omnius 1.0.158 → 1.0.160

package/docs/guides/telegram.md

@@ -0,0 +1,95 @@
+# Telegram Bridge
+
+The Telegram bridge is a scoped public ingress and egress layer. It supports admin DMs, admin group mode, public group mode, media intake, generated artifact return, scoped memory, and persona documents.
+
+## Start And Configure
+
+```text
+/telegram --key <bot-token>
+/telegram --admin <telegram-user-id>
+/telegram
+/telegram status
+/telegram stop
+```
+
+## BotFather Setup
+
+1. Create the bot with BotFather and save the token through `/telegram --key <bot-token>`.
+2. Disable privacy mode if the bot must read all group messages; leave privacy mode on if it should only see commands, mentions, and replies.
+3. Add the bot to the target group and grant only the permissions it needs.
+4. Send `/telegram --admin <telegram-user-id>` from the TUI before enabling public contexts.
+5. Run `/telegram status` and verify bot username, admin user, mode, and connected chats.
+
+## Access Matrix
+
+| Context | Read Messages | Send Messages | Tools | Memory Scope |
+| --- | --- | --- | --- | --- |
+| Admin DM | yes | yes | admin policy | admin user |
+| Admin group | replies, mentions, or all messages depending on BotFather privacy | only if Telegram grants send rights | configured group policy | group plus sender |
+| Public group | scoped public intake | only if Telegram grants send rights | creative/public policy | group plus sender |
+| No send rights | observed incoming messages only | no | no outbound retry loop | failure noted for that chat |
+
+If Telegram returns a send failure, store the raw failed tool output in the conversation trajectory. The agent should reason from the observed failure and avoid repeated sends to a chat where it lacks rights.
+
+## Scope Model
+
+Telegram context must preserve:
+
+- chat ID
+- user ID
+- sender identity
+- reply target
+- media references
+- group versus private scope
+
+The agent must not collapse every participant into "the user." Persona and preference state is scoped by user and by group.
+
+## Reply Preferences
+
+Supported preference modes:
+
+- quick full-context reply first, then notes after
+- notes first, reply after
+- simple rapid reply with tools and context but no extra notes stage
+
+Preferences should be stored only when a user explicitly expresses a preference or an admin configures one. They should live in persona/state docs for that user or group scope.
+
+| Mode | Behavior |
+| --- | --- |
+| `reply-first` | send the reply with full context first, then store notes/reflection after |
+| `notes-first` | store notes/reflection first, then send the reply |
+| `rapid` | reply with current tools and context, no extra notes stage |
+
+Preference writes require an explicit tool decision. They are not selected by regex or chat heuristics.
+
+## Failure Feedback
+
+Telegram platform and tool failures should be passed back to the agent loop as raw observed output. Do not hardcode behavior around a specific Telegram error string. The model should see the observed failure and choose a corrected action.
+
+Failure feedback should include:
+
+- attempted method and destination chat ID
+- Telegram API error object as returned
+- message or media type attempted
+- whether the failure happened before or after content generation
+- current chat/user preference scope
+
+The feedback is ordinary trajectory evidence. It should not be converted into reward hacks, hidden classifiers, or error-specific branches.
+
+## Public Creative Tools
+
+Public users can create files, images, and audio through scoped creative workspaces under:
+
+```text
+.omnius/telegram-creative/<chat>/
+```
+
+These tools should not grant arbitrary filesystem access.
+
+## Media Intake
+
+Photos, documents, audio, video, and voice messages should be downloaded, summarized, scoped, and linked into memory with sender/message/reply metadata where enabled.
+
+## Verification
+
+Relevant focused tests include Telegram delivery preferences, inference error suppression, reflection corpus, and Bot API compatibility tests.

