WiseNxt SOP
The Climb: WiseNxt Operations
You're reading the public edition of WiseNxt SOP. The working source — drafts, change discussion, and member resources — lives in the community library.
Purpose and Scope
The tunable mechanics of the Climb — what the WiseNxt Doctrine describes, made concrete. Custodian-tunable (Constitution §13B). Numeric values are initial settings, reviewed on the Enclave SOP’s quarterly tuning cadence. Climb records live in Beta-side systems on the Range — the Forgejo forge, the Vikunja tracker, and BookStack-Beta — whose durable datasets carry a backup exception (Constitution §5A, §9); ERPNext is reserved for funded recruitment (Workplace SOP). Tooling named here is the initial selection, itself tunable.
1. Enrollment
The Climb begins when a Permit-holder opts in by entering the WiseNxt Orientation (§2) and producing its capstone: a proposed improvement to Opplet or the Commons. A senior operator reviews that proposal (§7); on review it becomes the participant’s first nominated exemplar, and enrollment is recorded against the member’s callsign in the Vikunja tracker. Standing membership and the Learner Permit are required (Constitution §11.3); no application, no human approval beyond the operator review that every exemplar receives. A member may pause or abandon the Climb at any time and remain a community member in good standing.
2. Prerequisites — the Permit and the Orientation
- The Learner Permit. Earned by completing Enclave Bootcamp (the Enclave domain’s theory course on how Opplet runs), delivered as an open Moodle course in the Lounge. Not run here — the course’s content and grading are the Enclave Doctrine’s, and the Opplet Learner Permit is issued by the Commons on completion (Commons SOP §9). The Permit is a certified-member credential: per Constitution §11.3 it grants Range-review of the forge, the Opplet-thematic courses, and the WiseNxt Orientation, and gates the certified-member Developer-space vote; Vikunja reads it as the enrollment eligibility flag (§1). No clock applies.
- The WiseNxt Orientation. The opt-in, climb-only on-ramp that follows the Permit — its own document in the WiseNxt domain, delivered as a Moodle course in the Lounge, with its hands-on fork work on the Range via the Air-Lock. Its capstone is the first exemplar (§1).
3. Exemplar Doors and Curation Ranking
Exemplars (Forgejo work, BookStack-Beta drafts) accrue under a participant’s callsign. They arrive through three doors, all producing the same output — an Opplet/Commons improvement — and all feeding one ranking queue:
- The Orientation proposal — reviewed by a senior operator (§7).
- Hackathons — periodic, judged by established best practice (panel/rubric).
- The demand-driven vacancy — an open need posted to the community (§6, Vacancy Board), answered with produced work.
Ranking uses two signals of unequal weight:
- Curation (necessary, weighted). Existing operators vouch for reviewed work — the upper ladder’s standing duty (Doctrine §4). A curation record names the participant, the target specialty, the work referenced, the endorsing operator(s), and the date, and is held durably (Vikunja record / BookStack-Beta member shelf, under the §9 backup exception). At least one credible curation is required.
- The Developer-space vote (supporting). Surfaces and adds weight; never sufficient alone. Certified-member-gated (HumHub Developer spaces; voters hold the Learner Permit — Commons Doctrine §7).
The combined rank orders the cohort queue (a Vikunja board). The wait is productive, not a rejection: a participant who does not place keeps producing for the next window.
4. The Range Lease (initial settings — tunable)
| Setting | Initial value | Note |
|---|---|---|
| Lease length | 48 hours | Auto-provisioned at grant; auto-recycled at expiry |
| Cohort cadence | every 2 weeks | A predictable window — surfaced on the member calendar as “next opens in N days” |
| Cohort size | = currently free range slots | Genesis planning figure 8–15; set by available Incus container capacity |
| Fork type | Incus system container | Ephemeral, disposable; rebuilt from templates. VM-grade isolation is reserved for adversarial live-fire exercises only |
| Re-lease | allowed | A participant who needs another run rejoins the queue |
Container forks are far lighter than VMs — they multiply cohort capacity per node and reduce provisioning I/O — which is what makes a single modest range node viable at genesis. The engineering target for fork cost is addressed in the Enclave domain; this section sets only the lease cadence and fork model.
5. The Deploy Grading Rubric
In the leased fork, the participant stands up and runs a whole miniature Opplet. The deploy is machine-graded by a CI-driven probe harness (the Climb’s one custom piece) run against the running fork, with results written to Vikunja via n8n.
Each face is a binary pass/fail probe; overall pass = all four green. Aptitude is read from a secondary quality signal — the face cleared cleanest/fastest among the four — not from the binary gate itself. The aptitude-signal weighting is the one tunable here; the four faces and the all-green pass bar are fixed.
| Face | Binary probe |
|---|---|
| Infrastructure (Engineering) | Fork stands up; services reachable; backup canary fires; RPO met; edge router rebuildable within target |
| Books (Finance) | Ledger/finance module configured and reconciling |
| Logistics | Services brought up in the correct rebuild-priority order; an injected coordination exception handled |
| Public front (Marketing) | The public site deployed and live |
Pass = the whole instance runs (mastery, breadth). Aptitude = the face of strongest performance and gravitation (the sort). A marginal face is feedback, not rejection — the participant may re-lease.
6. Recruitment and the Vacancy Board
Recruitment is the upper ladder’s duty (Doctrine §4): L3/L4 operators review exemplars (Orientation proposals, hackathon entries, vacancy responses), record curation, and own their zone’s Gate 2 (§7).
