API — Platform (health, settings, dashboard, audit)
Purpose
Cross-cutting platform endpoints: the health check, business-unit settings, the manager landing dashboard, and read access to the audit event log.
Endpoints
Health — base /api/Health
| Method | Path | Purpose | Gate |
|---|---|---|---|
| GET | /api/Health | Liveness + database/version | none (open) |
The health endpoint is the one the mobile skeleton calls (see Background jobs / sheet 20).
Settings — base /api/settings
| Method | Path | Purpose | Gate |
|---|---|---|---|
| GET | /api/settings | Read BU settings | [Authorize] |
| PATCH | /api/settings | Update BU settings | admin.config |
Dashboard — base /api/dashboard
| Method | Path | Purpose | Gate |
|---|---|---|---|
| GET | /api/dashboard/summary | Manager landing tiles | dashboard.view |
Audit events — base /api/audit/events
| Method | Path | Purpose | Gate |
|---|---|---|---|
| GET | /api/audit/events | Query the audit log | admin.audit (resolved in-handler) |
dashboard.view is held by all roles except EMPLOYEE; admin.audit by SYS_ADMIN + HR_ADMIN (see the RBAC matrix).
Shapes & errors
/api/dashboard/summary returns tile counts (a landing summary, JSON tiles — no charts, sheet 17). /api/audit/events reads the append-only audit_events table; the handler authorizes the required policy explicitly before returning. Standard ProblemDetails on failure.
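An added sketch of an in-handler gate of the kind described for /api/audit/events, not the project's own code. It assumes ASP.NET Core with `admin.audit` registered as a named authorization policy; `AuditEventsController`, `IAuditEventReader`, `AuditEventDto` and the `take` parameter are hypothetical names.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/audit/events")]
[Authorize] // assumption: authentication is still enforced declaratively
public sealed class AuditEventsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    private readonly IAuditEventReader _reader; // hypothetical read-only query service

    public AuditEventsController(IAuthorizationService authz, IAuditEventReader reader)
    {
        _authz = authz;
        _reader = reader;
    }

    [HttpGet]
    public async Task<IActionResult> Query([FromQuery] int take = 50, CancellationToken ct = default)
    {
        // Resolve the policy imperatively, before any read of audit_events.
        // AuthorizeAsync throws if "admin.audit" was never registered, so a
        // missing policy fails closed rather than silently allowing access.
        var decision = await _authz.AuthorizeAsync(User, "admin.audit");
        if (!decision.Succeeded)
        {
            // ProblemDetails body; no audit data is touched on this path.
            return Problem(statusCode: StatusCodes.Status403Forbidden,
                           title: "Forbidden",
                           detail: "The admin.audit permission is required.");
        }

        take = Math.Clamp(take, 1, 200); // bound the page size (hypothetical limits)
        return Ok(await _reader.QueryAsync(take, ct));
    }
}

// Hypothetical abstractions so the controller compiles on its own.
public interface IAuditEventReader
{
    Task<IReadOnlyList<AuditEventDto>> QueryAsync(int take, CancellationToken ct);
}

public sealed record AuditEventDto(long Id, string EventType, DateTimeOffset OccurredAt);
```

Because the gate lives in the method body rather than in an attribute, a scan for `[Authorize(Policy = ...)]` will not see it; an integration test that calls the endpoint as a role without admin.audit and expects 403 covers that gap.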
Gotchas
- Audit is read-only here and selective at the source. The log only contains events that services explicitly logged — it is not an automatic shadow of every write (see Audit & soft-delete).
- Dashboard is tiles, not analytics — utilization/equalization summaries are JSON-only elsewhere; there is no chart library (sheet 17).
- admin.config gates the settings write only — reads are open to any authenticated user.
Related
- Audit & soft-delete · RBAC matrix
- Swagger: /swagger · Fact sheets 01 (foundation), 17 (reports & dashboards).