Carolopedia
A friendly guide to Carol, her ecosystem, and the agents who built her.
📖About
Follow-on to CAROL-INI-1905. (1) Create a dedicated CISO agent (Gandalf) owning Carolverse security posture and login/access policy; Radagast stays Admin, Albus keeps security architecture, Themis stays independent audit. (2) Build an ADMIN-ONLY Agent Access Management app owned by Gandalf: per-agent identity and credentials, access rights mapped to each agent's responsibilities, and a login/logout SESSION log (which agent, when, how long, purpose). (3) Model = session-per-action: every privileged action opens -> authenticates -> checks rights -> logs -> closes a session; no action without an authorised session. Provide a session-logging API the clerks call, plus seed policies. Strategy: docs/security/carolverse-security-strategy.md.
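The session-per-action model in (3), worked through as an added example. This is illustrative code written for this page, not the Agent Access Management app's own implementation: the agent names, the rights in the seed registry, the HMAC challenge/response credential and the in-memory session log are all assumptions chosen to show the open -> authenticate -> check rights -> log -> close sequence with deny-by-default, and to mirror the proof recorded below (the filing agent gets 200, an agent without the right gets 403). Every session, including refused ones, lands in the log with who, what, when, how long and the outcome, and the wrapper closes the session on every path.

```python
"""Session-per-action authorisation gate (added example; hypothetical, not Carol's own code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed seed data: the real registry is seeded from agent responsibilities.
ACCESS_REGISTRY: dict[str, frozenset[str]] = {
    "elrond": frozenset({"file_initiative", "bypass_start"}),
    "sage": frozenset({"read_initiative"}),
}
# Per-agent credential for a challenge/response proof (illustrative secrets only).
CREDENTIALS: dict[str, bytes] = {
    "elrond": b"elrond-example-secret",
    "sage": b"sage-example-secret",
}


@dataclass
class Session:
    sid: str
    agent: str
    action: str
    purpose: str
    opened_at: float
    authenticated: bool = False
    status: int | None = None      # HTTP-style outcome recorded at close
    closed_at: float | None = None


SESSION_LOG: list[Session] = []   # login/logout record: which agent, when, how long, purpose


def open_session(agent: str, action: str, purpose: str) -> Session:
    """Step 1: open. The session is logged when opened, so refused attempts are recorded too."""
    s = Session(secrets.token_hex(8), agent, action, purpose, time.time())
    SESSION_LOG.append(s)
    return s


def authenticate(s: Session, challenge: bytes, proof: bytes) -> bool:
    """Step 2: authenticate. HMAC over a server-issued challenge, compared in constant time."""
    secret = CREDENTIALS.get(s.agent)
    if secret is None:             # unknown agent: fail closed
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    s.authenticated = hmac.compare_digest(expected, proof)
    return s.authenticated


def authorise(s: Session) -> bool:
    """Step 3: check rights. Deny by default: no authentication or unlisted action is a refusal."""
    return s.authenticated and s.action in ACCESS_REGISTRY.get(s.agent, frozenset())


def close_session(s: Session, status: int) -> None:
    """Step 5: close. Records the outcome and the close time; no session is left open."""
    s.status = status
    s.closed_at = time.time()


def run_privileged(agent: str, secret: bytes, action: str, purpose: str, do) -> int:
    """Session-per-action wrapper: open -> authenticate -> check rights -> log -> close.

    `secret` is the credential the caller presents; the proof is computed as a client would.
    Returns 200 (done), 401 (bad credential), 403 (no right) or 500 (action raised).
    """
    s = open_session(agent, action, purpose)
    status = 500
    try:
        challenge = secrets.token_bytes(16)
        proof = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not authenticate(s, challenge, proof):
            status = 401
        elif not authorise(s):
            status = 403
        else:
            try:
                do()
                status = 200
            except Exception:
                status = 500
    finally:
        close_session(s, status)   # step 4 (log) is completed here with the outcome
    return status


def log_rows() -> list[tuple[str, str, int | None, float]]:
    """Flatten the session log: (agent, action, status, duration in seconds)."""
    return [(s.agent, s.action, s.status, (s.closed_at or s.opened_at) - s.opened_at)
            for s in SESSION_LOG]


if __name__ == "__main__":
    print(run_privileged("elrond", CREDENTIALS["elrond"], "file_initiative", "file follow-on", lambda: None))
    print(run_privileged("sage", CREDENTIALS["sage"], "file_initiative", "try to file", lambda: None))
    for row in log_rows():
        print(row)
```

The refusal paths matter as much as the success path: a wrong credential is 401 before any rights check, an authenticated agent without the mapped right is 403, and both still produce a closed, timed log entry. A real deployment would persist the log outside the process and bind the session id into the action's own audit record.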
⚖️Decisions
- Auto-detected remediation target INI-999900087 from title/description scan (matched CAROL-INI-1905 -> row id 999900087 (CAROL-INI-1905-00: Carolverse User Management & Agent Identity Isolation Framewo)); override by setting remediates_initiative_id explicitly at bypass_start. (system-auto-detect)
- Elrond's bypass methodology checklist (a reminder, not a gate -- you've got this): 0. File it requested_mode='bypass' (planner-vs-bypass is a deliberate choice). bypass_start REFUSES a non-bypass initiative (CAROL-INI-1846), and the dispatcher only skips the bypass lane when the mode says bypass -- a 'planner' mistag lets Merlin's pipeline grab the placeholder step and block your finished work. 1. Filed as planned status -- let the bypass claim/activate it; never file active. 2. Open the bypass (bypass_start) with your droid id + the remediation answer (remediates_initiative_id=NNN, or remediates_nothing=True). 3. Work the blocks for your work-type: template -> design -> code -> test -> review. Do the real work; record decisions on the initiative as you make them. 4. Reality is recorded for you at close -- code (files changed), each decision, and the twin-review verdict become real activities tied to this initiative and show in the Activity Tracker like a planner run (CAROL-INI-1840). No dummy rows. 5. Keep the initiative status moving; it parks in 'reviewing' and is tagged uat-pending for you at close (CAROL-INI-1836), so the stuck-watchdog leaves it alone until UAT. 6. Close runs the gates (design/architecture compliance + caller-audit). If a gate flags something pre-existing or unrelated to your change, waive it with a clear written rationale -- audit, don't skip. 7. Bypass skips the planner's auto-orchestration, NOT the standards. Same template checklist, same review, same observability as a planner run. (elrond)
- [status-router] planned -> active | event=bypass_active | bypass transition (or-bx-01)
- Gandalf (agt_038, CISO) created in registry + OS user provisioned THROUGH Radagast (operator-approved, verified, audited) — uid 964, nologin, locked. End-to-end proof of the Phase B provisioning capability for a new agent. (orion)
- Agent Access Management app built + registered to Gandalf (agt_038): access registry seeded from agent responsibilities (34 agents), session-per-action API (open/authorise/log/close), login policies, admin-only dashboard on 7201. Session AUTHZ proven: Elrond authorised to file_initiative (200), Sage DENIED (403) — only-Elrond-files enforced as session authorization. (orion)
- FOLLOW-UP: public nginx route via Radagast install_dev_routes failed (radagast cannot read /etc/nginx/carol-dev-apps.conf) — app works on localhost:7201; route + session-wiring into the live clerks are the remaining steps. (orion)
- [status-router] active -> reviewing | event=bypass_reviewing | bypass transition (or-bx-01)
- Security agent renamed Gandalf->Heimdall; placed as Head of Security reporting to Cassius (Head of Support Functions), peer to Themis/Midas/Loki - honours the <=4-reportees rule (Cassius now 4, no manager over 4) and keeps security independent of Engineering. OS user heimdall provisioned via Radagast. Fixed a cutover side-effect: Radagast now reads registry.db read-only so it no longer locks caroladmin out of registry writes. Leftover: gandalf OS user (harmless, needs root userdel). (orion)
- Athena reactivated as Head of Agent Resources (renamed from Human Resources) under Cassius. Ninad waived the <=4 span rule for Cassius (now 5: Finance, Compliance, Marketing, Security, Agent Resources). Recorded a documented span waiver in the org-health audit so it no longer flags Cassius. (orion)
- [status-router] reviewing -> closed | event=operator_signoff | Auto-accepted (CAROL-INI-1859): Orion-initiated, >2 days in reviewing with no objection. (el-srac-01)