Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/samkit511/SAW---Security-Analyst-Workspace/llms.txt

Use this file to discover all available pages before exploring further.

POST /agent-test runs a free-form prompt directly through the Google ADK msoa_coordinator agent, skipping the multi-stage triage pipeline. Use this endpoint to verify that ADK is initialized correctly, inspect what the coordinator agent produces for a given input, and debug unexpected behavior in the advisory layer before routing real logs through /ingest-log. This endpoint is not intended for production log ingestion. It is subject to the same in-flight limit as all other authenticated endpoints.

Authentication

Include your API key in the x-api-key request header. The default key for local development is demo. 
x-api-key: <your-api-key>

Request

Headers
x-api-key
string
required
API key for authentication. Requests without a valid key return 401 unauthorized.
Body
prompt
string
required
The text prompt to send to the ADK coordinator agent. Must not be empty. For security-related testing, use a realistic log snippet or a JSON description of an incident to exercise the agent’s reasoning path.
Example 
curl -X POST https://your-saw-host/agent-test \
  -H "x-api-key: demo" \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "A POST request to /api/transfer with payload amount=99999&to_account=9876 arrived from 198.51.100.7. The same IP sent 5 similar requests in the last 10 seconds. Classify the threat and recommend a decision."
  }'

Response

On success the server returns 200. If the Google ADK runner is available and enabled, the response reflects a live ADK session. If ADK is unavailable or disabled, the server falls back to the deterministic coordinator path. 
{
  "agent": "msoa_coordinator_adk",
  "agent_interface": "google_adk_runner",
  "runtime": "google_adk",
  "adk_status": "ok",
  "cache_hit": false,
  "root_agent": "msoa_coordinator",
  "session_id": "msoa-3e1f2a4b-5c6d-7e8f-9a0b-1c2d3e4f5a6b",
  "input": "A POST request to /api/transfer with payload amount=99999...",
  "response": {
    "summary": "Potential fraud or brute-force pattern detected from 198.51.100.7.",
    "coordinator_plan": ["detect_threat", "assess_risk", "recommend_decision"],
    "recommended_decision": "EXECUTE",
    "reason": "Rapid repeated high-value transfer requests from a single IP indicate automated attack behavior.",
    "runtime": "google_adk"
  },
  "response_text": "```json\n{...}\n```"
}
agent
string
required
Always "msoa_coordinator_adk".
agent_interface
string
required
The execution path used. "google_adk_runner" when ADK is active, "fallback_wrapper" when ADK is unavailable.
runtime
string
required
Matches agent_interface. Values: "google_adk", "fallback_wrapper".
adk_status
string
required
"ok" when the ADK session completed successfully, "error" when the ADK runner raised an exception, or "skipped" when ADK execution is disabled via ASA_ENABLE_ADK_ADVISORY=false.
session_id
string
The ADK session ID created for this request. Formatted as msoa-<uuid>. Present only when ADK is available.
input
string
required
The prompt that was submitted to the agent, echoed back for verification.
response
object
The parsed JSON object extracted from the agent’s final response text. The coordinator agent is instructed to return keys summary, coordinator_plan, recommended_decision, follow_up_task, reason, and runtime when analyzing a security event.
response_text
string
The raw final response text from the ADK agent before JSON parsing. Useful for debugging malformed agent outputs.
cache_hit
boolean
required
true if the response was served from the in-process ADK response cache (TTL: 120 seconds by default). Caching prevents redundant LLM calls for identical prompts within the TTL window.

Error codes

StatusCodeDescription
400invalid_jsonThe request body is not valid JSON.
400empty_promptThe prompt field is missing or resolves to an empty string.
401unauthorizedThe x-api-key header is missing or incorrect.
413payload_too_largeThe request body exceeds ASA_MAX_REQUEST_BYTES (default: 16 384 bytes).
503overloadedThe server has reached ASA_MAX_INFLIGHT (default: 8) concurrent requests. Retry after 1 second.
When adk_status is "error", the response body still returns 200 and includes an adk_error field with the error message, a retry_after_seconds value if the ADK API returned a rate limit header, and a fallback_response object with a deterministic threat snapshot for the submitted prompt.

Build docs developers (and LLMs) love

Get started for freeTalk to us