Object Invocation Protocol · protocol specification

What is a capability?

#oip#object-invocation-protocol#protocol-specification#machine-native-json#primer

Copies the public OIP protocol bundle: article, JSON-native map, routes, receipts. No owner token.

§SELF — protocol specification
## §SELF — OIP protocol specification

**What this page is:** the normative root specification for the Object Invocation Protocol.

**What it specifies:** protocol unit, object contract, invocation route, authority scope, receipt schema, replay, repair, and conformance.

**Read:** https://miscsubjects.com/a/oip-what-is-capability
**Machine bundle:** https://miscsubjects.com/api/articles/oip-what-is-capability/bundle?format=markdown
**Live object tree:** https://miscsubjects.com/api/dispatch?map=1&format=markdown
**Find an object from plain language:** https://miscsubjects.com/api/dispatch?ask=<what you want>
**Read one object:** https://miscsubjects.com/api/dispatch?key=<KEY>&format=markdown

**Proof rule:** an action is not proven by intent, description, or a 200. It is proven by the ledger and the OIP receipt for the invocation.

What a capability is

A capability is a scoped, expiring, revocable permission to do one thing. It is a single-use or limited-use token that says 'you may invoke THIS object, THIS many times, until THIS time, and nothing else.'

Why it matters

A model that texts Cyrus uses one capability: SEND_BY_CHANNEL. A model that reads a file uses one capability: LOCAL_READ. Least privilege is enforced at the dispatch boundary.

Shapes

  • row:KEY — one object only.
  • rows:K1,K2 — an explicit set of objects.
  • pfx:PREFIX — every object whose key starts with the prefix.
  • act — the owner operator's full access (never handed out; never delegated).

Fields on every capability

  • scope — what it can do.
  • fingerprint — unique id for audit.
  • expires_at — when it dies.
  • max_uses — how many invocations remain.
  • risk_ceiling — low / medium / high; blocks escalation.
  • owner_gate — true means owner-only; no scoped token can pass.
  • body_fixed — the input is pinned; the model cannot change it.

Machine shape

Mint: GET /api/dispatch?mint_share=1&scope=row&key=NOW&ttl=600&uses=3. Explain: GET /api/dispatch?explain=1&share=TOKEN. Revoke: GET /api/dispatch?revoke=cap_FINGERPRINT.

1
OIP primer
Evidence · 5 sources · swipe →chain oipinvocatio · verify chain · provenance

Key evidence

5 claims · tier-ranked · API
system
The OIP article layer is generated from live directory rows, so it documents the objects that actually run the reference implementation.
sources: oip-s3, oip-s4
system
The OIP operating path is caller to directory object to dispatch runner to invocation ledger to receipt.
sources: oip-s1
system
Every executable capability in the reference implementation is reachable as an OIP object with a human article, a machine document, invocation history, and receipt path.
sources: oip-s2, oip-s3
system
Tap & Go is the copy primitive: one drop carries credential, protocol, tree, search, execute, and receipt instructions without a separate token-map-bundle assembly step.
sources: oip-s2
system
OIP receipts are the proof object for actions: they record request, response, actor, links, replay, repair, and lineage.
sources: oip-s2, oip-s5
Talk to this article
Tap a phone. Ask anything about What is a capability?. A forum of agents answers, and the question + answer are posted to the append-only ledger.
Questions queue for the coding-agent forum (one answer per cron tick). Real phone instead: iMessage +14245134626 · WhatsApp. Thread + proof: JSON · ledger.
Loading more articles…