Inventory quartet and initial leases

2025-12-17 15:54:20 +00:00
parent 44edf6734b
commit 901444a6d5
21 changed files with 291 additions and 0 deletions
--- a/20-identity/roles/operator.md
+++ b/20-identity/roles/operator.md
@@ -0,0 +1,20 @@
+# Role: operator
+
+## Purpose
+
+Execute critical operational actions from the core boundary.
+
+## Scope
+
+- Allowed: provisioning, configuration, recovery, decommission.
+- Forbidden: ad-hoc changes outside `op-core-vm`.
+
+## Allowed origins
+
+- `op-core-vm` only.
+
+## Rotation / revocation
+
+- Revoke: invalidate leases, rotate credentials, and sever device trust.
+- Prove: record the action in `70-audits/reports/`.
+