REST API
| Endpoint | Does |
|---|---|
GET /buckets | List buckets with object counts. |
GET /search?q= | Search the corpus by hash prefix, tag, or filename. |
PUT /buckets/{bucket}/objects/{key} | Upload bytes (?conflict=reject|replace|version). |
GET /buckets/{bucket}/objects?prefix= | List a bucket's objects. |
POST .../objects/{key}/move · DELETE .../objects/{key} | Move / hide a location. |
GET .../objects/{key}/versions | Version history for a location. |
GET /objects/{sha256}/content | Download bytes by hash. |
GET /objects/{sha256}/locations | Every live bucket/key for an object. |
GET|POST /objects/{sha256}/tags · /aliases · /annotations · /children | Read/attach metadata and relations. |
GET /objects/{sha256}/jobs | Per-plugin processing status for an object (queued / running / done / dead + error). |
GET /plugins | List plugins with their accepted content types and operations. |
POST /plugins/{id}/operations/{op} | Run a plugin operation (e.g. similarity match, metadata) and return its rows. |
GET|POST /repos · POST /repos/from-selection | List/create repos; build a repo from a corpus selection. |
POST /gitea/webhook | Project a Gitea push. |
# run a similarity match over the corpus, then read the metadata + processing status
curl -X POST -H 'content-type: application/json' \
-d '{"bucket":"malware-corpus","key":"family-a/crackme.i64","limit":5}' \
http://127.0.0.1:3000/plugins/kep-bbsh/operations/match_resource
curl -X POST -H 'content-type: application/json' \
-d '{"bucket":"malware-corpus","key":"family-a/crackme.i64"}' \
http://127.0.0.1:3000/plugins/kep-metadata/operations/get_metadata
curl http://127.0.0.1:3000/objects/<sha256>/jobs
# upload (content type from the header, else inferred from the key)
curl -X PUT -H 'content-type: application/x-ida-i64' \
--data-binary @crackme.i64 \
http://127.0.0.1:3000/buckets/malware-corpus/objects/family-a/crackme.i64
# download by hash, list locations, tag it
curl http://127.0.0.1:3000/objects/<sha256>/content --output crackme.i64
curl http://127.0.0.1:3000/objects/<sha256>/locations
curl -X POST -H 'content-type: application/json' -d '{"name":"vmprotect"}' \
http://127.0.0.1:3000/objects/<sha256>/tags
CLI
The same operations are available from the command line (bun run <command>). Run
bun run src/main.ts help for the full list.
| Command | Does |
|---|---|
setup | Boot dependencies, migrate, provision extractors. |
dev | Run api + reactor + worker together in one process. |
api · reactor · worker | Run the platform parts separately (API/UI, event→job, extract). |
ingest <files…> | Upload into a bucket (--bucket, --key, --reset, --replace). |
operation <plugin> <op> <json> | Run a plugin operation (see Plugins). |
object:get <sha256> [path] · object:locations <sha256> | Fetch bytes / list locations by hash. |
git:init-bucket · git:import · git:validate | Local bare-repo Git transport. |
gitea:create|sync|webhook|user|rotate | Gitea-hosted repos and identity. |
# ingest two IDBs, project them, run extraction, then query similarity
bun run ingest --reset --bucket idb-analysis a.i64 b.i64
bun run reactor --once
bun run worker --concurrency 4
bun run operation kep-bbsh match_resource '{"bucket":"idb-analysis","key":"a.i64","limit":5}'
Operations run from the CLI or over REST
(
POST /plugins/{id}/operations/{op} — see above), so the web UI, scripts, and IDA plugins
share one path. Each plugin declares its request/response JSON Schemas in its plugin.json.