Auto-generated by
rails system:skills:generate_catalogon 2026-05-17 13:19 UTC. Source:descriptor()class methods onextensions/system/server/app/services/system/ai/skills/*_executor.rb. Do NOT edit by hand — re-run the rake task instead.
40 executors across 7 categories.
For architecture context (agent bindings, plan vs. execute pattern, invocation surfaces), see SKILL_EXECUTORS.md.
attach_storage— Provision a cloud volume, attach it to a running NodeInstance, and mount it at the requested path. Composes VolumeManagementService.provision/attach + SshExecutionService for filesystem setup.attribute_failure— Given a failed NodeInstance, rank recent module changes + promotions by likelihood of being the causecapacity_recommend— Recommend instance count or instance-type adjustments for a Template's fleet based on heartbeat health and assignment densityconfigure_sdwan_for_project— Create an SDWAN network for a project, attach the supplied instances as peers, optionally provision a project VIP, and compile the topology preview. Composes Sdwan::Network + Sdwan::PeerEnroller + Sdwan::VirtualIp + Sdwan::TopologyCompiler.deploy_app_code— Deploy a Git repository onto a provisioned NodeInstance via SSH+systemddiscover_packages_by_intent— Intent-based package discovery — describe a capability need ('reverse proxy', 'distributed cache') and get ranked packages from accessible repositories. Use system_search_packages instead when you already know the package name and just want filter/browse.docker_provision— Provision a managed Docker daemon on a NodeInstance — auto-registers as a Devops::DockerHost bound to the SDWAN overlay /128drift_remediate— Reconcile a NodeInstance's running modules against its assigned modules; returns a planned action set + estimated disruption %list_package_repositories_summary— Summarize the package repositories configured for the operator's account — counts, kinds (apt/rpm/dnf), visibility (shared vs account), sync status. Use for 'how many package repos', 'what package sources', 'list my repositories', or similar inventory queries.module_compose— Compose a Template draft from a workload description — keyword-matches modules and proposes a composition with conflict checkspackage_module_create— Materialize an apt/rpm package + transitive dep closure as NodeModule rows + ModuleDependency edges, then dispatch a CI buildpackage_module_refresh— Re-materialize a NodeModule's source package when upstream drifts (replays persisted recommends_chosen for determinism)package_repository_sync— Sync upstream apt/rpm metadata for one package repository (account-scoped or shared)platform_maintenance— Routine platform maintenance — certificate renewal, drift checks, health snapshots. Use this skill when the operator asks about (a) which certs are expiring soon, (b) whether they should rotate something, (c) the current platform health, or (d) whether any instances have drifted from their template.platform_resilience— Platform incident response — drain an instance, scale a deployment up/down, or triage peer/instance health. Use this skill when the operator describes a stress event (instance misbehaving, capacity pressure, peer heartbeats stale) or asks 'what should I do about X'.provision_cluster— Provision N instances of a Template in a region — composes create_node + provision_instance for eachprovision_full_stack— Provision a full compute+network+storage stack from a template — composes provision_instance + optional storage volume + optional SDWAN topology compilerelocate_workload— Relocate a project's compute workload from one region to another via blue/green or drain cutover. Composes ProvisionFullStackExecutor (target) + ProvisioningService.terminate_instance (source).rolling_module_upgrade— Plan a batched rolling upgrade of a NodeModule across all instances of a Template, with circuit-breaker and health gatingscale_project— Adapt a provisioning project's footprint — add replicas in-region, plan a vertical resize, or expand into a new region. Composes ProvisionFullStackExecutor + RollingModuleUpgradeExecutor.sdwan_compose_full_topology— Orchestrate the three SDWAN composition primitives (HostBridge, OVN, IPFIX) in one tool call. Composes SdwanHostBridgeComposeExecutor + SdwanOvnComposeTopologyExecutor + SdwanIpfixCollectorComposeExecutor.sdwan_host_bridge_compose— Allocate per-host SDWAN bridges (Linux for lightweight profile, OVS for heavyweight) for a set of NodeInstances. Composes Sdwan::HostBridgeAllocator. Idempotent.sdwan_ipfix_collector_compose— Register an IPFIX collector for an account so the topology compiler can stamp ipfix exporter config onto every heavyweight (ovs-kind) HostBridge in the per-host payload. Idempotent on (account, name). Composes Sdwan::IpfixCollector.sdwan_ovn_apply_acl— Apply OVN ACLs (firewall rules) to a logical switch — heavyweight-profile only. Composes Sdwan::OvnAcl entries scoped to one switch and re-compiles the deployment plan. Idempotent on (switch, acl_name).sdwan_ovn_compose_topology— Compose an OVN logical-network topology (deployment + logical switches + ports) for a heavyweight-profile account, then compile the ovn-nbctl plan. Composes Sdwan::OvnDeployment + Sdwan::OvnLogicalSwitch + Sdwan::OvnLogicalSwitchPort + Sdwan::OvnCompiler.suggest_architectures_for_fleet— Suggest which canonical architectures to materialize a package for, based on the current fleet's NodePlatform coverage and the repository's served architectures.
