{
  "id": "Q001",
  "title": "Welcome Aboard",
  "tier": 1,
  "primary_vm": "workstation",
  "required_vms": ["workstation"],
  "ticket_id": "T001",
  "baseline_snapshot": "baseline.day-one",
  "summary": "The player's first task. Their SSH key was never added to the workstation's authorized_keys during provisioning. Marcus walks them through where things are. The fix is trivial but teaches navigation and file inspection.",
  "clue_fingerprint": {
    "description": "SSH key is missing from authorized_keys. The provisioning script ran but the key was never appended. Evidence is visible in ~/.ssh/authorized_keys being absent entirely and in /var/log/auth.log showing permission denied publickey.",
    "evidence": [
      { "type": "file_absent", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys" },
      { "type": "log_contains", "vm": "workstation", "path": "/var/log/auth.log", "contains": "Permission denied (publickey)" }
    ]
  },
  "objectives": [
    {
      "id": "ssh-dir-exists",
      "description": "Ensure the .ssh directory exists with correct permissions",
      "check_mode": "passive",
      "validation": {
        "type": "and",
        "rules": [
          { "type": "directory_exists", "vm": "workstation", "path": "/home/player/.ssh" },
          { "type": "file_mode", "vm": "workstation", "path": "/home/player/.ssh", "mode": "0700" }
        ]
      }
    },
    {
      "id": "authorized-key-present",
      "description": "Add the provided public key to authorized_keys",
      "check_mode": "passive",
      "validation": {
        "type": "and",
        "rules": [
          { "type": "file_exists", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys" },
          { "type": "file_mode", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys", "mode": "0600" },
          { "type": "file_owner", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys", "user": "player", "group": "player" }
        ]
      }
    }
  ],
  "solution_branches": [
    {
      "id": "correct-setup",
      "label": "Correct Setup",
      "priority": 100,
      "validation": {
        "type": "and",
        "rules": [
          { "type": "file_exists", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys" },
          { "type": "file_mode", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys", "mode": "0600" },
          { "type": "file_mode", "vm": "workstation", "path": "/home/player/.ssh", "mode": "0700" },
          { "type": "file_owner", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys", "user": "player", "group": "player" }
        ]
      },
      "trust_delta": 1,
      "world_flags": ["player_ssh_configured"],
      "follow_up_dialogue": "marcus-Q001-complete-clean",
      "follow_up_ticket": "T002"
    },
    {
      "id": "permissive-setup",
      "label": "Permissive Setup",
      "priority": 50,
      "validation": {
        "type": "and",
        "rules": [
          { "type": "file_exists", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys" },
          { "type": "file_owner", "vm": "workstation", "path": "/home/player/.ssh/authorized_keys", "user": "player", "group": "player" }
        ]
      },
      "trust_delta": 0,
      "world_flags": ["player_ssh_configured", "player_loose_permissions"],
      "follow_up_dialogue": "marcus-Q001-complete-permissive",
      "follow_up_ticket": "T002",
      "_note": "Key is present and owned correctly but permissions are too open. SSH will still reject it. Marcus will mention this later."
    }
  ],
  "pressure_profile": null,
  "blast_radius": [],
  "unlock_requirements": [],
  "narrative_phase": "normal_work",
  "linux_concepts": ["ssh-keygen", "authorized_keys", "file permissions"],
  "failure_conditions": ["SSH keys not added", "authorized_keys permissions too broad"],
  "behavior_impact": {
    "correct-setup": { "curiosity_delta": 0, "obedience_delta": 1, "risk_delta": 0, "suspicion_delta": 0 },
    "permissive-setup": { "curiosity_delta": 0, "obedience_delta": 0, "risk_delta": 1, "suspicion_delta": 1 },
    "default": { "curiosity_delta": 0, "obedience_delta": 0, "risk_delta": 0, "suspicion_delta": 0 }
  },
  "hidden_hook": null,
  "access_requirements": {
    "minimum_access": { "workstation": "basic_user" },
    "requires_root": false,
    "temporary_grants_allowed": []
  },
  "tags": ["onboarding", "ssh", "permissions", "workstation"],
  "internal_notes": "This quest has no time pressure and no incidents. It is purely tutorial. Marcus is present and talkative. The only failure mode is giving up, which cannot happen mechanically."
}