---
# Non-secret schema contract for credential/security change requests.
# This file names keys and allowed values only; it carries no secret
# material itself, and the secret_markers_rejected list below is meant to
# keep requests validated against it free of secret material too.
schema_version: 1
kind: credential-change-request-schema
description: Non-secret schema contract for credential/security change requests.

# Keys every request document must carry at its top level.
required_top_level:
  - id
  - kind
  - schema_version
  - request_type
  - title
  - status
  - created
  - updated
  - requester
  - target
  - openbao
  - access_frontdoor
  - risk
  - verification
  - lifecycle

# Full status vocabulary for a request. The guardrails section further
# down pins which of these a plan application and an active entry need.
allowed_statuses:
  - draft
  - proposed
  - needs_changes
  - approved
  - denied
  - apply_pending
  - applied
  - verified
  - active
  - deactivated
  - rotated
  - compromised
  - superseded
  - cancelled

# Request kinds currently accepted; each has a matching per-type section.
allowed_request_types:
  - workload-kv-read

# Strings whose presence causes a request to be rejected: private-key
# headers, token environment assignments and well-known token prefixes.
# Presumably matched as plain substrings - confirm against the validator.
# NOTE(review): short prefixes such as `sk-` can also match non-secret
# text; false positives are the safer failure mode here, but callers
# should expect them.
secret_markers_rejected:
  - AGE-SECRET-KEY-1
  - "-----BEGIN PRIVATE KEY-----"
  - "-----BEGIN OPENSSH PRIVATE KEY-----"
  - OPENBAO_ROOT_TOKEN=
  - VAULT_TOKEN=
  - BAO_TOKEN=
  - hvb.
  - hvc.
  - hvs.
  - npm_
  - ghp_
  - sk-

# Per-type contract for workload-kv-read: keys required under each
# section of the request. "openbao.auth" addresses the nested auth map.
workload_kv_read:
  required:
    openbao:
      - mount
      - kv_path
      - fields
      - policy_name
      - policy_file
      - auth
    openbao.auth:
      - method
      - mount
      - role
      - bound_claims
      - bound_claims_confirmed
      - policies
    access_frontdoor:
      - type
      - catalog_id
      - readiness
      - resolvable
    verification:
      - positive
      - negative
      - activation_conditions
    lifecycle:
      - deactivate
      - rotate
      - compromised

# Readiness vocabulary for the access front door, and the one request
# status under which an entry may claim resolvable: true.
access_frontdoor_readiness:
  allowed:
    - template
    - pending-review
    - approved-pending-apply
    - applied-pending-verify
    - ready
    - disabled
    - compromised
  resolvable_true_requires_status: active

# The only readiness/resolvable combination the ops-warden consumer
# should act on; everything else is ignored by that consumer.
ops_warden_should_consume_only:
  readiness: ready
  resolvable: true

# Hard stops applied regardless of request content.
guardrails:
  # An apply plan may only be produced from an approved request.
  apply_plan_requires_status:
    - approved
  # A request may only become active after verification.
  active_requires_status:
    - verified
  # Policy names that may never be granted through this flow.
  disallowed_policy_names:
    - root
    - platform-admin
  # Path fragments that may never appear: wildcards and parent traversal.
  # Quoted because "*" would otherwise be read as an alias sigil.
  disallowed_path_fragments:
    - "*"
    - ".."