Cobalt External API (1.0.0)

Public route — no x-api-key required.

Order of checks:

1. If the contact's profile is already soft-deleted → 404.
2. If a user is still linked to the same profile → 400 (the user must be deleted first).
3. Otherwise: mark profiles.deleted=true, null external_id, recycle the email with a UUID prefix (<uuid>:<email>) so the address can be reused, and drop all groups_contacts rows for this contact.

Provisioning flow with pre-checks:

1. Validates role.id — 404 if the role doesn't exist, 400 if it's hidden=true (system roles can't be assigned through this API).
2. Resolves the contact's profile_id — 404 if contactId doesn't exist.
3. Enforces 1:1 contact↔user — 400 if any user is already linked to that contact's profile.
4. Username uniqueness — 400 if users.username is already taken.
5. Calls the legacy create_user_with_contact stored procedure. 400 if the per-tenant user/admin cap is exceeded (User limit exceeded / Admin limit exceeded).
6. Provisions a Cognito user in the tenant's User Pool via AdminCreateUser with MessageAction: SUPPRESS (no welcome email). Cognito failures are logged but do not roll back the MySQL row.

No password is accepted — Cognito owns authentication. The Cognito user starts in FORCE_CHANGE_PASSWORD state and goes through the standard reset-password flow on first login.

Calls update_user(...) for role/active (password is always NULL — Cognito owns auth). policyAgreed is patched directly. Profile fields belong to the contact resource and aren't accepted here.

Hidden-role guard: rejects with 400 if the target user's CURRENT role is hidden=true (system user — not mutable through this API), and rejects with 400 if the requested new role.id is hidden=true or 404 if it doesn't exist.

Hidden-role guard: rejects with 400 if the target user's role is hidden=true (system user — not deletable through this API).

Otherwise soft-deletes the legacy MySQL user (mark profiles.deleted=true, recycle email with a UUID prefix, drop the role link, hard-delete the linked security_agents row, prefix users.username with <uuid>:). After the MySQL transaction commits, calls AdminDeleteUser against the tenant's Cognito User Pool. If a SAML-linked variant saml_<email> exists it is also deleted. UserNotFoundException is treated as success.

Returns the original username and userEmail for downstream cleanup; the caller does not need to do their own Cognito teardown.

Inserts the group, then upserts the Mongo timestamps document { module: "mobileplan", lastModified: now } so mobile clients polling that key know to re-sync their group cache. The timestamp bump is non-fatal — a Mongo blip won't fail the create.

Cascading FK on groups_contacts removes membership rows automatically.

Symmetrical with POST /group/addContact. Sends { groupId, contactIds: [...] } in the body and receives a per-contact result. removed: false means the contact wasn't a member of the group — not an error.

Returns a normalized projection of legacy runtime-incidents.

Default excludes states ON_GOING, ALERT, MERGED, ARCHIVED. When type=ARCHIVED the exclusion flips to ON_GOING, ALERT, MERGED, CLOSED, IGNORED, COMPLETED so only archived rows surface.

declaredBy resolves from the runtime incident's declaredContactDetails snapshot first, falling back to a MySQL contact lookup.