# Generated from openapi.json — do not edit by hand. # Regenerate: pnpm openapi:sync openapi: 3.1.0 info: title: Hoist Assets API description: PPSR + ABN due diligence for Australian asset finance. Org-only scope (organisation-grantor + serial-number searches, no PII) — does not search individuals. version: 1.0.0 termsOfService: https://hoistai.com/terms/ contact: name: Hoist Assets API access url: https://hoistai.com/contact/ license: name: Proprietary url: https://hoistai.com/terms/ servers: - url: https://api.assets.hoistai.com/v1 description: Published v1 contract and reachability host. Health/auth responses confirm setup only; live PPSR/ABN source traffic and paid operations require account access and source readiness. - url: https://api.assets.hoistai.com/v1?sandbox=true description: Sandbox/sample mode on the v1 contract host. Fixtures only; no real register traffic or billing. components: schemas: EvidencePackError: type: object required: - ok - code - message properties: ok: type: boolean const: false description: Always false on a non-2xx response code: type: string enum: - invalid_input - invalid_id - not_found - r2_unavailable - pdf_render_error - upstream_error message: type: string AssetInvoiceCanonicalIdentifier: type: object required: - kind - raw - canonical - display properties: kind: type: string enum: - vin - chassis_number - engine_number - serial_number raw: type: string canonical: type: string display: type: string EvidencePackSubject: type: object required: - abn - vin - purpose properties: abn: type: - string - 'null' vin: type: - string - 'null' purpose: type: - string - 'null' EvidencePackSourceTrust: type: object description: Additive, OpenAPI-safe source trust metadata derived from the static source manifest. Does not include source credentials, raw queries, query hashes, raw payload refs, or Evidence Pack internals. required: - source_id - owner - detail - freshness - snapshot - parser - limitations properties: source_id: type: string description: Canonical manifest source id for this check. Alias rows such as ppsr-org and ppsr-serial map to afsa-ppsr. owner: type: object required: - name - kind - jurisdiction - website properties: name: type: string kind: type: string enum: - hoist - government - regulator - intergovernmental jurisdiction: type: string website: type: string format: uri detail: type: string description: How Hoist obtains or snapshots the source without exposing credentials. freshness: type: object required: - cadence properties: cadence: type: string snapshot: type: object required: - source_version properties: source_version: type: string parser: type: object required: - parser_version - notes properties: parser_version: type: string notes: type: string limitations: type: array items: type: string additionalProperties: false EvidencePackSourceCheck: type: object required: - source - verdict - freshness - certificate_sha256 - source_snapshot_id - raw_artifact_ref properties: source: type: string verdict: type: string freshness: type: string format: date-time certificate_sha256: type: - string - 'null' source_trust: $ref: '#/components/schemas/EvidencePackSourceTrust' source_snapshot_id: type: - string - 'null' description: Stable source snapshot identifier used by audit-grade Evidence Packs, when the source publishes one. raw_artifact_ref: type: - string - 'null' description: Audit-bucket artifact reference for the source-check projection. This is a reference, not a raw upstream payload. EvidencePackRiskFlag: type: object required: - code - category - severity - message - confidence - evidence_refs - source_refs - source_backing - recommended_next_check properties: code: type: string category: type: string enum: - identity_risk - licence_risk - asset_encumbrance_risk - sanctions_risk - insolvency_risk - address_risk - charity_status_risk - procurement_risk - director_or_control_risk - source_conflict_risk description: Typed risk ontology category for source interpretation. severity: type: string enum: - info - low - medium - high - critical message: type: string confidence: type: number minimum: 0 maximum: 1 evidence_refs: type: array items: type: string source_refs: type: array items: type: string source_backing: type: string description: Plain-language source backing for the flag. This is evidence wording, not a clearance claim. recommended_next_check: type: string additionalProperties: false EvidencePackEnvelope: type: object required: - ok - export_id - download_url - generated_at - verdict - confidence - subject - source_checks - risk_flags - recommended_next_check - risk_explanation - risk_score - human_review_items - r2_key - audit_manifest_key - machine_pack - human_pack - audit_pack properties: ok: type: boolean const: true export_id: type: string description: Canonical pack identifier (UUID v4). download_url: type: string description: Worker-relative path for retrieving the Due Diligence Record PDF (GET /v1/exports/{id}). generated_at: type: string format: date-time verdict: type: string confidence: type: number minimum: 0 maximum: 1 subject: $ref: '#/components/schemas/EvidencePackSubject' source_checks: type: array items: $ref: '#/components/schemas/EvidencePackSourceCheck' risk_flags: type: array items: $ref: '#/components/schemas/EvidencePackRiskFlag' human_review_items: type: array items: type: string r2_key: type: string audit_manifest_key: type: string description: R2 key for the audit artifact manifest JSON stored beside the PDF. machine_pack: $ref: '#/components/schemas/EvidencePackMachinePack' human_pack: $ref: '#/components/schemas/EvidencePackHumanPack' audit_pack: $ref: '#/components/schemas/EvidencePackAuditPack' risk_score: type: integer minimum: 0 maximum: 100 description: 0-100 source-interpretation risk score computed from typed risk flags. risk_explanation: $ref: '#/components/schemas/EvidencePackRiskExplanation' recommended_next_check: type: string description: Next source-backed check or review action recommended by the risk ontology. AbnLookupError: type: object required: - ok - code - message properties: ok: type: boolean const: false description: Always false on a non-2xx response code: type: string enum: - invalid_abn - abn_not_found - rate_limited - upstream_error - network_error - parse_error description: Stable error sentinel. Clients should branch on this rather than parsing message. message: type: string description: Human-readable error message. May change between releases — do not parse. AddressLookupError: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input - invalid_source_version - incomplete_address - invalid_state - invalid_postcode - unsupported_street_type - shard_read_failed - unauthorized description: Stable error sentinel. Clients should branch on this rather than parsing message. message: type: string description: Human-readable error message. May change between releases - do not parse. AddressLookupRequest: type: object required: - source_version - raw_address properties: source_version: type: string minLength: 1 description: G-NAF source snapshot version to query. example: GNAF-2026-05 raw_address: type: string minLength: 1 description: Single-line Australian address. Parsed by the shared address normalizer before lookup. example: 10 Main St, Sydney NSW 2000 limit: type: integer minimum: 1 maximum: 25 default: 10 description: Maximum candidate count. Values above 25 are capped by the service. additionalProperties: false AddressLookupMismatchFlag: type: object required: - severity - code - message properties: severity: type: string enum: - low - medium code: type: string enum: - fuzzy_street_name - suburb_mismatch - postcode_mismatch - state_mismatch - ambiguous_match message: type: string input_component: type: string candidate_component: type: string additionalProperties: false AddressLookupCandidate: type: object required: - gnaf_pid - full_address - locality - state - postcode - latitude - longitude - geocode_type - source - evidence - match properties: gnaf_pid: type: string full_address: type: string locality: type: string state: type: string enum: - ACT - NSW - NT - QLD - SA - TAS - VIC - WA postcode: type: string pattern: ^[0-9]{4}$ latitude: type: - number - 'null' longitude: type: - number - 'null' geocode_type: type: - string - 'null' source: type: object required: - source_id - source_version - source_kind - registry_truth - snapshot_backed properties: source_id: type: string const: gnaf source_version: type: string source_kind: type: string const: versioned_snapshot registry_truth: type: string const: snapshot_not_realtime snapshot_backed: type: boolean const: true additionalProperties: false evidence: type: object required: - r2_shard_key - row_offset properties: r2_shard_key: type: string row_offset: type: integer minimum: 0 additionalProperties: false match: type: object required: - method - confidence - component_scores - mismatch_flags properties: method: type: string enum: - exact_normalized - fuzzy_components confidence: type: number minimum: 0 maximum: 1 component_scores: type: object required: - street_number - street_name - street_type - suburb - state - postcode properties: street_number: type: number minimum: 0 maximum: 1 street_name: type: number minimum: 0 maximum: 1 street_type: type: number minimum: 0 maximum: 1 suburb: type: number minimum: 0 maximum: 1 state: type: number minimum: 0 maximum: 1 postcode: type: number minimum: 0 maximum: 1 additionalProperties: false mismatch_flags: type: array items: $ref: '#/components/schemas/AddressLookupMismatchFlag' additionalProperties: false additionalProperties: false AddressLookupResponse: type: object required: - ok - tool - status - matched_on - normalized_address_key - confidence - mismatch_flags - candidate_count - candidates properties: ok: type: boolean const: true tool: type: string const: address_lookup status: type: string enum: - exact_match - fuzzy_match - ambiguous - no_match matched_on: type: string enum: - normalized_full_address - address_components - none normalized_address_key: type: string confidence: type: number minimum: 0 maximum: 1 mismatch_flags: type: array items: $ref: '#/components/schemas/AddressLookupMismatchFlag' candidate_count: type: integer minimum: 0 candidates: type: array items: $ref: '#/components/schemas/AddressLookupCandidate' additionalProperties: false WhatChangedError: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input - snapshot_not_found - snapshot_mismatch - ambiguous_target - storage_error - unauthorized description: Stable error sentinel. Clients should branch on this rather than parsing message. message: type: string description: Human-readable error message. May change between releases - do not parse. additionalProperties: false WhatChangedRequest: type: object required: - tenant_id - account_id oneOf: - required: - previous_pack_id - current_pack_id - required: - target_type - target_hash - from - to properties: tenant_id: type: string minLength: 1 description: Tenant scope for the monitor evidence snapshots. account_id: type: string minLength: 1 description: Account scope for the monitor evidence snapshots. previous_pack_id: type: string minLength: 1 description: Evidence pack ID for the earlier snapshot. example: pack_previous current_pack_id: type: string minLength: 1 description: Evidence pack ID for the later snapshot. example: pack_current target_type: type: string enum: - ABN - ACN - VIN - address description: Monitor target type for a target/time-range comparison. target_hash: type: string minLength: 1 description: Privacy-preserving monitor target hash. Raw address input is never accepted here. subscription_id: type: string minLength: 1 description: Optional monitor subscription ID used to disambiguate duplicate target monitors. from: type: integer minimum: 1 description: Inclusive created_at lower bound in epoch milliseconds. to: type: integer minimum: 1 description: Inclusive created_at upper bound in epoch milliseconds. additionalProperties: false WhatChangedSourceVersion: type: object required: - source_id - source_version - observed_at properties: source_id: type: string source_version: type: string observed_at: type: integer additionalProperties: false WhatChangedRiskFlag: type: object required: - code - severity properties: code: type: string severity: type: string enum: - info - low - medium - high evidence_ref: type: string additionalProperties: false WhatChangedSnapshotRef: type: object required: - snapshot_id - subscription_id - role - evidence_pack_id - evidence_pack_ref - target_type - target_hash - created_at - source_observed_at - source_versions - risk_flags properties: snapshot_id: type: string subscription_id: type: string role: type: string enum: - baseline - check evidence_pack_id: type: string evidence_pack_ref: type: - string - 'null' target_type: type: string enum: - ABN - ACN - VIN - address target_hash: type: string created_at: type: integer source_observed_at: type: integer source_versions: type: array items: $ref: '#/components/schemas/WhatChangedSourceVersion' risk_flags: type: array items: $ref: '#/components/schemas/WhatChangedRiskFlag' additionalProperties: false WhatChangedEvidenceRef: type: object required: - snapshot_id - evidence_pack_id - evidence_pack_ref properties: snapshot_id: type: string evidence_pack_id: type: string evidence_pack_ref: type: - string - 'null' fact_evidence_ref: type: string additionalProperties: false WhatChangedStructuredDiff: type: object required: - kind - severity - field - old_value - new_value - old_hash - new_hash - evidence properties: kind: type: string enum: - identity - registration - status - address - risk - source_version - unknown severity: type: string enum: - info - low - medium - high field: type: string old_value: type: - string - 'null' new_value: type: - string - 'null' old_hash: type: - string - 'null' new_hash: type: - string - 'null' evidence: type: object required: - previous - current properties: previous: $ref: '#/components/schemas/WhatChangedEvidenceRef' current: $ref: '#/components/schemas/WhatChangedEvidenceRef' additionalProperties: false additionalProperties: false WhatChangedResponse: type: object required: - ok - tool - selector - outcome - severity - target - previous_snapshot - current_snapshot - change_count - changes - generated_at properties: ok: type: boolean const: true tool: type: string const: what_changed selector: type: string enum: - pack_pair - target_window outcome: type: string enum: - no_change - changed severity: type: string enum: - info - low - medium - high target: type: object required: - type - hash properties: type: type: string enum: - ABN - ACN - VIN - address hash: type: string additionalProperties: false previous_snapshot: $ref: '#/components/schemas/WhatChangedSnapshotRef' current_snapshot: $ref: '#/components/schemas/WhatChangedSnapshotRef' change_count: type: integer minimum: 0 changes: type: array items: $ref: '#/components/schemas/WhatChangedStructuredDiff' generated_at: type: integer additionalProperties: false ConfirmNoChangesError: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input - unauthorized - monitor_not_found - baseline_not_captured - baseline_mismatch - recheck_failed message: type: string additionalProperties: false ConfirmNoChangesComparisonFact: type: object required: - field - value_hash properties: field: type: string value_hash: type: string normalized_value: type: string evidence_ref: type: string additionalProperties: false ConfirmNoChangesComparison: type: object required: - fingerprint - fact_hashes properties: fingerprint: type: string fact_hashes: type: array items: type: string facts: type: array items: $ref: '#/components/schemas/ConfirmNoChangesComparisonFact' additionalProperties: false ConfirmNoChangesCurrentEvidence: type: object required: - evidence_pack_id - comparison - source_versions - source_observed_at properties: evidence_pack_id: type: string minLength: 1 evidence_pack_ref: type: string comparison: $ref: '#/components/schemas/ConfirmNoChangesComparison' source_versions: type: array minItems: 1 items: $ref: '#/components/schemas/WhatChangedSourceVersion' source_observed_at: type: integer minimum: 1 risk_flags: type: array items: $ref: '#/components/schemas/WhatChangedRiskFlag' additionalProperties: false ConfirmNoChangesRequest: type: object required: - tenant_id - account_id - subscription_id - baseline_evidence_pack_id - current_evidence properties: tenant_id: type: string minLength: 1 account_id: type: string minLength: 1 subscription_id: type: string minLength: 1 baseline_evidence_pack_id: type: string minLength: 1 idempotency_key: type: string minLength: 1 current_evidence: $ref: '#/components/schemas/ConfirmNoChangesCurrentEvidence' additionalProperties: false ConfirmNoChangesCheckRef: type: object required: - check_id - status - trigger - baseline_snapshot_id - result_snapshot_id - evidence_pack_id - audit_correlation_id - completed_at properties: check_id: type: string status: type: string enum: - queued - running - no_change - changed - failed trigger: type: string const: before_funding baseline_snapshot_id: type: - string - 'null' result_snapshot_id: type: - string - 'null' evidence_pack_id: type: - string - 'null' audit_correlation_id: type: string completed_at: type: - integer - 'null' additionalProperties: false ConfirmNoChangesSnapshotRef: type: object required: - snapshot_id - evidence_pack_id - evidence_pack_ref - source_versions - source_observed_at - created_at properties: snapshot_id: type: string evidence_pack_id: type: string evidence_pack_ref: type: - string - 'null' source_versions: type: array items: $ref: '#/components/schemas/WhatChangedSourceVersion' source_observed_at: type: integer created_at: type: integer additionalProperties: false ConfirmNoChangesResponse: type: object required: - ok - tool - outcome - subscription_id - check - baseline_snapshot - current_snapshot - change_count - severity - changes - generated_at properties: ok: type: boolean const: true tool: type: string const: confirm_no_changes outcome: type: string enum: - no_changes - changes_detected subscription_id: type: string check: $ref: '#/components/schemas/ConfirmNoChangesCheckRef' baseline_snapshot: $ref: '#/components/schemas/ConfirmNoChangesSnapshotRef' current_snapshot: $ref: '#/components/schemas/ConfirmNoChangesSnapshotRef' change_count: type: integer minimum: 0 severity: type: string enum: - info - low - medium - high changes: type: array items: $ref: '#/components/schemas/WhatChangedStructuredDiff' generated_at: type: string format: date-time additionalProperties: false MonitorOwner: type: object required: - tenant_id - account_id properties: tenant_id: type: string minLength: 1 maxLength: 128 account_id: type: string minLength: 1 maxLength: 128 user_id: type: string minLength: 1 maxLength: 128 oauth_grant_id: type: string minLength: 1 maxLength: 128 additionalProperties: false MonitorTarget: oneOf: - type: object required: - type - abn properties: type: type: string const: ABN abn: type: string minLength: 1 maxLength: 32 additionalProperties: false - type: object required: - type - acn properties: type: type: string const: ACN acn: type: string minLength: 1 maxLength: 32 additionalProperties: false - type: object required: - type - vin properties: type: type: string const: VIN vin: type: string minLength: 1 maxLength: 64 additionalProperties: false - type: object required: - type - address_hash properties: type: type: string const: address address_hash: type: string minLength: 1 maxLength: 256 gnaf_pid: type: string minLength: 1 maxLength: 128 locality: type: string minLength: 1 maxLength: 128 state: type: string enum: - ACT - NSW - NT - QLD - SA - TAS - VIC - WA postcode: type: string minLength: 1 maxLength: 16 additionalProperties: false - type: object required: - kind properties: kind: type: string const: banned_disqualified_person description: Verify against ASIC Banned and Disqualified Persons public snapshot. document_number: type: string minLength: 1 description: ASIC source document number where available. Matches still require independent identity review. name: type: string minLength: 1 description: Person name. Same-name matches require manual review and do not prove identity. anyOf: - required: - document_number - required: - name additionalProperties: false MonitorNotificationPreference: type: object required: - channel - destination_ref - triggers properties: channel: type: string enum: - connector - email - webhook destination_ref: type: string minLength: 1 maxLength: 512 triggers: type: array items: type: string enum: - any_change - risk_change - check_failed minItems: 1 maxItems: 8 additionalProperties: false MonitorCreateRequest: type: object required: - tenant_id - account_id - target - interval properties: tenant_id: type: string minLength: 1 maxLength: 128 account_id: type: string minLength: 1 maxLength: 128 oauth_grant_id: type: string minLength: 1 maxLength: 128 target: $ref: '#/components/schemas/MonitorTarget' interval: type: string enum: - daily - weekly - monthly - before_funding next_check_not_before: type: - integer - 'null' minimum: 0 idempotency_key: type: string minLength: 1 maxLength: 256 notification_preferences: type: array items: $ref: '#/components/schemas/MonitorNotificationPreference' maxItems: 16 additionalProperties: false MonitorRevokeRequest: type: object required: - tenant_id - account_id - cancellation_reason - cancellation_audit_reason properties: tenant_id: type: string minLength: 1 maxLength: 128 account_id: type: string minLength: 1 maxLength: 128 oauth_grant_id: type: string minLength: 1 maxLength: 128 cancellation_reason: type: string enum: - user_revoked - grant_revoked - billing_ended - tenant_deleted - operator_disabled cancellation_audit_reason: type: string minLength: 1 maxLength: 512 additionalProperties: false MonitorSubscription: type: object required: - subscription_id - scope - owner - target - cadence - status - baseline - notifications - privacy - created_at - updated_at properties: subscription_id: type: string scope: type: string const: assets:monitor owner: $ref: '#/components/schemas/MonitorOwner' target: $ref: '#/components/schemas/MonitorTarget' cadence: type: object required: - interval - next_check_not_before properties: interval: type: string enum: - daily - weekly - monthly - before_funding next_check_not_before: type: - integer - 'null' minimum: 0 additionalProperties: false status: type: object required: - state - since properties: state: type: string enum: - pending_baseline - active - paused - canceled - failed since: type: integer minimum: 0 next_check_not_before: type: integer minimum: 0 pause_reason: type: string enum: - user_paused - billing_hold - operator_hold resume_not_before: type: integer minimum: 0 canceled_at: type: integer minimum: 0 cancellation: type: object required: - reason - audit_reason properties: reason: type: string enum: - user_revoked - grant_revoked - billing_ended - tenant_deleted - operator_disabled audit_reason: type: string additionalProperties: false failure_code: type: string retryable: type: boolean retry_after_ms: type: integer minimum: 0 additionalProperties: false baseline: type: object required: - status properties: status: type: string enum: - pending - captured - failed requested_at: type: integer minimum: 0 snapshot: type: object additionalProperties: true failed_at: type: integer minimum: 0 failure_code: type: string retry_after_ms: type: integer minimum: 0 additionalProperties: false notifications: type: array items: $ref: '#/components/schemas/MonitorNotificationPreference' privacy: type: object required: - user_query_stored - address_input_stored - individual_grantor_allowed - stores_free_text_as_hash_only properties: user_query_stored: type: boolean const: false address_input_stored: type: boolean const: false individual_grantor_allowed: type: boolean const: false stores_free_text_as_hash_only: type: boolean const: true additionalProperties: false created_at: type: integer minimum: 0 updated_at: type: integer minimum: 0 additionalProperties: false MonitorResponse: type: object required: - ok - monitor - audit - evidence properties: ok: type: boolean const: true monitor: $ref: '#/components/schemas/MonitorSubscription' audit: type: object required: - monitor_id - correlation_id properties: monitor_id: type: string correlation_id: type: string last_event: type: string enum: - monitor_created - monitor_revoked additionalProperties: false evidence: type: object required: - baseline_status properties: baseline_status: type: string enum: - pending - captured - failed snapshot_id: type: string evidence_pack_id: type: string additionalProperties: false additionalProperties: false MonitorListResponse: type: object required: - ok - monitors - count properties: ok: type: boolean const: true monitors: type: array items: $ref: '#/components/schemas/MonitorResponse' count: type: integer minimum: 0 additionalProperties: false MonitorError: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input - invalid_owner - invalid_target - invalid_interval - invalid_cancellation_reason - monitor_not_found - monitor_forbidden - monitor_terminal - unauthorized - monitor_operation_failed message: type: string additionalProperties: false PpsrSearchError: type: object required: - ok - code - message properties: ok: type: boolean const: false description: Always false on a non-2xx response code: type: string enum: - invalid_input - not_found - rate_limited - upstream_error - network_error - audit_persist_failed - billing_cap_reached - unauthorized description: Stable error sentinel. Clients should branch on this rather than parsing message. message: type: string description: Human-readable error message. May change between releases — do not parse. PpsrSearchRequest: type: object required: - subject_kind description: 'Discriminated request body. Pass either { subject_kind: "organisation", acn: .. } or { subject_kind: "serial_number", serial: .., type: .. }.' properties: subject_kind: type: string enum: - organisation - serial_number description: 'Search target: by company (ACN) or by serial number (VIN/motor/aircraft/watercraft).' acn: type: string description: 9-digit Australian Company Number; required when subject_kind is "organisation". Spaces and hyphens accepted. pattern: ^[0-9 -]{9,11}$ example: 123 456 789 purpose: type: string description: Optional free-text purpose recorded with the search for the user's own records (max 256 chars). Not used for access control. maxLength: 256 serial: type: string description: Serial number; required when subject_kind is "serial_number". Letters, digits, hyphens; 3-32 chars. minLength: 3 maxLength: 32 example: VIN1234567890ABCD type: type: string enum: - vin - motor - aircraft - watercraft description: Serial type bucket; required when subject_kind is "serial_number". PpsrPaidSearchRequest: description: Strict canonical paid PPSR search request. Extra top-level fields such as user_id, serial_type, confirm_cost, asset_type, source_status, and as_of are rejected. oneOf: - type: object additionalProperties: false required: - subject_kind - acn properties: subject_kind: type: string enum: - organisation