Substrate Operations: The Enclave SOP
You're reading the public edition of Enclave SOP. The working source — drafts, change discussion, and member resources — lives in the community library.
Purpose and Scope
The operational cadences, thresholds, and runbooks for the technology substrate — what the Enclave Doctrine designs and the Constitution bounds, made concrete. Custodian-tunable (Constitution §13B); changes are version-bumped here.
§1 — The Backup Bridge
The substrate’s state crosses nodes only over the encrypted Backup Bridge to Proxmox Backup Server (PBS) in the Basement, under Drop-Only — the source writes backups it cannot read or delete (Constitution §5A).
- Cadence: the Annex pushes to PBS every 4 hours; the Outpost likewise pushes its durable Climb datasets — the free community forge, the tracker, and the curation records — under the backup exception (Constitution §5A, §9). The ephemeral practice forks are excluded (rebuilt from templates).
- Canary: a 30-minute-offset canary verifies the push landed; a miss is an L0 event (§3, Constitution §8).
- Integrity: a weekly GitLab integrity test restores the latest repository snapshot to a scratch target and verifies it.
- Storage stays local (ZFS) on every node; nothing distributed spans nodes (Constitution §5B).
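The canary's decision rule, sketched as an added example (not part of the SOP or its tooling): given a snapshot listing, it reports an L0 finding for every expected backup group that has no snapshot inside the push-plus-30-minutes window. Assumptions: the listing is read on the PBS side (the Drop-Only source cannot read its own backups), records carry `backup-id` and `backup-time` (epoch seconds), pushes fire on 4-hour boundaries from 00:00 UTC, and the group names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

PUSH_INTERVAL = timedelta(hours=4)     # §1 cadence
CANARY_OFFSET = timedelta(minutes=30)  # §1 canary offset
# Assumption: pushes fire on 4-hour boundaries counted from 00:00 UTC.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def last_due_push(now):
    """Latest scheduled push whose canary deadline (push + offset) has passed."""
    slots = (now - CANARY_OFFSET - EPOCH) // PUSH_INTERVAL
    return EPOCH + slots * PUSH_INTERVAL


def canary_check(snapshots, expected_groups, now):
    """Return one L0 finding per expected group with no snapshot in the window.

    A snapshot that lands after push + offset still counts as a miss: the
    canary verifies the cadence, not merely that a backup exists.
    """
    due = last_due_push(now)
    deadline = due + CANARY_OFFSET
    landed = set()
    for snap in snapshots:
        taken = datetime.fromtimestamp(snap["backup-time"], tz=timezone.utc)
        if due <= taken <= deadline:
            landed.add(snap["backup-id"])
    return [
        {"severity": "L0", "group": group, "missed_push": due.isoformat()}
        for group in sorted(set(expected_groups) - landed)
    ]


def sample_ts(hour, minute):
    """Epoch seconds on 2026-06-16 UTC, for the constructed sample below."""
    return int(datetime(2026, 6, 16, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample: group names and times are hypothetical.
EXPECTED_GROUPS = ["annex", "outpost-forge"]
SAMPLE_SNAPSHOTS = [
    {"backup-id": "annex", "backup-time": sample_ts(8, 5)},
    {"backup-id": "annex", "backup-time": sample_ts(12, 4)},
    {"backup-id": "outpost-forge", "backup-time": sample_ts(8, 3)},
]

if __name__ == "__main__":
    now = datetime(2026, 6, 16, 12, 30, tzinfo=timezone.utc)
    for finding in canary_check(SAMPLE_SNAPSHOTS, EXPECTED_GROUPS, now):
        print(finding)
```

A stale snapshot from the previous cycle does not satisfy the check, which is what separates a canary from a plain "latest backup exists" probe.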
§2 — The External Pulse
Liveness is watched from outside the enclave so a total-node failure still alerts.
- Uptime Kuma runs on an independent micro-VPS (never on an enclave node) and checks each public front and key service endpoint.
- Dead-man’s switch: Uptime Kuma expects a periodic heartbeat from inside; if it stops, Uptime Kuma alerts the Custodian directly, out-of-band from the enclave’s own alerting.
§3 — Active Alerting Baseline
Wazuh and Grafana feed Pushover to the Custodian. The baseline alert set, tuned quarterly:
| Alert | Source | Severity |
|---|---|---|
| Backup push / canary failure | PBS + canary | L0 |
| External pulse lost (dead-man’s switch) | Uptime Kuma | L0 |
| Single-account misuse / inactivity threshold | Wazuh + n8n-Alpha | L1 |
| Zone-level intrusion indicators | Wazuh | L2 |
| Node-level compromise | Wazuh + OPNsense | L3 |
| RAM committed > 75% on any node (§6) | Grafana | warning |
| OPNsense config drift / failover | OPNsense | warning |
| Sovereign override enabled-and-idle | Watchtower | L1 (§12) |
(Rows reconstructed after the loss of sop v1.3; severities map to the Kill Switch Matrix — Constitution §8 — but verify the set.)
Tuning policy: the table is reviewed every quarter; thresholds are adjusted to keep false positives low without dropping a real L0–L3.
§4 — OPNsense Resilience Procedures
- HA priority: OPNsense (virtualized on the Manor) holds the top HA restart priority — it returns before anything that depends on the network boundary.
- Config export: the running config is exported to BookStack-Alpha on a cadence, so a rebuild starts from a known-good config.
- Recovery target: OPNsense is rebuildable within 30 minutes from the exported config.
§5 — Disaster Recovery Procedures
- Per-node backups follow the RTO/RPO commitments (Constitution §9): Manor 4h/15m, Annex 8h/4h, Outpost 24h/last snapshot, Den Gateway 2h/24h, Den Engine 4h/daily.
- Rebuild priority: Den Gateway → OPNsense → LDAP + Authentik-Business → Den Engine → automation/observability → GitLab + Traefik → talent-facing services → Outpost.
- The DR runbook lives in BookStack-Alpha (the Grimoire); the Den’s runbook is local to the Engine with no enclave dependency.
- Multi-node drill: at least once per cycle a multi-node loss is rehearsed against the runbook (paired with §7).
§5B — The credential-bootstrap safe. The break-glass credentials — the printed credential-bootstrap section in the Custodian’s physical safe, plus the encrypted copy in Vaultwarden — are the deepest fallback for total loss. They are tested for legibility and completeness on the §7 cadence, and sit below the live override in the order of resort (§12).
§6 — RAM Headroom Audit
Every node’s RAM allocation is reviewed quarterly against the Hardware Manifest. The standing ceiling is 75% committed; crossing it on any node raises a warning (§3) and triggers a headroom-recovery action (rebalance or scale) before it becomes an availability risk.
§7 — Tabletop Exercise Cadence
Quarterly tabletop walkthroughs rehearse the incident paths — a backup-restore, an OPNsense rebuild, a single-zone isolation (L2), a node sever (L3), and a break-glass drill. Findings feed back into §3 thresholds and the §5 runbook.
§8 — Documentation Structure
The Constitution (§6) mandates the split; the homes are:
- §8A — Technical source of truth: the Kitchen production GitLab (secret-bearing) and the free community forge (public/open development — on the Range / Zone 5, LDAP-Beta).
- §8B — Custodian private documentation: BookStack-Alpha (the Grimoire, Basement).
- §8C — Community documentation: BookStack-Beta (the Common Library, Lounge), tiered public/member shelves.
- §8D — Den documentation: local to the Engine; no enclave dependency.
§8C member shelves are: internal community discussions; draft documents; member work products, organized by specialty (Engineering / Logistics / Finance / Marketing), not by rank; and Gate-2 endorsement records — Developer-space vote summaries plus curation notes referencing work in the free community forge (on the Range / Zone 5, per Constitution v12.8 §2 and Enclave Doctrine v1.1). (No rank-based shelves: the abolished rank model has no place here.)
§9 — Routine Operational Checks
The standing cadence. All Basement-touching duties remain the Custodian’s and are never delegated.
| Check | Cadence | Owner |
|---|---|---|
| Backup + canary review | Daily | n8n-Alpha / Custodian |
| Alert triage | Daily | Custodian |
| External pulse verification | Daily | automation |
| GitLab integrity test | Weekly | automation |
| OPNsense config export check | Weekly | Custodian |
| RAM headroom audit | Quarterly | Custodian |
| Tabletop + DR drill | Quarterly | Custodian |
| Credential-bootstrap legibility | Quarterly | Custodian (Basement) |
(Cadence/owner rows reconstructed after the loss of sop v1.3 — verify against any surviving copy.)
§10 — Recruitment and Disbursement (relocated)
Moved in full to the Workplace SOP. The Tech Board’s funded-work workflow, the ERPNext recruitment process, and disbursement are real-identity-workplace mechanics and live with the Workplace domain. Nothing of it remains here. (CNMCyber and KenyaX are team/brand names, not domains; the domain SOPs are the Commons SOP and the Workplace SOP — Constitution v12.8 §13.)
§11 — Cutting a Charter Release
Procedure: reconcile the corpus → cut the immutable lockfile → move the charterRelease pointer → rebuild and verify. Document ids are stable primary keys; releases are immutable.
Under the four-triad composition (Constitution v12.8 §13), each domain pins a Doctrine + SOP + course. A Charter Release pins:
- constitution (keystone)
- Enclave triad: enclave-doctrine, enclave-sop (this document), enclave-bootcamp
- Commons triad: commons-doctrine, commons-sop, welcome-to-opplet-commons
- WiseNxt triad: wisenxt-doctrine, wisenxt-sop, wisenxt-orientation
- Workplace triad: workplace-doctrine, workplace-sop (no course yet — Constitution §13)
- the manifests, the URL Nomenclature, the Official Website document
The first Charter Release after the restructure performs a coordinated id migration (permitted only at a release boundary), reflecting the full v12.6–v12.8 target state: sop → enclave-sop (this re-issue completes it); the Participant Doctrine splits — its ladder content keeps wisenxt-doctrine, its community content forks to commons-doctrine; the paid-workforce pair migrates to workplace-doctrine / workplace-sop; and the single moodle-syllabus is retired, splitting into the three domain courses — welcome-to-opplet-commons (Commons), enclave-bootcamp (Enclave), and wisenxt-orientation (WiseNxt). New ids are minted for any remaining triad members. Re-pin everything in a fresh charter-YYYY-N+1.yaml; old lockfiles stay immutable.
§12 — Sovereign Override and Break-Glass
The Constitution (§2, §3) fixes that the Custodian’s override is isolated from both population directories. This is how it is operated.
- The live override is normally dormant. It is enabled only when invoked, reached only over the Custodian network path (Constitution §7C), and gated by a hardware token. It exists to let the Custodian respond to a compromise of either population directory — a Talent Wipe of Beta, or a workforce-directory incident in Alpha — without a full break-glass.
- Invocation is logged immutably to Watchtower (Pillar 4); the override is disabled again on completion. An enabled-and-idle override is itself an alertable condition (§3).
- Break-glass remains the deeper fallback (§5B): the printed credential-bootstrap section in the Custodian’s physical safe, plus the encrypted copy in Vaultwarden. Break-glass is for catastrophe — total loss, or a compromise that reaches the override itself. The order of resort is: ordinary admin → live override → break-glass.
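The enabled-and-idle condition from §3 and §12, as an added detection sketch (not the SOP's or Watchtower's own logic): it replays override records and raises an L1 alert when the override is still enabled and nothing has happened for longer than a limit. Assumptions: the log line format and the 15-minute idle limit are hypothetical, since the SOP states neither, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumption: the SOP does not state the idle threshold; 15 minutes is illustrative.
IDLE_LIMIT = timedelta(minutes=15)

# Constructed sample records; the line format is hypothetical, not Watchtower's.
SAMPLE_LOG = """\
2026-06-16T09:00:00+00:00 override enabled
2026-06-16T09:02:10+00:00 override action
2026-06-16T09:06:45+00:00 override action
2026-06-16T09:07:30+00:00 override disabled
2026-06-16T14:20:00+00:00 override enabled
2026-06-16T14:21:05+00:00 override action
"""


def override_state(log_text):
    """Replay the records; return (enabled, last_activity) after the final one."""
    enabled, last_activity = False, None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _, event = line.split(maxsplit=2)
        when = datetime.fromisoformat(stamp)
        if event == "enabled":
            enabled, last_activity = True, when
        elif event == "action" and enabled:
            last_activity = when
        elif event == "disabled":
            enabled = False
    return enabled, last_activity


def idle_override_alert(log_text, now):
    """Return an L1 alert dict if the override is enabled and idle, else None."""
    enabled, last_activity = override_state(log_text)
    if enabled and now - last_activity > IDLE_LIMIT:
        return {
            "severity": "L1",
            "alert": "Sovereign override enabled-and-idle",
            "idle_for": str(now - last_activity),
        }
    return None
```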
Changelog
v2.2 (2026-06-16) — Clean re-issue (self-contained)
- Consolidated to one file. The substrate mechanics §1–§9, formerly carried “verbatim in sop v1.3,” are now inlined; sop v1.3 is retired, completing the sop → enclave-sop id migration (§11). No mechanic changed in substance — §1 now also records the Outpost’s durable-dataset push (Constitution §5A, §9), §8C is folded in already corrected (specialty shelves, forge-on-Range, no rank line), and an override-idle alert row is noted in §3 (§12).
- Carries forward the v2.1 reconciliation to Constitution v12.8: four-triad Charter (§11) with per-domain courses; cnmcyber-* → commons-*, kenyax-* → workplace-*; §10 relocated to the Workplace SOP; real-identity terminology.
- The §3 alert baseline and §9 cadence tables are reconstructed (the originals were lost with sop v1.3) — verify rows.
- Still DRAFT pending ratification of the amendment cluster (Constitution v12.6–v12.8).
v2.1 (2026-06-16) — Reconcile to Constitution v12.8
- Re-pinned §11 to the four-triad composition; cnmcyber-* → commons-*, kenyax-* → workplace-*; §10 relocated to the Workplace SOP; “paid workforce” → “real-identity workplace”; “four-pair” → “four-triad.”
v2.0 (2026-06-12) — Re-home under the Two Worlds restructure
- Re-homed from sop v1.3 as the Enclave SOP (then in delta form, referencing sop v1.3 for §1–§9). §10 relocated; §8C corrected; §11 reconciled; §12 (sovereign override) added.
END OF DOCUMENT