{
  "_schema_version": "1.1",
  "_description": "Central registry of all world flags. Every flag used in any quest, incident, or dialogue must be declared here. Flags not in this registry will fail content validation.",

  "flags": [
    {
      "id": "player_ssh_configured",
      "description": "Player has added their public key to ~/.ssh/authorized_keys on the workstation with correct permissions.",
      "set_by": ["Q001"],
      "read_by": ["Q002", "Q003", "Q004", "Q005", "Q006", "Q007", "Q008"],
      "gates": ["quest_unlock:Q002", "quest_unlock:Q003", "quest_unlock:Q004"],
      "persists": true
    },
    {
      "id": "player_loose_permissions",
      "description": "Player set up authorized_keys but with overly permissive file or directory permissions.",
      "set_by": ["Q001"],
      "read_by": ["marcus-Q001"],
      "gates": [],
      "persists": true
    },
    {
      "id": "nginx_stable",
      "description": "Nginx is correctly configured, running, and enabled on hermes.",
      "set_by": ["Q002"],
      "read_by": ["Q003"],
      "gates": [],
      "persists": true,
      "conflicts_with": ["nginx_unstable"]
    },
    {
      "id": "nginx_unstable",
      "description": "Nginx is running but has a known fragility — not enabled on boot, or a quick-fix config.",
      "set_by": ["Q002"],
      "read_by": ["Q003"],
      "gates": [],
      "persists": true,
      "conflicts_with": ["nginx_stable"]
    },
    {
      "id": "hermes_web_healthy",
      "description": "The web server on hermes is responding to requests normally.",
      "set_by": ["Q002"],
      "read_by": ["Q003", "Q004"],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_web_down"]
    },
    {
      "id": "hermes_web_down",
      "description": "Nginx on hermes is inactive.",
      "set_by": ["Q002", "Q003"],
      "read_by": ["sarah-Q003-angry"],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_web_healthy"]
    },
    {
      "id": "hermes_logrotate_healthy",
      "description": "Nginx logrotate config exists and is correctly configured on hermes.",
      "set_by": ["Q003"],
      "read_by": ["I001"],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_log_pressure_pending"]
    },
    {
      "id": "hermes_disk_healthy",
      "description": "Disk utilization on hermes is below the alert threshold.",
      "set_by": ["Q003"],
      "read_by": ["I001"],
      "gates": [],
      "persists": false
    },
    {
      "id": "hermes_log_pressure_pending",
      "description": "Disk was cleared on hermes but logrotate is not configured. Log will grow again.",
      "set_by": ["Q003"],
      "read_by": ["I001"],
      "gates": ["incident_trigger:I001"],
      "persists": true,
      "conflicts_with": ["hermes_logrotate_healthy"]
    },
    {
      "id": "web_disk_pressure_active",
      "description": "Disk pressure on hermes is actively worsening due to unrotated logs.",
      "set_by": ["I001"],
      "read_by": [],
      "gates": [],
      "persists": false
    },
    {
      "id": "hermes_deploy_healthy",
      "description": "Web root ownership on hermes is correct and the deploy service can run without errors.",
      "set_by": ["Q004"],
      "read_by": [],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_deploy_partial"]
    },
    {
      "id": "hermes_deploy_partial",
      "description": "Web root top-level ownership is corrected but child files are still root-owned.",
      "set_by": ["Q004"],
      "read_by": [],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_deploy_healthy"]
    },
    {
      "id": "hermes_backup_healthy",
      "description": "Backup cron job runs as backup-agent, old files cleaned, disk below threshold.",
      "set_by": ["Q005"],
      "read_by": ["I002"],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_backup_partial", "hermes_backup_root_running"]
    },
    {
      "id": "hermes_backup_partial",
      "description": "Cron job user corrected but old root-owned backup files not cleaned up.",
      "set_by": ["Q005"],
      "read_by": ["I002"],
      "gates": ["incident_trigger:I002"],
      "persists": true,
      "conflicts_with": ["hermes_backup_healthy"]
    },
    {
      "id": "hermes_backup_root_running",
      "description": "Disk was cleared but the cron job is still running as root. Problem will recur.",
      "set_by": ["Q005"],
      "read_by": ["I002"],
      "gates": ["incident_trigger:I002"],
      "persists": true,
      "conflicts_with": ["hermes_backup_healthy"]
    },
    {
      "id": "vulcan_ntp_healthy",
      "description": "Time synchronization is active and enabled at boot on vulcan.",
      "set_by": ["Q006"],
      "read_by": ["Q008"],
      "gates": ["quest_unlock:Q008"],
      "persists": true,
      "conflicts_with": ["vulcan_ntp_fragile"]
    },
    {
      "id": "vulcan_ntp_fragile",
      "description": "NTP is running on vulcan but not enabled at boot.",
      "set_by": ["Q006"],
      "read_by": [],
      "gates": [],
      "persists": true,
      "conflicts_with": ["vulcan_ntp_healthy"]
    },
    {
      "id": "vulcan_builds_healthy",
      "description": "Package management on vulcan works without signature errors.",
      "set_by": ["Q006"],
      "read_by": ["Q008"],
      "gates": [],
      "persists": true
    },
    {
      "id": "hermes_ssh_hardened_correct",
      "description": "sshd on hermes uses AllowGroups with web-admin, correctly restricting access.",
      "set_by": ["Q007"],
      "read_by": [],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_ssh_allowusers_fragile", "hermes_ssh_unrestricted"]
    },
    {
      "id": "hermes_ssh_allowusers_fragile",
      "description": "sshd uses AllowUsers — works but requires manual updates for new users.",
      "set_by": ["Q007"],
      "read_by": [],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_ssh_hardened_correct", "hermes_ssh_unrestricted"]
    },
    {
      "id": "hermes_ssh_unrestricted",
      "description": "SSH hardening was removed entirely from hermes.",
      "set_by": ["Q007"],
      "read_by": [],
      "gates": [],
      "persists": true,
      "conflicts_with": ["hermes_ssh_hardened_correct", "hermes_ssh_allowusers_fragile"]
    },
    {
      "id": "priya_access_restored",
      "description": "Priya Nair can SSH to hermes again.",
      "set_by": ["Q007"],
      "read_by": ["priya-Q007"],
      "gates": [],
      "persists": true
    },
    {
      "id": "hermes_app_running",
      "description": "axiomworks-app is active and serving on hermes.",
      "set_by": ["Q008"],
      "read_by": [],
      "gates": [],
      "persists": true
    },
    {
      "id": "hermes_app_pinned_2-1-0",
      "description": "axiomworks-app is pinned to version 2.1.0 on hermes to avoid the broken 2.1.1.",
      "set_by": ["Q008"],
      "read_by": ["I003"],
      "gates": [],
      "persists": true
    },
    {
      "id": "vulcan_bad_build_known",
      "description": "The broken 2.1.1 build on vulcan has been identified but not yet fixed.",
      "set_by": ["Q008"],
      "read_by": [],
      "gates": [],
      "persists": true,
      "conflicts_with": ["vulcan_build_fixed"]
    },
    {
      "id": "vulcan_build_fixed",
      "description": "The broken 2.1.1 build was rebuilt correctly on vulcan and republished.",
      "set_by": ["Q008"],
      "read_by": [],
      "gates": [],
      "persists": true,
      "conflicts_with": ["vulcan_bad_build_known"]
    }
  ]
}