# Illustrative implementation starter. This is not a normative ContextOS runtime schema.
schema_version: contextos.ai/examples/agent-authority-register/v1
kind: AgentAuthorityRegister

metadata:
  organization: example_enterprise
  security_owner: ciso_office
  reviewed_at: "2026-07-19"
  revocation_slo_seconds: 300

agent:
  subject: agent:contextos/security-remediation@2.4.1
  display_name: Security Remediation Agent
  blueprint: security_remediation
  environment: production
  lifecycle: active
  technical_owner: platform_security_team
  business_sponsor: vp_security_operations
  security_reviewer: product_security

runtime_identity:
  workload_id: spiffe://example.internal/agent/security-remediation
  runtime_profile: restricted_cloud_worker
  attestation_required: true
  signing_key_id: kid_security_agent_2026_q3
  generic_service_account: false

delegation:
  permitted_principal_kinds:
    - user
    - service
    - parent_agent
  tenant_bound: true
  child_claim_must_be_strict_subset: true
  max_depth: 2
  max_claim_ttl_seconds: 300

authority_baseline:
  approval_mode_ceiling: destructive
  allowed_data_classes:
    - INTERNAL
    - CONFIDENTIAL
  denied_data_classes:
    - RESTRICTED_EXPORT
  tools:
    - capability: cloud.inventory.read
      approval_mode: read_only
      destinations:
        - cloud_inventory_api
    - capability: cloud.change.propose
      approval_mode: local_write
      destinations:
        - change_staging_store
    - capability: cloud.change.execute
      approval_mode: destructive
      destinations:
        - approved_production_accounts
      requires_approval: true
      requires_reversal_plan: true
    - capability: support.case.create
      approval_mode: network
      destinations:
        - approved_vendor_support_tenant
      payload_max_data_class: INTERNAL
  forbidden_compositions:
    - source_trust: untrusted
      sensitive_read: true
      external_sink: true
      required_boundary: frozen_payload_preview_and_approval

credential_policy:
  token_passthrough_forbidden: true
  resource_audience_required: true
  short_lived_credentials_required: true
  raw_tokens_visible_to_model: false
  raw_tokens_retained_in_traces: false

observability:
  required_join_keys:
    - agent_subject
    - workload_id
    - tenant_id
    - run_id
    - trace_id
    - claim_hash
    - policy_decision_id
    - tool_call_id
    - mutation_ref
  required_high_risk_artifacts:
    - decision_record
    - approval_event
    - tool_call
    - tool_result
    - mutation_receipt
    - replay_result

drift_detection:
  compare_against_approved_release: true
  alert_on:
    - unknown_runtime_subject
    - owner_or_sponsor_missing
    - workload_identity_changed
    - oauth_scope_expanded
    - tool_manifest_expanded
    - destination_added
    - approval_mode_weakened
    - child_claim_not_strict_subset
    - token_ttl_increased
    - destructive_share_spike

revocation:
  stop_new_dispatch: true
  stop_claim_minting: true
  block_tool_gateway: true
  cancel_active_parent_runs: true
  cancel_active_child_runs: true
  freeze_pending_approvals: true
  freeze_pending_mutations: true
  quarantine_memory_proposals: true
  rotate_exposed_credentials: true
  replay_affected_traces: true
  last_drill_at: null
  last_drill_seconds: null

readiness_scorecard:
  discovery_coverage: 0
  identity_separation: 0
  accountability: 0
  effective_authority_graph: 0
  credential_boundaries: 0
  source_to_sink_analysis: 0
  privilege_drift_detection: 0
  decision_evidence: 0
  replay_coverage: 0
  revocation_slo: 0
  maximum: 20
  hard_stops:
    - production_action_without_versioned_agent_subject
    - generic_service_account_hides_multiple_agents
    - untrusted_source_to_sensitive_external_sink_without_boundary
    - active_parent_or_child_runs_survive_revocation
