{ "systems": [ { "id": "ops-warden", "name": "Ops Warden", "resource_types": [ { "name": "ssh-certificate", "scope_level": "Resource", "planes": [ "Identity", "Secret", "Audit" ], "metadata": { "description": "Short-lived SSH certificate signing request." } } ], "actions": [ { "name": "sign", "capabilities": [ "Use", "Operate", "Audit" ], "planes": [ "Identity", "Secret", "Audit" ], "exposure_modes": [ "Metadata" ], "metadata": { "required_context": [ "principals", "actor_type", "pubkey_fingerprint", "ttl_hours" ] } } ], "caring_profiles": [ "caring-0.4.0-rc2" ], "metadata": { "flex_auth_contract": "protected-system-v0", "ops_warden_policy_gate": "v2", "policy_enabled_config": "policy.enabled", "tenant": "tenant:platform" } } ], "resource_manifests": [ { "id": "ops-warden-ssh-certificates", "system": "ops-warden", "resources": [ { "id": "ssh-cert:actor/platform-steward", "type": "ssh-certificate", "labels": [ "ssh-signing", "adm" ], "trust_zone": "platform", "owner": "team:platform-security", "attributes": { "actor_id": "platform-steward", "actor_type": "adm", "allowed_subjects": [ "platform-steward", "iam:platform-steward" ], "allowed_principals": [ "platform", "root" ], "max_ttl_hours": 8 } }, { "id": "ssh-cert:actor/ci-deploy-agent", "type": "ssh-certificate", "labels": [ "ssh-signing", "agt" ], "trust_zone": "platform", "owner": "team:platform-security", "attributes": { "actor_id": "ci-deploy-agent", "actor_type": "agt", "allowed_subjects": [ "ci-deploy-agent", "iam:ci-deploy-agent" ], "allowed_principals": [ "deploy", "git" ], "max_ttl_hours": 2 } }, { "id": "ssh-cert:actor/backup-automation", "type": "ssh-certificate", "labels": [ "ssh-signing", "atm" ], "trust_zone": "platform", "owner": "team:platform-security", "attributes": { "actor_id": "backup-automation", "actor_type": "atm", "allowed_subjects": [ "backup-automation", "iam:backup-automation" ], "allowed_principals": [ "backup" ], "max_ttl_hours": 1 } } ], "actions": [ "sign" ], "caring_profile": "caring-0.4.0-rc2", "metadata": { "flex_auth_contract": "resource-registration-v0", "tenant": "tenant:platform" } } ], "tenants": [ { "id": "tenant:platform", "name": "Platform Tenant" } ], "subjects": [ { "id": "platform-steward", "type": "Agent", "display_name": "Platform Steward", "organization_relation": "ServiceProvider", "roles": [ "Operator" ], "groups": [ "group:ops-warden-admins" ], "tenant": "tenant:platform", "metadata": { "actor_type": "adm" } }, { "id": "ci-deploy-agent", "type": "Agent", "display_name": "CI Deploy Agent", "organization_relation": "ServiceProvider", "roles": [ "Operator" ], "groups": [ "group:ops-warden-agents" ], "tenant": "tenant:platform", "metadata": { "actor_type": "agt" } }, { "id": "backup-automation", "type": "Automation", "display_name": "Backup Automation", "organization_relation": "ServiceProvider", "roles": [ "Operator" ], "groups": [ "group:ops-warden-automations" ], "tenant": "tenant:platform", "metadata": { "actor_type": "atm" } } ], "groups": [ { "id": "group:ops-warden-admins", "display_name": "Ops Warden Admin Actors", "members": [ "platform-steward" ], "tenant": "tenant:platform" }, { "id": "group:ops-warden-agents", "display_name": "Ops Warden Agent Actors", "members": [ "ci-deploy-agent" ], "tenant": "tenant:platform" }, { "id": "group:ops-warden-automations", "display_name": "Ops Warden Automation Actors", "members": [ "backup-automation" ], "tenant": "tenant:platform" } ], "relationships": [ { "id": "rel:platform-steward-sign-platform-steward", "system": "ops-warden", "subject": "group:ops-warden-admins", "relation": "signer", "object": "ssh-cert:actor/platform-steward", "tenant": "tenant:platform", "conditions": [ "TimeLimited", "Logged" ], "caring": { "id": "descriptor:ops-warden-adm-signer", "profile": "caring-0.4.0-rc2", "subject_type": "Group", "organization_relation": "ServiceProvider", "canonical_role": "Operator", "scope": { "level": "Resource", "id": "ssh-cert:actor/platform-steward", "tenant": "tenant:platform", "resource": "ssh-cert:actor/platform-steward" }, "planes": [ "Identity", "Secret", "Audit" ], "capabilities": [ "Use", "Operate", "Audit" ], "exposure_modes": [ "Metadata" ], "conditions": [ "TimeLimited", "Logged" ], "restrictions": [ "PrivilegeEscalationBlocked", "SecretAccessBlocked" ], "access_path": "mediated" } }, { "id": "rel:ci-deploy-agent-sign-ci-deploy-agent", "system": "ops-warden", "subject": "group:ops-warden-agents", "relation": "signer", "object": "ssh-cert:actor/ci-deploy-agent", "tenant": "tenant:platform", "conditions": [ "TimeLimited", "Logged" ], "caring": { "id": "descriptor:ops-warden-agt-signer", "profile": "caring-0.4.0-rc2", "subject_type": "Group", "organization_relation": "ServiceProvider", "canonical_role": "Operator", "scope": { "level": "Resource", "id": "ssh-cert:actor/ci-deploy-agent", "tenant": "tenant:platform", "resource": "ssh-cert:actor/ci-deploy-agent" }, "planes": [ "Identity", "Secret", "Audit" ], "capabilities": [ "Use", "Operate", "Audit" ], "exposure_modes": [ "Metadata" ], "conditions": [ "TimeLimited", "Logged" ], "restrictions": [ "PrivilegeEscalationBlocked", "SecretAccessBlocked" ], "access_path": "mediated" } }, { "id": "rel:backup-automation-sign-backup-automation", "system": "ops-warden", "subject": "group:ops-warden-automations", "relation": "signer", "object": "ssh-cert:actor/backup-automation", "tenant": "tenant:platform", "conditions": [ "TimeLimited", "Logged" ], "caring": { "id": "descriptor:ops-warden-atm-signer", "profile": "caring-0.4.0-rc2", "subject_type": "Group", "organization_relation": "ServiceProvider", "canonical_role": "Operator", "scope": { "level": "Resource", "id": "ssh-cert:actor/backup-automation", "tenant": "tenant:platform", "resource": "ssh-cert:actor/backup-automation" }, "planes": [ "Identity", "Secret", "Audit" ], "capabilities": [ "Use", "Operate", "Audit" ], "exposure_modes": [ "Metadata" ], "conditions": [ "TimeLimited", "Logged" ], "restrictions": [ "PrivilegeEscalationBlocked", "SecretAccessBlocked" ], "access_path": "mediated" } } ] }