
docs(B-0857): Turn 4/5/6 framing — install.sh ≈ Ace + homelab-to-enterprise spectrum + attack-surface tempered (Aaron 2026-05-27 follow-up to #5423) #5424

Merged: AceHack merged 1 commit into main from backlog/b-0857-turn-4-5-6-framing-extensions-2026-05-27 on May 27, 2026

@AceHack AceHack commented May 27, 2026

Summary

Three operator-framing extensions to B-0857 row body, follow-up to merged PR #5423 (which carried Turns 1/2/3):

  • Turn 4: install.sh ≈ Ace; they're entangled — same substrate at different naming scopes (B-0857 imperative-bash scope = B-0854 declarative-Ace scope)
  • Turn 5: build-is-prod operates on a homelab-edge → enterprise-restrictive SPECTRUM; start MAXIMALLY UNIFIED first, scale back for enterprise later
  • Turn 6: largest attack-surface concern (more deps on every node) is tempered by internal-access precondition (network + box); threat operates at post-perimeter-breach scope, not perimeter-breach scope

Why follow-up PR

PR #5423 merged at `7f6900a48` carrying Turns 1/2/3 + operational scope. These three additional turns came in operator framing AFTER the merge. This PR captures them on the now-merged row body.

Substrate-honest framing

No implementation work; framing extensions only. B-0857 remains P2 deferred per the separation-of-concerns discipline operator named 2026-05-27 ("deferring of working on backlog is a separate concerns of recording backlog item exist").

Test plan

  • Single-file documentation row update
  • No code changes
  • ls-tree count canary clean (61 = 61)
  • Per .claude/rules/agent-worktree-hygiene-never-hold-main-...: isolated worktree at /private/tmp/zeta-b0857-turn456-0810z; never touched operator's primary checkout
  • Per .claude/rules/non-coercion-invariant.md HC-8: operator authority over substrate-engineering trajectory; Turns 4/5/6 preserved verbatim
  • Per .claude/rules/methodology-hard-limits.md: Turn 6 threat-model preserved without inventing scope; clinical/security floor stays operative

🤖 Generated with Claude Code

…ce entanglement + homelab-to-enterprise spectrum + attack-surface tempered by internal-access prereq (Aaron 2026-05-27 follow-up to #5423)

Three new operator-framing turns extending B-0857 row body after #5423
merge (Turns 1/2/3 already landed there):

**Turn 4 — install.sh ≈ Ace; entangled**:
> "yes install.sh is ace basically we've not really separated it all
> out ace and zeta are pretty intertangled"

install.sh and Ace are NOT separate things in current substrate —
install.sh IS the install-side of what Ace would be at the
imperative-bash scope; Ace is the declarative evolution of the SAME
substrate at package-manager scope. Implication: B-0857 ↔ B-0854 are
the SAME work at different naming scopes, not sibling rows on
adjacent tracks.

**Turn 5 — homelab-edge to enterprise-restrictive spectrum**:
> "basically we are going to push the build is prod concept all the
> way to the edge for homelab / open claw like setups and thing
> scale it back for enterprise like setup to be more restrictive
> but i don't want to start in the more restrictive mode until we
> see what the new shape feels like where the difference between
> build and dev vanish"

Build-is-prod unification (Turn 3) operates on a SPECTRUM, not as
a single mode. 3-tier table added: homelab (MAXIMALLY UNIFIED) →
small-team (UNIFIED with minimal separation) → enterprise
(RESTRICTIVE). Operator's explicit sequencing: START in unified
mode FIRST; live in it; discover what "build/dev/prod vanish"
feels like; THEN scale back for enterprise. DO NOT start
restrictive. Substrate-engineering decisions through B-0857
implementation defer enterprise-restrictive considerations until
unified mode has empirical operator-experience under it.

**Turn 6 — attack-surface tempered by internal-access prereq**:
> "the biggest issue i see is larger attack surface because more
> deps but this one is not as bad as it seems cause it requires
> internal access to network and box so you are already kind of
> fucked if they are this deep."

Operator's named primary concern with unified mode: larger attack
surface (more deps on every node = more CVE surface). Bounded by
precondition: exploitation requires network access AND shell
access. Threat-model scope: post-perimeter-breach, not
perimeter-breach. Perimeter defenses (firewall + VPN + mesh +
auth + B-0853 cosign signed artifacts) carry the primary security
load; expanded build-on-prod surface is downstream. Acceptable
reduced posture for homelab/open-claw scope; tightened for
enterprise scope per Turn 5 spectrum.

3-row threat-scope table added showing perimeter / node-level /
post-intrusion mitigations + ownership.

Composes with: B-0854 (Ace migration trajectory; Turn 4
entanglement); B-0852 (declarative cred-persistence; Turn 6 surface
substrate); B-0853 (cosign signed artifacts; Turn 6 mitigation);
B-0855 (self-register architectural fix; Turn 5 spectrum);
`.claude/rules/edge-defining-work-not-speculation.md` (Turn 5
sequencing); `.claude/rules/methodology-hard-limits.md` (Turn 6
threat-model floor stays operative).

Substrate-honest framing: this PR adds framing turns only; no
implementation work; the B-0857 row remains P2 deferred per
separation-of-concerns discipline (Aaron 2026-05-27: "deferring
of working on backlog is a separate concerns of recording backlog
item exist").

Per .claude/rules/non-coercion-invariant.md HC-8: operator
authority over substrate-engineering trajectory; Turn 5 sequencing
preserved verbatim; Turn 6 threat-model preserved verbatim.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 27, 2026 07:59
@AceHack AceHack enabled auto-merge (squash) May 27, 2026 07:59

Copilot AI left a comment

Pull request overview

Updates backlog row B-0857 with additional operator-framing “Turns 4/5/6” to clarify the relationship between install.sh and Ace, articulate a homelab→enterprise posture spectrum for “build-is-prod,” and scope the primary security concern (attack surface) as post-perimeter-breach.

Changes:

  • Add Turn 4 framing: install.sh and Ace as the same substrate at different naming scopes.
  • Add Turn 5 framing: “build-is-prod” as a spectrum; start maximally unified and scale restrictions later.
  • Add Turn 6 framing: temper attack-surface concerns by explicitly bounding the threat model to internal-access preconditions.

@AceHack AceHack merged commit 0b61405 into main May 27, 2026
29 of 30 checks passed
@AceHack AceHack deleted the backlog/b-0857-turn-4-5-6-framing-extensions-2026-05-27 branch May 27, 2026 08:01