description: 'Search target: by company (ACN).' acn: type: string description: 9-digit Australian Company Number. Spaces and hyphens accepted. pattern: ^[0-9 -]{9,11}$ example: 123 456 789 purpose: type: string description: Optional free-text purpose recorded with the search for the user's own records (max 256 chars). Not used for access control. maxLength: 256 - type: object additionalProperties: false required: - subject_kind - serial - type properties: subject_kind: type: string enum: - serial_number description: 'Search target: by serial number (VIN/motor/aircraft/watercraft).' serial: type: string description: Serial number. Letters, digits, hyphens; 3-32 chars. minLength: 3 maxLength: 32 example: VIN1234567890ABCD type: type: string enum: - vin - motor - aircraft - watercraft description: Serial type bucket. PpsrCostBreakdown: type: object required: - cost_cents - gst_cents - total_cents - cost_aud - gst_aud - total_aud - currency properties: cost_cents: type: integer description: Ex-GST search fee in Australian cents. example: 200 gst_cents: type: integer description: GST amount in Australian cents. example: 20 total_cents: type: integer description: Inclusive total in Australian cents. example: 220 cost_aud: type: string description: Ex-GST search fee formatted as `N.NN`. example: '2.00' gst_aud: type: string description: GST formatted as `N.NN`. example: '0.20' total_aud: type: string description: Inclusive total formatted as `N.NN`. example: '2.20' currency: type: string enum: - AUD description: Currency code. AsicLicenceLookupRequest: type: object required: - licence_number additionalProperties: false properties: licence_number: type: string description: Six-digit AFSL/ACL number. AFSL/ACL prefixes and spaces are accepted. licence_type: type: string enum: - afsl - acl description: Optional ASIC licence type filter. include_current_extract: type: boolean default: false description: When true, request the paid ASIC current-extract confirmation gate instead of fixture lookup. user_confirmation_for_paid_searches: type: boolean default: false description: Explicit user confirmation for paid ASIC searches. budget_gate_confirmed: type: boolean default: false description: Budget gate confirmation for paid ASIC searches. AsicLicenceRecord: type: object required: - licence_number - licence_type - status - holder_name - holder_acn - holder_abn - authorised_services - issued_on - expires_on - cancelled_on - source - source_version properties: licence_number: type: string licence_type: type: string enum: - afsl - acl status: type: string enum: - current - expired - cancelled holder_name: type: string holder_acn: type: - string - 'null' holder_abn: type: - string - 'null' authorised_services: type: array items: type: string issued_on: type: string format: date expires_on: type: - string - 'null' format: date cancelled_on: type: - string - 'null' format: date source: type: string const: asic-fixture source_version: type: string AsicLicenceLookupResponse: oneOf: - type: object required: - ok - tool - status - licence - live_search_dispatched - pending_confirmation - confidence properties: ok: type: boolean const: true tool: type: string const: lookup_licence status: type: string const: found licence: $ref: '#/components/schemas/AsicLicenceRecord' live_search_dispatched: type: boolean const: false pending_confirmation: type: 'null' confidence: type: number const: 1 - type: object required: - ok - tool - status - licence_number - live_search_dispatched - pending_confirmation properties: ok: type: boolean const: true tool: type: string const: lookup_licence status: type: string const: pending_confirmation licence_type: type: - string - 'null' enum: - afsl - acl - null licence_number: type: string live_search_dispatched: type: boolean const: false pending_confirmation: type: object - type: object required: - ok - tool - status - licence_number - live_search_dispatched - provider_status properties: ok: type: boolean const: true tool: type: string const: lookup_licence status: type: string const: ready_for_paid_dispatch licence_type: type: - string - 'null' enum: - afsl - acl - null licence_number: type: string live_search_dispatched: type: boolean const: false provider_status: type: string const: not_wired cost_cents_estimate: type: integer currency: type: string const: AUD AsicLicenceLookupError: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input - licence_not_found - unauthorized message: type: string VerifyProfessionalRequest: oneOf: - type: object required: - kind properties: kind: type: string const: liquidator description: Verify against ASIC Registered and Official Liquidators. registered_liquidator_number: type: string minLength: 1 description: ASIC Registered Liquidator number, spaces optional. official_liquidator_number: type: string minLength: 1 description: ASIC Official Liquidator number, spaces optional. name: type: string minLength: 1 description: Liquidator name. Same-name matches require manual review. anyOf: - required: - registered_liquidator_number - required: - official_liquidator_number - required: - name additionalProperties: false - type: object required: - kind properties: kind: type: string const: banned_disqualified_person description: Verify against ASIC Banned and Disqualified Persons public snapshot. document_number: type: string minLength: 1 description: ASIC source document number where available. Matches still require independent identity review. name: type: string minLength: 1 description: Person name. Same-name matches require manual review and do not prove identity. anyOf: - required: - document_number - required: - name additionalProperties: false - type: object required: - kind properties: kind: type: string const: financial_adviser description: Verify against the ASIC Financial Advisers Register public snapshot. adviser_number: type: string minLength: 1 description: ASIC Financial Advisers Register adviser number, leading zeroes preserved. financial_adviser_number: type: string minLength: 1 description: Alias for adviser_number. name: type: string minLength: 1 description: Adviser name. Same-name matches require manual review. anyOf: - required: - adviser_number - required: - financial_adviser_number - required: - name additionalProperties: false - type: object required: - kind properties: kind: type: string const: afs_representative description: Verify against ASIC AFS Representatives public snapshot. representative_number: type: string minLength: 1 description: ASIC AFS representative number, leading zeroes preserved. afs_representative_number: type: string minLength: 1 description: Alias for representative_number. licence_number: type: string minLength: 1 description: Linked AFSL number. afs_licence_number: type: string minLength: 1 description: Alias for licence_number. name: type: string minLength: 1 description: Representative name. Same-name matches require manual review. abn: type: string minLength: 1 description: Representative ABN, spaces optional. acn: type: string minLength: 1 description: Representative ACN, spaces optional. anyOf: - required: - representative_number - required: - afs_representative_number - required: - licence_number - required: - afs_licence_number - required: - name - required: - abn - required: - acn additionalProperties: false - type: object required: - kind properties: kind: type: string const: credit_representative description: Verify against ASIC Credit Representatives public snapshot. representative_number: type: string minLength: 1 description: ASIC credit representative number. credit_representative_number: type: string minLength: 1 description: Alias for representative_number. licence_number: type: string minLength: 1 description: Linked credit licence number. credit_licence_number: type: string minLength: 1 description: Alias for licence_number. name: type: string minLength: 1 description: Representative name. Same-name matches require manual review. abn: type: string minLength: 1 description: Representative ABN, spaces optional. acn: type: string minLength: 1 description: Representative ACN, spaces optional. representative_identifier: type: string minLength: 1 description: Representative ABN/ACN-style identifier from the source row. anyOf: - required: - representative_number - required: - credit_representative_number - required: - licence_number - required: - credit_licence_number - required: - name - required: - abn - required: - acn - required: - representative_identifier additionalProperties: false - type: object required: - kind properties: kind: type: string const: registered_auditor description: Verify against ASIC Registered Auditors public snapshot. auditor_number: type: string minLength: 1 description: ASIC Registered Auditor number. registered_auditor_number: type: string minLength: 1 description: Alias for auditor_number. name: type: string minLength: 1 description: Auditor name. Same-name matches require manual review. acn: type: string minLength: 1 description: Registered auditor firm ACN, spaces optional. anyOf: - required: - auditor_number - required: - registered_auditor_number - required: - name - required: - acn additionalProperties: false - type: object required: - kind properties: kind: type: string const: smsf_auditor description: Verify against ASIC SMSF Auditors public snapshot. auditor_number: type: string minLength: 1 description: ASIC SMSF Auditor number. smsf_auditor_number: type: string minLength: 1 description: Alias for auditor_number. name: type: string minLength: 1 description: SMSF auditor name. Same-name matches require manual review. abn: type: string minLength: 1 description: SMSF auditor person ABN, spaces optional. anyOf: - required: - auditor_number - required: - smsf_auditor_number - required: - name - required: - abn additionalProperties: false VerifyProfessionalAddress: type: object required: - town - state - postcode - country properties: town: type: - string - 'null' state: type: - string - 'null' postcode: type: - string - 'null' country: type: - string - 'null' additionalProperties: false VerifyProfessionalMatch: oneOf: - $ref: '#/components/schemas/VerifyProfessionalLiquidatorMatch' - $ref: '#/components/schemas/VerifyProfessionalFinancialAdviserMatch' - $ref: '#/components/schemas/VerifyProfessionalBannedDisqualifiedPersonMatch' - $ref: '#/components/schemas/VerifyProfessionalAfsRepresentativeMatch' - $ref: '#/components/schemas/VerifyProfessionalCreditRepresentativeMatch' - $ref: '#/components/schemas/VerifyProfessionalRegisteredAuditorMatch' - $ref: '#/components/schemas/VerifyProfessionalSmsfAuditorMatch' VerifyProfessionalEvidence: type: object required: - evidence_id - raw_payload_ref - source_id - source_version - fetched_at - source_effective_date - certificate_sha256 - cost_cents - result_summary properties: evidence_id: type: string raw_payload_ref: type: string source_id: type: string enum: - asic-liquidators - asic-financial-advisers - asic-banned-disqualified - asic-afs-licensees - asic-credit-licensees - asic-auditors source_version: type: string fetched_at: type: integer source_effective_date: type: - string - 'null' certificate_sha256: type: string pattern: ^[0-9a-f]{64}$ cost_cents: type: integer minimum: 0 result_summary: type: string additionalProperties: false VerifyProfessionalResponse: type: object required: - ok - status - source_id - source_version - source_effective_date - matches - evidence - summary - manual_review_required properties: ok: type: boolean const: true status: type: string enum: - source_backed_match - not_found source_id: type: string enum: - asic-liquidators - asic-financial-advisers - asic-banned-disqualified - asic-afs-licensees - asic-credit-licensees - asic-auditors source_version: type: string source_effective_date: type: - string - 'null' matches: type: array items: $ref: '#/components/schemas/VerifyProfessionalMatch' evidence: $ref: '#/components/schemas/VerifyProfessionalEvidence' summary: type: string manual_review_required: type: boolean additionalProperties: false VerifyProfessionalError: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input - source_unavailable - unauthorized message: type: string additionalProperties: false VerifyProfessionalFinancialAdviserAddress: type: object required: - locality - state - postcode - country properties: locality: type: - string - 'null' state: type: - string - 'null' postcode: type: - string - 'null' country: type: - string - 'null' additionalProperties: false VerifyProfessionalFinancialAdviserLicence: type: object required: - name - number - abn - controlled_by properties: name: type: - string - 'null' number: type: - string - 'null' abn: type: - string - 'null' controlled_by: type: array items: type: string additionalProperties: false VerifyProfessionalFinancialAdviserRepresentative: type: object required: - name - number - abn properties: name: type: - string - 'null' number: type: - string - 'null' abn: type: - string - 'null' additionalProperties: false VerifyProfessionalFinancialAdviserDisciplinaryAction: type: object required: - start_date - end_date - type - description properties: start_date: type: - string - 'null' end_date: type: - string - 'null' type: type: - string - 'null' description: type: - string - 'null' additionalProperties: false VerifyProfessionalLiquidatorMatch: type: object required: - source_id - register_name - liquidator_name - registered_liquidator_number - official_liquidator_number - registered_liquidator_start_date - official_liquidator_start_date - status - suspension_date - principal_business_address - firm_membership - record_key