chore: align slurp config and scaffolding

docs/progress/SEC-SLURP-1.1a-supplemental.md

@@ -0,0 +1,32 @@
+# SEC-SLURP 1.1a – DHT Resilience Supplement
+
+## Requirements (derived from `docs/Modules/DHT.md`)
+
+1. **Real DHT state & persistence**
+   - Replace mock DHT usage with libp2p-based storage or equivalent real implementation.
+   - Store DHT/blockstore data on persistent volumes (named volumes/ZFS/NFS) with node placement constraints.
+   - Ensure bootstrap nodes are stateful and survive container churn.
+
+2. **Pin Steward + replication policy**
+   - Introduce a Pin Steward service that tracks UCXL CID manifests and enforces replication factor (e.g. 3–5 replicas).
+   - Re-announce providers on Pulse/Reverb and heal under-replicated content.
+   - Schedule anti-entropy jobs to verify and repair replicas.
+
+3. **Envelope encryption & shared key custody**
+   - Implement envelope encryption (DEK+KEK) with threshold/organizational custody rather than per-role ownership.
+   - Store KEK metadata with UCXL manifests; rotate via BACKBEAT.
+   - Update crypto/key-manager stubs to real implementations once available.
+
+4. **Shared UCXL Beacon index**
+   - Maintain an authoritative CID registry (DR/UCXL) replicated outside individual agents.
+   - Ensure metadata updates are durable and role-agnostic to prevent stranded CIDs.
+
+5. **CI/SLO validation**
+   - Add automated tests/health checks covering provider refresh, replication factor, and persistent-storage guarantees.
+   - Gate releases on DHT resilience checks (provider TTLs, replica counts).
+
+## Integration Path for SEC-SLURP 1.1
+
+- Incorporate the above requirements as acceptance criteria alongside LevelDB persistence.
+- Sequence work to: migrate DHT interactions, introduce Pin Steward, implement envelope crypto, and wire CI validation.
+- Attach artifacts (Pin Steward design, envelope crypto spec, CI scripts) to the Phase 1 deliverable checklist.