docs: align internal docs to enterprise standards

Add canonical operations/security/access/feature docs and fix path integrity to improve onboarding and incident readiness.

docs/access.md

@@ -0,0 +1,44 @@
+# Access and Permissions
+
+This document defines the least-privilege access model for CBDDC environments.
+
+## Roles
+
+| Role | Typical Permissions | Approval Required |
+|------|---------------------|-------------------|
+| Runtime Operator | Read health/logs, restart service, run incident checks | Team lead or on-call manager |
+| Deployment Engineer | Deploy approved releases, update runtime configuration | Change approval for production |
+| Security Administrator | Manage secrets, rotate tokens, review access | Security approval |
+| Maintainer | Modify CBDDC source/docs, merge reviewed changes | Pull request review |
+
+## Least-Privilege Rules
+
+- Grant access by role, not by individual preference.
+- Use environment-specific credentials and scoped service accounts.
+- Do not share production credentials across environments.
+- Remove elevated access promptly after incident or change window.
+
+## Approval Flow
+
+1. Request access with role, environment, and business reason.
+2. Approver validates least-privilege scope.
+3. Access is granted with expiration date when applicable.
+4. Grant/revoke events are logged for auditability.
+
+## Periodic Access Review
+
+- Review active privileged access at least quarterly.
+- Remove dormant or unowned accounts immediately.
+- Validate that emergency access accounts are controlled and monitored.
+
+## Secret Handling
+
+- Store `AuthToken`, connection strings, and credentials in approved secret stores.
+- Never commit secrets to source control.
+- Rotate secrets after incidents and on scheduled cadence.
+
+## Related Documents
+
+- [Security](security.md)
+- [Runbook](runbook.md)
+- [Production Hardening](production-hardening.md)