Developer Documentation

API, Schemas, and Starter Files

Everything you need to integrate incidents, automate products, and manage Playbooks, RIFs, Mission Folders, and Net Assessments — all grounded in TEW doctrine.

AuthSSO + MFARBAC/ABAC enforced
FormatsJSON + YAMLGit-friendly
TransportHTTPS/mTLSNo default egress
AuditImmutableChain-of-custody

API overview

REST-style JSON over HTTPS (optional mTLS). All endpoints require SSO tokens and pass RBAC/ABAC checks.

Base URL

https://<your-domain>/api/v1/

Auth

OIDC bearer token + optional mTLS (client cert). Short TTL; refresh required.

Content-Type

application/json (UTF-8). All responses are JSON.

Core endpoints

Create incidents, move states, manage artifacts, and generate products.

Incidents

POST /incidents
{
  "title": "Stadium smoke reports",
  "source_cluster_id": "CL-2025-0412",
  "priority": "High",
  "initial_state": "Alert",
  "tags": ["stadium","smoke","911-calls"]
}

200 OK
{
  "incident_id": "INC-2025-0214",
  "state": "Alert",
  "created_at": "2025-08-28T12:01:15Z"
}
POST /incidents/{id}/transition
{
  "to_state": "Warning",
  "reason": "Multiple corroborated calls, OSINT photos, smoke visible",
  "notify": true
}

200 OK
{
  "incident_id": "INC-2025-0214",
  "state": "Warning",
  "notified": ["IC","UC","EOC"]
}

RIF / Target Folders

GET  /rif/{jurisdiction}/{site_uid}
POST /rif/{jurisdiction}/{site_uid}     # create/update (JSON body mirrors rif.schema.json)
Example response:
{
  "rif_id": "RIF-LAX-T4-0001",
  "site_name": "LAX – Terminal 4",
  "jurisdiction": "Los Angeles County",
  "status": "active",
  "linked_playbooks": ["chemical","lvb","radiological_nuclear"],
  "fields": {
    "site_plans": ["site_plans/overview.pdf"],
    "terrain": ["terrain/oakoc.md"],
    "plume_models": {"interior": ["models/plume/int_floor2.json"]},
    "vulnerability_map": ["vulnerability_map/vuln.geojson"]
  },
  "info_gaps": ["No current HVAC zoning drawings"]
}

Mission Folders

GET  /mission_folders/{incident_id}
POST /mission_folders/{incident_id}     # upsert (body ~ mission_folder.schema.json)
Example snippet:
{
  "incident_id": "INC-2025-0214",
  "period": "OP1 2025-08-28T12:00Z–18:00Z",
  "ic_uc": ["LASD-IC","LAFD-UC"],
  "commander_end_state": "Secure terminal, resume ops ≤ 6h",
  "intel_annex": {"sitreps_dir": "intelligence_annex/sitreps/"},
  "rif_links": ["../../rif_target_folders/los_angeles/lax_t4"],
  "coas": {"opfor": "coas/opfor_coas.md","friendly": "coas/friendly_coas.md"}
}

Net Assessments

POST /net_assessments
{
  "incident_id": "INC-2025-0214",
  "scope_magnitude": "Terminal-level, potential spillover",
  "threat_envelope": "LV-IED / CBRN unknown",
  "consequence_forecast": "Ops degradation ≥ 6h",
  "inputs": ["RIF LAX-T4","Playbook: chemical"],
  "rams": ["Random canine patrols","Unpredictable badge checks"]
}

200 OK
{ "net_assessment_id": "NA-2025-0098", "status": "draft" }

Products

POST /products/{type}/draft       # type: advisory|warning|iap|sitrep
{
  "incident_id": "INC-2025-0214",
  "audience": "IC",
  "redaction_level": "Secret",
  "include_sections": ["situation","actions","resources"]
}

POST /products/{id}/approve
{ "reason": "IC sign-off", "distribution": ["UCS","ICP","EOC","JRIC"] }

Intelligence Requirements (IRM)

POST /irm/requirements
{
  "id": "IR-2025-0031",
  "originator": "County PH",
  "gap_statement": "Need unclassified assessment of X-linked outbreak near CI/KR sites.",
  "priority": "High",
  "related_incidents": ["INC-2025-0214"],
  "routing": ["FusionCenter","DHS-IA"],
  "due_date": "2025-09-05",
  "deliverable_level": "Unclassified",
  "refresh_cadence_days": 14
}

Data schemas

JSON schema snippets for core artifacts. See the starter kit for full files.

RIF

rif.schema.json

required: ["rif_id","site_name","jurisdiction","fields"]
properties:
  rif_id: string
  site_name: string
  jurisdiction: string
  status: enum(active|draft|archived)
  linked_playbooks: string[]
  fields:
    site_plans: string[]
    terrain: string[]
    plume_models: object
    blast_models: string[]
    vulnerability_map: string[]
    support_sites_map: string[]
  info_gaps: string[]
Mission

mission_folder.schema.json

required: ["incident_id","period","ic_uc","attachments","coas"]
properties:
  incident_id: string
  period: string
  ic_uc: string[]
  commander_end_state: string
  intel_annex: object
  rif_links: string[]
  attachments: object
  coas: object
  dissemination: string[]
Net Assessment

net_assessment.schema.json

required: ["incident_id","scope_magnitude","consequence_forecast"]
properties:
  scope_magnitude: string
  threat_envelope: string
  consequence_forecast: string
  resources_profile_ref: string
  rams: string[]
  inputs: string[]

Repository structure

Standard project layout for doctrine artifacts and ops data.

tew/
├─ docs/                       # Doctrine refs, SOPs, training
├─ playbooks/                  # Threat-class playbooks
├─ rif_target_folders/         # RIF/Target Folders by jurisdiction/site
├─ mission_folders/            # Incident-specific packages
├─ net_assessments/            # Decision support artifacts
├─ irm/                        # Intelligence Requirements
├─ products/                   # Advisories, Warnings, IAPs, SITREPs
├─ modules/                    # cuas/, port_maritime/, cyber/
└─ shared/
   ├─ taxonomies/              # RAND tactics/targets, etc.
   └─ schemas/                 # rif.schema.json, mission_folder.schema.json, net_assessment.schema.json

Downloads

Starter kit: folder skeletons, JSON schemas, and sample data.

TEW Starter Kit

Includes playbooks/, rif_target_folders/, mission_folders/, net_assessments/, and shared/schemas/.

Download ZIP See artifact guide

Versioning & changelog

Keep artifacts and APIs predictable and auditable.

Semantic versions

Pin versions in YAML/JSON (version: 1.3.0) and include in product manifests. Use Git tags for releases.

Changelog

Maintain CHANGELOG.md with breaking changes, new endpoints/fields, and deprecations.

Deprecations

Mark old endpoints as deprecated and provide a sunset date; keep read-only until sunset passes.

Need deeper integration?

Ask for the full OpenAPI spec, SDK stubs, and sample data packs.

Contact Security posture