Inventory quartet and initial leases

20-identity/templates/README.md

@@ -0,0 +1,7 @@
+# Templates
+
+Use these templates to keep identity material consistent:
+
+- `role.md`
+- `lease.md`
+

20-identity/templates/lease.md

@@ -0,0 +1,24 @@
+# Lease: <device-or-system>
+
+## Grant
+
+- Lease type:
+- Issued to role:
+- Issued at (UTC):
+- Expires at (UTC):
+- Revoked at (UTC):
+
+## Scope
+
+- What this lease permits:
+- What it explicitly forbids:
+
+## Rotation / revocation
+
+- Revocation procedure:
+- Post-revoke verification:
+
+## Evidence
+
+What you record when granting/rotating/revoking (timestamps, IDs, logs).
+

20-identity/templates/role.md

@@ -0,0 +1,29 @@
+# Role: <name>
+
+## Purpose
+
+What this role exists to do.
+
+## Scope
+
+- Allowed actions:
+- Forbidden actions:
+
+## Allowed origins
+
+Where this role is allowed to be used from (e.g., `op-core-vm`).
+
+## Credentials
+
+What mechanisms this role uses (keys/tokens), and where the encrypted material lives.
+
+## Rotation / revocation
+
+- How to revoke fast:
+- How to rotate predictably:
+- Proof you record:
+
+## Notes
+
+Anything future-you must remember.
+