---
# Genesis (bootstrap) Accord for the guildhouse.local trust domain.
#
# Everything in this document is policy: each classification selects a set of
# Kubernetes-style resources (or repository paths), each ceremony says what it
# takes to unlock that classification, and the ledger section says what gets
# notarized versus merely logged. Reviewer notes are marked NOTE(review) and
# point at places where the stated policy is looser than its description
# suggests; they do not change any value.
apiVersion: guildhouse.io/v1alpha1
kind: Accord
metadata:
  name: genesis-accord
  version: "1.0.0"
  # All-zero predecessor hash: this is the first accord in the chain. Later
  # versions presumably point at the digest of the accord they replace —
  # confirm the expected encoding against the controller.
  previousVersionHash: "0000000000000000000000000000000000000000000000000000000000000000"
  # "bootstrap" is not one of the ceremonies defined under spec.ceremonies
  # below; presumably a one-time, out-of-band authorization — verify.
  authorizingCeremony: bootstrap
  effectiveAt: "2025-06-01T00:00:00Z"
  # Two-year validity window. What the controller does once this passes is
  # not stated here (reconciliation.onExpiry below applies to reconciliation
  # windows, not to the accord itself — confirm).
  expiresAt: "2027-06-01T00:00:00Z"
spec:
  trustDomain: guildhouse.local
  policy:
    # NOTE(review): "sha256:genesis" is not a SHA-256 digest. Until a real
    # digest is pinned here, nothing in this document integrity-checks the
    # Rego bundle under bundlePath. Confirm whether the controller treats this
    # value as a placeholder or compares it literally.
    bundleHash: "sha256:genesis"
    bundlePath: ".guildhouse/policies/"

  # ---------------------------------------------------------------------------
  # Classifications: what a request can touch. Each one is unlocked by the
  # ceremony of the same name under spec.ceremonies.
  # ---------------------------------------------------------------------------
  classifications:
    - name: read-access
      description: Read-only
      pathways:
        - imperative
        - declarative
      # NOTE(review): "*" over every API group and resource includes core-group
      # Secrets. Combined with the self_grant ceremony for this classification
      # and read_access being logOnly in the ledger, secret contents can be
      # read for up to 8h without approval or notarization. Consider carving
      # secrets out of this selector or giving them their own classification.
      resourceSelectors:
        - apiGroups:
            - "*"
          resources:
            - "*"
          verbs:
            - "get"
            - "list"
            - "watch"

    - name: workload-scaling
      description: Scale workload replicas
      pathways:
        - imperative
        - declarative
      # Scoped to spec.replicas so the ceremony cannot be used to change images
      # or environment — this only holds if the controller enforces the
      # `fields` restriction on patch/update; confirm.
      resourceSelectors:
        - apiGroups:
            - "apps"
          resources:
            - "deployments"
            - "statefulsets"
          fields:
            - "spec.replicas"
          verbs:
            - "patch"
            - "update"

    - name: workload-deployment
      description: Deploy and update workloads
      pathways:
        - imperative
        - declarative
      # Full lifecycle, including delete, on the three apps/ workload kinds.
      resourceSelectors:
        - apiGroups:
            - "apps"
          resources:
            - "deployments"
            - "statefulsets"
            - "daemonsets"
          verbs:
            - "create"
            - "update"
            - "patch"
            - "delete"

    - name: rbac-modification
      description: Modify RBAC resources
      pathways:
        - declarative
      # NOTE(review): this covers cluster-scoped ClusterRoles and
      # ClusterRoleBindings, yet the matching ceremony is approved by
      # namespace-admin, a role that is scoped to two namespaces under
      # spec.roles. The cluster-admin role defined there is never named as an
      # approver anywhere in this document.
      resourceSelectors:
        - apiGroups:
            - "rbac.authorization.k8s.io"
          resources:
            - "clusterroles"
            - "clusterrolebindings"
            - "roles"
            - "rolebindings"
          verbs:
            - "*"

