K Knowledge Engine

Reference

REST API & CLI

The API serves the web UI and a JSON corpus interface on the same origin. Automation never needs the UI — objects are addressable directly by hash.

REST API

EndpointDoes
GET /bucketsList buckets with object counts.
GET /search?q=Search the corpus by hash prefix, tag, or filename.
PUT /buckets/{bucket}/objects/{key}Upload bytes (?conflict=reject|replace|version).
GET /buckets/{bucket}/objects?prefix=List a bucket's objects.
POST .../objects/{key}/move · DELETE .../objects/{key}Move / hide a location.
GET .../objects/{key}/versionsVersion history for a location.
GET /objects/{sha256}/contentDownload bytes by hash.
GET /objects/{sha256}/locationsEvery live bucket/key for an object.
GET|POST /objects/{sha256}/tags · /aliases · /annotations · /childrenRead/attach metadata and relations.
GET /objects/{sha256}/jobsPer-plugin processing status for an object (queued / running / done / dead + error).
GET /pluginsList plugins with their accepted content types and operations.
POST /plugins/{id}/operations/{op}Run a plugin operation (e.g. similarity match, metadata) and return its rows.
GET|POST /repos · POST /repos/from-selectionList/create repos; build a repo from a corpus selection.
POST /gitea/webhookProject a Gitea push.
# run a similarity match over the corpus, then read the metadata + processing status
curl -X POST -H 'content-type: application/json' \
  -d '{"bucket":"malware-corpus","key":"family-a/crackme.i64","limit":5}' \
  http://127.0.0.1:3000/plugins/kep-bbsh/operations/match_resource

curl -X POST -H 'content-type: application/json' \
  -d '{"bucket":"malware-corpus","key":"family-a/crackme.i64"}' \
  http://127.0.0.1:3000/plugins/kep-metadata/operations/get_metadata

curl http://127.0.0.1:3000/objects/<sha256>/jobs
# upload (content type from the header, else inferred from the key)
curl -X PUT -H 'content-type: application/x-ida-i64' \
  --data-binary @crackme.i64 \
  http://127.0.0.1:3000/buckets/malware-corpus/objects/family-a/crackme.i64

# download by hash, list locations, tag it
curl http://127.0.0.1:3000/objects/<sha256>/content --output crackme.i64
curl http://127.0.0.1:3000/objects/<sha256>/locations
curl -X POST -H 'content-type: application/json' -d '{"name":"vmprotect"}' \
  http://127.0.0.1:3000/objects/<sha256>/tags

CLI

The same operations are available from the command line (bun run <command>). Run bun run src/main.ts help for the full list.

CommandDoes
setupBoot dependencies, migrate, provision extractors.
devRun api + reactor + worker together in one process.
api · reactor · workerRun the platform parts separately (API/UI, event→job, extract).
ingest <files…>Upload into a bucket (--bucket, --key, --reset, --replace).
operation <plugin> <op> <json>Run a plugin operation (see Plugins).
object:get <sha256> [path] · object:locations <sha256>Fetch bytes / list locations by hash.
git:init-bucket · git:import · git:validateLocal bare-repo Git transport.
gitea:create|sync|webhook|user|rotateGitea-hosted repos and identity.
# ingest two IDBs, project them, run extraction, then query similarity
bun run ingest --reset --bucket idb-analysis a.i64 b.i64
bun run reactor --once
bun run worker --concurrency 4
bun run operation kep-bbsh match_resource '{"bucket":"idb-analysis","key":"a.i64","limit":5}'
Operations run from the CLI or over REST (POST /plugins/{id}/operations/{op} — see above), so the web UI, scripts, and IDA plugins share one path. Each plugin declares its request/response JSON Schemas in its plugin.json.