╭──────────────────────────────────────────────────────────────╮
│ CHAT SURFACE  ->  ENDPOINT GRAMMAR  ->  OPERATING RECEIPT   │
│ intent            schema / authority      proof              │
│                                                              │
│ The product is the boundary the model can safely inhabit.    │
╰──────────────────────────────────────────────────────────────╯
Research

Endpoint Construction Is Product Construction

This paper argues that endpoint construction is product construction in AI-native systems. Using Atlas as the case study, it shows how typed objects, bounded mutations, tiered limits, durable state, fallback behavior, and inspectable readiness turn a canvas from a diagram into an agent-operable product surface.

June 24, 2026
18 min read
intermediate

Boundary model

AI-native product power lives in the endpoint grammar.

The visual model turns a chat request into a bounded endpoint contract with intent, schema, authority, state, limits, errors, evidence, and fallback.

Intent

Name the business capability.

Authority

Separate read, propose, approve, apply, and rollback.

State

Persist sessions, events, limits, and artifacts.

Receipt

Return evidence and recovery paths.

Executive Thesis

The product is not the chat box.

The product is the capability boundary the model is allowed to inhabit.

In conventional software, an endpoint can look like implementation detail. It receives input, touches state, and returns output. In AI-native software, that endpoint becomes a product surface. It tells the model what exists, what it can do, how much authority it has, which failures matter, and what evidence must remain after the work runs.

This is the lesson from the recent Atlas and Canvas work. Atlas became more useful as the endpoint grammar became more specific:

  • typed map objects
  • bounded mutations
  • run, wait, stop, and unknown states
  • anonymous and warm-lead tiers
  • persisted events
  • deterministic fallback
  • readiness scoring
  • explicit refusal of production actions

Those are not incidental backend details. They are the product.

Endpoint construction is product construction because agent experience improves when the system gives the model a better world to operate inside.

What This Paper Gives You

Use this paper when an AI workflow feels promising in chat but vague in operation.

It gives you three practical outputs:

  1. A way to explain why "we connected the API" is not the same as "the agent can safely inherit work."
  2. A grammar for designing endpoints as product surfaces: intent, schema, authority, state, limits, errors, evidence, and fallback.
  3. A starter endpoint contract that can be used before turning a workflow map into code.

The target reader is the operator, founder, product lead, or builder deciding what should become callable by an AI system.

The Shift From Interface To Capability

The first wave of AI product thinking centered on prompts and chat surfaces. That was understandable. Chat was the visible interface. The model appeared to be the product.

But a chat surface without endpoints is mostly interpretation. It can explain, summarize, and suggest, but it cannot reliably inherit work. The moment the model is expected to operate in a real workflow, the center of gravity moves from:

What should the model say?

to:

What can the model safely do?

That question is answered by endpoints.

Tool calling makes the shift explicit. AI systems can interact with APIs, databases, and external services instead of relying only on static model knowledge. The product implication is not merely that models can call APIs. It is that every callable endpoint becomes part of the model's action space.

MCP sharpens the distinction. Tools expose model-controlled capabilities. Resources expose context by URI. Prompts carry guidance. Together, these primitives turn product architecture into an agent-readable capability graph.

The design question changes:

Old product question AI-native product question
What screen should we build? What capability boundary should exist?
What should the user click? What should the agent be allowed to invoke?
What data should be displayed? What context should be exposed, when, and to whom?
What validation should the form run? What schema, rate, policy, and audit boundary should govern action?
What error should the UI show? What failure artifact should the agent and operator receive?

The screen still matters. But the screen becomes one touchpoint over a deeper contract.

The Endpoint As Touchpoint

The Three-Tier Framework names the relevant structure:

  • Database: what exists.
  • Automation: what happens.
  • Judgment: what should happen.
  • Touchpoints: where interaction happens across those tiers.
  • Artifacts: what flows between boundaries.

An endpoint is a touchpoint that can carry all five concerns at once.

A weak endpoint exposes raw capability:

  • post message
  • create record
  • update node
  • run sync

It gives a model an action but little judgment. The model must infer the rest.

A strong endpoint exposes a product-shaped capability:

  • named intent
  • typed input
  • bounded authority
  • durable state
  • explicit limits
  • machine-readable errors
  • inspectable output
  • audit evidence
  • fallback behavior
  • human approval path

The difference is the product.

In traditional software, product judgment is often spread across UI copy, validation logic, route handlers, database constraints, runbooks, and support practice. In AI-native software, that distribution becomes dangerous if the model can act across the gaps. The endpoint has to compress product judgment into a contract the model can use.

