diff --git a/10-inventory/hosts/README.md b/10-inventory/hosts/README.md
new file mode 100644
index 0000000..0439721
--- /dev/null
+++ b/10-inventory/hosts/README.md
@@ -0,0 +1,14 @@
+# Hosts
+
+Each host lives in its own directory:
+
+```
+10-inventory/hosts/--/
+```
+
+Minimum:
+
+- `README.md` (purpose + trust boundary)
+- `hardware.md` (what it is)
+- `os.md` (what it runs)
+
diff --git a/10-inventory/hosts/op-console-mac/README.md b/10-inventory/hosts/op-console-mac/README.md
new file mode 100644
index 0000000..66c3854
--- /dev/null
+++ b/10-inventory/hosts/op-console-mac/README.md
@@ -0,0 +1,16 @@
+# op-console-mac
+
+## Purpose
+
+Console host used to run `op-core-vm`.
+
+## Trust boundary
+
+- The host is a console, not a source of trust.
+- Critical actions happen only inside `op-core-vm`.
+- No long-lived secrets are kept on the host if avoidable.
+
+## References
+
+- Doctrine: `00-doctrine/operator-charter.md`
+- Lease: `20-identity/leases/op-console-mac.md`
diff --git a/10-inventory/hosts/op-console-mac/hardware.md b/10-inventory/hosts/op-console-mac/hardware.md
new file mode 100644
index 0000000..19e8790
--- /dev/null
+++ b/10-inventory/hosts/op-console-mac/hardware.md
@@ -0,0 +1,10 @@
+# Hardware (op-console-mac)
+
+- Model:
+- Serial:
+- CPU:
+- RAM:
+- Storage:
+- Network:
+- Location:
+
diff --git a/10-inventory/hosts/op-console-mac/os.md b/10-inventory/hosts/op-console-mac/os.md
new file mode 100644
index 0000000..e5a1045
--- /dev/null
+++ b/10-inventory/hosts/op-console-mac/os.md
@@ -0,0 +1,12 @@
+# OS (op-console-mac)
+
+- OS:
+- Version:
+- Install method:
+- Disk encryption:
+- Update policy:
+
+## Notes
+
+- The VM is the authority source; the host is replaceable.
+
diff --git a/10-inventory/hosts/op-witness-phone/README.md b/10-inventory/hosts/op-witness-phone/README.md
new file mode 100644
index 0000000..fc34911
--- /dev/null
+++ b/10-inventory/hosts/op-witness-phone/README.md
@@ -0,0 +1,15 @@
+# op-witness-phone
+
+## Purpose
+
+Witness device for verification (alerts, confirmations, second factors).
+
+## Trust boundary
+
+- The phone is a witness, not a workstation.
+- Prefer read-only access; no critical admin actions originate here.
+
+## References
+
+- Doctrine: `00-doctrine/operator-charter.md`
+- Lease: `20-identity/leases/op-witness-phone.md`
diff --git a/10-inventory/hosts/op-witness-phone/hardware.md b/10-inventory/hosts/op-witness-phone/hardware.md
new file mode 100644
index 0000000..22d8992
--- /dev/null
+++ b/10-inventory/hosts/op-witness-phone/hardware.md
@@ -0,0 +1,7 @@
+# Hardware (op-witness-phone)
+
+- Model:
+- Serial/IMEI:
+- Storage:
+- Network:
+
diff --git a/10-inventory/hosts/op-witness-phone/os.md b/10-inventory/hosts/op-witness-phone/os.md
new file mode 100644
index 0000000..9edd519
--- /dev/null
+++ b/10-inventory/hosts/op-witness-phone/os.md
@@ -0,0 +1,7 @@
+# OS (op-witness-phone)
+
+- OS:
+- Version:
+- Update policy:
+- Lock screen policy:
+
diff --git a/10-inventory/hosts/srv-local-core/README.md b/10-inventory/hosts/srv-local-core/README.md
new file mode 100644
index 0000000..ea52797
--- /dev/null
+++ b/10-inventory/hosts/srv-local-core/README.md
@@ -0,0 +1,11 @@
+# srv-local-core
+
+## Purpose
+
+Local core server: stable services and state that must still be rebuildable.
