naftiko: 1.0.0-alpha2 info: label: Azure Key Vault Data Plane API — Keys description: 'Azure Key Vault Data Plane API — Keys. 11 operations. Lead operation: Azure Key Vault List Keys. Self-contained Naftiko capability covering one Azure Key Vault business surface.' tags: - Azure Key Vault - Keys created: '2026-05-19' modified: '2026-05-19' binds: - namespace: env keys: AZURE_KEY_VAULT_API_KEY: AZURE_KEY_VAULT_API_KEY capability: consumes: - type: http namespace: data-plane-keys baseUri: https://{vaultName}.vault.azure.net description: Azure Key Vault Data Plane API — Keys business capability. Self-contained, no shared references. resources: - name: keys path: /keys operations: - name: keysgetkeys method: GET description: Azure Key Vault List Keys outputRawFormat: json outputParameters: - name: result type: object value: $. - name: keys-key-name path: /keys/{key-name} operations: - name: keysdeletekey method: DELETE description: Azure Key Vault Delete Key outputRawFormat: json outputParameters: - name: result type: object value: $. - name: keys-key-name-create path: /keys/{key-name}/create operations: - name: keyscreatekey method: POST description: Azure Key Vault Create Key outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: keys-key-name-key-version path: /keys/{key-name}/{key-version} operations: - name: keysgetkey method: GET description: Azure Key Vault Get Key outputRawFormat: json outputParameters: - name: result type: object value: $. - name: keysupdatekey method: PATCH description: Azure Key Vault Update Key outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: keys-key-name-key-version-decrypt path: /keys/{key-name}/{key-version}/decrypt operations: - name: keysdecrypt method: POST description: Azure Key Vault Decrypt outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: keys-key-name-key-version-encrypt path: /keys/{key-name}/{key-version}/encrypt operations: - name: keysencrypt method: POST description: Azure Key Vault Encrypt outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: keys-key-name-key-version-sign path: /keys/{key-name}/{key-version}/sign operations: - name: keyssign method: POST description: Azure Key Vault Sign outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: keys-key-name-key-version-unwrapkey path: /keys/{key-name}/{key-version}/unwrapkey operations: - name: keysunwrapkey method: POST description: Azure Key Vault Unwrap Key outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: keys-key-name-key-version-verify path: /keys/{key-name}/{key-version}/verify operations: - name: keysverify method: POST description: Azure Key Vault Verify outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: keys-key-name-key-version-wrapkey path: /keys/{key-name}/{key-version}/wrapkey operations: - name: keyswrapkey method: POST description: Azure Key Vault Wrap Key outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true authentication: type: bearer token: '{{env.AZURE_KEY_VAULT_API_KEY}}' exposes: - type: rest namespace: data-plane-keys-rest port: 8080 description: REST adapter for Azure Key Vault Data Plane API — Keys. One Spectral-compliant resource per consumed operation, prefixed with /v1. resources: - path: /v1/keys name: keys description: REST surface for keys. operations: - method: GET name: keysgetkeys description: Azure Key Vault List Keys call: data-plane-keys.keysgetkeys outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name} name: keys-key-name description: REST surface for keys-key-name. operations: - method: DELETE name: keysdeletekey description: Azure Key Vault Delete Key call: data-plane-keys.keysdeletekey outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name}/create name: keys-key-name-create description: REST surface for keys-key-name-create. operations: - method: POST name: keyscreatekey description: Azure Key Vault Create Key call: data-plane-keys.keyscreatekey with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name}/{key-version} name: keys-key-name-key-version description: REST surface for keys-key-name-key-version. operations: - method: GET name: keysgetkey description: Azure Key Vault Get Key call: data-plane-keys.keysgetkey outputParameters: - type: object mapping: $. - method: PATCH name: keysupdatekey description: Azure Key Vault Update Key call: data-plane-keys.keysupdatekey with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name}/{key-version}/decrypt name: keys-key-name-key-version-decrypt description: REST surface for keys-key-name-key-version-decrypt. operations: - method: POST name: keysdecrypt description: Azure Key Vault Decrypt call: data-plane-keys.keysdecrypt with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name}/{key-version}/encrypt name: keys-key-name-key-version-encrypt description: REST surface for keys-key-name-key-version-encrypt. operations: - method: POST name: keysencrypt description: Azure Key Vault Encrypt call: data-plane-keys.keysencrypt with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name}/{key-version}/sign name: keys-key-name-key-version-sign description: REST surface for keys-key-name-key-version-sign. operations: - method: POST name: keyssign description: Azure Key Vault Sign call: data-plane-keys.keyssign with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name}/{key-version}/unwrapkey name: keys-key-name-key-version-unwrapkey description: REST surface for keys-key-name-key-version-unwrapkey. operations: - method: POST name: keysunwrapkey description: Azure Key Vault Unwrap Key call: data-plane-keys.keysunwrapkey with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name}/{key-version}/verify name: keys-key-name-key-version-verify description: REST surface for keys-key-name-key-version-verify. operations: - method: POST name: keysverify description: Azure Key Vault Verify call: data-plane-keys.keysverify with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/keys/{key-name}/{key-version}/wrapkey name: keys-key-name-key-version-wrapkey description: REST surface for keys-key-name-key-version-wrapkey. operations: - method: POST name: keyswrapkey description: Azure Key Vault Wrap Key call: data-plane-keys.keyswrapkey with: body: rest.body outputParameters: - type: object mapping: $. - type: mcp namespace: data-plane-keys-mcp port: 9090 transport: http description: MCP adapter for Azure Key Vault Data Plane API — Keys. One tool per consumed operation, routed inline through this capability's consumes block. tools: - name: azure-key-vault-list-keys description: Azure Key Vault List Keys hints: readOnly: true destructive: false idempotent: true call: data-plane-keys.keysgetkeys outputParameters: - type: object mapping: $. - name: azure-key-vault-delete-key description: Azure Key Vault Delete Key hints: readOnly: false destructive: true idempotent: true call: data-plane-keys.keysdeletekey outputParameters: - type: object mapping: $. - name: azure-key-vault-create-key description: Azure Key Vault Create Key hints: readOnly: false destructive: false idempotent: false call: data-plane-keys.keyscreatekey with: body: tools.body outputParameters: - type: object mapping: $. - name: azure-key-vault-get-key description: Azure Key Vault Get Key hints: readOnly: true destructive: false idempotent: true call: data-plane-keys.keysgetkey outputParameters: - type: object mapping: $. - name: azure-key-vault-update-key description: Azure Key Vault Update Key hints: readOnly: false destructive: false idempotent: true call: data-plane-keys.keysupdatekey with: body: tools.body outputParameters: - type: object mapping: $. - name: azure-key-vault-decrypt description: Azure Key Vault Decrypt hints: readOnly: false destructive: false idempotent: false call: data-plane-keys.keysdecrypt with: body: tools.body outputParameters: - type: object mapping: $. - name: azure-key-vault-encrypt description: Azure Key Vault Encrypt hints: readOnly: false destructive: false idempotent: false call: data-plane-keys.keysencrypt with: body: tools.body outputParameters: - type: object mapping: $. - name: azure-key-vault-sign description: Azure Key Vault Sign hints: readOnly: false destructive: false idempotent: false call: data-plane-keys.keyssign with: body: tools.body outputParameters: - type: object mapping: $. - name: azure-key-vault-unwrap-key description: Azure Key Vault Unwrap Key hints: readOnly: false destructive: false idempotent: false call: data-plane-keys.keysunwrapkey with: body: tools.body outputParameters: - type: object mapping: $. - name: azure-key-vault-verify description: Azure Key Vault Verify hints: readOnly: false destructive: false idempotent: false call: data-plane-keys.keysverify with: body: tools.body outputParameters: - type: object mapping: $. - name: azure-key-vault-wrap-key description: Azure Key Vault Wrap Key hints: readOnly: false destructive: false idempotent: false call: data-plane-keys.keyswrapkey with: body: tools.body outputParameters: - type: object mapping: $.