Module Architecture & Data Flows
This document is the definitive reference for how ThreatWeaver's backend is structured internally. It covers the global request lifecycle that every API call passes through, then dedicates a full section to each of the 12 major modules: what it does, which entities it owns, which external systems it touches, and how it connects to neighbouring modules.
This page is written for backend engineers, technical leads, and security reviewers. If you want the high-level picture first, start with Architecture Diagrams. If you want individual request traces, see Request Flows.
How ThreatWeaver's Modular Architecture Worksβ
ThreatWeaver is a monolithic Express application split into functional modules. Each module maps to:
- One or more route files (
backend/src/routes/*.routes.ts) - One or more service files (
backend/src/services/) - A set of TypeORM entities it "owns" (primary read/write responsibility)
- Optional external API dependencies
- Optional module entitlement gating (e.g.,
requireModule('appsec'))
Modules are not micro-services β they share the same Node.js process, the same PostgreSQL connection pool, and the same TypeORM DataSource. What isolates them is:
- Entitlement middleware β routes check whether the authenticated tenant's license includes the module before processing any request.
- Database schema isolation β all DB queries go through
getTenantRepository(), which setssearch_pathto the tenant's private PostgreSQL schema before any query executes. - Rate limiting per module β different modules have different rate limits (e.g., AppSec reads allow 2,000 req/min vs. 100 req/min global).
The result is a system where modules can be independently enabled, independently rate-limited, and independently audited β while still sharing infrastructure for efficiency.
Global Request Lifecycleβ
Every authenticated API request passes through this middleware stack before any route handler runs. This is defined in backend/src/index.ts and applies globally.
Full Middleware Order (from index.ts)β
| Step | Middleware | Purpose |
|---|---|---|
| 1 | Trust Proxy | Enable req.ip behind Render's load balancer |
| 2 | Helmet | CSP, HSTS, X-Frame-Options, referrer-policy |
| 3 | Permissions-Policy | Restrict browser feature access |
| 4 | CORS | Origin allowlist (frontend + agent origins) |
| 5 | Global Rate Limiter | 100 req/min per IP β DoS protection |
| 6 | Auth-specific rate limiters | Login: 10/15 min; MFA: 5/15 min |
| 7 | Body Parser (JSON) | 1 MB payload cap; reject malformed JSON |
| 8 | Cookie Parser | Parse HttpOnly JWT cookies |
| 9 | Body Error Handler | Return 400 on malformed JSON or oversized body |
| 10 | JSON Depth Limiter | Reject objects nested > 20 levels (DoS protection) |
| 11 | Decryption Middleware | Decrypt E2EE payloads (double-encrypted from frontend) |
| 12 | CSRF Validation | Block state-mutating requests without valid Origin header |
| 13a | authenticate | Verify JWT from cookie or Authorization header |
| 13b | resolveTenant | Resolve tenant ID β schema name from JWT claim |
| 13c | setTenantSchema | SET search_path = <tenant_schema> on query runner |
| 13d | enforceTenancy | Validate license + module entitlement |
| 13e | tenantRateLimiter | Per-tenant request caps from entitlement config |
| 13f | usageMeter | Increment usage counter for billing/audit |
| 14 | setupModeGuard | Redirect to setup wizard if initial setup is incomplete |
| 15 | Route Handler | Module-specific logic executes |
Exceptions: Routes under
/auth/*,/internal/*, and/agent/*skip steps 13aβ13f. The/auth/*routes have their own tighter rate limits./internal/*usesX-Internal-API-Keytiming-safe comparison./agent/*uses mutual TLS + certificate authentication.
Module 1: Authenticationβ
What It Doesβ
The Authentication module handles all identity operations: user login, token issuance, refresh, logout, MFA enrollment and verification, and session management. It is the entry point for all human users before any other module is accessible. It maintains an IP allowlist/blocklist evaluated on every login attempt, and records every authentication event to a security audit log for compliance.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
User | User accounts, bcrypt-hashed passwords, role assignments, MFA secrets |
TokenBlacklist | Revoked JWTs (stored until natural expiry to prevent reuse) |
IpWhitelist | Trusted IPs that bypass rate limiting |
IpBlacklist | Blocked IPs (manual + automatic after brute-force detection) |
SecurityAuditLog | Immutable record of every auth event (login, logout, MFA, password change) |
External Dependenciesβ
None. Authentication is fully self-contained within ThreatWeaver. SSO (Microsoft Entra ID) lives in the SSO module, which delegates token exchange back to this module's session system.
