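---
# Naftiko capability: HashiCorp Vault "Secrets" surface (cubbyhole and KV store).
# Layout: `consumes` declares 14 upstream Vault operations; `exposes` republishes
# each of them twice, as a REST resource (port 8080) and as an MCP tool (port 9090).
naftiko: '1.0.0-alpha2'
info:
  label: HashiCorp Vault API — Secrets
  description: 'HashiCorp Vault API — Secrets. 14 operations. Lead operation: HashiCorp Retrieve the secret at the specified location.. Self-contained Naftiko capability covering one Hashicorp business surface.'
  tags:
    - Hashicorp
    - Secrets
  created: '2026-05-19'
  modified: '2026-05-19'

# Credential binding: HASHICORP_API_KEY is bound from the `env` namespace.
# NOTE(review): nothing in this file shows how the bound value is attached to
# outgoing Vault requests; confirm against the Naftiko runtime. Every caller of
# the adapters below acts with this one credential, so scope its Vault policy
# to the minimum set of paths this capability needs.
binds:
  - namespace: env
    keys:
      HASHICORP_API_KEY: HASHICORP_API_KEY

capability:
  consumes:
    - type: http
      namespace: vault-secrets
      # NOTE(review): baseUri is empty, so the Vault address has to be filled in
      # (or supplied elsewhere) before any call can succeed. The resource paths
      # below carry no /v1 prefix, so the base presumably has to include it.
      # Use an https:// address: the responses carry secret material.
      baseUri: ''
      description: HashiCorp Vault API — Secrets business capability. Self-contained, no shared references.
      # NOTE(review): every templated path below uses {path}, but no operation
      # declares a matching input parameter and no `with:` mapping supplies it.
      # Confirm how the runtime binds {path} and whether it validates the value
      # (for example rejecting `..` segments) before building the upstream URL.
      resources:
        - name: cubbyhole-path
          path: /cubbyhole/{path}
          operations:
            - name: getcubbyholepath
              method: GET
              description: HashiCorp Retrieve the secret at the specified location.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: list
                  in: query
                  type: string
                  description: Return a list if `true`
            # NOTE(review): unlike the other POST operations in this file, this
            # one declares no `body` input, so there is no visible way to pass
            # the secret to store; confirm against the upstream definition.
            - name: postcubbyholepath
              method: POST
              description: HashiCorp Store a secret at the specified location.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deletecubbyholepath
              method: DELETE
              description: HashiCorp Deletes the secret at the specified location.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: secret-config
          path: /secret/config
          operations:
            - name: getsecretconfig
              method: GET
              description: HashiCorp Read the backend level settings.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: postsecretconfig
              method: POST
              description: HashiCorp Configure backend level settings that are applied to every key in the key-value store.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: secret-data-path
          path: /secret/data/{path}
          operations:
            # The three operations below share one description; only the HTTP
            # method tells read, write and delete apart.
            - name: getsecretdatapath
              method: GET
              description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: postsecretdatapath
              method: POST
              description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
            - name: deletesecretdatapath
              method: DELETE
              description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: secret-delete-path
          path: /secret/delete/{path}
          operations:
            - name: postsecretdeletepath
              method: POST
              description: HashiCorp Marks one or more versions as deleted in the KV store.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: secret-destroy-path
          path: /secret/destroy/{path}
          operations:
            - name: postsecretdestroypath
              method: POST
              description: HashiCorp Permanently removes one or more versions in the KV store
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: secret-metadata-path
          path: /secret/metadata/{path}
          operations:
            # All three operations carry the description "Configures settings",
            # including the GET; only the method distinguishes them.
            - name: getsecretmetadatapath
              method: GET
              description: HashiCorp Configures settings for the KV store
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: list
                  in: query
                  type: string
                  description: Return a list if `true`
            - name: postsecretmetadatapath
              method: POST
              description: HashiCorp Configures settings for the KV store
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
            - name: deletesecretmetadatapath
              method: DELETE
              description: HashiCorp Configures settings for the KV store
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: secret-undelete-path
          path: /secret/undelete/{path}
          operations:
            - name: postsecretundeletepath
              method: POST
              description: HashiCorp Undeletes one or more versions from the KV store.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false

  # NOTE(review): neither adapter below shows any authentication or
  # authorization setting. As written, any client that can reach port 8080 or
  # 9090 can read, write and delete secrets with the privileges of the bound
  # Vault credential. Keep the listeners on loopback or behind an
  # authenticating proxy / network policy, and log calls per caller.
  exposes:
    - type: rest
      namespace: vault-secrets-rest
      port: 8080
      description: REST adapter for HashiCorp Vault API — Secrets. One Spectral-compliant resource per consumed operation, prefixed with /v1.
      resources:
        - path: /v1/cubbyhole/{path}
          name: cubbyhole-path
          description: REST surface for cubbyhole-path.
          operations:
            - method: GET
              name: getcubbyholepath
              description: HashiCorp Retrieve the secret at the specified location.
              call: vault-secrets.getcubbyholepath
              with:
                list: rest.list
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postcubbyholepath
              description: HashiCorp Store a secret at the specified location.
              call: vault-secrets.postcubbyholepath
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deletecubbyholepath
              description: HashiCorp Deletes the secret at the specified location.
              call: vault-secrets.deletecubbyholepath
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/secret/config
          name: secret-config
          description: REST surface for secret-config.
          operations:
            - method: GET
              name: getsecretconfig
              description: HashiCorp Read the backend level settings.
              call: vault-secrets.getsecretconfig
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postsecretconfig
              description: HashiCorp Configure backend level settings that are applied to every key in the key-value store.
              call: vault-secrets.postsecretconfig
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/secret/data/{path}
          name: secret-data-path
          description: REST surface for secret-data-path.
          operations:
            - method: GET
              name: getsecretdatapath
              description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
              call: vault-secrets.getsecretdatapath
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postsecretdatapath
              description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
              call: vault-secrets.postsecretdatapath
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deletesecretdatapath
              description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
              call: vault-secrets.deletesecretdatapath
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/secret/delete/{path}
          name: secret-delete-path
          description: REST surface for secret-delete-path.
          operations:
            - method: POST
              name: postsecretdeletepath
              description: HashiCorp Marks one or more versions as deleted in the KV store.
              call: vault-secrets.postsecretdeletepath
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/secret/destroy/{path}
          name: secret-destroy-path
          description: REST surface for secret-destroy-path.
          operations:
            - method: POST
              name: postsecretdestroypath
              description: HashiCorp Permanently removes one or more versions in the KV store
              call: vault-secrets.postsecretdestroypath
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/secret/metadata/{path}
          name: secret-metadata-path
          description: REST surface for secret-metadata-path.
          operations:
            - method: GET
              name: getsecretmetadatapath
              description: HashiCorp Configures settings for the KV store
              call: vault-secrets.getsecretmetadatapath
              with:
                list: rest.list
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postsecretmetadatapath
              description: HashiCorp Configures settings for the KV store
              call: vault-secrets.postsecretmetadatapath
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deletesecretmetadatapath
              description: HashiCorp Configures settings for the KV store
              call: vault-secrets.deletesecretmetadatapath
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/secret/undelete/{path}
          name: secret-undelete-path
          description: REST surface for secret-undelete-path.
          operations:
            - method: POST
              name: postsecretundeletepath
              description: HashiCorp Undeletes one or more versions from the KV store.
              call: vault-secrets.postsecretundeletepath
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      namespace: vault-secrets-mcp
      port: 9090
      transport: http
      description: MCP adapter for HashiCorp Vault API — Secrets. One tool per consumed operation, routed inline through this capability's consumes block.
      # The `hints` on each tool are what an MCP client has to go on when
      # deciding whether to ask for confirmation, so they must match what the
      # upstream call really does. Several tools below also share a description
      # or differ only by a numeric suffix, which leaves a model-driven client
      # little to tell a read from a delete; treat the hints as the
      # authoritative signal and keep them accurate.
      tools:
        - name: hashicorp-retrieve-secret-specified-location
          description: HashiCorp Retrieve the secret at the specified location.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-secrets.getcubbyholepath
          with:
            list: tools.list
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-store-secret-specified-location
          description: HashiCorp Store a secret at the specified location.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-secrets.postcubbyholepath
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-deletes-secret-specified-location
          description: HashiCorp Deletes the secret at the specified location.
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: vault-secrets.deletecubbyholepath
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-read-backend-level-settings
          description: HashiCorp Read the backend level settings.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-secrets.getsecretconfig
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-configure-backend-level-settings
          description: HashiCorp Configure backend level settings that are applied to every key in the key-value store.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-secrets.postsecretconfig
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        # The next three tools (GET / POST / DELETE on secret/data) have the
        # same description and near-identical names; the `call` target and the
        # hints are the only things that separate them.
        - name: hashicorp-write-patch-read-and
          description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-secrets.getsecretdatapath
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-write-patch-read-and-2
          description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-secrets.postsecretdatapath
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-write-patch-read-and-3
          description: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store.
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: vault-secrets.deletesecretdatapath
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-marks-one-more-versions
          description: HashiCorp Marks one or more versions as deleted in the KV store.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-secrets.postsecretdeletepath
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-permanently-removes-one-more
          description: HashiCorp Permanently removes one or more versions in the KV store
          hints:
            readOnly: false
            # Was `false`. This tool permanently removes secret versions, so it
            # is flagged destructive like the DELETE tools in this list.
            destructive: true
            idempotent: false
          call: vault-secrets.postsecretdestroypath
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        # The next three tools (GET / POST / DELETE on secret/metadata) all say
        # "Configures settings", including the read-only GET.
        - name: hashicorp-configures-settings-kv-store
          description: HashiCorp Configures settings for the KV store
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-secrets.getsecretmetadatapath
          with:
            list: tools.list
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-configures-settings-kv-store-2
          description: HashiCorp Configures settings for the KV store
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-secrets.postsecretmetadatapath
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-configures-settings-kv-store-3
          description: HashiCorp Configures settings for the KV store
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: vault-secrets.deletesecretmetadatapath
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-undeletes-one-more-versions
          description: HashiCorp Undeletes one or more versions from the KV store.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-secrets.postsecretundeletepath
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.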