Enclave Doctrine

Substrate Architecture: The Enclave Doctrine

Version 1.2 · DRAFT (reconciles to Constitution v12.8; adds §10 Evolution Loop) · Tier 1 — Doctrine & Architecture · part of Charter Release 2026.3 · effective 2026-07-01

You're reading the public edition of Enclave Doctrine. The working source — drafts, change discussion, and member resources — lives in the community library.

Purpose and Scope

This Doctrine describes how the technology substrate is realized — the architecture as designed. It sits beneath the Constitution (which fixes the boundaries the substrate must respect), above the Enclave SOP (which holds the cadences and runbooks), and alongside the Manifests (which hold the specs). It governs the enclave nodes — the Manor, the Annex, the Outpost. It does not govern the Den, which is the Custodian’s personal infrastructure and sits outside the governed corpus (Constitution §13, §17).

Where this Doctrine and the Constitution appear to disagree, the Constitution wins. Where a value here is a tunable cadence or threshold, the SOP wins.


1. The Node Realization

Node: The Manor
  Role: The Structure and Brain (HA sovereign core)
  Hosts (by zone): Zone 0 Basement (the sovereign core) and Zone 2 Office (real-identity workplace)

Node: The Annex
  Role: The Forge and Front Door (delivery edge)
  Hosts (by zone): Zone 3 Kitchen (real-identity workplace) and Zone 4 Lounge (volunteer commons)

Node: The Outpost
  Role: The Muscle (volatile, network-isolated)
  Hosts (by zone): Zone 5 Range (the live-fire range, the Climb’s deploy ground, and the Climb’s free community forge, CI, and tracker)

Node: (The Den)
  Role: The Life Raft (outside the corpus)
  Hosts (by zone): Zone 1 (Custodian-personal; not governed here)

The Outpost’s roles share the node’s isolation but never each other’s state: live-fire exercises run against disposable target VMs; the deploy ground stands up leased practice forks for the Climb; and the Climb’s free community forge, CI, and tracker are the durable services hosted here. The live-fire targets and the practice forks are rebuilt from templates (no backup dependency) and reach the participant only through the Air-Lock (Constitution §5C). The forge, by contrast, is durable — its repositories, tracker, and curation records are pushed to PBS under the Outpost backup exception (Constitution §5A, §9) — and is reached as an ordinary Beta web service via Traefik, not through the Air-Lock.


2. The Zone Service Map

What runs where, and which world it belongs to. (Specs in the Manifests; cadences in the SOP.)

Zone 0, Basement (Manor)
  Services: LDAP-Alpha + LDAP-Beta directories, Authentik-Business, n8n-Alpha, observability (Watchtower/Wazuh/Grafana), BookStack-Alpha (the Grimoire), PBS, OPNsense, the live-override store
  World: Sovereign

Zone 2, Office (Manor)
  Services: ERPNext (the Bursar): finance, donor relations, recruitment, disbursement
  World: Real-Identity Workplace (Alpha)

Zone 3, Kitchen (Annex)
  Services: the Kitchen production GitLab (secret-bearing CI/deploy), the build farm
  World: Real-Identity Workplace (Alpha)

Zone 4, Lounge (Annex)
  Services: HumHub, BookStack-Beta (Common Library), Jitsi, Moodle (all LMS courses), Guacamole (Air-Lock), the public fronts (Quartet)
  World: Volunteer Commons (Beta)

Zone 5, Range (Outpost)
  Services: live-fire target VMs; the deploy-ground forks; the free community forge, its CI, and the tracker (durable; §9 backup exception)
  World: Volunteer Commons (Beta)

Note the identity-hosting fact: both LDAP directories are physically hosted in the Basement (brokered by Authentik-Business), even though LDAP-Beta governs the commons hosted outward across the Annex (Lounge) and the Outpost (Range). The directories live where they are most protected; authentication reaches outward from there.

Courses run only on Moodle. Every LMS course — Welcome to Opplet Commons, Enclave Bootcamp, the WiseNxt Orientation, and the Opplet-thematic courses — is delivered on Moodle in the Lounge (Zone 4); the Range hosts no courses (Constitution §11.3). The WiseNxt Orientation’s hands-on work-discovery happens on a Range fork via the Air-Lock, but its course is in Moodle. Of these, Enclave Bootcamp is this domain’s own course — the Enclave triad’s learning material (Constitution §13); its content and grading are this Doctrine’s, though it is delivered in Moodle and the Commons issues the Opplet Learner Permit on its completion (Commons SOP §9).


3. The Identity-System Design

The Constitution fixes the boundaries (the two worlds, the sovereign outside them, Zero Cross-Pollination). This is how they are built.

Authentik-Business is the OIDC broker for both population directories. It federates LDAP-Beta (the automated pseudonymous commons) and LDAP-Alpha (the human-recruited real-identity workplace) and walls every business service per the Authentik Default Rule (Constitution §7). Authentik-Personal, in the Den, shares nothing with it.

The live-override store realizes the sovereign’s isolation (Constitution §2, §3). It is:

  • Minimal — it holds only the Custodian’s override and, at most, one or two trusted roots; it is not a directory and governs no population.
  • Dormant — disabled by default and enabled only when invoked, so it presents no standing attack surface.
  • Hardware-token-gated and reachable only over the Custodian network path (Constitution §7C) — never from either population’s network.
  • Layered above the break-glass — the offline credentials in the safe (SOP) remain the deeper fallback below the live override: the override is for an incident in one population’s directory, the safe for catastrophe.

Dual-hold is realized as two unlinked accounts under one person: a Beta callsign (issued by automation at Gate 1) and, if they cross into funded work, an Alpha real-identity (issued by contract). No system federates the two; the link is held privately by whoever administers the contract. The community sees only the callsign.


4. The Two-Forge Design

The forge is the one capability that straddles the public/confidential line, so it is built as two separate instances, one per world — distinct products, on distinct directories, on distinct nodes.

  • The free community forge (Forgejo, on the Range / Zone 5, Beta): public projects, practice work, contributions, and the durable curation records. Volunteers reach it on their callsign as a web service; it carries no production secrets. This is where the Climb’s open development and its work exemplars live — the source of truth that certified members (Opplet Learner Permit holders) may review (Constitution §11.3). Its durable datasets carry the §9 backup exception.
  • The Kitchen production GitLab (GitLab, Kitchen / Zone 3, Alpha): the secret-bearing layer — deploy keys, production CI, infrastructure-as-code with credentials. Reachable only by real-identity workers under contract.

Promotion is one-way: free → Kitchen. Vetted code is mirrored from the free forge into the Kitchen for release; secrets never mirror outward. The boundary is physical (two products, two directories, two nodes), not a permission flag — the stronger guarantee per Pillar 4.


5. The Public Fronts

The Quartet on the Lounge behind Traefik, public-anonymous: opplet.com (platform), kenyax.com (a public front of the Workplace — the KenyaX team’s brand), wisenxt.com (the methodology), cnmcyber.com (the community). Generators and build tooling are tracked in the Software Stack Manifest.


6. The Sovereign Gap — Design Patterns

The Constitution states the Gap (§5); this is how each piece is built.

  • The Janitor Rule is enforced at OPNsense: the Manor reaches outward to manage the Annex and Outpost; the return path is denied save the three constitutional exceptions (OIDC, internal webhooks, the Backup Bridge).
  • The Backup Bridge is a Drop-Only push to PBS in the Basement: the Annex writes backups it cannot read or delete, and the Outpost likewise pushes the Climb’s durable datasets (forge, tracker, curation records) under the §9 backup exception (Constitution §5A). State crosses only here, encrypted.
  • Storage Isolation keeps every node’s storage local (ZFS); nothing distributed spans nodes.
  • The Talent Proxy (Guacamole) puts the Air-Lock between a participant and any Range VM, so local hardware never touches the execution network. The forge is the exception by design — it is a web service, not a Range VM (§4, Constitution §5C).
  • Den Isolation is absolute and realized as the absence of any route — no mesh, no VPN, no exception — so the Life Raft cannot be reached from a compromised enclave.
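The Janitor Rule above is easy to state and easy to get subtly wrong in a firewall: the denial is on connections the edge initiates, not on reply packets to sessions the Manor opened, and each exception names one destination service rather than "anything in the Basement on a port". The model below is an added example, not Opplet's OPNsense configuration; the subnets, service addresses and ports are assumptions chosen for illustration (the doctrine fixes the zones and the three exceptions, nothing else). It evaluates sample flows with the stateful semantics a real firewall applies, and renders the same policy as an nftables forward chain so the two can be compared.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing (illustrative only; the doctrine fixes zones, not subnets).
# Zone 1 (the Den) is deliberately absent: it has no route into the enclave.
ZONES = {
    "basement": ip_network("10.0.0.0/24"),  # Zone 0, Manor
    "office":   ip_network("10.0.2.0/24"),  # Zone 2, Manor
    "kitchen":  ip_network("10.0.3.0/24"),  # Zone 3, Annex
    "lounge":   ip_network("10.0.4.0/24"),  # Zone 4, Annex
    "range":    ip_network("10.0.5.0/24"),  # Zone 5, Outpost
}
MANOR = {"basement", "office"}
EDGE = {"kitchen", "lounge", "range"}

# The three constitutional exceptions, keyed on (destination host, TCP port).
# Addresses and ports are assumptions; the point is that each exception
# names one service, not "anything in the Basement on 443".
EXCEPTIONS = {
    ("10.0.0.10", 443):  "oidc",              # Authentik-Business (assumed)
    ("10.0.0.20", 443):  "internal-webhook",  # n8n-Alpha (assumed)
    ("10.0.0.30", 8007): "backup-bridge",     # PBS (assumed)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    state: str = "new"  # "new" = connection attempt, "established" = tracked reply


def zone_of(addr):
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)


def decide(flow):
    """Evaluate one flow crossing OPNsense. Returns (verdict, reason)."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        return "drop", "unknown-zone"
    # Replies to sessions the Manor opened ride the connection-state table;
    # dropping them would break the management path the rule protects.
    if flow.state == "established":
        return "accept", "established"
    if src in MANOR and dst in EDGE:
        return "accept", "manor-outbound"
    if src in EDGE and dst in MANOR:
        tag = EXCEPTIONS.get((flow.dst, flow.dport))
        return ("accept", tag) if tag else ("drop", "janitor-rule")
    # Manor-internal and edge-to-edge pairs (e.g. Lounge -> Range for the
    # Air-Lock) are governed by other rules, not by the Janitor Rule.
    return "defer", "outside-janitor-rule"


def render_nftables():
    """Render decide() as an nftables forward chain (same assumptions)."""
    manor = ", ".join(str(ZONES[z]) for z in sorted(MANOR))
    edge = ", ".join(str(ZONES[z]) for z in sorted(EDGE))
    rules = [
        "table inet janitor {",
        "  chain forward {",
        "    # policy drop: every other zone pair needs its own explicit accept",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {{ {manor} }} ip daddr {{ {edge} }} ct state new accept",
    ]
    for (host, port), tag in EXCEPTIONS.items():
        rules.append(
            f"    ip saddr {{ {edge} }} ip daddr {host} tcp dport {port} "
            f"ct state new accept comment \"{tag}\""
        )
    rules += [
        f"    ip saddr {{ {edge} }} ip daddr {{ {manor} }} drop comment \"janitor-rule\"",
        "  }",
        "}",
    ]
    return "\n".join(rules)


if __name__ == "__main__":
    for f in (Flow("10.0.0.5", "10.0.4.7", 22),      # Manor manages the Lounge
              Flow("10.0.4.7", "10.0.0.5", 22),      # Lounge tries SSH back: dropped
              Flow("10.0.4.7", "10.0.0.10", 443),    # Lounge -> Authentik: OIDC exception
              Flow("10.0.5.9", "10.0.0.30", 22)):    # Range -> PBS on SSH: not the bridge
        print(f.src, "->", f.dst, f.dport, decide(f))
    print(render_nftables())
```

Two checks fall out of running it: a Range host reaching PBS on anything but the backup port is dropped even though PBS is a named exception, and a Lounge-to-Range flow is not decided by this chain at all, so the Air-Lock path needs its own explicit rule under the drop policy.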

7. The Kill Switch — Implementation Design

The Constitution fixes the four severity levels and their authorities (§8); this is what enacts them. L0 and L1 are n8n-Alpha workflows (alert, suspend). L2 and L3 are OPNsense actions (isolate a zone, sever a node), with L3 requiring Custodian confirmation. The thresholds that trigger each are SOP-tunable; the mechanisms are fixed here. A Talent Wipe clears LDAP-Beta; the Custodian’s override (§3) is designed to survive it, and equally to survive a workforce-directory compromise.


8. The Observability Design

Three dimensions, per the Constitution’s mandate (§10): external uptime (a micro-VPS running Uptime Kuma, independent of the enclave), service-level health checks, and active alerting (Wazuh/Grafana → Pushover). Liability data — talent logs from the Outpost and Annex — is forwarded immutably to Watchtower in the Basement for non-repudiation; it is observation, not backup. The Split-Brain design keeps Custodian data on Manor ZFS and Den data wholly off the enclave. Cadences and thresholds are the SOP’s.
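"Forwarded immutably for non-repudiation" only holds if the collector can later prove a forwarded stream was neither edited nor shortened. One way to get that property is a hash chain kept at the collector, with the chain head anchored somewhere the forwarding node cannot write. The code below is an added example, not Opplet's Watchtower pipeline; the sample records, their field names and the chain format are constructed for illustration. The verification step shows the failure mode a practitioner should expect: an edited or removed record is caught by the chain alone, but a truncated tail passes unless the stored head is checked too.

```python
import hashlib
import json

# Constructed sample: Guacamole-style session records as a Range host might
# forward them. The field names and format are assumptions.
SAMPLE_LINES = [
    "2026-07-01T09:00:01Z range guacd session=7f3a user=cs-17 action=connect vm=target-04",
    "2026-07-01T09:14:22Z range guacd session=7f3a user=cs-17 action=upload name=notes.txt",
    "2026-07-01T09:30:05Z range guacd session=7f3a user=cs-17 action=disconnect",
]

GENESIS = "0" * 64  # head of an empty chain


def _digest(seq, prev, line):
    # Canonical JSON so the same record always hashes the same way.
    material = json.dumps({"seq": seq, "prev": prev, "line": line}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def append(records, line):
    """Append one forwarded line to the chain the collector holds; return the new head."""
    prev = records[-1]["hash"] if records else GENESIS
    seq = len(records)
    records.append({"seq": seq, "prev": prev, "line": line,
                    "hash": _digest(seq, prev, line)})
    return records[-1]["hash"]


def build(lines):
    """Chain a batch of lines in arrival order."""
    records = []
    for line in lines:
        append(records, line)
    return records


def verify(records, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, first bad index).

    Without expected_head, a chain truncated at the tail still verifies:
    truncation is only visible against a head stored out of reach of whoever
    could shorten the log (the anchor is the collector's job, not the sender's).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if rec["hash"] != _digest(rec["seq"], rec["prev"], rec["line"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


if __name__ == "__main__":
    chain = build(SAMPLE_LINES)
    head = chain[-1]["hash"]
    print("intact:", verify(chain, head))
    edited = [dict(r) for r in chain]
    edited[1]["line"] = edited[1]["line"].replace("notes.txt", "loot.bin")
    print("edited record:", verify(edited))
    print("truncated, no anchor:", verify(chain[:2]))
    print("truncated, anchored:", verify(chain[:2], head))
```

The chain is computed where the records land, not on the edge node, because the edge is the party whose later denial the log must survive; the head it produces should be written to a place the Outpost and Annex cannot reach, which is exactly the Drop-Only direction the Backup Bridge already enforces.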


9. Extension and Forking

The substrate is designed to be forked: the blueprints (infrastructure-as-code, the open codebase) are public on the free community forge, so an instance can be reconstituted from them — which is what makes the Custodian Partner door real (Constitution §11.7, §14) and what the Range deploy ground rehearses. A practice fork in the Range is a miniature of this substrate; a Custodian Partner’s instance is a full one, stood up independently. Because the substrate is rebuildable from public blueprints and the Economic Group holds the legal substrate, succession carries no key-person lock-in (Constitution §15A).


10. The Evolution Loop

The substrate is not finished; it is steered. The Constitution fixes who holds root, who holds the purse, and who does the work; this is the design of the loop by which the enclave’s next state is proposed, weighed, and funded — the mechanism the Vision section fronts. It governs the future of the substrate (this domain); its cadence and runbook are the SOP’s (§13).

The structural spaces. The loop is driven by structural developer-spaces — HumHub Developer-spaces in the Lounge (Zone 4, Beta) that the Tech Board designates as structural (Constitution §16). Designation is a resourcing act, not an editorial one: it marks a space’s projects as candidates for the roadmap and for funding, and it does not touch the Commons’ standing as an open sounding board (Constitution §15C). Participation is at member standing; the deeper forge and exemplar review remains a Learner-Permit grant (Constitution §11.3).

The two motions. A structural space acts on the enclave in two directions at once:

  • Shape (forward). It drafts the enclave’s next state — proposals, designs, roadmaps — on the member shelves of BookStack-Beta (the Common Library; Constitution §6, SOP §8C). This is where the future is written before it is load-bearing; mature drafts surface on the Vision section.
  • Assess (present). It evaluates the enclave as it now runs, through visibility — curated, read-only exposure of the running state (dashboards, public blueprints, architecture) — and guided tours led by enclave staffers: the Alpha real-identity operators of the secret-bearing technical operation (Constitution §15D). Assessment is bounded by the Sovereign Gap: a tour narrates and shows; it never grants a Beta identity a path into Alpha, the Kitchen, or the Basement (Constitution §5, §7). What can be shown is exactly what can be shown safely — no more.

The Tech Board gate. A shaped project leaves the loop only through the Tech Board, which approves it onto one of two tracks, or declines it:

  • Economic-Group-funded → the Contractor track. The project is funded; its build is real-identity, contracted work in the Workplace (Alpha), reached through the Contractor door (Constitution §11.6, §11.7, §16). Payment is lawful only to a real name (Constitution §15E), so funded work lands on Alpha by construction.
  • WiseNxt-available → the Volunteer track. The project is not funded but is approved as volunteer work, surfaced through the Climb (WiseNxt, Beta) for work-discovery on the Range (Constitution §11.3, §13).

Whenever the Board withholds funding — declining a project or routing it to the Volunteer track — it records the reason (SOP §13). The gate keeps the constitutional line intact: the Board decides funding and track, never identity — it may not push privacy-, security-, or contract-bearing work onto the Volunteer track to keep it pseudonymous (Constitution §15E, §16).

What the loop is not. The loop proposes; it does not ratify. Root stays with the Custodian, legal title and ultimate authority with the Economic Group, and the Charter is amended only by the procedure the Constitution fixes (Constitution §17). A structural space shapes the enclave’s future; it does not govern it.


END OF DOCUMENT


Pages describing Opplet’s approved state based on this document:

  • Audit — written against v1.2, current
  • Engine — written against v1.2, current
  • GitLab — written against v1.2, current
  • Vision — written against v1.2, current
