{ "systems": [ { "id": "ops-warden", "name": "Ops Warden", "resource_types": [ { "name": "ssh-certificate", "scope_level": "Resource", "planes": [ "Identity", "Secret", "Audit" ], "metadata": { "description": "Short-lived SSH certificate signing request." } } ], "actions": [ { "name": "sign", "capabilities": [ "Use", "Operate", "Audit" ], "planes": [ "Identity", "Secret", "Audit" ], "exposure_modes": [ "Metadata" ], "metadata": { "required_context": [ "principals", "actor_type", "pubkey_fingerprint", "ttl_hours" ] } } ], "caring_profiles": [ "caring-0.4.0-rc2" ], "metadata": { "flex_auth_contract": "protected-system-v0", "ops_warden_policy_gate": "v2", "policy_enabled_config": "policy.enabled", "tenant": "tenant:platform" } } ], "resource_manifests": [ { "id": "ops-warden-ssh-certificates", "system": "ops-warden", "resources": [ { "id": "ssh-cert:actor/adm-example", "type": "ssh-certificate", "labels": [ "ssh-signing", "adm" ], "trust_zone": "platform", "owner": "team:platform-security", "attributes": { "actor_id": "adm-example", "actor_type": "adm", "allowed_subjects": [ "adm-example", "iam:adm-example" ], "allowed_principals": [ "adm-full" ], "max_ttl_hours": 48 } }, { "id": "ssh-cert:actor/agt-codex-interhub-bootstrap", "type": "ssh-certificate", "labels": [ "ssh-signing", "agt" ], "trust_zone": "platform", "owner": "team:platform-security", "attributes": { "actor_id": "agt-codex-interhub-bootstrap", "actor_type": "agt", "allowed_subjects": [ "agt-codex-interhub-bootstrap", "iam:agt-codex-interhub-bootstrap" ], "allowed_principals": [ "agt-interhub-bootstrap" ], "max_ttl_hours": 2 } }, { "id": "ssh-cert:actor/agt-state-hub-bridge", "type": "ssh-certificate", "labels": [ "ssh-signing", "agt" ], "trust_zone": "platform", "owner": "team:platform-security", "attributes": { "actor_id": "agt-state-hub-bridge", "actor_type": "agt", "allowed_subjects": [ "agt-state-hub-bridge", "iam:agt-state-hub-bridge" ], "allowed_principals": [ "agt-task-bridge" ], "max_ttl_hours": 24 } }, { "id": "ssh-cert:actor/atm-backup-daily", "type": "ssh-certificate", "labels": [ "ssh-signing", "atm" ], "trust_zone": "platform", "owner": "team:platform-security", "attributes": { "actor_id": "atm-backup-daily", "actor_type": "atm", "allowed_subjects": [ "atm-backup-daily", "iam:atm-backup-daily" ], "allowed_principals": [ "atm-backup-daily" ], "max_ttl_hours": 8 } } ], "actions": [ "sign" ], "caring_profile": "caring-0.4.0-rc2", "metadata": { "flex_auth_contract": "resource-registration-v0", "tenant": "tenant:platform" } } ], "tenants": [ { "id": "tenant:platform", "name": "Platform Tenant" } ], "subjects": [ { "id": "adm-example", "type": "Agent", "display_name": "Example human operator \u2014 replace with per-person adm-* actors", "organization_relation": "ServiceProvider", "roles": [ "Operator" ], "groups": [ "group:ops-warden-admins" ], "tenant": "tenant:platform", "metadata": { "actor_type": "adm" } }, { "id": "agt-codex-interhub-bootstrap", "type": "Agent", "display_name": "Short-lived agent access for attended Inter-Hub bootstrap", "organization_relation": "ServiceProvider", "roles": [ "Operator" ], "groups": [ "group:ops-warden-agents" ], "tenant": "tenant:platform", "metadata": { "actor_type": "agt" } }, { "id": "agt-state-hub-bridge", "type": "Agent", "display_name": "ops-bridge tunnel agent for state-hub", "organization_relation": "ServiceProvider", "roles": [ "Operator" ], "groups": [ "group:ops-warden-agents" ], "tenant": "tenant:platform", "metadata": { "actor_type": "agt" } }, { "id": "atm-backup-daily", "type": "Automation", "display_name": "Example nightly automation actor", "organization_relation": "ServiceProvider", "roles": [ "Operator" ], "groups": [ "group:ops-warden-automations" ], "tenant": "tenant:platform", "metadata": { "actor_type": "atm" } } ], "groups": [ { "id": "group:ops-warden-admins", "display_name": "Ops Warden Admins", "members": [ "adm-example" ], "tenant": "tenant:platform" }, { "id": "group:ops-warden-agents", "display_name": "Ops Warden Agents", "members": [ "agt-codex-interhub-bootstrap", "agt-state-hub-bridge" ], "tenant": "tenant:platform" }, { "id": "group:ops-warden-automations", "display_name": "Ops Warden Automations", "members": [ "atm-backup-daily" ], "tenant": "tenant:platform" } ], "relationships": [ { "id": "rel:adm-example-sign-adm-example", "system": "ops-warden", "subject": "group:ops-warden-admins", "relation": "signer", "object": "ssh-cert:actor/adm-example", "tenant": "tenant:platform", "conditions": [ "TimeLimited", "Logged" ], "caring": { "id": "descriptor:ops-warden-adm-signer", "profile": "caring-0.4.0-rc2", "subject_type": "Group", "organization_relation": "ServiceProvider", "canonical_role": "Operator", "scope": { "level": "Resource", "id": "ssh-cert:actor/adm-example", "tenant": "tenant:platform", "resource": "ssh-cert:actor/adm-example" }, "planes": [ "Identity", "Secret", "Audit" ], "capabilities": [ "Use", "Operate", "Audit" ], "exposure_modes": [ "Metadata" ], "conditions": [ "TimeLimited", "Logged" ], "restrictions": [ "PrivilegeEscalationBlocked", "SecretAccessBlocked" ], "access_path": "mediated" } }, { "id": "rel:agt-codex-interhub-bootstrap-sign-agt-codex-interhub-bootstrap", "system": "ops-warden", "subject": "group:ops-warden-agents", "relation": "signer", "object": "ssh-cert:actor/agt-codex-interhub-bootstrap", "tenant": "tenant:platform", "conditions": [ "TimeLimited", "Logged" ], "caring": { "id": "descriptor:ops-warden-agt-signer", "profile": "caring-0.4.0-rc2", "subject_type": "Group", "organization_relation": "ServiceProvider", "canonical_role": "Operator", "scope": { "level": "Resource", "id": "ssh-cert:actor/agt-codex-interhub-bootstrap", "tenant": "tenant:platform", "resource": "ssh-cert:actor/agt-codex-interhub-bootstrap" }, "planes": [ "Identity", "Secret", "Audit" ], "capabilities": [ "Use", "Operate", "Audit" ], "exposure_modes": [ "Metadata" ], "conditions": [ "TimeLimited", "Logged" ], "restrictions": [ "PrivilegeEscalationBlocked", "SecretAccessBlocked" ], "access_path": "mediated" } }, { "id": "rel:agt-state-hub-bridge-sign-agt-state-hub-bridge", "system": "ops-warden", "subject": "group:ops-warden-agents", "relation": "signer", "object": "ssh-cert:actor/agt-state-hub-bridge", "tenant": "tenant:platform", "conditions": [ "TimeLimited", "Logged" ], "caring": { "id": "descriptor:ops-warden-agt-signer", "profile": "caring-0.4.0-rc2", "subject_type": "Group", "organization_relation": "ServiceProvider", "canonical_role": "Operator", "scope": { "level": "Resource", "id": "ssh-cert:actor/agt-state-hub-bridge", "tenant": "tenant:platform", "resource": "ssh-cert:actor/agt-state-hub-bridge" }, "planes": [ "Identity", "Secret", "Audit" ], "capabilities": [ "Use", "Operate", "Audit" ], "exposure_modes": [ "Metadata" ], "conditions": [ "TimeLimited", "Logged" ], "restrictions": [ "PrivilegeEscalationBlocked", "SecretAccessBlocked" ], "access_path": "mediated" } }, { "id": "rel:atm-backup-daily-sign-atm-backup-daily", "system": "ops-warden", "subject": "group:ops-warden-automations", "relation": "signer", "object": "ssh-cert:actor/atm-backup-daily", "tenant": "tenant:platform", "conditions": [ "TimeLimited", "Logged" ], "caring": { "id": "descriptor:ops-warden-atm-signer", "profile": "caring-0.4.0-rc2", "subject_type": "Group", "organization_relation": "ServiceProvider", "canonical_role": "Operator", "scope": { "level": "Resource", "id": "ssh-cert:actor/atm-backup-daily", "tenant": "tenant:platform", "resource": "ssh-cert:actor/atm-backup-daily" }, "planes": [ "Identity", "Secret", "Audit" ], "capabilities": [ "Use", "Operate", "Audit" ], "exposure_modes": [ "Metadata" ], "conditions": [ "TimeLimited", "Logged" ], "restrictions": [ "PrivilegeEscalationBlocked", "SecretAccessBlocked" ], "access_path": "mediated" } } ] }