# Naftiko capability spec: one upstream SSH key-management HTTP API (`consumes`)
# re-exposed as a REST API on port 8080 and as an MCP tool server on port 9090
# (`exposes`). Every exposed operation delegates to a consumed operation via
# `call: ssh-key-management.<operation>`; nothing in this file implements
# key handling itself.
naftiko: 1.0.0-alpha2
info:
  label: SSH Key Management
  description: Unified workflow capability for SSH key lifecycle management, certificate authority operations, and access control. Enables security and infrastructure teams to manage SSH keys, sign short-lived certificates, control user access via authorized_keys, and maintain known_hosts integrity.
  tags:
    - SSH
    - Key Management
    - Certificate Authority
    - Access Control
    - Security
    - Infrastructure
  # Dates are quoted so they stay strings rather than becoming date objects.
  created: '2026-05-02'
  modified: '2026-05-06'
# The only secret this file needs is read from the environment at runtime.
# Keep it as a bind; never replace it with a literal token in this file.
binds:
  - namespace: env
    keys:
      # bind name -> environment variable name
      SSH_MGMT_API_TOKEN: SSH_MGMT_API_TOKEN
capability:
  consumes:
    - type: http
      namespace: ssh-key-management
      baseUri: https://api.openssh.example.com/v1
      description: SSH Key Management REST API
      # Upstream bearer token resolved from the env bind above.
      authentication:
        type: bearer
        token: '{{SSH_MGMT_API_TOKEN}}'
      resources:
        - name: keys
          path: /keys
          description: SSH key registration and management
          operations:
            - name: list-keys
              method: GET
              description: List registered SSH keys
              # Optional query filters; both are passed through unchanged.
              inputParameters:
                - name: userId
                  in: query
                  type: string
                  required: false
                - name: keyType
                  in: query
                  type: string
                  required: false
              outputRawFormat: json
              # `$.` = JSONPath root: the whole upstream response is returned.
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: add-key
              method: POST
              description: Register a new SSH public key
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              # NOTE(review): the body is bound straight to the MCP `tools.*`
              # scope instead of to declared inputParameters. The REST expose of
              # add-key below carries no `with:` mapping, so over REST there is
              # no visible source for publicKey/comment — confirm how the runtime
              # resolves these when the caller is not an MCP tool.
              body:
                type: json
                data:
                  publicKey: '{{tools.publicKey}}'
                  comment: '{{tools.comment}}'
        - name: generate-key-pair
          path: /keys/generate
          description: SSH key pair generation
          operations:
            - name: generate-key-pair
              method: POST
              description: Generate a new SSH key pair
              outputRawFormat: json
              # NOTE(review): `$.` forwards the entire upstream response. If that
              # response contains the generated private key, it is returned
              # verbatim to REST and MCP callers (and into MCP client logs/
              # context); consider a narrower mapping that excludes it.
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: key-by-id
          # {keyId} is substituted from the path parameter below. Assumes the
          # runtime URL-encodes path values before substitution — TODO confirm.
          path: /keys/{keyId}
          description: Individual key management
          operations:
            - name: get-key
              method: GET
              description: Get SSH key details
              inputParameters:
                - name: keyId
                  in: path
                  type: string
                  required: true
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: delete-key
              method: DELETE
              description: Delete an SSH key
              inputParameters:
                - name: keyId
                  in: path
                  type: string
                  required: true
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: certificates
          path: /certificates
          description: SSH certificate authority operations
          operations:
            - name: sign-certificate
              method: POST
              description: Sign an SSH public key to create a certificate
              # NOTE(review): no inputParameters and no body are declared, so as
              # written nothing (public key, principals, validity period) is sent
              # to the CA. Confirm the runtime supplies a request body implicitly;
              # otherwise the signing inputs must be declared here so they can be
              # validated and constrained (e.g. bounded validity) before reaching
              # the CA.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: list-certificates
              method: GET
              description: List issued SSH certificates
              inputParameters:
