Tuesday, November 11, 2025
Digital Co-Worker or Genius?

Why the future of enterprise AI belongs to the secure “Glass Box” and not the expensive “Black Box”.

For over a decade, Code On Time has been the fastest way to build secure, database-driven applications for humans. The industry calls this Rapid Application Development (RAD). But recently, we realized that the rigorous, metadata-driven architecture we built for humans is also the perfect foundation for something much more powerful.

Today, we are announcing a shift in our vision. We are not just building interfaces for people anymore. We are evolving from a RAD tool for web apps into a RAD for the Digital Workforce. The same blueprints that drive your user interface are now the key to unlocking the next generation of autonomous, secure Artificial Intelligence.

The Digital Co-Worker (The "Glass Box")

Imagine an app that looks like ChatGPT. This app executes every prompt as if it were operating the "invisible UI" of your own database. Just like a human user, it inspects the menu options, selects data items, presses buttons, and makes notes as it goes. Then it reports back by arranging the notes into an easy-to-understand summary.

This is possible because a developer has designed the app with a real UI for your database. Both the Digital "Co-Worker" and the human UI are built from the exact same "blueprints" (called data controllers). These blueprints define the data, actions, and business logic for your application. When a user logs in (using their organization's existing security), the AI "digital employee" inherits that user's exact identity, meaning it sees only what the user sees and can only perform the actions available to the user.

The AI "navigates" a system that has already been "security-trimmed" by user roles and simple, declarative SQL-based rules. This means if you aren't allowed to see "Salary" data, the AI is never shown the "Salary" option; it doesn't exist for that session. A "heartbeat" process allows these tasks to run 24/7, and the AI's "notes" (its step-by-step log) form a complete, append-only audit trail of every decision it has made.

The Genius (The "Black Box")

Imagine another app that also looks like ChatGPT. To understand your database, this app employs a powerful, sophisticated AI model as its "brain". It operates by first consulting a comprehensive "manifest" - a detailed catalog of every "tool" and data entity it can access. This allows the AI to have a full, upfront understanding of its capabilities, so when you submit a prompt, it can process this entire catalog to create a complete, multi-step plan in a single "one-shot" operation.

This architecture is often built as a flexible, component-based system, which involves deploying several specialized services: one for the chat UI, another for the AI's "brain" (the orchestrator), and a dedicated "server" for each tool. Security is an explicit and granular consideration, requiring careful, deliberate configuration. Each tool-server's permissions must be managed, and the AI "brain" is trusted to orchestrate these tools correctly. This design allows for fine-tuning access (like "read/write all customer data") but means that security and prompt-based access must be actively managed and secured.

This "one-shot" planning model has a clear cost structure: the primary charge is for the single, complex "planning" call to the sophisticated "brain" model, which is required for every prompt. The success of the entire operation relies on the quality of this initial plan. If the plan contains an error (for example, incorrect database filter syntax), the operation may not complete as intended, and the cost of the "planning" call is incurred regardless. This model prioritizes a powerful, upfront planning phase and depends on the AI's reasoning being correct the first time.

How to Choose: The Auditable Co-Worker or the "Black Box" Genius

Your choice between the "Digital Co-Worker" and the "Genius" architecture is a strategic decision about what you value most: trust and durability, or raw, unconstrained reasoning. The "Digital Co-Worker," built on the CoT framework, is an "invisible UI" operator. Its primary strength is its security-by-design. Because it inherits the user's exact, security-trimmed permissions, it cannot access data or perform actions that the user isn't allowed to. It operates within a "fenced-in yard" defined by your business rules. That fence bounds the blast radius of a bad plan; it does not make every permitted action the right one, which is why the step-by-step log matters. This makes it the auditable solution for real-world workflows that require a quick response or need to run reliably for days or even months.

The "Genius" model, built on LLM+MCP, is a "one-shot" planner. Its primary strength is its power to reason over a massive, pre-defined database "map". It's designed for highly complex, one-time questions where the "planning" is the hardest part. This power comes at the cost of security and predictability; you are trusting a "black box" with a full set of tools, and its complex plans can be brittle, expensive, and difficult to audit. This model is best suited for scenarios where the sheer "intelligence" of the answer is more important than the security and durability of the process.

For a business, the choice is clear. The "Digital Co-Worker" is a platform you can build your entire company on. This is where it has a huge advantage: it can operate with a smart model for deep reasoning, but it also works perfectly with a fast, lightweight, and cheap model for 99% of tasks. The "Genius" model, by contrast, requires the most expensive model just to parse its complex manifest. Furthermore, the "Genius" model requires a massive upfront investment, potentially costing hundreds of thousands of dollars in custom development, integration, and security engineering before the first prompt is ever entered. The "Digital Co-Worker" platform, with its "BYOK" model and 100 free digital co-workers, makes it a risk-free, frictionless way to adopt a true workforce multiplier.

The Digital Co-Worker is Not a Chatbot

It is easy to mistake the "Digital Co-Worker" for a chatbot because they both speak your language. However, the difference is fundamental. As industry experts note, standard chatbots are "all talk and no action." They are engines of prediction, trained to guess the next word in a sentence based on frozen knowledge from the past. They can summarize a meeting or write a poem, but they are fundamentally passive observers that cannot touch your business operations.

The Digital Co-Worker is different because it is agentic. It is defined not by what it says, but by its ability to take actions autonomously on a person's behalf. When you give a chatbot a task, it tells you how to do it. When you give a Digital Co-Worker a task, it does it. It acts as an "autonomous teammate," capable of breaking down a high-level goal (like "review all pending orders and expedite shipping for anything delayed by more than two days") into a series of concrete steps and executing them without needing you to hold its hand.

This distinction changes the return on investment entirely. A chatbot is a tool for drafting text; a Digital Co-Worker is a tool for finishing jobs. It doesn't just help you draft an email to a client; it finds the client in the database, checks their order status, drafts the response, and with your permission, sends it. It moves beyond conversation into orchestration, bridging the gap between your intent and the complex reality of your database transactions.

The Co-Worker's "Glass Box": A Look Inside the HATEOAS State Machine

The "AI Co-Worker" operates by acting as a "digital human," using the application's REST Level 3 (HATEOAS) API as its "invisible UI." The entire process is driven by a built-in State Machine (SM). When a prompt is submitted, the SM's "heartbeat" processor wakes up. Its only "worldview" is the HATEOAS API response. It uses a fast, lightweight LLM (like Gemini Flash) to read the _links (the "buttons") and hints (the "tooltips") to decide the next logical step. As it works, it "makes notes" in its state_array, which serves as both its "memory" and an append-only audit log. This is also how it self-corrects: if an API call fails, the API returns the error together with the _schema, which becomes just the next "note" in the log, allowing the AI to build a correct query in the next iteration.

This "glass box" model is secure by construction. The HATEOAS API is not a static catalog; it is "security-trimmed" by the server before the AI ever sees it. The app's engine uses declarative rules (like SACR) to filter the data and remove links to any actions the user isn't allowed to perform. If you don't have permission to "Approve" an order, the Digital Co-Worker will not see an "approve" link. The guardrails are not a suggestion; they are an architectural-level boundary enforced on the server, so the AI cannot reach beyond the user's own permissions. The trimmed link list is what the model sees; the server-side authorization check on each request is what actually holds the line, and a request for an action that was never offered is rejected there as well.

This architecture also enables true, durable autonomy. The "heartbeat" that runs the SM is designed to handle tasks that last for months. A user can "pause" or "resume" an agent simply by issuing a new prompt, as the AI can see and follow the pause link on its own "task" resource. Because the AI can also discover links to create new prompts (e.g., rel: "create_new_prompt" in the menu), a "smart" agent can decompose a complex prompt ("review 500 contracts") into 500 "child" tasks, which the heartbeat then patiently executes in parallel.
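As an added example (not Code On Time code), the following Node.js sketch shows the loop described above against a constructed, security-trimmed back end. The resource shape, the link names, the toy filter grammar, the roles and the in-memory orders are all assumptions made for illustration, and the deterministic planning step stands in for the lightweight LLM. It shows the three properties the text relies on: the agent only follows links the server emitted for its identity (the "Salary" and "approve" trimming from the earlier sections), a bad filter comes back as an error carrying _schema that the next step uses to correct itself, and every step is appended to a log that is both the agent's memory and its audit trail. It also shows why the server-side check, not the trimmed link list, is the actual control.

```javascript
'use strict';

// Added illustration, not Code On Time code. Shapes, link names, filter
// grammar, roles and data are constructed for this example.

// ---- Constructed back end standing in for the app's RESTful engine ---------
function makeBackend() {
  const orders = [                       // constructed sample data
    { id: 1, customer: 'Acme',    status: 'Pending' },
    { id: 2, customer: 'Globex',  status: 'Shipped' },
    { id: 3, customer: 'Initech', status: 'Pending' },
  ];

  // Security trimming: links are emitted per identity. A role that may not
  // approve is never shown an "approve" link at all.
  const orderResource = (o, identity) => {
    const _links = { self: { href: `/orders/${o.id}` } };
    if (o.status === 'Pending' && identity.roles.includes('Approver')) {
      _links.approve = { href: `/orders/${o.id}/approve`, method: 'POST' };
    }
    return { ...o, _links };
  };

  // Toy filter grammar (assumption): field eq 'value'. A malformed filter is
  // answered with an error that carries the schema, so the caller can
  // self-correct instead of guessing.
  return function serve(identity, req) {
    if (req.href === '/orders') {
      const m = /^(\w+) eq '([^']*)'$/.exec(req.filter || '');
      if (req.filter && !m) {
        return { error: 'Invalid filter syntax',
                 _schema: { filter: "field eq 'value'", fields: ['id', 'customer', 'status'] } };
      }
      const rows = orders.filter(o => !m || String(o[m[1]]) === m[2]);
      return { items: rows.map(o => orderResource(o, identity)), _links: { self: { href: '/orders' } } };
    }
    const a = /^\/orders\/(\d+)\/approve$/.exec(req.href);
    if (a && req.method === 'POST') {
      // The trimmed link list is a view; this check is the control. A client
      // that forges the URL is still refused here.
      if (!identity.roles.includes('Approver')) return { error: 'Forbidden' };
      const o = orders.find(x => x.id === Number(a[1]));
      o.status = 'Approved';
      return orderResource(o, identity);
    }
    return { error: 'Not found' };
  };
}

// ---- The co-worker loop ------------------------------------------------------
// Goal: approve every pending order this identity is allowed to approve.
// `maxSteps` bounds the heartbeat so a confused plan cannot spin forever.
function runAgent(identity, backend, maxSteps = 20) {
  const log = [];                                     // append-only notes
  const note = (entry) => log.push(Object.freeze({ step: log.length + 1, ...entry }));
  const approved = [];

  // First attempt deliberately guesses the filter syntax wrong, to exercise the
  // error -> _schema -> corrected request path described in the text.
  let request = { href: '/orders', filter: "status = 'Pending'" };

  for (let i = 0; i < maxSteps && request; i++) {
    const response = backend(identity, request);
    note({ request, response });                      // the response is the only worldview

    if (response.error) {
      if (!response._schema) { note({ decision: 'error without schema; stopping' }); break; }
      // The LLM would read _schema.filter here; the deterministic stand-in applies it.
      request = { href: '/orders', filter: "status eq 'Pending'" };
    } else if (response.items) {
      const target = response.items.find(o => o._links.approve);   // only offered links
      if (!target) { note({ decision: 'no approve link offered to this identity; done' }); break; }
      request = target._links.approve;
    } else if (response.status === 'Approved') {
      approved.push(response.id);
      request = { href: '/orders', filter: "status eq 'Pending'" };  // re-read, do not assume
    } else {
      request = null;
    }
  }
  return { approved, log };
}

// A client that ignores the link list and forges the URL is refused by the
// server-side check, which is the actual control.
function forgeApprove(identity, backend, id) {
  return backend(identity, { href: `/orders/${id}/approve`, method: 'POST' });
}
```

Run `runAgent({ user: 'alice', roles: ['Approver'] }, makeBackend())` and the returned log reads as the audit trail: the rejected filter with its schema, the corrected listing, one approval per offered link, and a final note that nothing else was offered. The same call with a `Clerk` identity never issues a POST, because no `approve` link ever reached it, and `forgeApprove` shows that bypassing the link list gets `Forbidden` from the server anyway.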

Beyond the Database: The Universal Interface

The power of the Digital Co-Worker extends far beyond the SQL database. The same "blueprints" (data controllers) that define your customer tables can also define "API Entities" (virtual tables that connect to external systems like SharePoint, Google Drive, or third-party CRMs).

To the AI, these external sources look exactly like the rest of the "invisible UI." It doesn't need to learn a new API, manage complex keys, or navigate different security protocols. It simply follows a link to "Documents" or "Spreadsheets" in its menu, and the application's engine handles the complex connection logic behind the scenes, presenting the external data as just another set of rows and actions.

This addresses one of the hardest problems in enterprise AI: secure access to unstructured data. Just like with the database, the system applies declarative security rules to these external sources. If a user is only allowed to see SharePoint files they created, the Digital Co-Worker will only discover those specific files. It enables a secure, federated search and action capability (allowing the AI to "read" a contract PDF and "update" a database record in one smooth motion) without ever exposing the organization's entire document repository to a "black box."

The Future is Built-In: Rapid Agent Development

The age of the expensive, brittle "Genius" AI is ending. The age of the secure, durable "Digital Co-Worker" has arrived. We believe that building a Digital Workforce shouldn't require a team of data scientists and six months of integration; it should be a standard feature of your application platform.

In our upcoming releases, we are delivering the tools to make this a reality. By simply building your application as you always have, you will be simultaneously architecting the secure, HATEOAS-driven environment where your Digital Co-Workers will live and work, powered by the Axiom Engine. Your database is ready to talk. Stay tuned for our updated roadmap - the workforce is coming under the full control and permission of the human user.

Labels: AI, RESTful
Monday, August 7, 2023
Browser-Based Installer in App Studio

Code On Time release 8.9.30.0 moves the installation of the code generation library from the Windows-based executable to the browser-based App Studio. The studio homepage performs the check for updates when Code On Time starts on the developer’s workstation. The code generation library files are downloaded automatically. Developers are prompted to install the update when the new product releases become available.

Learn about the new Installer in the App Studio.

The App Studio home page displays a prompt when a new product update is available. Developers can opt to continue using the current version of Code On Time or proceed with the installation.

App Studio offers the new option to generate the HTML template for the active form. Select the “more” menu in the top toolbar of the App Studio and choose the Form Template command. You will see a prompt to save the HTML file with the corresponding form layout. The layout will be configured to render when the window matches the width of the selected device. Make sure to choose the right device and experiment with device orientation.


The Form Template command will create the form layout for the active form or survey. The prompt to save the HTML file will appear when the command is selected while a form is the top-most view in the app.

The following features and enhancements are included in the release:

  • (App Studio) The 'Form Template' command in the studio context menu will create an HTML file with the template of the active form.
  • (Touch UI) The radio button list and checkbox list with horizontal scrolling and cascading dependency on another field will not cause the fields below to shift while the values are fetched in response to the changed parent field.
  • (App Gen) A tap on the product activation code will send the default browser to https://my.codeontime.com with "studio parameters". Developers must sign in with their credentials to activate the product.
  • (App Gen) Up to 10 attempts to access the started app are performed before the default browser is launched at the app URL. This eliminates the “site not found” error displayed by the browsers while the app is being configured for the first time to run with Microsoft IIS Express.
  • (App Gen) The news feed has been removed from the start page of the app generator. The newsfeed is now displayed in the App Studio application that will be launched when Code On Time is started on the workstation.
  • (App Gen) The news feed area provides the links to the v9 roadmap.
  • (App Gen) The installation of the code generation library is now performed by the App Studio application. The app generator will hide when the installation of the code generation library and product updates are performed. The app generator will reappear when the updates are completed.
  • (Touch UI) Content pages preserve the scroll top with the new $app.touch.contentScrollTip('save|restore') API.
  • (Touch UI) Notification toasts appear above the active progress screen.
  • (Touch UI) The width of the progress text depends on the view port of the device.
  • (RESTful) Binary parameter values can be specified in a multipart/form-data payload in the custom actions of the RESTful API. The name of the parameter is specified as "parameters.PARAM_NAME". The value of the parameter is set to file://request/FILE_NAME by the RESTful API Engine, where FILE_NAME is the name of the uploaded file. Custom business rules can fetch the binary value from HttpContext.Current.Request.Files by using the value of FILE_NAME as the file index.
  • (RESTful) An improved detection of the invalid link name specified in the 'hypermedia' option.
  • (RESTful) The action ID specified in the path with the POST method will trigger the action identification on collections.
  • (RESTful) The arguments in the path are validated against the primary key fields if the target is the singleton object.
  • (Touch UI) The "cancel" icon on the form toolbar will call the _cancelCallback property of the dataview if specified. Otherwise the navigation will return one step back.
  • (App Gen) Library downloader includes the builderVersion key in the studio.json exchange file. The builder version is used to install the code generation library from App Studio.
  • (App Gen) Metadata builder now reports errors when the data provider is not able to return the requested information. Metadata builder queries the database to find information about data types, reserved words, tables, columns, relationships, etc. On rare occasions an exception may be raised if the database server is missing some configuration settings, which makes it impossible to fetch the metadata.
Our next goal is to deliver the hierarchy of the project settings directly in the live apps. The new Properties Window and Project Explorer will make it easy to configure the apps.
Monday, July 3, 2023
App Studio and SSO

App Studio

Code On Time release 8.9.29.0 introduces the first iteration of App Studio, a new integrated development environment available directly in the live apps. It delivers unparalleled productivity and transforms an individual with basic database management skills into an expert UI and API developer. Users who are not signed in are required to sign in when they run the app generator. Authenticated users will see a brief prompt when App Studio is starting locally. App Studio will become the primary user interface for the app builder starting with version 9.

View the App Studio Roadmap and delivery schedule.

Single Sign-On

Any app with the ability to execute HTTP requests can implement Single Sign-On with a Code On Time application configured for Federated Identity Management. An app created with Code On Time now has the ability to use another Code On Time application as an identity provider.

Federated Identity Management facilitates the Single Sign-On for internal and external applications.

The sign-in user experience of the “identity provider” application becomes the only way to access the protected content in an “identity consumer” app when the provider is forced as the sole login option.

GetPage / Login Loop

End users of your apps may have experienced a session hang if they signed into the app in several tabs and did not select the "Remember Me" option in the login prompt. The redirection loop happened when the access token was refreshed: the framework could use the old access token to make the requests for data. An infinite sequence of Login / GetPage or Login / Logout requests could be observed in the browser's network log while this was taking place. The problem has been resolved.

The token refresh is possible for up to seven days after the initial login unless an alternative value is specified in the membership.accountManager.refreshTokenDuration option in the ~/app/touch-settings.json configuration file. If the app is used for longer than that, users will see a prompt to sign in again. Note that offline users can continuously work with the app for up to 180 days.

Miscellaneous

The following features, enhancements, and bug fixes are included in the release:

  • (PWA) Service worker installation closes the "offline" IndexedDB database upon installation and when a blob is fetched. This prevents the occasional locking of the "offline" database when Offline Sync attempts to update it with the required data.
  • (PWA) The "offline" database is closed when the blob "GET" request is raising an error.
  • (Login) Resolved the GetPage/Login loop issue.
  • (Touch UI) The "Cancel" icon is displayed in the correct position in the filter of child data views.
  • (Framework) jQuery 3.6.4 is now included in the apps.
  • (Universal Input) Multi-line placeholders remain wrapped to the next line when the input becomes focused.
  • (Touch UI) Event panelclosed.app is raised on the document object. The canceled event property specifies whether the panel was closed without a menu item being selected.
  • (Touch UI) QR-Code input and Scanner input are using "thennable" $app.getScript when loading the corresponding 3rd-party libraries.
  • (App Gen) File restful.min.js is placed in the ~/app/js/sys folder in apps with the framework encapsulated in the Class Library. This enables correct uploading of BLOBs and signatures.
  • (Touch UI) The child DataView fields are not refreshed during transition between forms when the data fetch timeout is zero.
  • (Touch UI) The entire page is marked with 'data-form-max' attribute. Previously only the "form" inside of the page was marked with this attribute.
  • (Touch UI) Tag a "form" view with data-form-max-(xs|sm|md) to ensure that the form content will not exceed the specified logical width of 480, 576, 768, and 992 pixels when the page is wider than the specified value. The contents of the form will be centered horizontally.
  • (Touch UI) Fixed the position of the ">" icon in the group menu items of the minimized sidebar.
  • (Touch UI) Survey will not crash if both 'text' and 'text2' headers are specified and the pre-compiled survey is displayed more than once.
  • (Offline Sync) The "broken" "cloud" icon will not be displayed when the app is preparing to download the frontend.
  • (Data Aquarium) The Authorization header is not specified when the Login and Logout methods are invoked by the framework.
  • (Data Aquarium) The session-level user identity is correctly replaced when the user access token is renewed.
  • (Data Aquarium) The session-level token is removed when the user signs in with another identity and selects to have it remembered.
  • (Touch UI) Method $app.touch.notify() will force all messages by default. Previously the 'force:true' option had to be specified.
  • (App Gen) Sensitive values of Connection String and Secret Key parameters are obscured in the code generation log.
  • (App Gen) Command -Refresh will cause the app to rebuild the source code base.
  • (App Gen) The -Refresh switch will not re-create the data models if the -Session option is specified.
  • (Touch UI) Method $app.touch.show() accepts the definition of a survey as an argument. Use 'then' and 'fail' chain methods to handle the user selection. The 'then' method will have the data object representing the data values of the survey as an argument.
  • (RESTful) The "services" hypermedia is present in the RESTful API. The resource will always include the oauth2 link and an optional collection of hypermedia for the microservices.
  • (RESTful) Access tokens are validated against the AppIdentity provider if the access token is not found in the app database. This enables a microservices architecture based on multiple modular RESTful apps created with Code On Time. The cluster of modules validates the tokens with the Federated Identity Management provider app.
  • (OAuth2) Endpoint /oauth2/v2/userinfo accepts the 'auth' parameter in the body. The value must be encoded in the Basic HTTP Authorization format. If there is a client with the 'client_id' and 'client_secret' values that match the auth parameter, then the 'appidentity' key is included in the output to complement the claims of the user specified in the Authorization header of the request.
  • (OAuth2) RESTful API engine enhances the OAuth data with 'auth_remote_addr' and 'token_remote_addr' to keep track of the access token authorization and refresh requests.
  • (Touch UI) The "login" app state will force the app to navigate to the state.redirect_uri. This state is activated when an OAuth provider is detected in the ID_PROVIDER cookie and the user is not authenticated. This state will cause the anonymous user to be redirected to the identity provider.
  • (Framework) OAuth providers allow switching accounts and adding new accounts in the app by default. Previously, only the "logout" option was available.
  • (Framework) Property 'RemoteAddress' of the ApplicationServices class returns the remote address of the client.
  • (OAuth Identity Providers) The '.TOKEN' and '.PROVIDER' cookies are renamed to '.ID_TOKEN' and '.ID_PROVIDER'.
  • (OAuth) Endpoint /oauth2/v2 included the "self" hyperlink and 'issuer' key that represents the display name of the application.
  • (OAuth) The 'appidentity' claim is included in the JWT (id_token) when the 'urn:appidentity:user' is requested. The claim includes the 'username', 'email', 'roles', and 'picture' keys.
  • (OAuth) The 'aud' claim in JWT (id_token) specifies the URI of the client application.
  • (Framework) Controller MyProfile will fetch the "display name" of the identity provider if the "App Identity" authorization is supported in the app.
  • (Touch UI) The built-in login form will persist the display name of the "App Identity" provider in the local storage. The name is configured in the server-side business rule of MyProfile data controller.
  • (App Identity) App Identity provider can be registered in the CMS of the app.
  • (App Identity) The self-referring App Identity is not visible as the login option in the identity provider application.
  • (RESTful) The property BusinessRules.RESTfulResult can be used to produce the "result" key in the resource output.
  • (Framework) Method ActionResult.Add(name, value) will add an instance of a FieldValue to the result.
  • (RESTful) Related errors carry the error text in the message property. Previously the related error descriptions were specified in the description property.
  • (App Gen) The Session parameter specified in the command line as "sessionid:frequence" will create a collection of the session log entries. Used by the App Studio to display the progress.
  • (RESTful API) The "PrimaryKey" field is removed from the confirmation controller schema in the parameters of a custom action.
  • (App Gen) The "builderLocation" key is added to the studio.json file. App Studio uses its value to start Code On Time app builder in the command line mode.
  • (RESTful) The engine will not include the 'count' key in the collection resource unless the 'count=true' query parameter is specified. Previously the count was produced when the parameter was not specified. The 'count' key is included in the collection if the 'page' query parameter is specified.
  • (Framework) Property ViewPage.TotalRowCount will not cause an exception when the value is assigned to the ViewPage instance with the PageSize equal to zero.
  • (RESTful) The engine will accept the limit=0 parameter and return no data when a request to a collection is made. Previously only positive 'limit' values were allowed.
  • (RESTful) Method $app.restful performs enhanced parameter processing for hypermedia during transition. The transition properties 'query', 'body', 'files', and 'headers' can be specified as object properties in the options. The name of the object must match the transition segment, e.g. 'customers >>'.
  • (RESTful) Method $app.restful will use the 'transit' link in the current object during the hypermedia transition. Otherwise the 'self' link is used to figure out the next request.
  • (RESTful) Filtering is supported on the data controllers based on "code" business rules.
  • (RESTful) Fixed business rules processing with the RESTful API when the data controller is based on "code" business rules. Previously only the GET operations were possible. The framework attempted to open a non-existing database connection for the custom data controllers.
  • (Framework) App "id" is embedded as 'appStudio/self/id' in the __settings variable.
  • (App Gen) The -Develop command line switch will start Visual Studio with project source code loaded.
  • (Framework) NUglify is used to compress the primary set of JS files.
  • (Framework) The appstudio.json file is located above the ~/app folder.
  • (CMS) The standard JavaScript business rules are removed from the definition of the SiteContent data controller. The rules are migrated to the ~/js/surveys/cms/site-content.js.
  • (Data Aquarium) Method $app.getScript returns an instance of the Promise object.
  • (Data Aquarium) The map of controllers with custom JavaScript business rules is specified in $app.getScript.controllers key. The framework will automatically load the rules when the data is selected via GetPage method.
  • (Data Aquarium) Definition of $app.cms is externalized to ~\app\js\surveys\cms\site-content.js.
  • (Data Aquarium) Implementation of $app.survey is moved from ~/app/js/daf/daf.js to ~/app/js/daf/daf-survey.js.
  • (Touch UI) Fixed the vertical alignment of the "check mark" in the checkboxes.
  • (Bootstrap) Vertical alignment of material icons matches the vertical alignment of display flow.
  • (Display Flow) Fixed icon positioning in display flow headers.