version: "0.1"
name: account-breach-triage
description: |
  Workflow capability that takes an email address, returns a structured triage record
  combining breaches, pastes, and stealer log exposure. Designed for incident response
  and user-facing breach dashboards.
inputs:
  - name: email
    type: string
    format: email
    required: true
  - name: include_unverified
    type: boolean
    default: false
steps:
  - id: lookup-breaches
    capability: hibp.account.breaches
    with:
      account: "{{ email }}"
      truncateResponse: false
      IncludeUnverified: "{{ include_unverified }}"
  - id: lookup-pastes
    capability: hibp.paste.account
    with:
      account: "{{ email }}"
  - id: lookup-stealer-logs
    capability: hibp.stealerlogs.byEmail
    with:
      email: "{{ email }}"
    on_error: continue
outputs:
  - name: email
    value: "{{ email }}"
  - name: breaches
    value: "{{ steps.lookup-breaches.body }}"
  - name: pastes
    value: "{{ steps.lookup-pastes.body }}"
  - name: stealer_log_domains
    value: "{{ steps.lookup-stealer-logs.body }}"
  - name: severity
    value: "{{ length(steps.lookup-breaches.body) + length(steps.lookup-pastes.body) }}"