt, and requestPacketPolicyHash identity production evidence fields; platformRequestPacket.submission.productionEvidenceArtifactDigestPolicy records the sha256 external-evidence-artifact digest scope, required evidence IDs, institution custody, and no raw artifact or secret upload policy; platformRequestPacket.submission.responseAuditHeaders lists the response headers platform owners should archive; responseAuditHeaders include overall identity production gate headers for status, release blocking, missing evidence, cutover checklist, cutover blockers, and artifact completeness summary; platformRequestPacket.submission.receiptArchivePolicy lists required archive headers and response body paths, including identityProductionEvidence.institutionActionPlan, current-validation-snapshot, and platform-submission-inputs digest scopes; stableSubmissionDigestInputFields includes productionEvidenceArtifactDigest so archive reviewers can verify the stable submission digest binds the institution-owned external artifact digest; receiptArchiveManifest lists per-decision receipt digest headers, stable submission digest headers, archive body paths, and ready-for-archive status, plus production evidence artifact digest and missingArchiveInputCounts blocker categories; receiptArchiveManifest records productionEvidenceArtifactDigestAlgorithm=sha256 and productionEvidenceArtifactDigestScope=external-evidence-artifact; receiptArchiveManifest records productionEvidenceArtifactDigestCoveredEvidenceIds so release reviewers can see which submitted evidence IDs the external artifact digest covers; receiptArchiveManifest records productionEvidenceArtifactDigestCompletenessStatus so release reviewers can distinguish partial artifact coverage from complete decision evidence; platformRequestPacket.requests[].submissionTemplate.submissionDraft provides redacted platform-owner JSON bodies with productionEvidenceArtifactDigest placeholders; platformRequestPacket.evidence includes requestPacketPolicyHash and requestPacketPolicyBinding, plus productionEvidenceArtifactDigest archive requirements; platformRequestPacket requests include submissionTemplate.ownerNamePolicy, submissionTemplate.productionEvidenceVerifiedAtPolicy, and submissionTemplate.rotationFreshnessPolicy; submissionVerifier.evidence repeats requestPacketPolicyHash and requestPacketPolicyBinding for release reviewers; cutoverChecklist summarizes IdP tenant, SSO secret custody, SCIM/IdP ownership, and identity secret rotation blockers."}}}},"responses":{"200":{"description":"sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-production-evidence-manifest/v1; sena-enterprise-identity-platform-decision-request-packet/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1; sena-enterprise-identity-submission-verifier/v1; sena-enterprise-identity-rotation-freshness/v1; sena-enterprise-identity-receipt-archive-manifest/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-platform-decision-production-evidence-receipt/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-capability-audit/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-production-evidence-manifest/v1; sena-enterprise-identity-platform-decision-request-packet/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1; sena-enterprise-identity-submission-verifier/v1; sena-enterprise-identity-rotation-freshness/v1; sena-enterprise-identity-receipt-archive-manifest/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-platform-decision-production-evidence-receipt/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-capability-audit/v1"}}}}}}},"/api/sena/ops/go-live-rehearsal":{"get":{"tags":["Ops"],"operationId":"sena-ops-go-live-rehearsal-get","summary":"Return the go-live rehearsal dossier that links deployment readiness, native adapter certification, SaaS operations readiness, rollback drill evidence, post-cutover monitoring, and release-gate verification.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped go-live rehearsal dossier with identityProductionHandoff for IdP, SCIM, rotation blockers, and cutoverChecklist; GET ?artifact=rollback-drill or ?artifact=post-cutover-monitor or ?attestations=1&teamId=...; GET ?artifact=post-cutover-monitor includes latestObservation with sena-enterprise-post-cutover-observations/v1 readiness evidence; session requests require teamId; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoff; POST JSON { teamId, environment, releaseVersion, decision, attesterName, attesterRole, notes, checklist } returns an attestation with identityProductionHandoffSnapshot, identityProductionHandoffSnapshot.dossierDigest, identityProductionHandoffSnapshot.receiptArchiveManifest, and latestReleaseGateSnapshot.identityCutoverChecklistStatus / identityCutoverChecklistBlockingItems; POST JSON { action: start-post-cutover-observation, teamId, environment, releaseVersion } starts a fixed 60-minute sena-enterprise-post-cutover-observation/v1 after release, rollback, ops, and alert preflight; POST JSON { action: record-post-cutover-sample, teamId, observationId } records an observation sample; POST JSON { action: complete-post-cutover-observation, teamId, observationId, acknowledgedWarningAlertIds } completes the observation only after the 60-minute window and warning acknowledgement rules pass; POST responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoffSnapshot; approved attestation is rejected until postCutoverMonitor.status is ready, while conditional and blocked attestations remain audit records; GET and POST responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness for final cutover automation; GET and POST responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so final cutover automation can route unresolved institution IdP and provisioning owner lanes; GET and POST responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so final cutover automation can bind the owner-runbook artifact version without parsing the handoff body; identityProductionHandoff.institutionActionPlan.submissionMatrix preserves the owner-lane evidence submission map for final cutover review; identityProductionHandoff.institutionActionPlan.ownerRunbooks preserves institution owner preflight, submission, receipt archive, and release blocker runbooks for final cutover review; latestReleaseGateSnapshot.identityReceiptArchiveDecisions preserves submittedEvidenceDigest and productionEvidenceArtifactDigest for final go-live archive capture; audit detail preserves latestReleaseGateIdentityReceiptArchiveDecisions as a JSON string for SIEM/archive review."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped go-live rehearsal dossier with identityProductionHandoff for IdP, SCIM, rotation blockers, and cutoverChecklist; GET ?artifact=rollback-drill or ?artifact=post-cutover-monitor or ?attestations=1&teamId=...; GET ?artifact=post-cutover-monitor includes latestObservation with sena-enterprise-post-cutover-observations/v1 readiness evidence; session requests require teamId; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoff; POST JSON { teamId, environment, releaseVersion, decision, attesterName, attesterRole, notes, checklist } returns an attestation with identityProductionHandoffSnapshot, identityProductionHandoffSnapshot.dossierDigest, identityProductionHandoffSnapshot.receiptArchiveManifest, and latestReleaseGateSnapshot.identityCutoverChecklistStatus / identityCutoverChecklistBlockingItems; POST JSON { action: start-post-cutover-observation, teamId, environment, releaseVersion } starts a fixed 60-minute sena-enterprise-post-cutover-observation/v1 after release, rollback, ops, and alert preflight; POST JSON { action: record-post-cutover-sample, teamId, observationId } records an observation sample; POST JSON { action: complete-post-cutover-observation, teamId, observationId, acknowledgedWarningAlertIds } completes the observation only after the 60-minute window and warning acknowledgement rules pass; POST responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoffSnapshot; approved attestation is rejected until postCutoverMonitor.status is ready, while conditional and blocked attestations remain audit records; GET and POST responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness for final cutover automation; GET and POST responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so final cutover automation can route unresolved institution IdP and provisioning owner lanes; GET and POST responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so final cutover automation can bind the owner-runbook artifact version without parsing the handoff body; identityProductionHandoff.institutionActionPlan.submissionMatrix preserves the owner-lane evidence submission map for final cutover review; identityProductionHandoff.institutionActionPlan.ownerRunbooks preserves institution owner preflight, submission, receipt archive, and release blocker runbooks for final cutover review; latestReleaseGateSnapshot.identityReceiptArchiveDecisions preserves submittedEvidenceDigest and productionEvidenceArtifactDigest for final go-live archive capture; audit detail preserves latestReleaseGateIdentityReceiptArchiveDecisions as a JSON string for SIEM/archive review."