diff --git a/INTENT.md b/INTENT.md new file mode 100644 index 0000000..19f4cdc --- /dev/null +++ b/INTENT.md 
@@ -0,0 +1,121 @@ +# INTENT + +> This file captures **why this repository exists**, +> the **direction it is moving toward**, and +> the **kind of system it is meant to become**. +> It is intentionally **aspirational and stable**, not a description of current implementation. + +--- + +## One-liner + +**The infrastructure substrate — turning bare machines into hardened, verified, ready-to-build-on servers, declaratively and reproducibly.** + +--- + +## Why This Exists + +Everything else assumes servers that already exist, are hardened, and are +known-good. Without a disciplined foundation: + +* server baselines drift, +* hardening is applied inconsistently, +* and higher layers inherit an unverified, untrustworthy substrate. + +This layer exists to **provision and converge that substrate +reproducibly**, and to **prove it meets a security baseline** before +anything is built on top of it. + +--- + +## The Mission + +> *Where we are going.* + +To become the **canonical, source-driven foundation** that provisions +servers, hardens and converges the operating system, manages bootstrap +secret material at rest, and validates the resulting baseline — so that +every higher layer can assume a **hardened, verified substrate**. + +This means: + +* The substrate is built **from source**, not hand-tuned on live hosts +* Security hardening is **part of provisioning**, not a later step +* The baseline is **tested and proven** before handoff +* The shape of the substrate is **recorded as the source of truth** + +--- + +## Core Principles + +### 1. Declarative and Reproducible + +The substrate is derived from source and can be rebuilt the same way every +time. No irreproducible, hand-tuned hosts. + +### 2. Hardened by Default + +Security hardening is intrinsic to provisioning, not bolted on afterward. + +### 3. Verified Before Handoff + +The baseline is validated against an explicit specification and proven +good before any higher layer runs on it. + +### 4. 
A Recorded Source of Truth + +The inventory and shape of the substrate are recorded and authoritative, +not discovered after the fact. + +### 5. Secure at Rest + +Bootstrap secret material is encrypted at rest in source and never stored +in the clear. + +### 6. Foundation, Not Tenant + +This layer provides the ground. It does not run, orchestrate, or configure +the things built on top of it. + +--- + +## What This Is (Conceptually) + +This layer is: + +* an **infrastructure substrate** +* a **provisioning and convergence** engine +* a **security hardening baseline** +* a **verification gate** before higher layers run +* a **recorded inventory** and source of truth for the substrate + +--- + +## What This Is Not + +This layer is not: + +* the runtime or orchestrator built above it +* a provider of shared platform services +* an application or business-capability provider +* a place for higher-layer configuration + +It is the **ground an entire landscape stands on**. + +--- + +## Direction of Evolution + +This layer is expected to evolve toward: + +* Stronger **reproducibility** and drift detection +* Broader **provider** support without changing the model +* **Continuous** baseline verification +* Automated **rotation** of at-rest secret material +* Self-evidencing, **auditable** provisioning + +--- + +## Guiding Question + +> **How can the ground an entire landscape stands on be made reproducible, hardened, and provably good before anything is built on it?**
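Review bot: Principles 3 and 5 ("Verified Before Handoff" and "Secure at Rest") promise validation against "an explicit specification" and bootstrap secret material "encrypted at rest in source", but nothing in the file says where that specification is kept, what decrypts the secret material, or who holds the keys; since the intro already states this is aspirational and "not a description of current implementation", consider adding a short "See also" pointer under each of those principles (or one section near the end) naming the documents that will hold the verification spec and the secret-handling procedure, so a reader can tell which guarantees are backed by something today and which are still direction. Relatedly, "Direction of Evolution" lists "Automated rotation of at-rest secret material" as future work, so it would help to state under principle 5 that the commitment today is that secrets never land in the clear, while rotation is not yet in place.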