# ============================================================
# SOaC-Enterprise: Lab Safety Policy
# Component: brain/policy
# ============================================================
# Publisher: SOaC Core Team
# Version: 1.0.1
# Date: March 2026
# License: Apache 2.0
# Repository: github.com/ge0mant1s/SOaC-Enterprise
# ============================================================
# Purpose:
#   Defines the boundary policy controlling permissible actions
#   across lab, staging, and production environments. Enforced
#   by The Nervous System (Edge) before any CLAW playbook step
#   executes against a target environment.
#
# Reading guide:
#   - `environments` describes how a target is assigned to a tier.
#   - `action_permissions` maps each playbook action to a verdict
#     per tier. The verdicts used in this file are allow, simulate
#     and block.
#   - The remaining sections (simulation, blast_radius, audit,
#     enforcement) set file-wide limits. Where two sections
#     disagree, this file does not state which one wins; those
#     spots are marked NOTE(review).
# ============================================================

apiVersion: policy.soac.io/v1
kind: LabSafetyPolicy

metadata:
  name: lab-safety-policy
  # Quoted so the version stays a string.
  version: "1.0.1"
  author: soac-core-team
  # Quoted so the timestamp is not converted to a date object by the parser.
  created: "2026-03-01T00:00:00Z"
  tags:
    - policy-as-code
    - lab-safety
    - environment-boundary
    - blast-radius
  description: >
    Controls which CLAW playbook actions are permitted in each
    environment tier. Prevents production enforcement actions
    from executing in lab or staging contexts, and vice versa.

# ============================================================
# 1. ENVIRONMENT DEFINITIONS
# ============================================================
# Each tier lists three identifiers (tag, hostname prefixes, CIDR)
# as separate single-key list items.
# NOTE(review): this file does not say whether a target must match
# all identifiers or any one of them. Confirm against the engine,
# because the answer decides how the CIDR overlap noted under
# `production` is resolved.
# NOTE(review): internet_access is a boolean for lab (false) and
# production (true) but the string `limited` for staging, so the
# consumer has to accept both types.
environments:
  lab:
    description: Isolated simulation environment for SOaC package testing and BAS scenarios
    identifiers:
      - env_tag: lab
      - hostname_prefix: ["lab-", "soac-lab-", "sim-"]
      - network_cidr: "10.100.0.0/16"
    data_classification: synthetic
    internet_access: false
    external_api_calls: blocked

  staging:
    description: Pre-production validation environment with anonymized data
    identifiers:
      - env_tag: staging
      - hostname_prefix: ["stg-", "staging-"]
      - network_cidr: "10.200.0.0/16"
    data_classification: anonymized
    internet_access: limited
    external_api_calls: read_only

  production:
    description: Live enterprise environment. Full enforcement permitted with governance controls.
    identifiers:
      - env_tag: production
      - hostname_prefix: ["prod-", "prd-"]
      # NOTE(review): 10.0.0.0/8 contains both the lab range
      # (10.100.0.0/16) and the staging range (10.200.0.0/16). If a
      # CIDR match alone can classify a target, a lab or staging
      # address also matches production. Confirm that the engine
      # resolves an overlap to the most specific or most
      # restrictive tier, or narrow this range.
      - network_cidr: "10.0.0.0/8"
    data_classification: confidential
    internet_access: true
    external_api_calls: full

# ============================================================
# 2. ACTION PERMISSIONS BY ENVIRONMENT
# ============================================================
# One entry per playbook action. `lab`, `staging` and `production`
# carry the verdict for that tier. The other keys
# (governance_required, brain_oversight_required,
# requires_human_approval, max_blast_radius, pii_redaction_required)
# sit at action level, next to the verdicts.
# NOTE(review): because those flags are not nested per tier, this
# file does not say whether they apply in every tier or only where
# the verdict is `allow`. Confirm against the engine.
action_permissions:
  revoke_sessions:
    lab: simulate
    staging: block
    production: allow
    governance_required: true
    brain_oversight_required: true

  reset_mfa:
    lab: simulate
    staging: block
    production: allow
    governance_required: true
    brain_oversight_required: true

  disable_account:
    lab: simulate
    staging: block
    production: allow
    governance_required: true
    requires_human_approval: true

  contain_host:
    lab: simulate
    staging: simulate
    production: allow
    governance_required: true
    brain_oversight_required: true

  kill_process:
    lab: allow
    staging: simulate
    production: allow
    governance_required: false