}}}},"responses":{"200":{"description":"sena-enterprise-go-live-rehearsal/v1; sena-enterprise-release-gate-draft/v1; sena-enterprise-go-live-rollback-drill/v1; sena-enterprise-go-live-monitor/v1; sena-enterprise-post-cutover-observation/v1; sena-enterprise-post-cutover-observations/v1; sena-enterprise-go-live-attestation/v1; sena-enterprise-go-live-attestations/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-native-adapter-certification/v1; sena-enterprise-saas-operations-readiness/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-go-live-rehearsal/v1; sena-enterprise-release-gate-draft/v1; sena-enterprise-go-live-rollback-drill/v1; sena-enterprise-go-live-monitor/v1; sena-enterprise-post-cutover-observation/v1; sena-enterprise-post-cutover-observations/v1; sena-enterprise-go-live-attestation/v1; sena-enterprise-go-live-attestations/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-native-adapter-certification/v1; sena-enterprise-saas-operations-readiness/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1"}}}}}},"post":{"tags":["Ops"],"operationId":"sena-ops-go-live-rehearsal-post","summary":"Return the go-live rehearsal dossier that links deployment readiness, native adapter certification, SaaS operations readiness, rollback drill evidence, post-cutover monitoring, and release-gate verification.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":false,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped go-live rehearsal dossier with identityProductionHandoff for IdP, SCIM, rotation blockers, and cutoverChecklist; GET ?artifact=rollback-drill or ?artifact=post-cutover-monitor or ?attestations=1&teamId=...; GET ?artifact=post-cutover-monitor includes latestObservation with sena-enterprise-post-cutover-observations/v1 readiness evidence; session requests require teamId; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoff; POST JSON { teamId, environment, releaseVersion, decision, attesterName, attesterRole, notes, checklist } returns an attestation with identityProductionHandoffSnapshot, identityProductionHandoffSnapshot.dossierDigest, identityProductionHandoffSnapshot.receiptArchiveManifest, and latestReleaseGateSnapshot.identityCutoverChecklistStatus / identityCutoverChecklistBlockingItems; POST JSON { action: start-post-cutover-observation, teamId, environment, releaseVersion } starts a fixed 60-minute sena-enterprise-post-cutover-observation/v1 after release, rollback, ops, and alert preflight; POST JSON { action: record-post-cutover-sample, teamId, observationId } records an observation sample; POST JSON { action: complete-post-cutover-observation, teamId, observationId, acknowledgedWarningAlertIds } completes the observation only after the 60-minute window and warning acknowledgement rules pass; POST responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoffSnapshot; approved attestation is rejected until postCutoverMonitor.status is ready, while conditional and blocked attestations remain audit records; GET and POST responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness for final cutover automation; GET and POST responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so final cutover automation can route unresolved institution IdP and provisioning owner lanes; GET and POST responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so final cutover automation can bind the owner-runbook artifact version without parsing the handoff body; identityProductionHandoff.institutionActionPlan.submissionMatrix preserves the owner-lane evidence submission map for final cutover review; identityProductionHandoff.institutionActionPlan.ownerRunbooks preserves institution owner preflight, submission, receipt archive, and release blocker runbooks for final cutover review; latestReleaseGateSnapshot.identityReceiptArchiveDecisions preserves submittedEvidenceDigest and productionEvidenceArtifactDigest for final go-live archive capture; audit detail preserves latestReleaseGateIdentityReceiptArchiveDecisions as a JSON string for SIEM/archive review."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped go-live rehearsal dossier with identityProductionHandoff for IdP, SCIM, rotation blockers, and cutoverChecklist; GET ?artifact=rollback-drill or ?artifact=post-cutover-monitor or ?attestations=1&teamId=...; GET ?artifact=post-cutover-monitor includes latestObservation with sena-enterprise-post-cutover-observations/v1 readiness evidence; session requests require teamId; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoff; POST JSON { teamId, environment, releaseVersion, decision, attesterName, attesterRole, notes, checklist } returns an attestation with identityProductionHandoffSnapshot, identityProductionHandoffSnapshot.dossierDigest, identityProductionHandoffSnapshot.receiptArchiveManifest, and latestReleaseGateSnapshot.identityCutoverChecklistStatus / identityCutoverChecklistBlockingItems; POST JSON { action: start-post-cutover-observation, teamId, environment, releaseVersion } starts a fixed 60-minute sena-enterprise-post-cutover-observation/v1 after release, rollback, ops, and alert preflight; POST JSON { action: record-post-cutover-sample, teamId, observationId } records an observation sample; POST JSON { action: complete-post-cutover-observation, teamId, observationId, acknowledgedWarningAlertIds } completes the observation only after the 60-minute window and warning acknowledgement rules pass; POST responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from identityProductionHandoffSnapshot; approved attestation is rejected until postCutoverMonitor.status is ready, while conditional and blocked attestations remain audit records; GET and POST responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness for final cutover automation; GET and POST responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so final cutover automation can route unresolved institution IdP and provisioning owner lanes; GET and POST responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so final cutover automation can bind the owner-runbook artifact version without parsing the handoff body; identityProductionHandoff.institutionActionPlan.submissionMatrix preserves the owner-lane evidence submission map for final cutover review; identityProductionHandoff.institutionActionPlan.ownerRunbooks preserves institution owner preflight, submission, receipt archive, and release blocker runbooks for final cutover review; latestReleaseGateSnapshot.identityReceiptArchiveDecisions preserves submittedEvidenceDigest and productionEvidenceArtifactDigest for final go-live archive capture; audit detail preserves latestReleaseGateIdentityReceiptArchiveDecisions as a JSON string for SIEM/archive review."}}}},"responses":{"200":{"description":"sena-enterprise-go-live-rehearsal/v1; sena-enterprise-release-gate-draft/v1; sena-enterprise-go-live-rollback-drill/v1; sena-enterprise-go-live-monitor/v1; sena-enterprise-post-cutover-observation/v1; sena-enterprise-post-cutover-observations/v1; sena-enterprise-go-live-attestation/v1; sena-enterprise-go-live-attestations/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-native-adapter-certification/v1; sena-enterprise-saas-operations-readiness/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-go-live-rehearsal/v1; sena-enterprise-release-gate-draft/v1; sena-enterprise-go-live-rollback-drill/v1; sena-enterprise-go-live-monitor/v1; sena-enterprise-post-cutover-observation/v1; sena-enterprise-post-cutover-observations/v1; sena-enterprise-go-live-attestation/v1; sena-enterprise-go-live-attestations/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-native-adapter-certification/v1; sena-enterprise-saas-operations-readiness/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1"}}}}}}},"/api/sena/ops/platform-decisions":{"get":{"tags":["Ops"],"operationId":"sena-ops-platform-decisions-get","summary":"List or record team-scoped platform decision acceptance records for production bridge/native-adapter ownership.