    - name: network-policy
      description: Manage network policies
      pathways:
        - declarative
      resourceSelectors:
        - apiGroups:
            - "networking.k8s.io"
          resources:
            - "networkpolicies"
          verbs:
            - "*"

    - name: secret-management
      description: Manage secrets
      pathways:
        - declarative
      # Write side only; reading secrets falls under read-access above.
      resourceSelectors:
        - apiGroups:
            - ""
          resources:
            - "secrets"
          verbs:
            - "create"
            - "update"
            - "patch"
            - "delete"

    - name: emergency-access
      description: Emergency break-glass access
      pathways:
        - imperative
      # NOTE(review): delete on every resource in every API group, cluster-wide
      # — namespaces, CRDs and RBAC bindings included. The only gate is the
      # break_glass ceremony below, which names no approver role.
      resourceSelectors:
        - apiGroups:
            - "*"
          resources:
            - "*"
          verbs:
            - "delete"

    - name: accord-change
      description: Changes to the accord document
      pathways:
        - declarative
      # Path-based selector: this document and the policy bundle. Note that
      # these paths do not overlap with workspace-merge below.
      resourceSelectors:
        - paths:
            - ".guildhouse/accord.yaml"
            - ".guildhouse/policies/**"

    - name: workspace-merge
      description: Merge workspace changes
      pathways:
        - declarative
      resourceSelectors:
        - paths:
            - "namespaces/**"

    - name: reconciliation-merge
      description: Automated reconciliation
      pathways:
        - autonomous
      # Unrestricted selector; the only limit on this classification is the
      # SVID match in its ceremony below.
      resourceSelectors:
        - apiGroups:
            - "*"
          resources:
            - "*"
          verbs:
            - "*"

  # ---------------------------------------------------------------------------
  # Ceremonies: what unlocks each classification.
  # ---------------------------------------------------------------------------
  ceremonies:
    - classification: read-access
      # No approval: the requester grants themselves read access for up to 8h.
      # See the NOTE(review) on the read-access classification about secrets.
      type: self_grant
      requirements:
        maxDuration: "8h"
        # Repeats the classification's verbs; presumably a hard cap the
        # session cannot widen — confirm how scopeConstraints are applied.
        scopeConstraints:
          verbs:
            - "get"
            - "list"
            - "watch"

    - classification: workload-scaling
      type: single_approval
      requirements:
        approverRoles:
          - "namespace-admin"
        maxDuration: "4h"
        mutationBudget: 10
        # Semantics of requiresCapabilityProfile are not defined in this file;
        # presumably a profile the requester must hold — confirm.
        requiresCapabilityProfile: true

    - classification: workload-deployment
      type: single_approval
      requirements:
        approverRoles:
          - "namespace-admin"
        maxDuration: "4h"
        mutationBudget: 5
        # Semantics of requiresTwinValidation are not defined in this file —
        # presumably a dry-run against a digital twin; confirm.
        requiresTwinValidation: true

    - classification: rbac-modification
      type: quorum_approval
      requirements:
        # NOTE(review): namespace-admin has exactly two members under
        # spec.roles: the capstone admin service account and one human
        # (tking). A quorum of 2 is therefore only ever met by that SA plus
        # tking — whoever can act as that service account and is tking meets
        # quorum alone. Also see the classification note: this approves
        # cluster-scoped RBAC with a namespace-scoped role.
        approverRoles:
          - "namespace-admin"
        quorum: 2
        maxDuration: "2h"
        mutationBudget: 3

    - classification: network-policy
      type: single_approval
      requirements:
        approverRoles:
          - "namespace-admin"
        maxDuration: "4h"

    - classification: secret-management
      type: quorum_approval
      requirements:
        # Same two-member quorum caveat as rbac-modification above.
        approverRoles:
          - "namespace-admin"
        quorum: 2
        maxDuration: "2h"
        mutationBudget: 3

