diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76ad003..e86ab0d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ versioning for public release policy decisions.
 ## [Unreleased]
 
 <!-- core-ops-release:start -->
+### Changed
+
+- Restructure README around operational comprehension; add Mermaid architecture diagram, 30-second mental model, `examples/03-immich` walkthrough, and `docs/onboarding.cast` asciinema recording. No CLI or behavior changes.
 <!-- core-ops-release:end -->
 
 ## [2.2.4] - 2026-05-07
diff --git a/CLAUDE.md b/CLAUDE.md
index a543e09..ace6f59 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,6 +1,6 @@
 # core-ops Development Guidelines
 
-Auto-generated from all feature plans. Last updated: 2026-05-05
+Auto-generated from all feature plans. Last updated: 2026-05-06
 
 ## Active Technologies
 - Rust 2021 + clap 4, serde / serde_json, miette, thiserror, tempfile (015-controller-state-lifecycle)
@@ -9,6 +9,8 @@ Auto-generated from all feature plans. Last updated: 2026-05-05
 - Source repository on filesystem (input); existing canonical status snapshot at `/var/lib/core-ops/status.json` (output). The status snapshot gains a `layout-version: "1"` field to record which layout produced it. (016-source-repository-layout)
 - Rust 2021 (existing toolchain) + clap 4.5 (derive), serde 1.0, serde_yaml 0.9, serde_json 1.0, miette 7.2 (fancy diagnostics), thiserror 1.0, tempfile 3.10. **No new runtime dependencies.** Git invocation via `std::process::Command::new("git")` following the established pattern at `src/cli/init.rs:52`, `src/io/repo.rs:1312/1343/1372`, `src/io/release_governance.rs:367/440`, `src/cli/verification.rs:2068/2086/2090/2103`. (017-real-world-validation)
 - Existing `/var/lib/core-ops/status.json` for init'd mode (unchanged). Stateless plan writes nothing under `/var/lib/`; stateless apply writes audit + status with path-based provenance (see FR-013); stateless explain writes nothing. Operator-explicit `--audit-dir` honored across both modes (see FR-012 plus 2026-05-05 clarification). (017-real-world-validation)
+- N/A — no source code added or modified. Existing Rust 2021 toolchain in repository remains untouched. + Mermaid (GitHub-native rendering for the in-README diagram); `asciinema` CLI (operator-side, version-pinned in `docs/onboarding-script.sh`) for recording the `.cast` artifact. **No new runtime dependencies.** (018-adoption-readiness)
+- N/A — no persisted state added or read. (018-adoption-readiness)
 
 - Rust 2021 — clap 4, serde, miette, serde_json, serde_yaml
 - GitHub Actions — ubuntu-latest runners, `gh` CLI, `rustup`
@@ -98,9 +100,9 @@ removed or renamed.
 Follow standard Rust conventions. No new abstractions without justification.
 
 ## Recent Changes
+- 018-adoption-readiness: Added N/A — no source code added or modified. Existing Rust 2021 toolchain in repository remains untouched. + Mermaid (GitHub-native rendering for the in-README diagram); `asciinema` CLI (operator-side, version-pinned in `docs/onboarding-script.sh`) for recording the `.cast` artifact. **No new runtime dependencies.**
 - 017-real-world-validation: Added Rust 2021 (existing toolchain) + clap 4.5 (derive), serde 1.0, serde_yaml 0.9, serde_json 1.0, miette 7.2 (fancy diagnostics), thiserror 1.0, tempfile 3.10. **No new runtime dependencies.** Git invocation via `std::process::Command::new("git")` following the established pattern at `src/cli/init.rs:52`, `src/io/repo.rs:1312/1343/1372`, `src/io/release_governance.rs:367/440`, `src/cli/verification.rs:2068/2086/2090/2103`.
 - 016-source-repository-layout: Added Rust 2021 (stable toolchain), as established by the existing `core-ops` crate at v1.0.0; this feature is the trigger for the v2.0.0 major bump. + `clap` 4.5 (derive), `serde` 1.0 (derive), `serde_yaml` 0.9, `serde_json` 1.0, `miette` 7.2 (fancy diagnostics), `thiserror` 1.0, `tempfile` 3.10. No new runtime dependencies are required by this feature.
-- 015-controller-state-lifecycle: Added Rust 2021 + clap 4, serde / serde_json, miette, thiserror, tempfile
 