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped platformDecisionRegister; GET responses include identityProductionEvidence as a redacted pre-submission packet with platformRequestPacket, cutoverChecklist, and receiptArchiveManifest plus identityProductionEvidence.institutionActionPlan.submissionMatrix and identityProductionEvidence.institutionActionPlan.ownerRunbooks for platform-owner submission tooling; GET responses include x-sena-identity-request-packet-policy-hash so platform-owner submission scripts can echo the current policy hash; GET responses include x-sena-identity-request-packet-policy-binding so platform-owner submission scripts can preflight current, stale, or missing IdP/provisioning receipt binding; GET responses include refreshed x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest for pre-submission archive capture; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary for pre-submission identity production gate feedback; GET responses include x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions for platform-owner scripts that need blocker counts without parsing the dossier body; GET and POST responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so institution IdP and provisioning owner lane scripts can route production evidence work from headers; GET and POST responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so institution IdP and provisioning owner lane scripts can bind the owner-runbook artifact version without parsing the dossier body; GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness as overall receipt archive gate headers; POST JSON { teamId, decisionId, status, acceptedBridge?, ownerName, ownerRole, environment, evidenceUrl?, productionEvidenceIds?, productionEvidenceArtifactDigest?, productionEvidenceVerifiedAt?, requestPacketPolicyHash?, notes }; POST responses include refreshed identityProductionEvidence for immediate verifier/blocker feedback; POST responses include x-sena-identity-request-packet-policy-hash, x-sena-identity-request-packet-policy-binding, and x-sena-identity-production-verifier-status for platform-owner audit capture; POST responses include x-sena-identity-production-receipt-digest; POST responses include x-sena-identity-submitted-evidence-digest as the stable platform-submission-inputs digest; stable platform-submission-inputs digest covers productionEvidenceArtifactDigest, submitted evidence IDs, redacted evidence URL hashes, request packet policy hash, and technical binding inputs; POST responses include x-sena-identity-production-evidence-artifact-digest for the platform-supplied external evidence artifact digest; POST responses include x-sena-identity-production-evidence-artifact-covered-ids and x-sena-identity-production-evidence-artifact-coverage for evidence-id coverage archive capture; POST responses include x-sena-identity-production-evidence-artifact-completeness for refreshed overall receipt archive gate capture; POST responses include x-sena-identity-submitted-decision-production-evidence-artifact-completeness for complete versus partial submitted-decision evidence archive capture; POST responses include x-sena-identity-evidence-url-host-binding, x-sena-identity-technical-binding, x-sena-identity-technical-readiness, x-sena-identity-rotation-freshness, x-sena-identity-rotation-expired-evidence, and x-sena-identity-rotation-due-soon-evidence; POST responses include x-sena-identity-receipt-archive-status and x-sena-identity-receipt-archive-missing-inputs; POST responses include x-sena-identity-submitted-decision-receipt-archive-missing-inputs for the submitted decision; POST responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary for refreshed overall identity production gate feedback; POST responses include x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions for refreshed overall identity production gate feedback; POST responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness as refreshed overall receipt archive gate headers; POST responses include refreshed x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest for immediate handoff archive capture; identity evidenceUrl must be HTTPS, non-local, non-private, separate from the SENA application origin, and returned only as evidenceUrlHash plus redacted evidenceUrlHostHash/evidenceUrlAllowedHostHash binding hashes; production NODE_ENV requires SENA_IDENTITY_EVIDENCE_ALLOWED_HOSTS for identity evidenceUrl acceptance; identity productionEvidenceIds require a production or pilot-production environment; IdP productionEvidenceIds include idp-tenant-approval, idp-callback-approval, sso-provider-secrets, sso-secret-store-reference, and sso-secret-rotation; provisioning productionEvidenceIds include provisioning-owner, scim-or-idp-ownership, bearer-token-rotation, and lifecycle-guardrails; productionEvidenceArtifactDigest must be a SHA-256 hex digest and is required for receipt archive readiness when productionEvidenceIds include identity production evidence ids; productionEvidenceArtifactDigest is listed in platformRequestPacket.submission.requiredBodyFields so platform-owner scripts submit the external evidence artifact digest with every identity production decision; missing productionEvidenceArtifactDigest is rejected when identity production evidence ids are submitted; productionEvidenceArtifactDigestPolicy keeps external evidence artifacts in institution custody and rejects raw artifact or secret uploads; productionEvidenceVerifiedAt is required when productionEvidenceIds include identity production evidence ids; requestPacketPolicyHash must echo the current platformRequestPacket.evidence requestPacketPolicyHash for identity production evidence submissions; productionEvidenceVerifiedAt must not be in the future; ownerNamePolicy requires a specific institution identity platform owner; productionEvidenceVerifiedAtPolicy requires a valid past-or-present timestamp; rotationFreshnessPolicy lists SSO and bearer-token rotation max-age and warning windows; production NODE_ENV requires SENA_SSO_*_CLIENT_SECRET_VERSION and SENA_PROVISIONING_TOKEN_VERSION as non-secret rotation identifiers stored only as binding hashes; production NODE_ENV requires SENA_SSO_INSTITUTION_CLIENT_SECRET_REF and SENA_PROVISIONING_TOKEN_SECRET_REF as non-secret institution secret-store references stored only as binding hashes; production NODE_ENV requires SENA_IDENTITY_SECRET_ROTATION_CADENCE_DAYS as a non-secret institution-approved rotation cadence from 1 to 180 days; production NODE_ENV requires SENA_SSO_INSTITUTION_TENANT_ID as a non-secret IdP tenant/app-registration binding stored only as a hash; production NODE_ENV requires SENA_IDENTITY_LIFECYCLE_OWNER_MODE to be scim, idp, or hybrid for SCIM/IdP lifecycle ownership binding; production evidence receipts include requestPacketPolicyHash, requestPacketPolicyBindingStatus; production evidence receipts include productionEvidenceArtifactDigest; production evidence receipts include productionEvidenceArtifactDigestAlgorithm=sha256 and productionEvidenceArtifactDigestScope=external-evidence-artifact; production evidence receipts include productionEvidenceArtifactDigestCoveredEvidenceIds and productionEvidenceArtifactDigestCoverageStatus for submitted evidence-id coverage; production evidence receipts include productionEvidenceArtifactDigestCompletenessStatus for complete versus partial submitted-decision evidence; production evidence receipts include responseAuditHeaders and receiptArchiveBodyPaths; production evidence receipts include evidenceUrlHostBindingStatus, technicalBindingStatus, rotationFreshnessChecks, rotationExpiredEvidenceIds, and rotationDueSoonEvidenceIds for SSO and bearer-token rotation evidence."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped platformDecisionRegister; GET responses include identityProductionEvidence as a redacted pre-submission packet with platformRequestPacket, cutoverChecklist, and receiptArchiveManifest plus identityProductionEvidence.institutionActionPlan.submissionMatrix and identityProductionEvidence.institutionActionPlan.ownerRunbooks for platform-owner submission tooling; GET responses include x-sena-identity-request-packet-policy-hash so platform-owner submission scripts can echo the current policy hash; GET responses include x-sena-identity-request-packet-policy-binding so platform-owner submission scripts can preflight current, stale, or missing IdP/provisioning receipt binding; GET responses include refreshed x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest for pre-submission archive capture; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary for pre-submission identity production gate feedback; GET responses include x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions for platform-owner scripts that need blocker counts without parsing the dossier body; GET and POST responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so institution IdP and provisioning owner lane scripts can route production evidence work from headers; GET and POST responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so institution IdP and provisioning owner lane scripts can bind the owner-runbook artifact version without parsing the dossier body; GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness as overall receipt archive gate headers; POST JSON { teamId, decisionId, status, acceptedBridge?, ownerName, ownerRole, environment, evidenceUrl?, productionEvidenceIds?, productionEvidenceArtifactDigest?, productionEvidenceVerifiedAt?, requestPacketPolicyHash?, notes }; POST responses include refreshed identityProductionEvidence for immediate verifier/blocker feedback; POST responses include x-sena-identity-request-packet-policy-hash, x-sena-identity-request-packet-policy-binding, and x-sena-identity-production-verifier-status for platform-owner audit capture; POST responses include x-sena-identity-production-receipt-digest; POST responses include x-sena-identity-submitted-evidence-digest as the stable platform-submission-inputs digest; stable platform-submission-inputs digest covers productionEvidenceArtifactDigest, submitted evidence IDs, redacted evidence URL hashes, request packet policy hash, and technical binding inputs; POST responses include x-sena-identity-production-evidence-artifact-digest for the platform-supplied external evidence artifact digest; POST responses include x-sena-identity-production-evidence-artifact-covered-ids and x-sena-identity-production-evidence-artifact-coverage for evidence-id coverage archive capture; POST responses include x-sena-identity-production-evidence-artifact-completeness for refreshed overall receipt archive gate capture; POST responses include x-sena-identity-submitted-decision-production-evidence-artifact-completeness for complete versus partial submitted-decision evidence archive capture; POST responses include x-sena-identity-evidence-url-host-binding, x-sena-identity-technical-binding, x-sena-identity-technical-readiness, x-sena-identity-rotation-freshness, x-sena-identity-rotation-expired-evidence, and x-sena-identity-rotation-due-soon-evidence; POST responses include x-sena-identity-receipt-archive-status and x-sena-identity-receipt-archive-missing-inputs; POST responses include x-sena-identity-submitted-decision-receipt-archive-missing-inputs for the submitted decision; POST responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary for refreshed overall identity production gate feedback; POST responses include x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions for refreshed overall identity production gate feedback; POST responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness as refreshed overall receipt archive gate headers; POST responses include refreshed x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest for immediate handoff archive capture; identity evidenceUrl must be HTTPS, non-local, non-private, separate from the SENA application origin, and returned only as evidenceUrlHash plus redacted evidenceUrlHostHash/evidenceUrlAllowedHostHash binding hashes; production NODE_ENV requires SENA_IDENTITY_EVIDENCE_ALLOWED_HOSTS for identity evidenceUrl acceptance; identity productionEvidenceIds require a production or pilot-production environment; IdP productionEvidenceIds include idp-tenant-approval, idp-callback-approval, sso-provider-secrets, sso-secret-store-reference, and sso-secret-rotation; provisioning productionEvidenceIds include provisioning-owner, scim-or-idp-ownership, bearer-token-rotation, and lifecycle-guardrails; productionEvidenceArtifactDigest must be a SHA-256 hex digest and is required for receipt archive readiness when productionEvidenceIds include identity production evidence ids; productionEvidenceArtifactDigest is listed in platformRequestPacket.submission.requiredBodyFields so platform-owner scripts submit the external evidence artifact digest with every identity production decision; missing productionEvidenceArtifactDigest is rejected when identity production evidence ids are submitted; productionEvidenceArtifactDigestPolicy keeps external evidence artifacts in institution custody and rejects raw artifact or secret uploads; productionEvidenceVerifiedAt is required when productionEvidenceIds include identity production evidence ids; requestPacketPolicyHash must echo the current platformRequestPacket.evidence requestPacketPolicyHash for identity production evidence submissions; productionEvidenceVerifiedAt must not be in the future; ownerNamePolicy requires a specific institution identity platform owner; productionEvidenceVerifiedAtPolicy requires a valid past-or-present timestamp; rotationFreshnessPolicy lists SSO and bearer-token rotation max-age and warning windows; production NODE_ENV requires SENA_SSO_*_CLIENT_SECRET_VERSION and SENA_PROVISIONING_TOKEN_VERSION as non-secret rotation identifiers stored only as binding hashes; production NODE_ENV requires SENA_SSO_INSTITUTION_CLIENT_SECRET_REF and SENA_PROVISIONING_TOKEN_SECRET_REF as non-secret institution secret-store references stored only as binding hashes; production NODE_ENV requires SENA_IDENTITY_SECRET_ROTATION_CADENCE_DAYS as a non-secret institution-approved rotation cadence from 1 to 180 days; production NODE_ENV requires SENA_SSO_INSTITUTION_TENANT_ID as a non-secret IdP tenant/app-registration binding stored only as a hash; production NODE_ENV requires SENA_IDENTITY_LIFECYCLE_OWNER_MODE to be scim, idp, or hybrid for SCIM/IdP lifecycle ownership binding; production evidence receipts include requestPacketPolicyHash, requestPacketPolicyBindingStatus; production evidence receipts include productionEvidenceArtifactDigest; production evidence receipts include productionEvidenceArtifactDigestAlgorithm=sha256 and productionEvidenceArtifactDigestScope=external-evidence-artifact; production evidence receipts include productionEvidenceArtifactDigestCoveredEvidenceIds and productionEvidenceArtifactDigestCoverageStatus for submitted evidence-id coverage; production evidence receipts include productionEvidenceArtifactDigestCompletenessStatus for complete versus partial submitted-decision evidence; production evidence receipts include responseAuditHeaders and receiptArchiveBodyPaths; production evidence receipts include evidenceUrlHostBindingStatus, technicalBindingStatus, rotationFreshnessChecks, rotationExpiredEvidenceIds, and rotationDueSoonEvidenceIds for SSO and bearer-token rotation evidence."}}}},"responses":{"200":{"description":"sena-enterprise-platform-decision-acceptances/v1; sena-enterprise-platform-decision-acceptance/v1; sena-enterprise-platform-decision-production-evidence-receipt/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-identity-production-evidence/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-platform-decision-acceptances/v1; sena-enterprise-platform-decision-acceptance/v1; sena-enterprise-platform-decision-production-evidence-receipt/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-identity-production-evidence/v1"}}}}}},"post":{"tags":["Ops"],"operationId":"sena-ops-platform-decisions-post","summary":"List or record team-scoped platform decision acceptance records for production bridge/native-adapter ownership.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped platformDecisionRegister; GET responses include identityProductionEvidence as a redacted pre-submission packet with platformRequestPacket, cutoverChecklist, and receiptArchiveManifest plus identityProductionEvidence.institutionActionPlan.submissionMatrix and identityProductionEvidence.institutionActionPlan.ownerRunbooks for platform-owner submission tooling; GET responses include x-sena-identity-request-packet-policy-hash so platform-owner submission scripts can echo the current policy hash; GET responses include x-sena-identity-request-packet-policy-binding so platform-owner submission scripts can preflight current, stale, or missing IdP/provisioning receipt binding; GET responses include refreshed x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest for pre-submission archive capture; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary for pre-submission identity production gate feedback; GET responses include x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions for platform-owner scripts that need blocker counts without parsing the dossier body; GET and POST responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so institution IdP and provisioning owner lane scripts can route production evidence work from headers; GET and POST responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so institution IdP and provisioning owner lane scripts can bind the owner-runbook artifact version without parsing the dossier body; GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness as overall receipt archive gate headers; POST JSON { teamId, decisionId, status, acceptedBridge?, ownerName, ownerRole, environment, evidenceUrl?, productionEvidenceIds?, productionEvidenceArtifactDigest?, productionEvidenceVerifiedAt?, requestPacketPolicyHash?, notes }; POST responses include refreshed identityProductionEvidence for immediate verifier/blocker feedback; POST responses include x-sena-identity-request-packet-policy-hash, x-sena-identity-request-packet-policy-binding, and