Actions & Manifests

What is an action?

An action is a declared, versioned definition of a protected operation. Every action maps to a WASM provider module and specifies exactly what the provider is allowed to do: which I/O imports it needs, what inputs are valid, what targets it can reach, and how its results should be verified.

Action definitions live in YAML manifests. After latchgate init, manifests are in ./manifests/. In the source tree, they are in definitions/manifests/.

Action catalog

LatchGate ships built-in actions. Most use the builtin:http_api template provider — each manifest configures it for a specific API, method, domain, and risk level. Three actions (fs_read, fs_write, fs_delete) use the builtin:fs template provider for sandboxed filesystem access.

Approval is enforced by OPA policy based on risk level. The default policy requires human approval for high and critical actions.

Generic HTTP

Action ID	Method	Risk	Description
http_fetch	GET	low	Read-only HTTP fetch
http_post	POST	medium	Generic HTTP write
http_put	PUT	medium	Generic HTTP replace
http_patch	PATCH	medium	Generic HTTP partial update
http_delete	DELETE	high	Generic HTTP delete
http_bearer_get	GET	low	GET with bearer token injection
http_sensitive_read	GET	high	Read requiring approval (PII/sensitive data)
web_read	GET	low	Web page read
webhook_notify	POST	medium	Generic outbound webhook

GitHub

Action ID	Method	Risk	Description
github_read	GET	low	Read repos, files, metadata
github_search	GET	low	Search repositories and code
github_create_issue	POST	medium	Create issue
github_comment_issue	POST	medium	Comment on issue
github_delete	DELETE	critical	Delete resource
github_pr_create	POST	high	Create pull request
github_pr_comment	POST	medium	Comment on PR
github_pr_review	POST	medium	Submit PR review
github_pr_merge	PUT	critical	Merge pull request
github_actions_read	GET	low	Read GitHub Actions workflows and runs
github_actions_trigger	POST	high	Trigger GitHub Actions workflow

GitLab & Bitbucket

Action ID	Method	Risk	Description
gitlab_read	GET	low	Read projects and resources
gitlab_create_issue	POST	medium	Create issue
gitlab_mr_create	POST	high	Create merge request
gitlab_mr_merge	PUT	critical	Merge merge request
bitbucket_read	GET	low	Read repositories
bitbucket_pr_create	POST	high	Create pull request
bitbucket_pr_merge	POST	critical	Merge pull request

Google Calendar

Action ID	Method	Risk	Description
gcal_list	GET	low	List calendars/events
gcal_read_event	GET	low	Read single event
gcal_create_event	POST	high	Create calendar event
gcal_update_event	PUT	high	Update event
gcal_delete_event	DELETE	high	Delete event

Gmail & Google Tasks

Action ID	Method	Risk	Description
gmail_list	GET	medium	List messages
gmail_read	GET	medium	Read message
gmail_send	POST	high	Send email
gmail_delete	DELETE	high	Delete message
google_tasks_list	GET	low	List tasks
google_tasks_create	POST	medium	Create task
google_tasks_update	PATCH	medium	Update task
google_tasks_delete	DELETE	high	Delete task

Slack

Action ID	Method	Risk	Description
slack_read	GET	low	Read channels/messages
slack_post	POST	medium	Post message

Communication

Action ID	Method	Risk	Description
discord_post	POST	medium	Post to Discord webhook
teams_post	POST	medium	Post to Microsoft Teams
telegram_send	POST	medium	Send Telegram message
sendgrid_send	POST	high	Send email via SendGrid

Task tracking

Action ID	Method	Risk	Description
jira_read	GET	low	Read Jira issues and projects
jira_api	POST	medium	Jira API call
linear_api	POST	medium	Linear API call
notion_read	GET	low	Read Notion pages and databases
notion_api	POST	medium	Notion API call
todoist_list	GET	low	List Todoist tasks
todoist_create	POST	medium	Create task
todoist_update	POST	medium	Update task
todoist_complete	POST	medium	Complete task
todoist_delete	DELETE	high	Delete task
asana_read	GET	low	Read Asana tasks and projects
asana_create	POST	medium	Create Asana task
asana_update	PUT	medium	Update Asana task
asana_delete	DELETE	high	Delete Asana task

Cloud & DevOps

Action ID	Method	Risk	Description
cloudflare_dns_list	GET	low	List DNS records
cloudflare_dns_create	POST	high	Create DNS record
vercel_deployments	GET	low	List Vercel deployments
vercel_deploy	POST	high	Trigger deployment
render_services	GET	low	List Render services
docker_hub_read	GET	low	Read Docker Hub repository info
s3_read	GET / HEAD	medium	Read S3 object (pre-signed or IAM-authed URL)
s3_write	PUT / DELETE	high	Write or delete S3 object

s3_read and s3_write accept a method enum in the request body (GET / HEAD for reads, PUT / DELETE for writes). The split enforces read/write separation at the action boundary so a principal can be granted read-only S3 access without unlocking write or delete.

Finance

Action ID	Method	Risk	Description
stripe_read	GET	high	Read Stripe data
stripe_create_invoice	POST	critical	Create invoice
exchange_rate	GET	low	Currency exchange rate lookup

Knowledge & data

Action ID	Method	Risk	Description
wikipedia_read	GET	low	Read Wikipedia article
arxiv_search	GET	low	Search arXiv papers
hn_top	GET	low	Hacker News top stories
rss_fetch	GET	low	Fetch RSS/Atom feed
confluence_read	GET	low	Read Confluence pages
confluence_write	POST	medium	Write Confluence page
npm_read	GET	low	Read npm package metadata

Notes & files

Action ID	Method	Risk	Description
obsidian_read	GET	low	Read Obsidian vault
obsidian_write	PUT	medium	Write to Obsidian vault

Filesystem

Action ID	Method	Risk	Description
fs_read	—	low	Read file from configured fs_root_path
fs_write	—	high	Write file under configured fs_root_path
fs_delete	—	critical	Delete file under configured fs_root_path

Filesystem actions use the fs provider (fs.wasm). All paths are resolved relative to fs_root_path configured in latchgate.toml. The provider has no network access — only io/fs and io/log imports.

Alerting

Action ID	Method	Risk	Description
pagerduty_event	POST	medium	Create PagerDuty event
datadog_read	GET	low	Read Datadog monitors and metrics
grafana_read	GET	low	Read Grafana dashboards and alerts
sentry_read	GET	low	Read Sentry issues and events

Planned for future releases

The following actions are planned for future releases. Their WIT interfaces are committed (wit/io-database.wit, wit/io-smtp.wit, wit/io-queue.wit, wit/io-storage.wit) and provider source code exists under providers/, but the providers are excluded from the v0.1 workspace build and no manifests are shipped for them yet.

Action ID	Provider	I/O imports	Risk	Verifier
smtp_send	email.wasm	io/smtp, io/log	high	message_id
database_query	database.wasm	io/database, io/log	high	rows_affected
queue_publish	queue.wasm	io/queue, io/log	medium	queue_ack
file_write	artifact_store.wasm	io/storage, io/log	medium	—

To see the full list including any custom manifests in your deployment, run:

latchgate actions

Manifest format

Every action is defined by a YAML manifest. The manifest is the complete security policy for that action — there is no implicit behavior.

action_id: "my_api_read"
version: "1.0.0"
provider_module_digest: "builtin:http_api"

required_imports:
  - "latchgate:io/http"
  - "latchgate:io/log"

template:
  method: GET
  url_template: "https://api.example.com/v1/{{resource}}/{{id}}"
  headers:
    Accept: "application/json"

io:
  request_schema:
    type: object
    properties:
      resource:
        type: string
        enum: ["users", "orders", "products"]
      id:
        type: string
        minLength: 1
        maxLength: 64
    required: [resource, id]
    additionalProperties: false
  max_request_bytes: 4096
  max_response_bytes: 1048576

resource_limits:
  fuel: 5000000
  memory_mb: 128
  timeout_seconds: 15
  max_io_calls: 3

secrets:
  - name: "MY_API_KEY"
    required: true

egress:
  profile: "proxy_allowlist"
  allowed_domains:
    - "api.example.com"

risk_level: "low"
verifier_kind: http_status

declared_side_effects:
  - "http_read"

For actions backed by a custom WASM provider (non-template), replace builtin:http_api with a SHA-256 digest and add provider_source so the CLI can rehash the digest after a rebuild:

provider_module_digest: "sha256:52fa188826aec99431f4047a21968abcf002d6a811edf61def76dbaf22cb5848"
provider_source: "database.wasm"

Key fields

action_id — unique identifier. Used in API calls (POST /v1/actions/{action_id}/execute) and policy rules.

provider_module_digest — either builtin:http_api (template provider) or a sha256:... digest of a custom WASM module. For custom modules, pair with provider_source (filename relative to wasm_providers_dir) so the digest can be updated after a rebuild (run make providers which handles digest computation).

required_imports — WIT imports the provider is allowed to link at instantiation. Undeclared imports cause instantiation to fail — the kernel refuses to load a module that asks for capabilities the manifest did not declare. In v0.1, supported values are latchgate:io/http, latchgate:io/fs, and latchgate:io/log. The non-HTTP imports (io/database, io/smtp, io/queue, io/storage) are declared in the WIT package for future releases but not linked by the v0.1 runtime.

template — for builtin:http_api actions: HTTP method, URL template with {{variable}} placeholders, headers, and body template. Variables are resolved from the validated request input.

io.request_schema / io.response_schema — JSON Schema for input validation and output verification. Requests that fail schema validation are rejected before policy evaluation. Response schema violations fail the action in deny mode (production default).

resource_limits — CPU fuel, memory cap, wall-clock timeout (epoch-enforced), and I/O call budget. Exceeding any limit terminates the provider immediately.

secrets — secret names to inject from the SOPS-encrypted secrets file. required: true means the action fails if the secret is missing. Secrets are injected at the host I/O transport layer — they never enter the WASM sandbox.

egress.profile — proxy_allowlist routes HTTP through the egress proxy with allowed_domains enforcement. none for actions whose I/O does not go over HTTP (the planned database, queue, SMTP, and storage providers all set this to none).

risk_level — low, medium, high, or critical. The default OPA policy uses this to determine approval requirements. high and critical require human approval.

verifier_kind — how the kernel verifies the provider’s result. http_status checks HTTP response codes (the v0.1 verifier). rows_affected, message_id, and queue_ack are provider-specific verifiers planned for future releases.

declared_side_effects — what the action does in the real world. Sinks derived from these are informational for policy (auto-derived in ACL) and audit — not enforced by the kernel.

Template actions vs custom providers

Most actions use builtin:http_api — a single WASM module that handles all HTTP patterns. The manifest configures it via template (method, URL, headers, body). No code to write.

For non-HTTP protocols (SMTP, SQL, AMQP, object storage), custom WASM providers will be supported when the corresponding host I/O backends ship in future releases. The provider source is preserved in providers/ under workspace exclude for preview. See Custom Actions for the YAML-only path supported in v0.1, and WASM Providers for the sandbox model.

Reviewing actions

Before deploying an action, review its security posture:

latchgate actions github_create_issue

This shows the complete security summary — resolved URL pattern, allowed domains, secrets, limits — without starting the gate. See CLI Reference for details.