naftiko: "1.0.0-alpha2"

info:
  label: "RubyGems.org Registry API — OIDC"
  description: >-
    OIDC surface — OIDC. 1 operation. Lead operation: Exchange OIDC Token For Trusted Publishing API Key.
    Self-contained Naftiko capability covering one RubyGems business surface.
  tags:
    - RubyGems
    - Registry
    - OIDC
    - Trusted Publishing
  created: "2026-05-23"
  modified: "2026-05-23"

binds:
  - namespace: env
    keys:
      CI_OIDC_TOKEN: CI_OIDC_TOKEN

capability:

  consumes:
    - type: http
      namespace: "rubygems-registry-oidc"
      baseUri: "https://rubygems.org"
      description: "RubyGems.org Registry — OIDC trusted-publishing surface. Self-contained, no shared references."
      resources:
        - name: "assume-role"
          path: "/api/v1/oidc/api_key_role/{token}/assume_role"
          operations:
            - name: "assumeOidcRole"
              method: POST
              description: "Exchange a CI OIDC token for a short-lived RubyGems API key."
              inputParameters:
                - name: "token"
                  in: path
                  type: string
                  required: true
                  description: "Trusted-publishing role token identifier."
                - name: "body"
                  in: body
                  type: object
                  required: true
                  description: "JSON body containing the CI-provided jwt."
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: "$."

  exposes:
    - type: rest
      namespace: "rubygems-registry-oidc-rest"
      port: 8080
      description: "REST adapter for RubyGems.org Registry — OIDC trusted publishing."
      resources:
        - path: "/v1/oidc/api-key-role/{token}/assume-role"
          name: "assume-role"
          description: "REST surface for exchanging a CI OIDC token for a scoped RubyGems API key."
          operations:
            - method: POST
              name: "assumeOidcRole"
              description: "Exchange a CI OIDC token for a short-lived RubyGems API key."
              call: "rubygems-registry-oidc.assumeOidcRole"
              with:
                token: "rest.token"
                body: "rest.body"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      namespace: "rubygems-registry-oidc-mcp"
      port: 9090
      transport: http
      description: "MCP adapter for RubyGems.org Registry — OIDC trusted publishing."
      tools:
        - name: "assume-oidc-role"
          description: "Exchange a CI OIDC token for a short-lived RubyGems API key."
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: "rubygems-registry-oidc.assumeOidcRole"
          with:
            token: "tools.token"
            body: "tools.body"
          outputParameters:
            - type: object
              mapping: "$."