Flow Capabilities: governed operations in automation¶
Flow capabilities let you invoke platform operations — like querying a metric or sending a notification — from inside a flow, without writing code or pasting webhook URLs. Every capability runs through governed contracts: the platform handles credentials, audit logging, and access control.
When to use capabilities¶
Use flowCapability nodes when you want to:
- Query a metric on a schedule and branch on the result (e.g. "if revenue dropped >10%, notify finance").
- Send a notification through a pre-configured Microsoft 365 or Google Workspace channel without embedding URLs or tokens.
- Chain platform operations — run a metric, evaluate a condition, then notify if the threshold is breached.
You do not need capabilities for:
- Calling an external API — use a
flowAction(HTTP) node. - Data mapping or context manipulation — use a
flowTransformnode. - Branching on a value — use a
flowConditionnode.
Available capabilities¶
| Capability | What it does | Inputs | Output |
|---|---|---|---|
| Run Metric | Executes a governed metric query against a warehouse integration | Metric, integration, period, compare kind | { current, comparison, delta, metadata } |
| Notify | Sends a message through an integration channel (M365 Teams/Outlook, GWS Chat/Gmail) | Integration, channel, subject, body | { status, ok, error_message } |
Configuring a capability node¶
- In the flow builder, drag a Capability node onto the canvas.
- In the config panel, select the capability type (Run Metric or Notify).
- Fill in the required inputs. The picker only shows assets that exist in Datahub — metrics you've defined, integrations an admin has configured. If the list is empty, define the asset first.
- Set the output key — this is the context variable name where the result lands. Downstream nodes can reference it with
{{output_key}}syntax.
Run Metric inputs¶
| Field | Required | Description |
|---|---|---|
| Metric | Yes | Select from your governed metric definitions |
| Integration | Yes | The warehouse integration to query through (PAT or service principal only) |
| Period grain | Yes | day, week, month, quarter, or year |
| Period start | Yes | ISO date or {{variable}} from flow context |
| Period end | Yes | ISO date or {{variable}} from flow context |
| Compare kind | Yes | none, previous_period, or yoy_calendar_aligned |
| Output key | Yes | Context key for the result (default: metric_result) |
Notify inputs¶
| Field | Required | Description |
|---|---|---|
| Integration | Yes | The M365 or GWS integration to send through |
| Channel | Yes | The specific channel (Teams webhook, Outlook, Chat webhook, Gmail) |
| Subject | No | Message subject — supports {{variable}} |
| Message body | No | Message body — supports {{variable}} |
| Event type | No | Defaults to flow.capability.notify |
| Output key | Yes | Context key for the result (default: notify_result) |
Limitations¶
- OAuth U2M integrations are not supported for Run Metric. Flows execute headlessly (no interactive user), so integrations that require user delegation cannot be used. Use a PAT or service principal integration instead. The flow will return a clear error message if you select an OAuth U2M integration.
- Only registered capabilities can be invoked. A flow cannot call arbitrary platform internals — the set of capabilities is explicitly registered in the engine.
- Grant check: each flow can only invoke capabilities that appear as
flowCapabilitynodes in its graph. A tampered graph cannot invoke undeclared operations.
Pilot flow: threshold-based metric alert¶
A common pattern:
- Scheduled trigger (e.g. daily at 8 AM)
- flowCapability (Run Metric) — query
revenue_mtdwithmonthgrain,yoy_calendar_alignedcompare - flowCondition — check if
{{metric_result.delta.percentage}}< -10 - flowCapability (Notify) — if threshold breached, send alert to the finance Teams channel with the metric value in the body
This flow runs entirely through governed operations — no raw URLs, no embedded credentials, no code execution.
Troubleshooting¶
| Symptom | Cause | Fix |
|---|---|---|
| "OAUTH_U2M_UNSUPPORTED" in flow run | Metric uses an oauth_u2m integration |
Switch the metric's integration to PAT or service principal |
| "Capability not registered" | Flow references a capability the engine doesn't know about | Check spelling; available capabilities: run_metric, notify |
| "Capability not granted" | The version's approved capability set does not include this capability — it was added after approval or the version was not approved with it | Submit a new version with the capability node for approval |
| Empty metric/integration picker | No governed assets exist yet | Define a metric or configure an integration first |
| Notify status "blocked" | Integration inactive, channel disabled, or capability flag off | Check integration status and channel configuration in Admin → Integrations |
Approval governance¶
Every flow version must pass through the approval workflow before activation. At approval time, the platform freezes the exact set of capabilities the version declares. At runtime, the engine checks every capability invocation against this frozen set — a flow cannot execute capabilities it was not approved for.
This means: - Adding a new capability node to an already-active flow requires creating a new version and getting it approved. - The approved capability set is immutable on the active version — no drift between what was reviewed and what runs. - The temporal record (SCD Type 2) lets auditors and the brain reconstruct which capabilities were active at any point in time.