Key Security Considerationsβ
- All passwords use bcrypt with a minimum cost factor of 12.
- JWTs are issued as
HttpOnly; Secure; SameSite=Strictcookies β not accessible to JavaScript. - Tokens contain
tenantId,userId,role, and ajti(unique token ID) for revocation tracking. - After 5 consecutive failed logins, the source IP is automatically added to the blocklist.
- The
/auth/*path is excluded from the multi-tenant middleware chain (unauthenticated users have no tenant context yet).
Cross-Module Dependenciesβ
- SSO Module delegates user provisioning and session issuance back to Auth.
- Security Audit Module queries
SecurityAuditLog(written by Auth) for the admin security dashboard. - Admin Panel manages
UserandIpWhitelist/Blacklistentities.
Module 2: Sync Engine (Tenable Integration)β
What It Doesβ
The Sync Engine is ThreatWeaver's data ingestion pipeline. It connects to the Tenable.io Cloud API (Export API v2), streams vulnerability and asset data in paginated chunks, normalizes the Tenable schema into ThreatWeaver's internal schema, and upserts the results into PostgreSQL. After each successful sync, it triggers the aggregation service to recompute all KPIs and trend data. Syncs are tracked as SyncJob records with full progress visibility via SSE.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
SyncJob | Tracks every sync run β status, start/end time, record counts, error messages |
Audit | General audit log entries written during sync for compliance |
External Dependenciesβ
- Tenable.io Cloud API (Export API v2) β requires
TENABLE_ACCESS_KEYandTENABLE_SECRET_KEYenvironment variables stored encrypted inAppConfig. - Tenable API keys are decrypted at runtime by the API Config module.
Key Security Considerationsβ
- Sync is admin-only. The
usageMetermiddleware tracks each sync against the tenant's monthly quota. tenantRateLimiterprevents sync abuse (e.g., triggering dozens of concurrent exports).- Tenable API credentials are never stored in plaintext β they live in
AppConfigencrypted with AES-256.
Cross-Module Dependenciesβ
- API Config Module β Sync reads Tenable credentials from
AppConfig. - Dashboard Module β Sync feeds data to
VulnerabilityandAssettables that the Dashboard reads. - Assets Module β Upserted
Assetrecords become queryable via the Assets API. - Vulnerabilities Module β Upserted
Vulnerabilityrecords power all vulnerability views. - Progress/SSE Module β Progress events are streamed back to the UI via the SSE endpoint.
Module 3: Dashboardβ
What It Doesβ
The Dashboard module is the primary read path for the Vulnerability Management workspace. It aggregates vulnerability and asset data into KPIs (total vulns, critical count, WeaverScore, trend direction), serves widget data for customizable charts, and provides trend snapshots for time-series analysis. It is a read-only module β it never writes vulnerability or asset data directly.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
TrendSnapshot | Point-in-time snapshots of KPIs for trend charts (saved after each sync) |
Read Entities (owned by other modules)β
Vulnerability, Asset (owned by their respective modules β Dashboard reads only).
External Dependenciesβ
None. Dashboard is a pure internal aggregation layer.
Key Security Considerationsβ
requireModule('vulnerability_dashboard')β tenants without this module entitlement receive 403.- Cache headers are set on KPI responses to reduce DB load on high-traffic deployments.
- Widget data queries use parameterized queries via TypeORM; the
groupByfield is validated against an allowlist before being interpolated.
Cross-Module Dependenciesβ
- Sync Engine β must run first to populate
VulnerabilityandAssettables. - Vulnerabilities Module β shares the
Vulnerabilitytable. - Assets Module β shares the
Assettable. - Export Module β the Dashboard's aggregated data can be exported via the Export module.