 
 <!-- MANUAL ADDITIONS START -->
diff --git a/Cargo.lock b/Cargo.lock
index 87fca05..b01a0af 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -157,7 +157,7 @@ checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
 
 [[package]]
 name = "core-ops"
-version = "2.2.4"
+version = "2.2.5"
 dependencies = [
  "clap",
  "libc",
diff --git a/Cargo.toml b/Cargo.toml
index cc8b122..f77eed9 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "core-ops"
-version = "2.2.4"
+version = "2.2.5"
 edition = "2021"
 license = "AGPL-3.0-or-later"
 
diff --git a/README.md b/README.md
index 631b652..b03906c 100644
--- a/README.md
+++ b/README.md
@@ -5,122 +5,68 @@
 </p>
 
 <p align="center">
-  <strong>Host-native convergence for systemd-based systems</strong>
+  <strong>GitOps-style service management for systemd hosts</strong>
 </p>
 
----
-
-## What is CoreOps?
-
-CoreOps is a convergence engine for systemd-based hosts.
-
-It takes a declared system state and makes the host match it —  
-without hiding systemd, without introducing a new orchestration layer,  
-and without requiring image rebuilds for every change.
-
-If you are managing Fedora CoreOS or similar systems and find yourself
-choosing between:
-
-- rebuilding images for every iteration, or  
-- drifting into imperative host configuration  
-
-CoreOps exists in that gap.
-
----
-
-## Why CoreOps Exists
-
-Systemd-based hosts already have a clear operating model:
-
-- units define behavior  
-- the system converges toward that definition  
-
-But most tooling around them does one of two things:
-
-- replaces the model (Kubernetes, orchestration layers)  
-- ignores it (imperative configuration management)  
-
-CoreOps stays inside that model.
-
-It treats systemd and Quadlet as the source of truth and builds a
-convergence workflow around them instead of replacing them.
-
----
-
-## What CoreOps Does
-
-- Converges host-managed workloads declaratively  
-- Works with systemd-native and Quadlet-native workflows  
-- Produces inspectable plans, reports, and machine-readable output  
-- Preserves provenance and reconciliation state for later audit  
-- Executes VM-backed verification scenarios against real systems  
+<p align="center">
+<a href="https://github.com/outergod/core-ops/actions/workflows/ci.yml"><img src="https://github.com/outergod/core-ops/actions/workflows/ci.yml/badge.svg?branch=master" alt="CI"></a>
+<a href="https://github.com/outergod/core-ops/actions/workflows/e2e-gate.yml"><img src="https://github.com/outergod/core-ops/actions/workflows/e2e-gate.yml/badge.svg" alt="E2E Gate"></a>
+<a href="https://github.com/outergod/core-ops/releases/latest"><img src="https://img.shields.io/github/v/release/outergod/core-ops" alt="Latest Release"></a>
+<a href="LICENSE"><img src="https://img.shields.io/badge/license-AGPL--3.0--or--later-blue" alt="License: AGPL-3.0-or-later"></a>
+</p>
 
----
+CoreOps takes a Git repository containing [Quadlet] units, systemd drop-ins, and config files,
+shows what would change on the host, and can then apply those changes safely.
 
-## What CoreOps Is Not
+It is for people who already run services with systemd and Podman/Quadlet, but want:
 
-- Kubernetes or general container orchestration  
-- A replacement for systemd  
-- Generic imperative configuration management (e.g. Ansible-style)  
-- A custom templating language or DSL  
-- Fleet orchestration across many hosts (at this stage)  
+- `plan`: see exactly what would be created, changed, or removed
+- `apply`: make the host match the repository
+- `status`: see what Git revision produced the current host state
 
----
+CoreOps does not replace systemd. It writes the systemd/Quadlet artifacts you would otherwise
+manage by hand, then lets systemd run the services.
 
