System info, activities, data management, and URL reachability. Mounted at /api/v1 (INF-005).
All queries are scoped to the authenticated user's workspace (ACL-001).
Endpoints
| Method | Path | Description | Min Role |
|---|---|---|---|
GET |
/api/v1/activities |
Activity log (filterable by type, project) | viewer |
POST |
/api/v1/test-connection |
Verify a URL is reachable (SSRF-protected) | qa_lead |
GET |
/api/v1/system |
Uptime, Node/Playwright versions, DB counts | viewer |
POST |
/api/v1/system/client-error |
Log a frontend crash report | viewer |
DELETE |
/api/v1/data/runs |
Clear all run history (incl. soft-deleted) | admin |
DELETE |
/api/v1/data/activities |
Clear activity log | admin |
DELETE |
/api/v1/data/healing |
Clear self-healing history | admin |
- Source:
Members
(inner, constant) auditExportLimiter
SEC-007: anti-exfiltration rate limiter for bulk audit-log exports.
Browsing the JSON paginated view is cheap; CSV/NDJSON exports return the
entire current page in one shot and a determined exfiltrator can
script the cursor loop to pull the whole log in seconds. Cap export
calls at 10 per 15-min window per (workspace × admin) — generous for
legitimate evidence requests (SOC 2 control-walk, customer DSAR), tight
enough that a script tripping the limit shows up as a clear signal in
both the rate-limit logs and the meta-audit audit.export rows.
The keyGenerator includes req.workspaceId + sub so a compromised admin
cookie can't burn the budget of an unrelated workspace.
- Source: