Definition
A Capability describes what exists. AnAgentAction is one attempted use of it.
That distinction matters. Policy cannot make useful decisions from tool_name = refund_customer. It needs the attempted use: which agent, acting for which principal, in which tenant, in which environment, with which arguments, right now.
The AgentAction captures all of that. It is the thing the runtime inspects, authorizes, modifies, audits, or blocks.
How Actions Are Created
When you call a capability decorated with@runtime.capability, Brane automatically creates the AgentAction from the runtime context and bound arguments.
Example Action
Lifecycle
- Created before the
before_capabilitypolicy stage - Before decision when policy evaluates the action and returns a Decision
- Executed if allowed, when the function runs
- After record when a new AgentAction is created with
outputpopulated - After decision when
after_capabilitypolicy evaluates the output - Returned or denied when output is returned or
CapabilityDeniedErroris raised
Fields
Computed Property
is_prod:Trueifenvironment == "prod". Exposed on PolicyContext asctx.is_prod.
Action Types
Identity Fields
The combination ofagent_id, principal_id, and tenant_id answers the most important governance question: who is doing this, on behalf of whom, for which customer.
Policy can check these via ctx.agent_id, ctx.principal_id, and ctx.tenant_id.
Trace Fields
trace_id links all actions in a single workflow run. parent_action_id links nested actions, for example when an agent spawns a subagent. These fields form the action tree that becomes the trace timeline in the dashboard.