properties: source_id: type: string const: asic-liquidators register_name: type: - string - 'null' liquidator_name: type: string registered_liquidator_number: type: - string - 'null' official_liquidator_number: type: - string - 'null' registered_liquidator_start_date: type: - string - 'null' official_liquidator_start_date: type: - string - 'null' status: type: - string - 'null' suspension_date: type: - string - 'null' principal_business_address: $ref: '#/components/schemas/VerifyProfessionalAddress' firm_membership: type: array items: type: string record_key: type: string additionalProperties: false VerifyProfessionalFinancialAdviserMatch: type: object required: - source_id - register_name - adviser_name - adviser_number - adviser_role - adviser_sub_type - adviser_role_status - adviser_abn - first_provided_advice_year - licence - adviser_start_date - adviser_end_date - overall_registration_status - registration_status_under_afsl - registration_start_date_under_afsl - registration_end_date_under_afsl - cpd_failure_year - principal_business_address - appointing_representative - disciplinary_action - product_authorisations - able_to_provide_tfas - qualifications_and_training - memberships - further_restrictions - record_key properties: source_id: type: string const: asic-financial-advisers register_name: type: - string - 'null' adviser_name: type: string adviser_number: type: - string - 'null' adviser_role: type: - string - 'null' adviser_sub_type: type: - string - 'null' adviser_role_status: type: - string - 'null' adviser_abn: type: - string - 'null' first_provided_advice_year: type: - string - 'null' licence: $ref: '#/components/schemas/VerifyProfessionalFinancialAdviserLicence' adviser_start_date: type: - string - 'null' adviser_end_date: type: - string - 'null' overall_registration_status: type: - string - 'null' registration_status_under_afsl: type: - string - 'null' registration_start_date_under_afsl: type: - string - 'null' registration_end_date_under_afsl: type: - string - 'null' cpd_failure_year: type: - string - 'null' principal_business_address: $ref: '#/components/schemas/VerifyProfessionalFinancialAdviserAddress' appointing_representative: $ref: '#/components/schemas/VerifyProfessionalFinancialAdviserRepresentative' disciplinary_action: $ref: '#/components/schemas/VerifyProfessionalFinancialAdviserDisciplinaryAction' product_authorisations: type: array items: type: string able_to_provide_tfas: type: - string - 'null' qualifications_and_training: type: array items: type: string memberships: type: array items: type: string further_restrictions: type: - string - 'null' record_key: type: string additionalProperties: false VerifyProfessionalBannedDisqualifiedPersonMatch: type: object required: - source_id - register_name - person_name - banning_type - document_number - start_date - end_date - address - comments - record_key properties: source_id: type: string const: asic-banned-disqualified register_name: type: - string - 'null' person_name: type: string banning_type: type: - string - 'null' document_number: type: - string - 'null' start_date: type: - string - 'null' end_date: type: - string - 'null' address: $ref: '#/components/schemas/VerifyProfessionalFinancialAdviserAddress' comments: type: - string - 'null' record_key: type: string additionalProperties: false VerifyProfessionalAfsRepresentativeMatch: type: object required: - source_id - register_name - representative_number - licence_number - representative_name - representative_abn - representative_acn - other_role - start_date - status - end_date - principal_business_address - cross_endorse - may_appoint - appointed_by - authorisations - same_auth - related_business_names - record_key properties: source_id: type: string const: asic-afs-licensees register_name: type: - string - 'null' representative_number: type: - string - 'null' licence_number: type: - string - 'null' representative_name: type: string representative_abn: type: - string - 'null' representative_acn: type: - string - 'null' other_role: type: - string - 'null' start_date: type: - string - 'null' status: type: - string - 'null' end_date: type: - string - 'null' principal_business_address: $ref: '#/components/schemas/VerifyProfessionalFinancialAdviserAddress' cross_endorse: type: - string - 'null' may_appoint: type: - string - 'null' appointed_by: type: - string - 'null' authorisations: type: array items: type: string same_auth: type: - string - 'null' related_business_names: type: array items: type: string record_key: type: string additionalProperties: false VerifyProfessionalCreditRepresentativeAddress: type: object required: - locality - state - postcode properties: locality: type: - string - 'null' state: type: - string - 'null' postcode: type: - string - 'null' additionalProperties: false VerifyProfessionalCreditRepresentativeMatch: type: object required: - source_id - register_name - representative_number - licence_number - representative_name - representative_identifier - start_date - end_date - principal_business_address - edrs - authorisations - cross_endorse - record_key properties: source_id: type: string const: asic-credit-licensees register_name: type: - string - 'null' representative_number: type: - string - 'null' licence_number: type: - string - 'null' representative_name: type: string representative_identifier: type: - string - 'null' start_date: type: - string - 'null' end_date: type: - string - 'null' principal_business_address: $ref: '#/components/schemas/VerifyProfessionalCreditRepresentativeAddress' edrs: type: - string - 'null' authorisations: type: array items: type: string cross_endorse: type: - string - 'null' record_key: type: string additionalProperties: false VerifyProfessionalRegisteredAuditorAddress: type: object required: - locality - state - postcode - country properties: locality: type: - string - 'null' state: type: - string - 'null' postcode: type: - string - 'null' country: type: - string - 'null' additionalProperties: false VerifyProfessionalSmsfAuditorAddress: type: object required: - locality - state - postcode properties: locality: type: - string - 'null' state: type: - string - 'null' postcode: type: - string - 'null' additionalProperties: false VerifyProfessionalRegisteredAuditorMatch: type: object required: - source_id - register_name - auditor_number - auditor_name - auditor_acn - start_date - status - suspension_date - principal_business_address - record_key properties: source_id: type: string const: asic-auditors register_name: type: - string - 'null' auditor_number: type: - string - 'null' auditor_name: type: string auditor_acn: type: - string - 'null' start_date: type: - string - 'null' status: type: - string - 'null' suspension_date: type: - string - 'null' principal_business_address: $ref: '#/components/schemas/VerifyProfessionalRegisteredAuditorAddress' record_key: type: string additionalProperties: false VerifyProfessionalSmsfAuditorCondition: type: object required: - attribute_type - capacity - condition_number - capacity_firm_name - capacity_start_date - condition - condition_detail - condition_start_date properties: attribute_type: type: - string - 'null' capacity: type: - string - 'null' condition_number: type: - string - 'null' capacity_firm_name: type: - string - 'null' capacity_start_date: type: - string - 'null' condition: type: - string - 'null' condition_detail: type: - string - 'null' condition_start_date: type: - string - 'null' additionalProperties: false VerifyProfessionalSmsfAuditorMatch: type: object required: - source_id - register_name - auditor_number - auditor_name - status - person_abn - registration_date - suspension_start_date - suspension_end_date - principal_business_address - conditions - record_key properties: source_id: type: string const: asic-auditors register_name: type: - string - 'null' auditor_number: type: - string - 'null' auditor_name: type: string status: type: - string - 'null' person_abn: type: - string - 'null' registration_date: type: - string - 'null' suspension_start_date: type: - string - 'null' suspension_end_date: type: - string - 'null' principal_business_address: $ref: '#/components/schemas/VerifyProfessionalSmsfAuditorAddress' conditions: type: array items: $ref: '#/components/schemas/VerifyProfessionalSmsfAuditorCondition' record_key: type: string additionalProperties: false EvidencePackMachinePack: type: object description: Machine-readable signed EvidencePack projection. pack is null when signing is unavailable because EVIDENCE_PACK_HMAC_KEY is absent. required: - format - signing_status - pack - evidence_item_count - finding_count properties: format: type: string const: signed_evidence_pack_v1 signing_status: type: string enum: - signed - unavailable pack: type: - object - 'null' description: Canonical signed EvidencePack when signing_status is signed. Purpose text is represented only as purpose_hash. additionalProperties: true evidence_item_count: type: integer minimum: 0 finding_count: type: integer minimum: 0 additionalProperties: false EvidencePackHumanPack: type: object required: - format - report_title - content_type - page_count - r2_key - artifact_ref - sha256 - download_url - generated_at properties: format: type: string const: due_diligence_record_pdf_v1 report_title: type: string const: Due Diligence Record content_type: type: string const: application/pdf page_count: type: integer minimum: 1 r2_key: type: string artifact_ref: type: string sha256: type: string pattern: ^[a-f0-9]{64}$ download_url: type: string generated_at: type: string format: date-time additionalProperties: false EvidencePackAuditPackArtifact: type: object required: - artifact_id - artifact_type - r2_key - artifact_ref - content_type - sha256 - retention_policy properties: artifact_id: type: string artifact_type: type: string enum: - human_report_pdf - audit_manifest_json - source_check_projection r2_key: type: string artifact_ref: type: string content_type: type: string enum: - application/pdf - application/json sha256: type: - string - 'null' pattern: ^[a-f0-9]{64}$ retention_policy: type: string const: account_audit_retention additionalProperties: false EvidencePackAuditPackSourceSnapshot: type: object required: - source - source_snapshot_id - source_version - parser_version properties: source: type: string source_snapshot_id: type: - string - 'null' source_version: type: - string - 'null' parser_version: type: - string - 'null' additionalProperties: false EvidencePackAuditPack: type: object required: - manifest_version - pack_id - generated_at - retention_policy - manifest_r2_key - manifest_artifact_ref - artifacts - source_snapshots - raw_artifact_refs properties: manifest_version: type: string const: audit_artifact_manifest_v1 pack_id: type: string generated_at: type: string format: date-time retention_policy: type: string const: account_audit_retention manifest_r2_key: type: string manifest_artifact_ref: type: string artifacts: type: array items: $ref: '#/components/schemas/EvidencePackAuditPackArtifact' source_snapshots: type: array items: $ref: '#/components/schemas/EvidencePackAuditPackSourceSnapshot' raw_artifact_refs: type: array items: type: string additionalProperties: false EvidencePackRiskCategorySummary: type: object required: - category - severity - flag_count - summary properties: category: $ref: '#/components/schemas/EvidencePackRiskFlag/properties/category' severity: $ref: '#/components/schemas/EvidencePackRiskFlag/properties/severity' flag_count: type: integer minimum: 0 summary: type: string additionalProperties: false EvidencePackRiskExplanation: type: object required: - summary - category_summaries - scoring_model properties: summary: type: string description: Source-backed risk interpretation summary. Avoids legal/commercial clearance wording. category_summaries: type: array items: $ref: '#/components/schemas/EvidencePackRiskCategorySummary' scoring_model: type: string enum: - max_severity_weighted_by_confidence_v1 additionalProperties: false VerificationPolicyRequirements: type: object additionalProperties: false properties: gst_required: type: boolean licence_required: type: boolean charity_status_required: type: boolean VerificationPolicyEvidenceSubject: type: object additionalProperties: false properties: abn: type: string nullable: true acn: type: string nullable: true vin: type: string nullable: true amount_cents: type: integer nullable: true minimum: 0 VerificationPolicyEvidenceSourceCheck: type: object additionalProperties: false required: - source - verdict properties: source: type: string verdict: type: string freshness: type: string nullable: true source_snapshot_id: type: string nullable: true raw_artifact_ref: type: string nullable: true VerificationPolicyEvidence: type: object additionalProperties: false properties: pack_id: type: string nullable: true subject: $ref: '#/components/schemas/VerificationPolicyEvidenceSubject' source_checks: type: array items: $ref: '#/components/schemas/VerificationPolicyEvidenceSourceCheck' risk_flags: type: array items: $ref: '#/components/schemas/EvidencePackRiskFlag' risk_score: type: integer nullable: true minimum: 0 maximum: 100 VerificationPolicyEvaluateRequest: type: object additionalProperties: false required: - evidence properties: policy_template: type: string enum: - asset_finance_under_50k_v1 - supplier_onboarding_v1 default: asset_finance_under_50k_v1 organization_id: type: string nullable: true policy_id: type: string nullable: true policy_version: type: string nullable: true requirements: $ref: '#/components/schemas/VerificationPolicyRequirements' evidence: $ref: '#/components/schemas/VerificationPolicyEvidence' VerificationPolicyRuleResult: type: object additionalProperties: false required: - rule_id - status - severity - message - source_refs - evidence_refs - recommended_next_action properties: rule_id: type: string status: type: string enum: - satisfied - failed - needs_review - missing_evidence severity: type: string enum: - info - review - blocking message: type: string source_refs: type: array items: type: string evidence_refs: type: array items: type: string recommended_next_action: type: string VerificationPolicyEnvelope: type: object additionalProperties: false required: - ok - schema_version - policy - outcome - summary - rule_results - missing_evidence - review_items - failure_reasons - recommended_next_action properties: ok: type: boolean enum: - true schema_version: type: string enum: - 1.0.0 policy: type: object additionalProperties: false required: - template_id - policy_version - organization_id - policy_id properties: template_id: type: string enum: - asset_finance_under_50k_v1 - supplier_onboarding_v1 policy_version: type: string organization_id: type: string nullable: true policy_id: type: string nullable: true outcome: type: string enum: - pass - fail - needs_review - missing_evidence summary: type: string rule_results: type: array items: $ref: '#/components/schemas/VerificationPolicyRuleResult' missing_evidence: type: array items: $ref: '#/components/schemas/VerificationPolicyRuleResult' review_items: type: array items: $ref: '#/components/schemas/VerificationPolicyRuleResult' failure_reasons: type: array items: $ref: '#/components/schemas/VerificationPolicyRuleResult' recommended_next_action: type: string VerificationPolicyError: type: object additionalProperties: false required: - ok - code - message properties: ok: type: boolean enum: - false code: type: string enum: - invalid_input - unknown_policy_template message: type: string DecisionMemoryOutcome: type: string enum: - accepted - rejected - needs_review - false_positive - resolved_manually - escalated - approved_despite_risk DecisionMemorySubjectType: type: string enum: - evidence_pack - risk_flag - source_assertion - source_match - policy_evaluation DecisionMemoryEvent: type: object required: - decision_id - org_id - reviewer_user_id - outcome - subject_type - evidence_pack_id - policy_id - policy_version - policy_evaluation_id - risk_flag_code - risk_flag_ref - source_assertion_id - source_match_ref - reviewer_action_refs - reason_codes - notes - metadata - schema_version - created_at properties: decision_id: type: string org_id: type: string reviewer_user_id: type: string description: Server-trusted reviewer id from the authenticated bearer context. outcome: $ref: '#/components/schemas/DecisionMemoryOutcome' subject_type: $ref: '#/components/schemas/DecisionMemorySubjectType' evidence_pack_id: type: - string - 'null' policy_id: type: - string - 'null' policy_version: type: - string - 'null' policy_evaluation_id: type: - string - 'null' risk_flag_code: type: - string - 'null' risk_flag_ref: type: - string - 'null' source_assertion_id: type: - string - 'null' source_match_ref: type: - string - 'null' reviewer_action_refs: type: array items: type: string reason_codes: type: array items: type: string notes: type: - string - 'null' maxLength: 2000 metadata: type: object additionalProperties: true schema_version: type: string const: 1.0.0 created_at: type: integer description: Unix epoch milliseconds. additionalProperties: false DecisionMemoryRecordRequest: type: object required: - org_id - outcome - subject_type properties: decision_id: type: string org_id: type: string outcome: $ref: '#/components/schemas/DecisionMemoryOutcome' subject_type: $ref: '#/components/schemas/DecisionMemorySubjectType' evidence_pack_id: type: string policy_id: type: string policy_version: type: string policy_evaluation_id: type: string risk_flag_code: type: string risk_flag_ref: type: string source_assertion_id: type: string source_match_ref: type: string reviewer_action_refs: type: array items: type: string reason_codes: type: array items: type: string notes: type: string maxLength: 2000 metadata: type: object additionalProperties: true additionalProperties: false description: Record append-only reviewer feedback. reviewer_user_id is resolved from bearer authentication and is not accepted in the request body. DecisionMemoryRecordEnvelope: type: object required: - ok - event properties: ok: type: boolean const: true event: $ref: '#/components/schemas/DecisionMemoryEvent' DecisionMemoryListEnvelope: type: object required: - ok - events - count properties: ok: type: boolean const: true events: type: array items: $ref: '#/components/schemas/DecisionMemoryEvent' count: type: integer DecisionMemoryError: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input - unauthorized - duplicate_decision - decision_memory_operation_failed message: type: string securitySchemes: bearerAuth: type: http scheme: bearer bearerFormat: API-Key oauth2: type: oauth2 x-issuer: https://mcp.assets.hoistai.com x-authorization-server-metadata-url: https://mcp.assets.hoistai.com/.well-known/oauth-authorization-server x-protected-resource-metadata-url: https://mcp.assets.hoistai.com/.well-known/oauth-protected-resource x-resource: https://mcp.assets.hoistai.com/mcp x-registration-url: https://mcp.assets.hoistai.com/oauth/register x-revocation-url: https://mcp.assets.hoistai.com/oauth/revoke flows: authorizationCode: authorizationUrl: https://mcp.assets.hoistai.com/oauth/authorize tokenUrl: https://mcp.assets.hoistai.com/oauth/token scopes: ppsr:search.org: Run PPSR organisation-grantor searches by ACN ppsr:search.serial: Run PPSR serial-number searches by VIN, chassis, motor, aircraft, or watercraft identifier abn:lookup: Run ABN and business-name lookups gst:status: Read GST registration status assets:receipts: Read Due Diligence Records and evidence receipts exports:write: Create Evidence Pack exports and audit artifacts assets:monitor: Monitor approved entities and assets for source-backed changes mcp:account.receipts: Read session-scoped MCP account receipts security: - bearerAuth: [] paths: /_health: get: operationId: getHealth summary: Liveness probe description: Returns a public health envelope confirming API reachability. No authentication required. This is a setup signal only; it is not a claim that production source endpoints or paid operations are open. security: [] responses: '200': description: API is healthy content: application/json: schema: type: object required: - ok - version - time properties: ok: type: boolean const: true description: Always true on a 200 response version: type: string description: Worker package version (semver) example: 0.0.700 time: type: string format: date-time description: ISO 8601 timestamp of the probe example: '2026-05-20T12:00:00.000Z' /ppsr/preview: post: operationId: ppsrPreview summary: Preview the price of a PPSR search description: 'Returns the planned cost (ex-GST + GST + total in AUD) for a PPSR org-grantor or serial-number search WITHOUT hitting the register. No audit emission, no R2 write, no per-call fee. Paid PPSR dispatch requires account, billing, confirmation, and source readiness. Auth: bearer credential when provisioned.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PpsrSearchRequest' responses: '200': description: Price quote returned content: application/json: schema: allOf: - $ref: '#/components/schemas/PpsrCostBreakdown' - type: object required: - ok - subject_kind - estimate_token properties: ok: type: boolean const: true subject_kind: type: string enum: - organisation - serial_number estimate_token: type: string description: Opaque token (hex 32 chars) that future paid-search confirmation flows may use to bind a preview to its search. Informational only. example: ab12cd34ef56789012345678abcdef01 '400': description: Invalid request body content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' '401': description: Authentication required content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' /ppsr/search: post: operationId: ppsrSearch summary: Run a PPSR organisation or serial-number search description: 'Contract for a PPSR search (org-grantor by ACN OR serial-number by VIN/motor/aircraft/watercraft). Returns the search reference, financing-statement registrations, certificate-XML descriptor, and cost breakdown when the operation is enabled. Org-only scope: never searches individuals. Today the public validation path uses deterministic sample data and stub certificate XML. Real AFSA/PPSR dispatch is not open until source and billing gates pass. Auth: bearer credential when provisioned.' security: - oauth2: - ppsr:search.org - oauth2: - ppsr:search.serial - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PpsrPaidSearchRequest' responses: '200': description: Search ran successfully content: application/json: schema: allOf: - $ref: '#/components/schemas/PpsrCostBreakdown' - type: object required: - ok - subject_kind - search_ref - searched_at - registration_count - registrations - certificate - audit_metadata properties: ok: type: boolean const: true subject_kind: type: string enum: - organisation - serial_number search_ref: type: string description: AFSA/partner-issued reference number for this search. example: PPSR-MOCK-ORG-001 searched_at: type: string format: date-time description: ISO-8601 timestamp from the provider for when the search ran. registration_count: type: integer minimum: 0 description: Count of financing-statement registrations returned. registrations: type: array description: Compact projection of each registration. Org-only-safe (no individual-grantor PII). items: type: object required: - registration_number - registration_kind - start_time - end_time - collateral_class - collateral_summary - secured_party_name properties: registration_number: type: string registration_kind: type: string start_time: type: string format: date-time end_time: type: - string - 'null' format: date-time collateral_class: type: string collateral_summary: type: string secured_party_name: type: string certificate: type: - object - 'null' description: Certificate descriptor if the provider issued one. Null for "not found" sentinels or partner providers without cert support. required: - r2_key - sha256 - content_type - bytes properties: r2_key: type: string example: ppsr-certs/2026-05-20/01234567-89ab-cdef-0123-456789abcdef.xml sha256: type: string pattern: ^[0-9a-f]{64}$ content_type: type: string enum: - application/xml bytes: type: integer minimum: 0 audit_metadata: type: object description: Audit metadata used by MCP tool handlers to construct the register_search_initiated / _completed audit pair (rule 17). Echoed for HTTP callers for observability. required: - search_id - input_hash - subject_kind - started_at_ms - finished_at_ms - duration_ms properties: search_id: type: string input_hash: type: string pattern: ^[0-9a-f]{32}$ subject_kind: type: string enum: - organisation - serial_number started_at_ms: type: integer finished_at_ms: type: integer duration_ms: type: integer minimum: 0 '400': description: Invalid request body content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' '401': description: Authentication required content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' '403': description: Bearer token is valid but missing the required PPSR search scope for this subject_kind. content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' '429': description: Monthly billing cap reached for this user. content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' '502': description: Upstream provider failure content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' x-hoist-required-scopes: organisation: ppsr:search.org serial_number: ppsr:search.serial /asic/company/lookup: post: operationId: lookupCompany summary: Look up an ASIC company fixture description: 'sample-data ASIC company lookup by ACN, ABN, or exact normalised company name. Uses local ASIC open-data sample data only: no live ASIC dispatch, no secrets, and no paid ASIC product search.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: type: object properties: acn: type: string description: Australian Company Number, spaces or hyphens accepted. abn: type: string description: Australian Business Number, spaces or hyphens accepted. company_name: type: string description: Exact company name matched after deterministic normalisation. additionalProperties: false responses: '200': description: ASIC company fixture matched. content: application/json: schema: type: object required: - ok - tool - status - company - matched_on - source - generated_at properties: ok: type: boolean const: true tool: type: string const: company_lookup status: type: string const: found company: type: object required: - acn - abn - name - status - entity_type - registered_at - deregistered_at - current_name - risk_flags properties: acn: type: string abn: type: - string - 'null' name: type: string status: type: string enum: - registered - deregistered entity_type: type: string registered_at: type: string format: date deregistered_at: type: - string - 'null' format: date current_name: type: boolean risk_flags: type: array items: type: string matched_on: type: string enum: - acn - abn - company_name source: type: object required: - provider - dataset - resource_id - extract_date - licence - live_search_dispatched - paid_searches_dispatched properties: provider: type: string const: asic-data-gov-fixture dataset: type: string const: ASIC Company Dataset resource_id: type: string extract_date: type: string format: date licence: type: string live_search_dispatched: type: boolean const: false paid_searches_dispatched: type: boolean const: false generated_at: type: string format: date-time '400': description: Invalid input. content: application/json: schema: $ref: '#/components/schemas/AbnLookupError' '401': description: Missing or invalid bearer token. content: application/json: schema: $ref: '#/components/schemas/AbnLookupError' '404': description: No matching company fixture. content: application/json: schema: $ref: '#/components/schemas/AbnLookupError' /address/lookup: post: operationId: addressLookup summary: Look up an Australian address against G-NAF description: 'Returns G-NAF snapshot-backed address candidates, confidence, and mismatch flags from the shared address lookup service. No caller query text is persisted. Protected validation route; use only where access is provisioned. Auth: bearer credential when provisioned.