Inventory quartet and initial leases
This commit is contained in:
vaultsovereign
20
20-identity/roles/operator.md
Normal file
20
20-identity/roles/operator.md
Normal file
@@ -0,0 +1,20 @@
|
||||
# Role: operator
|
||||
|
||||
## Purpose
|
||||
|
||||
Execute critical operational actions from the core boundary.
|
||||
|
||||
## Scope
|
||||
|
||||
- Allowed: provisioning, configuration, recovery, decommission.
|
||||
- Forbidden: ad-hoc changes outside `op-core-vm`.
|
||||
|
||||
## Allowed origins
|
||||
|
||||
- `op-core-vm` only.
|
||||
|
||||
## Rotation / revocation
|
||||
|
||||
- Revoke: invalidate leases, rotate credentials, and sever device trust.
|
||||
- Prove: record the action in `70-audits/reports/`.
|
||||
|
||||
20
20-identity/roles/witness.md
Normal file
20
20-identity/roles/witness.md
Normal file
@@ -0,0 +1,20 @@
|
||||
# Role: witness
|
||||
|
||||
## Purpose
|
||||
|
||||
Observe and confirm (alerts, read-only checks, second-factor confirmations).
|
||||
|
||||
## Scope
|
||||
|
||||
- Allowed: read-only verification and confirmations.
|
||||
- Forbidden: provisioning and configuration changes.
|
||||
|
||||
## Allowed origins
|
||||
|
||||
- `op-witness-phone` only.
|
||||
|
||||
## Rotation / revocation
|
||||
|
||||
- Revoke: remove device access and rotate any linked factors.
|
||||
- Prove: record the action in `70-audits/reports/`.
|
||||
|
||||
Reference in New Issue
Block a user