Module 4: AppSec Scannerβ
What It Doesβ
The AppSec Scanner is ThreatWeaver's automated penetration testing engine and the largest, most complex module in the codebase. It manages the full assessment lifecycle: target definition, authentication profiling, six-phase scanning (Phase 0 bootstrap through Phase 5 chaining + reporting), 56+ attack agents, AI-powered finding validation, and PDF report generation. It exposes SSE streams for real-time progress, supports CI/CD integration via API key authentication, and can send webhook callbacks when scans complete.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
PentestAssessment | Top-level scan container β target, config, status, phase, timing, stats |
PentestFinding | Discovered vulnerability: type, severity, CVSS, CWE, evidence refs, validation status |
PentestTarget | Application/API being tested: URL, tech stack, scan mode (black/gray/white box) |
PentestEvidence | Raw request/response payloads proving a finding (stored encrypted) |
PentestAuthProfile | Authentication credentials and session config per target |
PentestReport | Generated PDF/HTML pentest reports (S3 or DB storage) |
PentestExploitChain | Multi-step attack chains linking related findings |
PentestFindingObservation | FP heuristic results and per-probe confidence data |
PentestAgentLog | Per-agent execution logs (timing, endpoint count, errors) |
PentestCrawlResult | Discovered endpoints from Phase 1 crawling |
Phase0Session | Interactive Phase 0 Q&A session data (sector, context hints) |
PentestAgentConfig | Per-agent tuning (timeouts, payload lists, thresholds) |
External Dependenciesβ
- AI Providers (Claude/GPT) β used for finding validation, CVSS enrichment, remediation generation, executive summary narrative, and exploit chain analysis. Configured via
AiProviderentity. - OOB Callback Server (optional) β SSRF/OAST probes use an out-of-band DNS/HTTP callback server (
INTERACTSH_URLenv var).
Key Security Considerationsβ
- Read endpoints: 2,000 req/min. Write endpoints: 120 req/min. Prevents scan flooding.
requireModule('appsec')β only tenants with the AppSec module can create assessments.- All outbound HTTP probe requests go through
validateOutboundUrl()β prevents SSRF from the scanner itself being weaponized. - Evidence payloads (raw HTTP request/response) may contain secrets from the target; they are stored with restricted access and stripped of known-sensitive headers before display.
Cross-Module Dependenciesβ
- CI/CD Scan Module β delegates scan creation and start to AppSec entities.
- Delta Scanning Module β reads AppSec assessment data read-only.
- Webhook Receivers β GitHub/GitLab pushes trigger AppSec assessments.
- Reports Module β reads
PentestFindingandPentestAssessmentfor compliance report generation. - Notifications β scan completion triggers notification events.
Module 5: CI/CD Scan Integrationβ
What It Doesβ
The CI/CD Scan module provides a headless, session-free interface for triggering AppSec scans from CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins). Unlike the main AppSec module which requires JWT-authenticated browser sessions, this module authenticates entirely via a static X-API-Key header validated with a timing-safe comparison. It exposes minimal endpoints: create a scan, check status, retrieve findings summary β exactly what a CI job needs.
Owned DB Entitiesβ
PentestAssessment, PentestTarget (shared with AppSec β CI/CD creates assessments in the same tables).
External Dependenciesβ
None. Delegates all scanning logic to the AppSec module's coordinator.
Key Security Considerationsβ
- No session cookies or JWTs involved β purely API key based for CI compatibility.
requireApiKeyusescrypto.timingSafeEqual()to prevent timing side-channel attacks.- API keys are stored hashed (SHA-256) in the database β never retrievable in plaintext after creation.
- The tenant is derived from the API key itself (keys are scoped per-tenant at creation time).
Cross-Module Dependenciesβ
- AppSec Scanner β CI/CD Scan is a thin facade over AppSec's coordinator.
- Webhook Receivers β complementary entry point (GitHub push β webhook β this module for automated trigger).
Module 6: Webhook Receiversβ
What It Doesβ
The Webhook Receivers module handles inbound webhooks from external source code platforms β primarily GitHub and GitLab. When a push event arrives (e.g., a merge to main), the module verifies the webhook signature, identifies the associated PentestTarget, creates a new assessment, and triggers the AppSec scanner. This enables fully automated security scanning on every code push with zero human intervention.
Owned DB Entitiesβ
PentestTarget (read β maps repo URL to target), PentestAssessment (creates new assessment per push).
External Dependenciesβ
- GitHub β sends
push,pull_request,releaseevents signed with HMAC-SHA256. - GitLab β sends equivalent events with a plain
X-Gitlab-Tokensecret header.
Key Security Considerationsβ
- GitHub: HMAC-SHA256 signature verification against
X-Hub-Signature-256header. Rejects any request that doesn't match. - GitLab: Plain token comparison using timing-safe equality.
- Event payloads are never logged in plaintext (may contain source code metadata).