runbook_generate— Generate a markdown operational runbook for a NodeTemplate — boot order, common failure modes, recovery procedures
federation_manager— Survey federation peer + grant + cert health for an account and surface findings the operator (or a future autonomy loop) should action.
architecture_create— Directly create a custom (non-canonical) architecture. Requires system.architectures.manage; surfaces for operator approval via intervention policy.architecture_delete— Delete a non-canonical architecture. Fails if any NodePlatform still references it. Canonical rows are immutable and return an error.architecture_propose— Propose adding a new architecture to the platform-wide catalog (creates an Ai::AgentProposal for human review).architecture_update— Update a non-canonical architecture's fields. Canonical rows are immutable and return an error.
sdwan_bgp_session_remediate— Triage an unhealthy iBGP session; returns a plan with likely cause + recommended next step. v1 does NOT auto-restart FRR.sdwan_failover— Plan an SDWAN hub failover for an unreachable network; identifies promotion candidates without auto-flippingsdwan_peer_remediate— Rotate an SDWAN peer's keypair and force the agent to re-establish its tunnel on next reconcilesdwan_vip_failover— Promote the next failover candidate of a silent-holder Sdwan::VirtualIp. Anycast VIPs return informational only.
cve_remediation_orchestration— Orchestrate the full CVE → exposure → rebuild → rolling-upgrade chain for one CVEcve_response— Triage a CVE entry against the fleet — enumerates exposure, scores risk, proposes a remediation plancve_runbook_generate— Generate a markdown remediation runbook for a CVE — exposed modules, recommended steps, verification commands
platform_deploy— Deploy a new Powernode platform. Pass mode='standalone' for a sovereign platform or mode='federated' for one that handshakes back with this platform on first boot. With no params, returns a wizard payload describing the form the operator should fill in.
Provision a cloud volume, attach it to a running NodeInstance, and mount it at the requested path. Composes VolumeManagementService.provision/attach + SshExecutionService for filesystem setup.
- Class:
System::Ai::Skills::AttachStorageExecutor - Source:
extensions/system/server/app/services/system/ai/skills/attach_storage_executor.rb - Category: devops
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
instance_id |
string | Yes | System::NodeInstance to attach the volume to |
size_gb |
integer | Yes | Volume size in GiB (1-16384) |
volume_type |
string | No | Optional ProviderVolumeType name (e.g. 'gp3'); falls back to provider default when nil |
mount_point |
string | No | Filesystem mount path on the instance |
dry_run |
boolean | No | Plan only — no volume creation, no SSH |
Outputs
dry_run: booleancount: integerplanned_actions: arrayoutputs: {:node_instance_ids=>[:string], :storage_volume_ids=>[:string], :mount=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::AttributeFailureExecutor - Source:
extensions/system/server/app/services/system/ai/skills/attribute_failure_executor.rb - Category: devops
candidates: arraytop_candidate: objectconfidence: decimalreasoning: string- Class:
System::Ai::Skills::CapacityRecommendExecutor - Source:
extensions/system/server/app/services/system/ai/skills/capacity_recommend_executor.rb - Category: devops
template_id: stringtotal_count: integeractive_count: integersilent_count: integererrored_count: integerrecommendation: objectconfidence: string- Class:
System::Ai::Skills::ConfigureSdwanForProjectExecutor - Source:
extensions/system/server/app/services/system/ai/skills/configure_sdwan_for_project_executor.rb - Category: devops
dry_run: booleancount: integertopology: stringplanned_actions: arrayoutputs: {:sdwan_network_id=>:string, :sdwan_peer_ids=>[:string], :virtual_ip_id=>:string, :topology_preview=>[:object]}failures: arraypartial: boolean- Class:
System::Ai::Skills::DeployAppCodeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/deploy_app_code_executor.rb - Category: devops
deployment_id: stringcommit_sha: stringpublic_url: string- Class:
System::Ai::Skills::DiscoverPackagesByIntentExecutor - Source:
extensions/system/server/app/services/system/ai/skills/discover_packages_by_intent_executor.rb - Category: devops
intent: stringresults: arrayseed_count: integerconfidence: string- Class:
System::Ai::Skills::DockerProvisionExecutor - Source:
