# INTENT

> This file captures **why this repository exists**,
> the **direction it is moving toward**, and
> the **kind of system it is meant to become**.
> It is intentionally **aspirational and stable**, not a description of current implementation.

---

## One-liner

**The infrastructure substrate — turning bare machines into hardened, verified, ready-to-build-on servers, declaratively and reproducibly.**

---

## Why This Exists

Everything else assumes servers that already exist, are hardened, and are known-good.

Without a disciplined foundation:

* server baselines drift,
* hardening is applied inconsistently,
* and higher layers inherit an unverified, untrustworthy substrate.

This layer exists to **provision and converge that substrate reproducibly**, and to **prove it meets a security baseline** before anything is built on top of it.

---

## The Mission

> *Where we are going.*

To become the **canonical, source-driven foundation** that provisions servers, hardens and converges the operating system, manages bootstrap secret material at rest, and validates the resulting baseline — so that every higher layer can assume a **hardened, verified substrate**.

This means:

* The substrate is built **from source**, not hand-tuned on live hosts
* Security hardening is **part of provisioning**, not a later step
* The baseline is **tested and proven** before handoff
* The shape of the substrate is **recorded as the source of truth**

---

## Core Principles

### 1. Declarative and Reproducible

The substrate is derived from source and can be rebuilt the same way every time. No irreproducible, hand-tuned hosts.

### 2. Hardened by Default

Security hardening is intrinsic to provisioning, not bolted on afterward.

### 3. Verified Before Handoff

The baseline is validated against an explicit specification and proven good before any higher layer runs on it.

### 4. A Recorded Source of Truth

The inventory and shape of the substrate are recorded and authoritative, not discovered after the fact.

### 5. Secure at Rest

Bootstrap secret material is encrypted at rest in source and never stored in the clear.

### 6. Foundation, Not Tenant

This layer provides the ground. It does not run, orchestrate, or configure the things built on top of it.

---

## What This Is (Conceptually)

This layer is:

* an **infrastructure substrate**
* a **provisioning and convergence** engine
* a **security hardening baseline**
* a **verification gate** before higher layers run
* a **recorded inventory** and source of truth for the substrate

---

## What This Is Not

This layer is not:

* the runtime or orchestrator built above it
* a provider of shared platform services
* an application or business-capability provider
* a place for higher-layer configuration

It is the **ground an entire landscape stands on**.

---

## Direction of Evolution

This layer is expected to evolve toward:

* Stronger **reproducibility** and drift detection
* Broader **provider** support without changing the model
* **Continuous** baseline verification
* Automated **rotation** of at-rest secret material
* Self-evidencing, **auditable** provisioning

---

## Guiding Question

> **How can the ground an entire landscape stands on be made reproducible, hardened, and provably good before anything is built on it?**
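
---

## Illustration: A Verification Gate

The principles "Verified Before Handoff" and "A Recorded Source of Truth", and the drift detection named under "Direction of Evolution", describe a concrete mechanism: compare a host's observed state against an explicit baseline specification, fail the handoff on any mismatch, and compare later snapshots against the recorded one to surface drift. The following is an added, self-contained example written for this page; it is not this repository's tooling, and the spec keys, hostnames and fact snapshots are constructed assumptions rather than any real schema.

```python
"""Added example: a minimal baseline verification gate plus drift detection.
Illustrative code for this page, not the repository's own tooling. The spec
format, the fact collector it assumes, and every key/value below are
constructed assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed baseline specification: an explicit statement of what a host
# must look like before handoff. Keys and values are illustrative assumptions.
BASELINE_SPEC: Dict[str, str] = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.default_input_policy": "DROP",
    "sysctl.net.ipv4.ip_forward": "0",
    "package.unattended-upgrades": "installed",
}


@dataclass
class Finding:
    """One spec key the host failed. observed is None when the fact was never collected."""
    key: str
    expected: str
    observed: Optional[str]


@dataclass
class GateResult:
    host: str
    checked: int = 0
    findings: List[Finding] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.findings


def verify_baseline(host: str, observed: Dict[str, str],
                    spec: Dict[str, str] = BASELINE_SPEC) -> GateResult:
    """Check every key the spec declares against the facts observed on the host.
    A fact that was not collected fails its key: unknown state is not verified state."""
    result = GateResult(host=host, checked=len(spec))
    for key, expected in spec.items():
        actual = observed.get(key)
        if actual != expected:
            result.findings.append(Finding(key, expected, actual))
    return result


def detect_drift(recorded: Dict[str, str],
                 current: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Compare a recorded fact snapshot (the source of truth) with a fresh one.
    Returns {key: (recorded_value, current_value)} for every key that changed,
    appeared, or disappeared."""
    keys = set(recorded) | set(current)
    return {k: (recorded.get(k), current.get(k))
            for k in sorted(keys) if recorded.get(k) != current.get(k)}


def report(result: GateResult) -> str:
    """Render a gate result the way a CI step would print it."""
    if result.passed:
        return f"{result.host}: PASS ({result.checked} checks)"
    lines = [f"{result.host}: FAIL ({len(result.findings)} finding(s) of {result.checked})"]
    for f in result.findings:
        lines.append(f"  {f.key}: expected {f.expected!r}, observed {f.observed!r}")
    return "\n".join(lines)


# Constructed fact snapshots, as an (assumed, not shown) collector might report them.
GOOD_HOST_FACTS: Dict[str, str] = dict(BASELINE_SPEC)       # converged host: every fact matches
DRIFTED_HOST_FACTS: Dict[str, str] = dict(GOOD_HOST_FACTS)
DRIFTED_HOST_FACTS["sshd.PasswordAuthentication"] = "yes"   # hand-edited after handoff
del DRIFTED_HOST_FACTS["firewall.default_input_policy"]     # fact no longer collected

if __name__ == "__main__":
    print(report(verify_baseline("node-a.example", GOOD_HOST_FACTS)))
    print(report(verify_baseline("node-b.example", DRIFTED_HOST_FACTS)))
    print("drift:", detect_drift(GOOD_HOST_FACTS, DRIFTED_HOST_FACTS))
```

Two design choices carry the security point. A fact that the collector did not return is treated as a failure rather than skipped, so a broken or partial collector cannot silently pass a host. And drift is computed against the recorded snapshot, not re-derived from the live host, so the recorded state remains the authority the principles describe.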