x-sena-identity-production-verifier-status for platform-owner audit capture; POST responses include x-sena-identity-production-receipt-digest; POST responses include x-sena-identity-submitted-evidence-digest as the stable platform-submission-inputs digest; stable platform-submission-inputs digest covers productionEvidenceArtifactDigest, submitted evidence IDs, redacted evidence URL hashes, request packet policy hash, and technical binding inputs; POST responses include x-sena-identity-production-evidence-artifact-digest for the platform-supplied external evidence artifact digest; POST responses include x-sena-identity-production-evidence-artifact-covered-ids and x-sena-identity-production-evidence-artifact-coverage for evidence-id coverage archive capture; POST responses include x-sena-identity-production-evidence-artifact-completeness for refreshed overall receipt archive gate capture; POST responses include x-sena-identity-submitted-decision-production-evidence-artifact-completeness for complete versus partial submitted-decision evidence archive capture; POST responses include x-sena-identity-evidence-url-host-binding, x-sena-identity-technical-binding, x-sena-identity-technical-readiness, x-sena-identity-rotation-freshness, x-sena-identity-rotation-expired-evidence, and x-sena-identity-rotation-due-soon-evidence; POST responses include x-sena-identity-receipt-archive-status and x-sena-identity-receipt-archive-missing-inputs; POST responses include x-sena-identity-submitted-decision-receipt-archive-missing-inputs for the submitted decision; POST responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary for refreshed overall identity production gate feedback; POST responses include x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions for refreshed overall identity production gate feedback; POST responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness as refreshed overall receipt archive gate headers; POST responses include refreshed x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest for immediate handoff archive capture; identity evidenceUrl must be HTTPS, non-local, non-private, separate from the SENA application origin, and returned only as evidenceUrlHash plus redacted evidenceUrlHostHash/evidenceUrlAllowedHostHash binding hashes; production NODE_ENV requires SENA_IDENTITY_EVIDENCE_ALLOWED_HOSTS for identity evidenceUrl acceptance; identity productionEvidenceIds require a production or pilot-production environment; IdP productionEvidenceIds include idp-tenant-approval, idp-callback-approval, sso-provider-secrets, sso-secret-store-reference, and sso-secret-rotation; provisioning productionEvidenceIds include provisioning-owner, scim-or-idp-ownership, bearer-token-rotation, and lifecycle-guardrails; productionEvidenceArtifactDigest must be a SHA-256 hex digest and is required for receipt archive readiness when productionEvidenceIds include identity production evidence ids; productionEvidenceArtifactDigest is listed in platformRequestPacket.submission.requiredBodyFields so platform-owner scripts submit the external evidence artifact digest with every identity production decision; missing productionEvidenceArtifactDigest is rejected when identity production evidence ids are submitted; productionEvidenceArtifactDigestPolicy keeps external evidence artifacts in institution custody and rejects raw artifact or secret uploads; productionEvidenceVerifiedAt is required when productionEvidenceIds include identity production evidence ids; requestPacketPolicyHash must echo the current platformRequestPacket.evidence requestPacketPolicyHash for identity production evidence submissions; productionEvidenceVerifiedAt must not be in the future; ownerNamePolicy requires a specific institution identity platform owner; productionEvidenceVerifiedAtPolicy requires a valid past-or-present timestamp; rotationFreshnessPolicy lists SSO and bearer-token rotation max-age and warning windows; production NODE_ENV requires SENA_SSO_*_CLIENT_SECRET_VERSION and SENA_PROVISIONING_TOKEN_VERSION as non-secret rotation identifiers stored only as binding hashes; production NODE_ENV requires SENA_SSO_INSTITUTION_CLIENT_SECRET_REF and SENA_PROVISIONING_TOKEN_SECRET_REF as non-secret institution secret-store references stored only as binding hashes; production NODE_ENV requires SENA_IDENTITY_SECRET_ROTATION_CADENCE_DAYS as a non-secret institution-approved rotation cadence from 1 to 180 days; production NODE_ENV requires SENA_SSO_INSTITUTION_TENANT_ID as a non-secret IdP tenant/app-registration binding stored only as a hash; production NODE_ENV requires SENA_IDENTITY_LIFECYCLE_OWNER_MODE to be scim, idp, or hybrid for SCIM/IdP lifecycle ownership binding; production evidence receipts include requestPacketPolicyHash, requestPacketPolicyBindingStatus; production evidence receipts include productionEvidenceArtifactDigest; production evidence receipts include productionEvidenceArtifactDigestAlgorithm=sha256 and productionEvidenceArtifactDigestScope=external-evidence-artifact; production evidence receipts include productionEvidenceArtifactDigestCoveredEvidenceIds and productionEvidenceArtifactDigestCoverageStatus for submitted evidence-id coverage; production evidence receipts include productionEvidenceArtifactDigestCompletenessStatus for complete versus partial submitted-decision evidence; production evidence receipts include responseAuditHeaders and receiptArchiveBodyPaths; production evidence receipts include evidenceUrlHostBindingStatus, technicalBindingStatus, rotationFreshnessChecks, rotationExpiredEvidenceIds, and rotationDueSoonEvidenceIds for SSO and bearer-token rotation evidence."}},"multipart/form-data":{"schema":{"type":"object","description":"GET ?teamId=... returns a team-scoped platformDecisionRegister; GET responses include identityProductionEvidence as a redacted pre-submission packet with platformRequestPacket, cutoverChecklist, and receiptArchiveManifest plus identityProductionEvidence.institutionActionPlan.submissionMatrix and identityProductionEvidence.institutionActionPlan.ownerRunbooks for platform-owner submission tooling; GET responses include x-sena-identity-request-packet-policy-hash so platform-owner submission scripts can echo the current policy hash; GET responses include x-sena-identity-request-packet-policy-binding so platform-owner submission scripts can preflight current, stale, or missing IdP/provisioning receipt binding; GET responses include refreshed x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest for pre-submission archive capture; GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary for pre-submission identity production gate feedback; GET responses include x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions for platform-owner scripts that need blocker counts without parsing the dossier body; GET and POST responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path so institution IdP and provisioning owner lane scripts can route production evidence work from headers; GET and POST responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so institution IdP and provisioning owner lane scripts can bind the owner-runbook artifact version without parsing the dossier body; GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness as overall receipt archive gate headers; POST JSON { teamId, decisionId, status, acceptedBridge?, ownerName, ownerRole, environment, evidenceUrl?, productionEvidenceIds?, productionEvidenceArtifactDigest?, productionEvidenceVerifiedAt?, requestPacketPolicyHash?, notes }; POST responses include refreshed identityProductionEvidence for immediate verifier/blocker feedback; POST responses include x-sena-identity-request-packet-policy-hash, x-sena-identity-request-packet-policy-binding, and x-sena-identity-production-verifier-status for platform-owner audit capture; POST responses include x-sena-identity-production-receipt-digest; POST responses include x-sena-identity-submitted-evidence-digest as the stable platform-submission-inputs digest; stable platform-submission-inputs digest covers productionEvidenceArtifactDigest, submitted evidence IDs, redacted evidence URL hashes, request packet policy hash, and technical binding inputs; POST responses include x-sena-identity-production-evidence-artifact-digest for the platform-supplied external evidence artifact digest; POST responses include x-sena-identity-production-evidence-artifact-covered-ids and x-sena-identity-production-evidence-artifact-coverage for evidence-id coverage archive capture; POST responses include x-sena-identity-production-evidence-artifact-completeness for refreshed overall receipt archive gate capture; POST responses include x-sena-identity-submitted-decision-production-evidence-artifact-completeness for complete versus partial submitted-decision evidence archive capture; POST responses include