package/docs/guides/tui-workflows.md

@@ -0,0 +1,48 @@
+# TUI Workflows
+
+The TUI is the primary Omnius control surface for interactive use.
+
+## Core Commands
+
+```text
+/help
+/model
+/endpoint
+/realtime
+/broker
+/sponsor
+/cohere
+/telegram
+/skills
+/pause
+/stop
+/resume
+```
+
+## Input Behavior
+
+Shift+Enter inserts a newline in the prompt box and expands the input area. Enter submits the prompt.
+
+The input box should preserve Unicode line boundaries and avoid overwriting previous lower entries.
+
+## Shell Output
+
+Shell command output is rendered inside bounded Unicode cards. Dynamic installer output should update inside the shell block with a mini-scroll effect instead of corrupting adjacent UI.
+
+## Status Row
+
+The bottom data row reports:
+
+- local system stats
+- remote sponsor stats when applicable
+- tokens in
+- tokens out
+- token production rate as `t/s`
+- model/endpoint state
+- Ollama pressure where available
+
+Sponsor consumer mode can alternate local and remote peer telemetry.
+
+## Mid-Task Steering
+
+Added context and steering should pass through an intake layer that interprets the new requirement relative to the active task. It should not duplicate "Context added" text as prompt content or rely on hardcoded acknowledgements.

package/docs/index.md

@@ -0,0 +1,30 @@
+# Omnius Documentation
+
+Omnius is an autonomous local-first agent runtime with a TUI, REST daemon, P2P sponsor mesh, Telegram bridge, realtime conversation mode, media generation routes, and AIWG-compatible documentation skills.
+
+## Start Here
+
+- [Install](./getting-started/install.md)
+- [First Run](./getting-started/first-run.md)
+- [Model Providers](./getting-started/model-providers.md)
+- [Architecture](./architecture/overview.md)
+
+## Workflows
+
+- [TUI Workflows](./guides/tui-workflows.md)
+- [Sponsor And COHERE](./guides/sponsor-and-cohere.md)
+- [Realtime Conversation](./guides/realtime.md)
+- [Telegram](./guides/telegram.md)
+- [Media Generation](./guides/media-generation.md)
+
+## Reference
+
+- [REST API](./reference/rest-api.md)
+- [Slash Commands](./reference/slash-commands.md)
+- [Configuration](./reference/configuration.md)
+- [Agent Memory Index](./agent-memory/)
+
+## Operations
+
+- [Security And Remote Access](./operations/security-and-remote-access.md)
+- [Runtime Hygiene](./operations/runtime-hygiene.md)

package/docs/operations/runtime-hygiene.md

@@ -0,0 +1,75 @@
+# Runtime Hygiene
+
+Runtime hygiene keeps long-running Omnius instances from accumulating stale state, stuck child processes, or leaked project artifacts.
+
+## `.omnius/`
+
+`.omnius/` is runtime state and should not be committed. Omnius automatically adds it to `.gitignore` for repositories that have or later create a `.gitignore`.
+
+## Ollama Pool Cleanup
+
+Ollama servers spawned by the pool should run as process-group leaders. Cleanup must account for:
+
+- direct `ollama serve` children
+- orphaned `ollama runner` children
+- stale pool records
+- protected base services
+- active runners that should not be killed
+
+Use dry-run first:
+
+```text
+/ollama cleanup
+```
+
+Execute only when the cleanup decision looks correct:
+
+```text
+/ollama cleanup --execute
+```
+
+## Model Broker
+
+```text
+/broker
+/broker evict <host>:<name>
+/broker threshold <ram|vram|idle> <value>
+```
+
+The broker reports loaded models, in-flight loads, RAM/VRAM headroom, GPU slots, idle eviction thresholds, and manual eviction actions.
+
+## Installer Elevation
+
+Installers that need elevation should temporarily suspend the TUI, present the password prompt directly in the terminal, consume it through the system elevation path, and restore TUI state after completion.
+
+## Raw Failure Capture
+
+Shell, installer, Telegram, sponsor, and API failures should be captured as observed output and fed back to the agent loop. Avoid hardcoded string-specific reward or routing hacks.
+
+## Update And Install Triage
+
+`/update full` may touch npm packages, Python virtualenvs, cloudflared, voice dependencies, media backends, and system packages. The updater should classify failure by the command that failed and the raw process result, then try the next safe remediation:
+
+| Failure Surface | First Remediation |
+| --- | --- |
+| npm cache permission | rerun with the configured local npm cache |
+| missing Python wheel | prefer binary wheels, then surface the package and Python version |
+| system dependency missing | request elevation and run the documented package install |
+| password prompt needed over SSH | suspend the TUI, clear the terminal, read the system prompt, then restore |
+| model backend install failed | record backend, command, exit code, stderr, and next suggested command |
+
+The runtime should never hide installer output behind a generic spinner. Dynamic output should stream into the bounded shell block, preserving the last visible lines and a clean overflow indicator.
+
+## TUI State During Elevation
+
+When an elevated install is required:
+
+1. save the current TUI render state and input buffer
+2. stop alternate-screen drawing if active
+3. show the real password request in the terminal
+4. run only the requested elevated command
+5. clear sensitive prompt residue
+6. restore the TUI frame and input buffer
+7. add the raw command result to the agent trajectory
+
+This path is required for SSH sessions where a desktop password modal cannot appear.

