Document local-first package sourcing policy

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

local/docs/SCRIPT-BEHAVIOR-MATRIX.md

@@ -64,6 +64,17 @@ repo already contains `prefix/x86_64-unknown-redox/sysroot/bin/x86_64-unknown-re
 
 ## Policy Mapping
 
+### Resilience / offline-first package sourcing
+
+Default Red Bear behavior is local-first:
+
+- use locally available package/source trees and overlay state for normal builds,
+- treat upstream refresh as an explicit operator action only (`--upstream`, dedicated fetch/sync),
+- do not fail policy-level expectations just because upstream network access is temporarily broken.
+
+This is required so builds and recovery workflows remain operable during upstream outages or
+connectivity failures.
+
 ### Upstream sync
 
 Use `local/scripts/sync-upstream.sh` when the goal is to refresh the top-level upstream Redox base.

local/docs/repo-governance.md

@@ -50,6 +50,16 @@ Do not describe compile-only work as supported hardware or a working desktop pat
 If a profile is tracked in git, helper scripts and docs should either support it directly or state
 why it is intentionally excluded.
 
+### 6. Resilience policy: local-first package sources
+
+- Red Bear builds must remain resilient when access to upstream Redox infrastructure is degraded or
+  unavailable.
+- Local package/source copies are the default operational source of truth for builds.
+- Upstream fetch/refresh is opt-in and must be explicitly requested by the operator (for example via
+  an explicit `--upstream` workflow).
+- After an explicit upstream refresh, local durable overlays (`local/patches`, `local/recipes`) stay
+  authoritative until a conscious reevaluation/promotion decision is made.
+
 ## Profile Intent
 
 ### `redbear-minimal`