extensions/system/server/app/services/system/ai/skills/docker_provision_executor.rb - Category: devops
dry_run: booleanhost_id: stringhost_status: stringapi_endpoint: stringalready_provisioned: booleanplan: object- Class:
System::Ai::Skills::DriftRemediateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/drift_remediate_executor.rb - Category: devops
resolved: booleanrequires_approval: booleandisruption_pct: integerplanned_actions: {:attach=>[:string], :detach=>[:string], :update=>[:string]}- Class:
System::Ai::Skills::ListPackageRepositoriesSummaryExecutor - Source:
extensions/system/server/app/services/system/ai/skills/list_package_repositories_summary_executor.rb - Category: devops
total: integerby_kind: objectby_visibility: objectby_sync_status: objectrepositories: arraysummary: string- Class:
System::Ai::Skills::ModuleComposeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/module_compose_executor.rb - Category: devops
draft_template: objectconflicts: arraycandidate_count: integerreasoning: string- Class:
System::Ai::Skills::PackageModuleCreateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/package_module_create_executor.rb - Category: devops
top_level_module_id: stringdependency_count: integerrecommends_count: integerbuild_dispatches: arraywarnings: array- Class:
System::Ai::Skills::PackageModuleRefreshExecutor - Source:
extensions/system/server/app/services/system/ai/skills/package_module_refresh_executor.rb - Category: devops
enqueued: booleanpackage_module_link_id: string- Class:
System::Ai::Skills::PackageRepositorySyncExecutor - Source:
extensions/system/server/app/services/system/ai/skills/package_repository_sync_executor.rb - Category: devops
ok: booleanupserted: integerobsoleted: integerpackage_count: integererror: string- Class:
System::Ai::Skills::PlatformMaintenanceExecutor - Source:
extensions/system/server/app/services/system/ai/skills/platform_maintenance_executor.rb - Category: devops
action: stringdata: objectrecommendations: array- Class:
System::Ai::Skills::PlatformResilienceExecutor - Source:
extensions/system/server/app/services/system/ai/skills/platform_resilience_executor.rb - Category: devops
action: stringdata: objectrecommendations: array- Class:
System::Ai::Skills::ProvisionClusterExecutor - Source:
extensions/system/server/app/services/system/ai/skills/provision_cluster_executor.rb - Category: devops
dry_run: booleancount: integercreated_nodes: arrayprovisioned: arrayfailures: arrayProvision a full compute+network+storage stack from a template — composes provision_instance + optional storage volume + optional SDWAN topology compile
- Class:
System::Ai::Skills::ProvisionFullStackExecutor - Source:
extensions/system/server/app/services/system/ai/skills/provision_full_stack_executor.rb - Category: devops
Inputs
Field Type Required Description template_idstring Yes System::NodeTemplate to instantiate countinteger Yes Number of node instances to provision (1-50) provider_region_idstring Yes System::ProviderRegion target provider_instance_type_idstring Yes System::ProviderInstanceType for each instance network_idstring No Sdwan::Network — when present, the SDWAN topology is compiled and the resulting peer ids are returned for downstream attach with_storage_gbinteger No When present, provision a per-instance ProviderVolume of this size dry_runboolean No Plan only — return projected actions without creating any cloud resources Outputs
dry_run: booleancount: integerplanned_actions: arrayoutputs: {:node_ids=>[:string], :node_instance_ids=>[:string], :sdwan_peer_ids=>[:string], :storage_volume_ids=>[:string]}failures: arraypartial: boolean- Class:
System::Ai::Skills::RelocateWorkloadExecutor - Source:
extensions/system/server/app/services/system/ai/skills/relocate_workload_executor.rb - Category: devops
dry_run: booleancount: integercutover_strategy: stringplanned_actions: arrayoutputs: {:node_ids=>[:string], :node_instance_ids=>[:string], :sdwan_peer_ids=>[:string], :storage_volume_ids=>[:string], :terminated_instance_ids=>[:string]}failures: arraypartial: boolean- Class:
System::Ai::Skills::RollingModuleUpgradeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/rolling_module_upgrade_executor.rb - Category: devops
total_instances: integerbatch_size: integerbatch_count: integerestimated_total_seconds: integercircuit_breaker: objectbatches: arrayAdapt a provisioning project's footprint — add replicas in-region, plan a vertical resize, or expand into a new region. Composes ProvisionFullStackExecutor + RollingModuleUpgradeExecutor.