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AddressLookupRequest' responses: '200': description: Address lookup completed. A no-match lookup still returns 200 with status=no_match and an empty candidates list. content: application/json: schema: $ref: '#/components/schemas/AddressLookupResponse' '400': description: Invalid request body or address/source input. content: application/json: schema: $ref: '#/components/schemas/AddressLookupError' '401': description: Missing or invalid bearer token. content: application/json: schema: $ref: '#/components/schemas/AddressLookupError' '502': description: G-NAF shard read failed. content: application/json: schema: $ref: '#/components/schemas/AddressLookupError' /what-changed: post: operationId: whatChanged summary: Compare monitor evidence snapshots description: 'Returns a structured no-change or changed diff between evidence pack snapshots, or between the first and latest owned snapshots for a target/time range. Raw address input and source payloads are not accepted or returned. Protected route; delivery surfaces require account access and source readiness. Auth: bearer credential when provisioned.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/WhatChangedRequest' responses: '200': description: Snapshot comparison completed. No-change comparisons return 200 with outcome=no_change and an empty changes array. content: application/json: schema: $ref: '#/components/schemas/WhatChangedResponse' '400': description: Invalid request body, selector, or non-comparable snapshots. content: application/json: schema: $ref: '#/components/schemas/WhatChangedError' '401': description: Missing or invalid bearer token. content: application/json: schema: $ref: '#/components/schemas/WhatChangedError' '404': description: No owned monitor evidence snapshots matched the requested selector. content: application/json: schema: $ref: '#/components/schemas/WhatChangedError' '409': description: Target/time-range selector matched multiple monitor subscriptions and needs subscription_id. content: application/json: schema: $ref: '#/components/schemas/WhatChangedError' '500': description: Snapshot diff storage or projection failed. content: application/json: schema: $ref: '#/components/schemas/WhatChangedError' /recheck-before-funding: post: operationId: confirmNoChanges summary: Recheck monitor evidence before funding description: 'Runs an explicit before-funding monitor check against a captured baseline and returns outcome=no_changes or outcome=changes_detected with evidence pack references. The caller supplies the current evidence payload produced by the source check; this endpoint does not create monitors, deliver notifications, or expose what_changed selectors. Protected route; delivery surfaces require account access and source readiness. Auth: bearer credential when provisioned.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ConfirmNoChangesRequest' responses: '200': description: Before-funding recheck completed. No-change and changed outcomes both return 200 with structured evidence references. content: application/json: schema: $ref: '#/components/schemas/ConfirmNoChangesResponse' '400': description: Invalid request body or current evidence payload. content: application/json: schema: $ref: '#/components/schemas/ConfirmNoChangesError' '401': description: Missing or invalid bearer token. content: application/json: schema: $ref: '#/components/schemas/ConfirmNoChangesError' '404': description: No owned monitor subscription matched the requested subscription ID. content: application/json: schema: $ref: '#/components/schemas/ConfirmNoChangesError' '409': description: Captured baseline is missing or does not match the expected baseline evidence pack ID. content: application/json: schema: $ref: '#/components/schemas/ConfirmNoChangesError' '500': description: Before-funding recheck failed while running the monitor check. content: application/json: schema: $ref: '#/components/schemas/ConfirmNoChangesError' /monitors: post: operationId: monitorEntityOrAsset summary: Create an entity or asset monitor description: Creates a monitor subscription for an ABN, ACN, VIN, or address using the shared monitoring lifecycle service. The route records monitor audit events and returns durable subscription metadata; queue runners, delivery adapters, CLI, and MCP surfaces are separate endpoints. security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MonitorCreateRequest' responses: '201': description: Monitor subscription created. content: application/json: schema: $ref: '#/components/schemas/MonitorResponse' '400': description: Invalid owner, target, interval, or request body. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '401': description: Missing or invalid bearer token. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '500': description: Monitor operation failed. content: application/json: schema: $ref: '#/components/schemas/MonitorError' get: operationId: listMonitors summary: List monitor subscriptions description: Lists monitor subscriptions for the authenticated user and supplied tenant/account owner context. security: - bearerAuth: [] parameters: - name: tenant_id in: query required: true schema: type: string minLength: 1 maxLength: 128 - name: account_id in: query required: true schema: type: string minLength: 1 maxLength: 128 - name: status in: query required: false schema: type: string enum: - pending_baseline - active - paused - canceled - failed - name: limit in: query required: false schema: type: integer minimum: 1 maximum: 100 responses: '200': description: Monitor subscriptions for the requested owner context. content: application/json: schema: $ref: '#/components/schemas/MonitorListResponse' '400': description: Invalid owner or limit. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '401': description: Missing or invalid bearer token. content: application/json: schema: $ref: '#/components/schemas/MonitorError' /monitors/{id}: get: operationId: getMonitorStatus summary: Get monitor subscription status description: Returns a single monitor subscription for the authenticated user and supplied tenant/account owner context. security: - bearerAuth: [] parameters: - name: id in: path required: true schema: type: string minLength: 1 - name: tenant_id in: query required: true schema: type: string minLength: 1 maxLength: 128 - name: account_id in: query required: true schema: type: string minLength: 1 maxLength: 128 responses: '200': description: Monitor subscription status. content: application/json: schema: $ref: '#/components/schemas/MonitorResponse' '400': description: Invalid owner or monitor id. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '401': description: Missing or invalid bearer token. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '403': description: Monitor belongs to a different authenticated user or owner context. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '404': description: Monitor not found. content: application/json: schema: $ref: '#/components/schemas/MonitorError' delete: operationId: revokeMonitor summary: Revoke a monitor subscription description: Revokes an active monitor subscription for the authenticated user and supplied owner context. security: - bearerAuth: [] parameters: - name: id in: path required: true schema: type: string minLength: 1 requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MonitorRevokeRequest' responses: '200': description: Monitor subscription revoked. content: application/json: schema: $ref: '#/components/schemas/MonitorResponse' '400': description: Invalid owner, monitor id, or revocation reason. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '401': description: Missing or invalid bearer token. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '403': description: Monitor belongs to a different authenticated user or owner context. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '404': description: Monitor not found. content: application/json: schema: $ref: '#/components/schemas/MonitorError' '409': description: Monitor is already terminal and cannot be revoked again. content: application/json: schema: $ref: '#/components/schemas/MonitorError' /asic/business-name/lookup: post: operationId: verifyBusinessNameRegistration summary: Look up an ASIC business name description: Looks up an ASIC Business Names public snapshot row by exact, alternate, or deterministic normalised name. Uses stored source snapshots when available, falls back to sample fixtures when no snapshot exists, and never dispatches a live or paid ASIC search. security: - bearerAuth: [] requestBody: required: true content: application/json: schema: type: object required: - business_name properties: business_name: type: string description: Business name to match against the ASIC Business Names public snapshot. abn: type: string description: Optional 11-digit ABN to constrain the source snapshot match. additionalProperties: false responses: '200': description: Business-name source snapshot or fallback fixture matched. No live or paid ASIC search was dispatched. content: application/json: schema: type: object required: - ok - tool - business_name - status - registered_at - cancelled_at - state_of_registration - abn - bn_state_number - match - source - raw - risk_flags - live_search_dispatched - paid_searches_dispatched - generated_at properties: ok: type: boolean const: true tool: type: string const: lookup_business_name business_name: type: string status: type: string enum: - registered - cancelled registered_at: type: string format: date cancelled_at: type: - string - 'null' format: date state_of_registration: type: string abn: type: - string - 'null' bn_state_number: type: string match: type: object required: - method - confidence - query - matched_name properties: method: type: string enum: - exact_normalised - alternate_name - fuzzy_token confidence: type: number minimum: 0 maximum: 1 query: type: string matched_name: type: string source: type: object description: ASIC data.gov.au snapshot provenance. `source_version` is present for source_records-backed public snapshots. raw: type: object description: Raw ASIC Business Names source fields. risk_flags: type: array items: type: object required: - severity - code - message properties: severity: type: string enum: - low - medium code: type: string message: type: string live_search_dispatched: type: boolean const: false paid_searches_dispatched: type: boolean const: false generated_at: type: string format: date-time '400': description: Invalid input or malformed JSON. content: application/json: schema: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input message: type: string '401': description: Missing or invalid bearer identity. content: application/json: schema: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - unauthorized message: type: string '404': description: No matching ASIC business-name source snapshot or fallback fixture was found. content: application/json: schema: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - business_name_not_found message: type: string /verify-payment-or-invoice: post: operationId: verifyPaymentOrInvoice summary: Verify an invoice or payment before sending money description: 'Check an invoice, quote, or supplier payment instruction for deterministic consistency signals before the user pays. Parses untrusted invoice text locally, extracts ABN/ACN/business/payment fields, and returns a compact card with hard limitation language. Bank account ownership is NOT independently verified; callers must confirm payment details through a known independent channel. Protected route; production source and billing operations require account access and source readiness. Auth: bearer credential; the authenticated userId is derived from the bearer, not from the request body.