compliance-framework · gusfcarvalho · Apr 14, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 14, 2026
diff --git a/docs/docs.go b/docs/docs.go
diff --git a/docs/swagger.json b/docs/swagger.json
diff --git a/docs/swagger.yaml b/docs/swagger.yaml
@@ -571,6 +571,14 @@ definitions:
           $ref: '#/definitions/handler.poamItemResponse'
         type: array
     type: object
+  handler.GenericDataListResponse-handler_riskScoreTimeseriesResponse:
+    properties:
+      data:
+        description: Items from the list response
+        items:
+          $ref: '#/definitions/handler.riskScoreTimeseriesResponse'
+        type: array
+    type: object
   handler.GenericDataListResponse-handler_selectableUserResponse:
     properties:
       data:
@@ -2051,6 +2059,46 @@ definitions:
       updated-at:
         type: string
     type: object
+  handler.riskScoreResponse:
+    properties:
+      actor-user-id:
+        type: string
+      baseline-score:
+        type: integer
+      created-at:
+        type: string
+      id:
+        type: string
+      impact:
+        type: string
+      likelihood:
+        type: string
+      occurred-at:
+        type: string
+      open-baseline-score:
+        type: integer
+      open-residual-score:
+        type: integer
+      residual-score:
+        type: integer
+      risk-id:
+        type: string
+      source-event-type:
+        type: string
+      ssp-id:
+        type: string
+      status:
+        type: string
+    type: object
+  handler.riskScoreTimeseriesResponse:
+    properties:
+      bucket-start:
+        type: string
+      open-baseline-score:
+        type: integer
+      open-residual-score:
+        type: integer
+    type: object
   handler.selectableUserResponse:
     properties:
       displayName:
@@ -7468,6 +7516,21 @@ definitions:
       totalPages:
         type: integer
     type: object
+  service.ListResponse-handler_riskScoreResponse:
+    properties:
+      data:
+        items:
+          $ref: '#/definitions/handler.riskScoreResponse'
+        type: array
+      limit:
+        type: integer
+      page:
+        type: integer
+      total:
+        type: integer
+      totalPages:
+        type: integer
+    type: object
   service.ListResponse-handler_threatIDResponse:
     properties:
       data:
@@ -21559,6 +21622,52 @@ paths:
       summary: List risk audit trail for SSP
       tags:
       - Risks
+  /oscal/system-security-plans/{sspId}/risks/{id}/score-history:
+    get:
+      description: Lists score snapshots for a risk scoped to an SSP.
+      parameters:
+      - description: SSP ID
+        in: path
+        name: sspId
+        required: true
+        type: string
+      - description: Risk ID
+        in: path
+        name: id
+        required: true
+        type: string
+      - description: Page number
+        in: query
+        name: page
+        type: integer
+      - description: Page size
+        in: query
+        name: limit
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/service.ListResponse-handler_riskScoreResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api.Error'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api.Error'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api.Error'
+      security:
+      - OAuth2Password: []
+      summary: List risk score history for SSP
+      tags:
+      - Risks
   /oscal/system-security-plans/{sspId}/risks/{id}/threat-ids:
     get:
       description: Lists threat references linked to a risk scoped to an SSP.
@@ -21783,6 +21892,52 @@ paths:
       summary: Update risk threat reference for SSP
       tags:
       - Risks
+  /oscal/system-security-plans/{sspId}/risks/score-timeseries:
+    get:
+      description: Returns aggregate open baseline and residual score time series
+        for an SSP.
+      parameters:
+      - description: SSP ID
+        in: path
+        name: sspId
+        required: true
+        type: string
+      - description: Start timestamp (RFC3339)
+        in: query
+        name: from
+        type: string
+      - description: End timestamp (RFC3339)
+        in: query
+        name: to
+        type: string
+      - description: Bucket size; only day is supported
+        in: query
+        name: bucket
+        type: string
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handler.GenericDataListResponse-handler_riskScoreTimeseriesResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api.Error'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api.Error'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api.Error'
+      security:
+      - OAuth2Password: []
+      summary: Get risk score timeseries for SSP
+      tags:
+      - Risks
   /poam-items:
     get:
       parameters:
@@ -23462,6 +23617,47 @@ paths:
       summary: List risk audit trail
       tags:
       - Risks
+  /risks/{id}/score-history:
+    get:
+      description: Lists score snapshots for a risk.
+      parameters:
+      - description: Risk ID
+        in: path
+        name: id
+        required: true
+        type: string
+      - description: Page number
+        in: query
+        name: page
+        type: integer
+      - description: Page size
+        in: query
+        name: limit
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/service.ListResponse-handler_riskScoreResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api.Error'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api.Error'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api.Error'
+      security:
+      - OAuth2Password: []
+      summary: List risk score history
+      tags:
+      - Risks
   /risks/{id}/subjects:
     get:
       description: Lists subjects linked to a risk.
@@ -23742,6 +23938,46 @@ paths:
       summary: Update risk threat reference
       tags:
       - Risks
+  /risks/score-timeseries:
+    get:
+      description: Returns aggregate open baseline and residual score time series.
+      parameters:
+      - description: SSP ID
+        in: query
+        name: sspId
+        type: string
+      - description: Start timestamp (RFC3339)
+        in: query
+        name: from
+        type: string
+      - description: End timestamp (RFC3339)
+        in: query
+        name: to
+        type: string
+      - description: Bucket size; only day is supported
+        in: query
+        name: bucket
+        type: string
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handler.GenericDataListResponse-handler_riskScoreTimeseriesResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api.Error'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api.Error'
+      security:
+      - OAuth2Password: []
+      summary: Get risk score timeseries
+      tags:
+      - Risks
   /users/{id}:
     get:
       description: Get minimal user details by user ID