An open position is a vacancy. Vikunja is the single source of truth — each vacancy is a tracker item labelled by track, level, type (entry / advancement), and status (open / claimed / filled). Two kinds, surfaced to two audiences:
- Advancement vacancies — open operator seats (next level in a track, or a lateral seat in another). Surfaced in Vikunja, beside the cohort queue: read-visible to all climbers, claim-gated to the certified. A cross-track claim lands at the new track’s L2 seat, requires a new-zone curation, adds a zone endorsement to the Operator License (§7), and needs no re-deploy (Doctrine §4).
- Entry vacancies — open needs that seed exemplar work (§3). Broadcast by n8n to a dedicated HumHub space for potential climbers, reaching members not yet in the tracker. When a vacancy points at concrete work, the work is a Forgejo issue and the Vikunja vacancy links to it.
Initial setting: advancement seats are tracker-only (not echoed to the community stream), revisited if climbers report missing openings.
7. The Per-Zone Gate-2 Workflow
Each working zone runs its own Gate 2, owned by its L3/L4 operators:
- Eligibility. A passed Climb (Learner Permit + deploy) plus at least one credible curation record for the target zone/specialty.
- Review. The zone’s operators review the deploy result, the curation, and the vote in Vikunja (Beta-side; not ERPNext).
- Admission. Routine admissions are confirmed on the objective bar; borderline cases are the operators’ judgment. Admission is taking an open L2 seat (certify-vs-seat — Doctrine §4); if no seat is open, the certified participant waits on the seat, not the bar.
- License and provision. On admission, the participant receives the Operator License with this zone as an endorsement (the first endorsement, or an added one for a cross-track entrant), and n8n provisions the L2 seat within LDAP-Beta — no directory change, same callsign. (The Lounge Gate 2 provisions CNMCyber staff.)
8. Aptitude Recording
A participant’s discovered specialty (from the exemplar hint and the deploy rubric, §5) is recorded against their callsign in Vikunja as a focus, not a lock: it routes them toward the matching zone and seats, but a participant may re-enter the Climb, claim a cross-track seat (§6), or shift focus. Aptitude is descriptive of demonstrated work, never a permanent label.
9. The Climb’s Stack
The Climb owns its infrastructure (Constitution §2, §4; Doctrine §1), all on the Range (Zone 5 / Outpost). Initial selection, tunable:
- Forge + CI — Forgejo (+ Forgejo Actions). Exemplar work, merge requests, and the work artifacts that vacancies reference. Public-read on public projects; Beta-authenticated for proposal/push (Constitution §7). The public projects are the openness/forkability surface (Constitution §4), and the certified-member review surface (the Permit’s Range-review grant — Constitution §11.3).
- Tracker — Vikunja. Enrollment, the cohort queue, ranking, aptitude, durable curation records, and the vacancy board. OIDC to Authentik; single-container + SQLite at prototype scale.
- Range forks — Incus. Ephemeral system-container practice forks, rebuilt from templates (§4). VM-grade isolation reserved for adversarial live-fire exercises only.
- SSO — Authentik (OIDC) over LDAP-Beta. Every tool federates here; one Beta identity, same callsign.
- Glue — n8n. Fork provisioning, grade write-back, seat provisioning, and entry-vacancy broadcast.
- Broadcast — a HumHub space for potential climbers. The entry-vacancy surface (§6).
No courses run on the Range. The WiseNxt Orientation course is delivered in Moodle (Lounge); only its hands-on fork work runs here via the Air-Lock (Constitution §11.3).
Durability — the backup exception. The durable services — the forge (repositories, curation records) and the tracker — are pushed to PBS via the Backup Bridge under Drop-Only (Constitution §5A, §9), so they survive the Outpost’s volatility. The ephemeral practice forks stay no-backup, rebuilt from templates. Nothing is moved off the Range.
10. Genesis-Seeding Procedure
Until a zone holds its own L3/L4 (Doctrine §6, Constitution §11.5):
- The Custodian identifies Gate-1 alumni who hold the Learner Permit and have cleared the machine-graded deploy.
- The Custodian provisions them as the zone’s initial operators by root, recording the seed action immutably (Pillar 4).
- Seeding for a zone ends once it holds its own senior operators; thereafter its Gate 2 and its recruitment duty (§6) are operator-owned.
Changelog
v1.4 (2026-06-16) — Reconcile to Constitution v12.8
- §2: the Permit course is Enclave Bootcamp (the Enclave domain’s; content/grading the Enclave Doctrine’s), the Permit issued by the Commons (Commons SOP §9); the §11.3 Permit grants recorded. The WiseNxt Orientation course runs in Moodle, its fork work on the Range.
- CNMCyber → Commons (Doctrine/SOP refs, “improvement to the Commons”); KenyaX SOP → Workplace SOP; paid → funded. CNMCyber stays the team/brand (“CNMCyber staff,” §7).
- §9: the forge named as the certified-member review surface; “no courses on the Range” noted.
v1.3 (2026-06-15) — Binary grader, the Operator License, stack stays on the Range, PROVISIONAL lifted
- §5 binary grader; §9 stack on the Range with the backup exception; §6/§7 Operator License; §2 the WiseNxt Orientation a WiseNxt-domain document; PROVISIONAL lifted. (v1.4 re-homes the theory course to the Enclave domain and renames the CNMCyber/KenyaX domains.)
END OF DOCUMENT
All charter documents
- Tier 0 — Keystone: Opplet Constitution
- Tier 1 — Doctrine & Architecture: Enclave Doctrine, Commons Doctrine, WiseNxt Doctrine, Workplace Doctrine
- Tier 2 — Operations & Learning: Enclave SOP, Enclave Bootcamp, Commons SOP, Commons Welcome, WiseNxt SOP (this document), WiseNxt Orientation, Workplace SOP
- Tier 3 — Manifests & Reports: Software Stack, Hardware Manifest, URL Nomenclature, Opplet.Com Website
- Tier 4 — Zone Projects: Den Migration