AI Actions · safe by design

AI that does things. Safely.

Action contracts let your AI run approved backend operations (refund an invoice, suspend a license, route a ticket) without ever touching your raw database. The AI proposes a typed action, OpsIQ checks the role, validates the params, a human confirms the write, the call goes out HMAC-signed, and every step is audited and reversible.

Typed action contractsConfirm-on-write gateHMAC-signed callsAudited & reversible
AI can't invent a call
Every write is approved & logged
Live One gate. Every action. AI REQUEST refund_invoice $48 · adam@… CONTRACT GATE role: owner params valid in scope CONFIRM Approve human gate · on write HMAC-SHA256 signed POST → AUDIT LOG verified actor: admin · owner result: 200 · 188ms sig 4f9a…c20b reversible · 2:41 PM "surface": ["admin"] "roles": ["owner"] "confirm": "always" "reversible": true
The action contract

Watch one action travel the whole pipeline.

An action is a typed contract you register once: a name like saas.refund_invoice, its parameters, the surface it lives on, the roles allowed to run it, a confirmation policy and a signed endpoint. No raw SQL, no arbitrary calls. Follow a single request (“refund Adam’s last invoice”) and you’ll see exactly what happens every time: the AI proposes, a human confirms, the call goes out signed, and the receipt is written.

The AI cannot invent a call. It can only run yours.

Now playing · saas.refund_invoice
01 Propose 02 Check & confirm 03 Sign 04 Audit
01 · Propose

It proposes a registered contract, or nothing at all.

When an admin types “refund Adam’s last invoice,” the AI matches the intent to a contract it already knows and fills the parameters from your live records. It never improvises a call, and it never reaches your raw database. If the intent doesn’t map to a registered action, nothing is proposed. Full stop.

  • Intent, not improvisation. Plain English resolves to a registered key like saas.refund_invoice, or to nothing at all.
  • Params from your live data. Customer, amount and #INV-2291 are pulled from your records, never the model’s guess.
  • Unknown key = rejected. Anything that isn’t a registered contract is refused before it can run.
  • No raw database access. The proposal is a contract reference, never SQL and never an arbitrary call.
Intent → contract match ADMIN TYPES "refund Adam's last invoice" ACTION REGISTRY saas.suspend_license saas.refund_invoice crm.add_note delete_everything unknown key · rejected LIVE DATA customer [email protected] amount · invoice $48.00 · #INV-2291 Proposed — not executed. The AI fills slots; a person decides next.
Beat 02 · the gate

A person decides, and the server checks everything first.

Before anything can run, OpsIQ validates the proposal server-side: is this role allowed, is the action in scope for this surface, are the parameters the right types? Mutating actions then wait for an explicit human Approve by default: one click on a confirmation card, or dismiss it. The actor is always the verified signed-in admin or token-verified customer, never whoever the model claims to be.

Action proposed by AI PROPOSED ACTION saas.refund_invoice customer [email protected] amount · invoice $48.00 · #INV-2291 Approve Dismiss actor: verified admin AUDIT LOG refund_invoice · admin · owner · 200 · 188ms HMAC-SHA256 sig 4f9a…c20b · reversible · 2:41 PM Role, scope and params checked — then a human clicks.
Role & scope checkedserver-side, before any write
Parameters validatedby type; wrong types rejected
Human Approve by defaultactor is the verified identity
03–04 · Sign & audit

Signed to your endpoint, then written to a permanent record.

OpsIQ POSTs an HMAC-signed payload to your own endpoint. The signature covers the raw body plus a timestamp, so a replayed or tampered request is rejected at your door. The moment it returns, OpsIQ writes an append-only audit row capturing who ran it, what ran, the result, how long it took and the signature.

