SYSTEM // 06 — policy engine
THE GOVERNOR.
Policy. Scope. Safety. Every intent passes through here.
/// 01
Levels
Four bands. One arbiter.
level · L00 · self
Read Only
Query state. No mutations. Always allowed for authenticated principals.
scope
tenant/* (read)
examples
job.status · parts.lookup · schedule.read
level · L01 · self · audited
Standard
Bounded writes within the principal's tenant. Default for technicians and admins.
scope
tenant/{self}
examples
parts.order · job.update · invoice.draft
level · L02 · second-approver
Elevated
Cross-tenant or destructive ops. Requires a second approver and a reason string.
scope
tenant/* (cross)
examples
tenant.transfer · billing.refund · policy.update
level · L03 · break-glass · 2 of 3
Restricted
Locked. Break-glass procedure: 2-of-3 quorum, time-boxed, paged to ops.
scope
kernel/*
examples
kernel.shutdown · tenant.delete · audit.purge
/// 02
Policies
Real policy DSL. Read it like a spec.
parts.order · Standard
policy parts.order {
  level   = STANDARD
  scope   = tenant/{self} ∧ bay/{intent.bay}
  require = principal.role ∈ { mechanic, admin }
  limit   = qty <= 50, price_total <= $5_000
  audit   = full
}

billing.refund · Elevated
policy billing.refund {
  level   = ELEVATED
  scope   = tenant/{self}
  require = principal.role = admin
          ∧ approver ≠ principal
          ∧ reason.length >= 24
  limit   = amount <= $10_000
  audit   = full + page(ops)
}

kernel.shutdown · Restricted
policy kernel.shutdown {
  level   = RESTRICTED
  scope   = kernel/*
  require = quorum(2 of 3, role = sre_lead)
          ∧ ticket.severity ∈ { SEV1 }
  ttl     = 15m
  audit   = full + page(ops, exec) + immutable
}

/// 03
Audit Log
Every verdict, immutable.
| ts | level | actor | action · scope | verdict | note |
|---|---|---|---|---|---|
| 14:02:11.214 | STANDARD | tech/mike@bay3 | parts.order · tenant/wlms · bay/3 | ALLOW | qty=4 sku=CER-PAD-04 |
| 14:02:11.402 | STANDARD | agent/zerØ | job.update · tenant/wlms · job/4421 | ALLOW | status→IN_PROGRESS |
| 14:03:48.001 | ELEVATED | admin/sara | billing.refund · tenant/wlms · cust/8821 | DENY | no second approver |
| 14:04:02.118 | ELEVATED | admin/sara + admin/jon | billing.refund · tenant/wlms · cust/8821 | ALLOW | $240.00 · reason ok |
| 14:11:30.504 | STANDARD | tech/lee@bay7 | tenant.transfer · tenant/wlms → tenant/abc | DENY | level mismatch · need ELEVATED |
| 14:22:00.900 | RESTRICTED | sre/alex | kernel.shutdown · kernel/region-eu | DENY | quorum 1 of 3 |
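Added example, not the Governor's own code: a toy Python evaluator for the three section 02 policies (plus tenant.transfer, whose ELEVATED band is known only from the audit row above), replayed over five of the six audit rows; job.update is skipped because its policy is not on the page. Levels, scope rules, require/limit/ttl clauses and the logged denial notes follow the page; the Principal and Intent shapes, the field names (args, approvers, reason, issued_at), the tenant.transfer clause body, the order price and the refund reason text are assumptions made to get the rows running.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum

Level = IntEnum("Level", "READ_ONLY STANDARD ELEVATED RESTRICTED", start=0)
Principal = namedtuple("Principal", "id role tenant")  # assumed shape

@dataclass
class Intent:                      # assumed shape of an intent
    action: str
    principal: Principal
    level: Level                   # band the caller invokes the action at
    tenant: str = ""               # target tenant; "" for kernel/* scope
    args: dict = field(default_factory=dict)
    approvers: tuple = ()          # co-signing Principals
    reason: str = ""
    issued_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

@dataclass
class Verdict:
    allow: bool
    note: str
    checks: list = field(default_factory=list)  # passed clauses, playground-style

# A clause is (label, fn); fn returns None on pass or the denial note to log.
def same_tenant():
    return ("scope tenant/{self}", lambda i: None if i.tenant == i.principal.tenant
            else f"scope mismatch · tenant/{i.tenant}")

def role_in(*roles):
    return ("role permitted", lambda i: None if i.principal.role in roles
            else f"role {i.principal.role} not permitted")

def limit(name, maximum):  # a missing value is over the limit, not zero
    return (f"{name} within limit", lambda i: None
            if i.args.get(name, maximum + 1) <= maximum else f"{name} over limit {maximum}")

def second_approver():  # a principal cannot approve their own intent
    return ("second approver", lambda i: None
            if any(a.id != i.principal.id for a in i.approvers) else "no second approver")

def reason_min(n):
    return (f"reason >= {n}", lambda i: None if len(i.reason) >= n else f"reason shorter than {n}")

def quorum(k, n, role):  # distinct signers holding the role; the submitter counts as one
    def chk(i):
        signers = {p.id for p in (i.principal, *i.approvers) if p.role == role}
        return None if len(signers) >= k else f"quorum {len(signers)} of {n}"
    return (f"quorum {k} of {n} {role}", chk)

def severity_in(*sev):
    return ("ticket.severity", lambda i: None
            if i.args.get("ticket.severity") in sev else f"ticket.severity not in {set(sev)}")

def ttl(minutes):
    return (f"ttl {minutes}m", lambda i: None
            if datetime.now(timezone.utc) - i.issued_at <= timedelta(minutes=minutes)
            else f"expired · ttl {minutes}m")

POLICIES = {  # level, then clauses in the order the DSL lists them
    "parts.order": (Level.STANDARD, [same_tenant(), role_in("mechanic", "admin"),
                                     limit("qty", 50), limit("price_total", 5_000)]),
    "billing.refund": (Level.ELEVATED, [same_tenant(), role_in("admin"), second_approver(),
                                        reason_min(24), limit("amount", 10_000)]),
    # level from the audit log; clause body assumed (cross-tenant, so no same_tenant())
    "tenant.transfer": (Level.ELEVATED, [role_in("admin"), second_approver(), reason_min(24)]),
    "kernel.shutdown": (Level.RESTRICTED, [quorum(2, 3, "sre_lead"), severity_in("SEV1"), ttl(15)]),
}

def evaluate(intent: Intent) -> Verdict:
    """Arbitrate one intent: unknown action denies, band mismatch denies, then each clause."""
    if intent.action not in POLICIES:
        return Verdict(False, "no policy for action")
    level, clauses = POLICIES[intent.action]
    if intent.level < level:
        return Verdict(False, f"level mismatch · need {level.name}")
    passed = []
    for label, fn in clauses:
        note = fn(intent)
        if note:
            return Verdict(False, note, passed)
        passed.append(f"✓ {label}")
    return Verdict(True, "ok", passed)

def replay():
    """Constructed intents for five audit-log rows; prices and the reason text are assumed."""
    mike = Principal("tech/mike@bay3", "mechanic", "wlms")
    sara, jon = Principal("admin/sara", "admin", "wlms"), Principal("admin/jon", "admin", "wlms")
    lee = Principal("tech/lee@bay7", "mechanic", "wlms")
    alex = Principal("sre/alex", "sre_lead", "kernel")
    reason = "duplicate charge on cust/8821, refund agreed"
    rows = [
        Intent("parts.order", mike, Level.STANDARD, "wlms", {"qty": 4, "price_total": 120}),
        Intent("billing.refund", sara, Level.ELEVATED, "wlms", {"amount": 240}, reason=reason),
        Intent("billing.refund", sara, Level.ELEVATED, "wlms", {"amount": 240}, (jon,), reason),
        Intent("tenant.transfer", lee, Level.STANDARD, "abc"),
        Intent("kernel.shutdown", alex, Level.RESTRICTED, args={"ticket.severity": "SEV1"}),
    ]
    return [(i.action, evaluate(i)) for i in rows]
```

Calling replay() reproduces the five verdicts and notes of the rows above (ALLOW, DENY "no second approver", ALLOW, DENY "level mismatch · need ELEVATED", DENY "quorum 1 of 3"). Clause order decides which denial reason gets logged, and the band check runs before any clause, so a STANDARD caller poking at an ELEVATED action learns only that it needs ELEVATED, not which of the policy's inner requirements it would have failed.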
/// 04
Playground
Push an intent through.
// intent
// governor verdict
Standard · ALLOW
policy · parts.order · scope: tenant/wlms
- ✓ role permitted (mechanic)
- ✓ qty within limit
- ✓ scope: tenant/wlms · bay/3
audit · written · immutable · 7y