Inventory quartet and initial leases

20-identity/leases/README.md

@@ -0,0 +1,12 @@
+# Leases
+
+Leases are time-bound grants of access tied to a device (or system) and a role.
+
+Rules:
+
+- A lease has an expiry.
+- A lease is revocable.
+- Every lease has a recorded grant and a recorded revoke/rotate event.
+
+Use `20-identity/templates/lease.md` for new leases.
+

20-identity/leases/op-console-mac.md

@@ -0,0 +1,20 @@
+# Lease: op-console-mac
+
+## Grant
+
+- Lease type: device (console)
+- Issued to role: operator
+- Issued at (UTC):
+- Expires at (UTC):
+- Revoked at (UTC):
+
+## Scope
+
+- Permits: physical and local access required to operate `op-core-vm`.
+- Forbids: treating the host OS as a source of trust.
+
+## Rotation / revocation
+
+- Revoke: remove local access, rotate any credentials that could have been exposed, and rebuild `op-core-vm` if integrity is in doubt.
+- Verify: confirm operator access is only possible from a trusted, rebuilt core.
+

20-identity/leases/op-witness-phone.md

@@ -0,0 +1,20 @@
+# Lease: op-witness-phone
+
+## Grant
+
+- Lease type: device (witness)
+- Issued to role: witness
+- Issued at (UTC):
+- Expires at (UTC):
+- Revoked at (UTC):
+
+## Scope
+
+- Permits: read-only verification and confirmations.
+- Forbids: initiating critical operational changes.
+
+## Rotation / revocation
+
+- Revoke: remove device access and rotate any linked factors.
+- Verify: confirm no critical role can originate from this device.
+