  • HMAC-signed POST. Your endpoint verifies X-OpsIQ-Signature over the body before acting.
  • Replay-proof. The signed timestamp means an old payload can’t be re-fired.
  • Permanent audit row: actor, action, result 200, duration 188ms and signature, append-only.
  • Reversible by design. Every mutating row can be rolled back, which sets up the controls next.
refund_invoice · admin · owner200 · 188ms · sig 4f9a…c20b · 2:41 PM
reversible ↩
POST /your-endpoint
# headers
X-OpsIQ-Signature: t=1718…,v1=4f9a8e…c20b
Content-Type: application/json

{
  "action": "saas.refund_invoice",
  "actor":  "admin · owner",
  "params": {
    "customer": "[email protected]",
    "amount":   48.00,
    "invoice":  "#INV-2291"
  },
  "ts": 1718902861,
  "reversible": true
}
The governance layer

Three controls you set around every action.

These are the controls you wrap around the trip you just watched: the dial that decided whether beat two waited for you, the gate that decides whether the action is even offered, and the undo that makes a write safe to make.

The Trust Dial

Set autonomy per action and dial it back anytime, and every run is still audited.

Suggest Copilot Autopilot
  • Suggest drafts only; nothing runs without a person.
  • Copilot shows a one-click Approve card.
  • Autopilot runs only within rate, value & scope guardrails.

Permission & scope

Surface scoping plus role gating that fails closed: a mismatch hides the action entirely.

offered hidden · fails closed
  • A mismatch hides the action, so it’s never offered, not just blocked.
  • Roles gate every contract: owner / admin / support / custom.
  • The actor is the verified signed-in admin or token-verified customer.

Reversible by design

A mutating action can declare its inverse, so a wrong call rolls back from the same audit row.

suspend reactivate refund re-charge
  • Pairs like suspendreactivate and refundre-charge.
  • One-click rollback straight from the audit row.
  • The reversal is linked, signed and itself audited.
Autopilot, fenced

Autopilot runs without a click, never without limits.

When you remove the human click, three fences take its place, all enforced server-side, before the signed POST ever goes out. An action that hits any one of them isn’t quietly skipped; it’s parked back into the human approval queue, exactly where beat two lived.

01 · RATE

Rate limit

Cap how often an action fires per hour, per day or per week so a runaway loop can’t drain anything.

02 · VALUE

Value cap

Bound the money any single call or a whole day can move: a maximum per transaction and per day.

03 · SCOPE

Scope fence

Confine Autopilot to a department, region or segment, per action.

→ PARKED

Human queue

Hit a limit and the action returns to the human queue for an explicit Approve, never silently dropped.

Autopilot · inside guardrails GUARDRAIL FENCE rate limit · value cap · scope fires within limits RATE / hr VALUE / day SCOPE dept: billing limit reached → parked for human HUMAN APPROVAL QUEUE Anything over a guardrail waits for a person — never silently dropped.
Declare it once

Declare it once, and the AI learns it instantly.

This is the contract that made the whole journey possible. You declare an action once and the AI can propose it immediately; every field on the contract is governance made real and self-documenting. And actions aren’t only born from a typed prompt; workflows and rules can propose them too, through the exact same gate.

Register once

  • One contract, fully described: name, params, surface, roles, confirmation, endpoint and inverse describe the action and govern it at the same time.
  • Connectors auto-register. Stripe, Shopify, WHMCS and OpsIQ SaaS bring their actions with them, no hand-wiring.
  • Prove it first. A sandbox plus a signed webhook tester verify an action before it touches production.

Triggered, not just typed

  • Workflows hand off. A workflow step (send_email, webhook, set_status…) advances on the cron tick and hands off to an action.
  • Lifecycle & proactive rules too. A stage promotion (lead → trial → paying) or a visitor-behaviour rule can propose an action, through the same scope, role, confirm, sign and audit gate.
Auto-registered by connector Stripe Shopify WHMCS OpsIQ SaaS
actions.json · contract { "key" : "saas.suspend_license", "surface" : ["admin"], "roles" : ["owner"], "confirm" : "always", "reversible" : true, "endpoint" : "https://api.you…" } Action discovered · AI can now propose it
Trigger → action pipeline WORKFLOW step · send_email LIFECYCLE RULE trial → paying PROACTIVE RULE time_on_page ≥ 60s ACTION GATE scope · role · sign executed Every trigger funnels through the same gate — and the same audit log.
Self-documenting

One contract powered the journey, and wrote its own docs.

