RequestPolicyApprovalExecutionReceipt

Tessra

API / SQL reference

Request and track governed actions from Snowflake — Native App procedures, operator views, and the Action Service those calls use.

This is the surface Tessra exposes for requesting and tracking actions from Snowflake.

Every action follows: request → approval → execution → receipt

Execution flow

One governed run advances only after each gate succeeds. Policy and budget evaluate on every REQUEST_ACTION; human approval is out-of-band (Slack or email); execution finishes when the downstream path reports completion back to Tessra.

Entity map

What you configure and what Tessra records — catalog, executor, intents, policy and budget verdicts, approvals, execution, and receipts — live in APP.* on your installed Native App. The Action Service reads and writes that ledger using the app database you configure.

Parameter	Type	Required	Description
ACTION_DEFINITION (+ ORG_ACTION)	catalog	—	Registers the action key, JSON Schema for params, and whether the org has the action enabled.
ORG_POLICY	rules	—	Ordered numeric rules per action and environment. Evaluated at request time; first matching band wins.
INTENT	ACTION_INTENT	per request	Primary row for the run: idempotency key, params, mode, current STATUS, org/env/team.
POLICY / BUDGET EVAL	ACTION_POLICY_EVAL, ACTION_BUDGET_EVAL	per request	Immutable ledger rows for the verdict shown on receipts and status API.
APPROVAL	ACTION_APPROVAL	if REQUIRE_APPROVAL	Pending then decided via Slack or email; no SQL approve procedure.
EXECUTION	ACTION_EXECUTION + APP.EXECUTIONS	after allow path	Connector attempts, callback outcome, external transaction id. Native app table mirrors attempts for UI.
RECEIPT	APP.RECEIPTS_VIEW	read model	One denormalized row per intent joining intent, ledger, approval, execution, and queue.

Relational diagram

Intent status (state machine)

ACTION_INTENT.STATUS is the single source of truth for where the run sits. Shadow mode uses the SIMULATED_* variants.

Parameter	Type	Required	Description
PENDING_EVALUATION	string	initial	Row inserted; service is running enrichment, budget, and policy before committing the next status.
DENIED / SIMULATED_DENY	string	terminal	Policy or budget returned DENY (or shadow equivalent).
PENDING_APPROVAL / SIMULATED_REQUIRE_APPROVAL	string	gate	Policy returned REQUIRE_APPROVAL; human decision is outstanding (or shadow).
APPROVED / SIMULATED_ALLOW	string	gate passed	APPROVED: auto-allow after policy/budget, or human approved from PENDING_APPROVAL. SIMULATED_ALLOW: shadow run that would have auto-allowed without downstream execution.
EXECUTING	string	in-flight	Executor has started work; wait for callback or failure.
EXECUTED	string	success terminal	Downstream reported success; receipt is complete.
FAILED	string	failure terminal	Execution or callback failed after approval.

Allowed transitions (enforce mode)

PENDING_EVALUATION → DENIED, PENDING_APPROVAL, or APPROVED (first successful evaluation path).
PENDING_APPROVAL → APPROVED or DENIED when Slack/email approval resolves.
APPROVED → EXECUTING when the executor run starts → EXECUTED or FAILED when the callback completes.
Terminal states (DENIED, EXECUTED, FAILED, SIMULATED_*) do not advance except via operator repair flows outside this contract.

APP.UPSERT_ACTION_DEFINITION

Registers or updates a catalog action and toggles org-level enablement. Resolves ORG_ID from APP.DURABLE_ORG using the current account and database.

Signature

SQL

CREATE OR REPLACE PROCEDURE APP.UPSERT_ACTION_DEFINITION(
  ACTION_NAME VARCHAR,
  DISPLAY_NAME VARCHAR,
  DESCRIPTION VARCHAR,
  SOURCE_TYPE VARCHAR,
  PARAM_SCHEMA VARIANT,
  EXECUTION_MODE VARCHAR,
  ENABLED BOOLEAN
)
RETURNS VARCHAR