Atlas As Case Study

The public Atlas canvas is the working case study.

The visible surface is a workflow map. The agent-operable product is the contract behind it:

  • node kinds: actor, human task, AI task, system operation, data artifact, constraint, touchpoint
  • node statuses: run, wait, stop, unknown
  • graph operations: add node, update node, add edge
  • mutation budgets
  • message limits
  • anonymous and warm-lead tiers
  • hashed visitor identity for persistence and rate limits
  • D1-backed event and session storage when available
  • in-memory fallback when the database is unavailable
  • deterministic fallback mode when OPENAI_API_KEY is absent
  • readiness scoring
  • concise suggestions
  • refusal to create secrets, credentials, private records, or production-tool actions

That endpoint grammar turned the canvas from a diagram into a governed mapping surface. The model could operate because the system had already answered the product questions:

  • What kinds of things exist on the map?
  • Which changes are allowed?
  • How many changes can happen in one turn?
  • Which user tier gets more room?
  • What happens when the model is unavailable?
  • What state is persisted?
  • What evidence survives the interaction?
  • Which requests must become constraints instead of actions?

The product did not become more AI-native because the chat got more verbose. It became more AI-native because the endpoint made the canvas legible to the model and safe for the operator.

The Construction Moat

The MCP-First Thesis says that MCP consumption is commoditized and MCP creation is not. Endpoint construction is the narrower version of that claim.

Scaffolding a route is easy. Generating an MCP wrapper is becoming easier. Unified API providers can expose broad tool catalogs, and some platforms can derive MCP servers from existing integration definitions and documentation.

That does not remove the product work.

The moat is not "we can make an endpoint." The moat is knowing what endpoint should exist.

That requires:

  • domain understanding
  • workflow decomposition
  • policy judgment
  • data-shape discipline
  • security boundaries
  • operator experience design
  • failure-mode design
  • validation and evidence design

This is why endpoint construction belongs inside the same product language as Policy OS. A Policy OS engagement does not merely connect a tool to a model. It constructs the capability boundary through which the model can safely participate in work.

Endpoint Grammar

If endpoints are product surfaces, they need a grammar.

Intent

The endpoint should expose a named business capability, not just a database mutation.

create_invoice_adjustment_proposal is a different product from update_invoice.

Intent gives the model a usable handle and gives the operator a reviewable claim.

Schema

The schema is not only type safety. It is affordance design.

Every field says what the agent can ask for, what it must know, and what is intentionally unavailable. MCP tool definitions make this visible through input schemas, output schemas, descriptions, and structured content. The better the schema, the less the model must improvise.

Authority

Every endpoint should answer:

  • read
  • propose
  • approve
  • apply
  • rollback

The most important product distinction is often not "can the agent do this?" It is "can the agent propose this without applying it?"

Atlas follows this pattern by letting the agent mutate a local/public map while prohibiting production-system action.

State

AI-native endpoints need durable memory of work, not just stateless responses.

This does not mean every endpoint needs a complex database. It means the product has to decide what survives:

  • session state
  • event log
  • generated artifact
  • approval status
  • failure reason
  • usage count
  • rollback pointer

Without state, the agent cannot inherit a workflow. It can only take turns.

Limits

Limits are product semantics.

Rate limits, mutation limits, message limits, node limits, cost limits, and timeout limits all express what kind of interaction the product believes is safe.

Atlas became more trustworthy because it did not give the mapping agent unbounded canvas authority. It gave the agent a small number of meaningful changes per turn.

Errors

Errors should teach the agent and the operator what boundary was hit.

"Forbidden" is less useful than "This request would exceed the public Atlas map limit" or "This operation requires approval before application."

Machine-readable error behavior is part of the endpoint grammar because agents need to recover without guessing.

Evidence

An endpoint that changes or evaluates work should leave a receipt.

That receipt can be public, private, or operator-only, but it should exist. Evidence is where a capability becomes governable. It also gives the next agent or human reviewer enough context to continue the work.

Fallback

Fallback behavior is product behavior.

Atlas can run deterministically when model access is missing. That matters because it separates the product contract from the model dependency.

A strong endpoint should clarify what degrades, what stops, and what remains inspectable when the model, database, third-party API, or auth provider fails.

