Merge branch 'chore/inventory-quartet' into 'main'

Inventory quartet and initial leases

See merge request vaultsovereign/ops!1
2025-12-17 15:59:15 +00:00
21 changed files with 291 additions and 0 deletions


@@ -0,0 +1,14 @@
# Hosts
Each host lives in its own directory:
```
10-inventory/hosts/<role>-<scope>-<id>/
```
Minimum:
- `README.md` (purpose + trust boundary)
- `hardware.md` (what it is)
- `os.md` (what it runs)
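Review bot: the directory scheme `<role>-<scope>-<id>` is stated but its allowed values are not; the four hosts in this merge use `op`/`srv` as role and `console`/`witness`/`local` as scope, so listing those here would keep later additions consistent. The minimum file set also omits the lease link that the two `op-*` READMEs carry under `## References`; consider making that part of the minimum so every host points at the lease that governs it.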


@@ -0,0 +1,16 @@
# op-console-mac
## Purpose
Console host used to run `op-core-vm`.
## Trust boundary
- The host is a console, not a source of trust.
- Critical actions happen only inside `op-core-vm`.
- No long-lived secrets are kept on the host if avoidable.
## References
- Doctrine: `00-doctrine/operator-charter.md`
- Lease: `20-identity/leases/op-console-mac.md`
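Review bot: `op-core-vm` is named here (and in every other host file) as the only place critical actions happen, yet none of the 21 files in this merge gives it a host directory or a lease; the quartet documents the console that runs the VM but not the VM itself. Also, "No long-lived secrets are kept on the host if avoidable" leaves the exception undefined; state which secrets, if any, are permitted on the host and where that exception is recorded.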


@@ -0,0 +1,10 @@
# Hardware (op-console-mac)
- Model:
- Serial:
- CPU:
- RAM:
- Storage:
- Network:
- Location:


@@ -0,0 +1,12 @@
# OS (op-console-mac)
- OS:
- Version:
- Install method:
- Disk encryption:
- Update policy:
## Notes
- The VM is the authority source; the host is replaceable.


@@ -0,0 +1,15 @@
# op-witness-phone
## Purpose
Witness device for verification (alerts, confirmations, second factors).
## Trust boundary
- The phone is a witness, not a workstation.
- Prefer read-only access; no critical admin actions originate here.
## References
- Doctrine: `00-doctrine/operator-charter.md`
- Lease: `20-identity/leases/op-witness-phone.md`
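Review bot: "Prefer read-only access" is weaker than the matching lease ("Forbids: initiating critical operational changes") and role ("Forbidden: provisioning and configuration changes"); align the wording so this README states the same hard boundary rather than a preference.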


@@ -0,0 +1,7 @@
# Hardware (op-witness-phone)
- Model:
- Serial/IMEI:
- Storage:
- Network:


@@ -0,0 +1,7 @@
# OS (op-witness-phone)
- OS:
- Version:
- Update policy:
- Lock screen policy:
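Review bot: this os.md drops the `Disk encryption:` field that the other three hosts' os.md files carry, even though the phone holds second factors per its README; add it next to the lock screen policy.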


@@ -0,0 +1,11 @@
# srv-local-core
## Purpose
Local core server: stable services and state that must still be rebuildable.
## Authority boundary
- Provisioning and changes originate from `op-core-vm`.
- Host state is treated as disposable; the source of truth lives in `ops/`.
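Review bot: this README uses `## Authority boundary` and has no `## References` section, whereas `10-inventory/hosts/README.md` asks for "purpose + trust boundary" and the two `op-*` READMEs link doctrine and lease; use the same heading and add the references so hosts can be audited uniformly.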


@@ -0,0 +1,10 @@
# Hardware (srv-local-core)
- Model:
- Serial:
- CPU:
- RAM:
- Storage:
- Network:
- Location:


@@ -0,0 +1,8 @@
# OS (srv-local-core)
- OS:
- Version:
- Install method:
- Disk encryption:
- Update policy:


@@ -0,0 +1,11 @@
# srv-local-shield
## Purpose
Local shield node: boundary services (gateway, filtering, segmentation).
## Authority boundary
- Provisioning and changes originate from `op-core-vm`.
- Configuration is managed as code; rebuilds are expected.
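Review bot: neither srv-local-core nor srv-local-shield has a lease, although `20-identity/leases/README.md` defines leases as tied to "a device (or system) and a role"; if servers are intentionally out of scope because only `op-core-vm` is an allowed origin, say so in the leases README, otherwise add leases for both.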


@@ -0,0 +1,10 @@
# Hardware (srv-local-shield)
- Model:
- Serial:
- CPU:
- RAM:
- Storage:
- Network:
- Location:


@@ -0,0 +1,8 @@
# OS (srv-local-shield)
- OS:
- Version:
- Install method:
- Disk encryption:
- Update policy:


@@ -0,0 +1,12 @@
# Leases
Leases are time-bound grants of access tied to a device (or system) and a role.
Rules:
- A lease has an expiry.
- A lease is revocable.
- Every lease has a recorded grant and a recorded revoke/rotate event.
Use `20-identity/templates/lease.md` for new leases.
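Review bot: the rules require a recorded grant and a recorded revoke/rotate event but do not say where that record lives; both role files point to `70-audits/reports/`, so reference that path here. Consider also stating who may issue a lease, since the lease template has no issuer field.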


@@ -0,0 +1,20 @@
# Lease: op-console-mac
## Grant
- Lease type: device (console)
- Issued to role: operator
- Issued at (UTC):
- Expires at (UTC):
- Revoked at (UTC):
## Scope
- Permits: physical and local access required to operate `op-core-vm`.
- Forbids: treating the host OS as a source of trust.
## Rotation / revocation
- Revoke: remove local access, rotate any credentials that could have been exposed, and rebuild `op-core-vm` if integrity is in doubt.
- Verify: confirm operator access is only possible from a trusted, rebuilt core.
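Review bot: `Issued at (UTC)` and `Expires at (UTC)` are blank in a lease being merged to main, which conflicts with the first rule in the leases README ("A lease has an expiry"); either fill them in or mark the lease as not yet granted. The same applies to the op-witness-phone lease below.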


@@ -0,0 +1,20 @@
# Lease: op-witness-phone
## Grant
- Lease type: device (witness)
- Issued to role: witness
- Issued at (UTC):
- Expires at (UTC):
- Revoked at (UTC):
## Scope
- Permits: read-only verification and confirmations.
- Forbids: initiating critical operational changes.
## Rotation / revocation
- Revoke: remove device access and rotate any linked factors.
- Verify: confirm no critical role can originate from this device.
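Review bot: the `## Evidence` section defined in `20-identity/templates/lease.md` is missing here and in the op-console-mac lease, so there is nowhere to record the timestamps, IDs and logs the template requires for grant/rotate/revoke; add it, ideally pointing at `70-audits/reports/`.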


@@ -0,0 +1,20 @@
# Role: operator
## Purpose
Execute critical operational actions from the core boundary.
## Scope
- Allowed: provisioning, configuration, recovery, decommission.
- Forbidden: ad-hoc changes outside `op-core-vm`.
## Allowed origins
- `op-core-vm` only.
## Rotation / revocation
- Revoke: invalidate leases, rotate credentials, and sever device trust.
- Prove: record the action in `70-audits/reports/`.
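Review bot: the `## Credentials` section that `20-identity/templates/role.md` defines (mechanisms used and where the encrypted material lives) is absent, yet the revoke step says "rotate credentials"; without it the reader cannot tell which credentials to rotate. Also "Prove:" differs from the template's "Proof you record:"; pick one label.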


@@ -0,0 +1,20 @@
# Role: witness
## Purpose
Observe and confirm (alerts, read-only checks, second-factor confirmations).
## Scope
- Allowed: read-only verification and confirmations.
- Forbidden: provisioning and configuration changes.
## Allowed origins
- `op-witness-phone` only.
## Rotation / revocation
- Revoke: remove device access and rotate any linked factors.
- Prove: record the action in `70-audits/reports/`.
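Review bot: as with the operator role, `## Credentials` is missing; here it matters because the lease's revoke step says "rotate any linked factors" and the second factors this role confirms are not listed anywhere. Add the section naming the factor mechanisms (not the secrets themselves) so rotation is actionable.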


@@ -0,0 +1,7 @@
# Templates
Use these templates to keep identity material consistent:
- `role.md`
- `lease.md`
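Review bot: say where filled-in copies go; the host READMEs reference `20-identity/leases/` for leases, but no directory for role files is named anywhere in this merge.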


@@ -0,0 +1,24 @@
# Lease: <device-or-system>
## Grant
- Lease type:
- Issued to role:
- Issued at (UTC):
- Expires at (UTC):
- Revoked at (UTC):
## Scope
- What this lease permits:
- What it explicitly forbids:
## Rotation / revocation
- Revocation procedure:
- Post-revoke verification:
## Evidence
What you record when granting/rotating/revoking (timestamps, IDs, logs).
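Review bot: the Grant block has no `Issued by` field, so the "recorded grant" the leases README demands cannot name who granted it; add one. Also `## Evidence` is a sentence of guidance rather than fields; turning it into bullets (grant record, rotate record, revoke record) matches the rest of the template and makes omissions visible, as in the two leases above that dropped the section entirely.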


@@ -0,0 +1,29 @@
# Role: <name>
## Purpose
What this role exists to do.
## Scope
- Allowed actions:
- Forbidden actions:
## Allowed origins
Where this role is allowed to be used from (e.g., `op-core-vm`).
## Credentials
What mechanisms this role uses (keys/tokens), and where the encrypted material lives.
## Rotation / revocation
- How to revoke fast:
- How to rotate predictably:
- Proof you record:
## Notes
Anything future-you must remember.
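Review bot: `## Allowed origins` is free text here, but both concrete roles use a bullet ending in "only"; make the template a bullet list so exclusivity of origin is stated explicitly rather than left to the author.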