Scoped Capabilities
Fine-grained capabilities with constraint operators.
Coarse OAuth scopes like EXECUTE are too blunt for autonomous agents. ASAP v2.2 upgrades to capabilities — named, typed operations with per-invocation constraints enforced at the gateway.
A concrete example
Grant an agent the transfer_funds capability with:
- amount: { max: 1000 } — caps a single transfer.
- currency: { in: ["USD", "EUR"] } — allow-list only.
- destination: "acc_456" — exact value match.
Any attempt to exceed the cap or target another account returns a structured constraint_violated error with a violations array, so orchestration loops can self-heal.
Capabilities are introspectable via GET /asap/capability/list and /describe, so consumers always know the exact surface they're granting.
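A sketch of how a gateway could evaluate the grant above, added here as an example and not ASAP's own code. The grant layout, the fields inside each violation and the capability_not_granted error are assumptions; only constraint_violated and the violations array come from this page. It also covers the min and not_in operators and fails closed on missing arguments, wrong types and unknown operators.

```python
from numbers import Real

# Grant from the example above; the dict layout is an assumption.
GRANT = {
    "capability": "transfer_funds",
    "constraints": {
        "amount": {"max": 1000},
        "currency": {"in": ["USD", "EUR"]},
        "destination": "acc_456",  # bare value means exact match
    },
}

def _is_number(v):
    # bool is a subclass of int in Python; never accept it as an amount.
    return isinstance(v, Real) and not isinstance(v, bool)

OPERATORS = {
    "max": lambda v, limit: _is_number(v) and v <= limit,
    "min": lambda v, limit: _is_number(v) and v >= limit,
    "in": lambda v, allowed: v in allowed,
    "not_in": lambda v, denied: v not in denied,
}

def check_invocation(grant, capability, args):
    """Return None if the call is allowed, else a structured error dict."""
    if capability != grant["capability"]:
        # Hypothetical error name; the page does not define this case.
        return {"error": "capability_not_granted", "capability": capability}
    violations = []
    for param, rule in grant["constraints"].items():
        if param not in args:  # a constrained argument must be present
            violations.append({"param": param, "operator": "required", "got": None})
            continue
        value = args[param]
        checks = rule if isinstance(rule, dict) else {"exact": rule}
        for op, expected in checks.items():
            if op == "exact":
                ok = type(value) is type(expected) and value == expected
            elif op in OPERATORS:
                ok = OPERATORS[op](value, expected)
            else:
                ok = False  # unknown operator: fail closed
            if not ok:
                violations.append({"param": param, "operator": op,
                                   "expected": expected, "got": value})
    if violations:
        return {"error": "constraint_violated", "violations": violations}
    return None
```

In this sketch max alone still admits zero or negative amounts; pairing it with min on the same parameter closes that gap.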
Key Capabilities
Constraint operators
max, min, in, not_in, and exact-value constraints enforced at the gateway.
Partial approval
Users can approve some capabilities and deny others during registration.
OAuth-compatible
Existing OAuth scopes map cleanly into capability sets — migrate incrementally.