- Only registered
PentestTargetrepos can trigger scans β unknown repos are silently ignored with 200 OK (prevents enumeration).
Cross-Module Dependenciesβ
- AppSec Scanner β creates assessments and starts scans using the AppSec coordinator.
- CI/CD Scan Module β similar purpose; Webhook Receivers is the push-triggered entry point, CI/CD Scan is the pull/polling entry point.
Module 7: SSO (Microsoft Entra ID)β
What It Doesβ
The SSO module implements OAuth2 authentication via Microsoft Entra ID (formerly Azure AD). When a user clicks "Sign in with Microsoft," this module handles the authorization code exchange, validates the Microsoft-issued JWT, provisions the user in ThreatWeaver (or updates their profile if they already exist), and issues a ThreatWeaver session cookie via the Auth module. It also manages tenant membership β assigning SSO users to the correct tenant based on their Azure tenant ID.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
User | Created/updated on first SSO login (shared with Auth module) |
tenant_memberships | Maps SSO users to their ThreatWeaver tenant |
tenant_configs | Per-tenant SSO configuration (client ID, tenant ID, redirect URIs) |
External Dependenciesβ
- Microsoft Entra ID β OAuth2 authorization server. Requires
AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_IDper-tenant configuration stored intenant_configs.
Key Security Considerationsβ
- PKCE (
code_verifier/code_challenge) is used β protects against authorization code interception. stateparameter is a cryptographically random nonce stored in session β validated on callback to prevent CSRF.resolveLimiterrate limiter on the callback endpoint prevents token flooding.- Microsoft JWTs are validated against Microsoft's JWKS endpoint (signature + audience + expiry).
Cross-Module Dependenciesβ
- Auth Module β SSO delegates final session issuance (JWT cookie creation) to the Auth module.
- Admin Panel β admins manage
tenant_configsfor SSO setup. - Setup Module β SSO configuration can be completed via the Setup wizard.
Module 8: Admin Panelβ
What It Doesβ
The Admin Panel module exposes all tenant administration capabilities: user management (create, update, deactivate, assign roles), global settings, role and permission management, tenant configuration, and archived data management. Every route requires at least JWT authentication plus requirePermission() middleware for fine-grained authorization β no admin route is accessible to non-admin users.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
User | User accounts managed via admin UI (shared with Auth) |
Role | Named role definitions (admin, analyst, viewer, etc.) |
Settings | Tenant-level configuration (feature flags, notification prefs, branding) |
ArchivedData | Soft-deleted records preserved for audit trail |
External Dependenciesβ
None. Admin is a fully internal management layer.
Key Security Considerationsβ
- Zod strict validation on all write endpoints β extra fields are rejected (not ignored), preventing mass-assignment attacks.
requirePermission()is granular β a user withmanage_userscannot accessmanage_settingswithout that separate permission.- All admin mutations are written to
SecurityAuditLog. - Self-demotion protection: admins cannot remove their own admin role via the API.
Cross-Module Dependenciesβ
- Auth Module β manages
Userentity also used by Auth. - SSO Module β admin configures
tenant_configsfor SSO. - API Config Module β admin manages Tenable API credentials stored in
AppConfig. - Security Audit Module β admin actions are logged to
SecurityAuditLog.
Module 9: API Configurationβ
What It Doesβ
The API Config module manages external API credentials β primarily Tenable API keys β stored with AES-256 encryption. Credentials are never stored in plaintext. The module provides endpoints to save, test, and retrieve (masked) credential configuration. The encryption key is derived from a server-side secret, meaning database compromise alone cannot expose credentials.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
AppConfig | Key-value store for tenant configuration; sensitive values stored AES-256 encrypted |
External Dependenciesβ
- Tenable API β used only for the "test connection" endpoint.
Key Security Considerationsβ
- Encryption key is stored in
APP_ENCRYPTION_KEYenvironment variable β never in the database. - AES-256-GCM provides both confidentiality and integrity (authenticated encryption).
- Credentials are only decrypted in-memory, at the moment they are needed (e.g., during sync), never written decrypted.
- GET endpoints for credential retrieval return only masked values (e.g.,
****abcd).
Cross-Module Dependenciesβ
- Sync Engine β primary consumer; reads Tenable credentials at sync time.
- Admin Panel β exposes the UI for managing
AppConfigentries.