- Class:
System::Ai::Skills::ScaleProjectExecutor - Source:
extensions/system/server/app/services/system/ai/skills/scale_project_executor.rb - Category: devops
Inputs
Field Type Required Description project_idstring Yes Ai::Mission id (the provisioning project being scaled) target_countinteger Yes Number of new instances (add_replicas / add_region) — bounded 1..50. Ignored for vertical_resize. scaling_strategystring Yes One of: add_replicas, vertical_resize, add_region template_idstring No System::NodeTemplate to instantiate (add_replicas / add_region) or whose fleet is being resized (vertical_resize) provider_region_idstring No Region for new instances (add_replicas: same as project; add_region: NEW region) provider_instance_type_idstring No Instance type for new instances module_idstring No vertical_resize: System::NodeModule whose target_version replaces in-place target_version_idstring No vertical_resize: target System::NodeModuleVersion id network_idstring No add_region: optional Sdwan::Network to attach new instances to with_storage_gbinteger No add_region: optional per-instance volume size dry_runboolean No Plan only — return projected actions without creating any cloud resources Outputs
dry_run: booleancount: integerscaling_strategy: stringplanned_actions: arrayoutputs: {:node_ids=>[:string], :node_instance_ids=>[:string], :sdwan_peer_ids=>[:string], :storage_volume_ids=>[:string], :rolling_upgrade_plan=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanComposeFullTopologyExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_compose_full_topology_executor.rb - Category: devops
dry_run: booleanplanned_actions: arrayoutputs: {:host_bridges=>:object, :ovn=>:object, :ipfix=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanHostBridgeComposeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_host_bridge_compose_executor.rb - Category: devops
dry_run: booleanbridge_count: integerplanned_actions: arrayoutputs: {:host_bridge_ids=>[:string], :allocations=>[:object]}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanIpfixCollectorComposeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_ipfix_collector_compose_executor.rb - Category: devops
dry_run: booleanplanned_actions: arrayoutputs: {:ipfix_collector_id=>:string, :created=>:boolean, :name=>:string, :target_endpoint=>:string, :sampling_rate=>:integer, :state=>:string, :is_winning_collector=>:boolean}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanOvnApplyAclExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_ovn_apply_acl_executor.rb - Category: devops
dry_run: booleanacl_count: integerplanned_actions: arrayoutputs: {:logical_switch_id=>:string, :ovn_acl_ids=>[:string], :allocations=>[:object], :compiled_plan=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::SdwanOvnComposeTopologyExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_ovn_compose_topology_executor.rb - Category: devops
dry_run: booleanswitch_count: integerport_count: integerplanned_actions: arrayoutputs: {:ovn_deployment_id=>:string, :created_deployment=>:boolean, :logical_switch_ids=>[:string], :logical_switch_port_ids=>[:string], :compiled_plan=>:object}failures: arraypartial: boolean- Class:
System::Ai::Skills::SuggestArchitecturesForFleetExecutor - Source:
extensions/system/server/app/services/system/ai/skills/suggest_architectures_for_fleet_executor.rb - Category: devops
repository_id: stringsuggested: arrayrationale: arrayfallback: booleanconfidence: string- Class:
System::Ai::Skills::RunbookGenerateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/runbook_generate_executor.rb - Category: documentation
runbook_markdown: stringsection_count: integerpersisted_page_id: stringsource_artifacts: object- Class:
System::Ai::Skills::FederationManagerExecutor - Source:
extensions/system/server/app/services/system/ai/skills/federation_manager_executor.rb - Category: federation
account_id: stringran_at: stringcert_rotation_candidates: arraygrants_approaching_expiry: arraygrants_overdue_for_review: arraybroad_scope_grants: arraycapability_drift: arrayfinding_count: integer- Class:
System::Ai::Skills::ArchitectureCreateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/architecture_create_executor.rb - Category: fleet
architecture: object- Class:
System::Ai::Skills::ArchitectureDeleteExecutor - Source:
extensions/system/server/app/services/system/ai/skills/architecture_delete_executor.rb - Category: fleet
deleted: booleanarchitecture_id: string- Class:
System::Ai::Skills::ArchitectureProposeExecutor - Source:
extensions/system/server/app/services/system/ai/skills/architecture_propose_executor.rb - Category: fleet
proposal_id: stringstatus: stringreview_deadline: datetime- Class:
System::Ai::Skills::ArchitectureUpdateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/architecture_update_executor.rb - Category: fleet
architecture: object- Class:
