[ { "_id": "rule0001-0000-4000-8000-r00000000001", "abstractobject": { "id": "rule0001-0000-4000-8000-r00000000001", "name": "Sensor data access policy", "is_draft": false, "creator_id": "c0cece97-7730-4c2a-8c20-a30944564106", "creation_date": {"$date": "2026-04-10T00:00:00.000Z"}, "update_date": {"$date": "2026-04-10T00:00:00.000Z"}, "access_mode": 0 }, "description": "Governs access to the road-traffic sensor pipeline. Only members of the sensor-operators or analysts group may schedule or cancel executions of the sensor-data-collector workflow. MQTT topic sensors/camera/vehicle is readable by all default-namespace peers; write access is restricted to the Mosquitto processing step running on authorised compute nodes. Violations trigger an audit log entry forwarded to the OpenCloud rule engine.", "condition": "request.group IN ['sensor-operators', 'analysts'] OR request.resource.type == 'mqtt.subscribe'", "actions": [ "ALLOW schedule:sensor-data-collector IF group IN [sensor-operators, analysts]", "ALLOW subscribe:sensors/camera/vehicle FOR *", "DENY publish:sensors/camera/vehicle UNLESS processing_id == e518d7a4-426a-4900-94e5-300767b1bb31", "AUDIT ON DENY" ] }, { "_id": "rule0002-0000-4000-8000-r00000000002", "abstractobject": { "id": "rule0002-0000-4000-8000-r00000000002", "name": "API logs read-only", "is_draft": false, "creator_id": "c0cece97-7730-4c2a-8c20-a30944564106", "creation_date": {"$date": "2026-04-10T00:00:00.000Z"}, "update_date": {"$date": "2026-04-10T00:00:00.000Z"}, "access_mode": 0 }, "description": "Controls access to the API monitoring pipeline. All collaborative-area members may query the Nginx dashboard endpoint (GET /status) and read Redis-cached API metrics. Triggering a new CURL ingestion run is restricted to peer-1 scheduler principals (peer_id == c0cece97). Direct writes to the Peer2 MinIO /logs bucket are denied to all external actors; only the CURL processing step running in the Mundi datacenter is authorised to PUT objects. Ensures observability without allowing log tampering.", "condition": "request.method == 'GET' OR (request.peer_id == 'c0cece97-7730-4c2a-8c20-a30944564106' AND request.action == 'schedule')", "actions": [ "ALLOW GET:/status FOR *", "ALLOW GET:redis.key.api_status FOR *", "ALLOW schedule:api-monitoring-stack IF peer_id == c0cece97-7730-4c2a-8c20-a30944564106", "ALLOW PUT:minio:/logs/* IF processing_id == 0d565c87-50ae-4a73-843d-f8b2d4047772", "DENY PUT:minio:/logs/* FOR *", "AUDIT ON DENY" ] }, { "_id": "rule0003-0000-4000-8000-r00000000003", "abstractobject": { "id": "rule0003-0000-4000-8000-r00000000003", "name": "Cross-peer data retention", "is_draft": false, "creator_id": "c0cece97-7730-4c2a-8c20-a30944564106", "creation_date": {"$date": "2026-04-10T00:00:00.000Z"}, "update_date": {"$date": "2026-04-10T00:00:00.000Z"}, "access_mode": 0 }, "description": "Enforces lifecycle policies for cross-peer shared storage. Objects written to the Peer2 MinIO bucket (ff660006) under the /logs prefix are subject to a 30-day auto-expiry; a daily cron on peer-2 scans for objects older than 30 days and schedules deletion. Objects written to the IRT local file storage (e726020a) under the /tmp prefix expire after 7 days via a nightly cron on peer-1. Compressed daily rotations (.gz) under /logs are exempt from the 30-day rule and follow a 90-day archive policy. This rule is evaluated at write-time to tag objects with the appropriate TTL metadata header (X-Amz-Meta-Expires-At).", "condition": "resource.path STARTSWITH '/logs' OR resource.path STARTSWITH '/tmp'", "actions": [ "TAG X-Amz-Meta-Expires-At:+30d IF storage_id == ff660006-ff66-4006-8006-ffffffffffff AND path STARTSWITH /logs AND NOT path ENDSWITH .gz", "TAG X-Amz-Meta-Expires-At:+90d IF storage_id == ff660006-ff66-4006-8006-ffffffffffff AND path ENDSWITH .gz", "TAG X-Amz-Meta-Expires-At:+7d IF storage_id == e726020a-b68e-4abc-ab36-c3640ea3f557 AND path STARTSWITH /tmp", "SCHEDULE purge:expired CRON 0 2 * * *" ] } ]