API Surface

All routes require authentication unless noted. Tenant-scoped routes enforce WHERE organization_id = req.user.organizationId via scopeToOrg middleware.

Student / Tenant Routes

/api/users

Method	Path	Description	Auth
GET	/me	Calling user’s profile	auth
GET	/me/enrollment	Enrollment context	auth
GET	/me/active-course	Active enrolled course	auth
GET	/me/quiz-attempts	All quiz attempts	auth
GET	/me/exam-readiness	Domain readiness breakdown	auth
GET	/me/stats	Dashboard stats	auth
GET	/me/checklist	Checklist items	auth
POST	/me/enrollment-state	Update enrollment state	auth

/api/progress

Method	Path	Description	Auth
POST	/:lessonId/complete	Mark lesson complete + seat time	auth
POST	/:lessonId/quiz	Submit quiz attempt	auth
POST	/highlight-failure	Log highlight failure	auth
GET	/highlight-failures	List highlight failures	auth + admin

/api/diagnostic

Method	Path	Description	Auth
GET	/questions	Placement exam questions	auth
POST	/submit	Submit placement assessment	auth + rate limited
GET	/results	Placement results	auth

/api/admin (tenant admin, org-scoped)

Method	Path	Description	Auth
GET	/compliance/students	All students — compliance view	auth + orgAdmin
GET	/list-users	All users in org	auth + orgAdmin
GET	/exports/tpr	ELDT certificate export	auth + orgAdmin
POST	/reset-curriculum	Wipe student progress	auth + orgAdmin

Platform Admin Routes (/api/platform/*)

Require requirePlatformAdmin. Only accessible to users in the gritcert-internal organization with role owner or support.

Method	Path	Description
GET	/tenants	All tenant orgs
POST	/tenants	Create new tenant
GET	/tenants/:id	Tenant detail
PATCH	/tenants/:id	Update org name, billing contact
GET	/courses	Platform course catalog
GET	/stats	Cross-tenant dashboard stats
GET	/students	Cross-tenant student search