Doctrine · Era: Aarambam · Public surface · Sealed Vault

The Sovereignty
Doctrine

A stateless civic institution must know exactly where its lock-ins live. This page is the public manifest. The migration runbooks are sealed.

The three sacred lines

— No vendor owns this archive.
— Every dependency is named in public; every substitution path is rehearsed in private.
— The institution survives the platform it was born on.

The Lock-in Index

LII = Σ wᵢ · cᵢ · (1 − sᵢ) — a weighted sum across 13 declared dependencies, normalised to 0–100. Lower means more sovereign. 27.5 is honest for Aarambam: the institution runs on someone else's infrastructure today, and says so.

Mean Time To Independence

engineering-days

Sum of substitution effort across every critical and high-tier dependency. Not a launch window, not a promise — an honest engineering bound, recomputed every era from the same manifest the gauge reads.

Sealed Vault runbooks execute against these numbers under Archon authorisation.Open the Vault →

Dependency manifest

Everything TLTE currently runs on

13 declared · public

Render

SSR worker + edge CDN

critical

on Cloudflare Workers · switch-cost ≈ 14d

Substitution (Nilaiththanmai): Bun + Hono on a stateless VM behind a sovereign anycast CDN.

Project hosting & deploy pipeline

high

on Lovable · switch-cost ≈ 5d

Substitution (Nilaiththanmai): Self-hosted Vite build → object store + edge worker.

Data

Primary database (RLS + Auth + Realtime)

critical

on Supabase / Postgres · switch-cost ≈ 21d

Substitution (Nilaiththanmai): Self-hosted Postgres 16 + PostgREST + GoTrue + Realtime, behind a sovereign reverse proxy.

Object storage (PDFs, archive)

high

on AWS S3 · switch-cost ≈ 7d

Substitution (Nilaiththanmai): S3-compatible MinIO clusters on owned hardware + geographic mirror in a friendly jurisdiction.

Identity

Creator phone-OTP

medium

on Twilio (+44) · switch-cost ≈ 4d

Substitution (Nilaiththanmai): Sovereign SMPP gateway via a UK MNO reseller; fallback to email-only for read members.

Google OAuth

high

on Google Identity · switch-cost ≈ 6d

Substitution (Aarambam): Self-hosted GoTrue with email + WebAuthn (passkeys) — no external IdP required.

Intelligence

Velicham archivist (LLM)

high

on Lovable AI Gateway · switch-cost ≈ 10d

Substitution (Nilaiththanmai): Self-hosted Llama-class model on owned GPUs, retrieval grounded on src/content/vinmin-docs only.

Tier-A crawl (Situation Board)

medium

on Firecrawl + Tavily · switch-cost ≈ 5d

Substitution (Nilaiththanmai): Headless-Chromium worker pool + readable-extractor, run on sovereign infra.

Comms

DNS + TLS for tlte.cloud

critical

on Cloudflare DNS · switch-cost ≈ 2d

Substitution (Nilaiththanmai): Self-hosted authoritative DNS (Knot) in two jurisdictions + ACME via Let's Encrypt mirror.

Transactional + auth email

medium

on Resend / Supabase mail · switch-cost ≈ 3d

Substitution (Nilaiththanmai): Self-hosted Postfix + DKIM/SPF/DMARC on owned IPs; fall back to a sovereign relay.

Long-horizon communications sovereignty

low

on (none yet) · switch-cost ≈ 1825d

Substitution (Nilaiyam): Communications Sovereignty Layer — partner-led smallsat capacity for store-and-forward archive sync where ground links are unsafe.

Build

npm package registry

medium

on npm Inc. · switch-cost ≈ 4d

Substitution (Aarambam): Verdaccio mirror with cryptographically pinned lockfile + offline cache.

ocean

Long-horizon ocean-knowledge sovereignty (maritime heritage, coastal resilience, blue-economy intelligence)

low

on (none yet) · switch-cost ≈ 1825d

Substitution (Nilaiyam): Knowledge Sovereignty · Ocean Layer — partner-led desk research → shoreline kits → licensed boat surveys → research-vessel partnership. No TLTE-owned vessel on the public surface.

Two-body transfer

Migration as orbital mechanics

Moving a critical dependency from a managed stack to a sovereign one is a Hohmann transfer: two impulses (build + cut-over) separated by a coast (parallel-run). The model is illustrative — it motivates the gauge and is documented openly so a reader can verify the shape of the math without ever needing the sealed runbooks.

Sovereign initial cost (r_B) — 1.60×Coast (parallel-run) eras — 3

impulse₁ (build) ≈ 1.265

impulse₂ (cut-over) ≈ 0.265

coast (parallel) ≈ 7.247

Δtotal ≈ 8.777

break-even era ≈ 4

Sealed Vault

Nine runbooks. Archon authorisation only.

The migration runbooks themselves — Data, Identity, Intelligence, Comms, Render, Build, Governance, the Communications Sovereignty Layer, and the full Exit Plan — are operational documents. They live behind a server-side gate keyed to the Archon role: every read is logged in an append-only audit table, and the runbook bodies never reach a client bundle.

Open the Vault

Long-horizon: Communications Sovereignty Layer — architecture spec →

Long-horizon: Knowledge Sovereignty · Ocean Layer →

Now (Aarambam)

— Managed stack, named in public.
— LII gauge live; manifest open.
— Build-tier and identity-tier substitutions already in flight.
— Append-only audit log on every Vault read.

Becoming (Nilaiththanmai)

— Self-hosted Postgres + MinIO + GoTrue.
— Velicham on owned GPUs, grounded on bundled corpus only.
— Sovereign DNS, TLS, mail in two jurisdictions.
— Step-down rehearsed; Founder credentials Shamir-split 4-of-5.
— Communications Sovereignty Layer scoped for the long horizon.

Source: src/lib/sovereignty/dependencies.ts. Audit: sovereignty_vault_log (Archons only). Cite as tlte-doctrine:sovereignty@v1.0.