package/docs/operations/security-and-remote-access.md

@@ -0,0 +1,70 @@
+# Security And Remote Access
+
+Omnius is local-first by default. Remote access should be explicit, authenticated, and scoped.
+
+## Local Binding
+
+Default daemon URL:
+
+```text
+http://127.0.0.1:11435
+```
+
+Bind to a network interface only when you also configure auth:
+
+```bash
+OMNIUS_HOST=0.0.0.0:11435 \
+OMNIUS_API_KEYS="read-key:read:grafana,run-key:run:ci:60:100000:3,admin-key:admin:ops" \
+omnius serve
+```
+
+## Scopes
+
+- `read`: inspect state, usage, models, events, skills, memory search, and metadata.
+- `run`: submit tasks and execute permitted run-scope tools.
+- `admin`: mutate config, keys, high-risk controls, and admin-only tools.
+
+Tool policy still applies after auth scope is accepted.
+
+## Sponsor Safety
+
+Sponsor providers should expose model and media capacity without exposing raw upstream URLs or provider secrets. Consumers should see sponsor models and telemetry, not implementation credentials.
+
+## Telegram Public Contexts
+
+Public Telegram contexts must use scoped tools and scoped memory. No arbitrary shell, local filesystem access, or unscoped private memory should be exposed to public users.
+
+## Secret Handling
+
+Secrets should be redacted before requests reach untrusted inference peers. Runtime API keys live under `~/.omnius/keys.json` when minted through the daemon.
+
+## Hardening Checklist
+
+| Area | Required Control |
+| --- | --- |
+| Binding | keep `127.0.0.1` unless remote access is intentional |
+| Auth | require API keys before binding to LAN or public interfaces |
+| Scopes | issue separate `read`, `run`, and `admin` keys per caller |
+| Tool policy | attach restricted profiles for CI, public Telegram, and remote peers |
+| Secrets | redact provider keys before sponsor, COHERE, Telegram, or remote model calls |
+| Logs | avoid storing raw secrets in `.omnius/`, audit logs, or crash output |
+| Sponsors | enforce concurrency, RPM, daily tokens, and model/media allowlists server-side |
+| Telegram | verify group permissions and public/private policy before enabling group mode |
+| Updates | treat `/update full` as installer code; preserve password prompts outside the TUI frame |
+| Reverse proxy | use TLS, preserve WebSocket upgrades, and forward only intended paths |
+
+## Remote Daemon Exposure
+
+For a LAN daemon, prefer a scoped key set:
+
+```bash
+OMNIUS_HOST=0.0.0.0:11435 \
+OMNIUS_API_KEYS="dash:read:grafana:600::,ci:run:ci:60:100000:3,ops:admin:ops:120:500000:10" \
+omnius serve
+```
+
+For internet exposure, put Omnius behind a reverse proxy with TLS and a narrow route allowlist. Expose `/v1/chat`, `/v1/chat/completions`, `/v1/run`, `/v1/events`, and `/v1/voicechat/ws` only when the caller and tool profile need them.
+
+## Public Tool Profiles
+
+Public or group-facing agents should run with a profile that denies shell, arbitrary file writes outside scoped creative directories, project destruction, sponsor/provider mutation, key mutation, and raw secret access. Creative media paths should be rooted under chat/session directories, not user-provided absolute paths.

package/docs/reference/configuration.md

@@ -0,0 +1,45 @@
+# Configuration Reference
+
+Configuration is layered from environment, global user settings, project settings, and active TUI state.
+
+## Common Environment Variables
+
+| Variable | Purpose |
+| --- | --- |
+| `OMNIUS_HOST` | Bind host and port, for example `0.0.0.0:11435` |
+| `OMNIUS_API_KEY` | Single admin bearer token |
+| `OMNIUS_API_KEYS` | Multi-key auth: `key:scope:owner:rpm:tpd:max_jobs` |
+| `OMNIUS_ACCESS` | Network access policy for the daemon |
+| `OMNIUS_DAEMON` | Start in daemon mode when set to `1` |
+| `OMNIUS_FORCE_NO_THINK` | Force `think: false` for Qwen-style backends |
+| `OMNIUS_THINK_AUTO` | Enable opt-in automatic thinking mode trigger |
+
+## Runtime State
+
+Project runtime state:
+
+```text
+.omnius/
+  settings.json
+  jobs/
+  context/
+  sponsor/
+  scoped-personality/
+  telegram-creative/
+```
+
+User-global state may live under `~/.omnius/`, including runtime API keys and voice clone references.
+
+## Auth Key Format
+
+```text
+key:scope:owner:rpm:tpd:max_jobs
+```
+
+Scopes:
+
+- `read`
+- `run`
+- `admin`
+
+Rate and concurrency fields are optional.

