Opplet Constitution
Educaship Infrastructure Boundary Law: Opplet Constitution
You're reading the public edition of Opplet Constitution. The working source — drafts, change discussion, and member resources — lives in the community library.
Preamble: The Doctrine of Sovereign Computation
We, the People of Opplet, in order to secure our digital sovereignty, ensure the integrity of our data, and cultivate a meritocratic forge for talent, do ordain and establish this Infrastructure Constitution.
This enclave separates the guardianship of its infrastructure from the operation of it, and both from the utilization of it by talent. Three standing authorities hold the structure together — Opplet’s Custodian (operational root and exclusive Basement access; runs and stewards the core infrastructure; may veto a Tech Board action, a veto the Economic Group can override), the Economic Group (the nonprofit owner and ultimate authority; holds legal title to the substrate; appoints and removes Custodians at its pleasure; cannot be vetoed), and the Tech Board (the Economic Group’s resourcing executive; holds the purse and the contracts, and determines which work is funded).
And the enclave is built of two worlds, governed in opposite ways:
- The Volunteer Commons — an automated, pseudonymous world of callsign volunteers in LDAP-Beta, where merit is proven on public work and a machine runs the lifecycle. It selects for objective skill, which a machine can grade.
- The Real-Identity Workplace — a human-recruited, real-identity world of contracted workers in LDAP-Alpha, where confidential, security-sensitive, and contracted work is done under an accountable, legally-bound identity. It selects for trust with confidential things, which only a human can judge.
The line between them is one line drawn three ways at once: pseudonymous ↔ real-identity, public ↔ confidential, automated ↔ human-recruited. Whether work is funded is a separate matter — layered on top by the Tech Board (§16), never the boundary itself. Above both worlds sits the sovereign Custodian; beside them, outside the enclave entirely, sits the Den.
The Four Pillars of Operation
- Identity is Sovereign. Control of the root credential is the only true ownership. We delegate access, never authority. Identity is earned through participation, never granted on request; self-registration into privileged directories is forbidden.
- Code is Law. Policy is not written in memos; it is enforced by firewalls, pipelines, and automation.
- Automation is the Manager. The machine governs the routine; the human governs the exception.
- Observation is Truth. Trust is a vulnerability. We do not trust; we verify through logs, metrics, and immutable audit trails.
On Sovereignty and Openness. Opplet is open source. Sovereignty protects operator control — the Custodian holds root over the running instance — not the privacy of the source. The platform’s openness is what lets others fork it and become custodians of their own instances.
1. The Hemispheric Strategy (Physical Topology)
Four physical nodes isolate the Custodian’s personal life, the business control plane, talent workloads, and adversarial exercises from one another.
- The Den (Custodian Life): Cloud-hosted, physically independent of all other nodes. The Life Raft — must remain 100% operational if all Hetzner nodes are lost.
- The Manor (Custodian Core): High-availability sovereign infrastructure. Business identity, internal automation, observability.
- The Annex (Delivery Edge): The Kitchen production source code and CI/CD, talent lifecycle, public traffic.
- The Outpost (Range): A volatile, network-isolated node with the live-fire range for exploitation exercises, the Climb’s deploy ground (where a leased practice fork is stood up, graded in isolation, then recycled), and the Climb’s infrastructure — the free community forge, its CI, and the tracker. The durable datasets (forge repositories, tracker, curation records) carry a backup exception (§5A, §9); the practice forks are ephemeral, rebuilt from templates. The roles must not bleed into one another or into the enclave.
The Life Raft Principle. The Den has zero dependency on the Manor, Annex, or Outpost. Node hardware lives in the Hardware Manifest (Enclave domain).
2. Infrastructure Zoning Strategy
| Zone | Designation | World / Directory | Location | Risk |
|---|---|---|---|---|
| Zone 0 | The Basement | Sovereign (out-of-band root) | The Manor | Critical |
| Zone 1 | The Den | Authentik-Personal | Cloud VPSs | Custodian |
| Zone 2 | The Office | Real-Identity Workplace (LDAP-Alpha) | The Manor | High |
| Zone 3 | The Kitchen | Real-Identity Workplace (LDAP-Alpha) | The Annex | High |
| Zone 4 | The Lounge | Volunteer Commons (LDAP-Beta) | The Annex | Low |
| Zone 5 | The Range | Volunteer Commons (LDAP-Beta) | The Outpost | Extreme |
The Volunteer Commons operates the Lounge (learning and community — Moodle, HumHub, BookStack-Beta, Jitsi) and the Range (the Climb). The free community forge, the Climb’s CI, the tracker, and the practice forks are the Climb’s, on the Range (Zone 5); the durable datasets carry a backup exception (§9), the forks are ephemeral. The Real-Identity Workplace operates the Office and the Kitchen (the confidential, secret-bearing zones).
The Re-anchored Override Rule. Volunteer-world apps authenticate volunteers via LDAP-Beta, with operational admin (the L-levels) held in Beta. The Custodian’s lockout-survival override is not mapped into LDAP-Alpha — now a populated workforce directory — but into the isolated override store (§3), so it survives a compromise or wipe of either population. The Basement (Zone 0) and the Den (Zone 1) remain reachable only by the Custodian regardless of directory membership.
Authentication vs. Authorization. A directory is an authentication boundary; authorization is layered per service, least-privilege. A volunteer’s L-level, an Opplet Learner Permit, and a worker’s contract scope are authorization atop the directory, not the directory itself.
The Genesis Topology. Because the enclave’s nodes cannot all exist before they are built, at genesis the Custodian operates a collapsed topology: the Den, Manor, Annex, and Outpost may be co-resident on a single host until each is physically stood up. The collapse is of topology only, never of invariant. Even on one host, storage stays local to ZFS (§5B), the Custodian’s root stays out-of-band (§3), and the two populations stay partitioned in their directories (§3). What the interim defers is solely the physical inter-node separation and the network enforcement of the Sovereign Gap (§5). The collapse is a one-time bootstrap; it ends for a node once that node is stood up and its zone migrates onto it. The target zoning of §2 is the standing law; the genesis topology is the lawful path to it.
3. The Identity Architecture (Two Worlds and the Sovereign)
Identity is partitioned by population, and the Custodian — a sovereign, not a population — is isolated more strongly than either.
| Store | Audience | Nature | Governs |
|---|---|---|---|
| LDAP-Beta | The Volunteer Commons | Pseudonymous callsigns; lifecycle run by automation (n8n) | Public, non-confidential work |
| LDAP-Alpha | The Real-Identity Workplace | Real names; lifecycle run by contract and human recruitment | Confidential, accountable work |
| Authentik-Personal | The Den | Self-contained; the Custodian + invited individuals | Den services only |
| Out-of-band root + live override | The Custodian | Break-glass credentials (Enclave SOP) plus a minimal, dormant, network-boundary-protected live override | Sovereign access to anything |
An LDAP governs a population; the Custodian is not a population. The Custodian therefore has no directory of their own — their root is out-of-band and their live override is a minimal isolated store reachable only over the Custodian network path (§7), never from either population’s network.
Zero Cross-Pollination. Authentik-Personal (the Den) and Authentik-Business (Beta + Alpha) share no users, tokens, or federation. A compromise of one world must not reach the other, nor the Den, nor the sovereign.
Dual-hold. A person may hold both a Beta callsign (volunteer) and an Alpha real-identity (worker); the link between them is private, known only to whoever administers the contract. Crossing from Beta to Alpha is a deliberate de-pseudonymization for accountable, real-identity work — not an automatic promotion. The Custodian is the standing proof of dual-hold: a volunteer callsign in the commons, the Custodian role above it.
4. The Public Fronts and the Forge
Public-anonymous brand fronts on the Annex (Lounge) behind Traefik: Opplet.com (platform), KenyaX.com (one public front of the KenyaX real-identity arm), WiseNxt.com (the methodology’s front), CNMCyber.com (the community landing). Generators and tooling live in the Software Stack Manifest (Enclave domain).
The Forge is two instances. A free community forge (the Climb’s, in the Range / Zone 5, LDAP-Beta) holds public code, practice, contribution, and the durable curation records; its durable datasets carry a backup exception (§9). The Kitchen production GitLab (LDAP-Alpha) holds the secret-bearing CI and deploy layer. Vetted code is promoted free → Kitchen by one-way mirror; secrets never flow outward.
The free community forge is the openness surface. Its public-read projects hold the canonical, secret-free, forkable Opplet blueprints. Because promotion is one-way (free → Kitchen) and secrets never flow outward, a forker clones the forge’s public blueprints and never touches Kitchen secrets; the Deploy/Fork door (§14) points there. This satisfies the Preamble’s openness pillar.
5. Network Protocol (The Sovereign Gap)
5A. The Janitor Rule. Manor → Annex/Outpost ALLOWED; Annex/Outpost → Manor DENIED, save three exceptions: OIDC to Authentik-Business (443); n8n-Alpha internal webhooks (X-Internal-Token); the Backup Bridge (Annex pushes to PBS under Drop-Only; the Outpost likewise pushes its durable Climb datasets — forge, tracker, curation records — to PBS under Drop-Only, the §9 backup exception). Cadences live in the Enclave SOP.
5B. Storage Isolation Mandate. Distributed storage spanning physical nodes is BANNED; storage stays local (ZFS). State transfers only over the encrypted Backup Bridge.
5C. The Talent Proxy. Talents reach Outpost VMs only through the Air-Lock (Guacamole) at access.opplet.com; local hardware never touches the execution network. This governs the Range’s practice forks; the forge is reached as an ordinary Beta web service (public-read on public projects, Authentik-walled for Beta push — §7), via Traefik, distinct from the Air-Lock VM path.
5D. Den Network Isolation. Den ↔ Manor/Annex/Outpost: NO CONNECTIVITY — no mesh, no VPN, no exception. Internal to the Den, Gateway ↔ Engine over Tailscale. The Custodian reaches Den and Hetzner independently, via separate paths.
5E. Edge Router Resilience. OPNsense (virtualized on the Manor) holds top HA restart priority, exports config to BookStack-Alpha on a cadence, and is rebuildable within an SOP-defined target.
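The Janitor Rule (5A) and Den isolation (5D) can be expressed as a small flow evaluator and run against a proposed rule set before it reaches the firewall. This is an added example, not part of the Charter or of Opplet's own tooling; the service labels (`oidc`, `n8n-webhook`, `backup-bridge`), the `drop_only` flag, the sample flows, and the default-deny for flows that §5 does not name are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

# Nodes that sit below the Manor in the Janitor Rule (5A).
LOWER_NODES = {"annex", "outpost"}


@dataclass(frozen=True)
class Flow:
    src: str                       # originating node: den, manor, annex, outpost
    dst: str                       # destination node
    service: str                   # assumed label for the traffic class
    port: Optional[int] = None
    headers: frozenset = frozenset()   # HTTP header names carried by the request
    drop_only: bool = False        # assumed flag: push under Drop-Only to PBS


def evaluate(flow):
    """Return (allowed, reason) for one inter-node flow under 5A and 5D."""
    src, dst = flow.src.lower(), flow.dst.lower()

    # This model is node-level only; zone separation inside a node is out of scope.
    if src == dst:
        return True, "intra-node (outside this node-level model)"

    # 5D: no mesh, no VPN, no exception between the Den and any other node.
    if "den" in (src, dst):
        return False, "5D: Den has no connectivity to Manor/Annex/Outpost"

    # 5A: the Manor may reach down.
    if src == "manor" and dst in LOWER_NODES:
        return True, "5A: Manor -> Annex/Outpost allowed"

    # 5A: reaching up is denied, save the three named exceptions.
    if src in LOWER_NODES and dst == "manor":
        header_names = {h.lower() for h in flow.headers}
        if flow.service == "oidc" and flow.port == 443:
            return True, "5A exception: OIDC to Authentik-Business (443)"
        if flow.service == "n8n-webhook" and "x-internal-token" in header_names:
            return True, "5A exception: n8n-Alpha webhook with X-Internal-Token"
        if flow.service == "backup-bridge" and flow.drop_only:
            return True, "5A exception: Backup Bridge push under Drop-Only"
        return False, "5A: Annex/Outpost -> Manor denied"

    # Assumption: anything section 5 does not name (e.g. Annex <-> Outpost) is denied.
    return False, "default deny: flow not named in section 5"


def violations(flows):
    """Return the denied flows with the rule that rejected each."""
    denied = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            denied.append((flow, reason))
    return denied


# Constructed sample flows, not taken from any real rule set.
SAMPLE_FLOWS = [
    Flow("manor", "annex", "ssh", port=22),
    Flow("annex", "manor", "oidc", port=443),
    Flow("annex", "manor", "oidc", port=8443),
    Flow("outpost", "manor", "n8n-webhook",
         headers=frozenset({"X-Internal-Token"})),
    Flow("annex", "manor", "n8n-webhook"),
    Flow("outpost", "manor", "backup-bridge", drop_only=True),
    Flow("outpost", "manor", "backup-bridge", drop_only=False),
    Flow("manor", "den", "ssh", port=22),
    Flow("outpost", "annex", "http", port=80),
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} [{flow.service}]: {reason}")
```
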
6. Documentation Structure
The split is mandated here; homes are specified in the Enclave SOP.
- Technical source of truth: the Kitchen production GitLab (secret-bearing) and the free community forge (public/open development — the Climb’s, in the Range / Zone 5, LDAP-Beta; the openness surface per §4).
- Custodian private documentation: BookStack-Alpha (the Grimoire, Basement).
- Community documentation: BookStack-Beta (the Common Library, Lounge), tiered public/member shelves.
- Den documentation: local to the Engine; no Hetzner dependency.
7. The Authentik Default Rule
Every HTTP service is Authentik-walled (Business or Personal) unless it falls into a named exception: public brand fronts; engagement doors; non-HTTP protocols; OIDC infrastructure; public read-only documentation; CI/CD machinery; network-boundary-protected services. Three postures: public-anonymous (rate-limit + captcha + validation); public + Authentik (OIDC); Custodian-only (network boundary primary, Authentik defense-in-depth). The free community forge is public-read on public projects and Authentik-walled for Beta-authenticated proposal/push (this posture is held in the Range with the forge).
8. The Kill Switch Matrix (Principle)
Four escalating response levels (severity, unrelated to the operator L-levels of §11):
| Level | Trigger | Action | Authority |
|---|---|---|---|
| L0 | Backup/canary failure | Alert | n8n-Alpha |
| L1 | Single-account misuse/inactivity | Suspend | n8n-Alpha |
| L2 | Zone-level compromise | Isolate zone | OPNsense |
| L3 | Node-level compromise | Physical sever | OPNsense (Custodian-confirmed) |
A Talent Wipe clears the Volunteer Commons (LDAP-Beta); a workforce compromise is a separate event in LDAP-Alpha. The Custodian’s override (§2, §3) survives both. The Den has no entry — its key is revoked from the Gateway by hand.
9. Resilience Commitments (RTO/RPO)
| Node | RTO | RPO |
|---|---|---|
| Den Gateway | 2h | 24h |
| Den Engine | 4h | Daily |
| The Manor | 4h | 15m |
| The Annex | 8h | 4h |
| The Outpost | 24h | Last good snapshot |
Rebuild priority: Den Gateway → OPNsense → LDAP + Authentik-Business → Den Engine → automation/observability → GitLab + Traefik → talent-facing services → Outpost. Procedures in the Enclave SOP.
The Outpost backup exception. The Outpost’s “last good snapshot” RPO governs only its ephemeral workloads — the live-fire range and the practice forks, rebuilt from templates. The Climb’s durable datasets (forge, tracker, curation records) are exempted: they are pushed to PBS via the Backup Bridge under Drop-Only (§5A) on an Enclave-SOP cadence, so they survive the Outpost’s volatility.
10. The Intelligence Layer (Principle)
Split-Brain: Custodian data stays on Manor ZFS; Den data never transits to the enclave; liability data (talent logs) is forwarded immutably to Watchtower for non-repudiation. Observation Mandate: external uptime, service health, active alerting — cadences and thresholds are Enclave SOP concerns.
11. The Two Worlds and the Climb
This section fixes the boundaries of progression. How the climb is done lives in the WiseNxt Doctrine; community life in the Commons Doctrine; the real-identity workplace in the Workplace Doctrine.
11.1 — One door in. Every participant enters at Gate 1 by registering at commit.opplet.com. Registration mints the callsign — the LDAP-Beta identity — and makes the registrant a candidate: a callsign holder who authenticates into the commons to take the Welcome to Opplet Commons course (the Commons Welcome), but who holds no membership yet. Registration is the only public flow that creates an identity. Graduation from the Welcome clears Gate 1, promoting the candidate to a member of the Volunteer Commons, holding Zone 4 (Lounge) standing. A candidate carries a callsign; a member carries standing.
11.2 — The commons is a destination. Remaining a community member is a complete, valid standing. No gate purges a member for not climbing.
11.3 — The theory, the on-ramp, then the Climb — all opt-in. Beyond the membership cleared at Gate 1 (§11.1), a member earns the Opplet Learner Permit by completing Enclave Bootcamp — the theory of how Opplet runs, delivered as an open Moodle course in the Lounge. The Permit is a certified-member credential, not an undertaking to operate — many Permit-holders go no further. It grants the certified member three things: (a) Range review — read access to the source of truth and the newly-developed work exemplars on the free community forge, reached as an ordinary Beta web service, distinct from operating on the Range (§5C); (b) the Opplet-thematic courses; and (c) the WiseNxt Orientation. A Permit-holder who wishes to operate opts into the Climb through the WiseNxt Orientation — its course delivered in Moodle, the hands-on work-discovery on a sandboxed Range fork reached through the Air-Lock — which teaches operator mastery and discovers functional aptitude; the choice to opt in is the choice to produce and nominate work there. Enrollment in the Climb requires standing membership and the Learner Permit; no one may be enrolled from outside the commons. Enclave Bootcamp (theory), the WiseNxt Orientation (on-ramp), and the Climb exist and are opt-in by this Constitution; all course delivery is in Moodle (the Range hosts no courses), and each course’s content and grading belong to its domain’s Doctrine — Enclave Bootcamp to the Enclave Doctrine, the Welcome to the Commons Doctrine, the WiseNxt Orientation to the WiseNxt Doctrine (§13). (Short Moodle courses may likewise gate other tools that need them — authorization by credential, §2.)
11.4 — The operator ladders and the four Gate 2s. Each working zone is run by an operator ladder, L1–L4, an exception-escalation ladder under Pillar 3 (the machine governs routine promotion; humans hold the exceptions). Crossing from member into operating a zone happens at one of four Gate 2s — one per zone — each owned by that zone’s own senior operators. The operator ladders live entirely within the Volunteer Commons; they remain pseudonymous and confer no real-identity.
11.5 — The Genesis Seed. Because a zone cannot have senior operators before its first ones exist, at genesis the Custodian seeds each zone’s initial operators by root provision, bounded to Gate-1 alumni (Internal Sourcing remains absolute, §12). Seeding is a one-time bootstrap; it ends for a zone once that zone holds its own senior operators.
11.6 — Crossing into the Real-Identity Workplace. The crossing from Beta to Alpha is not a rung. It is taking real-identity work — confidential, security-sensitive, or contracted matters — which requires a real, legally-bound identity, because such work enters legal fields (privacy, security, contract) that a person can only stand behind under their real name (§3, §15E). It is reached by traditional human recruitment, drawn only from proven commons volunteers (§12). Whether a given assignment is funded is the Tech Board’s determination (§16); recruitment, contract, and any compensation are the Workplace domain’s mechanics.
11.7 — The two doors. Two opportunities hang off the climb and are not rungs of it: the Contractor door (a real-identity contract into the workplace, awarded by the Tech Board, which determines its funding — §16, Workplace domain), and the Custodian Partner door (the standing option to fork the public blueprints and run one’s own instance — §14, reserved). A participant may climb to L4 as a lifelong volunteer and take neither.
12. Single Intake, Sequential Recruitment — Four Rules
- No Parallel Intake. No public flow creates an Alpha identity. Alpha is reached only by recruitment of a proven Beta volunteer into accountable real-identity work.
- Dual-hold. A person may hold a Beta callsign and an Alpha real-identity, link private (§3). Crossing to Alpha does not erase the commons identity; it adds an accountable one beside it.
- Internal Sourcing — Absolute. Every operator, every worker, and every Tech Board member began at Gate 1. There is no external hiring into Alpha; the Economic Group’s appointment power and the genesis seed are both bounded to Gate-1 alumni.
- Custodian Participation. The Custodian may hold a Community membership acquired by the ordinary Gate-1 path; pseudonymous participation is the default, and the link to the Custodian role is at the Custodian’s discretion to disclose.
13. The Opplet Project Charter
This Constitution is the keystone, and with the documents below forms the Opplet Project Charter. The Charter is composed of four domain triads beneath the keystone, each a Doctrine (methodology, tier 1), an SOP (mechanics, tier 2), and its learning material — the domain’s Moodle course:
| Domain | Triad (Doctrine + SOP + Course) | Governs |
|---|---|---|
| Enclave | Enclave Doctrine + Enclave SOP + Enclave Bootcamp | The technology substrate — nodes, network, identity systems, infra mechanics — and the theory of how Opplet runs, taught in Enclave Bootcamp (the Learner-Permit course) |
| Commons | Commons Doctrine + Commons SOP + Welcome to Opplet Commons | The volunteer commons as a place — everyone, climbers included; the Opplet Learner Permit and the Opplet-thematic / tool courses. Operated by the CNMCyber team. |
| WiseNxt | WiseNxt Doctrine + WiseNxt SOP + WiseNxt Orientation | The Climb — the work-discovery contest, the Range (forge, CI, tracker, and deploy ground), and the operator ladders; the WiseNxt Orientation is its on-ramp, and Enclave Bootcamp (theory) its prerequisite. Operated by the WiseNxt team. |
| Workplace | Workplace Doctrine + Workplace SOP + (no default course yet) | The real-identity workplace — confidential, security-sensitive, and contracted work, and the mechanics of all funding and compensation. Recruited, not self-onboarded; Frappe LMS reserved if certification is ever needed (Software Stack §8). Operated by a future KenyaX team. |
(Two senses, kept distinct: the Volunteer Commons is the world — the Beta side, Lounge + Range — and it spans two peer domains, Commons (the Lounge / community-place layer) and WiseNxt (the Range / the Climb). A domain is the unit of governance, a team is who runs it, a zone is where it runs: the CNMCyber team runs the Lounge and the WiseNxt team runs the Range (cnmcyber.com is the brand). On the Alpha side the Workplace domain spans the whole world — Office + Kitchen — and is expected to be run by a future KenyaX team. “CNMCyber” and “KenyaX” are teams and brands, not domains.)
The remaining documents are the software and hardware manifests and the URL and website nomenclature. The three onboarding courses are no longer loose syllabi: each is the learning material of its domain above — Welcome to Opplet Commons (Commons), Enclave Bootcamp (Enclave), and the WiseNxt Orientation (WiseNxt) — and each course’s content and grading belong to that domain’s Doctrine. All three are delivered in Moodle (Lounge, Zone 4); the Range hosts no courses. Two separations hold at once: a domain owns a course without delivering it (the course runs in Moodle, not on the domain’s own infrastructure), and a team runs a zone without being it — the Volunteer Commons (Lounge + Range) is operated jointly by the CNMCyber team (which runs the Lounge) and the WiseNxt team (which runs the Range / the Climb). A Charter Release is a certified-coherent snapshot of the whole, cut by the Custodian (§17).
The Custodian domain has no triad. The Custodian is governed by this Constitution’s limits; the Den is explicitly outside the governed corpus — not a governed document, ratified by no body, at the Custodian’s sole discretion.
13A. Authority Split (selected)
| Concern | Authority |
|---|---|
| The two-world boundary; the identity-domain structure | Constitution |
| No Parallel Intake; Internal Sourcing; dual-hold | Constitution (§12) |
| Existence of the Climb, the four Gate 2s, the operator ladders | Constitution (§11) |
| Enclave Bootcamp (theory) and the Learner Permit as the Climb’s prerequisite | Constitution (§11.3); content Enclave Doctrine (the Enclave triad’s course) |
| Genesis seeding of operators | Custodian, bounded to Gate-1 alumni (§11) |
| What identity a piece of work requires — privacy, security, or contract → real-identity (mandatory) | Constitution (§15E, §3) |
| Whether a given assignment is funded, and its compensation | Tech Board (§16), Workplace domain |
| Award of funded contracts | Tech Board (§16) |
| Tech Board composition, election, terms | Constitution (§16) |
| The climb’s methodology; callsigns; specialties; endorsement; the Operator License; tool courses | WiseNxt / Commons Doctrine |
| Recruitment, contract, and disbursement mechanics | Workplace SOP |
| Infra cadences, thresholds, Charter Releases | Enclave SOP |
| Constitutional drafting and stewardship | Custodian (§17) |
| Ultimate constitutional authority | Economic Group (§17) |
13B. Substantive Changes
Doctrine or SOP changes require Custodian approval but do not require amendment unless they cross the infrastructure boundary above, in which case a companion Constitutional amendment is required.
14. The Engagement Doors
Four public, single-purpose doors under opplet.com: Commit (community intake — the only door that creates identity), Partner (donor/provider), Sync (passive follow), and the reserved Deploy/Fork door — the mechanism of the Custodian Partner crossing (§11.7), pointing at the free community forge’s public, forkable blueprints (§4). All are public-anonymous. Any future account-creation flow is either a ratified fifth door or a downstream recruitment.
15. The Layers and the Funding Hierarchy
The enclave’s domains correspond to layers distinct by nature, overlaid by a funding hierarchy: the Economic Group, through the Tech Board, funds and finances them. Funding is not editorial control.
- 15A. The Platform (Enclave). The open-source substrate, owned and funded by the Economic Group (which holds legal title to the substrate and appoints/removes Custodians at its pleasure), operated by the Custodian (root, overridable veto), resourced by the Tech Board.
- 15B. The Methodology (WiseNxt). The open-source work-discovery climb. Held by the Economic Group, financed through the Tech Board.
- 15C. The Sounding Board (Commons). The open-door volunteer community (the Commons domain, run by the CNMCyber team); no approval authority; its independence as a sounding board is protected and not compromised by who pays the hosting bill.
- 15D. The Real-Identity Operation (Workplace). The Economic Group’s real-identity operational arm, where confidential, security-sensitive, and contracted work lives — finance, donor relations, logistics, impact, the commercial products, and the secret-bearing technical operation. It is also where all funded work and compensation are administered. The Workplace is a full domain, not merely a brand; the KenyaX team operates it, and kenyax.com is one of its public fronts.
15E. The Real-Identity Requirement
Work sorts into bands by what identity it requires. The line is legal accountability: when work enters a legal field — privacy (confidential or personal information), security (security-sensitive operations), or contract (work performed under binding contract) — the participant must stand behind it under their real name. Such work may not be done under a callsign; it belongs to the Real-Identity Workplace (Alpha).
| Band | Nature | Held by | Identity |
|---|---|---|---|
| Public, non-sensitive | A callsign suffices; nothing confidential, nothing under contract | Commons operators, L1–L4 | Pseudonymous (Beta) |
| Privacy, security, or contract | The work enters a legal field; a real, legally-bound identity is required | Contracted real-identity workers (Workplace) | Real-identity (Alpha) |
| Root / personal | The sovereign’s own | The Custodian (Basement, Den) | Out-of-band |
The real-identity triggers are Constitutional and mandatory: work that enters privacy, security, or contract may not be handed to a callsign, and the Tech Board cannot waive that requirement to keep work pseudonymous. Funding is a separate question determined by the Tech Board (§16); compensation mechanics live in the Workplace domain. Because payment is lawful only to a real name, all funded work necessarily lands on real-identity (Alpha) identities — but it is the legal field, not the funding, that draws the constitutional line.
16. The Tech Board
The Economic Group’s resourcing executive — the purse and the contracts. It determines which assignments are funded, posts and awards the resulting contracts (project and operation), disburses Economic Group funds, and finances the Methodology and the Sounding Board’s infrastructure. Funding attaches to real-identity (Alpha) work, because payment is lawful only to a real name (§15E). The Board holds no root and no operator level.
The bounded judgment. The Tech Board decides funding, not identity: it may not reclassify work that genuinely enters privacy, security, or contract as pseudonymous to keep it in the commons, and it may not deny a real-identity basis to work that requires one.
Composition. Five Gate-1-alumni seats — four appointed by the Economic Group, one elected by the LDAP-Alpha workforce. Two-year staggered terms; re-eligible; the board elects its chair. Vacancies refilled by the next-eligible election result or the Economic Group; every member a Gate-1 alumnus.
Decisions. A majority is quorum; routine business by simple majority; disbursements above an Economic-Group threshold need its approval.
The veto. The Custodian may veto a board action threatening the architecture; the action suspends and the Economic Group may override. The Custodian holds no seat; the board holds no veto over the Custodian.
17. Amendment Procedure
The Economic Group is the ultimate constitutional authority; the Constitution is authored and maintained by the Custodian as steward. The Custodian holds an overridable veto over Tech Board action, no veto over the Economic Group, and serves at the Economic Group’s pleasure.
Ratification is the Economic Group’s authority, delegated to the Tech Board. A Custodian-drafted amendment takes effect when the Tech Board ratifies it; a Custodian objection suspends it and sends it to the Economic Group, whose decision is final and not vetoable. The delegation reaches the governed corpus only — not the Den.
Coherence. The Custodian keeps the Charter coherent and certifies it by cutting Charter Releases (procedure in the Enclave SOP). A release may certify an amendment only after ratification.
Amendments that DO require Constitutional change: the Four Pillars; the Hemispheric or Zoning Strategy; the Sovereign Gap; the Authentik exception categories; the two-world boundary and the identity-domain structure (§2, §3); the four §12 Rules; the existence of the Climb (with Enclave Bootcamp as its theory prerequisite), the four Gate 2s, the operator ladders, or the genesis seed (§11); the real-identity triggers — privacy, security, and contract (§15E); the Three Layers or funding hierarchy (§15); the Custodian / Economic Group / Tech Board arrangement; the Tech Board’s composition, election, or terms (§16); the RTO/RPO commitments (§9); a fifth Engagement Door; the Charter composition (§13); or any change crossing the §13A split from the Doctrine/SOP side.
END OF DOCUMENT
All charter documents
- Tier 0 — Keystone: Opplet Constitution (this document)
- Tier 1 — Doctrine & Architecture: Enclave Doctrine, Commons Doctrine, WiseNxt Doctrine, Workplace Doctrine
- Tier 2 — Operations & Learning: Enclave SOP, Enclave Bootcamp, Commons SOP, Commons Welcome, WiseNxt SOP, WiseNxt Orientation, Workplace SOP
- Tier 3 — Manifests & Reports: Software Stack, Hardware Manifest, URL Nomenclature, Opplet.Com Website
- Tier 4 — Zone Projects: Den Migration