                - name: principal
                  in: query
                  type: string
                  required: false
                # Boolean query filter; passed through as given by the caller.
                - name: expired
                  in: query
                  type: boolean
                  required: false
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: authorized-keys
          # {username} comes from the path parameter; same encoding assumption
          # as /keys/{keyId} above.
          path: /authorized-keys/{username}
          description: Authorized keys management
          operations:
            - name: get-authorized-keys
              method: GET
              description: Get authorized keys for a user
              inputParameters:
                - name: username
                  in: path
                  type: string
                  required: true
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: add-authorized-key
              method: POST
              description: Add a key to user authorized_keys
              # NOTE(review): only the path parameter is declared; no input for
              # the key being authorized is visible here, and no body is sent.
              # This operation grants login access for `username`, so its
              # inputs should be explicit and validated — confirm against the
              # upstream API contract.
              inputParameters:
                - name: username
                  in: path
                  type: string
                  required: true
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: known-hosts
          path: /known-hosts
          description: Known hosts management
          operations:
            - name: list-known-hosts
              method: GET
              description: List known SSH hosts
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: add-known-host
              method: POST
              description: Add a host to known_hosts
              # NOTE(review): no host or host-key input is declared. Pinning a
              # host key changes what clients will trust, so the inputs should
              # be declared and validated rather than supplied implicitly —
              # TODO confirm how the runtime builds this request.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  # Downstream surfaces. NOTE(review): neither exposure below declares an
  # `authentication:` block (the consumed API does), and every privileged
  # operation — signing certificates, editing authorized_keys, pinning host
  # keys, deleting keys — is reachable from both. Confirm that caller
  # authentication and authorization are enforced by the runtime or by a
  # fronting gateway, and that these ports are not reachable anonymously.
  exposes:
    - type: rest
      port: 8080
      namespace: ssh-key-management-workflow-api
      description: Unified REST API for SSH key management and certificate authority operations.
      resources:
        - path: /v1/keys
          name: keys
          description: SSH key registration
          operations:
            - method: GET
              name: list-keys
              description: List registered SSH public keys
              call: ssh-key-management.list-keys
              # `with:` maps incoming REST parameters onto the consumed
              # operation's inputParameters by name.
              with:
                userId: rest.userId
                keyType: rest.keyType
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: add-key
              description: Register a new SSH public key
              # NOTE(review): no `with:` here, yet the consumed add-key body
              # reads `tools.publicKey` / `tools.comment` — see the note on the
              # consumed operation.
              call: ssh-key-management.add-key
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/keys/generate
          name: key-generation
          description: Key pair generation
          operations:
            - method: POST
              name: generate-key-pair
              description: Generate a new SSH key pair
              # Returns the upstream response as-is; see the private-key note on
              # the consumed generate-key-pair operation.
              call: ssh-key-management.generate-key-pair
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/keys/{keyId}
          name: key-detail
          description: Individual key management
          operations:
            - method: GET
              name: get-key
              description: Get SSH key details
              call: ssh-key-management.get-key
              with:
                keyId: rest.keyId
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: delete-key
              description: Delete an SSH key
              call: ssh-key-management.delete-key
              with:
                keyId: rest.keyId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/certificates
          name: certificates
          description: SSH certificate management
          operations:
            - method: GET
              name: list-certificates
              description: List issued SSH certificates
              call: ssh-key-management.list-certificates
              with:
                principal: rest.principal
                expired: rest.expired
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: sign-certificate
              description: Sign a public key to create a certificate
              # No `with:` mapping — no signing inputs are passed from the REST
              # request to the consumed operation as written.
              call: ssh-key-management.sign-certificate
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/authorized-keys/{username}
          name: authorized-keys
          description: User authorized keys
          operations:
            - method: GET
              name: get-authorized-keys
              description: Get authorized keys for a user
              call: ssh-key-management.get-authorized-keys
              with:
                username: rest.username
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: add-authorized-key
              description: Add a key to user authorized_keys
              call: ssh-key-management.add-authorized-key
              # Only the username is forwarded; the key to add is not mapped.
              with:
                username: rest.username
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/known-hosts
          name: known-hosts
          description: Known hosts management
          operations:
            - method: GET
              name: list-known-hosts
              description: List known SSH hosts
              call: ssh-key-management.list-known-hosts
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: add-known-host
              description: Add a host to known_hosts
              call: ssh-key-management.add-known-host
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      port: 9090
      namespace: ssh-key-management-mcp
      transport: http
      description: MCP server for AI-assisted SSH key management and certificate operations.