package/docs/reference/rest-api.md

@@ -0,0 +1,225 @@
+# REST API Reference
+
+This is the maintained human endpoint inventory for the Omnius daemon. The machine contract is generated by `packages/cli/src/api/openapi.ts` and served at `/openapi.json`.
+
+Run the drift check before publishing docs:
+
+```bash
+pnpm docs:check
+```
+
+## Docs And Compatibility Aliases
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/docs` | Swagger UI |
+| `GET` | `/api/docs` | Swagger UI alias |
+| `GET` | `/openapi.json` | OpenAPI JSON |
+| `GET` | `/openapi.yaml` | OpenAPI YAML |
+| `GET` | `/v3/api-docs` | OpenAPI alias |
+| `GET` | `/swagger.json` | Swagger-era alias |
+| `GET` | `/api-docs` | OpenAPI alias |
+| `GET` | `/swagger-ui` | Swagger UI alias |
+| `GET` | `/redoc` | ReDoc renderer |
+
+## Health And Observability
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/health` | Liveness probe |
+| `GET` | `/health/ready` | Backend readiness |
+| `GET` | `/health/startup` | Startup probe |
+| `GET` | `/version` | Package version and platform |
+| `GET` | `/metrics` | Prometheus metrics |
+| `GET` | `/v1/events` | Server-sent event stream |
+| `GET` | `/v1/usage` | Token usage and rate limits |
+| `GET` | `/v1/audit` | Audit log query |
+| `GET` | `/v1/cost` | Cost tracker |
+| `GET` | `/v1/system` | CPU, RAM, GPU, and system snapshot |
+
+## Inference And Chat
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/models` | Aggregated model list |
+| `POST` | `/v1/chat/completions` | OpenAI-compatible chat completion |
+| `POST` | `/v1/chat` | Stateful Omnius chat |
+| `POST` | `/api/chat` | Ollama-compatible chat alias |
+| `POST` | `/v1/generate` | Ollama-compatible one-shot generation |
+| `POST` | `/api/generate` | Ollama-compatible generate alias |
+| `POST` | `/v1/embeddings` | OpenAI-compatible embeddings |
+| `POST` | `/api/embed` | Ollama-compatible embeddings alias |
+| `GET` | `/api/tags` | Ollama-compatible model tags |
+| `GET` | `/v1/chat/sessions` | Active chat sessions |
+| `POST` | `/v1/chat/check-in` | Steering check-in for active chat |
+
+## Agentic Runs
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `POST` | `/v1/run` | Submit agentic task |
+| `GET` | `/v1/runs` | List runs |
+| `GET` | `/v1/runs/{id}` | Get run details |
+| `DELETE` | `/v1/runs/{id}` | Abort run |
+| `POST` | `/v1/todos` | Create or update todos for current session |
+| `GET` | `/v1/todos` | List sessions with todos |
+| `GET` | `/v1/todos/{session_id}` | Get session todos |
+| `DELETE` | `/v1/todos/{session_id}` | Delete session todos |
+| `POST` | `/v1/evaluate` | Evaluate a run |
+| `POST` | `/v1/index` | Trigger repository indexing |
+
+## Configuration, Keys, Profiles, Projects
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/config` | Read daemon config |
+| `PATCH` | `/v1/config` | Update daemon config |
+| `GET` | `/v1/config/model` | Current model |
+| `PUT` | `/v1/config/model` | Switch model |
+| `GET` | `/v1/config/endpoint` | Current endpoint |
+| `PUT` | `/v1/config/endpoint` | Switch endpoint |
+| `POST` | `/v1/config/endpoint/test` | Probe endpoint |
+| `GET` | `/v1/config/endpoint/history` | Endpoint history |
+| `DELETE` | `/v1/config/endpoint/history` | Remove endpoint history item |
+| `POST` | `/v1/share/generate` | Generate remote-access share URL |
+| `GET` | `/v1/keys` | List runtime API keys |
+| `POST` | `/v1/keys` | Mint runtime API key |
+| `DELETE` | `/v1/keys/{prefix}` | Revoke runtime API keys by prefix |
+| `GET` | `/v1/profiles` | List tool profiles |
+| `POST` | `/v1/profiles` | Create tool profile |
+| `GET` | `/v1/profiles/{name}` | Get profile |
+| `DELETE` | `/v1/profiles/{name}` | Delete profile |
+| `GET` | `/v1/projects` | List known projects |
+| `DELETE` | `/v1/projects` | Unregister a project |
+| `GET` | `/v1/projects/current` | Current project |
+| `POST` | `/v1/projects/switch` | Switch project |
+| `POST` | `/v1/projects/register` | Register project |
+| `POST` | `/v1/projects/rename` | Rename project |
+| `GET` | `/v1/projects/preferences` | Read project preferences |
+| `PUT` | `/v1/projects/preferences` | Patch project preferences |
+| `DELETE` | `/v1/projects/preferences` | Reset project preferences |
+
+## Skills, Commands, Tools, MCP
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/skills` | List skills |
+| `GET` | `/v1/skills/{name}` | Load skill content |
+| `GET` | `/v1/commands` | List slash commands |
+| `POST` | `/v1/commands/{cmd}` | Execute slash command |
+| `GET` | `/v1/tools` | List tools |
+| `GET` | `/v1/tools/{name}` | Tool metadata |
+| `POST` | `/v1/tools/{name}/call` | Call tool |
+| `GET` | `/v1/mcps` | List MCP servers |
+| `GET` | `/v1/mcps/{name}` | MCP server details |
+| `POST` | `/v1/mcps/{name}/call` | Call MCP tool |
+| `GET` | `/v1/hooks` | Hook registry |
+| `GET` | `/v1/agents` | Agent type registry |
+| `GET` | `/v1/codegraph/snapshot` | Code graph snapshot |
