operations:
  verify:
    description: "Verify username/password credentials"
    input:
      required: [username, password]
    output: boolean
    acl_required: []
    public: true
    rate_limit:
      max_attempts: 5
      window_seconds: 300
    errors:
      - UNAUTHORIZED: "Invalid credentials"
      - RATE_LIMIT_EXCEEDED: "Too many login attempts"
      
  set:
    description: "Set or update password for user"
    input:
      required: [username, password_hash]
    output: boolean
    acl_required: ["credential:write"]
    system_only: true
    security:
      audit: true
      never_log_password: true
    errors:
      - NOT_FOUND: "User not found"
      
  set_first_login_flag:
    description: "Set first login flag"
    input:
      required: [username, first_login]
    output: boolean
    acl_required: ["credential:write"]
    system_only: true
    errors:
      - NOT_FOUND: "User not found"
      
  get_first_login_flag:
    description: "Get first login flag"
    input:
      required: [username]
    output: boolean
    acl_required: ["credential:read"]
    system_only: true
    errors:
      - NOT_FOUND: "User not found"
      
  delete:
    description: "Delete credentials for user"
    input:
      required: [username]
    output: boolean
    acl_required: ["credential:delete"]
    system_only: true
    security:
      audit: true
    errors:
      - NOT_FOUND: "User not found"