# Compliance APIs
## Why This Exists
This document defines API responsibilities for the Compliance Domain.
It does not define implementation code or final OpenAPI specifications.
## Owner
The owner is the Chief Product Officer and Enterprise Architect.
## Business Value
Compliance APIs allow other domains and user experiences to access readiness, requirements, evidence, expiry, risk, and suggestion review through governed boundaries.
## API Groups
| API group | Responsibilities | Example endpoints |
|---|---|---|
| Compliance Profile API | Create and inspect compliance profiles. | POST /organizations/{organizationId}/compliance-profile, GET /compliance/profiles/{profileId} |
| Requirement API | Manage general and tender-specific requirements. | POST /compliance/requirements, GET /compliance/requirements?organizationId= |
| Document API | Upload and manage compliance documents. | POST /compliance/documents, PATCH /compliance/documents/{documentId} |
| Evidence API | Link evidence to requirements. | POST /compliance/evidence, GET /compliance/evidence/{evidenceId} |
| Verification API | Review and verify evidence. | POST /compliance/verifications, GET /compliance/verifications/{verificationId} |
| Expiry API | Query expiry and renewal status. | GET /compliance/expiry?organizationId= |
| Readiness API | Retrieve readiness score and components. | GET /compliance/readiness/{organizationId} |
| Risk API | Manage compliance risks and gaps. | GET /compliance/risks?organizationId=, PATCH /compliance/risks/{riskId} |
| AI Suggestion Review API | Accept, reject, or review AI suggestions. | POST /compliance/ai-suggestions/{suggestionId}/review |
| South African Context API | Expose SA compliance context summaries. | GET /compliance/za/{organizationId} |
## API Principles
- APIs must require OrganizationId for organization-bound compliance work.
- APIs must not duplicate Organization identity ownership.
- APIs must enforce verification, expiry, and readiness rules.
- APIs must treat AI suggestions as suggestions until approved.
- APIs must publish compliance events for meaningful state changes.
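The following is an added illustration, not code from this project: a small in-memory model of the principles above, using the AI Suggestion Review endpoint as the concrete case. The service class, exception types, event name and the `Caller` shape are assumptions for this example; the real implementation and OpenAPI contract are defined elsewhere.

```python
"""Added example (not the project's code) modelling the API principles:
organization scoping, suggestions staying suggestions until approved, and
event publication on meaningful state changes. All names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List
import uuid


class SuggestionStatus(str, Enum):
    SUGGESTED = "suggested"  # produced by AI, not yet reviewed by a person
    ACCEPTED = "accepted"
    REJECTED = "rejected"


class BadRequest(Exception):
    """Request is missing or misusing a required field (maps to HTTP 400)."""


class Forbidden(Exception):
    """Caller may not act on this organization's data (maps to HTTP 403)."""


class NotFound(Exception):
    """No such resource (maps to HTTP 404)."""


@dataclass
class Caller:
    user_id: str
    organization_id: str  # tenant the caller is authenticated for (assumed shape)


@dataclass
class AISuggestion:
    suggestion_id: str
    organization_id: str
    requirement_id: str
    status: SuggestionStatus = SuggestionStatus.SUGGESTED


class ComplianceService:
    """Hypothetical service behind the Compliance APIs (assumption, not the project's code)."""

    def __init__(self) -> None:
        self._suggestions: Dict[str, AISuggestion] = {}
        self.events: List[dict] = []  # stand-in for the compliance event stream

    def _require_org(self, caller: Caller, organization_id: str) -> None:
        # Principle: organization-bound work must carry OrganizationId, and the
        # caller's own tenant must match it. Identity ownership stays with the
        # Organization domain; this service only compares ids, never creates them.
        if not organization_id:
            raise BadRequest("organizationId is required")
        if caller.organization_id != organization_id:
            raise Forbidden("caller does not belong to organization %s" % organization_id)

    def create_suggestion(self, caller: Caller, organization_id: str,
                          requirement_id: str) -> AISuggestion:
        self._require_org(caller, organization_id)
        suggestion = AISuggestion(str(uuid.uuid4()), organization_id, requirement_id)
        self._suggestions[suggestion.suggestion_id] = suggestion
        return suggestion

    def review_suggestion(self, caller: Caller, suggestion_id: str,
                          decision: str) -> AISuggestion:
        # Models POST /compliance/ai-suggestions/{suggestionId}/review.
        suggestion = self._suggestions.get(suggestion_id)
        if suggestion is None:
            raise NotFound(suggestion_id)
        # Look the record up first, then check its owning organization, so a valid
        # id that belongs to another tenant is refused rather than served.
        self._require_org(caller, suggestion.organization_id)
        if decision not in ("accept", "reject"):
            raise BadRequest("decision must be 'accept' or 'reject'")
        if suggestion.status is not SuggestionStatus.SUGGESTED:
            raise BadRequest("suggestion %s has already been reviewed" % suggestion_id)
        suggestion.status = (SuggestionStatus.ACCEPTED if decision == "accept"
                             else SuggestionStatus.REJECTED)
        # Principle: a meaningful state change publishes a compliance event.
        self.events.append({
            "type": "compliance.ai_suggestion.reviewed",  # event name is an assumption
            "organizationId": suggestion.organization_id,
            "suggestionId": suggestion.suggestion_id,
            "status": suggestion.status.value,
            "reviewedBy": caller.user_id,
        })
        return suggestion

    def accepted_suggestions(self, caller: Caller, organization_id: str) -> List[AISuggestion]:
        # Only accepted suggestions may feed requirements or readiness; unreviewed
        # and rejected ones are invisible to downstream compliance logic.
        self._require_org(caller, organization_id)
        return [s for s in self._suggestions.values()
                if s.organization_id == organization_id
                and s.status is SuggestionStatus.ACCEPTED]
```

The ordering in `review_suggestion` is the point to keep: the organization check runs against the record's own `organization_id`, not against a value the client supplies, so an id guessed or copied from another tenant cannot be reviewed. A production endpoint would typically map the cross-tenant `Forbidden` to the same 404 as a missing id so that the response does not confirm the suggestion exists.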
## OpenAPI Scope
Final OpenAPI specifications come later. This document defines API responsibilities and example endpoint shapes only.