# Role: operator

## Purpose

Execute critical operational actions from the core boundary.

## Scope

- Allowed: provisioning, configuration, recovery, decommission.
- Forbidden: ad-hoc changes outside `op-core-vm`.

## Allowed origins

- `op-core-vm` only.

## Rotation / revocation

- Revoke: invalidate leases, rotate credentials, and sever device trust.
- Prove: record the action in `70-audits/reports/`.