# Role: witness

## Purpose

Observe and confirm (alerts, read-only checks, second-factor confirmations).

## Scope

- Allowed: read-only verification and confirmations.
- Forbidden: provisioning and configuration changes.

## Allowed origins

- `op-witness-phone` only.

## Rotation / revocation

- Revoke: remove device access and rotate any linked factors.
- Prove: record the action in `70-audits/reports/`.