Module 10: Security Auditβ
What It Doesβ
The Security Audit module provides a read-only window into the security event log for administrators and security reviewers. It surfaces all authentication events, admin actions, permission changes, and anomalous access patterns from SecurityAuditLog. It also exposes management interfaces for the IP allowlist and blocklist β the dynamic security controls that Auth evaluates on every login.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
SecurityAuditLog | Immutable event log (written by Auth, read by Security Audit module) |
IpWhitelist | Trusted IPs that bypass auth rate limits |
IpBlacklist | Blocked IPs (can be manually added/removed here) |
External Dependenciesβ
None. Security Audit is a pure read/management layer over the security event log.
Key Security Considerationsβ
- All read endpoints require
view_securitypermission β not all admin users have this. SecurityAuditLogentries are append-only by design β there is no DELETE endpoint for log entries.- IP allowlist/blocklist changes are themselves logged to
SecurityAuditLog.
Cross-Module Dependenciesβ
- Auth Module β writes all events that Security Audit reads.
- Admin Panel β provides the UI surfacing Security Audit data.
Module 11: Scanner/Sensor (Distributed Agents)β
What It Doesβ
The Scanner/Sensor module manages distributed Docker-based scan sensors β remote agents that can be deployed in isolated network segments to reach targets not accessible from ThreatWeaver's cloud backend. Sensors establish a persistent WebSocket tunnel to the backend's /ws/agent endpoint, authenticate with mutual TLS plus a certificate, and receive scan tasks. Results stream back through the same tunnel. The module handles agent enrollment, heartbeat monitoring, task dispatch, and reconnection logic.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
ScannerConfig | Global scanner configuration (concurrency, timeouts, allowed probe types) |
ScanSensor | Registered remote sensor record (hostname, network segment, enrollment status) |
ScanSensorHeartbeat | Health check records β used to detect offline sensors |
ScannerEnrollmentToken | One-time tokens issued for sensor enrollment |
ScannerAgent | Agent definition records (name, category, capabilities, enabled flag) |
ScanAgentTask | Individual task records assigned to agents |
External Dependenciesβ
None external. Sensors communicate directly with the backend over WebSocket.
Key Security Considerationsβ
- mTLS: sensors must present a valid client certificate signed by ThreatWeaver's internal CA.
antiReplaymiddleware: each WebSocket message includes a monotonically increasing sequence number; replayed messages are rejected.authenticateAgentvalidates both the certificate and the enrollment token before admitting a sensor.- Sensor-to-backend communication is WebSocket over TLS only β no plain HTTP fallback.
Cross-Module Dependenciesβ
- AppSec Scanner β the coordinator dispatches tasks to remote sensors and receives findings through this module's gateway.
- Scan Management Module β users manage sensors and view sensor health via the Scan Management UI.
Module 12: Reportingβ
What It Doesβ
The Reporting module handles scheduled and on-demand report generation. Reports can be compliance-focused (PCI-DSS, SOC2, ISO 27001 mapping) or operational (vulnerability trends, asset risk summaries). Reports are generated as PDF or HTML documents, stored, and optionally emailed. The module supports scheduling (e.g., weekly PDF to CISO) and ad-hoc generation from the UI. XSS stripping is applied to all user-supplied text before it enters the report template.
Owned DB Entitiesβ
| Entity | Purpose |
|---|---|
ReportSchedule | Recurring report definitions (cron schedule, template, recipients) |
ReportJob | Individual report generation jobs with status, output location, error info |
External Dependenciesβ
- Email service β SMTP-based email delivery for scheduled report distribution (configured via
Settings).
Key Security Considerationsβ
requireModule('compliance_reporting')β reports are a licensed feature.- XSS stripping on all user-provided strings before template rendering prevents stored-XSS in generated documents.
- Generated PDFs are stored with tenant-scoped paths β cross-tenant access to report files is prevented at the storage layer.
- Report download URLs are short-lived (signed URLs or session-gated endpoints).
Cross-Module Dependenciesβ
- AppSec Scanner β reads
PentestFindingandPentestAssessmentfor pentest reports. - Vulnerabilities Module β reads
VulnerabilityandAssetfor operational reports. - Compliance entities β reads
ComplianceMappingfor compliance-focused reports. - Admin Panel β report schedule management is accessible via Admin UI.
Cross-Module Data Flowsβ
The following diagram shows how data flows between modules over the lifetime of a typical enterprise deployment.
