diff --git a/cc-ci-plan/plan.md b/cc-ci-plan/plan.md index 67b7d4b..2bdbd94 100644 --- a/cc-ci-plan/plan.md +++ b/cc-ci-plan/plan.md @@ -653,6 +653,13 @@ Each default stands until the Adversary or reality forces a change; record the c - **No mocks for the e2e stages.** D2 means real deploys. If something can't be tested for real, it's a finding, not a pass. - **Idempotent + reversible.** Anything done to the server must be re-derivable from the repo. + Infra bring-up is **declarative idempotent reconciliation in Nix** — not manual post-steps and not + run-once scripts. Each piece (swarm + `proxy` net, the traefik recipe deploy, Drone, the + comment-bridge, the dashboard) is a systemd **oneshot that re-runs on every activation/boot** and + *converges* to the desired state (inspect → act only if needed → no-op if already correct), like + `swarm-init`. **No `/var/lib/.bootstrapped`-style sentinels** (they don't self-heal drift). The + goal: a from-scratch install is `git clone` + `nixos-rebuild switch` + the operator preconditions + — `docs/install.md` must never accumulate manual post-rebuild steps. - **Stop on missing *external* infra inputs** (class-A1 in §4.4: cc-ci SSH/root access, the Tailscale auth key, Gitea bot creds, the pre-issued wildcard cert at `/var/lib/ci-certs/live/`, registry creds — and the preconfigured DNS/gateway facts) rather than improvising around them;
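Review bot: the added "declarative idempotent reconciliation" paragraph names the contract (inspect → act only if needed → no-op if already correct) but does not say what each oneshot's "already correct" predicate is, nor what happens when a unit cannot converge. For `swarm-init` the inspect step is obvious, but for "the traefik recipe deploy, Drone, the comment-bridge, the dashboard" a re-run on every activation/boot will either redeploy unconditionally (which is exactly the run-once-script behaviour this text rules out) or needs a stated check such as comparing the deployed config/image against what the repo derives; suggest requiring each oneshot to document its inspect predicate alongside the ban on `/var/lib/.bootstrapped`-style sentinels. Likewise, since the next bullet says to "Stop on missing *external* infra inputs" rather than improvise, the paragraph should state whether a non-converging oneshot fails the activation loudly (and what ordering/dependency the other units have on it) rather than leaving the unit in a silently degraded state that `docs/install.md` would then paper over with the manual post-rebuild steps it is meant to never accumulate.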