Parameter	Type	Required	Description
ACTION_NAME	VARCHAR	Yes	Action key; must match ^[a-z][a-z0-9_]\.[a-z][a-z0-9_]$ (e.g. customer.credit_issue). Stored as ACTION_KEY.
DISPLAY_NAME	VARCHAR	Yes	Human label; max 512 characters, non-empty.
DESCRIPTION	VARCHAR	No	Optional; max 4000 characters.
SOURCE_TYPE	VARCHAR	Yes	Origin of the definition (e.g. user, catalog). Drives whether PARAM_SCHEMA is mandatory.
PARAM_SCHEMA	VARIANT	Conditional	JSON Schema object with type "object" and properties map. Required when SOURCE_TYPE is user/custom/manual.
EXECUTION_MODE	VARCHAR	No	Optional execution hint; max 64 characters.
ENABLED	BOOLEAN	No	Default true: upsert ORG_ACTION with ENABLED true. If false, sets ORG_ACTION.ENABLED false for this org.

Example

SQL

CALL APP.UPSERT_ACTION_DEFINITION(
  'customer.credit_issue',
  'Customer credit',
  'Goodwill or recovery credit',
  'user',
  PARSE_JSON('{"type":"object","properties":{"amount":{"type":"number"},"currency":{"type":"string"}},"required":["amount"]}'),
  NULL,
  TRUE
);

Creates / updates (Snowflake APP schema)

APP.ACTION_DEFINITION — MERGE on ACTION_KEY.
APP.ORG_ACTION — MERGE or UPDATE for org + action enablement and source pack id.

Lifecycle impact

No intent rows. Required before UPSERT_ORG_POLICY_RULE, CONFIGURE_EXECUTOR, and catalog-backed REQUEST_ACTION paths that validate against the registered key.

APP.UPSERT_ORG_POLICY_RULE

Inserts or replaces one ordered policy band for an action and environment. Rules are evaluated in RULE_ORDER ascending; the first matching band determines ALLOW, REQUIRE_APPROVAL, or DENY.

Signature

SQL

CREATE OR REPLACE PROCEDURE APP.UPSERT_ORG_POLICY_RULE(
  ACTION_NAME VARCHAR,
  ENVIRONMENT VARCHAR,
  RULE_ORDER NUMBER,
  OPERATOR VARCHAR,
  THRESHOLD_VALUE FLOAT,
  OUTCOME VARCHAR,
  ENABLED BOOLEAN
)
RETURNS VARCHAR

Parameter	Type	Required	Description
ACTION_NAME	VARCHAR	Yes	Same action key rules as UPSERT_ACTION_DEFINITION.
ENVIRONMENT	VARCHAR	No	Defaults to prod; max 64 characters.
RULE_ORDER	NUMBER	Yes	Positive integer; lower numbers run first.
OPERATOR	VARCHAR	Yes	One of <=, >, <, >=, =, ==.
THRESHOLD_VALUE	FLOAT	No	Numeric threshold for the band; NULL when the operator does not need a numeric compare.
OUTCOME	VARCHAR	Yes	ALLOW, REQUIRE_APPROVAL, or DENY (case-insensitive input).
ENABLED	BOOLEAN	No	If false, deletes the rule row for that org/action/env/order.

Example

SQL

CALL APP.UPSERT_ORG_POLICY_RULE(
  'customer.credit_issue',
  'prod',
  1,
  '<=',
  100,
  'ALLOW',
  TRUE
);
CALL APP.UPSERT_ORG_POLICY_RULE(
  'customer.credit_issue',
  'prod',
  2,
  '<=',
  500,
  'REQUIRE_APPROVAL',
  TRUE
);

Creates / updates / deletes

APP.ORG_POLICY — MERGE when enabled; DELETE when disabled.

Lifecycle impact

Changes apply to the next REQUEST_ACTION evaluation only; existing intents keep their persisted policy eval row.

APP.CONFIGURE_EXECUTOR

Stores the downstream webhook for an org and action. Catalog-backed requests require an active http_webhook executor before the Action Service accepts the call.