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: type: object description: Provide `document_text` or at least one structured invoice/payment field. All fields are flat primitives; nested objects and arrays are rejected by the service. properties: document_text: type: string description: Raw invoice/payment text from paste or OCR. Treated as untrusted input and never reflected verbatim. supplier_name: type: string business_name: type: string abn: type: string description: Australian Business Number (11 digits, spaces optional). acn: type: string description: Australian Company Number (9 digits, spaces optional). invoice_number: type: string invoice_amount: oneOf: - type: string - type: number gst_amount: oneOf: - type: string - type: number bsb: type: string description: BSB shape only; does not verify bank-account ownership. account_number: type: string description: Account-number shape only; does not verify bank-account ownership. remittance_email: type: string payment_reference: type: string asset_vin: type: string description: Optional supplied asset VIN to compare against invoice text. asset_chassis_number: type: string description: Optional supplied asset chassis number to compare against invoice text. asset_serial_number: type: string description: Optional supplied asset serial number to compare against invoice text. responses: '200': description: Invoice/payment check completed. Bank-account ownership is explicitly not verified. content: application/json: schema: type: object required: - ok - card - generated_at properties: ok: type: boolean const: true card: type: object required: - tool - verdict - confidence - extracted_fields - verified_fields - not_verified_fields - supported_inputs - risk_flags - human_review_items - disclaimer - composition_hooks - asset_invoice_identifier_consistency - pending_confirmation properties: tool: type: string const: verify_payment_or_invoice verdict: type: string enum: - needs_review confidence: type: number minimum: 0 maximum: 1 extracted_fields: type: object description: Deterministically extracted or caller-supplied fields. Raw document_text is not returned. properties: abn: type: - string - 'null' acn: type: - string - 'null' supplier_name: type: - string - 'null' business_name: type: - string - 'null' invoice_number: type: - string - 'null' invoice_amount: type: - string - 'null' gst_amount: type: - string - 'null' bsb: type: - string - 'null' account_number: type: - string - 'null' remittance_email: type: - string - 'null' payment_reference: type: - string - 'null' verified_fields: type: array items: type: string description: Fields the current service can structurally verify. `account_number` is intentionally excluded. not_verified_fields: type: array items: type: string description: Includes `bank_account_ownership` on every success response. supported_inputs: type: array items: type: string risk_flags: type: array items: type: object required: - severity - code - message properties: severity: type: string enum: - medium - high code: type: string message: type: string human_review_items: type: array items: type: string disclaimer: type: string description: 'Always: Bank account ownership is NOT independently verified. Confirm payment details through a known independent channel before sending money.' composition_hooks: type: object description: Planned future composition points for verify_counterparty and verify_asset. asset_invoice_identifier_consistency: type: object description: Optional VIN/chassis/serial consistency check between supplied asset identifiers and invoice text. Mismatches add a high-risk flag but do not block unrelated invoice verification output. required: - status - asset_identifiers - invoice_identifiers - matched_identifiers - mismatches - human_review_item properties: status: type: string enum: - not_applicable - match - mismatch - invoice_identifier_missing - asset_identifier_missing asset_identifiers: type: array items: $ref: '#/components/schemas/AssetInvoiceCanonicalIdentifier' invoice_identifiers: type: array items: $ref: '#/components/schemas/AssetInvoiceCanonicalIdentifier' matched_identifiers: type: array items: $ref: '#/components/schemas/AssetInvoiceCanonicalIdentifier' mismatches: type: array items: type: object required: - kind - asset - invoice properties: kind: type: string enum: - vin - chassis_number - engine_number - serial_number asset: $ref: '#/components/schemas/AssetInvoiceCanonicalIdentifier' invoice: $ref: '#/components/schemas/AssetInvoiceCanonicalIdentifier' human_review_item: type: - string - 'null' pending_confirmation: type: - object - 'null' description: Present when invoice text contains asset identifiers and a paid PPSR/verify_asset search would require explicit user confirmation. No paid search is dispatched by this endpoint. required: - status - required_before - reason - confirmation_field - asset_identifiers - paid_searches_dispatched - recommended_action properties: status: type: string const: pending_confirmation required_before: type: string const: paid_ppsr_search reason: type: string confirmation_field: type: string const: user_confirmation_for_paid_search asset_identifiers: type: array items: type: object required: - kind - value properties: kind: type: string enum: - vin - chassis_number - serial_number value: type: string paid_searches_dispatched: type: boolean const: false recommended_action: type: string generated_at: type: string format: date-time '400': description: Invalid request body or insufficient invoice/payment fields. content: application/json: schema: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input message: type: string '401': description: Authenticated user identity is required. content: application/json: schema: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - unauthorized message: type: string /verify-counterparty: post: operationId: verifyCounterparty summary: Verify an Australian counterparty description: 'Verify a counterparty business against fixture-backed Australian register shapes (ABN + PPSR). Returns a compact Evidence Card with source-attributed facts, consistency findings, and audit metadata. Org-only scope: does not search individuals. Real ABN and AFSA/PPSR source traffic is not open until source and billing gates pass. Auth: bearer credential when provisioned; the authenticated userId is derived from the bearer, NOT from the request body.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: type: object description: 'At least one of `abn` or `acn` is required. `business_name` alone is insufficient until the ABR name-search adapter ships. ha-h6ak: the previous `user_id` body field is removed — the authenticated userId is derived from the OAuth bearer token.' properties: abn: type: string description: Australian Business Number (11 digits, spaces optional). pattern: ^[0-9 ]{11,13}$ example: 51 824 753 556 acn: type: string description: Australian Company Number (9 digits, spaces optional). pattern: ^[0-9 ]{9,11}$ example: 123 456 789 business_name: type: string description: Legal entity name. Used for soft-matching against ABR results when an `abn` is also supplied. NOT sufficient as the sole identifier. trading_name: type: string description: Trading-as / brand name. Recorded for context only. address: type: string description: Single-line formatted address. Used for G-NAF consistency with approved access. email_domain: type: string description: Email DOMAIN ONLY (e.g. "hoistai.com"). Full email addresses are rejected — emails are banned audit fields. example: hoistai.com phone: type: string description: Contact phone. Advisory metadata only — never used for identification. context: type: string description: Human-readable verification purpose. Stored as provenance metadata. Not used for access-control decisions. responses: '200': description: Counterparty verified. Returns a compact Evidence Card plus audit metadata. content: application/json: schema: type: object required: - ok - card - entity_candidates - pack_id - generated_at - audit_metadata properties: ok: type: boolean const: true card: type: object description: 'Compact Evidence Card (<2KB JSON-serialised). Mirrors `EvidenceCard` from src/canonical/evidence-card.ts. Source-attributed facts only — no raw input reflected. The previous schema shorthand (`verdict / confidence / evidence_summary / findings`) was aspirational and never matched the implementation; Stage-2 PR #311 review aligned this schema to the canonical type (ha-w8e3 follow-up).' required: - headline_verdict - one_sentence_reason - risk_flags - source_checks - recommended_actions - pack_id - generated_at properties: headline_verdict: type: string enum: - pass - review_required - high_risk - insufficient_data description: 'Top-level verdict derived from findings severity. `pass`: no critical/high findings. `review_required`: at least one high finding. `high_risk`: at least one critical finding. `insufficient_data`: no evidence items returned.' one_sentence_reason: type: string description: One sentence explaining the verdict, written for a financial professional audience. risk_flags: type: array description: Top N risk flags from findings (severity-sorted, critical first). Capped at 5 by default. items: type: object required: - finding_id - severity - message properties: finding_id: type: string description: Unique finding ID for back-reference to the full pack. severity: type: string enum: - critical - high - medium - low - info message: type: string description: Human-readable risk description. Must not contain raw PII. recommended_action: type: string description: Optional next action for the reviewer. source_checks: type: array description: Per-source check summaries — one row per unique source_id in the pack. Capped at 10 by default. items: type: object required: - source_id - source_checked_at - result_summary properties: source_id: type: string description: Source adapter ID, e.g. "abr-lookup", "afsa-ppsr". source_checked_at: type: integer description: Unix epoch milliseconds of the most recent fetch from this source. result_summary: type: string description: Short human-readable result description. recommended_actions: type: array description: Recommended actions from risk_flag findings (deduplicated, ordered by finding severity descending). items: type: string pack_id: type: string description: pack_id of the source EvidencePack — back-reference pointer. Mirrors the envelope's top-level pack_id. shareable_url: type: string description: 'Public shareable URL for this card, if a base URL was configured. Format: `/evidence/`.' generated_at: type: integer description: 'Unix epoch milliseconds copied from the source pack''s `generated_at`. NOTE: the envelope''s top-level `generated_at` is the same instant serialised as ISO-8601.' entity_candidates: type: array description: Deterministic company identity candidates derived from caller ACN and ABN-backed data. Carries ABN-to-ACN cross-walk evidence before live ASIC access is available. items: type: object required: - kind - abn - acn - entity_name - entity_type - source - confidence - evidence_ids properties: kind: type: string const: company abn: type: - string - 'null' description: Canonical spaced ABN when the candidate is ABN-backed. acn: type: string description: Canonical spaced ACN. entity_name: type: - string - 'null' description: ABN-backed entity name when available. entity_type: type: - string - 'null' description: ABN-backed entity type when available. source: type: string enum: - abn_record - caller_acn - abn_record_and_caller_acn confidence: type: number minimum: 0 maximum: 1 evidence_ids: type: array items: type: string pack_id: type: string description: Pack UUID — used by downstream tools like `create_due_diligence_pack`. example: 01900000-0000-7000-8000-000000000000 generated_at: type: string format: date-time description: ISO-8601 generation timestamp. audit_metadata: type: object description: Audit metadata for MCP tool handlers and HTTP callers. required: - search_id - input_hash - register - subject_kind - initiated_at_ms - completed_at_ms - duration_ms properties: search_id: type: string description: UUIDv7 identifier shared by both audit events. input_hash: type: string pattern: ^[0-9a-f]{64}$ description: Full SHA-256 (64 lowercase hex chars) of the canonical verify_counterparty input string. register: type: string enum: - abn - ppsr subject_kind: type: string enum: - abn - organisation initiated_at_ms: type: integer description: Date.now() snapshot from when the service call started. completed_at_ms: type: integer description: Date.now() snapshot from when the service returned. duration_ms: type: integer minimum: 0 description: Duration in milliseconds. '400': description: Invalid request (missing required fields, full email supplied as email_domain, etc.) content: application/json: schema: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - invalid_input message: type: string '429': description: Monthly billing cap reached for this user. content: application/json: schema: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - billing_cap_reached message: type: string '502': description: Source fetch failed (upstream provider error). content: application/json: schema: type: object required: - ok - code - message properties: ok: type: boolean const: false code: type: string enum: - source_fetch_failed message: type: string /ppsr/batch: post: summary: Batch PPSR (CSV in, ZIP out) /abn/{abn}: get: operationId: abnLookup summary: ABN lookup description: 'Look up an Australian Business Number against the ABN contract shape. Returns entity name, type, status, and registered address summary when enabled. Org-only: does not search individuals. Production ABN traffic is not open until source and billing gates pass; use sample flows unless access is explicitly provisioned. Auth: bearer credential when provisioned.' security: - oauth2: - abn:lookup - bearerAuth: [] parameters: - name: abn in: path required: true description: 11-digit Australian Business Number. Spaces and hyphens are accepted and stripped server-side. schema: type: string pattern: ^[0-9 -]{11,16}$ example: 12 345 678 901 responses: '200': description: ABN found content: application/json: schema: type: object required: - ok - abn - entityName - entityType - status - abnRegisteredDate - acn - state - postcode properties: ok: type: boolean const: true description: Always true on