Auto-generated by `rails system:skills:generate_catalog` on 2026-06-03 17:31 UTC. Source: `descriptor()` class methods on `extensions/system/server/app/services/system/ai/skills/*_executor.rb`. Do NOT edit by hand — re-run the rake task instead.
48 executors across 7 categories.
For architecture context (agent bindings, plan vs. execute pattern, invocation surfaces), see SKILL_EXECUTORS.md.
- `acme_certificate_provision` — Provision (issue) a new ACME TLS certificate for the platform's public listeners. Creates the certificate record and drives it through issuance via the ACME server (Let's Encrypt by default). Use this skill when the operator asks to obtain a new TLS cert for a hostname — specify the common name, the issuer, and the challenge type (dns-01 needs a DNS provider credential).
- `attach_storage` — Provision a cloud volume, attach it to a running NodeInstance, and mount it at the requested path. Composes VolumeManagementService.provision/attach + SshExecutionService for filesystem setup.
- `attribute_failure` — Given a failed NodeInstance, rank recent module changes + promotions by likelihood of being the cause
- `capacity_recommend` — Recommend instance count or instance-type adjustments for a Template's fleet based on heartbeat health and assignment density
- `configure_sdwan_for_project` — Create an SDWAN network for a project, attach the supplied instances as peers, optionally provision a project VIP, and compile the topology preview. Composes Sdwan::Network + Sdwan::PeerEnroller + Sdwan::VirtualIp + Sdwan::TopologyCompiler.
- `deploy_app_code` — Deploy a Git repository onto a provisioned NodeInstance via SSH+systemd
- `discover_packages_by_intent` — Intent-based package discovery — describe a capability need ('reverse proxy', 'distributed cache') and get ranked packages from accessible repositories. Use system_search_packages instead when you already know the package name and just want filter/browse.
- `docker_provision` — Provision a managed Docker daemon on a NodeInstance — auto-registers as a Devops::DockerHost bound to the SDWAN overlay /128
- `drift_remediate` — Reconcile a NodeInstance's running modules against its assigned modules; returns a planned action set + estimated disruption %
- `expose_service_publicly` — Expose a backend service to the public internet end-to-end — provisions an SDWAN Virtual IP, a hub DNAT port mapping (443 for https / 80 for http), an ACME TLS certificate for the hostname, and regenerates the reverse proxy. Use this when an operator asks to 'make reachable from the internet at ', 'put a public endpoint in front of ', or otherwise publish an internal service with TLS.
- `list_package_repositories_summary` — Summarize the package repositories configured for the operator's account — counts, kinds (apt/rpm/dnf), visibility (shared vs account), sync status. Use for 'how many package repos', 'what package sources', 'list my repositories', or similar inventory queries.
- `module_compose` — Compose a Template draft from a workload description — keyword-matches modules and proposes a composition with conflict checks
- `package_module_create` — Materialize an apt/rpm package + transitive dep closure as NodeModule rows + ModuleDependency edges, then dispatch a CI build
- `package_module_refresh` — Re-materialize a NodeModule's source package when upstream drifts (replays persisted recommends_chosen for determinism)
- `package_repository_sync` — Sync upstream apt/rpm metadata for one package repository (account-scoped or shared)
- `platform_maintenance` — Routine platform maintenance — certificate renewal, drift checks, health snapshots. Use this skill when the operator asks about (a) which certs are expiring soon, (b) whether they should rotate something, (c) the current platform health, or (d) whether any instances have drifted from their template.
- `platform_resilience` — Platform incident response — drain an instance, scale a deployment up/down, or triage peer/instance health. Use this skill when the operator describes a stress event (instance misbehaving, capacity pressure, peer heartbeats stale) or asks 'what should I do about X'.
- `provision_cluster` — Provision N instances of a Template in a region — composes create_node + provision_instance for each
- `provision_full_stack` — Provision a full compute+network+storage stack from a template — composes provision_instance + optional storage volume + optional SDWAN topology compile
- `relocate_workload` — Relocate a project's compute workload from one region to another via blue/green or drain cutover. Composes ProvisionFullStackExecutor (target) + ProvisioningService.terminate_instance (source).
- `reverse_proxy_compose` — Regenerate the reverse-proxy (Traefik) dynamic config for a certificate's account. Use this skill when an operator wants a valid certificate's HTTPS routers brought online (or refreshed) in the reverse proxy — it re-emits the account's dynamic YAML from its valid certs; Traefik file-watches and reloads automatically.
- `rolling_module_upgrade` — Plan a batched rolling upgrade of a NodeModule across all instances of a Template, with circuit-breaker and health gating
- `scale_project` — Adapt a provisioning project's footprint — add replicas in-region, plan a vertical resize, or expand into a new region. Composes ProvisionFullStackExecutor + RollingModuleUpgradeExecutor.
- `sdwan_compose_full_topology` — Orchestrate the three SDWAN composition primitives (HostBridge, OVN, IPFIX) in one tool call. Composes SdwanHostBridgeComposeExecutor + SdwanOvnComposeTopologyExecutor + SdwanIpfixCollectorComposeExecutor.
- `sdwan_host_bridge_compose` — Allocate per-host SDWAN bridges (Linux for lightweight profile, OVS for heavyweight) for a set of NodeInstances. Composes Sdwan::HostBridgeAllocator. Idempotent.
- `sdwan_ipfix_collector_compose` — Register an IPFIX collector for an account so the topology compiler can stamp ipfix exporter config onto every heavyweight (ovs-kind) HostBridge in the per-host payload. Idempotent on (account, name). Composes Sdwan::IpfixCollector.
- `sdwan_ovn_apply_acl` — Apply OVN ACLs (firewall rules) to a logical switch — heavyweight-profile only. Composes Sdwan::OvnAcl entries scoped to one switch and re-compiles the deployment plan. Idempotent on (switch, acl_name).
- `sdwan_ovn_compose_topology` — Compose an OVN logical-network topology (deployment + logical switches + ports) for a heavyweight-profile account, then compile the ovn-nbctl plan. Composes Sdwan::OvnDeployment + Sdwan::OvnLogicalSwitch + Sdwan::OvnLogicalSwitchPort + Sdwan::OvnCompiler.
- `service_discovery_composer` — Make a backend service discoverable across the fleet over the SDWAN overlay end-to-end — provisions a Virtual IP (auto-advertised via iBGP for in-overlay discovery), publishes a VIP-backed federation service-catalog offering for federated peers, regenerates the local Traefik routes, and OPTIONALLY publishes a public DNS record (A/AAAA/CNAME) for internet-facing names. Use this when an operator asks to 'make discoverable', 'publish to the service catalog', or 'advertise to other sites'.
- `suggest_architectures_for_fleet` — Suggest which canonical architectures to materialize a package for, based on the current fleet's NodePlatform coverage and the repository's served architectures.

- `runbook_generate` — Generate a markdown operational runbook for a NodeTemplate — boot order, common failure modes, recovery procedures

- `federation_acceptance` — Complete a federation handshake from a single-use acceptance token — runs the full accept chain (accept transition, platform enroll, managed-child operator grant, node_api bootstrap-token issuance, SDWAN overlay attach, and a federation governance health scan). Use when an operator wants to finish peering with a proposed federation peer whose acceptance token they hold.
- `federation_manager` — Survey federation peer + grant + cert health for an account and surface findings the operator (or a future autonomy loop) should action.
- `federation_peer_remediate` — Remediate a stale or cert-expiring federation peer: re-handshake a stale peer over mTLS (recovering it if reachable), degrade an unreachable active peer, or alert the operator that a federation cert needs an operator-driven rotation. Invoked by the fleet DecisionEngine off the FederationPeerLivenessSensor.
- `multi_tenant_isolation` — Provision a fully-isolated SDWAN network slice for a single tenant inside the account: a dedicated overlay network with its own VRF + isolated iBGP RIB (no shared routing table), a non-overlapping /64 (Sdwan::PrefixAllocator), default-deny nftables firewall rules scoped to the tenant CIDR, an OVN logical switch, and tenant-CIDR OVN ACLs. Composes Sdwan::Network + Sdwan::PrefixAllocator + Sdwan::FirewallRule + SdwanOvnComposeTopologyExecutor + SdwanOvnApplyAclExecutor. SDWAN-native — no k8s NetworkPolicy, no VLAN. Use when an operator asks to 'isolate tenant ', 'give its own segregated network', or 'stand up a blast-radius boundary for '.
- `sdwan_federation_compose` — Stand up a federation overlay topology (hub-and-spoke OR full-mesh) by composing per-peer Sdwan::PeerEnroller + Sdwan::TopologyCompiler + Sdwan::Bgp::RoutePolicyCompiler. Creates one Sdwan::Network, enrolls each member as a peer (hubs publicly_reachable), and compiles the per-peer WireGuard + FRR route-policy envelope.

- `architecture_create` — Directly create a custom (non-canonical) architecture. Requires system.architectures.manage; surfaces for operator approval via intervention policy.
- `architecture_delete` — Delete a non-canonical architecture. Fails if any NodePlatform still references it. Canonical rows are immutable and return an error.
- `architecture_propose` — Propose adding a new architecture to the platform-wide catalog (creates an Ai::AgentProposal for human review).
- `architecture_update` — Update a non-canonical architecture's fields. Canonical rows are immutable and return an error.

- `sdwan_bgp_session_remediate` — Triage an unhealthy iBGP session; returns a plan with likely cause + recommended next step. v1 does NOT auto-restart FRR.
- `sdwan_failover` — Plan an SDWAN hub failover for an unreachable network; identifies promotion candidates without auto-flipping
- `sdwan_peer_remediate` — Rotate an SDWAN peer's keypair and force the agent to re-establish its tunnel on next reconcile
- `sdwan_vip_failover` — Promote the next failover candidate of a silent-holder Sdwan::VirtualIp. Anycast VIPs return informational only.

- `cve_remediation_orchestration` — Orchestrate the full CVE → exposure → rebuild → rolling-upgrade chain for one CVE
- `cve_response` — Triage a CVE entry against the fleet — enumerates exposure, scores risk, proposes a remediation plan
- `cve_runbook_generate` — Generate a markdown remediation runbook for a CVE — exposed modules, recommended steps, verification commands

- `platform_deploy` — Deploy a new Powernode platform. Pass mode='standalone' for a sovereign platform or mode='federated' for one that handshakes back with this platform on first boot. With no params, returns a wizard payload describing the form the operator should fill in.

Provision (issue) a new ACME TLS certificate for the platform's public listeners. Creates the certificate record and drives it through issuance via the ACME server (Let's Encrypt by default). Use this skill when the operator asks to obtain a new TLS cert for a hostname — specify the common name, the issuer, and the challenge type (dns-01 needs a DNS provider credential).
- Class: `System::Ai::Skills::AcmeCertificateProvisionExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/acme_certificate_provision_executor.rb`
- Category: devops

Inputs

| Field | Type | Required | Description |
|---|---|---|---|
| `common_name` | string | Yes | Primary hostname the cert secures (e.g. ops.example.com) |
| `sans` | array | No | Subject Alternative Names — additional hostnames the cert also secures |
| `issuer` | string | Yes | ACME issuer; one of: letsencrypt-prod, letsencrypt-staging, internal-ca |
| `challenge_type` | string | Yes | ACME challenge; one of: dns-01, http-01, tls-alpn-01 |
| `dns_credential_id` | string | No | System::AcmeDnsCredential id — REQUIRED when challenge_type is dns-01 (publishes the validation record) |
| `acme_email` | string | No | Operator contact email for ACME registration; falls back to platform/account default if omitted |

Outputs

- `certificate_id`: string
- `common_name`: string
- `issuer`: string
- `challenge_type`: string
- `status`: string
- `issued_at`: string
- `expires_at`: string
- `vault_path_certificate`: string
- `vault_path_private_key`: string
- `vault_path_chain`: string

Provision a cloud volume, attach it to a running NodeInstance, and mount it at the requested path. Composes VolumeManagementService.provision/attach + SshExecutionService for filesystem setup.

- Class: `System::Ai::Skills::AttachStorageExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/attach_storage_executor.rb`
- Category: devops

Inputs

| Field | Type | Required | Description |
|---|---|---|---|
| `instance_id` | string | Yes | System::NodeInstance to attach the volume to |
| `size_gb` | integer | Yes | Volume size in GiB (1-16384) |
| `volume_type` | string | No | Optional ProviderVolumeType name (e.g. 'gp3'); falls back to provider default when nil |
| `mount_point` | string | No | Filesystem mount path on the instance |
| `dry_run` | boolean | No | Plan only — no volume creation, no SSH |

Outputs

- `dry_run`: boolean
- `count`: integer
- `planned_actions`: array
- `outputs`: `{:node_instance_ids=>[:string], :storage_volume_ids=>[:string], :mount=>:object}`
- `failures`: array
- `partial`: boolean

- Class: `System::Ai::Skills::AttributeFailureExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/attribute_failure_executor.rb`
- Category: devops

Outputs

- `candidates`: array
- `top_candidate`: object
- `confidence`: decimal
- `reasoning`: string

- Class: `System::Ai::Skills::CapacityRecommendExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/capacity_recommend_executor.rb`
- Category: devops

Outputs

- `template_id`: string
- `total_count`: integer
- `active_count`: integer
- `silent_count`: integer
- `errored_count`: integer
- `recommendation`: object
- `confidence`: string

- Class: `System::Ai::Skills::ConfigureSdwanForProjectExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/configure_sdwan_for_project_executor.rb`
- Category: devops

Outputs

- `dry_run`: boolean
- `count`: integer
- `topology`: string
- `planned_actions`: array
- `outputs`: `{:sdwan_network_id=>:string, :sdwan_peer_ids=>[:string], :virtual_ip_id=>:string, :topology_preview=>[:object]}`
- `failures`: array
- `partial`: boolean

- Class: `System::Ai::Skills::DeployAppCodeExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/deploy_app_code_executor.rb`
- Category: devops

Outputs

- `deployment_id`: string
- `commit_sha`: string
- `public_url`: string

- Class: `System::Ai::Skills::DiscoverPackagesByIntentExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/discover_packages_by_intent_executor.rb`
- Category: devops

Outputs

- `intent`: string
- `results`: array
- `seed_count`: integer
- `confidence`: string

- Class: `System::Ai::Skills::DockerProvisionExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/docker_provision_executor.rb`
- Category: devops

Outputs

- `dry_run`: boolean
- `host_id`: string
- `host_status`: string
- `api_endpoint`: string
- `already_provisioned`: boolean
- `plan`: object

- Class: `System::Ai::Skills::DriftRemediateExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/drift_remediate_executor.rb`
- Category: devops

Outputs

- `resolved`: boolean
- `requires_approval`: boolean
- `disruption_pct`: integer
- `planned_actions`: `{:attach=>[:string], :detach=>[:string], :update=>[:string]}`

- Class: `System::Ai::Skills::ExposeServicePubliclyExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/expose_service_publicly_executor.rb`
- Category: devops

Outputs

- `service_hostname`: string
- `vip_id`: string
- `vip_cidr`: string
- `port_mapping_id`: string
- `certificate_id`: string
- `certificate_status`: string
- `public_endpoints`: array
- `steps_completed`: array
- `warnings`: array

- Class: `System::Ai::Skills::ListPackageRepositoriesSummaryExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/list_package_repositories_summary_executor.rb`
- Category: devops

Outputs

- `total`: integer
- `by_kind`: object
- `by_visibility`: object
- `by_sync_status`: object
- `repositories`: array
- `summary`: string

- Class: `System::Ai::Skills::ModuleComposeExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/module_compose_executor.rb`
- Category: devops

Outputs

- `draft_template`: object
- `conflicts`: array
- `candidate_count`: integer
- `reasoning`: string

- Class: `System::Ai::Skills::PackageModuleCreateExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/package_module_create_executor.rb`
- Category: devops

Outputs

- `top_level_module_id`: string
- `dependency_count`: integer
- `recommends_count`: integer
- `build_dispatches`: array
- `warnings`: array

- Class: `System::Ai::Skills::PackageModuleRefreshExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/package_module_refresh_executor.rb`
- Category: devops

Outputs

- `enqueued`: boolean
- `package_module_link_id`: string

- Class: `System::Ai::Skills::PackageRepositorySyncExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/package_repository_sync_executor.rb`
- Category: devops

Outputs

- `ok`: boolean
- `upserted`: integer
- `obsoleted`: integer
- `package_count`: integer
- `error`: string

- Class: `System::Ai::Skills::PlatformMaintenanceExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/platform_maintenance_executor.rb`
- Category: devops

Outputs

- `action`: string
- `data`: object
- `recommendations`: array

- Class: `System::Ai::Skills::PlatformResilienceExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/platform_resilience_executor.rb`
- Category: devops

Outputs

- `action`: string
- `data`: object
- `recommendations`: array

- Class: `System::Ai::Skills::ProvisionClusterExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/provision_cluster_executor.rb`
- Category: devops

Outputs

- `dry_run`: boolean
- `count`: integer
- `created_nodes`: array
- `provisioned`: array
- `failures`: array
- `partial`: boolean

- Class: `System::Ai::Skills::ProvisionFullStackExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/provision_full_stack_executor.rb`
- Category: devops

Outputs

- `dry_run`: boolean
- `count`: integer
- `planned_actions`: array
- `outputs`: `{:node_ids=>[:string], :node_instance_ids=>[:string], :sdwan_peer_ids=>[:string], :storage_volume_ids=>[:string]}`
- `failures`: array
- `partial`: boolean

- Class: `System::Ai::Skills::RelocateWorkloadExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/relocate_workload_executor.rb`
- Category: devops

Outputs

- `dry_run`: boolean
- `count`: integer
- `cutover_strategy`: string
- `planned_actions`: array
- `outputs`: `{:node_ids=>[:string], :node_instance_ids=>[:string], :sdwan_peer_ids=>[:string], :storage_volume_ids=>[:string], :terminated_instance_ids=>[:string]}`
- `failures`: array
- `partial`: boolean

- Class: `System::Ai::Skills::ReverseProxyComposeExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/reverse_proxy_compose_executor.rb`
- Category: devops

Outputs

- `certificate_id`: string
- `common_name`: string
- `status`: string
- `dynamic_config_path`: string
- `routers_configured`: integer

- Class: `System::Ai::Skills::RollingModuleUpgradeExecutor`
- Source: `extensions/system/server/app/services/system/ai/skills/rolling_module_upgrade_executor.rb`
- Category: devops

Outputs

- `total_instances`: integer
- `batch_size`: integer
- `batch_count`: integer
- `estimated_total_seconds`: integer
- `circuit_breaker`: object
- `batches`: array

Adapt a provisioning project's footprint — add replicas in-region, plan a vertical resize, or expand into a new region. Composes ProvisionFullStackExecutor + RollingModuleUpgradeExecutor.
- Class:
System::Ai::Skills::ScaleProjectExecutor - Source:
extensions/system/server/app/services/system/ai/skills/scale_project_executor.rb - Category: devops
Inputs
Field Type Required Description project_idstring Yes Ai::Mission id (the provisioning project being scaled) target_countinteger Yes Number of new instances (add_replicas / add_region) — bounded 1..50. Ignored for vertical_resize. scaling_strategystring Yes One of: add_replicas, vertical_resize, add_region template_idstring No System::NodeTemplate to instantiate (add_replicas / add_region) or whose fleet is being resized (vertical_resize) provider_region_idstring No Region for new instances (add_replicas: same as project; add_region: NEW region) provider_instance_type_idstring No Instance type for new instances module_idstring No vertical_resize: System::NodeModule whose target_version replaces in-place target_version_idstring No vertical_resize: target System::NodeModuleVersion id network_idstring No add_region: optional Sdwan::Network to attach new instances to with_storage_gbinteger No add_region: optional per-instance volume size dry_runboolean No Plan only — return projected actions without creating any cloud resources Outputs
dry_run: booleancount: integerscaling_strategy: stringplanned_actions: arrayoutputs: {:node_ids=>[:string], :node_instance_ids=>[:string], :sdwan_peer_ids=>[:string], :storage_volume_ids=>[:string], :rolling_upgrade_plan=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanComposeFullTopologyExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_compose_full_topology_executor.rb - Category: devops
dry_run: booleanplanned_actions: arrayoutputs: {:host_bridges=>:object, :ovn=>:object, :ipfix=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanHostBridgeComposeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_host_bridge_compose_executor.rb - Category: devops
dry_run: booleanbridge_count: integerplanned_actions: arrayoutputs: {:host_bridge_ids=>[:string], :allocations=>[:object]}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanIpfixCollectorComposeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_ipfix_collector_compose_executor.rb - Category: devops
dry_run: booleanplanned_actions: arrayoutputs: {:ipfix_collector_id=>:string, :created=>:boolean, :name=>:string, :target_endpoint=>:string, :sampling_rate=>:integer, :state=>:string, :is_winning_collector=>:boolean}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanOvnApplyAclExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_ovn_apply_acl_executor.rb - Category: devops
dry_run: booleanacl_count: integerplanned_actions: arrayoutputs: {:logical_switch_id=>:string, :ovn_acl_ids=>[:string], :allocations=>[:object], :compiled_plan=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanOvnComposeTopologyExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_ovn_compose_topology_executor.rb - Category: devops
dry_run: booleanswitch_count: integerport_count: integerplanned_actions: arrayoutputs: {:ovn_deployment_id=>:string, :created_deployment=>:boolean, :logical_switch_ids=>[:string], :logical_switch_port_ids=>[:string], :compiled_plan=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::ServiceDiscoveryComposerExecutor - Source:
extensions/system/server/app/services/system/ai/skills/service_discovery_composer_executor.rb - Category: devops
service_slug: stringvip_id: stringvip_cidr: stringvip_address: stringoffering_id: stringoffering_slug: stringroute_output_path: stringroute_count: integerdns_record_id: stringdns_record_fqdn: stringpublic_dns_published: booleansteps_completed: arraywarnings: array- Class:
System::Ai::Skills::SuggestArchitecturesForFleetExecutor - Source:
extensions/system/server/app/services/system/ai/skills/suggest_architectures_for_fleet_executor.rb - Category: devops
repository_id: stringsuggested: arrayrationale: arrayfallback: booleanconfidence: string- Class:
System::Ai::Skills::RunbookGenerateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/runbook_generate_executor.rb - Category: documentation
runbook_markdown: stringsection_count: integerpersisted_page_id: stringsource_artifacts: object- Class:
System::Ai::Skills::FederationAcceptanceExecutor - Source:
extensions/system/server/app/services/system/ai/skills/federation_acceptance_executor.rb - Category: federation
peer_id: stringstatus: stringpeer_kind: stringcontract_version_agreed: integeraccepted_at: stringhandshake_at: stringnode_enrollment: objectsdwan_attach: objectgovernance: objectwarnings: array- Class:
System::Ai::Skills::FederationManagerExecutor - Source:
extensions/system/server/app/services/system/ai/skills/federation_manager_executor.rb - Category: federation
account_id: stringran_at: stringcert_rotation_candidates: arraygrants_approaching_expiry: arraygrants_overdue_for_review: arraybroad_scope_grants: arraycapability_drift: arrayfinding_count: integer- Class:
System::Ai::Skills::FederationPeerRemediateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/federation_peer_remediate_executor.rb - Category: federation
remediated: booleanaction: stringreason: stringfederation_peer_id: stringpeer_status: stringreachable: booleandetail: string- Class:
System::Ai::Skills::MultiTenantIsolationExecutor - Source:
extensions/system/server/app/services/system/ai/skills/multi_tenant_isolation_executor.rb - Category: federation
dry_run: booleantenant_key: stringtenant_cidr: stringplanned_actions: arrayoutputs: {:sdwan_network_id=>:string, :sdwan_network_handle=>:string, :vrf_name=>:string, :tenant_cidr=>:string, :firewall_rule_ids=>[:string], :ovn_deployment_id=>:string, :ovn_logical_switch_id=>:string, :ovn_acl_ids=>[:string], :ovn_acl_allocations=>[:object]}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanFederationComposeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_federation_compose_executor.rb - Category: federation
dry_run: booleancount: integertopology: stringrouting_protocol: stringplanned_actions: arrayoutputs: {:sdwan_network_id=>:string, :sdwan_peer_ids=>[:string], :hub_peer_ids=>[:string], :topology_preview=>[:object], :route_policy_preview=>[:object]}failures: arraypartial: boolean- Class:
System::Ai::Skills::ArchitectureCreateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/architecture_create_executor.rb - Category: fleet
architecture: object- Class:
System::Ai::Skills::ArchitectureDeleteExecutor - Source:
extensions/system/server/app/services/system/ai/skills/architecture_delete_executor.rb - Category: fleet
deleted: booleanarchitecture_id: string- Class:
System::Ai::Skills::ArchitectureProposeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/architecture_propose_executor.rb - Category: fleet
proposal_id: stringstatus: stringreview_deadline: datetime- Class:
System::Ai::Skills::ArchitectureUpdateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/architecture_update_executor.rb - Category: fleet
architecture: object- Class:
System::Ai::Skills::SdwanBgpSessionRemediateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_bgp_session_remediate_executor.rb - Category: sdwan
resolved: booleansession_id: stringstate: stringlikely_cause: stringrecommended_action: string- Class:
System::Ai::Skills::SdwanFailoverExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_failover_executor.rb - Category: sdwan
resolved: booleannetwork_id: stringcurrent_hub_count: integercandidates: {:peer_id=>:string, :endpoint_host=>:string, :endpoint_port=>:integer, :last_handshake_at=>:string}- Class:
System::Ai::Skills::SdwanPeerRemediateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_peer_remediate_executor.rb - Category: sdwan
resolved: booleanrotated_from_key_id: stringnew_key_id: stringnew_public_key: string- Class:
System::Ai::Skills::SdwanVipFailoverExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_vip_failover_executor.rb - Category: sdwan
resolved: booleanvirtual_ip_id: stringprevious_holder_peer_id: stringnew_holder_peer_id: stringanycast: boolean- Class:
System::Ai::Skills::CveRemediationOrchestrationExecutor - Source:
extensions/system/server/app/services/system/ai/skills/cve_remediation_orchestration_executor.rb - Category: security
cve_id: stringtriage: objectrefresh_dispatches: arrayrolling_upgrade_plans: arrayexposures_remediating: integerskipped_reason: string- Class:
System::Ai::Skills::CveResponseExecutor - Source:
extensions/system/server/app/services/system/ai/skills/cve_response_executor.rb - Category: security
cve_id: stringseverity: stringrisk_score: integerexposed_modules: arrayexposed_instance_count: integerremediation_plan: objectrequires_approval: boolean- Class:
System::Ai::Skills::CveRunbookGenerateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/cve_runbook_generate_executor.rb - Category: security
runbook_markdown: stringcve_id: stringexposed_module_count: integerexposed_instance_count: integerrisk_score: integerrequires_approval: booleanpersisted_page_id: string- Class:
System::Ai::Skills::PlatformDeployExecutor - Source:
extensions/system/server/app/services/system/ai/skills/platform_deploy_executor.rb - Category: system
ok: booleancard: objectdeployment: objectacceptance_token: stringspawn_payload: object
Orchestrate the three SDWAN composition primitives (HostBridge, OVN, IPFIX) in one tool call. Composes SdwanHostBridgeComposeExecutor + SdwanOvnComposeTopologyExecutor + SdwanIpfixCollectorComposeExecutor.
Inputs
Field Type Required Description host_node_instance_idsarray Yes System::NodeInstance ids — passed through to host_bridge_compose kindstring No Optional explicit bridge kind override (linux ovn_topologyobject No Optional OVN composition payload: {nb_db_endpoint, sb_db_endpoint, northd_host?, switches} — when supplied, runs sdwan_ovn_compose_topology ipfix_collectorobject No Optional IPFIX collector payload: {name, host, port, sampling_rate?} — when supplied, runs sdwan_ipfix_collector_compose dry_runboolean No Plan only — invokes each sub-skill in dry_run mode Outputs
Allocate per-host SDWAN bridges (Linux for lightweight profile, OVS for heavyweight) for a set of NodeInstances. Composes Sdwan::HostBridgeAllocator. Idempotent.
Inputs
Field Type Required Description host_node_instance_idsarray Yes System::NodeInstance ids to allocate bridges for (1-100) kindstring No Optional explicit bridge kind override: linux dry_runboolean No Plan only — no Sdwan::HostBridge rows are persisted Outputs
Register an IPFIX collector for an account so the topology compiler can stamp ipfix exporter config onto every heavyweight (ovs-kind) HostBridge in the per-host payload. Idempotent on (account, name). Composes Sdwan::IpfixCollector.
Inputs
Field Type Required Description namestring Yes Display name for the collector — unique per account; reused on re-execution hoststring Yes Collector host (IPv4, IPv6, or hostname). IPv6 addresses are bracketed automatically when emitted to ovs-vsctl. portinteger Yes Collector UDP port (1-65535) sampling_rateinteger No Sampling rate (1 = export every flow). Ignored when re-using an existing collector. dry_runboolean No Plan only — no Sdwan::IpfixCollector row is persisted Outputs
Apply OVN ACLs (firewall rules) to a logical switch — heavyweight-profile only. Composes Sdwan::OvnAcl entries scoped to one switch and re-compiles the deployment plan. Idempotent on (switch, acl_name).
Inputs
Field Type Required Description logical_switch_idstring Yes Sdwan::OvnLogicalSwitch id the ACLs apply to (must belong to the executing account) aclsarray Yes Array of {name, direction, priority?, match, action} (1-100). direction: from-lport dry_runboolean No Plan only — no Sdwan::OvnAcl rows are persisted Outputs
Compose an OVN logical-network topology (deployment + logical switches + ports) for a heavyweight-profile account, then compile the ovn-nbctl plan. Composes Sdwan::OvnDeployment + Sdwan::OvnLogicalSwitch + Sdwan::OvnLogicalSwitchPort + Sdwan::OvnCompiler.
Inputs
Field Type Required Description switchesarray Yes Array of {name, cidr?, ports: [{name, kind, addresses?, host_node_instance_id?}]} (1-50) nb_db_endpointstring No OVN NB DB endpoint (e.g., tcp:127.0.0.1:6641) — required only when the account has no OvnDeployment yet sb_db_endpointstring No OVN SB DB endpoint (e.g., tcp:127.0.0.1:6642) — required only when the account has no OvnDeployment yet northd_hoststring No Advisory hint for which host runs ovn-northd — only used when creating a new deployment dry_runboolean No Plan only — no Sdwan rows are persisted Outputs
Make a backend service discoverable across the fleet over the SDWAN overlay end-to-end — provisions a Virtual IP (auto-advertised via iBGP for in-overlay discovery), publishes a VIP-backed federation service-catalog offering for federated peers, regenerates the local Traefik routes, and OPTIONALLY publishes a public DNS record (A/AAAA/CNAME) for internet-facing names. Use this when an operator asks to 'make discoverable', 'publish to the service catalog', or 'advertise to other sites'.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| service_name | string | Yes | Human-readable name of the service (catalog display name) |
| service_slug | string | Yes | Lowercase-alphanumeric-hyphen slug — the catalog's natural key (also names the VIP). e.g. 'orders-api' |
| sdwan_network_id | string | Yes | SDWAN network the VIP lives in |
| backend_peer_id | string | Yes | Sdwan::Peer that hosts the service; seated as the VIP's primary holder (and thus the iBGP advertiser) |
| backend_port | integer | Yes | Port the backend service listens on (advertised in the catalog offering) |
| vip_cidr | string | Yes | Operator-supplied host CIDR for the VIP (a /128 v6 or /32 v4) within the SDWAN network's /64 |
| protocol | string | No | Service protocol advertised in the catalog: one of https, http, tcp, tls |
| grant_scopes | array | No | Default FederationGrant scopes subscribers receive (subset of read, write, admin, migrate). Defaults to ['read'] |
| grant_ttl_days | integer | No | Default grant TTL in days (>= 7). Defaults to the offering default |
| traefik_dynamic_dir | string | No | Override for the Traefik dynamic-config directory (defaults to /etc/traefik/dynamic) |
| public_dns | object | No | INTERNET-FACING name only: { dns_credential_id, record_name, record_type? (A |
Outputs
Suggest which canonical architectures to materialize a package for, based on the current fleet's NodePlatform coverage and the repository's served architectures.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | PackageRepository.id whose architectures bound the suggestion set |
| max_suggestions | integer | No | Cap on the number of suggested arches (1-7) |
Outputs
Generate a markdown operational runbook for a NodeTemplate — boot order, common failure modes, recovery procedures
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| template_id | string | Yes | - |
| persist_as_page | boolean | No | Save the result as a Pages document so it's reachable via list_pages |
Outputs
Complete a federation handshake from a single-use acceptance token — runs the full accept chain (accept transition, platform enroll, managed-child operator grant, node_api bootstrap-token issuance, SDWAN overlay attach, and a federation governance health scan). Use when an operator wants to finish peering with a proposed federation peer whose acceptance token they hold.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| acceptance_token | string | Yes | The single-use acceptance token plaintext (from the propose step). Consumed on success. |
| contract_version | integer | Yes | Contract version to agree on. Must be one of the supported versions (currently [1]). |
| capabilities | object | No | Forward-compat capability advertisement exchanged with the peer. |
| extension_slugs | array | No | Extension slugs the peer carries (e.g. ['trading']). |
| endpoints | array | No | Peer endpoints: array of { url, scope, priority, cidr_hint? }. |
Outputs
Survey federation peer + grant + cert health for an account and surface findings the operator (or a future autonomy loop) should action.
Outputs
Remediate a stale or cert-expiring federation peer: re-handshake a stale peer over mTLS (recovering it if reachable), degrade an unreachable active peer, or alert the operator that a federation cert needs an operator-driven rotation. Invoked by the fleet DecisionEngine off the FederationPeerLivenessSensor.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| federation_peer_id | string | Yes | System::FederationPeer to remediate |
| reason | string | No | Liveness failure class from the sensor: heartbeat_stale |
| dry_run | boolean | No | Plan-only mode — report the action that would be taken without probing, degrading, or alerting |
Outputs
Provision a fully-isolated SDWAN network slice for a single tenant inside the account: a dedicated overlay network with its own VRF + isolated iBGP RIB (no shared routing table), a non-overlapping /64 (Sdwan::PrefixAllocator), default-deny nftables firewall rules scoped to the tenant CIDR, an OVN logical switch, and tenant-CIDR OVN ACLs. Composes Sdwan::Network + Sdwan::PrefixAllocator + Sdwan::FirewallRule + SdwanOvnComposeTopologyExecutor + SdwanOvnApplyAclExecutor. SDWAN-native — no k8s NetworkPolicy, no VLAN. Use when an operator asks to 'isolate tenant ', 'give its own segregated network', or 'stand up a blast-radius boundary for '.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| tenant_key | string | Yes | Stable tenant identifier within the account (slug-safe; used to name the network, firewall rules, OVN switch, and ACLs). e.g. 'acme-prod'. |
| network_name | string | No | Display name for the tenant's Sdwan::Network (defaults to 'tenant-<tenant_key>'). |
| tenant_cidr | string | No | Explicit tenant CIDR for the firewall + ACL selectors. When omitted, the /64 auto-allocated for the new network (PrefixAllocator) is used — the recommended path. |
| nb_db_endpoint | string | No | OVN NB DB endpoint (e.g. tcp:127.0.0.1:6641) — required only when the account has no Sdwan::OvnDeployment yet. |
| sb_db_endpoint | string | No | OVN SB DB endpoint (e.g. tcp:127.0.0.1:6642) — required only when the account has no Sdwan::OvnDeployment yet. |
| ovn_switch_name | string | No | Override the OVN logical switch name (defaults to 'ls-tenant-<tenant_key>'). |
| dry_run | boolean | No | Plan only — no Sdwan rows are persisted. |
Outputs
Stand up a federation overlay topology (hub-and-spoke OR full-mesh) by composing per-peer Sdwan::PeerEnroller + Sdwan::TopologyCompiler + Sdwan::Bgp::RoutePolicyCompiler. Creates one Sdwan::Network, enrolls each member as a peer (hubs publicly_reachable), and compiles the per-peer WireGuard + FRR route-policy envelope.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| network_name | string | Yes | Display name for the new federation Sdwan::Network |
| topology | string | Yes | One of: hub_and_spoke, full_mesh |
| peers | array | Yes | Member descriptors (1-200). Each: {node_instance_id (required), role: 'hub' |
| routing_protocol | string | No | One of: static, ibgp — 'ibgp' enables FRR route-policy distribution |
| dry_run | boolean | No | Plan only — no Sdwan::Network/Peer rows are persisted |
Outputs
Directly create a custom (non-canonical) architecture. Requires system.architectures.manage; surfaces for operator approval via intervention policy.
Inputs
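| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | - |
| family | string | Yes | - |
| apt_name | string | No | - |
| rpm_name | string | No | - |
| display_name | string | No | - |
| description | string | No | - |
| enabled | boolean | No | - |
| public | boolean | No | - |
Outputs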
Delete a non-canonical architecture. Fails if any NodePlatform still references it. Canonical rows are immutable and return an error.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| architecture_id | string | Yes | - |
Outputs
Propose adding a new architecture to the platform-wide catalog (creates an Ai::AgentProposal for human review).
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Canonical lowercase name (e.g. loongarch64, mips64el) |
| family | string | Yes | One of: x86, arm, power, z, risc-v, mips, other |
| apt_name | string | No | apt-style name (e.g. amd64 for x86_64) |
| rpm_name | string | No | rpm-style name (matches name for most arches) |
| display_name | string | No | - |
| description | string | No | - |
| justification | string | No | Why this arch is needed — surfaces in the approval UI |
Outputs
Update a non-canonical architecture's fields. Canonical rows are immutable and return an error.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| architecture_id | string | Yes | - |
| attributes | object | Yes | Allowed: name, family, apt_name, rpm_name, display_name, description, kernel_options, enabled, public |
Outputs
Triage an unhealthy iBGP session; returns a plan with likely cause + recommended next step. v1 does NOT auto-restart FRR.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| bgp_session_id | string | No | - |
| peer_id | string | No | Local peer (resolves session via peer_id + neighbor_address) |
| neighbor_address | string | No | - |
| dry_run | boolean | No | - |
Outputs
Plan an SDWAN hub failover for an unreachable network; identifies promotion candidates without auto-flipping
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| network_id | string | Yes | - |
| dry_run | boolean | No | v1 only supports dry_run=true — auto-promotion deferred |
Outputs
Rotate an SDWAN peer's keypair and force the agent to re-establish its tunnel on next reconcile
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| peer_id | string | Yes | Sdwan::Peer to remediate |
| dry_run | boolean | No | Plan-only mode — return what would happen without rotating keys |
Outputs
Promote the next failover candidate of a silent-holder Sdwan::VirtualIp. Anycast VIPs return informational only.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| virtual_ip_id | string | Yes | - |
| dry_run | boolean | No | - |
Outputs
Orchestrate the full CVE → exposure → rebuild → rolling-upgrade chain for one CVE
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| cve_id | string | Yes | Canonical CVE id, e.g. CVE-2026-12345 |
| severity | string | No | critical |
| affected_module_ids | array | No | Optional pre-resolved list of module ids — when omitted, derived from CveExposure rows |
| exposure_ids | array | No | Optional list of CveExposure ids to transition to remediating |
Outputs
Triage a CVE entry against the fleet — enumerates exposure, scores risk, proposes a remediation plan
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| cve_id | string | Yes | Canonical CVE id, e.g. CVE-2026-12345 |
| severity | string | Yes | critical |
| affected_packages | array | Yes | [{name: 'openssl', version: '<3.1.4'}, ...] |
| summary | string | No | - |
Outputs
Generate a markdown remediation runbook for a CVE — exposed modules, recommended steps, verification commands
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| cve_id | string | Yes | Canonical CVE id, e.g. CVE-2026-12345 |
| persist_as_page | boolean | No | Save the runbook as a Pages document so it's reachable via list_pages |
Outputs
Deploy a new Powernode platform. Pass mode='standalone' for a sovereign platform or mode='federated' for one that handshakes back with this platform on first boot. With no params, returns a wizard payload describing the form the operator should fill in.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| mode | string | No | Deployment mode: standalone |
| name | string | No | Human-readable name for the new platform / deployment. |
| template_slug | string | No | NodeTemplate slug to use (default: powernode-hub). |
| parent_url | string | No | Required for federated mode — reachable URL of THIS platform that the child posts back to. |
| spawn_mode | string | No | Required for federated mode — one of: managed_child, autonomous_peer, cluster_member. |
| region | string | No | Optional provider region preference. |
| instance_size | string | No | Optional provider instance type preference. |
| service_role | string | No | Service role for the PlatformDeployment row (default: api). |
| public_dns_hostname | string | No | Optional public DNS hostname for the new platform. |
| token_ttl_seconds | integer | No | Acceptance-token TTL for federated spawns (default: 7 days). |
Outputs
- Class:
Given a failed NodeInstance, rank recent module changes + promotions by likelihood of being the cause
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| instance_id | string | Yes | - |
| lookback_hours | integer | No | - |
Outputs
Recommend instance count or instance-type adjustments for a Template's fleet based on heartbeat health and assignment density
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| template_id | string | Yes | - |
| target_min_active | integer | No | Minimum number of healthy active instances the fleet must maintain |
Outputs
Create an SDWAN network for a project, attach the supplied instances as peers, optionally provision a project VIP, and compile the topology preview. Composes Sdwan::Network + Sdwan::PeerEnroller + Sdwan::VirtualIp + Sdwan::TopologyCompiler.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| project_id | string | Yes | Ai::Mission id (the provisioning project receiving the overlay) |
| instance_ids | array | Yes | System::NodeInstance ids to enroll as peers (1-100) |
| network_name | string | Yes | Display name for the new Sdwan::Network |
| topology | string | Yes | One of: hub_and_spoke, mesh |
| with_vip | boolean | No | When true, provision a project-level VirtualIp held by the first peer |
| vip_name | string | No | Optional VIP name (defaults to '<network_name>-vip') |
| vip_cidr | string | No | VIP CIDR — required when with_vip is true (operator must provide a /128 in the network's /64) |
| dry_run | boolean | No | Plan only — no Sdwan::Network/Peer/VirtualIp rows are persisted |
Outputs
Deploy a Git repository onto a provisioned NodeInstance via SSH+systemd
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| node_instance_id | string | Yes | Target System::NodeInstance.id (provisioned earlier in the plan) |
| repo_url | string | Yes | Git remote URL (https or ssh) |
| branch | string | No | Git branch to deploy |
| start_command | string | No | Command to run as the systemd ExecStart (e.g. 'npm start'). Inferred from repo if omitted. |
| deploy_key_id | string | No | Secret ID for a private repo deploy key (resolved by CodeDeployService) |
| mission_id | string | No | Auto-injected by PlanComposer — the Ai::Mission this deploy belongs to |
| dry_run | boolean | No | Plan only — return projected actions without touching the node |
Outputs
Intent-based package discovery — describe a capability need ('reverse proxy', 'distributed cache') and get ranked packages from accessible repositories. Use system_search_packages instead when you already know the package name and just want filter/browse.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| intent | string | Yes | Free-text capability description — what the package should do |
| repository_ids | array | No | PackageRepository UUIDs to restrict the search to |
| kind | string | No | Repository kind filter — apt |
| architectures | array | No | Canonical arch names (amd64, arm64) to filter against — cross-kind expanded |
| license | string | No | Exact license string to require (e.g. 'MIT', 'Apache-2.0') |
| top_k | integer | No | Max results to return (1-50) |
Outputs
Provision a managed Docker daemon on a NodeInstance — auto-registers as a Devops::DockerHost bound to the SDWAN overlay /128
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| node_instance_id | string | Yes | NodeInstance to provision (must already have an Sdwan::Peer with assigned overlay) |
| dry_run | boolean | No | Plan-only — return projected actions without creating the DockerHost row |
Outputs
Reconcile a NodeInstance's running modules against its assigned modules; returns a planned action set + estimated disruption %
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| instance_id | string | Yes | NodeInstance to reconcile |
| max_disruption_pct | integer | No | Disruption threshold above which the skill returns requires_approval=true |
Outputs
Expose a backend service to the public internet end-to-end — provisions an SDWAN Virtual IP, a hub DNAT port mapping (443 for https / 80 for http), an ACME TLS certificate for the hostname, and regenerates the reverse proxy. Use this when an operator asks to 'make reachable from the internet at ', 'put a public endpoint in front of ', or otherwise publish an internal service with TLS.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| service_hostname | string | Yes | Public DNS hostname the service will answer on, e.g. app.example.com |
| service_protocol | string | Yes | Public-facing protocol: http or https |
| sdwan_network_id | string | Yes | SDWAN network the VIP + port mapping live in |
| sdwan_hub_peer_id | string | Yes | Publicly-reachable hub peer that terminates the public port |
| vip_cidr | string | Yes | Operator-supplied host CIDR for the VIP (typically a /128 v6 or /32 v4) within the SDWAN network's /64 |
| target_peer_id | string | No | Backend peer to front (provide exactly one of target_peer_id / target_instance_id) |
| target_instance_id | string | No | Backend NodeInstance to front (provide exactly one of target_peer_id / target_instance_id) |
| backend_port | integer | Yes | Port the backend service listens on (the DNAT target_port) |
| tls_issuer | string | No | ACME issuer slug for the certificate |
| challenge_type | string | No | ACME challenge type (dns-01 / http-01) |
| dns_credential_id | string | No | Credential id for the DNS provider (dns-01 challenges) |
Outputs
Summarize the package repositories configured for the operator's account — counts, kinds (apt/rpm/dnf), visibility (shared vs account), sync status. Use for 'how many package repos', 'what package sources', 'list my repositories', or similar inventory queries.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| intent | string | Yes | Free-text query — typically the user's natural-language ask about repositories |
Outputs
Compose a Template draft from a workload description — keyword-matches modules and proposes a composition with conflict checks
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| description | string | Yes | Free-form workload description, e.g. 'nginx web server with SSL and metrics' |
| platform_id | string | No | Restrict the search to modules for a specific NodePlatform |
| max_modules | integer | No | - |
Outputs
Materialize an apt/rpm package + transitive dep closure as NodeModule rows + ModuleDependency edges, then dispatch a CI build
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | - |
| package_name | string | Yes | - |
| architectures | array | No | Defaults to repository.architectures if omitted |
| recommends_selected | array | No | Per-edge recommends opt-in list (defaults to none) |
| category_id | string | No | - |
Outputs
Re-materialize a NodeModule's source package when upstream drifts (replays persisted recommends_chosen for determinism)
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| package_module_link_id | string | Yes | PackageModuleLink.id of the module to refresh |
| force | boolean | No | - |
Outputs
Sync upstream apt/rpm metadata for one package repository (account-scoped or shared)
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | PackageRepository.id |
Outputs
Routine platform maintenance — certificate renewal, drift checks, health snapshots. Use this skill when the operator asks about (a) which certs are expiring soon, (b) whether they should rotate something, (c) the current platform health, or (d) whether any instances have drifted from their template.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| action | string | Yes | One of: cert_status, cert_rotate, drift_check, health_check |
| certificate_id | string | No | Cert id (only for cert_rotate of a specific row; omit to rotate all expiring) |
| deployment_id | string | No | PlatformDeployment id (for drift_check; omit to scan all deployments) |
| renewal_window_days | integer | No | How many days ahead to consider a cert 'expiring soon' (cert_status / cert_rotate) |
Outputs
Platform incident response — drain an instance, scale a deployment up/down, or triage peer/instance health. Use this skill when the operator describes a stress event (instance misbehaving, capacity pressure, peer heartbeats stale) or asks 'what should I do about X'.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| action | string | Yes | One of: drain_instance, scale, failover_check |
| instance_id | string | No | NodeInstance id (required for drain_instance) |
| timeout_seconds | integer | No | Drain timeout for in-flight work (drain_instance only) |
| deployment_id | string | No | PlatformDeployment id (required for scale) |
| direction | string | No | scale direction: set |
| target_replicas | integer | No | When direction=set, the new target_replicas value |
Outputs
Provision N instances of a Template in a region — composes create_node + provision_instance for each
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| template_id | string | Yes | - |
| count | integer | Yes | Number of nodes/instances to spin up (1-50) |
| provider_region_id | string | Yes | - |
| provider_instance_type_id | string | Yes | - |
| name_prefix | string | No | Prefix for node names (default: "node") |
| dry_run | boolean | No | Plan only — return projected actions without creating resources |
Outputs
Provision a full compute+network+storage stack from a template — composes provision_instance + optional storage volume + optional SDWAN topology compile
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| template_id | string | Yes | System::NodeTemplate to instantiate |
| count | integer | Yes | Number of node instances to provision (1-50) |
| provider_region_id | string | Yes | System::ProviderRegion target |
| provider_instance_type_id | string | Yes | System::ProviderInstanceType for each instance |
| network_id | string | No | Sdwan::Network — when present, the SDWAN topology is compiled and the resulting peer ids are returned for downstream attach |
| with_storage_gb | integer | No | When present, provision a per-instance ProviderVolume of this size |
| dry_run | boolean | No | Plan only — return projected actions without creating any cloud resources |
Outputs
Relocate a project's compute workload from one region to another via blue/green or drain cutover. Composes ProvisionFullStackExecutor (target) + ProvisioningService.terminate_instance (source).
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| project_id | string | Yes | Ai::Mission id (the provisioning project being relocated) |
| from_region_id | string | Yes | System::ProviderRegion the workload is leaving (audit hint, no lookup) |
| to_region_id | string | Yes | System::ProviderRegion the workload is moving to (target for new stack) |
| cutover_strategy | string | Yes | One of: blue_green, drain |
| template_id | string | Yes | System::NodeTemplate to instantiate at the target region |
| provider_instance_type_id | string | Yes | Instance type for the target stack |
| count | integer | Yes | Number of new instances to bring up at the target (1-50) |
| source_instance_ids | array | Yes | System::NodeInstance ids in the source region to terminate during cutover |
| network_id | string | No | Sdwan::Network — when present, target instances are wired into the SDWAN topology and peer ids returned |
| with_storage_gb | integer | No | When present, provision a per-instance ProviderVolume of this size at the target |
| dry_run | boolean | No | Plan only — return projected actions without provisioning or terminating |
Outputs
Regenerate the reverse-proxy (Traefik) dynamic config for a certificate's account. Use this skill when an operator wants a valid certificate's HTTPS routers brought online (or refreshed) in the reverse proxy — it re-emits the account's dynamic YAML from its valid certs; Traefik file-watches and reloads automatically.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| certificate_id | string | Yes | AcmeCertificate id (must be status=valid) whose account's reverse-proxy config to regenerate |
Outputs
Plan a batched rolling upgrade of a NodeModule across all instances of a Template, with circuit-breaker and health gating
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
| template_id | string | Yes | - |
| module_id | string | Yes | - |
| target_version_id | string | Yes | - |
| batch_pct | integer | No | Percent of fleet to upgrade per batch (1-100). Smaller = safer + slower. |
| max_consecutive_failures | integer | No | Trip the circuit-breaker after this many consecutive batch failures |
| health_timeout_sec | integer | No | How long to wait for a batch to report healthy heartbeats before marking failed |
Outputs