x-sena-identity-evidence-url-host-binding, x-sena-identity-technical-binding, x-sena-identity-technical-readiness, x-sena-identity-rotation-freshness, x-sena-identity-rotation-expired-evidence, and x-sena-identity-rotation-due-soon-evidence; POST responses include x-sena-identity-receipt-archive-status and x-sena-identity-receipt-archive-missing-inputs; POST responses include x-sena-identity-submitted-decision-receipt-archive-missing-inputs for the submitted decision; POST responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-missing-evidence-ids, x-sena-identity-cutover-checklist, x-sena-identity-cutover-blockers, and x-sena-identity-production-evidence-artifact-completeness-summary for refreshed overall identity production gate feedback; POST responses include x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, x-sena-identity-production-blocking-decisions for refreshed overall identity production gate feedback; POST responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness as refreshed overall receipt archive gate headers; POST responses include refreshed x-sena-identity-production-evidence-digest, x-sena-identity-evidence-binding-digest, and x-sena-identity-receipt-archive-manifest-digest for immediate handoff archive capture; identity evidenceUrl must be HTTPS, non-local, non-private, separate from the SENA application origin, and returned only as evidenceUrlHash plus redacted evidenceUrlHostHash/evidenceUrlAllowedHostHash binding hashes; production NODE_ENV requires SENA_IDENTITY_EVIDENCE_ALLOWED_HOSTS for identity evidenceUrl acceptance; identity productionEvidenceIds require a production or pilot-production environment; IdP productionEvidenceIds include idp-tenant-approval, idp-callback-approval, sso-provider-secrets, sso-secret-store-reference, and sso-secret-rotation; provisioning productionEvidenceIds include provisioning-owner, scim-or-idp-ownership, bearer-token-rotation, and lifecycle-guardrails; productionEvidenceArtifactDigest must be a SHA-256 hex digest and is required for receipt archive readiness when productionEvidenceIds include identity production evidence ids; productionEvidenceArtifactDigest is listed in platformRequestPacket.submission.requiredBodyFields so platform-owner scripts submit the external evidence artifact digest with every identity production decision; missing productionEvidenceArtifactDigest is rejected when identity production evidence ids are submitted; productionEvidenceArtifactDigestPolicy keeps external evidence artifacts in institution custody and rejects raw artifact or secret uploads; productionEvidenceVerifiedAt is required when productionEvidenceIds include identity production evidence ids; requestPacketPolicyHash must echo the current platformRequestPacket.evidence requestPacketPolicyHash for identity production evidence submissions; productionEvidenceVerifiedAt must not be in the future; ownerNamePolicy requires a specific institution identity platform owner; productionEvidenceVerifiedAtPolicy requires a valid past-or-present timestamp; rotationFreshnessPolicy lists SSO and bearer-token rotation max-age and warning windows; production NODE_ENV requires SENA_SSO_*_CLIENT_SECRET_VERSION and SENA_PROVISIONING_TOKEN_VERSION as non-secret rotation identifiers stored only as binding hashes; production NODE_ENV requires SENA_SSO_INSTITUTION_CLIENT_SECRET_REF and SENA_PROVISIONING_TOKEN_SECRET_REF as non-secret institution secret-store references stored only as binding hashes; production NODE_ENV requires SENA_IDENTITY_SECRET_ROTATION_CADENCE_DAYS as a non-secret institution-approved rotation cadence from 1 to 180 days; production NODE_ENV requires SENA_SSO_INSTITUTION_TENANT_ID as a non-secret IdP tenant/app-registration binding stored only as a hash; production NODE_ENV requires SENA_IDENTITY_LIFECYCLE_OWNER_MODE to be scim, idp, or hybrid for SCIM/IdP lifecycle ownership binding; production evidence receipts include requestPacketPolicyHash, requestPacketPolicyBindingStatus; production evidence receipts include productionEvidenceArtifactDigest; production evidence receipts include productionEvidenceArtifactDigestAlgorithm=sha256 and productionEvidenceArtifactDigestScope=external-evidence-artifact; production evidence receipts include productionEvidenceArtifactDigestCoveredEvidenceIds and productionEvidenceArtifactDigestCoverageStatus for submitted evidence-id coverage; production evidence receipts include productionEvidenceArtifactDigestCompletenessStatus for complete versus partial submitted-decision evidence; production evidence receipts include responseAuditHeaders and receiptArchiveBodyPaths; production evidence receipts include evidenceUrlHostBindingStatus, technicalBindingStatus, rotationFreshnessChecks, rotationExpiredEvidenceIds, and rotationDueSoonEvidenceIds for SSO and bearer-token rotation evidence."}}}},"responses":{"200":{"description":"sena-enterprise-platform-decision-acceptances/v1; sena-enterprise-platform-decision-acceptance/v1; sena-enterprise-platform-decision-production-evidence-receipt/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-identity-production-evidence/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-platform-decision-acceptances/v1; sena-enterprise-platform-decision-acceptance/v1; sena-enterprise-platform-decision-production-evidence-receipt/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-identity-production-evidence/v1"}}}}}}},"/api/sena/ops/release-gate":{"get":{"tags":["Ops"],"operationId":"sena-ops-release-gate-get","summary":"List or record team-scoped release gate reviews with deployment-readiness, platform-decision, and identity production evidence snapshots.","security":[{"sessionCookie":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teamId, environment, releaseVersion, decision, approverName, approverRole, notes, verificationCommand, verificationEvidence? }; responses include identityProductionSnapshot.cutoverChecklist for IdP tenant, SSO secret custody, SCIM/IdP ownership, and identity secret rotation release blockers; responses include identityProductionSnapshot.receiptArchiveManifest and identityProductionSnapshot.dossierDigest so reviewers can archive receipt manifest digests with release approval; responses include identityProductionSnapshot.institutionActionPlan so release reviewers can archive the redacted institution owner lane plan with the approval record; identityProductionSnapshot.institutionActionPlan.submissionMatrix maps each production evidence ID to its owner lane for release approval review; identityProductionSnapshot.institutionActionPlan.ownerRunbooks maps each institution owner lane to preflight, submission, receipt archive, and release blocker review for release approval review; identityProductionSnapshot.receiptArchiveManifest decisions preserve submittedEvidenceDigest and productionEvidenceArtifactDigest for release approval archive capture; release-gate identity snapshots expose platformRequestPacket.evidence requestPacketPolicyHash/requestPacketPolicyBinding so reviewers can verify the current identity request policy before approval; POST and GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from the release-gate identityProductionSnapshot; POST and GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness from the release-gate identityProductionSnapshot; POST and GET responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path for release-approval archive routing by institution owner lane; POST and GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps for release-approval archive binding of the owner-runbook artifact version."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teamId, environment, releaseVersion, decision, approverName, approverRole, notes, verificationCommand, verificationEvidence? }; responses include identityProductionSnapshot.cutoverChecklist for IdP tenant, SSO secret custody, SCIM/IdP ownership, and identity secret rotation release blockers; responses include identityProductionSnapshot.receiptArchiveManifest and identityProductionSnapshot.dossierDigest so reviewers can archive receipt manifest digests with release approval; responses include identityProductionSnapshot.institutionActionPlan so release reviewers can archive the redacted institution owner lane plan with the approval record; identityProductionSnapshot.institutionActionPlan.submissionMatrix maps each production evidence ID to its owner lane for release approval review; identityProductionSnapshot.institutionActionPlan.ownerRunbooks maps each institution owner lane to preflight, submission, receipt archive, and release blocker review for release approval review; identityProductionSnapshot.receiptArchiveManifest decisions preserve submittedEvidenceDigest and productionEvidenceArtifactDigest for release approval archive capture; release-gate identity snapshots expose platformRequestPacket.evidence requestPacketPolicyHash/requestPacketPolicyBinding so reviewers can verify the current identity request policy before approval; POST and GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from the release-gate identityProductionSnapshot; POST and GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness from the release-gate identityProductionSnapshot; POST and GET responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path for release-approval archive routing by institution owner lane; POST and GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps for release-approval archive binding of the owner-runbook artifact version."