Skip to content
GOVERN Admin

Real-Time Alert Feed

The SOC Command Center alert feed updates in real time via WebSocket. Alerts appear on screen within 500ms of detection. No polling, no page refresh.

Connection

The real-time feed connects automatically when the SOC interface loads:

wss://api.govern.archetypal.ai/v1/soc/feed
Authorization: Bearer <session-token>

The WebSocket connection is maintained with automatic reconnect (exponential backoff with max 30s interval).

Event Types

EventDescription
alert.newNew alert detected
alert.updatedAlert status, severity, or assignee changed
alert.resolvedAlert resolved or closed
alert.commentInvestigation note added
system.score_changedAI system assessment score changed
system.probe_disconnectedProbe lost connection
system.probe_connectedProbe reconnected
feed.heartbeatKeep-alive (every 30s)

Event Payload

alert.new

{
  "event": "alert.new",
  "data": {
    "id": "alrt_01JBXYZ123",
    "severity": "high",
    "type": "policy_violation",
    "title": "PII detected in customer-support-bot output",
    "ai_system": {
      "id": "sys_01JABC789",
      "name": "customer-support-bot",
      "score": 74
    },
    "policy": {
      "id": "GOV-POL-042",
      "name": "PII_OUTPUT_PREVENTION"
    },
    "created_at": "2026-04-12T14:23:10Z",
    "sla_expires_at": "2026-04-12T15:23:10Z"
  },
  "ts": 1744123456789
}

system.score_changed

{
  "event": "system.score_changed",
  "data": {
    "system_id": "sys_01JABC789",
    "system_name": "customer-support-bot",
    "previous_score": 82,
    "current_score": 67,
    "delta": -15,
    "threshold_crossed": true,
    "threshold": 70,
    "changed_at": "2026-04-12T14:20:00Z"
  },
  "ts": 1744123200000
}

Subscription Filtering

Filter the feed to reduce noise for focused monitoring:

// Send filter config after connecting
ws.send(JSON.stringify({
  action: 'subscribe',
  filters: {
    severities: ['critical', 'high'],
    types: ['policy_violation', 'security_event'],
    systems: ['customer-support-bot', 'document-analyzer']
  }
}));

Feed Health

The feed shows connection status in the SOC header:

  • Green dot — Connected, receiving events
  • Yellow dot — Reconnecting (events may be delayed)
  • Red dot — Disconnected (check network or auth)

The feed.heartbeat event fires every 30 seconds. If no heartbeat is received for 60 seconds, the feed automatically attempts to reconnect.

Missed Events

On reconnect, GOVERN delivers missed events from the last 5 minutes:

{
  "event": "feed.replay",
  "data": {
    "from": "2026-04-12T14:18:10Z",
    "to": "2026-04-12T14:23:10Z",
    "events": [ ... ]
  }
}

Feed API for Custom Clients

The real-time feed is also available via Server-Sent Events for clients that cannot maintain WebSocket connections:

Terminal window
curl -N https://api.govern.archetypal.ai/v1/soc/feed/sse \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Accept: text/event-stream"