+| `GET` | `/v1/codegraph/events` | Code graph SSE |
+
+## AIWG
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/aiwg` | AIWG root and control map |
+| `GET` | `/v1/aiwg/frameworks` | List frameworks |
+| `GET` | `/v1/aiwg/frameworks/{name}` | Framework details |
+| `GET` | `/v1/aiwg/frameworks/{name}/content` | Tier-aware content |
+| `GET` | `/v1/aiwg/skills` | List AIWG skills |
+| `GET` | `/v1/aiwg/skills/{name}` | Load AIWG skill |
+| `GET` | `/v1/aiwg/agents` | List AIWG agents |
+| `GET` | `/v1/aiwg/agents/{name}` | Load AIWG agent |
+| `GET` | `/v1/aiwg/addons` | List AIWG addons |
+| `POST` | `/v1/aiwg/use` | Tier-sized activation bundle |
+| `POST` | `/v1/aiwg/expand` | Expand matching AIWG item |
+
+## Memory, Sessions, Context
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/memory` | Memory backend summary |
+| `POST` | `/v1/memory/search` | Search memory |
+| `POST` | `/v1/memory/write` | Write memory |
+| `GET` | `/v1/memory/episodes` | List episodes |
+| `GET` | `/v1/memory/failures` | List failure records |
+| `GET` | `/v1/sessions` | List task sessions |
+| `GET` | `/v1/sessions/{id}` | Get session history |
+| `GET` | `/v1/context` | Current context snapshot |
+| `POST` | `/v1/context/save` | Save context entry |
+| `GET` | `/v1/context/restore` | Build restore prompt |
+| `POST` | `/v1/context/compact` | Request compaction |
+
+## Files, Nexus, Ollama Pool
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/files` | List workspace directory |
+| `POST` | `/v1/files/read` | Read workspace file |
+| `GET` | `/v1/nexus/status` | Nexus peer state |
+| `GET` | `/v1/sponsors` | Sponsor directory cache |
+| `GET` | `/v1/ollama/pool/processes` | Ollama process inventory |
+| `POST` | `/v1/ollama/pool/cleanup` | Cleanup stale Ollama pool processes |
+
+## Voice, Audio, Vision
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/voice/state` | Voice runtime status |
+| `GET` | `/v1/voice/models` | TTS models |
+| `POST` | `/v1/voice/models/switch` | Switch TTS model |
+| `GET` | `/v1/voice/supertonic-settings` | Voice tuning settings |
+| `POST` | `/v1/voice/supertonic-settings` | Update voice tuning settings |
+| `GET` | `/v1/voice/asr-models` | ASR models |
+| `POST` | `/v1/voice/asr-models/switch` | Switch ASR model |
+| `POST` | `/v1/voice/tts` | Synthesize speech |
+| `POST` | `/v1/audio/speech` | OpenAI-compatible TTS alias |
+| `POST` | `/v1/voice/transcribe` | Transcribe audio |
+| `POST` | `/v1/audio/transcriptions` | OpenAI-compatible transcription alias |
+| `POST` | `/v1/voice/transcribe/stream` | Streaming transcription |
+| `POST` | `/v1/voice/clone-refs` | Upload voice clone reference |
+| `GET` | `/v1/voice/clone-refs` | List clone references |
+| `POST` | `/v1/voice/clone-refs/upload` | Upload clone reference |
+| `POST` | `/v1/voice/clone-refs/from-url` | Fetch clone reference |
+| `POST` | `/v1/voice/clone-refs/{filename}/activate` | Activate clone reference |
+| `POST` | `/v1/voice/clone-refs/{filename}/rename` | Rename clone reference |
+| `DELETE` | `/v1/voice/clone-refs/{filename}` | Delete clone reference |
+| `POST` | `/v1/voice/speak` | Broadcast speech to voicechat clients |
+| `GET` | `/v1/voicechat/ws` | WebSocket upgrade for full-duplex voicechat |
+| `POST` | `/v1/vision/describe` | Vision describe placeholder |
+
+## Engines And Scheduled Jobs
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/engines` | Long-running engine status |
+| `GET` | `/v1/scheduled` | List scheduled jobs |
+| `GET` | `/v1/scheduled/all` | List all scheduled jobs |
+| `GET` | `/v1/scheduled/status` | Scheduler status |
+| `POST` | `/v1/scheduled/kill` | Kill scheduled job |
+| `POST` | `/v1/scheduled/fixup` | Reconcile scheduled state |
+| `POST` | `/v1/scheduled/reconcile` | Force scheduled reconciliation |
+| `GET` | `/v1/services/systemd` | Systemd service status |
+| `GET` | `/v1/update` | Self-update status |
+
+## AIMS Governance
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/v1/aims` | AIMS root and endpoint index |
+| `GET` | `/v1/aims/policies` | Policy register |
+| `PUT` | `/v1/aims/policies` | Replace policy register |
+| `GET` | `/v1/aims/roles` | Roles and responsibilities |
+| `GET` | `/v1/aims/resources` | Resource inventory |
+| `GET` | `/v1/aims/impact-assessments` | Impact assessments |
+| `POST` | `/v1/aims/impact-assessments` | File impact assessment |
+| `GET` | `/v1/aims/lifecycle` | Lifecycle state |
+| `GET` | `/v1/aims/data-quality` | Data quality controls |
+| `GET` | `/v1/aims/transparency` | Model cards and transparency |
+| `GET` | `/v1/aims/usage` | AIMS usage view |
+| `GET` | `/v1/aims/suppliers` | Supplier inventory |
+| `GET` | `/v1/aims/incidents` | Incident records |
+| `POST` | `/v1/aims/incidents` | File incident |
+| `GET` | `/v1/aims/oversight` | Human oversight gates |
+| `GET` | `/v1/aims/decisions` | Consequential decision log |
+| `GET` | `/v1/aims/config-history` | Config change history |