# Self-Service Intake

Use this schema for customer-managed assessment input. Self-service customers normally supply these values through `/app/new-assessment`; customer-owned automation can supply the same values directly through `POST /api/self-service/assessment`.

The endpoint is self-service, not public anonymous intake. Call it only from the configured self-hosted boundary with an actor authorized to create assessment runs, issue the Trust Passport path, and mark delivery ready.

## UI Path

The current self-service flow is:

1. `/`: public market entry.
2. `/login`: local session login.
3. `/app`: self-service workspace dashboard.
4. `/app/new-assessment`: free complete option and source intake.
5. `/app/results/{runId}`: delivered artifact view.
6. `/app/operations`: internal operations console for owner/operator controls.

The UI currently presents one `Free for now` Complete Agent Readiness Packet. It does not collect real payment, present paid tiers, or route customers through checkout in this stage.

The public entry page explains the complete output before the customer signs in: readiness decision, Agent Readiness Report, Evidence Packet JSON/JSONL, signed Trust Passport JSON/JWS, SARIF findings, OPA policy bundle, delivery ZIP, and recommended permissions and restrictions.

## Common Fields

- `audience`: customer workspace or enforcement audience for the Trust Passport.
- `customer_id`: customer-local identifier.
- `operator_id`: customer-local actor or service id submitting the assessment.
- `passport_class`: `coding`, `mcp`, `browser`, or `memory`.

## Coding Repository Fields

Use one of:

- `local_path`: path to a local repository available to the self-hosted Nexmoot instance.
- `repo_url`: repository URL or source reference.

Optional:

- `branch`;
- `pull_request`;
- `test_command`;
- `github_fixture`.

## MCP Fields

For `passport_class: "mcp"`, provide `mcp_server`:

- `server_name`;
- `auth_model`;
- `command`;
- `args`;
- `env`;
- `tools`;
- `sample_calls`;
- `denied_calls`;
- `untrusted_outputs`.

## Browser Fields

For `passport_class: "browser"`, provide `browser_agent`:

- `agent_name`;
- `allowlist`;
- `denylist`;
- `credential_policy`;
- `form_submission_policy`;
- `download_policy`;
- `upload_policy`;
- `actions`;
- `blocked_actions`;
- `dom_samples`.

## Memory Fields

For `passport_class: "memory"`, provide `memory_system`:

- `system_name`;
- `retention_policy`;
- `isolation_model`;
- `writes`;
- `reads`;
- `deletion_checks`;
- `poisoning_checks`.

## Data Handling Confirmation

The customer must confirm internally before submission:

- shared evidence does not contain production secrets;
- shared evidence does not contain private signing material;
- shared evidence does not contain compact offline license JWS values;
- shared evidence does not contain backup keys;
- the customer has authority to assess the scoped materials;
- the customer accepts that Nexmoot provides evidence and recommendations, not unrestricted safety certification.
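
Customer-owned automation can back the first four confirmations with a pre-flight check before it calls `POST /api/self-service/assessment`. The sketch below is an added example, not Nexmoot code: `preflight` and `walk` are hypothetical names, the two patterns are heuristics, and reading "Use one of" as exactly one is an assumption.

```python
import re

# Block each non-coding passport_class must carry, per the field sections above.
CLASS_BLOCK = {"mcp": "mcp_server", "browser": "browser_agent", "memory": "memory_system"}
CLASSES = {"coding", *CLASS_BLOCK}

# Heuristic patterns (assumptions of this example, not Nexmoot's own rules).
PATTERNS = {
    # PEM header of a private key: private signing material or backup keys.
    "private_key_pem": re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----"),
    # Compact JWS: three base64url segments; "eyJ" is the base64 of '{"'.
    "compact_jws": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}

def walk(value, path="$"):
    """Yield (json_path, string) for every string nested in the payload."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk(item, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value

def preflight(payload):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    cls = payload.get("passport_class")
    if cls is not None and cls not in CLASSES:
        problems.append(f"$.passport_class: unknown class {cls!r}")
    block = CLASS_BLOCK.get(cls)
    if block and not isinstance(payload.get(block), dict):
        problems.append(f"$.{block}: required for passport_class {cls!r}")
    # Assumption: "Use one of" means exactly one source field for a coding run.
    if cls == "coding" and ("local_path" in payload) == ("repo_url" in payload):
        problems.append("$: supply exactly one of local_path or repo_url")
    for path, text in walk(payload):
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                problems.append(f"{path}: looks like {name}")
    return problems

# Constructed sample: an MCP intake whose env block carries a token-shaped value.
SAMPLE = {
    "passport_class": "mcp", "audience": "customer-workspace",
    "customer_id": "customer-workspace", "operator_id": "customer-self-service",
    "mcp_server": {"server_name": "demo", "env": {"LICENSE": "eyJhbGciOiJub25lIn0.e30.c2ln"}},
}
```

An empty result only means neither pattern matched; it does not replace the customer's own confirmation of the items above.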

## Example Request

```json
{
  "repo_url": "https://github.com/customer/repo",
  "branch": "main",
  "pull_request": 123,
  "audience": "customer-workspace",
  "customer_id": "customer-workspace",
  "operator_id": "customer-self-service"
}
```

## Example Result Shape

```json
{
  "mode": "self_service",
  "human_intervention_required": false,
  "status": "delivered",
  "run": {},
  "evidence_packet": {},
  "passport": {},
  "artifacts": [
    {
      "type": "evidence_packet",
      "artifact_id": "evidence-packet",
      "download_url": "/api/exports/evidence-packet?run_id=..."
    }
  ]
}
```
