generated: '2026-07-15' method: generated source: openapi/hvault-auth-methods-openapi.yml, openapi/hvault-identity-openapi.yml, openapi/hvault-secrets-engines-openapi.yml, openapi/hvault-system-backend-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 116 by_action_class: acting: 76 connected: 40 by_consequence: write: 71 read: 40 safety-critical: 5 human_in_the_loop_required: 5 operations: - path: /auth/token/create method: post operationId: createToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/create-orphan method: post operationId: createOrphanToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/create/{role_name} method: post operationId: createTokenWithRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/lookup method: post operationId: lookupToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/lookup-self method: get operationId: lookupSelfToken x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /auth/token/renew method: post operationId: renewToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/renew-self method: post operationId: renewSelfToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/revoke method: post operationId: revokeToken x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /auth/token/revoke-self method: post operationId: revokeSelfToken x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /auth/token/roles/{role_name} method: get operationId: readTokenRole x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /auth/token/roles/{role_name} method: post operationId: createOrUpdateTokenRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/roles/{role_name} method: delete operationId: deleteTokenRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/approle/login method: post operationId: loginWithAppRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/approle/role/{role_name} method: get operationId: readAppRole x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /auth/approle/role/{role_name} method: post operationId: createOrUpdateAppRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/approle/role/{role_name} method: delete operationId: deleteAppRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/approle/role/{role_name}/role-id method: get operationId: readAppRoleRoleId x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /auth/approle/role/{role_name}/secret-id method: post operationId: generateAppRoleSecretId x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/kubernetes/login method: post operationId: loginWithKubernetes x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/kubernetes/config method: get operationId: readKubernetesConfig x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /auth/kubernetes/config method: post operationId: configureKubernetesAuth x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/kubernetes/role/{name} method: get operationId: readKubernetesRole x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /auth/kubernetes/role/{name} method: post operationId: createOrUpdateKubernetesRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/kubernetes/role/{name} method: delete operationId: deleteKubernetesRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/ldap/login/{username} method: post operationId: loginWithLdap x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/jwt/login method: post operationId: loginWithJwt x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/userpass/login/{username} method: post operationId: loginWithUserpass x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/userpass/users/{username} method: get operationId: readUserpassUser x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /auth/userpass/users/{username} method: post operationId: createOrUpdateUserpassUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/userpass/users/{username} method: delete operationId: deleteUserpassUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/github/login method: post operationId: loginWithGithub x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity method: post operationId: createEntity x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity method: get operationId: listEntities x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/entity/id/{id} method: get operationId: readEntityById x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/entity/id/{id} method: post operationId: updateEntityById x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity/id/{id} method: delete operationId: deleteEntityById x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity/name/{name} method: get operationId: readEntityByName x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/entity/name/{name} method: post operationId: updateEntityByName x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity/name/{name} method: delete operationId: deleteEntityByName x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity/batch-delete method: post operationId: batchDeleteEntities x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity/merge method: post operationId: mergeEntities x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity-alias method: post operationId: createEntityAlias x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity-alias/id/{id} method: get operationId: readEntityAlias x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/entity-alias/id/{id} method: post operationId: updateEntityAlias x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity-alias/id/{id} method: delete operationId: deleteEntityAlias x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/group method: post operationId: createGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/group method: get operationId: listGroups x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/group/id/{id} method: get operationId: readGroupById x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/group/id/{id} method: post operationId: updateGroupById x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/group/id/{id} method: delete operationId: deleteGroupById x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/group/name/{name} method: get operationId: readGroupByName x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/group/name/{name} method: post operationId: updateGroupByName x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/group/name/{name} method: delete operationId: deleteGroupByName x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/group-alias method: post operationId: createGroupAlias x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/group-alias/id/{id} method: get operationId: readGroupAlias x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/group-alias/id/{id} method: post operationId: updateGroupAlias x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/group-alias/id/{id} method: delete operationId: deleteGroupAlias x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/lookup/entity method: post operationId: lookupEntity x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/lookup/group method: post operationId: lookupGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/oidc/token/{name} method: get operationId: readOidcToken x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/oidc/.well-known/openid-configuration method: get operationId: readOidcWellKnownConfig x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/oidc/.well-known/keys method: get operationId: readOidcJwks x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{mount}/config method: get operationId: readKvV2Config x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{mount}/config method: post operationId: updateKvV2Config x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{mount}/data/{path} method: get operationId: readKvV2Secret x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{mount}/data/{path} method: post operationId: createOrUpdateKvV2Secret x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{mount}/data/{path} method: delete operationId: deleteLatestKvV2Secret x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{mount}/delete/{path} method: post operationId: deleteKvV2SecretVersions x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{mount}/undelete/{path} method: post operationId: undeleteKvV2SecretVersions x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{mount}/destroy/{path} method: post operationId: destroyKvV2SecretVersions x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{mount}/metadata/{path} method: get operationId: readKvV2Metadata x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{mount}/metadata/{path} method: post operationId: updateKvV2Metadata x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{mount}/metadata/{path} method: delete operationId: deleteKvV2Metadata x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{mount}/metadata/ method: get operationId: listKvV2Secrets x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /aws/creds/{name} method: get operationId: generateAwsCredentials x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /aws/roles/{name} method: get operationId: readAwsRole x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /aws/roles/{name} method: post operationId: createOrUpdateAwsRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /aws/roles/{name} method: delete operationId: deleteAwsRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /database/creds/{name} method: get operationId: generateDatabaseCredentials x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /database/roles/{name} method: get operationId: readDatabaseRole x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /database/roles/{name} method: post operationId: createOrUpdateDatabaseRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /database/roles/{name} method: delete operationId: deleteDatabaseRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /pki/issue/{name} method: post operationId: issueCertificate x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /pki/ca method: get operationId: readCaCertificate x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /pki/roles/{name} method: get operationId: readPkiRole x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /pki/roles/{name} method: post operationId: createOrUpdatePkiRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /transit/encrypt/{name} method: post operationId: encryptData x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /transit/decrypt/{name} method: post operationId: decryptData x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /transit/keys/{name} method: get operationId: readTransitKey x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /transit/keys/{name} method: post operationId: createTransitKey x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /transit/keys/{name} method: delete operationId: deleteTransitKey x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /ssh/sign/{name} method: post operationId: signSshKey x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/health method: get operationId: getSystemHealth x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/seal-status method: get operationId: getSealStatus x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/seal method: put operationId: sealVault x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/unseal method: put operationId: unsealVault x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/init method: get operationId: getInitStatus x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/init method: put operationId: initializeVault x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/auth method: get operationId: listAuthMethods x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/auth/{path} method: post operationId: enableAuthMethod x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/auth/{path} method: delete operationId: disableAuthMethod x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /sys/mounts method: get operationId: listSecretsMounts x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/mounts/{path} method: post operationId: enableSecretsEngine x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/mounts/{path} method: delete operationId: disableSecretsEngine x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /sys/policies/acl method: get operationId: listPolicies x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/policies/acl/{name} method: get operationId: readPolicy x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/policies/acl/{name} method: put operationId: createOrUpdatePolicy x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/policies/acl/{name} method: delete operationId: deletePolicy x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/audit method: get operationId: listAuditDevices x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/audit/{path} method: put operationId: enableAuditDevice x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/audit/{path} method: delete operationId: disableAuditDevice x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /sys/leader method: get operationId: readLeaderStatus x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/config/auditing/request-headers method: get operationId: listAuditRequestHeaders x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/generate-root/attempt method: get operationId: readRootGenerationProgress x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/generate-root/attempt method: put operationId: startRootGeneration x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/generate-root/attempt method: delete operationId: cancelRootGeneration x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required