    - classification: emergency-access
      type: break_glass
      requirements:
        maxDuration: "30m"
        # Review happens after the fact; it does not gate the session.
        mandatoryPostIncidentReview: true
        # NOTE(review): the only pre-condition is that some INCIDENT ticket is
        # Active or In Progress. Nothing here binds the ticket to the
        # requester or to the resources being deleted — confirm the controller
        # records the ticket key with the session and who opened it.
        externalEvidence:
          type: jira_ticket
          project: INCIDENT
          status:
            - "Active"
            - "In Progress"

    - classification: accord-change
      type: quorum_approval
      requirements:
        # NOTE(review): quorum: 2 with no approverRoles — every other approval
        # ceremony in this file names one. Which identities count toward this
        # quorum is not stated; if the controller falls back to "any role
        # member", the ceremony that rewrites this document and the Rego
        # bundle has the loosest approver set in the file. Consider naming
        # cluster-admin explicitly.
        quorum: 2
        requiresRegoTestsPass: true
        requiresSchemaValidation: true

    - classification: workspace-merge
      type: single_approval
      requirements:
        approverRoles:
          - "namespace-admin"

    - classification: reconciliation-merge
      type: autonomous
      requirements:
        # NOTE(review): the ns/* glob matches a service account named
        # "reconciler" in ANY namespace, and the classification it unlocks is
        # all verbs on all resources with no human in the loop. Anyone who can
        # create a ServiceAccount named reconciler in a namespace they control
        # and obtain an SVID for it would match. Pin this to the namespace(s)
        # that actually run the reconciler.
        controllerSvidMatch: "spiffe://guildhouse.local/ns/*/sa/reconciler"

  # ---------------------------------------------------------------------------
  # Ledger: which events are notarized versus only logged.
  # ---------------------------------------------------------------------------
  ledger:
    alwaysNotarize:
      - ceremony_completion
      - session_creation
      - mutation_applied
    # read_access is logged but not notarized — see the read-access
    # classification note regarding secrets.
    logOnly:
      - read_access
      - session_heartbeat
    sampled:
      events:
        - health_check
      # The unit of sampleRate is not defined in this file (percent? one in
      # N?) — confirm before relying on health_check coverage.
      sampleRate: 100

  # ---------------------------------------------------------------------------
  # Reconciliation: drift detection and response.
  # ---------------------------------------------------------------------------
  reconciliation:
    defaultWindow: "24h"
    onExpiry: alert
    driftCheckInterval: "5m"
    # Secret drift is surfaced, not reverted; deployment drift is reverted
    # automatically. Drift in anything else (RBAC, network policies,
    # statefulsets) matches neither entry, and the default action for
    # unmatched resources is not stated here.
    driftResponses:
      - resourceSelector:
          apiGroups:
            - ""
          resources:
            - "secrets"
        action: alert
      - resourceSelector:
          apiGroups:
            - "apps"
          resources:
            - "deployments"
        action: auto_reconcile

  # ---------------------------------------------------------------------------
  # Controllers: machine identities with standing permissions.
  # ---------------------------------------------------------------------------
  controllers:
    - svid: "spiffe://guildhouse.local/ns/argocd/sa/argocd-application-controller"
      classification: workload-deployment
      # Narrower than the workload-deployment classification (no daemonsets,
      # no delete). Presumably the intersection applies — confirm that
      # permittedMutations cannot widen the classification.
      permittedMutations:
        - apiGroups:
            - "apps"
          resources:
            - "deployments"
            - "statefulsets"
          verbs:
            - "create"
            - "update"
            - "patch"
      ledgerFidelity: full

  # ---------------------------------------------------------------------------
  # Roles: who can approve.
  # ---------------------------------------------------------------------------
  roles:
    - name: namespace-admin
      # tking is the only human in this document; the other member is a
      # service account. See the quorum notes on rbac-modification and
      # secret-management.
      members:
        - identity: "spiffe://guildhouse.local/ns/capstone/sa/admin"
        - identity: "oidc:tking@guildhouse.local"
      namespaces:
        - "capstone"
        - "quartermaster"
    - name: cluster-admin
      # Defined but not referenced by any ceremony's approverRoles in this
      # document.
      members:
        - identity: "oidc:tking@guildhouse.local"