  # NOTE(review): allowed in every tier with governance_required
  # false and no redaction flag, whereas export_logs below sets
  # pii_redaction_required. Memory images can hold credentials and
  # personal data; confirm that the production and staging verdicts
  # are intended as written.
  memory_snapshot:
    lab: allow
    staging: allow
    production: allow
    governance_required: false

  block_host:
    lab: simulate
    staging: simulate
    production: allow
    governance_required: true
    brain_oversight_required: true

  block_session:
    lab: simulate
    staging: block
    production: allow
    governance_required: true

  # NOTE(review): `lab: allow` together with `max_blast_radius: org`,
  # while section 4 caps lab at single_user. Presumably the per-tier
  # cap in section 4 wins; confirm. The same applies to
  # firewall_rule_inject.
  dns_sinkhole:
    lab: allow
    staging: block
    production: allow
    governance_required: true
    requires_human_approval: true
    max_blast_radius: org

  firewall_rule_inject:
    lab: allow
    staging: block
    production: allow
    governance_required: true
    requires_human_approval: true
    max_blast_radius: org

  # NOTE(review): `lab: allow` here, while section 3 sets
  # no_real_notifications: true and the lab tier sets
  # external_api_calls: blocked. Precedence is not stated in this
  # file; confirm that a lab run cannot post to a real channel.
  notify_slack:
    lab: allow
    staging: allow
    production: allow
    governance_required: false

  create_jira_ticket:
    lab: simulate
    staging: allow
    production: allow
    governance_required: false

  export_logs:
    lab: allow
    staging: allow
    production: allow
    governance_required: false
    pii_redaction_required: true

  # The only destructive data action. It is blocked in staging and
  # production and allowed only in lab, whose data_classification
  # is synthetic.
  delete_data:
    lab: allow
    staging: block
    production: block
    governance_required: true
    requires_human_approval: true

# ============================================================
# 3. SIMULATION MODE (Lab)
# ============================================================
# NOTE(review): the heading scopes this section to lab, but the
# block has no environment key and `enabled: true` is file-wide.
# Confirm how the engine ties it to lab and to `simulate` verdicts
# in staging.
simulation:
  enabled: true
  mode: dry_run
  output:
    log_simulated_actions: true
    emit_synthetic_telemetry: true
    # Align with repo root folder name as seen in SOaC-Enterprise architecture
    synthetic_telemetry_target: test_logs/
  restrictions:
    no_real_api_calls: true
    no_real_notifications: true
    synthetic_data_only: true

# ============================================================
# 4. BLAST RADIUS ENFORCEMENT
# ============================================================
# Per-tier ceiling on how far a single action may reach. The
# values used are single_user, team and org.
blast_radius:
  lab:
    max_allowed: single_user
  staging:
    max_allowed: team
  production:
    max_allowed: org
  # Exceeding a ceiling requires human approval. With
  # `timeout_action: abort`, an approval that does not arrive
  # within approval_timeout presumably cancels the action rather
  # than letting it proceed (fail closed). Confirm against the
  # engine.
  global_override:
    requires_human_approval: true
    approval_timeout: 10m
    timeout_action: abort

# ============================================================
# 5. AUDIT & COMPLIANCE
# ============================================================
# Audit is on for all tiers. Production logs at `verbose` and is
# retained longest, at 365 days.
audit:
  all_environments: true
  level:
    lab: standard
    staging: standard
    production: verbose
  retention_days:
    lab: 30
    staging: 90
    production: 365
  immutable: true

# ============================================================
# 6. POLICY ENFORCEMENT
# ============================================================
# A violation is blocked and reported. `override.allowed: false`
# means this policy declares no override path.
# NOTE(review): section 4 defines a `global_override` gated on
# human approval. This file does not define how that relates to
# `override.allowed: false`; confirm the two are not in conflict.
enforcement:
  engine: edge
  on_policy_violation: block
  violation_notification:
    channel: slack
    # Quoted because a leading `#` would otherwise start a comment.
    target: "#soac-policy-violations"
  override:
    allowed: false

# ============================================================
# 7. VERSIONING & CHANGELOG
# ============================================================
# Versions and dates are quoted so they stay strings.
versioning:
  policy: semver
  changelog:
    - version: "1.0.1"
      date: "2026-03-13"
      changes:
        - Align component metadata with product architecture (brain/policy)
        - Fix synthetic telemetry target path alignment (test_logs/)
        - Normalize enforcement engine name to 'edge'
    - version: "1.0.0"
      date: "2026-03-01"
      changes:
        - Initial release of Lab Safety Policy