A Starter Endpoint Contract

A first endpoint contract can be small.

endpoint: create_support_reply_proposal
intent: Draft a customer-safe support reply for review.
authority: propose
owner:
  approval: support_lead
  source_system: helpdesk
inputs:
  ticket_id:
    type: string
    required: true
  customer_context:
    source: authorized_account_lookup
    pii_boundary: internal_only
allowed_reads:
  - read_ticket
  - read_customer_account_status
  - search_approved_help_content
allowed_writes:
  - create_internal_note
  - create_reply_draft
must_wait:
  - send_customer_reply
  - issue_refund
  - change_subscription_state
must_stop:
  - missing_ticket_record
  - unclear_payment_state
  - legal_or_security_escalation
limits:
  max_tool_calls: 6
  max_output_chars: 1800
fallback:
  model_unavailable: create_empty_review_packet
evidence:
  receipt:
    - ticket_id
    - policy_version
    - source_links
    - blocked_or_waiting_reason
    - reviewer_next_action

The contract does not need to be large. It needs to make the operating boundary explicit.

Implications For CREATE SOMETHING

This reframes the CREATE SOMETHING offer.

The product is not generic AI app development. That phrase is too broad and too easy to collapse into screens, prompts, or vendor glue.

The product is workflow endpoint construction:

We construct the trusted endpoint surface through which AI can safely read, propose, act, wait, and prove its work.

This language fits the existing service ladder:

Offer Endpoint construction interpretation
Workflow Infrastructure Build the first trusted endpoint surface for one workflow.
Policy OS Add policy artifacts, approval states, evidence, regression gates, and ongoing governed operation.
Enterprise Extension Extend endpoint authority across higher-risk systems with stronger identity, audit, rollout, and rollback boundaries.
Workflow Mapping Session Identify the endpoint grammar before implementation begins.

It also clarifies the role of Atlas.

Atlas is not just a sales widget. It is a pre-endpoint modeling surface. It helps identify the actor, data artifact, system operation, AI task, human approval point, constraint, and touchpoint before code turns those categories into routes, tools, resources, prompts, and policies.

Design Principles

Build Endpoints Around Delegation Points

Do not start with the SaaS API object model. Start with the first safe delegation point in the workflow.

The right endpoint may combine several underlying API calls. It may also intentionally expose less than the underlying API allows.

Prefer Proposal Before Mutation

When risk is non-trivial, the first endpoint should create a proposal artifact. The apply endpoint should be separate and approval-gated.

This keeps the agent useful before it is trusted with writes.

Make Constraints First-Class

Constraints should not live only in prose. They should appear in schemas, route names, response objects, policy files, approval states, and UI touchpoints.

If a constraint matters, the endpoint should know about it.

Preserve Human Inspection

The operator should be able to see what the endpoint saw, what it changed or proposed, what it refused, and what should happen next.

This is not merely observability. It is product trust.

Design For Agent Recovery

Agents need clear next moves. A good endpoint does not only fail; it returns the boundary, the reason, and the safe alternative.

Conclusion

The core product work in AI-native systems is the construction of capability boundaries. The model supplies reasoning. The interface supplies experience. But the endpoint supplies the world the model is allowed to inhabit.

Atlas made this visible. The canvas became more powerful as its endpoint surface became more specific: typed nodes, bounded mutations, persistence, fallback, limits, readiness, and constraints. The improvement was not just more intelligence. It was better endpoint construction.

That is the creation moat in operational form.

MCP consumption will keep getting easier. Tool catalogs will keep expanding. Wrappers will keep improving. But businesses will still need someone to decide what work should become callable, which authority should be withheld, which artifacts should persist, which errors should guide recovery, and which evidence proves the system behaved correctly.

That is product work.

Endpoint construction is product construction.

Transparency And Evidence Status

This paper is a living research artifact. Its core claim is currently supported by a combination of CREATE SOMETHING implementation evidence, official protocol and platform documentation, market writing about agent-callable APIs, and emerging benchmarks that test whether agents can actually discover endpoints, follow policy, and complete cross-application work.