Signature

SQL

CREATE OR REPLACE PROCEDURE APP.CONFIGURE_EXECUTOR(
  ACTION_NAME VARCHAR,
  EXECUTOR_TYPE VARCHAR,
  EXECUTOR_CONFIG VARIANT,
  ENABLED BOOLEAN DEFAULT TRUE
)
RETURNS VARCHAR

Parameter	Type	Required	Description
ACTION_NAME	VARCHAR	Yes	Action key; must exist and be org-enabled.
EXECUTOR_TYPE	VARCHAR	Yes	Only webhook is supported (case-insensitive).
EXECUTOR_CONFIG	VARIANT	Yes	Object: type "webhook", url (required), optional auth (header or header_ref), headers map, body_template, idempotency_header, idempotency_template.
ENABLED	BOOLEAN	No	Default TRUE; marks executor row active or inactive.

The url is your downstream executor, not the Tessra Action Service host. See examples/tessra-downstream-worker/README.md in this repo for a runnable pattern.

Example

SQL

CALL APP.CONFIGURE_EXECUTOR(
  'customer.credit_issue',
  'webhook',
  PARSE_JSON('{
    "type": "webhook",
    "url": "https://YOUR_DOWNSTREAM_HOST/tessra/webhook",
    "headers": {"X-Source": "tessra"}
  }'),
  TRUE
);

Creates / updates

APP.ORG_EXECUTOR_CONFIG — MERGE on org + action; stores normalized JSON, endpoint URL, optional auth material, and static headers.

Lifecycle impact

Required for catalog-driven execution enqueue. Misconfiguration surfaces as EXECUTOR_NOT_CONFIGURED on request, not as a SQL error.

APP.REQUEST_ACTION

POSTs /v1/actions/request on the Action Service. Body includes org resolved from APP.DURABLE_ORG, validated params, optional context, and idempotency key. Returns JSON as a VARCHAR string to SQL callers.

Signature

SQL

CREATE OR REPLACE PROCEDURE APP.REQUEST_ACTION(
  ACTION_TYPE VARCHAR,
  PARAMS_PAYLOAD VARIANT,
  ENVIRONMENT VARCHAR DEFAULT '',
  TEAM VARCHAR DEFAULT '',
  REQUESTED_BY VARCHAR DEFAULT 'snowflake_sql',
  REASON VARCHAR DEFAULT 'Snowflake Native Action API',
  IDEMPOTENCY_KEY VARCHAR DEFAULT '',
  HARNESS_SECRET VARCHAR DEFAULT '',
  SERVICE_BASE_HOST VARCHAR DEFAULT '',
  SOURCE_SYSTEM VARCHAR DEFAULT 'snowflake_sql',
  CONTEXT_JSON VARIANT DEFAULT NULL
)
RETURNS VARCHAR

Parameter	Type	Required	Description
ACTION_TYPE	VARCHAR	Yes	Action key; must match catalog entry when using APP.* definitions.
PARAMS_PAYLOAD	VARIANT	Yes	Object conforming to PARAM_SCHEMA for that action.
ENVIRONMENT / TEAM	VARCHAR	No	Passed through to policy evaluation and ledger.
REQUESTED_BY / REASON	VARCHAR	No	Audit fields on ACTION_INTENT.
IDEMPOTENCY_KEY	VARCHAR	No	If empty after trim, the procedure generates a new UUID — every call is then a new intent. Supply a stable key to dedupe.
HARNESS_SECRET	VARCHAR	No	Sent as x-tessra-test-harness-secret when non-empty.
SERVICE_BASE_HOST	VARCHAR	Yes	Action Service base URL (no trailing slash required). If empty, the call fails before HTTP.
SOURCE_SYSTEM	VARCHAR	No	Default snowflake_sql; cortex agents pass cortex.
CONTEXT_JSON	VARIANT	No	Merged into stored context JSON for enrichment and receipts.

Example

SQL

CALL APP.REQUEST_ACTION(
  'customer.credit_issue',
  PARSE_JSON('{"customer_id":"c_1","amount":50,"currency":"USD"}'),
  'prod',
  '',
  '[email protected]',
  'Goodwill credit',
  'idem_20250421_001',
  '<HARNESS_SECRET>',
  'https://api.tessra.ai',
  'snowflake_sql',
  NULL
);

Ledger (what gets written)

A successful call creates the intent row, context snapshot, policy and budget verdicts, an approval row when required, and execution state as the run progresses — all queryable from the views below.

