commit f375d21a9e391502ecb170583c4abc7fabbd7ddf Author: vaultsovereign Date: Wed Dec 17 15:13:19 2025 +0000 Initialize ops repository diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cce9908 --- /dev/null +++ b/.gitignore @@ -0,0 +1,33 @@ +.DS_Store +*.swp +*.swo +*~ +.vscode/ +.idea/ + +# Terraform +**/.terraform/ +**/*.tfstate +**/*.tfstate.* +**/crash.log +**/crash.*.log + +# Common secret material (keep out of Git) +*.pem +*.key +*.p12 +*.pfx +*.jks +*.kubeconfig +*.ovpn +*.mobileconfig +.env +.env.* +!.env.example +*.tfvars +*.tfvars.json +!.tfvars.example +!.tfvars.json.example + +# Decrypted scratch areas +vault/tmp/ diff --git a/00-doctrine/.gitkeep b/00-doctrine/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/00-doctrine/.gitkeep @@ -0,0 +1 @@ + diff --git a/00-doctrine/README.md b/00-doctrine/README.md new file mode 100644 index 0000000..f21b01d --- /dev/null +++ b/00-doctrine/README.md @@ -0,0 +1,7 @@ +# Doctrine + +This directory defines the non-negotiable rules of operation. + +- `operator-charter.md` is the one-page version you keep visible. +- `personal-operating-doctrine.md` is the full doctrine that everything derives from. + diff --git a/00-doctrine/backup-doctrine.md b/00-doctrine/backup-doctrine.md new file mode 100644 index 0000000..609527b --- /dev/null +++ b/00-doctrine/backup-doctrine.md 
@@ -0,0 +1,25 @@ +# Backup Doctrine + +## Principles + +- Backups exist for **calm recovery**, not comfort. +- Encrypt backups **before** they leave the system. +- A backup that cannot be safely lost is incorrectly scoped. +- Restores are verified: a backup without a restore test is a hope, not a backup. + +## In-repo boundaries + +- What is backed up, where it is stored, and how it is restored is recorded in `60-backups/manifests/`. +- Proof that restores work (restore drills, checksums, validation notes) lives in `60-backups/restore-tests/`. + +## Minimum standard + +For each backup set, record: + +- Source (what) +- Destination (where) +- Method (how) +- Frequency (when) +- Restore procedure (how to get it back) +- Validation (how you know it worked) + diff --git a/00-doctrine/identity-law.md b/00-doctrine/identity-law.md new file mode 100644 index 0000000..7f95836 --- /dev/null +++ b/00-doctrine/identity-law.md @@ -0,0 +1,27 @@ +# Identity Law + +## Principles + +- Operate via **roles**, not personalities. +- Issue access as **leases** (time-bound, revocable), not permanence. +- Prefer **short-lived credentials** over long-lived secrets. +- Public keys are safe to store; private keys are not. + +## In-repo boundaries + +- Role definitions live in `20-identity/roles/`. +- Policies and intent live in `20-identity/policies/`. +- Leases (who/what has access, until when) live in `20-identity/leases/`. +- Public keys live in `20-identity/keys/public/`. +- Private keys and plaintext secrets never live in this repo. + +## Required properties (revocation) + +Every identity mechanism must support: + +1. **Revoke**: shut it off quickly. +2. **Rotate**: replace it predictably. +3. **Prove**: show what changed and when. + +If any of the above is not true, the mechanism does not belong in the core. + diff --git a/00-doctrine/operator-charter.md b/00-doctrine/operator-charter.md new file mode 100644 index 0000000..f6229e5 --- /dev/null +++ b/00-doctrine/operator-charter.md 
@@ -0,0 +1,113 @@ +# The Operator Charter (One Page) + +*(v1.0)* + +## I. Prime Directive + +I do not optimize for convenience. I optimize for **clarity, recoverability, and sovereignty**. + +If a system cannot be understood, rebuilt, or revoked, it does not belong. + +## II. The Core + +There is **one core of authority**. + +- `op-core-vm` is the origin of action. +- It is disposable, but authoritative. +- No critical action occurs outside it. + +The host is a console. The phone is a witness. + +## III. Identity Law + +Identity is finite. + +- Roles over personalities. +- Least privilege, always. +- Devices receive leases, never permanence. + +Anything that cannot be revoked cleanly is a liability. + +## IV. Naming Is Reality + +If it cannot be named correctly, it is not understood. + +Format: + +``` +-- +``` + +No myth names. No ambiguity. Renaming precedes deletion. + +## V. Infrastructure Doctrine + +Infrastructure is **cattle, not pets**. + +- Nodes are replaceable. +- Loss is expected. +- Rebuilds are boring. + +Sentiment is reserved for people, not machines. + +## VI. Separation of Meaning + +Meaning and infrastructure never mix. + +- Knowledge, media, philosophy → cold storage. +- Keys, infra, authority → clean core. + +What matters must be portable. What operates must be disposable. + +## VII. Backup Rule + +Backups exist for **calm recovery**, not comfort. + +- Encrypt before upload. +- Cloud storage is a vault, never a brain. +- No live sync for the core. + +If losing a backup causes panic, it is wrongly scoped. + +## VIII. The Nuke Test + +Every system must answer: + +> “If this disappears today, can I rebuild without panic?” + +If not: reduce scope, split responsibility, document recovery, or remove it. + +## IX. Tool Discipline + +Every tool must earn its place. + +- Fewer tools, deeper mastery. +- No duplicates without reason. +- No installs without intent. + +Bloat is deferred failure. + +## X. Drift Control + +Entropy is natural. Drift is optional. 
+ +Regularly: audit identities, review devices, correct names, delete without regret. + +Maintenance is freedom. + +## XI. Authority Boundary + +Critical actions occur only: + +- from the core +- with intent +- with traceability + +No shortcuts. No “just this once”. + +## XII. Final Law + +I build systems I am **not afraid to touch**. + +If fear appears, I stop — not to hesitate, but to **restore clarity**. + diff --git a/00-doctrine/personal-operating-doctrine.md b/00-doctrine/personal-operating-doctrine.md new file mode 100644 index 0000000..9d5eecf --- /dev/null +++ b/00-doctrine/personal-operating-doctrine.md 
@@ -0,0 +1,111 @@ +# Personal Operating Doctrine — Operator Edition + +*(v1.0)* + +## 1. Prime Directive + +I do not optimize for convenience. I optimize for **clarity, recoverability, and sovereignty**. + +If a system cannot be understood, rebuilt, or revoked, it does not belong. + +## 2. The Core + +There exists **one core** from which all authority flows: + +- `op-core-vm` is the origin of action. +- It is disposable, but authoritative. +- Nothing touches critical infrastructure unless it originates here. + +The host machine is a **console**, not a source of trust. The phone is a **witness**, not a workstation. + +## 3. Identity Law + +Identity is finite. + +- I operate through **roles**, not personalities. +- Each role has minimal scope and clear purpose. +- Devices hold **leases**, never permanent identity. + +Anything that cannot be cleanly revoked is a liability. + +## 4. Naming Is Reality + +If I cannot name it correctly, I do not understand it. + +All systems are named by: + +``` +-- +``` + +No myth names. No vibes. No ambiguity. + +Renaming precedes deletion. Deletion follows clarity. + +## 5. Infrastructure Is Cattle + +No machine is sacred. + +- All nodes are replaceable. +- Rebuilds are expected. +- Loss is boring, not catastrophic. + +Sentiment is reserved for people and meaning — never machines. + +## 6. Separation of Concerns + +Meaning and infrastructure do not mix. + +- Knowledge, media, philosophy → cold storage. +- Keys, infra, authority → clean core. + +What matters must be portable. What operates must be disposable. + +## 7. Backup Doctrine + +Backups exist to enable **calm recovery**, not comfort. + +- All backups are encrypted **before** leaving the system. +- Cloud storage is a **vault**, never a brain. +- No live sync for core systems. + +If a backup cannot be lost safely, it is incorrectly scoped. + +## 8. 
The Nuke Test + +Any system must pass this test: + +> “If this disappears today, can I rebuild without panic?” + +If the answer is no: reduce scope, split responsibility, document recovery, or remove it entirely. + +## 9. Tool Minimalism + +Every tool must earn its place. + +- Fewer tools, deeper mastery. +- No duplicates without reason. +- No installs without intent. + +Bloat is deferred failure. + +## 10. Drift Control + +Entropy is inevitable. Drift is optional. + +I perform regular identity audits, device reviews, naming corrections, and deletion passes. + +Maintenance is a form of freedom. + +## 11. Authority Boundary + +Critical actions happen only from `op-core-vm`, with intent, awareness, and traceability. + +No “just this once”. No shortcuts. + +## 12. Final Rule + +I build systems I am **not afraid to touch**. + +If fear appears, I stop — not to hesitate, but to **restore clarity**. + diff --git a/10-inventory/README.md b/10-inventory/README.md new file mode 100644 index 0000000..93b92bc --- /dev/null +++ b/10-inventory/README.md @@ -0,0 +1,9 @@ +# Inventory + +Inventory is the map of reality. + +- Hosts live under `10-inventory/hosts/--/`. +- Networks and services are recorded under `10-inventory/networks/` and `10-inventory/services/`. + +If it exists and matters operationally, it is inventoried and named. + diff --git a/10-inventory/hosts/.gitkeep b/10-inventory/hosts/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/10-inventory/hosts/.gitkeep @@ -0,0 +1 @@ + diff --git a/10-inventory/networks/.gitkeep b/10-inventory/networks/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/10-inventory/networks/.gitkeep @@ -0,0 +1 @@ + diff --git a/10-inventory/services/.gitkeep b/10-inventory/services/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/10-inventory/services/.gitkeep @@ -0,0 +1 @@ + diff --git a/20-identity/README.md b/20-identity/README.md new file mode 100644 index 0000000..1bea230 
--- /dev/null +++ b/20-identity/README.md @@ -0,0 +1,13 @@ +# Identity + +Identity is operated as roles + leases. + +In this repo: + +- roles: `20-identity/roles/` +- policies: `20-identity/policies/` +- leases (time-bound grants): `20-identity/leases/` +- public keys only: `20-identity/keys/public/` + +Private keys and plaintext secrets do not belong here. + diff --git a/20-identity/keys/public/.gitkeep b/20-identity/keys/public/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/20-identity/keys/public/.gitkeep @@ -0,0 +1 @@ + diff --git a/20-identity/keys/public/README.md b/20-identity/keys/public/README.md new file mode 100644 index 0000000..b679fb3 --- /dev/null +++ b/20-identity/keys/public/README.md @@ -0,0 +1,7 @@ +# Public keys only + +Store public keys here (e.g., `*.pub`). + +- Name keys to match the role/device: `--`. +- Never commit private keys. + diff --git a/20-identity/leases/.gitkeep b/20-identity/leases/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/20-identity/leases/.gitkeep @@ -0,0 +1 @@ + diff --git a/20-identity/policies/.gitkeep b/20-identity/policies/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/20-identity/policies/.gitkeep @@ -0,0 +1 @@ + diff --git a/20-identity/roles/.gitkeep b/20-identity/roles/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/20-identity/roles/.gitkeep @@ -0,0 +1 @@ + diff --git a/20-identity/templates/.gitkeep b/20-identity/templates/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/20-identity/templates/.gitkeep @@ -0,0 +1 @@ + diff --git a/30-infra/README.md b/30-infra/README.md new file mode 100644 index 0000000..94e0618 --- /dev/null +++ b/30-infra/README.md @@ -0,0 +1,8 @@ +# Infrastructure + +Infrastructure is cattle. + +Store infrastructure-as-code and configuration management here. + +Guardrail: keep state and generated artifacts out of Git (e.g., Terraform state). + 
diff --git a/30-infra/config/.gitkeep b/30-infra/config/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/30-infra/config/.gitkeep @@ -0,0 +1 @@ + diff --git a/30-infra/k8s/.gitkeep b/30-infra/k8s/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/30-infra/k8s/.gitkeep @@ -0,0 +1 @@ + diff --git a/30-infra/terraform/.gitkeep b/30-infra/terraform/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/30-infra/terraform/.gitkeep @@ -0,0 +1 @@ + diff --git a/40-apps/.gitkeep b/40-apps/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/40-apps/.gitkeep @@ -0,0 +1 @@ + diff --git a/40-apps/README.md b/40-apps/README.md new file mode 100644 index 0000000..59342dd --- /dev/null +++ b/40-apps/README.md @@ -0,0 +1,4 @@ +# Apps + +Application-specific operational material (deploy, config, lifecycle) lives here. + diff --git a/50-runbooks/00-panic-day/.gitkeep b/50-runbooks/00-panic-day/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/50-runbooks/00-panic-day/.gitkeep @@ -0,0 +1 @@ + diff --git a/50-runbooks/00-panic-day/README.md b/50-runbooks/00-panic-day/README.md new file mode 100644 index 0000000..70cb958 --- /dev/null +++ b/50-runbooks/00-panic-day/README.md @@ -0,0 +1,13 @@ +# Panic Day + +This folder contains rebuild-from-zero drills. + +Rule: each drill must be runnable with only this repo, cold storage, and the vault keys. + +Suggested drills: + +- Rebuild `op-core-vm` from a clean base image. +- Restore this repo, validate integrity, and re-establish authority boundary. +- Rotate critical credentials and invalidate all prior device leases. +- Restore one representative backup set end-to-end and record proof. + diff --git a/50-runbooks/10-provision/.gitkeep b/50-runbooks/10-provision/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/50-runbooks/10-provision/.gitkeep @@ -0,0 +1 @@ + 
diff --git a/50-runbooks/10-provision/README.md b/50-runbooks/10-provision/README.md new file mode 100644 index 0000000..9b358ad --- /dev/null +++ b/50-runbooks/10-provision/README.md @@ -0,0 +1,4 @@ +# Provision + +Create and bootstrap new nodes/services in a repeatable way. + diff --git a/50-runbooks/20-incident/.gitkeep b/50-runbooks/20-incident/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/50-runbooks/20-incident/.gitkeep @@ -0,0 +1 @@ + diff --git a/50-runbooks/20-incident/README.md b/50-runbooks/20-incident/README.md new file mode 100644 index 0000000..4287b5a --- /dev/null +++ b/50-runbooks/20-incident/README.md @@ -0,0 +1,4 @@ +# Incident + +Containment, diagnosis, recovery, and postmortem procedures. + diff --git a/50-runbooks/90-decom/.gitkeep b/50-runbooks/90-decom/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/50-runbooks/90-decom/.gitkeep @@ -0,0 +1 @@ + diff --git a/50-runbooks/90-decom/README.md b/50-runbooks/90-decom/README.md new file mode 100644 index 0000000..9a767fe --- /dev/null +++ b/50-runbooks/90-decom/README.md @@ -0,0 +1,4 @@ +# Decommission + +Safe teardown, revocation, and evidence capture for retired systems. + diff --git a/50-runbooks/README.md b/50-runbooks/README.md new file mode 100644 index 0000000..f5bcbad --- /dev/null +++ b/50-runbooks/README.md @@ -0,0 +1,15 @@ +# Runbooks + +Runbooks are executable documents: written to be followed under pressure. + +Minimum required sections: + +- Purpose +- Preconditions +- Steps (exact commands) +- Validation (how you know it worked) +- Rollback / abort criteria +- Evidence (what to record) + +Use `ops/50-runbooks/_template.md` for new runbooks. + diff --git a/50-runbooks/_template.md b/50-runbooks/_template.md new file mode 100644 index 0000000..db6987e --- /dev/null +++ b/50-runbooks/_template.md 
@@ -0,0 +1,35 @@ +# Runbook: + +## Purpose + +What this runbook does and when to use it. + +## Preconditions + +- Access/role required: +- Systems required: +- Expected safe state: +- Time estimate: + +## Steps + +1. +2. +3. + +## Validation + +How to prove the procedure succeeded (commands + expected output). + +## Rollback / Abort + +What to do if validation fails, and when to stop. + +## Evidence + +What you record (timestamps, change IDs, logs, screenshots). + +## Notes + +Gotchas, dependencies, links. + diff --git a/60-backups/README.md b/60-backups/README.md new file mode 100644 index 0000000..8de9990 --- /dev/null +++ b/60-backups/README.md @@ -0,0 +1,7 @@ +# Backups + +- Backup manifests live in `60-backups/manifests/`. +- Restore proofs live in `60-backups/restore-tests/`. + +Backups are only real when restores are verified. + diff --git a/60-backups/manifests/.gitkeep b/60-backups/manifests/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/60-backups/manifests/.gitkeep @@ -0,0 +1 @@ + diff --git a/60-backups/restore-tests/.gitkeep b/60-backups/restore-tests/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/60-backups/restore-tests/.gitkeep @@ -0,0 +1 @@ + diff --git a/70-audits/README.md b/70-audits/README.md new file mode 100644 index 0000000..d85dece --- /dev/null +++ b/70-audits/README.md @@ -0,0 +1,9 @@ +# Audits + +Audits are how drift is prevented. + +- Checklists live in `70-audits/checklists/`. +- Evidence and outcomes live in `70-audits/reports/`. + +If a checklist item cannot be verified, treat it as failed until proven otherwise. + diff --git a/70-audits/checklists/.gitkeep b/70-audits/checklists/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/70-audits/checklists/.gitkeep @@ -0,0 +1 @@ + diff --git a/70-audits/checklists/README.md b/70-audits/checklists/README.md new file mode 100644 index 0000000..e56f6db --- /dev/null +++ b/70-audits/checklists/README.md 
@@ -0,0 +1,12 @@ +# Checklists + +Use these to perform regular drift control. + +When you run a checklist, file the result under `70-audits/reports/` with: + +- date/time +- operator role used +- what changed +- what was revoked/rotated +- any failures and follow-ups + diff --git a/70-audits/checklists/quarterly.md b/70-audits/checklists/quarterly.md new file mode 100644 index 0000000..cebd8e3 --- /dev/null +++ b/70-audits/checklists/quarterly.md @@ -0,0 +1,17 @@ +# Quarterly Drift Control + +## Identity + +- Rotate high-value credentials and invalidate old material. +- Re-evaluate role scopes; remove privileges that became “default”. + +## Backup reality check + +- Perform a full restore drill of at least one critical system. +- Verify restore validation steps still match reality. + +## Infra sanity + +- Identify and remove orphaned resources (accounts, hosts, services). +- Confirm all critical infrastructure is reproducible from `ops/`. + diff --git a/70-audits/checklists/weekly.md b/70-audits/checklists/weekly.md new file mode 100644 index 0000000..3bec7e3 --- /dev/null +++ b/70-audits/checklists/weekly.md @@ -0,0 +1,22 @@ +# Weekly Drift Control + +## Identity + +- Review active leases; revoke anything unused or unclear. +- Confirm least-privilege matches reality (roles/policies still correct). +- Confirm no new long-lived credentials exist without rotation plan. + +## Backups + +- Verify latest backups completed for all critical sets. +- Confirm at least one restore proof is recent (per backup cadence). + +## Inventory / Naming + +- Confirm new systems/services are inventoried and named `<role>-<scope>-<id>`. +- Rename unclear entries before deleting anything. + +## Core boundary + +- Confirm critical changes still originate only from `op-core-vm`. + diff --git a/70-audits/reports/.gitkeep b/70-audits/reports/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/70-audits/reports/.gitkeep @@ -0,0 +1 @@ + 
diff --git a/70-audits/reports/README.md b/70-audits/reports/README.md new file mode 100644 index 0000000..f298a3e --- /dev/null +++ b/70-audits/reports/README.md @@ -0,0 +1,9 @@ +# Reports + +Store audit outcomes and evidence here. + +Suggested format: + +- `YYYY-MM-DD-weekly.md` +- `YYYY-Q#-quarterly.md` + diff --git a/80-automation/README.md b/80-automation/README.md new file mode 100644 index 0000000..f6f1b94 --- /dev/null +++ b/80-automation/README.md @@ -0,0 +1,4 @@ +# Automation + +Scripts and containers that make operations repeatable live here. + diff --git a/80-automation/containers/.gitkeep b/80-automation/containers/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/80-automation/containers/.gitkeep @@ -0,0 +1 @@ + diff --git a/80-automation/scripts/.gitkeep b/80-automation/scripts/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/80-automation/scripts/.gitkeep @@ -0,0 +1 @@ + diff --git a/90-scratch/.gitignore b/90-scratch/.gitignore new file mode 100644 index 0000000..7c9d611 --- /dev/null +++ b/90-scratch/.gitignore @@ -0,0 +1,3 @@ +* +!.gitignore +!README.md diff --git a/90-scratch/README.md b/90-scratch/README.md new file mode 100644 index 0000000..c46319a --- /dev/null +++ b/90-scratch/README.md @@ -0,0 +1,6 @@ +# Scratch + +Disposable working area. + +Nothing here is source of truth. Everything here is safe to delete. + diff --git a/README.md b/README.md new file mode 100644 index 0000000..ea3e2ef --- /dev/null +++ b/README.md 
@@ -0,0 +1,34 @@ +# ops + +Single source of operational truth: everything here must be understandable, rebuildable, and revocable. + +## Non-negotiables + +- **Authority boundary:** critical actions originate from `op-core-vm`. +- **No plaintext secrets in Git:** `vault/` contains encrypted artifacts only; `20-identity/keys/public/` is public keys only. +- **Naming is reality:** everything is named `<role>-<scope>-<id>`. +- **Nuke test:** if losing it causes panic, reduce scope or remove it. + +## Read first + +- `00-doctrine/operator-charter.md` +- `00-doctrine/personal-operating-doctrine.md` + +## Layout + +- `00-doctrine/` – the law (stable, rarely changed) +- `10-inventory/` – what exists (hosts, networks, services) +- `20-identity/` – roles, policies, leases, public keys +- `30-infra/` – infrastructure as code + config management +- `40-apps/` – application-specific ops (deploy, config, lifecycle) +- `50-runbooks/` – executable procedures (panic day, provision, incident, decom) +- `60-backups/` – backup manifests + restore proofs +- `70-audits/` – checklists + reports +- `80-automation/` – scripts and containers that make the above repeatable +- `90-scratch/` – disposable working area (not source of truth) +- `vault/` – encrypted-only artifacts (safe to leak without keys) + +## What does not belong here + +Meaning-bearing material (books, media, personal archives) stays in cold storage, not `ops/`. + diff --git a/vault/README.md b/vault/README.md new file mode 100644 index 0000000..f6cd3cb --- /dev/null +++ b/vault/README.md @@ -0,0 +1,12 @@ +# Vault (encrypted-only) + +This directory contains **encrypted artifacts only**. + +Rules: + +- Never commit plaintext secrets (even temporarily). +- Never commit private keys. +- Treat `vault/` as safe-to-leak ciphertext: if leaking it would break you, it is mis-scoped. + +Decryption/working material belongs in `vault/tmp/` (gitignored) and should be wiped after use. +
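Review bot: in `.gitignore`, the "Common secret material" block misses the keys most likely to be staged by accident. It matches private keys by extension (`*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks`), but OpenSSH private keys are conventionally named `id_rsa`, `id_ed25519` or `id_ecdsa` with no suffix, and exported GPG material (`*.asc`, `*.gpg`) is not listed either; add an `id_*` pattern with `!id_*.pub` so the public halves stay committable under `20-identity/keys/public/`. Separately, `!.tfvars.example` and `!.tfvars.json.example` do nothing useful as written: a file such as `prod.tfvars.example` ends in `.example` and was never matched by `*.tfvars`, so the only thing re-included is a file literally named `.tfvars.example`; either drop the two lines or document the example-file convention they are meant to protect. Finally, note that an ignore file is advisory, not a control: `git add -f` bypasses it and it does nothing for files already in history, so the "No plaintext secrets in Git" non-negotiable in `README.md` still needs a pre-commit secret scan to be enforced.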
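Review bot: `00-doctrine/README.md` is incomplete for the directory it describes. It lists `operator-charter.md` and `personal-operating-doctrine.md` only, but the same commit adds `00-doctrine/backup-doctrine.md` and `00-doctrine/identity-law.md`. A doctrine file the index does not mention is exactly the drift the repo is built to prevent; add both to the list with a one-line statement of what each governs and which sections of the charter they expand.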
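Review bot: the minimum standard in `00-doctrine/backup-doctrine.md` omits key custody. The list requires Source, Destination, Method, Frequency, Restore procedure and Validation, yet the same file mandates encrypting before data leaves the system, so a restore procedure is only followable if the manifest also records which key (or which role holds it) decrypts the set and where that key is itself recovered from. Add a `Key custody` line; without it the rule in `50-runbooks/00-panic-day/README.md` that drills run with "only this repo, cold storage, and the vault keys" cannot be checked against anything in `60-backups/manifests/`. A `Retention` line (how many generations are kept, when they are pruned) would also make "a backup that cannot be safely lost is incorrectly scoped" testable rather than aspirational.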
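Review bot: in `00-doctrine/identity-law.md`, the third required property ("Prove: show what changed and when") names no evidence source. Revoke and Rotate map onto `20-identity/leases/` and `20-identity/roles/`, but nothing says what artifact demonstrates a change; if the intended answer is the Git history of `20-identity/leases/`, state it and require that lease changes are committed from the core so the audit trail is the repo itself. It would also help to give leases the same minimum-record treatment the backup doctrine gives backup sets (subject, role, issued, expires, revocation mechanism), since `20-identity/README.md` only describes them as "time-bound grants" and the weekly checklist asks the operator to "review active leases" without saying what a lease record contains.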
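Review bot: in `00-doctrine/operator-charter.md`, section IV, the fenced naming format as shown reads only `--`; the placeholders are absent, while `README.md` and `70-audits/checklists/weekly.md` in the same commit spell the convention out as `<role>-<scope>-<id>`. The same bare `--` appears in `00-doctrine/personal-operating-doctrine.md` section 4, in `10-inventory/README.md` (`10-inventory/hosts/--/`) and in `20-identity/keys/public/README.md`. Since the charter is the canonical statement of "Naming Is Reality", the placeholders belong there (and in the other three files) so the doctrine does not depend on a checklist to be readable; if the angle brackets are being eaten by a renderer, switch to backticks as `weekly.md` does.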
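Review bot: the guardrail in `30-infra/README.md` ("keep state and generated artifacts out of Git") is necessary but stops short. Terraform state routinely contains resource attributes in plaintext, including credentials the provider returns, so excluding `*.tfstate` via the root `.gitignore` only moves the problem: the README should name where state lives instead (an encrypted remote backend with access limited to the core role) and require that the state location appear in `60-backups/manifests/` like any other critical set. Otherwise the quarterly item "Confirm all critical infrastructure is reproducible from `ops/`" fails silently, because reproduction from code alone does not recover state that was never backed up.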
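Review bot: `50-runbooks/README.md` links to `ops/50-runbooks/_template.md`, but every other path in this commit is repo-relative (`60-backups/manifests/`, `20-identity/roles/`) and the repo root is `ops` itself per the top-level `README.md`, so the `ops/` prefix breaks the link when followed from inside a checkout. Use `50-runbooks/_template.md`. (`70-audits/checklists/quarterly.md` uses `ops/` as the repo's name rather than a path, which is fine.)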
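Review bot: the drill list in `50-runbooks/00-panic-day/README.md` carries a circular dependency the rule does not address. Drills may use "only this repo, cold storage, and the vault keys", yet the first drill rebuilds `op-core-vm`, which `README.md` names as the sole origin of critical actions, and the third rotates critical credentials and invalidates all device leases. State where the vault keys and the credentials needed to reach cold storage are held when `op-core-vm` is already gone (a sealed offline copy, a device explicitly outside the core), or the rebuild-from-zero drill cannot start. The drills are also labelled "Suggested"; given the Nuke Test in the charter they should be required, each with its own runbook written from `50-runbooks/_template.md` and a restore proof filed under `60-backups/restore-tests/` when run.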
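Review bot: several items in `70-audits/checklists/weekly.md` name no evidence source, and `70-audits/README.md` says an item that cannot be verified counts as failed. "Confirm critical changes still originate only from `op-core-vm`" and "Confirm no new long-lived credentials exist without rotation plan" need a stated check (for example, the author and signing identity on commits touching `30-infra/` for the first, and the diff of `20-identity/leases/` since the previous report for the second). Add a short "How to verify" line under each item so a report in `70-audits/reports/` carries evidence rather than a checkbox; the same applies to the backup item, which should point at the newest file in `60-backups/restore-tests/`.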
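Review bot: `vault/README.md` states the encrypted-only rule but nothing in this commit enforces it. The directory has no `.gitignore` of its own and the root `.gitignore` excludes only `vault/tmp/`, so a plaintext file dropped into `vault/` commits as readily as ciphertext. Two cheap guards: a documented suffix for encrypted artifacts plus a pre-commit check that rejects any other file under `vault/`, and a statement of the encryption scheme and key location so "safe to leak without keys" is a checkable claim rather than an assertion. The instruction to wipe `vault/tmp/` "after use" should also say how; ordinary deletion unlinks the file but leaves the plaintext blocks on disk, which is acceptable only if the working area lives on a disposable VM or an encrypted volume, and the README currently says neither.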