aiwg
Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo
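---
# OpsCapability manifest: issue a TLS certificate from the internal CA, push the
# key and certificate to one host, and reload the service that uses them.
#
# NOTE(review): the nesting below was reconstructed from a listing that had lost
# its indentation. In particular, placing target_requirements, agent, idempotent
# and verification under spec is presumed; confirm against the OpsCapability
# schema.
apiVersion: ops.aiwg.io/v1
kind: OpsCapability
metadata:
  name: cert-issue
  labels:
    category: pki
  annotations:
    blast-radius: "single-host — replaces TLS cert on target; services using the old cert will need reload"
spec:
  description: Issue a TLS certificate from the internal CA, push key and cert to the target host, and trigger service reload
  version: "1.0.0"
  inputs:
    # Subject name for the certificate. It is also rendered into the shell
    # pipeline under verification.command, so it should be validated as a DNS
    # name before use.
    - name: common_name
      type: string
      required: true
    - name: sans
      type: list
      required: false
      default: []
    # Host that receives the key and certificate. Also rendered into
    # verification.command; validate as a hostname or IP address.
    - name: target_host
      type: string
      required: true
    # Directory the private key is written to. This manifest does not state the
    # file mode or owner applied to the key.
    # NOTE(review): confirm the agent writes the key owner-readable only.
    - name: cert_path
      type: path
      required: false
      default: /etc/ssl/private
    # Endpoint of the issuing CA. Nothing here says how the CA is authenticated.
    # NOTE(review): confirm the agent pins the CA root rather than trusting
    # whatever answers at this URL.
    - name: ca_url
      type: string
      required: true
    - name: validity_days
      type: integer
      required: false
      default: 365
    - name: key_type
      type: string
      required: false
      default: ec-p256
    # Free-form command string run on the target after deployment.
    # NOTE(review): presumably executed through a shell with the privileges
    # needed to reload a service. If callers can set it, it amounts to arbitrary
    # command execution on the host; consider restricting it to an allow-list of
    # known reload commands.
    - name: reload_command
      type: string
      required: false
      default: "systemctl reload nginx"
  outputs:
    - name: status
      type: string
    - name: cert_serial
      type: string
    - name: expiry_date
      type: datetime
    - name: fingerprint_sha256
      type: string
    - name: deployed_path
      type: path
  target_requirements:
    os: [linux]
    capabilities: [openssl, ssh, step-cli]
  agent: pki-operator
  # Each run issues a new certificate and replaces the deployed one. The
  # description mentions no revocation of the previous certificate.
  # NOTE(review): confirm how superseded certificates are retired.
  idempotent: false
  verification:
    # Connects to port 443 on the target and prints the serial and SHA-256
    # fingerprint of the certificate actually served.
    # - target_host and common_name are substituted into the shell pipeline
    #   without quoting, so shell metacharacters in either would be interpreted
    #   by the shell. Validate both inputs before rendering.
    # - 2>/dev/null discards connection and handshake errors, so an unreachable
    #   host shows up only as a failed match.
    # - The port is fixed at 443; a service on another port is not checked.
    command: "openssl s_client -connect {{ target_host }}:443 -servername {{ common_name }} </dev/null 2>/dev/null | openssl x509 -noout -serial -fingerprint -sha256"
    # openssl prints the serial as "serial=" followed by hex digits; cert_serial
    # must be rendered in the same form to match.
    # NOTE(review): confirm whether the fingerprint printed by the command is
    # also compared against fingerprint_sha256, since only the serial is
    # matched here.
    expect: "serial={{ cert_serial }}"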