Lifecycle impact

Starts or resumes the state machine for one intent. Duplicate IDEMPOTENCY_KEY for the same org and action returns the existing intent payload without creating a second row.

APP.GET_ACTION_STATUS

GET /v1/actions/<intent_id>/status. Returns JSON as VARCHAR merged from intent, ledger, execution surface, and approval delivery metadata.

Signature

SQL

CREATE OR REPLACE PROCEDURE APP.GET_ACTION_STATUS(
  INTENT_ID VARCHAR,
  SERVICE_BASE_HOST VARCHAR,
  HARNESS_SECRET VARCHAR DEFAULT ''
)
RETURNS VARCHAR

Parameter	Type	Required	Description
INTENT_ID	VARCHAR	Yes	UUID returned from REQUEST_ACTION or duplicate-idempotency response.
SERVICE_BASE_HOST	VARCHAR	Yes	Same Action Service base URL used for the request path.
HARNESS_SECRET	VARCHAR	No	Optional harness header for test deployments.

Example

SQL

CALL APP.GET_ACTION_STATUS(
  'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
  'https://api.tessra.ai',
  '<HARNESS_SECRET>'
);

Creates / updates (Snowflake)

None — read-only HTTP from Snowflake.

Lifecycle impact

Observes status only. Typical JSON fields include status, policy_verdict, budget_verdict, approval_decision, execution_status, execution_id, external_tx_id.

Related: APP.GET_ACTION_RECEIPT

Same host and secret pattern; GET /v1/receipts/<intent_id> for a receipt-shaped document. Use status for polling state machines; use receipt when a signed summary is required downstream.

Operator views

Created by CALL APP.CREATE_OR_REFRESH_UI_VIEWS() after install or whenever you upgrade the app package (re-run after upgrades). Column sets below match the shipped installer DDL.

APP.ACTION_INTENTS_VIEW

Thin read on ACTION_INTENT for operators and Streamlit.

Parameter	Type	Required	Description
intent_id	STRING	row	Primary intent UUID.
org_id	STRING	row	Tenant identifier from the intent row.
action_type	STRING	row	Same value as action key for catalog actions.
status	STRING	row	ACTION_INTENT.STATUS (see state machine).
requested_by	STRING	row	Caller identity.
reason	STRING	row	Operator-supplied reason text.
amount	NUMBER?	derived	TRY_TO_NUMBER(params_json:amount) when present.
environment / team	STRING	row	Policy routing dimensions.
created_at	TIMESTAMP	row	Intent creation time.

SQL

Example

SELECT intent_id, status, action_type, amount, created_at
FROM APP.ACTION_INTENTS_VIEW
ORDER BY created_at DESC
LIMIT 25;

APP.APPROVALS_VIEW

One row per approval record with channel metadata and decision timestamps.

Parameter	Type	Required	Description
approval_id	STRING	row	Approval UUID.
intent_id / org_id	STRING	row	Join keys back to the intent.
approval_channel	STRING	row	slack, email, or future channels.
approved_by	STRING	nullable	Actor id once decided.
decision / decision_reason	STRING	nullable	APPROVED or DENIED plus optional reason.
decided_at / updated_at	TIMESTAMP	nullable	Audit timestamps.

SQL

Example

SELECT intent_id, approval_channel, decision, decided_at
FROM APP.APPROVALS_VIEW
WHERE intent_id = '<INTENT_ID>';

APP.RECEIPTS_VIEW

One audit-ready row per intent: policy summary, approval flags, execution phase, derived next_step, and terminal boolean for UI and Cortex helpers.

Parameter	Type	Required	Description
intent_id … created_at	various	core	Identity, org, action_type/action_key, params VARIANT, request_reason, request_source, requested_by, status, environment, created_at.
policy_decision / budget_verdict	STRING	nullable	Ledger verdicts used for UI coloring.
policy_rule_matched / policy_summary	STRING	nullable	Which band fired and human-readable explanation.
approval_required / approval_decision / approval_channel / approved_by / approved_at	mixed	nullable	Human gate snapshot.
execution_status / execution_phase / queue_execution_status	STRING	nullable	Canonical execution state plus derived phase (PENDING, EXECUTING, COMPLETED, FAILED).
execution_id / external_tx_id / result_json	mixed	nullable	Downstream identifiers and JSON result payload.
next_step / terminal	STRING / BOOLEAN	derived	next_step in DONE \| DENIED \| FAILED \| WAIT_FOR_APPROVAL \| IN_PROGRESS; terminal true when finished.