}}}},"responses":{"200":{"description":"sena-enterprise-release-gate-reviews/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-submission-verifier/v1; sena-enterprise-identity-rotation-freshness/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-release-gate-reviews/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-submission-verifier/v1; sena-enterprise-identity-rotation-freshness/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1"}}}}}},"post":{"tags":["Ops"],"operationId":"sena-ops-release-gate-post","summary":"List or record team-scoped release gate reviews with deployment-readiness, platform-decision, and identity production evidence snapshots.","security":[{"sessionCookie":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":true,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teamId, environment, releaseVersion, decision, approverName, approverRole, notes, verificationCommand, verificationEvidence? }; responses include identityProductionSnapshot.cutoverChecklist for IdP tenant, SSO secret custody, SCIM/IdP ownership, and identity secret rotation release blockers; responses include identityProductionSnapshot.receiptArchiveManifest and identityProductionSnapshot.dossierDigest so reviewers can archive receipt manifest digests with release approval; responses include identityProductionSnapshot.institutionActionPlan so release reviewers can archive the redacted institution owner lane plan with the approval record; identityProductionSnapshot.institutionActionPlan.submissionMatrix maps each production evidence ID to its owner lane for release approval review; identityProductionSnapshot.institutionActionPlan.ownerRunbooks maps each institution owner lane to preflight, submission, receipt archive, and release blocker review for release approval review; identityProductionSnapshot.receiptArchiveManifest decisions preserve submittedEvidenceDigest and productionEvidenceArtifactDigest for release approval archive capture; release-gate identity snapshots expose platformRequestPacket.evidence requestPacketPolicyHash/requestPacketPolicyBinding so reviewers can verify the current identity request policy before approval; POST and GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from the release-gate identityProductionSnapshot; POST and GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness from the release-gate identityProductionSnapshot; POST and GET responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path for release-approval archive routing by institution owner lane; POST and GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps for release-approval archive binding of the owner-runbook artifact version."}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teamId, environment, releaseVersion, decision, approverName, approverRole, notes, verificationCommand, verificationEvidence? }; responses include identityProductionSnapshot.cutoverChecklist for IdP tenant, SSO secret custody, SCIM/IdP ownership, and identity secret rotation release blockers; responses include identityProductionSnapshot.receiptArchiveManifest and identityProductionSnapshot.dossierDigest so reviewers can archive receipt manifest digests with release approval; responses include identityProductionSnapshot.institutionActionPlan so release reviewers can archive the redacted institution owner lane plan with the approval record; identityProductionSnapshot.institutionActionPlan.submissionMatrix maps each production evidence ID to its owner lane for release approval review; identityProductionSnapshot.institutionActionPlan.ownerRunbooks maps each institution owner lane to preflight, submission, receipt archive, and release blocker review for release approval review; identityProductionSnapshot.receiptArchiveManifest decisions preserve submittedEvidenceDigest and productionEvidenceArtifactDigest for release approval archive capture; release-gate identity snapshots expose platformRequestPacket.evidence requestPacketPolicyHash/requestPacketPolicyBinding so reviewers can verify the current identity request policy before approval; POST and GET responses include x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-receipt-review-requests, and x-sena-identity-production-blocking-decisions from the release-gate identityProductionSnapshot; POST and GET responses include x-sena-identity-receipt-archive-missing-inputs and x-sena-identity-production-evidence-artifact-completeness from the release-gate identityProductionSnapshot; POST and GET responses include x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, and x-sena-identity-institution-action-plan-submission-path for release-approval archive routing by institution owner lane; POST and GET responses include x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps for release-approval archive binding of the owner-runbook artifact version."}}}},"responses":{"200":{"description":"sena-enterprise-release-gate-reviews/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-submission-verifier/v1; sena-enterprise-identity-rotation-freshness/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-release-gate-reviews/v1; sena-enterprise-release-gate-review/v1; sena-enterprise-deployment-readiness/v1; sena-enterprise-platform-decision-register/v1; sena-enterprise-identity-production-evidence/v1; sena-enterprise-identity-submission-verifier/v1; sena-enterprise-identity-rotation-freshness/v1; sena-enterprise-identity-cutover-checklist/v1; sena-enterprise-identity-institution-action-plan/v1; sena-enterprise-identity-submission-matrix/v1; sena-enterprise-identity-owner-runbook/v1"}}}}}}},"/api/sena/ops/alerts":{"get":{"tags":["Ops"],"operationId":"sena-ops-alerts-get","summary":"Return machine-readable firing alerts or deliver signed alert webhooks.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET returns firing ops alerts; GET responses include x-sena-ops-alert-status, x-sena-ops-alert-firing, x-sena-identity-alert-count, x-sena-identity-alert-blockers, and x-sena-identity-alert-severity so deployment monitors can escalate unresolved institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation readiness alerts without parsing the alert body; POST JSON { action: deliver }"}},"multipart/form-data":{"schema":{"type":"object","description":"GET returns firing ops alerts; GET responses include x-sena-ops-alert-status, x-sena-ops-alert-firing, x-sena-identity-alert-count, x-sena-identity-alert-blockers, and x-sena-identity-alert-severity so deployment monitors can escalate unresolved institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation readiness alerts without parsing the alert body; POST JSON { action: deliver }"}}}},"responses":{"200":{"description":"sena-enterprise-ops-alerts/v1; sena-enterprise-ops-alert-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-ops-alerts/v1; sena-enterprise-ops-alert-delivery/v1"}}}}}},"post":{"tags":["Ops"],"operationId":"sena-ops-alerts-post","summary":"Return machine-readable firing alerts or deliver signed alert webhooks.","security":[{"sessionCookie":[]},{"opsBearer":[]}],"parameters":[{"name":"x-sena-csrf-token","in":"header","required":false,"schema":{"type":"string"},"description":"Token returned by GET /api/auth/csrf for cookie-auth browser mutations. Bearer-token ops calls may omit it."