a 200 response abn: type: string description: Normalised 11-digit ABN (no spaces) example: '12345678901' entityName: type: string description: Registered entity name from the ABR example: MOCK BUILDING SUPPLIES PTY LTD entityType: type: string description: Entity type (e.g. Australian Private Company, Partnership) example: Australian Private Company status: type: string description: 'Current ABN status: Active or Cancelled' example: Active abnRegisteredDate: type: string description: ISO date the ABN was first registered example: '2010-03-15' acn: type: - string - 'null' description: ACN if the entity has one (companies + registered bodies); null otherwise example: 123 456 789 state: type: - string - 'null' description: Primary business location state code (NSW/VIC/etc.) or null example: NSW postcode: type: - string - 'null' description: Primary business location postcode or null example: '2000' '400': description: Invalid ABN input content: application/json: schema: $ref: '#/components/schemas/AbnLookupError' '401': description: Authentication required content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' '403': description: Bearer token is valid but missing the abn:lookup scope. content: application/json: schema: $ref: '#/components/schemas/PpsrSearchError' '404': description: ABN not found content: application/json: schema: $ref: '#/components/schemas/AbnLookupError' '429': description: Upstream rate limit hit content: application/json: schema: $ref: '#/components/schemas/AbnLookupError' '502': description: Upstream ABR error (network / parse / non-2xx) content: application/json: schema: $ref: '#/components/schemas/AbnLookupError' x-hoist-required-scopes: - abn:lookup /abn/{abn}/history: get: summary: ABN history /gst/{abn}: get: summary: GST registration as at date /receipts/due-diligence: get: operationId: showDueDiligenceReceipt summary: Due-diligence receipt for the authenticated user description: 'Retrieve the PPSR / ABN register-search audit chain for the AUTHENTICATED user: initiated, completed, and failed searches with certificate hashes and costs. PII-free; no raw query payloads. Production records require account access; use only where access is provisioned. The userId is derived from the bearer credential. Auth: bearer credential when provisioned.' security: - bearerAuth: [] parameters: - name: limit in: query required: false description: Maximum number of receipt records to return (default 50, hard cap 200). schema: type: integer minimum: 1 maximum: 200 - name: cursor in: query required: false description: Key-based cursor from a previous response for pagination. schema: type: string - name: from_date in: query required: false description: ISO-8601 inclusive lower bound on the event timestamp. schema: type: string format: date-time - name: to_date in: query required: false description: ISO-8601 inclusive upper bound on the event timestamp. schema: type: string format: date-time responses: '200': description: Receipt envelope containing PPSR-domain audit records content: application/json: schema: type: object required: - ok - data - generated_at - user_id_hash - freshness - partial - confidence - data_source properties: ok: type: boolean const: true data: type: object required: - records - nextCursor properties: records: type: array items: type: object required: - search_id - register - status properties: search_id: type: string register: type: string status: type: string enum: - initiated - completed - failed subject_kind: type: string initiated_at: type: number completed_at: type: number failed_at: type: number cert_sha256: type: string cost_cents: type: number reason: type: string nextCursor: type: - string - 'null' generated_at: type: string format: date-time user_id_hash: type: string description: First 24 hex chars of SHA-256(userId) freshness: type: string format: date-time partial: type: boolean confidence: type: number data_source: type: string const: hoist_assets_audit_due_diligence '400': description: Missing or invalid user_id content: application/json: schema: type: object properties: ok: type: boolean const: false code: type: string message: type: string '502': description: R2 audit-bucket scan failure content: application/json: schema: type: object properties: ok: type: boolean const: false code: type: string message: type: string /records/{id}: get: summary: Retrieve a record (PDF or JSON) /records/{id}/verify: get: summary: Verify a record hash /records: get: summary: List recent records /exports: post: operationId: createEvidencePack summary: Create an Evidence Pack description: 'Build an Evidence Pack containing machine-pack JSON, the Due Diligence Record PDF metadata, audit artifact manifest refs, source checks, timestamps, risk flags, confidence, and human review items when source-backed production operations are enabled. Sample packs may be available for validation. Production PDFs and paid source-backed packs require account access. Auth: bearer credential when provisioned.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: type: object description: At least one of abn or vin is required. properties: abn: type: string description: Australian Business Number of the subject organisation (11 digits, spaces optional). vin: type: string description: Vehicle Identification Number (up to 17 chars). purpose: type: string description: Human-readable purpose for the evidence pack. Stored as provenance metadata only. responses: '200': description: Evidence Pack created content: application/json: schema: $ref: '#/components/schemas/EvidencePackEnvelope' '400': description: Invalid input (e.g. neither abn nor vin provided) content: application/json: schema: $ref: '#/components/schemas/EvidencePackError' '502': description: Upstream (PDF renderer or R2 storage) failed content: application/json: schema: $ref: '#/components/schemas/EvidencePackError' '503': description: Evidence Pack storage not available (env.AUDIT binding missing) content: application/json: schema: $ref: '#/components/schemas/EvidencePackError' /exports/{id}: get: operationId: getEvidencePack summary: Retrieve an Evidence Pack PDF description: 'Stream the Due Diligence Record PDF bytes for a previously-created Evidence Pack. The id is the canonical UUID returned by POST /v1/exports. Production PDF retrieval requires account access; use only where access is provisioned. Auth: bearer credential when provisioned.' security: - bearerAuth: [] parameters: - name: id in: path required: true description: Pack identifier (UUID v4 8-4-4-4-12 hex shape). schema: type: string pattern: ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$ responses: '200': description: PDF bytes for the Due Diligence Record inside the Evidence Pack content: application/pdf: schema: type: string format: binary headers: x-hoist-r2-key: schema: type: string description: R2 key of the stored PDF. x-hoist-audit-manifest-key: schema: type: string description: R2 key of the audit artifact manifest JSON. x-hoist-source-snapshot-ids: schema: type: string description: Comma-separated source snapshot identifiers represented in the pack. x-hoist-raw-artifact-refs: schema: type: string description: Comma-separated audit artifact refs represented in the pack. '400': description: Invalid id shape content: application/json: schema: $ref: '#/components/schemas/EvidencePackError' '404': description: Evidence Pack not found content: application/json: schema: $ref: '#/components/schemas/EvidencePackError' '502': description: Upstream (R2) failed content: application/json: schema: $ref: '#/components/schemas/EvidencePackError' '503': description: Evidence Pack storage not available (env.AUDIT binding missing) content: application/json: schema: $ref: '#/components/schemas/EvidencePackError' /asic/licence/lookup: post: operationId: asicLicenceLookup summary: ASIC AFSL/ACL licence lookup description: 'Look up an ASIC Australian Financial Services Licence or Australian Credit Licence status from sample-data provider data. No live ASIC dispatch or secrets are used. Paid current extracts return a confirmation gate and provider-not-wired status. Protected validation route; live ASIC current extracts are not claimed. Auth: bearer credential when provisioned.' security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AsicLicenceLookupRequest' responses: '200': description: Licence lookup result or paid-search confirmation gate content: application/json: schema: $ref: '#/components/schemas/AsicLicenceLookupResponse' '400': description: Invalid input content: application/json: schema: $ref: '#/components/schemas/AsicLicenceLookupError' '401': description: Missing or invalid bearer token content: application/json: schema: $ref: '#/components/schemas/AsicLicenceLookupError' '404': description: Licence not found in sample-data provider data content: application/json: schema: $ref: '#/components/schemas/AsicLicenceLookupError' /usage: get: summary: Current usage and remaining allowance /verify-professional: post: operationId: verifyProfessional summary: Verify a professional register record description: Verify a professional-register role against source-backed ASIC public snapshots. Supports liquidators, financial advisers, banned/disqualified persons, AFS representatives, credit representatives, Registered Auditors, and SMSF Auditors. Representative, auditor-condition, suspension, and same-name matches require manual review before relying on them as authority evidence. security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyProfessionalRequest' responses: '200': description: Professional verification result with source-backed evidence wording content: application/json: schema: $ref: '#/components/schemas/VerifyProfessionalResponse' '400': description: Invalid input content: application/json: schema: $ref: '#/components/schemas/VerifyProfessionalError' '401': description: Missing or invalid bearer token content: application/json: schema: $ref: '#/components/schemas/VerifyProfessionalError' '503': description: Required ASIC public-source snapshot is unavailable content: application/json: schema: $ref: '#/components/schemas/VerifyProfessionalError' x-hoist-required-scopes: - professional:verify /policies/evaluate: post: operationId: checkVerificationPolicy summary: Evaluate a verification policy description: Evaluate an Evidence Pack projection against a workflow policy template. Returns pass, fail, needs_review, or missing_evidence with rule-level source references. This applies customer/workflow thresholds above source-backed evidence and risk flags; it does not mutate Evidence Packs or source assertions. security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerificationPolicyEvaluateRequest' responses: '200': description: Policy evaluation result content: application/json: schema: $ref: '#/components/schemas/VerificationPolicyEnvelope' '400': description: Invalid input or unknown policy template content: application/json: schema: $ref: '#/components/schemas/VerificationPolicyError' /decision-memory/events: post: operationId: recordDecisionMemory summary: Record decision-memory feedback description: Record an append-only reviewer outcome event against an Evidence Pack, risk flag, source assertion, source match, or policy evaluation. The event is stored separately from source facts and does not mutate Evidence Packs, risk flags, source assertions, or policy results. security: - bearerAuth: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DecisionMemoryRecordRequest' responses: '201': description: Decision-memory event recorded content: application/json: schema: $ref: '#/components/schemas/DecisionMemoryRecordEnvelope' '400': description: Invalid input content: application/json: schema: $ref: '#/components/schemas/DecisionMemoryError' '401': description: Missing authenticated reviewer identity content: application/json: schema: $ref: '#/components/schemas/DecisionMemoryError' '409': description: Duplicate decision id content: application/json: schema: $ref: '#/components/schemas/DecisionMemoryError' get: operationId: listDecisionMemoryEvents summary: List decision-memory feedback description: List append-only reviewer outcome events for future policy/risk tuning. Results are filtered by org_id and optional evidence/policy/source references. security: - bearerAuth: [] parameters: - name: org_id in: query required: true schema: type: string - name: evidence_pack_id in: query required: false schema: type: string - name: policy_id in: query required: false schema: type: string - name: policy_version in: query required: false schema: type: string - name: policy_evaluation_id in: query required: false schema: type: string - name: risk_flag_code in: query required: false schema: type: string - name: source_assertion_id in: query required: false schema: type: string - name: source_match_ref in: query required: false schema: type: string - name: reviewer_user_id in: query required: false schema: type: string - name: limit in: query required: false schema: type: integer minimum: 1 maximum: 100 responses: '200': description: Decision-memory events content: application/json: schema: $ref: '#/components/schemas/DecisionMemoryListEnvelope' '400': description: Invalid input content: application/json: schema: $ref: '#/components/schemas/DecisionMemoryError' x-org-only-scope: 'Hoist Assets operates under an org-only scope: organisation-grantor and serial-number searches only, no PII. The API does NOT accept individual-grantor searches and will reject them with a 400 response before any search runs. See https://hoistai.com/trust/npii-boundary.'