System::Ai::Skills::SdwanBgpSessionRemediateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_bgp_session_remediate_executor.rb - Category: sdwan
resolved: booleansession_id: stringstate: stringlikely_cause: stringrecommended_action: string- Class:
System::Ai::Skills::SdwanFailoverExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_failover_executor.rb - Category: sdwan
resolved: booleannetwork_id: stringcurrent_hub_count: integercandidates: {:peer_id=>:string, :endpoint_host=>:string, :endpoint_port=>:integer, :last_handshake_at=>:string}- Class:
System::Ai::Skills::SdwanPeerRemediateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_peer_remediate_executor.rb - Category: sdwan
resolved: booleanrotated_from_key_id: stringnew_key_id: stringnew_public_key: string- Class:
System::Ai::Skills::SdwanVipFailoverExecutor - Source:
extensions/system/server/app/services/system/ai/skills/sdwan_vip_failover_executor.rb - Category: sdwan
resolved: booleanvirtual_ip_id: stringprevious_holder_peer_id: stringnew_holder_peer_id: stringanycast: boolean- Class:
System::Ai::Skills::CveRemediationOrchestrationExecutor - Source:
extensions/system/server/app/services/system/ai/skills/cve_remediation_orchestration_executor.rb - Category: security
cve_id: stringtriage: objectrefresh_dispatches: arrayrolling_upgrade_plans: arrayexposures_remediating: integerskipped_reason: string- Class:
System::Ai::Skills::CveResponseExecutor - Source:
extensions/system/server/app/services/system/ai/skills/cve_response_executor.rb - Category: security
cve_id: stringseverity: stringrisk_score: integerexposed_modules: arrayexposed_instance_count: integerremediation_plan: objectrequires_approval: boolean- Class:
System::Ai::Skills::CveRunbookGenerateExecutor - Source:
extensions/system/server/app/services/system/ai/skills/cve_runbook_generate_executor.rb - Category: security
runbook_markdown: stringcve_id: stringexposed_module_count: integerexposed_instance_count: integerrisk_score: integerrequires_approval: booleanpersisted_page_id: string- Class:
System::Ai::Skills::PlatformDeployExecutor - Source:
extensions/system/server/app/services/system/ai/skills/platform_deploy_executor.rb - Category: system
ok: booleancard: objectdeployment: objectacceptance_token: stringspawn_payload: object
Orchestrate the three SDWAN composition primitives (HostBridge, OVN, IPFIX) in one tool call. Composes SdwanHostBridgeComposeExecutor + SdwanOvnComposeTopologyExecutor + SdwanIpfixCollectorComposeExecutor.
Inputs
Field Type Required Description host_node_instance_idsarray Yes System::NodeInstance ids — passed through to host_bridge_compose kindstring No Optional explicit bridge kind override (linux ovn_topologyobject No Optional OVN composition payload: {nb_db_endpoint, sb_db_endpoint, northd_host?, switches} — when supplied, runs sdwan_ovn_compose_topology ipfix_collectorobject No Optional IPFIX collector payload: {name, host, port, sampling_rate?} — when supplied, runs sdwan_ipfix_collector_compose dry_runboolean No Plan only — invokes each sub-skill in dry_run mode Outputs
Allocate per-host SDWAN bridges (Linux for lightweight profile, OVS for heavyweight) for a set of NodeInstances. Composes Sdwan::HostBridgeAllocator. Idempotent.
Inputs
Field Type Required Description host_node_instance_idsarray Yes System::NodeInstance ids to allocate bridges for (1-100) kindstring No Optional explicit bridge kind override: linux dry_runboolean No Plan only — no Sdwan::HostBridge rows are persisted Outputs
Register an IPFIX collector for an account so the topology compiler can stamp ipfix exporter config onto every heavyweight (ovs-kind) HostBridge in the per-host payload. Idempotent on (account, name). Composes Sdwan::IpfixCollector.
Inputs
Field Type Required Description namestring Yes Display name for the collector — unique per account; reused on re-execution hoststring Yes Collector host (IPv4, IPv6, or hostname). IPv6 addresses are bracketed automatically when emitted to ovs-vsctl. portinteger Yes Collector UDP port (1-65535) sampling_rateinteger No Sampling rate (1 = export every flow). Ignored when re-using an existing collector. dry_runboolean No Plan only — no Sdwan::IpfixCollector row is persisted Outputs
Apply OVN ACLs (firewall rules) to a logical switch — heavyweight-profile only. Composes Sdwan::OvnAcl entries scoped to one switch and re-compiles the deployment plan. Idempotent on (switch, acl_name).
Inputs
Field Type Required Description logical_switch_idstring Yes Sdwan::OvnLogicalSwitch id the ACLs apply to (must belong to the executing account) aclsarray Yes Array of {name, direction, priority?, match, action} (1-100). direction: from-lport dry_runboolean No Plan only — no Sdwan::OvnAcl rows are persisted Outputs
Compose an OVN logical-network topology (deployment + logical switches + ports) for a heavyweight-profile account, then compile the ovn-nbctl plan. Composes Sdwan::OvnDeployment + Sdwan::OvnLogicalSwitch + Sdwan::OvnLogicalSwitchPort + Sdwan::OvnCompiler.
