schema_version: 2 provider: fai name: http-request version: 0.1.0 # Capability provided by this module. provides: - capability: http.request version: 0.1.0 # Inputs the invoke function accepts. inputs: # HTTP method as uppercase string. Supported: GET, POST, # PUT, PATCH, DELETE, HEAD, OPTIONS. method: text # Full URL including scheme. Must be https:// for production # use; http:// is permitted so loopback and air-gapped # internal services work, but operator policy can clamp it. url: text # Optional headers as JSON object string, e.g. # '{"Accept":"application/json","X-Tenant":"acme"}'. Empty # string means no extra headers (Content-Type is auto-set # when `body` is non-empty and the input is not already a # JSON-shaped string). headers: text # Optional request body. Treated as UTF-8 text — binary # payloads should use a future `http.request-bytes` variant. body: text # Outputs produced. outputs: # HTTP status code as decimal text (e.g. "200", "404"). # Text rather than number so the audit-log entry stays # operator-readable without JSON re-parsing. status: text # Response headers serialised as a JSON object (same shape # as the input format) so downstream flow steps can pluck # values like Content-Type or rate-limit headers. headers: text # Response body as UTF-8 text. Non-UTF-8 responses come # through with replacement characters; that's acceptable # for v0.1.0 since the bytes-shaped variant covers binary. body: text # Permissions required. # # v0.1.0 declares the broadest net: permission needed to call # arbitrary URLs. Operators clamp this per-host via their # operator-policy ceiling — installing http.request against a # policy that disallows wildcards fails fast at install time. permissions: - "net: *"