+
+## Authority boundary
+
+- Provisioning and changes originate from `op-core-vm`.
+- Host state is treated as disposable; the source of truth lives in `ops/`.
+
diff --git a/10-inventory/hosts/srv-local-core/hardware.md b/10-inventory/hosts/srv-local-core/hardware.md
new file mode 100644
index 0000000..9ce03e4
--- /dev/null
+++ b/10-inventory/hosts/srv-local-core/hardware.md
@@ -0,0 +1,10 @@
+# Hardware (srv-local-core)
+
+- Model:
+- Serial:
+- CPU:
+- RAM:
+- Storage:
+- Network:
+- Location:
+
diff --git a/10-inventory/hosts/srv-local-core/os.md b/10-inventory/hosts/srv-local-core/os.md
new file mode 100644
index 0000000..7e87839
--- /dev/null
+++ b/10-inventory/hosts/srv-local-core/os.md
@@ -0,0 +1,8 @@
+# OS (srv-local-core)
+
+- OS:
+- Version:
+- Install method:
+- Disk encryption:
+- Update policy:
+
diff --git a/10-inventory/hosts/srv-local-shield/README.md b/10-inventory/hosts/srv-local-shield/README.md
new file mode 100644
index 0000000..5f9bff9
--- /dev/null
+++ b/10-inventory/hosts/srv-local-shield/README.md
@@ -0,0 +1,11 @@
+# srv-local-shield
+
+## Purpose
+
+Local shield node: boundary services (gateway, filtering, segmentation).
+
+## Authority boundary
+
+- Provisioning and changes originate from `op-core-vm`.
+- Configuration is managed as code; rebuilds are expected.
+
diff --git a/10-inventory/hosts/srv-local-shield/hardware.md b/10-inventory/hosts/srv-local-shield/hardware.md
new file mode 100644
index 0000000..a7e126e
--- /dev/null
+++ b/10-inventory/hosts/srv-local-shield/hardware.md
@@ -0,0 +1,10 @@
+# Hardware (srv-local-shield)
+
+- Model:
+- Serial:
+- CPU:
+- RAM:
+- Storage:
+- Network:
+- Location:
+
diff --git a/10-inventory/hosts/srv-local-shield/os.md b/10-inventory/hosts/srv-local-shield/os.md
new file mode 100644
index 0000000..f991130
--- /dev/null
+++ b/10-inventory/hosts/srv-local-shield/os.md
@@ -0,0 +1,8 @@
+# OS (srv-local-shield)
+
+- OS:
+- Version:
+- Install method:
+- Disk encryption:
+- Update policy:
+
diff --git a/20-identity/leases/README.md b/20-identity/leases/README.md
new file mode 100644
index 0000000..70501df
--- /dev/null
+++ b/20-identity/leases/README.md
@@ -0,0 +1,12 @@
+# Leases
+
+Leases are time-bound grants of access tied to a device (or system) and a role.
+
+Rules:
+
+- A lease has an expiry.
+- A lease is revocable.
+- Every lease has a recorded grant and a recorded revoke/rotate event.
+
+Use `20-identity/templates/lease.md` for new leases.
+
diff --git a/20-identity/leases/op-console-mac.md b/20-identity/leases/op-console-mac.md
new file mode 100644
index 0000000..f0c78ab
--- /dev/null
+++ b/20-identity/leases/op-console-mac.md
@@ -0,0 +1,20 @@
+# Lease: op-console-mac
+
+## Grant
+
+- Lease type: device (console)
+- Issued to role: operator
+- Issued at (UTC):
+- Expires at (UTC):
+- Revoked at (UTC):
+
+## Scope
+
+- Permits: physical and local access required to operate `op-core-vm`.
+- Forbids: treating the host OS as a source of trust.
+
+## Rotation / revocation
+
+- Revoke: remove local access, rotate any credentials that could have been exposed, and rebuild `op-core-vm` if integrity is in doubt.