-## Supported Systems
+[Quadlet]: https://www.redhat.com/en/blog/quadlet-podman
 
-- **Supported:** Fedora CoreOS  
-- **Expected to work:** other systemd-based hosts (untested)  
-- **Unsupported:** non-systemd environments  
+<p align="center">
+  <a href="https://asciinema.org/a/HaqIw05gehGk2YpH">
+    <img src="docs/assets/core-ops-demo.gif" alt="CoreOps terminal demo: plan, diff, explain, and apply" width="820">
+  </a>
+</p>
 
-CoreOps operates directly on host-level systemd state and running CoreOps from
-a container is not a supported consumption method.
+<p align="center">
+  <a href="https://asciinema.org/a/HaqIw05gehGk2YpH">Watch the full terminal session on asciinema</a>
+</p>
 
 ---
 
-## Credibility
-
-[![CI](https://github.com/outergod/core-ops/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/outergod/core-ops/actions/workflows/ci.yml)
-[![E2E Gate](https://github.com/outergod/core-ops/actions/workflows/e2e-gate.yml/badge.svg)](https://github.com/outergod/core-ops/actions/workflows/e2e-gate.yml)
-[![Latest Release](https://img.shields.io/github/v/release/outergod/core-ops)](https://github.com/outergod/core-ops/releases/latest)
+## Why CoreOps exists
 
-| Signal | Value |
-|--------|-------|
-| Published artifacts | `x86_64 raw binary`, `aarch64 raw binary`, `x86_64 tar.gz + checksums`, `aarch64 tar.gz + checksums` |
-| Verification environment | `fedora-coreos-self-hosted@2026-04-fcos` |
+Running services directly on a systemd host works well, especially on Fedora CoreOS:
+systemd starts services, Podman runs containers, and Quadlet describes containers as units.
 
-This section is the stable credibility surface for outside evaluators. The badges
-above reflect live CI health and the latest published release version and update
-automatically as the project evolves.
+The hard part is keeping the host in sync over time.
 
----
+After a while you have container units, networks, volumes, drop-ins, config files,
+host-specific changes, and manual edits. You want to know:
 
-## First Interaction
+- What should be on this host?
+- What is actually on this host?
+- What would change if I apply the repository?
+- Which Git revision produced the current state?
 
-After installing the binary:
-
-```bash
-core-ops --version
-core-ops status
-``` 
-
-A valid installation should:
-
-* report a build identity
-* expose current system state
-* produce stable, inspectable output
+CoreOps answers those questions and applies the required changes.
 
 ---
 
-## Real-World Examples
+## Real-world examples
 
-Five real-world homelab setups translated into the source-repository
-layout. Each is runnable via stateless `--source-repo` invocation
-without `core-ops init`. See `examples/<NN-slug>/README.md` for setup
-intent, sources, and known limitations.
+These examples show CoreOps repositories for common self-hosted and small-infra services.
+You can run `plan` against each example directly, without initializing CoreOps first.
 
-* [`examples/01-caddy-whoami`](examples/01-caddy-whoami) — Caddy reverse proxy fronting whoami (single-Container baseline).
-* [`examples/02-nextcloud`](examples/02-nextcloud) — Nextcloud + Postgres + Redis + Traefik (multi-Container, intra-service network, persistent storage).
+* [`examples/01-caddy-whoami`](examples/01-caddy-whoami) — Caddy reverse proxy fronting whoami (single-container baseline).
+* [`examples/02-nextcloud`](examples/02-nextcloud) — Nextcloud + Postgres + Redis + Traefik (multi-container, intra-service network, persistent storage).
 * [`examples/03-immich`](examples/03-immich) — Immich photo server with ML worker (GPU device, multi-network).
 * [`examples/04-traefik-authelia`](examples/04-traefik-authelia) — Traefik + Authelia + protected backend (cross-service ForwardAuth composition).
 * [`examples/05-observability`](examples/05-observability) — Prometheus + Grafana + node-exporter + cadvisor (host-scope sidecars).
@@ -131,20 +77,18 @@ Try one without committing to anything:
 core-ops plan --source-repo examples/01-caddy-whoami --host example
 ```
 
-No prior `core-ops init` required; nothing is written under
-`/var/lib/core-ops/`. To switch into long-lived tracking mode after
-copying an example to your own setup directory, run
-`git init && core-ops init <path> <ref>` once.
-
 ---
 
-## Installation (Current Phase)
+## Quick start
 
-CoreOps is currently distributed as direct binaries for `x86_64` (`amd64`)
-and `aarch64` (`arm64`).
+Download the [latest release] from the GitHub Releases page.
 
-Download the published release bundle for your target architecture. A supported
-bundle includes:
+[latest release]: https://github.com/outergod/core-ops/releases/latest
+
+CoreOps is distributed as release bundles for `x86_64` (`amd64`) and `aarch64` (`arm64`).
+No external runtime dependencies are required beyond a supported host.
+
+Each bundle includes:
 
 - `core-ops-linux-<arch>`
 - `core-ops.service`
@@ -153,28 +97,36 @@ bundle includes:
 - `CHANGELOG.md`
 - `README.md`
 
+Install the binary and systemd units:
+
 ```bash
 tar -xzf core-ops-linux-<arch>.tar.gz
 install -m 0755 core-ops-linux-<arch> /usr/local/bin/core-ops
 install -m 0644 core-ops.service /etc/systemd/system/core-ops.service
 install -m 0644 core-ops.timer /etc/systemd/system/core-ops.timer
+systemctl daemon-reload
 ```
 
-No external runtime dependencies are required beyond a supported host.
+Check the installation:
+
+```bash
+core-ops --version
+core-ops status
+```
 
-For unattended host-native execution, the supported integration path uses the
-published canonical `core-ops.service` and `core-ops.timer` units (also
-available in `systemd/` in this repository). Initialize once, then enable the
-timer:
+A valid installation should:
+
+* report a build identity
+* expose current system state
+* produce stable, inspectable output
+
+To run CoreOps automatically, initialize a repository once and enable the timer:
 