Key Cross-Module Integration Pointsβ
| Source Module | Target Module | Data Transferred | Trigger |
|---|---|---|---|
| Sync Engine | Dashboard | Vulnerability, Asset records | After each sync completes |
| Sync Engine | Vulnerabilities | Vulnerability upserts | Continuous during sync |
| AppSec Scanner | Reports | PentestFinding, PentestAssessment | On-demand or scheduled |
| AppSec Scanner | VFP | PentestFinding enriched with CVSS | After scan completion |
| Auth | Security Audit | SecurityAuditLog events | Every auth operation |
| Webhook Receivers | AppSec Scanner | New PentestAssessment | On push event receipt |
| CI/CD Scan | AppSec Scanner | New PentestAssessment | On API call from CI |
| API Config | Sync Engine | Decrypted Tenable credentials | At sync start |
| SSO | Auth | Provisioned User record | On first SSO login |
Tenant Isolation: Schema-Per-Tenantβ
Every data-accessing module uses getTenantRepository() instead of the global TypeORM repository. This single function call is the enforcement point for ThreatWeaver's schema-per-tenant isolation model.
How It Worksβ
- The JWT contains a
tenantIdclaim. - The
resolveTenantmiddleware mapstenantIdβschemaName(e.g.,tenant_abc123). - The
setTenantSchemamiddleware executesSET search_path = tenant_abc123, publicon the PostgreSQL connection before any query runs. - All TypeORM queries on that connection automatically resolve to the tenant's private schema.
- There is no need to add
WHERE tenant_id = ?to queries β isolation is enforced at the connection level.
What Is Shared vs. Isolatedβ
| Data | Isolation Level | Location |
|---|---|---|
| User vulnerability data | Full schema isolation | tenant_abc123.vulnerabilities |
| AppSec findings | Full schema isolation | tenant_abc123.pentest_findings |
| Assets | Full schema isolation | tenant_abc123.assets |
| Tenant definitions | Shared (public schema) | public.tenants |
| Module entitlements | Shared (public schema) | public.tenant_entitlements |
| AI provider configs | Shared (public schema) | public.ai_providers |
| Global scanner configs | Shared (public schema) | public.scanner_agents |
Bypassed Pathsβ
The multi-tenant middleware chain (steps 13aβ13f) is skipped for:
/auth/*β user has no tenant context yet/internal/*β internal service-to-service calls usingX-Internal-API-Key/agent/*β sensor WebSocket connections authenticated by mTLS, not JWT
These paths use their own authentication mechanisms and explicitly scope queries to the tenant derived from their respective auth tokens.
Additional Modules (Summary Reference)β
The following modules follow the same patterns as the 12 detailed above. They are documented here for completeness.
| Module | Route File | Primary Purpose | Auth |
|---|---|---|---|
| Assets | assets.routes.ts | Asset inventory management; mirrors Tenable asset data | JWT + requireModule('vulnerability_dashboard') |
| Vulnerabilities | vulnerabilities.routes.ts | Vulnerability CRUD, state transitions, bulk operations | JWT + requireModule + readLimiter / writeLimiter |
| Anomaly Detection | anomaly.routes.ts | AI-powered anomaly events and exclusion management | JWT + requireModule('intelligence') |
| Asset Ownership | assetOwnership.routes.ts | CSV-driven asset ownership assignment | JWT + file upload validation |
| OS Category Rules | osCategoryRules.routes.ts | Custom rules mapping OS strings to categories | JWT + XSS strip |
| Delta Scanning | delta.routes.ts | Read-only diff view of assessment changes between runs | JWT + requireModule('appsec') |
| Progress/SSE | progress.routes.ts | Real-time sync progress stream | JWT + SSE (setMaxListeners(50)) |
| Export | export.routes.ts | Streaming CSV/JSON exports of vuln and asset data | JWT + requireModule + streaming response |
| AI Security | aiSecurity.routes.ts | AI tool inventory, risk tracking, policy enforcement | JWT + requireModule('ai_security') |
| Setup/License | setup.routes.ts | Initial setup wizard and license validation (TLM) | Public for setup; JWT for license updates |
| Internal API | internal.routes.ts | Service-to-service calls (provisioning, webhooks) | X-Internal-API-Key timing-safe comparison |
| Scan Management | scan.routes.ts | Scan scheduler, credential vault, job history | JWT + requireModule('scanner_management') + validateOutboundUrl |