Inputs
Field Type Required Description switchesarray Yes Array of {name, cidr?, ports: [{name, kind, addresses?, host_node_instance_id?}]} (1-50) nb_db_endpointstring No OVN NB DB endpoint (e.g., tcp:127.0.0.1:6641) — required only when the account has no OvnDeployment yet sb_db_endpointstring No OVN SB DB endpoint (e.g., tcp:127.0.0.1:6642) — required only when the account has no OvnDeployment yet northd_hoststring No Advisory hint for which host runs ovn-northd — only used when creating a new deployment dry_runboolean No Plan only — no Sdwan rows are persisted Outputs
Suggest which canonical architectures to materialize a package for, based on the current fleet's NodePlatform coverage and the repository's served architectures.
Inputs
Field Type Required Description repository_idstring Yes PackageRepository.id whose architectures bound the suggestion set max_suggestionsinteger No Cap on the number of suggested arches (1-7) Outputs
Generate a markdown operational runbook for a NodeTemplate — boot order, common failure modes, recovery procedures
Inputs
Field Type Required Description template_idstring Yes - persist_as_pageboolean No Save the result as a Pages document so it's reachable via list_pages Outputs
Survey federation peer + grant + cert health for an account and surface findings the operator (or a future autonomy loop) should action.
Outputs
Directly create a custom (non-canonical) architecture. Requires system.architectures.manage; surfaces for operator approval via intervention policy.
Inputs
Field Type Required Description namestring Yes - familystring Yes - apt_namestring No - rpm_namestring No - display_namestring No - descriptionstring No - enabledboolean No - publicboolean No - Outputs
Delete a non-canonical architecture. Fails if any NodePlatform still references it. Canonical rows are immutable and return an error.
Inputs
Field Type Required Description architecture_idstring Yes - Outputs
Propose adding a new architecture to the platform-wide catalog (creates an Ai::AgentProposal for human review).
Inputs
Field Type Required Description namestring Yes Canonical lowercase name (e.g. loongarch64, mips64el) familystring Yes One of: x86, arm, power, z, risc-v, mips, other apt_namestring No apt-style name (e.g. amd64 for x86_64) rpm_namestring No rpm-style name (matches namefor most arches)display_namestring No - descriptionstring No - justificationstring No Why this arch is needed — surfaces in the approval UI Outputs
Update a non-canonical architecture's fields. Canonical rows are immutable and return an error.
Inputs
Field Type Required Description architecture_idstring Yes - attributesobject Yes Allowed: name, family, apt_name, rpm_name, display_name, description, kernel_options, enabled, public Outputs
Triage an unhealthy iBGP session; returns a plan with likely cause + recommended next step. v1 does NOT auto-restart FRR.
Inputs
Field Type Required Description bgp_session_idstring No - peer_idstring No Local peer (resolves session via peer_id + neighbor_address) neighbor_addressstring No - dry_runboolean No - Outputs
Plan an SDWAN hub failover for an unreachable network; identifies promotion candidates without auto-flipping
Inputs
Field Type Required Description network_idstring Yes - dry_runboolean No v1 only supports dry_run=true — auto-promotion deferred Outputs
Rotate an SDWAN peer's keypair and force the agent to re-establish its tunnel on next reconcile
Inputs
Field Type Required Description peer_idstring Yes Sdwan::Peer to remediate dry_runboolean No Plan-only mode — return what would happen without rotating keys Outputs
Promote the next failover candidate of a silent-holder Sdwan::VirtualIp. Anycast VIPs return informational only.
Inputs
Field Type Required Description virtual_ip_idstring Yes - dry_runboolean No - Outputs
Orchestrate the full CVE → exposure → rebuild → rolling-upgrade chain for one CVE
Inputs
Field Type Required Description cve_idstring Yes Canonical CVE id, e.g. CVE-2026-12345 severitystring No critical affected_module_idsarray No Optional pre-resolved list of module ids — when omitted, derived from CveExposure rows exposure_idsarray No Optional list of CveExposure ids to transition to remediating Outputs
Triage a CVE entry against the fleet — enumerates exposure, scores risk, proposes a remediation plan
Inputs
Field Type Required Description cve_idstring Yes Canonical CVE id, e.g. CVE-2026-12345 severitystring Yes critical affected_packagesarray Yes [{name: 'openssl', version: '<3.1.4'}, ...] summarystring No - Outputs
Generate a markdown remediation runbook for a CVE — exposed modules, recommended steps, verification commands
Inputs
Field Type Required Description cve_idstring Yes Canonical CVE id, e.g. CVE-2026-12345 persist_as_pageboolean No Save the runbook as a Pages document so it's reachable via list_pages Outputs
Deploy a new Powernode platform. Pass mode='standalone' for a sovereign platform or mode='federated' for one that handshakes back with this platform on first boot. With no params, returns a wizard payload describing the form the operator should fill in.