 ```bash
 # One-time setup: persist repository and tracking ref
 core-ops init <repository-url> <ref>
 
-# Install and enable the timer
-install -m 0644 core-ops.service /etc/systemd/system/core-ops.service
-install -m 0644 core-ops.timer /etc/systemd/system/core-ops.timer
-systemctl daemon-reload
+# Enable the timer
 systemctl enable --now core-ops.timer
 ```
 
@@ -184,71 +136,57 @@ To override the quadlet directory or other defaults, use a systemd drop-in:
 systemctl edit core-ops.service
 ```
 
----
-
-## Minimal Trust Story
-
-CoreOps modifies host-level systemd and Quadlet artifacts in explicitly
-configured locations.
+### Supported systems
 
-Operators can audit behavior through:
-
-* plan output before changes
-* apply and verification reports during changes
-* persisted provenance and status after changes
-* release identity and changelog continuity
+- **Supported:** Fedora CoreOS  
+- **Expected to work:** other systemd-based hosts (untested)  
+- **Unsupported:** non-systemd environments  
 
-Recovery is expected to happen through explicit reconciliation and
-documented retry/rollback behavior — not silent mutation.
+CoreOps must run on the host. Running CoreOps itself inside a container is not supported.
 
 ---
 
-## Release & Verification Model
-
-CoreOps defines its public guarantees through:
-
-* a maintained specification
-* executable verification scenarios
-* a release gate
-
-A build is only considered distribution-ready once the release gate passes.
-
-The verification environment is versioned to detect drift over time.
+## Trust model
 
-Releasable changes are expected to carry explicit SemVer intent, update the
-canonical version in `Cargo.toml`, update a checked-in release fragment at
-`changes/<change-id>.md`, and keep `CHANGELOG.md` current.
+CoreOps changes host-level systemd and Quadlet files, so it is intentionally conservative.
 
-Maintainers and CI validate this contract through the dedicated helper binary:
-
-```bash
-cargo run --bin core-ops-release -- validate
-```
-
-Once a feature PR lands on `master`, the post-merge release job promotes the
-rendered `[Unreleased]` block to a new `[<version>] - <date>` section, removes
-the consumed fragments under `changes/`, and publishes the GitHub Release at
-the merge commit (which also creates the git tag). Maintainers do not edit
-`CHANGELOG.md` after the `[Unreleased]` block — `core-ops-release promote`
-owns that transition and is idempotent on re-run.
+You can inspect changes before applying them with `core-ops plan`.
+After applying, `core-ops status` records what was applied and which Git revision it came from.
+If something is wrong, fix or revert the repository, then run `core-ops apply` again.
 