transparency:
  claim_status: "supported"
  confidence: "medium"
  evidence_grade: "field-signal"
  last_reviewed_at: "2026-06-24"
  next_review_due: "2026-09-24"
  review_owner: "CREATE SOMETHING"
  primary_claim: "AI-native product quality is determined by the capability boundaries that models and operators can safely inhabit."
  current_read: "The strongest evidence supports endpoint construction as a product discipline, not simply an API implementation task. APIs, CLIs, and MCPs appear best understood as different projections of one capability contract: API as durable system contract, CLI as developer execution rail, and MCP as agent-facing capability membrane."
  supports:
    - "Atlas and Canvas implementation evidence: typed map objects, bounded mutations, persisted events, deterministic fallback, readiness scoring, and refusal of production actions made the product more agent-operable."
    - "MCP specification: tools, resources, and prompts define model-callable capability, application-provided context, and user-selected guidance."
    - "OpenAI Apps SDK and function-calling documentation: structured content, schemas, tool metadata, and strict structured outputs make endpoint shape visible to models and clients."
    - "Market writing on agent-callable APIs: current API-readiness discussions emphasize schemas, error semantics, auth, rate limits, and machine-actionable responses."
    - "AutomationBench: realistic cross-application workflows require endpoint discovery, policy adherence, and correct writes, and current frontier agents still struggle."
  counter_signals:
    - "More endpoints can make an agent system worse if the surface mirrors raw SaaS APIs instead of meaningful delegation points."
    - "CLIs remain better for many local developer inner-loop tasks because they are cheap, fast, familiar to models, and composable."
    - "MCP adoption does not remove the need for underlying API quality, identity, observability, and governance."
    - "Benchmarks showing low agent success rates mean endpoint construction is necessary but not sufficient for reliable autonomy."
  open_questions:
    - "Which endpoint grammar fields should become mandatory in CREATE SOMETHING delivery contracts?"
    - "When should a capability remain a CLI command instead of becoming an MCP tool?"
    - "Which evidence threshold justifies moving an endpoint from proposal-only to write-capable?"
    - "How should source freshness be rendered in the public .io paper UI?"
  source_review:
    - title: "Model Context Protocol Specification 2025-06-18"
      url_or_path: "https://modelcontextprotocol.io/specification/2025-06-18"
      source_type: "official-doc"
      supports: "MCP provides a standardized way to connect LLM applications with external data sources and tools."
      freshness: "current"
      reviewed_at: "2026-06-24"
      notes: "Use as the authority for tools, resources, prompts, and MCP control boundaries."
    - title: "Model Context Protocol: Tools"
      url_or_path: "https://modelcontextprotocol.io/specification/2025-06-18/server/tools"
      source_type: "official-doc"
      supports: "Tools expose named, schema-described capabilities that language models can invoke."
      freshness: "current"
      reviewed_at: "2026-06-24"
      notes: "Supports the claim that endpoint/tool shape is part of model action space."
    - title: "OpenAI Apps SDK Reference"
      url_or_path: "https://developers.openai.com/apps-sdk/reference"
      source_type: "official-doc"
      supports: "Tool results separate structuredContent, content, and component-only _meta data."
      freshness: "current"
      reviewed_at: "2026-06-24"
      notes: "Supports evidence and UI hydration boundaries for agent-facing products."
    - title: "OpenAI Function Calling"
      url_or_path: "https://developers.openai.com/api/docs/guides/function-calling"
      source_type: "official-doc"
      supports: "Strict mode and schemas improve reliability of model-generated function arguments."
      freshness: "current"
      reviewed_at: "2026-06-24"
      notes: "Supports schema as product affordance, not only type safety."
    - title: "Zuplo: The API Readiness Gap"
      url_or_path: "https://zuplo.com/learning-center/api-readiness-gap-agent-callable-apis"
      source_type: "market-signal"
      supports: "Agent-callable APIs need different design attention than human-developer APIs."
      freshness: "watch"
      reviewed_at: "2026-06-24"
      notes: "Useful market framing; statistics should be refreshed before sales-heavy reuse."
    - title: "AutomationBench"
      url_or_path: "https://arxiv.org/abs/2604.18934"
      source_type: "benchmark"
      supports: "Realistic agent workflows require endpoint discovery, policy adherence, and correct data writes."
      freshness: "current"
      reviewed_at: "2026-06-24"
      notes: "Important counterweight: strong endpoint construction does not by itself solve autonomy."
    - title: "Tinybird: MCP vs APIs"
      url_or_path: "https://www.tinybird.co/blog/mcp-vs-apis-when-to-use-which-for-ai-agent-development"
      source_type: "market-signal"
      supports: "MCP and APIs are complementary; MCP often wraps APIs rather than replacing them."
      freshness: "watch"
      reviewed_at: "2026-06-24"
      notes: "Supports the layered API, CLI, MCP framing."
    - title: "CircleCI: MCP vs CLI for AI-native development"
      url_or_path: "https://circleci.com/blog/mcp-vs-cli/"
      source_type: "market-signal"
      supports: "CLI and MCP fit different development loops rather than competing directly."
      freshness: "watch"
      reviewed_at: "2026-06-24"
      notes: "Use to temper MCP-first claims with inner-loop CLI pragmatism."
  update_log:
    - date: "2026-06-24"
      change: "Added living-document transparency ledger and expanded source review after comparing API, CLI, MCP, and AI-native system sentiment."
      reason: "The paper now serves as an active claim surface, not only a static thesis."

Sources

Back to all papers