> ## Documentation Index
> Fetch the complete documentation index at: https://docs.knoxcall.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Verification Events

> List verification probe events for a migration, and manually mark a migration or item as verified clean.

## GET /admin/migrations/:id/verification-events

Returns verification probe events for a migration (most-recent first, up to 500), plus the current safe-to-delete state from the migration row.

**No pagination** — the response is capped at 500 events.

### Response

```json theme={"dark"}
{
  "migration_id": "550e8400-e29b-41d4-a716-446655440000",
  "safe_to_delete": false,
  "verified_at": null,
  "verification_window_days": 30,
  "events": [
    {
      "id": "evt-uuid",
      "secret_migration_item_id": "item-uuid",
      "event_type": "operator_confirmed_clean",
      "endpoint_url": null,
      "outcome": "clean",
      "details": { "confirmed_by": "user-uuid", "notes": null },
      "source": "manual",
      "created_at": "2026-05-25T10:25:00Z"
    }
  ]
}
```

| Field                      | Description                                                                       |
| -------------------------- | --------------------------------------------------------------------------------- |
| `safe_to_delete`           | `true` once the operator has confirmed the migration clean at the migration level |
| `verified_at`              | Timestamp of the first migration-level confirmation, or `null`                    |
| `verification_window_days` | Days the system waits before allowing source-store deletion                       |
| `events[].event_type`      | e.g. `operator_confirmed_clean`, or system probe event types                      |
| `events[].outcome`         | `clean` or probe result                                                           |
| `events[].source`          | `manual` (operator) or `auto` (system probe)                                      |

***

## POST /admin/migrations/:id/verification-events

Manually mark a migration (or a single migration item) as verified clean. Requires `migration_reviewer` permission + **5-minute step-up**.

When called without `secret_migration_item_id`, marks the entire migration as `safe_to_delete = true` and sets `verified_at` if not already set.

### Request body

| Field                      | Required | Description                                                                                          |
| -------------------------- | -------- | ---------------------------------------------------------------------------------------------------- |
| `secret_migration_item_id` | —        | If provided, the confirmation is scoped to a single item. If omitted, confirms the entire migration. |
| `notes`                    | —        | Optional operator note (stored in `details.notes`)                                                   |

### Response

```json theme={"dark"}
{ "id": "evt-uuid" }
```

Status `201 Created`.

Returns `403` if the caller lacks `migration_reviewer`. Returns `404` if the migration is not found.

```bash theme={"dark"}
curl -X POST https://admin.knoxcall.com/admin/migrations/550e8400.../verification-events \
  -H "Authorization: Bearer $KC_ADMIN_JWT" \
  -H "X-Tenant-ID: $KC_TENANT_ID" \
  -H "Content-Type: application/json" \
  -d '{ "notes": "All secrets validated in production — safe to remove from AWS SM." }'
```