Because every field is part of the contract, the action describes itself. Parameters carry types and validation, so invalid params are rejected rather than improvised around; aliases map what people actually type to the canonical key; a destructive flag and source tracking are part of the record. Export the whole registry to an OpenAPI reference and your actions are documented the moment they exist.

actions.json ONE CONTRACT params schema label · desc · category AI hint aliases destructive flag source tracking
  • Typed parameter schema. Types and validation are built in; a pattern like INV-* is enforced, not guessed.
  • Self-describing fields. Label, description and category make each action readable to humans and the AI alike.
  • AI hint & aliases. Map natural phrasing to the canonical key so “give Adam his money back” still resolves to saas.refund_invoice.
  • Destructive flag & source tracking. Every contract records whether it mutates and where each run came from.
Exports to OpenAPI: /actions/refund_invoice and the full registry, generated automatically.
Connectors auto-registerStripe, Shopify, WHMCS, OpsIQ SaaS: actions appear on enable.
Sandbox + signed testerProve an action before it touches production.
Cloud or self-hostedThe same path, no behavioural drift.
Bring your own modelAnthropic, OpenAI, Gemini, Grok or self-hosted.
⚖️ Honest comparison

OpsIQ Actions vs an ungoverned AI agent.

Autonomous agents that wire an LLM straight to your tools are fast, and unbounded. The difference isn't intelligence; it's the contract, the gate and the trail around it. Here's the fair version.

CapabilityUngoverned AI agentOpsIQ Actions
What the AI can call Whatever the tool layer exposes Only registered typed contracts
Approval before a write Runs immediately Human gate by default (Copilot)
Permission & role scoping Usually one blanket credential Per action · surface + role · fails closed
Parameter validation Trusts the model output Typed schema · invalid input rejected
Tamper protection on calls Rarely signed HMAC-SHA256 over raw body + timestamp
Autonomy control All-or-nothing Trust Dial · Suggest → Copilot → Autopilot
Audit of every operation Partial logs, if any Immutable: actor, params, result, duration
Reversibility Manual cleanup Declared inverse · one-click rollback
Reaches raw database Often direct DB / shell Never, only your endpoints
Triggered by rules safely Separate, ungated paths Same gate for workflows & proactive rules
Bring your own model Usually yes Anthropic / OpenAI / Gemini / Grok / self-host
Full feature list

Everything in AI Actions.

Every capability, grouped. ★ marks a stand-out.