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"GET returns firing ops alerts; GET responses include x-sena-ops-alert-status, x-sena-ops-alert-firing, x-sena-identity-alert-count, x-sena-identity-alert-blockers, and x-sena-identity-alert-severity so deployment monitors can escalate unresolved institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation readiness alerts without parsing the alert body; POST JSON { action: deliver }"}},"multipart/form-data":{"schema":{"type":"object","description":"GET returns firing ops alerts; GET responses include x-sena-ops-alert-status, x-sena-ops-alert-firing, x-sena-identity-alert-count, x-sena-identity-alert-blockers, and x-sena-identity-alert-severity so deployment monitors can escalate unresolved institution IdP tenant approval, SSO secret custody, SCIM/IdP ownership, and secret rotation readiness alerts without parsing the alert body; POST JSON { action: deliver }"}}}},"responses":{"200":{"description":"sena-enterprise-ops-alerts/v1; sena-enterprise-ops-alert-delivery/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-ops-alerts/v1; sena-enterprise-ops-alert-delivery/v1"}}}}}}},"/api/sena/provisioning":{"get":{"tags":["Provisioning and SCIM"],"operationId":"sena-provisioning-get","summary":"Inspect provisioning configuration or upsert institution-managed teams, users, identities, and memberships.","security":[{"provisioningBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teams?, users?, memberships?, ssoIdentities? }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teams?, users?, memberships?, ssoIdentities? }"}}}},"responses":{"200":{"description":"sena-enterprise-provisioning-status/v1; sena-enterprise-provisioning/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-provisioning-status/v1; sena-enterprise-provisioning/v1"}}}}}},"post":{"tags":["Provisioning and SCIM"],"operationId":"sena-provisioning-post","summary":"Inspect provisioning configuration or upsert institution-managed teams, users, identities, and memberships.","security":[{"provisioningBearer":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"POST JSON { teams?, users?, memberships?, ssoIdentities? }"}},"multipart/form-data":{"schema":{"type":"object","description":"POST JSON { teams?, users?, memberships?, ssoIdentities? }"}}}},"responses":{"200":{"description":"sena-enterprise-provisioning-status/v1; sena-enterprise-provisioning/v1","content":{"application/json":{"schema":{"type":"object","description":"sena-enterprise-provisioning-status/v1; sena-enterprise-provisioning/v1"}}}}}}},"/api/sena/scim/v2/ServiceProviderConfig":{"get":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-config-get","summary":"Return SCIM 2.0 ServiceProviderConfig for the SENA bridge.","security":[{"scimBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"GET returns SCIM 2.0 ServiceProviderConfig with urn:sena:params:scim:schemas:extension:identity-production:2.0:ServiceProviderConfig carrying sena-scim-identity-production-gate/v1 redacted identity production gate status; responses include x-sena-scim-production-owner-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-production-blocking-decisions, x-sena-identity-provisioning-missing-evidence, x-sena-identity-provisioning-missing-technical-prerequisites, x-sena-identity-lifecycle-owner-mode, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so SCIM clients and platform owners can block production provisioning until SCIM/IdP ownership, lifecycle guardrails, bearer-token rotation, and secret rotation evidence are accepted."}},"multipart/form-data":{"schema":{"type":"object","description":"GET returns SCIM 2.0 ServiceProviderConfig with urn:sena:params:scim:schemas:extension:identity-production:2.0:ServiceProviderConfig carrying sena-scim-identity-production-gate/v1 redacted identity production gate status; responses include x-sena-scim-production-owner-gate, x-sena-identity-production-status, x-sena-identity-release-gate-blocked, x-sena-identity-request-blockers, x-sena-identity-production-blocking-decisions, x-sena-identity-provisioning-missing-evidence, x-sena-identity-provisioning-missing-technical-prerequisites, x-sena-identity-lifecycle-owner-mode, x-sena-identity-rotation-freshness, x-sena-identity-institution-action-plan-digest, x-sena-identity-institution-action-plan-blocking-lanes, x-sena-identity-institution-action-plan-ready-lanes, x-sena-identity-institution-action-plan-submission-path, x-sena-identity-owner-runbook-digest, x-sena-identity-owner-runbook-blocking, x-sena-identity-owner-runbook-preflight-checks, x-sena-identity-owner-runbook-submission-steps, and x-sena-identity-owner-runbook-receipt-archive-steps so SCIM clients and platform owners can block production provisioning until SCIM/IdP ownership, lifecycle guardrails, bearer-token rotation, and secret rotation evidence are accepted."}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig; sena-scim-identity-production-gate/v1","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig; sena-scim-identity-production-gate/v1"}}}}}}},"/api/sena/scim/v2/Users":{"get":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-users-get","summary":"List or create SCIM users with SENA enterprise role extensions.","security":[{"scimBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"SCIM User resource"}},"multipart/form-data":{"schema":{"type":"object","description":"SCIM User resource"}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:User; ListResponse","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:User; ListResponse"}}}}}},"post":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-users-post","summary":"List or create SCIM users with SENA enterprise role extensions.","security":[{"scimBearer":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"SCIM User resource"}},"multipart/form-data":{"schema":{"type":"object","description":"SCIM User resource"}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:User; ListResponse","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:User; ListResponse"}}}}}}},"/api/sena/scim/v2/Users/{resourceId}":{"put":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-user-resource-put","summary":"Replace or patch a SCIM user resource and mapped SENA memberships.","security":[{"scimBearer":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"SCIM User resource or PATCH operations"}},"multipart/form-data":{"schema":{"type":"object","description":"SCIM User resource or PATCH operations"}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:User","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:User"}}}}}},"patch":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-user-resource-patch","summary":"Replace or patch a SCIM user resource and mapped SENA memberships.","security":[{"scimBearer":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"SCIM User resource or PATCH operations"}},"multipart/form-data":{"schema":{"type":"object","description":"SCIM User resource or PATCH operations"}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:User","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:User"}}}}}}},"/api/sena/scim/v2/Groups":{"get":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-groups-get","summary":"List or create SCIM groups mapped to SENA teams and roles.","security":[{"scimBearer":[]}],"requestBody":{"required":false,"content":{"application/json":{"schema":{"type":"object","description":"SCIM Group resource"}},"multipart/form-data":{"schema":{"type":"object","description":"SCIM Group resource"}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:Group; ListResponse","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:Group; ListResponse"}}}}}},"post":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-groups-post","summary":"List or create SCIM groups mapped to SENA teams and roles.","security":[{"scimBearer":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"SCIM Group resource"}},"multipart/form-data":{"schema":{"type":"object","description":"SCIM Group resource"}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:Group; ListResponse","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:Group; ListResponse"}}}}}}},"/api/sena/scim/v2/Groups/{resourceId}":{"put":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-group-resource-put","summary":"Replace or patch a SCIM group resource and mapped team memberships.","security":[{"scimBearer":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"SCIM Group resource or PATCH operations"}},"multipart/form-data":{"schema":{"type":"object","description":"SCIM Group resource or PATCH operations"}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:Group","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:Group"}}}}}},"patch":{"tags":["Provisioning and SCIM"],"operationId":"sena-scim-group-resource-patch","summary":"Replace or patch a SCIM group resource and mapped team memberships.","security":[{"scimBearer":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"SCIM Group resource or PATCH operations"}},"multipart/form-data":{"schema":{"type":"object","description":"SCIM Group resource or PATCH operations"}}}},"responses":{"200":{"description":"urn:ietf:params:scim:schemas:core:2.0:Group","content":{"application/json":{"schema":{"type":"object","description":"urn:ietf:params:scim:schemas:core:2.0:Group"}}}}}}}},"components":{"securitySchemes":{"sessionCookie":{"type":"apiKey","in":"cookie","name":"sena_session"},"opsBearer":{"type":"http","scheme":"bearer","description":"Set SENA_OPS_TOKEN for deployment monitors."},"provisioningBearer":{"type":"http","scheme":"bearer","description":"Set SENA_PROVISIONING_TOKEN for provisioning and SCIM bridges."},"scimBearer":{"type":"http","scheme":"bearer","description":"Same bearer-token mechanism as the provisioning bridge."}}}}