Inputs
Field Type Required Description modestring No Deployment mode: standalone namestring No Human-readable name for the new platform / deployment. template_slugstring No NodeTemplate slug to use (default: powernode-hub). parent_urlstring No Required for federated mode — reachable URL of THIS platform that the child posts back to. spawn_modestring No Required for federated mode — one of: managed_child, autonomous_peer, cluster_member. regionstring No Optional provider region preference. instance_sizestring No Optional provider instance type preference. service_rolestring No Service role for the PlatformDeployment row (default: api). public_dns_hostnamestring No Optional public DNS hostname for the new platform. token_ttl_secondsinteger No Acceptance-token TTL for federated spawns (default: 7 days). Outputs
- Class:
Relocate a project's compute workload from one region to another via blue/green or drain cutover. Composes ProvisionFullStackExecutor (target) + ProvisioningService.terminate_instance (source).
Inputs
Field Type Required Description project_idstring Yes Ai::Mission id (the provisioning project being relocated) from_region_idstring Yes System::ProviderRegion the workload is leaving (audit hint, no lookup) to_region_idstring Yes System::ProviderRegion the workload is moving to (target for new stack) cutover_strategystring Yes One of: blue_green, drain template_idstring Yes System::NodeTemplate to instantiate at the target region provider_instance_type_idstring Yes Instance type for the target stack countinteger Yes Number of new instances to bring up at the target (1-50) source_instance_idsarray Yes System::NodeInstance ids in the source region to terminate during cutover network_idstring No Sdwan::Network — when present, target instances are wired into the SDWAN topology and peer ids returned with_storage_gbinteger No When present, provision a per-instance ProviderVolume of this size at the target dry_runboolean No Plan only — return projected actions without provisioning or terminating Outputs
Plan a batched rolling upgrade of a NodeModule across all instances of a Template, with circuit-breaker and health gating
Inputs
Field Type Required Description template_idstring Yes - module_idstring Yes - target_version_idstring Yes - batch_pctinteger No Percent of fleet to upgrade per batch (1-100). Smaller = safer + slower. max_consecutive_failuresinteger No Trip the circuit-breaker after this many consecutive batch failures health_timeout_secinteger No How long to wait for a batch to report healthy heartbeats before marking failed Outputs
- Class:
Given a failed NodeInstance, rank recent module changes + promotions by likelihood of being the cause
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
instance_id |
string | Yes | - |
lookback_hours |
integer | No | - |
Outputs
Recommend instance count or instance-type adjustments for a Template's fleet based on heartbeat health and assignment density
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
template_id |
string | Yes | - |
target_min_active |
integer | No | Minimum number of healthy active instances the fleet must maintain |
Outputs
Create an SDWAN network for a project, attach the supplied instances as peers, optionally provision a project VIP, and compile the topology preview. Composes Sdwan::Network + Sdwan::PeerEnroller + Sdwan::VirtualIp + Sdwan::TopologyCompiler.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
project_id |
string | Yes | Ai::Mission id (the provisioning project receiving the overlay) |
instance_ids |
array | Yes | System::NodeInstance ids to enroll as peers (1-100) |
network_name |
string | Yes | Display name for the new Sdwan::Network |
topology |
string | Yes | One of: hub_and_spoke, mesh |
with_vip |
boolean | No | When true, provision a project-level VirtualIp held by the first peer |
vip_name |
string | No | Optional VIP name (defaults to '<network_name>-vip') |
vip_cidr |
string | No | VIP CIDR — required when with_vip is true (operator must provide a /128 in the network's /64) |
dry_run |
boolean | No | Plan only — no Sdwan::Network/Peer/VirtualIp rows are persisted |
Outputs
Deploy a Git repository onto a provisioned NodeInstance via SSH+systemd
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
node_instance_id |
string | Yes | Target System::NodeInstance.id (provisioned earlier in the plan) |
repo_url |
string | Yes | Git remote URL (https or ssh) |
branch |
string | No | Git branch to deploy |
start_command |
string | No | Command to run as the systemd ExecStart (e.g. 'npm start'). Inferred from repo if omitted. |
deploy_key_id |
string | No | Secret ID for a private repo deploy key (resolved by CodeDeployService) |
mission_id |
string | No | Auto-injected by PlanComposer — the Ai::Mission this deploy belongs to |
dry_run |
boolean | No | Plan only — return projected actions without touching the node |
Outputs
Intent-based package discovery — describe a capability need ('reverse proxy', 'distributed cache') and get ranked packages from accessible repositories. Use system_search_packages instead when you already know the package name and just want filter/browse.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
