Substrate Architecture: The Enclave Doctrine
You're reading the public edition of Enclave Doctrine. The working source — drafts, change discussion, and member resources — lives in the community library.
Purpose and Scope
This Doctrine describes how the technology substrate is realized — the architecture as designed. It sits beneath the Constitution (which fixes the boundaries the substrate must respect), above the Enclave SOP (which holds the cadences and runbooks), and alongside the Manifests (which hold the specs). It governs the enclave nodes — the Manor, the Annex, the Outpost. It does not govern the Den, which is the Custodian’s personal infrastructure and sits outside the governed corpus (Constitution §13, §17).
Where this Doctrine and the Constitution appear to disagree, the Constitution wins. Where a value here is a tunable cadence or threshold, the SOP wins.
1. The Node Realization
| Node | Role | Hosts (by zone) |
|---|---|---|
| The Manor | The Structure and Brain — HA sovereign core | Zone 0 Basement (the sovereign core) and Zone 2 Office (real-identity workplace) |
| The Annex | The Forge and Front Door — delivery edge | Zone 3 Kitchen (real-identity workplace) and Zone 4 Lounge (volunteer commons) |
| The Outpost | The Muscle — volatile, network-isolated | Zone 5 Range — the live-fire range, the Climb’s deploy ground, and the Climb’s free community forge, CI, and tracker |
| (The Den) | The Life Raft (outside the corpus) | Zone 1 — Custodian-personal; not governed here |
The Outpost’s roles share the node’s isolation but never each other’s state: live-fire exercises run against disposable target VMs; the deploy ground stands up leased practice forks for the Climb; and the Climb’s free community forge, CI, and tracker are the durable services hosted here. The live-fire targets and the practice forks are rebuilt from templates (no backup dependency) and reach the participant only through the Air-Lock (Constitution §5C). The forge, by contrast, is durable — its repositories, tracker, and curation records are pushed to PBS under the Outpost backup exception (Constitution §5A, §9) — and is reached as an ordinary Beta web service via Traefik, not through the Air-Lock.
2. The Zone Service Map
What runs where, and which world it belongs to. (Specs in the Manifests; cadences in the SOP.)
| Zone | Services | World |
|---|---|---|
| 0 — Basement (Manor) | LDAP-Alpha + LDAP-Beta directories, Authentik-Business, n8n-Alpha, observability (Watchtower/Wazuh/Grafana), BookStack-Alpha (the Grimoire), PBS, OPNsense, the live-override store | Sovereign |
| 2 — Office (Manor) | ERPNext (the Bursar) — finance, donor relations, recruitment, disbursement | Real-Identity Workplace (Alpha) |
| 3 — Kitchen (Annex) | The Kitchen production GitLab (secret-bearing CI/deploy), the build farm | Real-Identity Workplace (Alpha) |
| 4 — Lounge (Annex) | HumHub, BookStack-Beta (Common Library), Jitsi, Moodle (all LMS courses), Guacamole (Air-Lock), the public fronts (Quartet) | Volunteer Commons (Beta) |
| 5 — Range (Outpost) | Live-fire target VMs; the deploy-ground forks; the free community forge, its CI, and the tracker (durable — §9 backup exception) | Volunteer Commons (Beta) |
Note the two-node identity fact: both LDAP directories are physically hosted in the Basement (served by Authentik-Business), even though LDAP-Beta governs the commons hosted outward across the Annex (Lounge) and the Outpost (Range). The directories live where they are most protected; authentication reaches outward from there.
Courses run only on Moodle. Every LMS course — Welcome to Opplet Commons, Enclave Bootcamp, the WiseNxt Orientation, and the Opplet-thematic courses — is delivered on Moodle in the Lounge (Zone 4); the Range hosts no courses (Constitution §11.3). The WiseNxt Orientation’s hands-on work-discovery happens on a Range fork via the Air-Lock, but its course is in Moodle. Of these, Enclave Bootcamp is this domain’s own course — the Enclave triad’s learning material (Constitution §13); its content and grading are this Doctrine’s, though it is delivered in Moodle and the Commons issues the Opplet Learner Permit on its completion (Commons SOP §9).
3. The Identity-System Design
The Constitution fixes the boundaries (the two worlds, the sovereign outside them, Zero Cross-Pollination). This is how they are built.
Authentik-Business is the OIDC broker for both population directories. It federates LDAP-Beta (the automated pseudonymous commons) and LDAP-Alpha (the human-recruited real-identity workplace) and walls every business service per the Authentik Default Rule (Constitution §7). Authentik-Personal, in the Den, shares nothing with it.
The live-override store realizes the sovereign’s isolation (Constitution §2, §3). It is:
- Minimal — it holds only the Custodian’s override and, at most, one or two trusted roots; it is not a directory and governs no population.
- Dormant — disabled by default and enabled only when invoked, so it presents no standing attack surface.
- Hardware-token-gated and reachable only over the Custodian network path (Constitution §7C) — never from either population’s network.
- Layered above the break-glass — the offline credentials in the safe (SOP) remain the deeper fallback below the live override: the override is for an incident in one population’s directory, the safe for catastrophe.
Dual-hold is realized as two unlinked accounts under one person: a Beta callsign (issued by automation at Gate 1) and, if they cross into funded work, an Alpha real-identity (issued by contract). No system federates the two; the link is held privately by whoever administers the contract. The community sees only the callsign.
4. The Two-Forge Design
The forge is the one capability that straddles the public/confidential line, so it is built as two separate instances, one per world — distinct products, on distinct directories, on distinct nodes.
- The free community forge (Forgejo, on the Range / Zone 5, Beta): public projects, practice work, contributions, and the durable curation records. Volunteers reach it on their callsign as a web service; it carries no production secrets. This is where the Climb’s open development and its work exemplars live — the source of truth that certified members (Opplet Learner Permit holders) may review (Constitution §11.3). Its durable datasets carry the §9 backup exception.
- The Kitchen production GitLab (GitLab, Kitchen / Zone 3, Alpha): the secret-bearing layer — deploy keys, production CI, infrastructure-as-code with credentials. Reachable only by real-identity workers under contract.
Promotion is one-way: free → Kitchen. Vetted code is mirrored from the free forge into the Kitchen for release; secrets never mirror outward. The boundary is physical (two products, two directories, two nodes), not a permission flag — the stronger guarantee per Pillar 4.
5. The Public Fronts
The Quartet on the Lounge behind Traefik, public-anonymous: opplet.com (platform), kenyax.com (a public front of the Workplace — the KenyaX team’s brand), wisenxt.com (the methodology), cnmcyber.com (the community). Generators and build tooling are tracked in the Software Stack Manifest.
6. The Sovereign Gap — Design Patterns
The Constitution states the Gap (§5); this is how each piece is built.
- The Janitor Rule is enforced at OPNsense: the Manor reaches outward to manage the Annex and Outpost; the return path is denied save the three constitutional exceptions (OIDC, internal webhooks, the Backup Bridge).
- The Backup Bridge is a Drop-Only push to PBS in the Basement: the Annex writes backups it cannot read or delete, and the Outpost likewise pushes the Climb’s durable datasets (forge, tracker, curation records) under the §9 backup exception (Constitution §5A). State crosses only here, encrypted.
- Storage Isolation keeps every node’s storage local (ZFS); nothing distributed spans nodes.
- The Talent Proxy (Guacamole) puts the Air-Lock between a participant and any Range VM, so local hardware never touches the execution network. The forge is the exception by design — it is a web service, not a Range VM (§4, Constitution §5C).
- Den Isolation is absolute and realized as the absence of any route — no mesh, no VPN, no exception — so the Life Raft cannot be reached from a compromised enclave.
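The patterns above are stated as rules rather than configuration, so it helps to see them as one executable policy check. The following is an added example written for this page, not the enclave's OPNsense ruleset: it takes the zone-to-node mapping from §1 and the Janitor Rule, the Drop-Only Backup Bridge, Storage Isolation and Den Isolation from §6, and evaluates candidate flows against them. The flow-record fields, the service labels (such as "oidc", "internal-webhook", "backup-bridge", "distributed-storage") and the function names are assumptions of this example.

```python
"""Added illustration of the Sovereign Gap rules in section 6 as a policy-as-code
check. This is not the enclave's OPNsense ruleset; the zone numbers and node names
come from the Doctrine, while the flow-record fields, service labels and function
names are assumptions made for this example."""
from dataclasses import dataclass

# Zone -> node, per the node realization table (section 1). Zone 1 is the Den.
NODE_OF_ZONE = {0: "Manor", 2: "Manor", 3: "Annex", 4: "Annex", 5: "Outpost", 1: "Den"}

# The three constitutional exceptions to the denied return path (section 6).
# Labels are constructed for this example.
RETURN_PATH_EXCEPTIONS = {"oidc", "internal-webhook", "backup-bridge"}


@dataclass(frozen=True)
class Flow:
    src_zone: int
    dst_zone: int
    service: str          # constructed label, e.g. "ssh", "oidc", "backup-bridge"
    verb: str = "write"   # for backup-bridge only: "write", "read" or "delete"


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, rule) for a single candidate flow."""
    src, dst = NODE_OF_ZONE[flow.src_zone], NODE_OF_ZONE[flow.dst_zone]

    # Den Isolation: no route in either direction, no exceptions.
    if "Den" in (src, dst):
        return False, "den-isolation"

    # Storage Isolation: nothing distributed spans nodes.
    if src != dst and flow.service == "distributed-storage":
        return False, "storage-isolation"

    # Traffic inside one node does not cross the Gap; not this check's business.
    if src == dst:
        return True, "intra-node"

    # Janitor Rule, outbound half: the Manor manages the Annex and Outpost.
    if src == "Manor":
        return True, "janitor-outbound"

    # Janitor Rule, return path: denied unless one of the three exceptions.
    if dst == "Manor":
        if flow.service == "backup-bridge":
            # Drop-Only push to PBS: the edge may write, never read back or delete.
            if flow.verb == "write":
                return True, "backup-bridge-drop-only"
            return False, f"backup-bridge-{flow.verb}-denied"
        if flow.service in RETURN_PATH_EXCEPTIONS:
            return True, f"return-path-exception:{flow.service}"
        return False, "janitor-return-path-denied"

    # Annex <-> Outpost (Guacamole to a Range VM, Traefik to the forge):
    # section 6 places no Gap rule on this pair, so it is passed through.
    return True, "inter-edge"


def violations(flows: list) -> list:
    """Flows in a proposed ruleset that the Doctrine denies, with the rule hit."""
    denied = []
    for flow in flows:
        allowed, rule = evaluate(flow)
        if not allowed:
            denied.append((flow, rule))
    return denied


# Constructed sample of flows a draft ruleset might propose.
PROPOSED_FLOWS = [
    Flow(0, 3, "ssh"),                    # Manor manages the Kitchen: allowed
    Flow(4, 0, "oidc"),                   # Lounge app authenticates via Authentik: exception
    Flow(5, 0, "backup-bridge"),          # Outpost pushes forge data to PBS: drop-only write
    Flow(5, 0, "backup-bridge", "read"),  # Outpost reading its backups back: denied
    Flow(3, 0, "ssh"),                    # Kitchen reaching into the Basement: denied
    Flow(4, 1, "https"),                  # Lounge to the Den: denied, no route exists
    Flow(3, 5, "distributed-storage"),    # storage spanning nodes: denied
    Flow(4, 5, "rdp"),                    # Guacamole to a Range VM: passed through
]

if __name__ == "__main__":
    for flow, rule in violations(PROPOSED_FLOWS):
        print(f"DENY {flow} ({rule})")
```

Run as a script it prints the four proposed flows the Doctrine refuses. The ordering of the checks matters: Den Isolation and Storage Isolation are tested before the direction logic so that no exception list can ever re-open them, which mirrors the "absence of any route" wording in §6.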
7. The Kill Switch — Implementation Design
The Constitution fixes the four severity levels and their authorities (§8); this is what enacts them. L0 and L1 are n8n-Alpha workflows (alert, suspend). L2 and L3 are OPNsense actions (isolate a zone, sever a node), with L3 requiring Custodian confirmation. The thresholds that trigger each are SOP-tunable; the mechanisms are fixed here. A Talent Wipe clears LDAP-Beta; the Custodian’s override (§3) is designed to survive it, and equally to survive a workforce-directory compromise.
8. The Observability Design
Three dimensions, per the Constitution’s mandate (§10): external uptime (a micro-VPS running Uptime Kuma, independent of the enclave), service-level health checks, and active alerting (Wazuh/Grafana → Pushover). Liability data — talent logs from the Outpost and Annex — is forwarded immutably to Watchtower in the Basement for non-repudiation; it is observation, not backup. The Split-Brain design keeps Custodian data on Manor ZFS and Den data wholly off the enclave. Cadences and thresholds are the SOP’s.
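"Forwarded immutably ... for non-repudiation" is a property, and the Doctrine does not say how it is achieved. The following added example, written for this page rather than taken from the enclave's Wazuh or Watchtower setup, shows the property in working code: each edge node tags a talent-log record with a per-node key, and the collector links accepted records into a hash chain so that any later alteration or deletion of a stored record is detected on verification. The record layout, the node keys and the function names are assumptions of this example; the sample log records are constructed.

```python
"""Added illustration of the immutable forwarding in section 8: a tamper-evident
(hash-chained) liability log as a Watchtower-side collector could keep it. The
Doctrine does not specify the mechanism; the chain, the per-node HMAC tags and the
record layout are assumptions of this example, not the enclave's Wazuh or
Watchtower configuration."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64

# Constructed per-node forwarding keys. In a real deployment each edge node would
# hold its own secret and only the collector would hold the verifying material.
NODE_KEYS = {"annex": b"annex-demo-key", "outpost": b"outpost-demo-key"}


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def node_tag(node_key: bytes, record: dict) -> str:
    """Tag the forwarding node attaches so the collector can authenticate the source."""
    return hmac.new(node_key, canonical(record), hashlib.sha256).hexdigest()


def entry_hash(prev: str, record: dict, tag: str) -> str:
    """Hash that binds a record and its tag to the previous entry."""
    return hashlib.sha256(prev.encode() + canonical(record) + tag.encode()).hexdigest()


def append(chain: list, record: dict, tag: str) -> dict:
    """Collector side: authenticate the record, then link it to the previous entry."""
    key = NODE_KEYS.get(record.get("node"))
    if key is None or not hmac.compare_digest(tag, node_tag(key, record)):
        raise ValueError("forwarded record failed node authentication")
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "record": record, "tag": tag}
    entry["hash"] = entry_hash(prev, record, tag)
    chain.append(entry)
    return entry


def verify(chain: list) -> tuple:
    """Walk the chain; return (ok, index) where index is the first bad entry or the length."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        record = entry["record"]
        key = NODE_KEYS.get(record.get("node"))
        if key is None or not hmac.compare_digest(entry["tag"], node_tag(key, record)):
            return False, i
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, record, entry["tag"]):
            return False, i
        prev = entry["hash"]
    return True, len(chain)


# Constructed sample talent-log records as the Annex and Outpost would forward them.
SAMPLE_RECORDS = [
    {"node": "annex", "ts": "2026-06-16T09:00:00Z", "callsign": "kestrel-17",
     "event": "airlock.session.open", "target": "range-vm-03"},
    {"node": "outpost", "ts": "2026-06-16T09:00:04Z", "callsign": "kestrel-17",
     "event": "vm.login", "target": "range-vm-03"},
    {"node": "annex", "ts": "2026-06-16T09:42:10Z", "callsign": "kestrel-17",
     "event": "airlock.session.close", "target": "range-vm-03"},
]


def build_demo_chain() -> list:
    chain = []
    for record in SAMPLE_RECORDS:
        # The edge node computes the tag with its own key before forwarding.
        append(chain, record, node_tag(NODE_KEYS[record["node"]], record))
    return chain


def tampered(chain: list, index: int, field: str, value) -> list:
    """Copy of the chain with one stored record altered after the fact."""
    altered = copy.deepcopy(chain)
    altered[index]["record"][field] = value
    return altered


def truncated(chain: list, index: int) -> list:
    """Copy of the chain with one entry silently removed from the middle."""
    altered = copy.deepcopy(chain)
    del altered[index]
    return altered


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", verify(chain))
    print("edited:", verify(tampered(chain, 1, "callsign", "someone-else")))
    print("deleted:", verify(truncated(chain, 1)))
```

Two caveats follow from the design. A shared-key HMAC authenticates the node to the collector but cannot prove to a third party which side produced the record; where that stronger form of non-repudiation is required, the tag would be a signature under a key only the forwarding node holds. And a hash chain catches edits and deletions in the middle but not removal of the newest entries, so the collector should periodically anchor the latest hash somewhere the chain's custodian cannot rewrite.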
9. Extension and Forking
The substrate is designed to be forked: the blueprints (infrastructure-as-code, the open codebase) are public on the free community forge, so an instance can be reconstituted from them — which is what makes the Custodian Partner door real (Constitution §11.7, §14) and what the Range deploy ground rehearses. A practice fork in the Range is a miniature of this substrate; a Custodian Partner’s instance is a full one, stood up independently. Because the substrate is rebuildable from public blueprints and the Economic Group holds the legal substrate, succession carries no key-person lock-in (Constitution §15A).
Changelog
v1.2 (2026-06-16) — Reconcile terminology to Constitution v12.8
- Real-identity sweep. The Alpha world is the Real-Identity Workplace: §1 and §2 world labels move from “paid workforce” to “real-identity workplace”; §3 LDAP-Alpha is the “human-recruited real-identity workplace”; §3 dual-hold and §4 forge access read “real-identity” / “funded work.” Literal “real name” is unaffected (none in this Doctrine).
- Workplace / KenyaX split (§5). kenyax.com is reframed as a front of the Workplace domain, the KenyaX team’s brand (mirroring Constitution §15D); cnmcyber.com stays the community brand.
- Enclave Bootcamp noted as this domain’s course (§2) — the Enclave triad’s learning material; content/grading are this Doctrine’s, delivered in Moodle, the Permit issued by the Commons (Constitution §13, §11.3).
v1.1 (2026-06-16) — Forge Location & Forge-Product Correction
- Brought into line with Constitution v12.5–v12.6. The free community forge, its CI, and the tracker are recorded on the Range (Zone 5 / Outpost), not the Lounge (Zone 4) — correcting v1.0’s placement, which predated the v12.5 revert of the forge to the Range (§1, §2, §4).
- The two forges are named as distinct products — the free community forge is Forgejo (Range, Beta); the Kitchen production forge is GitLab (Kitchen, Alpha) — matching the Software Stack (§4).
- Forge durability recorded. The forge/tracker/curation records are durable and pushed to PBS under the Outpost backup exception (Constitution §5A, §9); the Backup Bridge note (§6) and the Outpost role description (§1) updated accordingly.
- The forge is the certified-member review surface. Its public-read projects are the source of truth and work exemplars that Opplet Learner Permit holders may review (Constitution v12.6 §11.3).
- Courses are Moodle-only. Recorded that every LMS course runs on Moodle in the Lounge and the Range hosts none (§2; Constitution §11.3).
v1.0 (2026-06-12) — Initial Release
- Extracted from the detail of Constitution §1–§10 during the Two Worlds restructure (Constitution v12.0), which slimmed the Constitution to boundaries and re-homed substrate design here. No node, network rule, or identity boundary is changed; this records the architecture as designed beneath those boundaries.
- New design content for the restructure: the two-forge design (§4), the live-override store (§3), the Outpost’s deploy-ground role (§1), and the zone service map (§2).
- Status DRAFT pending ratification of the Two Worlds Amendment.
END OF DOCUMENT
All charter documents
- Tier 0 — Keystone: Opplet Constitution
- Tier 1 — Doctrine & Architecture: Enclave Doctrine (this document), Commons Doctrine, WiseNxt Doctrine, Workplace Doctrine
- Tier 2 — Operations & Learning: Enclave SOP, Enclave Bootcamp, Commons SOP, Commons Welcome, WiseNxt SOP, WiseNxt Orientation, Workplace SOP
- Tier 3 — Manifests & Reports: Software Stack, Hardware Manifest, URL Nomenclature, Opplet.Com Website
- Tier 4 — Zone Projects: Den Migration