MeshOS API
REST API for application management, AI review orchestration, and component federation. All endpoints require an API key in the Authorization: Bearer header. See Authentication for key setup.
Applications
Upload Application — POST /applications
Upload an application as a ZIP file. Returns an application record with a unique ID and initial analyzing status. Analysis begins immediately.
Get Application — GET /applications/:id
Retrieve application details including analysis metrics, readiness scores (cloud, library, mesh), language breakdown, complexity stats, and security vulnerability counts.
List Applications — GET /applications
Query applications with filtering by status, minimum readiness score, security status, and pagination. Supports status, min_score, has_vulnerabilities, limit, and offset parameters.
AI Review
Trigger Review — POST /applications/:id/review
Start a multi-agent review. Specify agent categories to run (security, architecture, quality, testing, performance, documentation, meta) or pass "all" for a full 23-agent review. Optionally enable patch generation. Returns a review ID and estimated duration.
Get Review Status — GET /reviews/:id
Check progress of a running review: completed agent count, failed count, remaining count, and per-category results.
Get Review Results — GET /reviews/:id/results
Retrieve the full findings report: severity-ranked list of findings, each annotated with file, line number, description, recommendation, and optional patch. Includes a summary breakdown by severity.
Readiness Scoring
Cloud Readiness — GET /applications/:id/readiness/cloud
Returns a 0–100 score and letter grade based on containerization, twelve-factor compliance, statelessness, and observability. Includes per-factor scores and a prioritized recommendation list.
Library Readiness — GET /applications/:id/readiness/library
Returns a score assessing the application's readiness to be promoted as a reusable library.
Mesh Readiness — GET /applications/:id/readiness/mesh
Returns a score assessing service mesh compatibility.
Component Federation
List Components — GET /applications/:id/components
Lists reusable components detected in the application with reusability scores, maturity ratings, and dependency information.
Promote Component — POST /components/:id/promote
Promotes a component to the shared library with a specified version and maturity level.
Events
Query Events — GET /events
Query the event spine for this application. Filter by event type (supports wildcards), application ID, correlation ID, and time range. Returns paginated event records with full payloads.
Subscribe to Events — POST /subscriptions
Create a webhook subscription for specific event types. Provide a URL and webhook secret for signature verification.
Rate Limits
| Resource | Limit | |----------|-------| | Application uploads | 100 / hour | | Review triggers | 50 / hour | | API queries | 1,000 / hour |
Rate limit status is returned in X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset response headers.
Error Codes
| Code | Status | Description |
|------|--------|-------------|
| invalid_zip | 400 | ZIP file corrupted or invalid format |
| file_too_large | 413 | Application exceeds 500MB limit |
| analysis_failed | 500 | Code analysis engine error |
| review_timeout | 504 | AI review exceeded time limit |
| unauthorized | 401 | Invalid or missing API key |
| rate_limit_exceeded | 429 | Too many requests |
Webhook Events
Events delivered to your subscribed endpoint:
application.uploaded— New application uploadedanalysis.completed— Static analysis finishedreview.started— AI review startedreview.completed— AI review finished with full resultsapproval.granted— Application approvedcomponent.promoted— Component promoted to shared library
All webhook payloads are signed with HMAC-SHA256 using your webhook secret. Verify the signature before processing.