intent |
string | Yes | Free-text capability description — what the package should do |
repository_ids |
array | No | PackageRepository UUIDs to restrict the search to |
kind |
string | No | Repository kind filter — apt |
architectures |
array | No | Canonical arch names (amd64, arm64) to filter against — cross-kind expanded |
license |
string | No | Exact license string to require (e.g. 'MIT', 'Apache-2.0') |
top_k |
integer | No | Max results to return (1-50) |
Outputs
Provision a managed Docker daemon on a NodeInstance — auto-registers as a Devops::DockerHost bound to the SDWAN overlay /128
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
node_instance_id |
string | Yes | NodeInstance to provision (must already have an Sdwan::Peer with assigned overlay) |
dry_run |
boolean | No | Plan-only — return projected actions without creating the DockerHost row |
Outputs
Reconcile a NodeInstance's running modules against its assigned modules; returns a planned action set + estimated disruption %
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
instance_id |
string | Yes | NodeInstance to reconcile |
max_disruption_pct |
integer | No | Disruption threshold above which the skill returns requires_approval=true |
Outputs
Summarize the package repositories configured for the operator's account — counts, kinds (apt/rpm/dnf), visibility (shared vs account), sync status. Use for 'how many package repos', 'what package sources', 'list my repositories', or similar inventory queries.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
intent |
string | Yes | Free-text query — typically the user's natural-language ask about repositories |
Outputs
Compose a Template draft from a workload description — keyword-matches modules and proposes a composition with conflict checks
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
description |
string | Yes | Free-form workload description, e.g. 'nginx web server with SSL and metrics' |
platform_id |
string | No | Restrict the search to modules for a specific NodePlatform |
max_modules |
integer | No | - |
Outputs
Materialize an apt/rpm package + transitive dep closure as NodeModule rows + ModuleDependency edges, then dispatch a CI build
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
repository_id |
string | Yes | - |
package_name |
string | Yes | - |
architectures |
array | No | Defaults to repository.architectures if omitted |
recommends_selected |
array | No | Per-edge recommends opt-in list (defaults to none) |
category_id |
string | No | - |
Outputs
Re-materialize a NodeModule's source package when upstream drifts (replays persisted recommends_chosen for determinism)
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
package_module_link_id |
string | Yes | PackageModuleLink.id of the module to refresh |
force |
boolean | No | - |
Outputs
Sync upstream apt/rpm metadata for one package repository (account-scoped or shared)
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
repository_id |
string | Yes | PackageRepository.id |
Outputs
Routine platform maintenance — certificate renewal, drift checks, health snapshots. Use this skill when the operator asks about (a) which certs are expiring soon, (b) whether they should rotate something, (c) the current platform health, or (d) whether any instances have drifted from their template.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
action |
string | Yes | One of: cert_status, cert_rotate, drift_check, health_check |
certificate_id |
string | No | Cert id (only for cert_rotate of a specific row; omit to rotate all expiring) |
deployment_id |
string | No | PlatformDeployment id (for drift_check; omit to scan all deployments) |
renewal_window_days |
integer | No | How many days ahead to consider a cert 'expiring soon' (cert_status / cert_rotate) |
Outputs
Platform incident response — drain an instance, scale a deployment up/down, or triage peer/instance health. Use this skill when the operator describes a stress event (instance misbehaving, capacity pressure, peer heartbeats stale) or asks 'what should I do about X'.
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
action |
string | Yes | One of: drain_instance, scale, failover_check |
instance_id |
string | No | NodeInstance id (required for drain_instance) |
timeout_seconds |
integer | No | Drain timeout for in-flight work (drain_instance only) |
deployment_id |
string | No | PlatformDeployment id (required for scale) |
direction |
string | No | scale direction: set |
target_replicas |
integer | No | When direction=set, the new target_replicas value |
Outputs
Provision N instances of a Template in a region — composes create_node + provision_instance for each
Inputs
| Field | Type | Required | Description |
|---|---|---|---|
template_id |
string | Yes | - |
count |
integer | Yes | Number of nodes/instances to spin up (1-50) |
provider_region_id |
string | Yes | - |
provider_instance_type_id |
string | Yes | - |
name_prefix |
string | No | Prefix for node names (default: "node") |
dry_run |
boolean | No | Plan only — return projected actions without creating resources |
Outputs