# Discover actions from your existing product

> Populate your action registry from an OpenAPI spec, network traffic, or manual definition so your AI agent can call your real product APIs.

Defining actions by hand works, but most teams have dozens of API endpoints worth wiring up. These three methods let you go from "I have an API" to "I have a draft action registry" without writing each definition manually.

**The codebase method** is fastest and most accurate — pick it when you have repo access. **The browser extension** has the lowest friction and works without code access — pick it when you can't grant repo access or want to start with the endpoints your team actually hits. **Running locally** is a fallback that works with any setup — copy a prompt, run it yourself, paste the results back.

<CardGroup cols={3}>
  <Card title="Codebase" icon="code">
    Scans your API routes via GitHub App.
  </Card>

  <Card title="Browser extension" icon="globe">
    Watches live API calls as you use your product.
  </Card>

  <Card title="Run locally" icon="terminal">
    Copy a prompt, run it yourself, paste the results back.
  </Card>
</CardGroup>

## After discovery

Discovered actions land in your registry as candidates. They're listed but not enabled — the AI can't call them yet. For each candidate you:

1. **Review the endpoint and inferred schema.** Confirm the method, path, and input fields are right.
2. **Edit the description.** The AI relies on this for intent matching, so make it specific to what the action does.
3. **Set the governance policy.** `Automatic` for reads, `Confirm required` for writes (see [Policies](/actions/policies)).
4. **Scope to roles if needed.** Restrict the action to specific user roles via `identifiers.role`.
5. **Enable.**

Discovery is a starting point, not an auto-publish. The AI only has access to enabled actions, and you control which ones get enabled.
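As an added example (not Candu's code or its registry schema), the Python below models the candidate-to-enabled gate described above: discovered actions start disabled and invisible to the AI, a review step refuses to enable an action whose policy does not fit its method, and the authorization decision honours role scoping. The `Action` class, its field names and `build_sample_registry` are assumptions made for this illustration; only the two policy names and the `identifiers.role` concept come from the page.

```python
from dataclasses import dataclass, field

READ_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Action:
    name: str
    method: str
    path: str
    description: str
    policy: str = "Confirm required"           # safer default; "Automatic" only for reads
    roles: set[str] = field(default_factory=set)  # empty = any role; stands in for identifiers.role
    enabled: bool = False                       # discovered actions start as candidates


def review_issues(action: Action) -> list[str]:
    """Pre-enable checks mirroring the review steps: path, description, policy vs. method."""
    issues = []
    if not action.path.startswith("/"):
        issues.append("path must be absolute")
    if len(action.description.split()) < 4:
        issues.append("description too vague for intent matching")
    if action.method.upper() not in READ_METHODS and action.policy == "Automatic":
        issues.append("write endpoint with Automatic policy; use Confirm required")
    return issues


def enable(action: Action) -> Action:
    """Flip a candidate to enabled, refusing if review finds problems."""
    issues = review_issues(action)
    if issues:
        raise ValueError(f"{action.name}: " + "; ".join(issues))
    action.enabled = True
    return action


def authorize(registry: dict[str, Action], name: str, role: str) -> str:
    """What the AI may do with an action for a caller role: 'deny', 'allow' or 'confirm'."""
    action = registry.get(name)
    if action is None or not action.enabled:
        return "deny"  # unknown actions and un-enabled candidates are invisible to the AI
    if action.roles and role not in action.roles:
        return "deny"  # role scoping
    return "allow" if action.policy == "Automatic" else "confirm"


def build_sample_registry() -> dict[str, Action]:
    """Constructed sample candidates (hypothetical), as discovery might emit them."""
    return {a.name: a for a in [
        Action("list_invoices", "GET", "/api/invoices", "List invoices for the current account", policy="Automatic"),
        Action("delete_invoice", "DELETE", "/api/invoices/{id}", "Permanently delete one invoice by id", roles={"admin"}),
        Action("issue_refund", "POST", "/api/refunds", "Issue a refund for a payment", policy="Automatic"),
    ]}
```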

## How we handle your code

For the codebase method, your source code is processed under strict guarantees:

| Risk                      | Mitigation                                                  |
| ------------------------- | ----------------------------------------------------------- |
| Persistent code storage   | Ephemeral, encrypted disks only; destroyed on session end   |
| Cross-tenant access       | One isolated ECS task per session, no shared storage        |
| External container access | Private subnets, no public IPs                              |
| Token misuse              | Scoped, short-lived GitHub App tokens                       |
| Accidental logging        | File contents redacted from all logs                        |

<Tip>
  The browser extension path avoids all of this. It only observes API endpoint patterns from calls your browser is already making. No bodies, no credentials, no code access.
</Tip>
