Initialize ops repository

70-audits/checklists/.gitkeep

@@ -0,0 +1 @@
+

70-audits/checklists/README.md

@@ -0,0 +1,12 @@
+# Checklists
+
+Use these to perform regular drift control.
+
+When you run a checklist, file the result under `70-audits/reports/` with:
+
+- date/time
+- operator role used
+- what changed
+- what was revoked/rotated
+- any failures and follow-ups
+

70-audits/checklists/quarterly.md

@@ -0,0 +1,17 @@
+# Quarterly Drift Control
+
+## Identity
+
+- Rotate high-value credentials and invalidate old material.
+- Re-evaluate role scopes; remove privileges that became “default”.
+
+## Backup reality check
+
+- Perform a full restore drill of at least one critical system.
+- Verify restore validation steps still match reality.
+
+## Infra sanity
+
+- Identify and remove orphaned resources (accounts, hosts, services).
+- Confirm all critical infrastructure is reproducible from `ops/`.
+

70-audits/checklists/weekly.md

@@ -0,0 +1,22 @@
+# Weekly Drift Control
+
+## Identity
+
+- Review active leases; revoke anything unused or unclear.
+- Confirm least-privilege matches reality (roles/policies still correct).
+- Confirm no new long-lived credentials exist without rotation plan.
+
+## Backups
+
+- Verify latest backups completed for all critical sets.
+- Confirm at least one restore proof is recent (per backup cadence).
+
+## Inventory / Naming
+
+- Confirm new systems/services are inventoried and named `<role>-<scope>-<id>`.
+- Rename unclear entries before deleting anything.
+
+## Core boundary
+
+- Confirm critical changes still originate only from `op-core-vm`.
+