+- Verify: confirm operator access is only possible from a trusted, rebuilt core.
+
diff --git a/20-identity/leases/op-witness-phone.md b/20-identity/leases/op-witness-phone.md
new file mode 100644
index 0000000..5ba8bb7
--- /dev/null
+++ b/20-identity/leases/op-witness-phone.md
@@ -0,0 +1,20 @@
+# Lease: op-witness-phone
+
+## Grant
+
+- Lease type: device (witness)
+- Issued to role: witness
+- Issued at (UTC):
+- Expires at (UTC):
+- Revoked at (UTC):
+
+## Scope
+
+- Permits: read-only verification and confirmations.
+- Forbids: initiating critical operational changes.
+
+## Rotation / revocation
+
+- Revoke: remove device access and rotate any linked factors.
+- Verify: confirm no critical role can originate from this device.
+
diff --git a/20-identity/roles/operator.md b/20-identity/roles/operator.md
new file mode 100644
index 0000000..bac28b2
--- /dev/null
+++ b/20-identity/roles/operator.md
@@ -0,0 +1,20 @@
+# Role: operator
+
+## Purpose
+
+Execute critical operational actions from the core boundary.
+
+## Scope
+
+- Allowed: provisioning, configuration, recovery, decommission.
+- Forbidden: ad-hoc changes outside `op-core-vm`.
+
+## Allowed origins
+
+- `op-core-vm` only.
+
+## Rotation / revocation
+
+- Revoke: invalidate leases, rotate credentials, and sever device trust.
+- Prove: record the action in `70-audits/reports/`.
+
diff --git a/20-identity/roles/witness.md b/20-identity/roles/witness.md
new file mode 100644
index 0000000..e1cdb14
--- /dev/null
+++ b/20-identity/roles/witness.md
@@ -0,0 +1,20 @@
+# Role: witness
+
+## Purpose
+
+Observe and confirm (alerts, read-only checks, second-factor confirmations).
+
+## Scope
+
+- Allowed: read-only verification and confirmations.
+- Forbidden: provisioning and configuration changes.
+
+## Allowed origins
+
+- `op-witness-phone` only.
+
+## Rotation / revocation
+
+- Revoke: remove device access and rotate any linked factors.
+- Prove: record the action in `70-audits/reports/`.
+
diff --git a/20-identity/templates/README.md b/20-identity/templates/README.md
new file mode 100644
index 0000000..47da0e6
--- /dev/null
+++ b/20-identity/templates/README.md
@@ -0,0 +1,7 @@
+# Templates
+
+Use these templates to keep identity material consistent:
+
+- `role.md`
+- `lease.md`
+
diff --git a/20-identity/templates/lease.md b/20-identity/templates/lease.md
new file mode 100644
index 0000000..d54c890
--- /dev/null
+++ b/20-identity/templates/lease.md
@@ -0,0 +1,24 @@
+# Lease:
+
+## Grant
+
+- Lease type:
+- Issued to role:
+- Issued at (UTC):
+- Expires at (UTC):
+- Revoked at (UTC):
+
+## Scope
+
+- What this lease permits:
+- What it explicitly forbids:
+
+## Rotation / revocation
+
+- Revocation procedure:
+- Post-revoke verification:
+
+## Evidence
+
+What you record when granting/rotating/revoking (timestamps, IDs, logs).
+
diff --git a/20-identity/templates/role.md b/20-identity/templates/role.md
new file mode 100644
index 0000000..ebbb996
--- /dev/null
+++ b/20-identity/templates/role.md
@@ -0,0 +1,29 @@
+# Role:
+
+## Purpose
+
+What this role exists to do.
+
+## Scope
+
+- Allowed actions:
+- Forbidden actions:
+
+## Allowed origins
+
+Where this role is allowed to be used from (e.g., `op-core-vm`).
+
+## Credentials
+
+What mechanisms this role uses (keys/tokens), and where the encrypted material lives.
+
+## Rotation / revocation
+
+- How to revoke fast:
+- How to rotate predictably:
+- Proof you record:
+
+## Notes
+
+Anything future-you must remember.
+