API — Diagnostics (dev-only)
Not production endpoints
The six /api/diagnostics/* controllers are development-only. They are [AllowAnonymous] and gated to IsDevelopment() — outside Development they return 404. Three of them carry an explicit source comment: "TODO: Remove or restrict to [Authorize(Roles="SuperAdmin")] before production." They are diagnostic aids, not integrations or a supported API. Do not build against them.
Purpose
Local development and UAT diagnostics: inspecting resolved approval-matrix rules, recent audit writes, the current token's claims, a manual certification-expiry sweep, an employee summary, and the skill matrix.
Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /api/diagnostics/approval-matrix/rules | List approval-matrix rules |
| GET | /api/diagnostics/approval-matrix/resolve | Resolve an approver for a scenario |
| GET | /api/diagnostics/audit/recent | Recent audit events |
| POST | /api/diagnostics/audit/test | Emit a test audit event |
| GET | /api/diagnostics/auth/me | Echo the current token's claims |
| POST | /api/diagnostics/certifications/run-expiry-sweep | Manually run a cert-expiry sweep |
| GET | /api/diagnostics/employees/summary | Employee counts summary |
| GET | /api/diagnostics/skills/matrix | Skill-matrix dump |
Gotchas
- run-expiry-sweep is the only way certifications get an expiry pass. There is no scheduled/recurring job for it (see Background jobs); this dev endpoint triggers it manually. In production there is currently no automatic cert-expiry sweep (sheet 04).
- The approval-matrix resolver is real but only consumed here: it is wired into DI and these diagnostics, but not into any live approval flow (sheet 06). Don't infer a production approval-matrix engine from this endpoint's existence.
- AllowAnonymous + IsDevelopment(): these return 404 in any non-Development environment; they are not a hidden admin surface.
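A post-deployment check for the 404 gating described above, as an added example (not code from this project): it requests every path in the endpoint table without credentials and reports any that answers with something other than 404. The function names, the injectable `fetch` parameter and the sample host are assumptions made for illustration.

```python
import urllib.error
import urllib.request

# Method and path pairs copied from the endpoint table on this page.
DIAGNOSTIC_ENDPOINTS = [
    ("GET", "/api/diagnostics/approval-matrix/rules"),
    ("GET", "/api/diagnostics/approval-matrix/resolve"),
    ("GET", "/api/diagnostics/audit/recent"),
    ("POST", "/api/diagnostics/audit/test"),
    ("GET", "/api/diagnostics/auth/me"),
    ("POST", "/api/diagnostics/certifications/run-expiry-sweep"),
    ("GET", "/api/diagnostics/employees/summary"),
    ("GET", "/api/diagnostics/skills/matrix"),
]

def http_status(base_url, method, path, timeout=5.0):
    """Send one unauthenticated request and return the HTTP status code.

    Connection failures (URLError) propagate on purpose: an unreachable
    host must not be mistaken for a correctly gated one.
    """
    body = b"" if method == "POST" else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def find_ungated(base_url, fetch=http_status):
    """Return (method, path, status) for every endpoint that did not answer 404.

    401/403 also count as findings: they show the route is mapped, which is
    not the documented non-Development behaviour. If the gate is missing,
    the two POST routes will actually execute (test audit event, expiry sweep).
    """
    findings = []
    for method, path in DIAGNOSTIC_ENDPOINTS:
        status = fetch(base_url, method, path)
        if status != 404:
            findings.append((method, path, status))
    return findings

if __name__ == "__main__":
    # Constructed sample: one route leaked, one sits behind auth, the rest are gated.
    sample = {"/api/diagnostics/auth/me": 200, "/api/diagnostics/audit/recent": 401}
    fake = lambda base, method, path: sample.get(path, 404)
    for method, path, status in find_ungated("https://staging.example.invalid", fetch=fake):
        print(f"NOT GATED: {method} {path} -> {status}")
```

Against a real non-Development deployment, call `find_ungated(base_url)` with the default fetcher; an empty list is the expected result.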
Build status
Planned/dev-only — these exist solely for development diagnostics and are slated for removal/restriction before production. Not part of the supported API.
Related
- Background jobs — why the cert sweep is manual.
- Swagger: /swagger · Fact sheets 04 (certifications), 06 (approval matrix), 19 (integrations; confirms no production integrations).