[
  {
    "id": "unlock:workstation:sudo:basic",
    "description": "Basic sudo access on the workstation (systemctl, journalctl, df)",
    "trust_threshold": 50.0,
    "revokes_below_trust": -1,
    "grants_access": ["sudo:workstation:systemctl", "sudo:workstation:journalctl", "sudo:workstation:df"],
    "grants_vms": [],
    "grants_docs": ["onboarding"],
    "revokes": []
  },
  {
    "id": "unlock:web_server:access",
    "description": "Access to the web server (hermes) via SSH from workstation",
    "trust_threshold": 55.0,
    "revokes_below_trust": 45.0,
    "grants_access": ["ssh:web_server", "sudo:web_server:systemctl", "sudo:web_server:nginx"],
    "grants_vms": ["web_server"],
    "grants_docs": ["nginx-runbook", "web-deploy-guide"],
    "revokes_vms": ["web_server"],
    "revokes": ["ssh:web_server", "sudo:web_server:systemctl", "sudo:web_server:nginx"]
  },
  {
    "id": "unlock:web_server:sudo:full",
    "description": "Full sudo on hermes — enables root-level fixes",
    "trust_threshold": 60.0,
    "revokes_below_trust": 45.0,
    "grants_access": ["sudo:web_server:full"],
    "grants_vms": [],
    "grants_docs": ["server-admin-guide"],
    "revokes": ["sudo:web_server:full"]
  },
  {
    "id": "unlock:build_machine:access",
    "description": "Access to the build machine (vulcan)",
    "trust_threshold": 60.0,
    "revokes_below_trust": 50.0,
    "grants_access": ["ssh:build_machine", "sudo:build_machine:pacman"],
    "grants_vms": ["build_machine"],
    "grants_docs": ["arch-runbook", "package-mirror-guide"],
    "revokes_vms": ["build_machine"],
    "revokes": ["ssh:build_machine", "sudo:build_machine:pacman"]
  },
  {
    "id": "unlock:incident:visibility",
    "description": "Incident alerts shown in HUD — player trusted enough to see system pressure",
    "trust_threshold": 55.0,
    "revokes_below_trust": -1,
    "grants_access": ["hud:incident_alerts"],
    "grants_vms": [],
    "grants_docs": ["incident-response-guide"],
    "revokes": []
  }
]