FeatureWhat it does
Core governance & confirmation
Typed action contract ★Every action is a declared JSON schema: name, params, scope, roles, policy, endpoint. AI fills the slots you defined.
Human approval gate ★Nothing mutating runs until a person clicks Approve.
Per-action confirmation policynever / once-per-session / always; risky actions always require confirmation.
Requires-confirmation flag NEWForce confirmation on sensitive actions, independent of the policy default.
Confirmation card UIExact action, params and roles preview before approval.
Security & trust
HMAC-SHA256 signing ★Signed POST over the raw body so endpoints verify with cryptographic proof.
Verified actor identity ★The actor comes from the session, never the AI's claim.
Timestamp & replay protection NEWOld timestamps are rejected, so a captured call can't be replayed.
Permission & access
Surface & role scoping ★One registry, audience-scoped by surface and role, fails closed, never overlapping.
Admin AI surfaces ★Privileged actions exist only on the admin surface; admin and customer AI never overlap.
Customer-facing read-only surfaceCustomer AI can read but cannot write, so it fails closed.
Write-only surface scope NEWSurfaces that execute without reading any context.
Autonomy control
Trust Dial autonomy levels ★Dial each action from Suggest to Copilot to Autopilot.
Autopilot guardrails ★Autopilot only runs inside server-side rate limits, value caps and scope fences.
Rate limiting per action NEWCap how often an action can fire per hour, day or week.
Value cap enforcement NEWBound the value any transaction (or a whole day) can move.
Scope fencing in Autopilot NEWLimit Autopilot to a department, region or segment.
Per-action autonomy toggle NEWDial each action independently and turn it back down anytime.
Suggestion mode (draft only) NEWAI drafts; a person approves before anything runs.
Copilot mode (one-click) NEWA confirmation card waits for one explicit Approve click.
Rollback & undo
Reversible actions by design ★Declare an inverse and roll back a wrong call in one click.
Action linked reversals NEWThe audit links original and reversal so the chain stays traceable.
Compliance & audit
Immutable audit log ★Actor, action, params, result, status, duration and signature, never lost.
Endpoint response logging NEWStatus, body and latency from your backend captured in the audit.
Automation integration
Triggered actions ★Workflows, lifecycle rules and proactive rules propose through the same gate.
Workflow action integrationWorkflow steps can hand off to an action contract.
Lifecycle rule action integrationStage promotions (lead → trial → paying) can propose a follow-on action.
Proactive rule action integrationVisitor-behaviour rules (views, time on page, scroll) can trigger an action.
AI alignment & workflow
Intent matching (not improvisation) ★Plain English resolves to a registered contract, or nothing at all.
Propose → approve → execute → audit ★Four explicit, traceable steps; every one of them yours.
Flexibility & integration
Model-neutral platformThe same action layer works for any provider or self-hosted model.
JSON backend compatibilityWHMCS, custom SaaS, WordPress, ERP: anything that speaks HTTP + JSON.
Action registry & discoveryactions.json plus connector auto-discovery: declare once, AI learns it instantly.
Connector-shipped actionsEnable a connector and its actions appear automatically.
Sandbox endpoint per action NEWPoint an action at a test endpoint before it touches production.
API discovery of actions NEWAn endpoint returns the full contracts so actions are discoverable via API.
Configuration & organisation
Action parameters schema NEWDeclare types and validation; invalid input is rejected, not improvised.
Contract as living documentation NEWThe contract documents itself: name, params and intent in one place.
Per-action description & label NEWA readable UI label and a prose description for each action.
Action category tagging NEWOrganise the registry by sales / support / billing / admin.
Source connector tracking NEWKnow which connector shipped each action.
AI hint text NEWA prose hint guides the model on when to use each action.
Destructive action flag NEWMark high-risk actions for stricter guardrails.
Action lookup aliasing NEWMap the common names people type to the canonical action key.
FAQ

Action questions, answered.

Everything teams ask before they let AI touch the backend: confirmation, autonomy, rollback, scope and models.

No. Confirmation policy is enforced server-side. The AI cannot fake a confirmed=true flag. The action runner ignores AI-supplied confirmed values for actions whose policy requires human approval.
Each action carries an autonomy level you control: Suggest (draft only), Copilot (one-click human approval), or Autopilot (runs inside rate limits, value caps and scope guardrails). You set it per action and can turn it back down at any time. New actions default to the safest level.
Yes, if it declares an inverse contract: suspend pairs with reactivate, refund with re-charge. From the audit log you click roll back; OpsIQ signs and runs the inverse and writes a linked audit row so the whole chain stays traceable.
Every action declares a surface (admin / customer / write-only) and the roles allowed to run it. The gate checks the verified actor against both and fails closed. Out-of-scope actions are never even offered to the AI, let alone executed.
Yes. Workflow steps, lifecycle-rule promotions and proactive rules (page views, time on page, scroll depth) can all propose an action. Every one flows through the same gate (scope, role, validation, confirmation policy, signed POST and audit row), so automation never bypasses your guardrails.
OpsIQ shows the error in the audit log and surfaces it back to the admin. The action is not retried automatically for non-idempotent operations.
Yes. The action layer is model-neutral: Anthropic, OpenAI, Gemini, Grok or a self-hosted model. Bring your own key (BYOK) or use managed billing; either way the contract, gate and audit log are identical.
The action contract is JSON. The endpoint can be in any language that handles HTTP and HMAC. PHP, Node, Python, Go, Rust: all fine.