Document local-first package sourcing policy

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

README.md

@@ -27,6 +27,12 @@ relates to Debian:
 - durable Red Bear state belongs in `local/patches/`, `local/recipes/`, `local/docs/`, and tracked
   Red Bear configs
 
+Operational resilience policy:
+
+- package/source usage is local-first by default,
+- local copies are used continuously for builds and recovery workflows,
+- upstream package refresh is performed only when explicitly requested.
+
 For **upstream WIP recipes specifically**, Red Bear uses a stricter rule:
 
 1. once an upstream recipe or subsystem is still marked WIP, Red Bear treats it as a local project

docs/06-BUILD-SYSTEM-SETUP.md

@@ -16,6 +16,13 @@ Build this repository using the Red Bear overlay model:
 - upstream WIP recipes are useful inputs, but should not automatically be treated as the durable
   shipping source of truth for Red Bear.
 
+Resilience policy for package/source inputs:
+
+- default build posture is local-first/offline-capable,
+- local copies are used continuously unless upstream refresh is explicitly requested,
+- upstream refresh is an explicit operation, not an implicit background requirement for normal
+  builds.
+
 ## Prerequisites
 
 ### System Requirements
@@ -260,7 +267,7 @@ cp target/release/myapp ${COOKBOOK_STAGE}/usr/bin/
 | `PREFIX_BINARY` | `1` | Use prebuilt toolchain (faster) |
 | `REPO_BINARY` | `0` | Use prebuilt packages (faster, no compilation) |
 | `REPO_NONSTOP` | `0` | Continue on build errors |
-| `REPO_OFFLINE` | `0` | Don't update source repos |
+| `REPO_OFFLINE` | `0` | Don't update source repos; Red Bear policy treats local-first sourcing as the normal operating mode and upstream refresh as explicit opt-in |
 
 ### Environment Variables for Recipes
 

local/docs/SCRIPT-BEHAVIOR-MATRIX.md

@@ -64,6 +64,17 @@ repo already contains `prefix/x86_64-unknown-redox/sysroot/bin/x86_64-unknown-re
 
 ## Policy Mapping
 
+### Resilience / offline-first package sourcing
+
+Default Red Bear behavior is local-first:
+
+- use locally available package/source trees and overlay state for normal builds,
+- treat upstream refresh as an explicit operator action only (`--upstream`, dedicated fetch/sync),
+- do not fail policy-level expectations just because upstream network access is temporarily broken.
+
+This is required so builds and recovery workflows remain operable during upstream outages or
+connectivity failures.
+
 ### Upstream sync
 
 Use `local/scripts/sync-upstream.sh` when the goal is to refresh the top-level upstream Redox base.

local/docs/repo-governance.md

@@ -50,6 +50,16 @@ Do not describe compile-only work as supported hardware or a working desktop pat
 If a profile is tracked in git, helper scripts and docs should either support it directly or state
 why it is intentionally excluded.
 
+### 6. Resilience policy: local-first package sources
+
+- Red Bear builds must remain resilient when access to upstream Redox infrastructure is degraded or
+  unavailable.
+- Local package/source copies are the default operational source of truth for builds.
+- Upstream fetch/refresh is opt-in and must be explicitly requested by the operator (for example via
+  an explicit `--upstream` workflow).
+- After an explicit upstream refresh, local durable overlays (`local/patches`, `local/recipes`) stay
+  authoritative until a conscious reevaluation/promotion decision is made.
+
 ## Profile Intent
 
 ### `redbear-minimal`