      # `hints` mirror MCP tool annotations (readOnly / idempotent / destructive).
      # They are advisory to the MCP client and do not enforce anything on the
      # server side; authorization for these tools must live elsewhere.
      tools:
        - name: list-keys
          description: List registered SSH public keys with optional user and type filtering
          hints:
            readOnly: true
            idempotent: true
          call: ssh-key-management.list-keys
          # `tools.*` is the MCP tool-argument scope.
          with:
            userId: tools.userId
            keyType: tools.keyType
          outputParameters:
            - type: object
              mapping: $.
        - name: add-key
          description: Register a new SSH public key in the system
          hints:
            readOnly: false
            idempotent: false
          # No `with:`; the consumed add-key body reads tools.publicKey and
          # tools.comment from this scope directly.
          call: ssh-key-management.add-key
          outputParameters:
            - type: object
              mapping: $.
        - name: generate-key-pair
          description: Generate a new SSH key pair (ed25519 recommended)
          hints:
            readOnly: false
            idempotent: false
          # NOTE(review): the full upstream response is returned into the model
          # context; if it includes a private key, that key becomes part of the
          # conversation transcript. See the consumed operation's note.
          call: ssh-key-management.generate-key-pair
          outputParameters:
            - type: object
              mapping: $.
        - name: get-key
          description: Get SSH key details including fingerprint and last use
          hints:
            readOnly: true
            idempotent: true
          call: ssh-key-management.get-key
          with:
            keyId: tools.keyId
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-key
          description: Delete a registered SSH key
          # The only tool flagged destructive; clients that honor the hint can
          # require confirmation before invoking it.
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: ssh-key-management.delete-key
          with:
            keyId: tools.keyId
          outputParameters:
            - type: object
              mapping: $.
        - name: sign-certificate
          description: Sign an SSH public key with the CA to create a short-lived certificate
          # NOTE(review): issues credentials but is not flagged destructive, so a
          # client may invoke it without prompting. Treat as privileged: the
          # description promises "short-lived", yet no validity input is
          # declared or mapped, so the lifetime is decided entirely upstream.
          hints:
            readOnly: false
            idempotent: false
          call: ssh-key-management.sign-certificate
          outputParameters:
            - type: object
              mapping: $.
        - name: list-certificates
          description: List issued SSH certificates with principals and validity periods
          hints:
            readOnly: true
            idempotent: true
          call: ssh-key-management.list-certificates
          with:
            principal: tools.principal
            expired: tools.expired
          outputParameters:
            - type: object
              mapping: $.
        - name: get-authorized-keys
          description: Get all authorized SSH keys for a user
          hints:
            readOnly: true
            idempotent: true
          call: ssh-key-management.get-authorized-keys
          with:
            username: tools.username
          outputParameters:
            - type: object
              mapping: $.
        - name: add-authorized-key
          description: Add an SSH public key to a user's authorized_keys
          # NOTE(review): grants login access for `username` and is not flagged
          # destructive; only the username is mapped, the key itself is not.
          hints:
            readOnly: false
            idempotent: false
          call: ssh-key-management.add-authorized-key
          with:
            username: tools.username
          outputParameters:
            - type: object
              mapping: $.
        - name: list-known-hosts
          description: List known SSH hosts and their verified public keys
          hints:
            readOnly: true
            idempotent: true
          call: ssh-key-management.list-known-hosts
          outputParameters:
            - type: object
              mapping: $.
        - name: add-known-host
          description: Add a host and its public key to the known_hosts database
          # NOTE(review): changes which host keys clients trust and is not flagged
          # destructive; no host/key inputs are mapped from the tool arguments.
          hints:
            readOnly: false
            idempotent: false
          call: ssh-key-management.add-known-host
          outputParameters:
            - type: object
              mapping: $.