Identity
Who you are, and what you may touch — the SSO, the two directories, and the vaults.
In a nutshell
The identity layer answers one question for every service above it: who is this, and what may they touch. It sits on the substrate and under the applications, and it is where the enclave’s deepest line — between the Workplace and the Commons — stops being doctrine and becomes configuration.
Three pieces hold it. Authentik issues the single sign-on the rest of the stack federates to. OpenLDAP keeps the two directories behind it, one per world. And Vaultwarden holds the secrets. The gate that lets certified members operate inside the Commons — the Air-Lock — is a matter of topology, described in Systems (guard); the tools it is built from live here in Identity and in Bedrock.