Add playbook capability declaration for bootstrap

capabilities/playbooks/railiance-infra.bootstrap-host.yaml

@@ -0,0 +1,94 @@
+apiVersion: netkingdom.io/playbook-capability/v0.1
+kind: PlaybookCapabilityDeclaration
+metadata:
+  id: railiance-infra.bootstrap-host
+  name: Railiance S1 host bootstrap
+  owner: railiance-infra
+  repo: railiance-infra
+  domain: railiance
+  contract_version: "0.1"
+  source_links:
+    - label: Bootstrap playbook
+      path: ansible/playbooks/bootstrap.yaml
+    - label: Railiance infra scope
+      path: SCOPE.md
+spec:
+  playbook:
+    path: ansible/playbooks/bootstrap.yaml
+    type: ansible
+    invocation: make converge
+    description: Converges the Railiance S1 host baseline with base hardening, SOPS/age agent support, custodian-agent SSH access, swap, and resource limits.
+  capabilities:
+    - id: s1.os-baseline
+      tier: S1
+      resource_kinds:
+        - infrastructure_resources
+        - secrets_credentials
+      description: Establishes the host OS baseline and bootstrap secret-handling substrate required before higher Railiance layers run.
+  parameters:
+    - name: target_hosts
+      type: array
+      required: true
+      constraints:
+        min_items: 1
+      sensitivity: operational
+      tuning_authority: netkingdom_tunable
+      description: Inventory hosts selected for convergence.
+    - name: swapfile_size_mb
+      type: integer
+      required: false
+      default: 4096
+      constraints:
+        minimum: 0
+        maximum: 65536
+      sensitivity: operational
+      tuning_authority: netkingdom_tunable
+      description: Swap file size applied through host variables.
+    - name: sops_age_secret_source
+      type: string
+      required: false
+      default: ansible/inventory/group_vars/secrets.sops.yaml
+      sensitivity: secret_reference
+      tuning_authority: platform_only
+      description: SOPS-encrypted variable source consumed by the bootstrap playbook.
+    - name: wireguard_enabled
+      type: boolean
+      required: false
+      default: false
+      sensitivity: security_sensitive
+      tuning_authority: platform_only
+      description: Whether to include the optional WireGuard role in this playbook mode.
+  responsibilities:
+    - resource_kind: infrastructure_resources
+      owner: railiance-infra
+      resources:
+        - server:target_hosts
+        - os-baseline
+        - ssh-access
+      repo_owns: Ansible convergence mechanics, role execution, and host baseline verification hooks.
+      netkingdom_orchestrates: Whether the S1 substrate capability is selected for a scenario and which security posture is required before higher layers run.
+    - resource_kind: secrets_credentials
+      owner: railiance-infra
+      resources:
+        - sops-age-bootstrap-material
+        - custodian-agent-ssh-key
+      repo_owns: Placement and convergence mechanics for encrypted bootstrap material and custodian-agent access.
+      netkingdom_orchestrates: Bootstrap secret-material placement policy and the requirement that tenant operators do not receive platform bootstrap authority.
+  trust:
+    requires: []
+    satisfies:
+      - state: bare_host_trust
+        readiness_checks:
+          - id: os-baseline-converged
+            description: Base, sops_agent, custodian_agent, swapfile, and resource_limits roles converge successfully.
+            evidence: ansible/playbooks/bootstrap.yaml completes successfully for target_hosts.
+      - state: bootstrap_secret_trust
+        readiness_checks:
+          - id: sops-agent-ready
+            description: SOPS/age encrypted bootstrap variable source is available to the host convergence path.
+            evidence: sops_agent role converges with ansible/inventory/group_vars/secrets.sops.yaml.
+  catalog:
+    publish: capabilities/playbooks/railiance-infra.bootstrap-host.yaml
+    maturity: reference
+    consumers:
+      - netkingdom-meta-orchestration