SQL

Example

SELECT intent_id, status, policy_decision, approval_required,
       execution_phase, next_step, terminal, result_json
FROM APP.RECEIPTS_VIEW
WHERE org_id = '<ORG_ID>'
ORDER BY created_at DESC
LIMIT 50;

Approval model

There is no SQL APPROVE_INTENT API. Humans act in Slack or email using links and tokens issued by the Action Service.
Slack and email channels are selected from deploy-time configuration (APP.DURABLE_ORG and related approval config consumed by the service), not from extra procedure parameters on REQUEST_ACTION.
Additional enterprise systems (for example ServiceNow) can be added as new approval delivery adapters behind the same pending row; the Native App contract stays stable.

Setup walkthrough: Configure approvals.

Execution callback

Webhook executors report completion back to Tessra so the intent can close cleanly. Treat callbacks as idempotent: the intent may stay non-terminal until Tessra records the outcome even if your side already applied a change. Path and auth follow your deployment; operators set this up with Tessra during onboarding.

Governance authoring (HTTP)

Phase 6 routes require the Action Service to be wired to your Native App database (SNOWFLAKE_NATIVE_APP_DATABASE). They list context, generate verified SQL from natural language, apply allowlisted CALL APP.* statements, and configure executor templates—mirroring MCP tools in tessra-action-mcp. Full request/response detail: repo docs/api-spec.md (Governance authoring section).

Governance authoring & context (narrative) →

GET /v1/governance/context-sources — list governance context sources
GET /v1/governance/context-sources/:context_name — describe one source
POST /v1/governance/generate-sql — NL → verified policy SQL (does not execute)
POST /v1/governance/apply-sql — run allowlisted governance CALLs
GET /v1/governance/executor-templates — static executor templates
POST /v1/governance/executors/configure — bind executor from template
POST /v1/governance/executors/mapping — field map for webhook params
POST /v1/governance/executors/validate — read back executor readiness

After configuration, use capability routes to simulate or request actions: POST /v1/actions/simulate, POST /v1/actions/request (see Entity map / capability discovery in docs/api-spec.md).

Cortex entrypoints

Thin wrappers that resolve ACTION_SERVICE_BASE_URL and harness secret from APP.DURABLE_ORG, then call the same HTTP contract as SQL operators.

SQL

-- Returns VARIANT (structured), not VARCHAR JSON
CALL APP.REQUEST_ACTION_FROM_CORTEX(
  '<action_key>',
  OBJECT_CONSTRUCT('amount', 50, 'currency', 'USD'),
  'Reason text'
);

CALL APP.GET_ACTION_STATUS_FOR_CORTEX('<intent_id>');

Workspace URL (operator SQL path)

Cortex path reads APP.DURABLE_ORG automatically. For REQUEST_ACTION, pass the base URL explicitly or centralize it in your SQL harness.

SQL

UPDATE APP.DURABLE_ORG
SET ACTION_SERVICE_BASE_URL = 'https://api.tessra.ai',
    ACTION_SERVICE_HARNESS_SECRET = '<secret>'
WHERE WORKSPACE_KEY = LOWER(TRIM(CURRENT_ACCOUNT()))
  || ':' || LOWER(TRIM(CURRENT_DATABASE()));

Common mistakes

Missing idempotency key — an empty IDEMPOTENCY_KEY generates a fresh UUID per call, so retries create duplicate intents. Always pass a deterministic key per logical operation.
Misconfigured executor — catalog actions without an active http_webhook row in APP.ORG_EXECUTOR_CONFIG fail fast with EXECUTOR_NOT_CONFIGURED even when policy would allow.
Policy band gaps or order — RULE_ORDER must cover the amounts you send; unexpected DENY often means no band matched or the first match is DENY.
Mixing service host and Native App DB — GET_ACTION_STATUS must target the same Action Service instance that received REQUEST_ACTION.