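# OpsCapability manifest: unseal an OpenBao / HashiCorp Vault instance.
# Every invocation is gated behind OpsGate human authorization (see the
# ops-gate annotations below) because a successful unseal makes the secrets
# engine reachable by every authenticated client.
apiVersion: ops.aiwg.io/v1
kind: OpsCapability
metadata:
  name: secret-unseal
  labels:
    category: secrets
  annotations:
    blast-radius: "cluster-wide — unsealing exposes secrets engine to all authenticated clients"
    # ops-gate: required — the executor must obtain explicit human approval
    # before running this capability (rationale in ops-gate-reason).
    ops-gate: required
    ops-gate-reason: "Unseal operation grants access to the secrets engine; requires explicit human authorization"
spec:
  description: Unseal an OpenBao or HashiCorp Vault instance — always requires OpsGate human authorization before execution
  version: "1.0.0"
  inputs:
    # URL of the Vault/OpenBao API. This value is interpolated into a shell
    # command (see verification.command), so the executor should validate it
    # as a scheme://host[:port] URL before rendering — shell quoting alone
    # does not neutralise every metacharacter.
    - name: vault_addr
      type: string
      required: true
    # Filesystem paths (on the target) to the unseal key shares. The shares
    # are highly sensitive: they must never be echoed into outputs or logs.
    - name: unseal_key_paths
      type: list
      required: true
    # Number of key shares to submit; the executor should reject a request
    # that supplies fewer than key_threshold entries in unseal_key_paths.
    - name: key_threshold
      type: integer
      required: false
      default: 3
    # Optional CA bundle for TLS verification of vault_addr.
    # NOTE(review): verification.command does not export VAULT_CACERT, so a
    # private-CA deployment may fail the post-check even after a successful
    # unseal — confirm how the executor propagates this input.
    - name: tls_ca_cert
      type: path
      required: false
    - name: timeout_seconds
      type: integer
      required: false
      default: 30
  outputs:
    - name: status
      type: string
    - name: sealed
      type: boolean
    - name: cluster_name
      type: string
    - name: ha_enabled
      type: boolean
    # Unseal progress as reported by the instance; presumably counts only,
    # never key material — verify against the agent implementation.
    - name: progress
      type: string
  target_requirements:
    os: [linux]
    # verification.command also pipes through jq, which is not declared here;
    # confirm the target provides it or add it to capabilities.
    capabilities: [vault-cli]
  agent: secrets-operator
  # Declared idempotent: presumably submitting shares to an already-unsealed
  # instance is a no-op — confirm against the executor before relying on retries.
  idempotent: true
  verification:
    # Post-condition: the instance must report sealed == false.
    # vault_addr is double-quoted so that whitespace or glob characters in the
    # rendered value cannot split the command. stderr is discarded, so a TLS
    # or connection failure surfaces only as empty jq output, which does not
    # match expect and therefore fails the verification rather than reporting
    # the instance as unsealed.
    command: >-
      VAULT_ADDR="{{ vault_addr }}" vault status -format=json 2>/dev/null
      | jq -r '.sealed'
    expect: "false"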
