naftiko: 1.0.0-alpha2
info:
  title: Naftiko Secure Capability Reference
  description: A reference capability demonstrating the Naftiko secure-capability pattern — secrets via Vault, mTLS to upstreams, audit on every call.
  tags: [Naftiko, Secure, Reference]
  created: '2026-05-01'
  modified: '2026-05-04'
binds:
- namespace: vault-env
  keys: {VAULT_HOST: VAULT_HOST, VAULT_TOKEN: VAULT_TOKEN}
capability:
  consumes:
  - namespace: vault
    type: http
    baseUri: https://{{VAULT_HOST}}
    authentication: {type: bearer, token: '{{VAULT_TOKEN}}'}
    resources:
    - name: secret
      path: '/v1/secret/data/{{path}}'
      operations:
      - {name: get-secret, method: GET, inputParameters: [{name: path, in: path}]}
    - {name: lease, path: /v1/sys/leases/lookup, operations: [{name: lookup-lease, method: POST}]}
  exposes:
  - type: rest
    address: 0.0.0.0
    port: 8080
    namespace: naftiko-secure-capability-reference-rest
    description: REST surface for the secure-capability reference.
    resources:
    - {name: secret, path: '/secrets/{{path}}', operations: [{method: GET, name: get-secret, inputParameters: [{name: path, in: path, type: string}], call: vault.get-secret}]}
  - type: mcp
    address: 0.0.0.0
    port: 3010
    namespace: naftiko-secure-capability-reference-mcp
    description: MCP for secure-capability reference.
    tools:
    - name: get-secret
      hints: {readOnly: true}
      inputParameters: [{name: path, type: string, required: true}]
      call: vault.get-secret
  - type: skill
    address: 0.0.0.0
    port: 3011
    namespace: naftiko-secure-capability-reference-skills
    description: Skill for secure-capability reference.
    skills:
    - name: naftiko-secure-capability-reference
      description: Secure-capability reference.
      location: file:///opt/naftiko/skills/naftiko-secure-capability-reference
      allowed-tools: get-secret
      tools:
      - {name: get-secret, from: {sourceNamespace: naftiko-secure-capability-reference-mcp, action: get-secret}}