From 196e029fbadd56a61d8bca844f5a10856a73a7aa Mon Sep 17 00:00:00 2001 From: Jack Zhuang <277994282+os-zhuang@users.noreply.github.com> Date: Fri, 17 Jul 2026 20:09:22 +0800 Subject: [PATCH] =?UTF-8?q?docs(ai):=20connect-mcp=20=E2=80=94=20`api`=20a?= =?UTF-8?q?ctions=20have=20no=20headless=20dispatch=20either?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The exposure rules and the troubleshooting table listed `url` / `modal` / `form` as the types that never reach `list_actions`, omitting `api`. isHeadlessInvokableAction only admits `script` (with target or body) and `flow` (with an automation service) — everything else, `api` included, returns false in the open framework. (`api` dispatch exists only in the ObjectOS runtime bridge, which actions-as-tools.mdx already scopes correctly.) Co-Authored-By: Claude Fable 5 --- content/docs/ai/connect-mcp.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/docs/ai/connect-mcp.mdx b/content/docs/ai/connect-mcp.mdx index 47e0cfebc..0448d0a93 100644 --- a/content/docs/ai/connect-mcp.mdx +++ b/content/docs/ai/connect-mcp.mdx @@ -103,8 +103,10 @@ Two exposure rules to know: are blocked fail-closed. - **Actions require the author's opt-in**: `ai: { exposed: true }` plus an `ai.description` of at least 40 characters, and the action must be callable - without a UI (`script` with a body or registered handler, or `flow`). - See [Actions as Tools](/docs/ai/actions-as-tools) and + without a UI. In the open framework that means exactly two types — `script` + (with an inline body or a registered handler) and `flow` (with the automation + service registered). `url`, `modal`, `form`, and `api` have no headless + dispatch here. See [Actions as Tools](/docs/ai/actions-as-tools) and [Actions](/docs/ui/actions). ## The security model @@ -148,7 +150,7 @@ skill and a guided `/objectstack:connect` command. | `501 Not Implemented` | The MCP plugin isn't part of this build — check your stack's plugins | | `401` on every call | Anonymous or invalid credentials. Interactive clients: complete the browser login (the `WWW-Authenticate` header advertises the OAuth metadata). Headless: check the `osk_` key and header spelling | | `403 insufficient_scope` | The OAuth token lacks the scope for that tool family (e.g. writes without `data:write`) — reconnect and grant the scope | -| An action is missing from `list_actions` | `ai.exposed` is not `true`, `ai.description` is shorter than 40 characters, the type isn't headless-callable (`url` / `modal` / `form` never appear), it targets a `sys_*` object, or the caller fails its `requiredPermissions` | +| An action is missing from `list_actions` | `ai.exposed` is not `true`, `ai.description` is shorter than 40 characters, the type isn't headless-callable here (only `script` with a body/handler and `flow` with an automation service are — `url`, `modal`, `form`, and `api` never appear), it targets a `sys_*` object, or the caller fails its `requiredPermissions` | | Reads return few rows / writes denied | Working as designed — the caller's permissions and RLS apply. Verify with the same user in the Console | ## Related