 ---
 
-## Target Audience
+## Architecture
+
+```mermaid
+%%{init: {'flowchart': {'nodeSpacing': 50, 'rankSpacing': 70, 'padding': 20}}}%%
+flowchart LR
+  GIT[Git repository<br/>services/ + hosts/]
+  CORE[core-ops<br/>plan / apply / explain]
+  STATE[systemd + Quadlet units<br/>generated state]
+  HOST[host<br/>systemd-managed services]
+  AUDIT[(audit + status<br/>JSON snapshot)]
+  GIT --> CORE
+  CORE --> STATE
+  STATE --> HOST
+  CORE -.-> AUDIT
+  HOST -.-> AUDIT
+```
 
-* Homelab operators working with systemd-based hosts
-* Small and medium infrastructure teams
-* Operators who prefer inspectable, host-native workflows
+**Read left-to-right.** A Git repository (`services/` + `hosts/`)
+feeds `core-ops` (`plan` / `apply` / `explain`), which generates
+systemd + Quadlet units that the host runs under systemd. Audit and
+status are JSON side outputs of both `core-ops` and the host.
 
 ---
 
-## AI Authorship
+## AI authorship
 
 CoreOps is developed with AI assistance.
 
 AI influences how the system is produced, not how it behaves.
 
-Behavioral guarantees come from:
+The project relies on:
 
 * the specification
 * the test corpus
@@ -256,16 +194,14 @@ Behavioral guarantees come from:
 
 ---
 
-## License
-
-CoreOps is licensed under the GNU Affero General Public License v3 or later
-(AGPLv3+).
-
-See [LICENSE](LICENSE).
+## Target audience · License · Further reading
 
----
+* Homelab operators working with systemd-based hosts
+* Small and medium infrastructure teams
+* Operators who prefer inspectable, host-native workflows
 
-## Further Reading
+CoreOps is licensed under the GNU Affero General Public License v3 or later
+(AGPLv3+). See [LICENSE](LICENSE).
 
 * [CHANGELOG.md](CHANGELOG.md)
 * [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
diff --git a/changes/018-adoption-readiness.md b/changes/018-adoption-readiness.md
new file mode 100644
index 0000000..8f68f58
--- /dev/null
+++ b/changes/018-adoption-readiness.md
@@ -0,0 +1,7 @@
+---
+change_id: 018-adoption-readiness
+release_intent: patch
+summary: Restructure README around operational comprehension; add Mermaid architecture diagram, 30-second mental model, `examples/03-immich` walkthrough, and `docs/onboarding.cast` asciinema recording. No CLI or behavior changes.
+scope: docs
+release_preparation: false
+---
diff --git a/docs/assets/core-ops-demo.gif b/docs/assets/core-ops-demo.gif
new file mode 100644
index 0000000..fe86591
Binary files /dev/null and b/docs/assets/core-ops-demo.gif differ
diff --git a/docs/onboarding-script.sh b/docs/onboarding-script.sh
new file mode 100755
index 0000000..815554c
--- /dev/null
+++ b/docs/onboarding-script.sh
@@ -0,0 +1,147 @@
+#!/usr/bin/env bash
+# docs/onboarding-script.sh — regeneration entry point for docs/onboarding.cast
+#
+# Records an asciinema session of `core-ops apply --source-repo
+# examples/03-immich --host example` — the single beat where the
+# spec/006 streaming output is operationally interesting (the
+# line-by-line "creating... → created" progression as podman/systemd
+# processes each unit). Static plan and idempotent-re-run blocks
+# live in the README walkthrough section (FR-006); they do not
+# need motion. The cast and its rendered GIF sidecar at
+# `docs/assets/core-ops-demo.gif` (produced by `agg`) are linked
+# from the README walkthrough section per spec/018 FR-005 / FR-007 /
+# FR-009.
+#
+# ── Versions (asserted at re-record time) ────────────────────────────
+#   asciinema 2.4.0    (nix devshell pin; see flake.nix)
+#   asciicast format   v2 (FR-008 / SC-005)
+#   agg 1.7.0          (asciinema-agg; nix devshell pin) — renders the
+#                      cast to docs/assets/core-ops-demo.gif (FR-007 /
+#                      SC-005b). The GIF is the inline-renderable
+#                      sidecar the README embeds.
+#
+# ── Operator prerequisites ───────────────────────────────────────────
+#   * `nix develop` shell (provides asciinema 2.4.0).
+#   * `core-ops` binary installed at /usr/local/bin/core-ops. The
+#     env-scrubbed PATH below is `/usr/local/bin:/usr/bin:/bin`; the
+#     binary must be on that PATH or the recorded subshell will not
+#     find it. Build with `cargo build --release` then
+#     `install -m 0755 target/release/core-ops /usr/local/bin/core-ops`,
+#     or unpack a published release bundle as documented in README
+#     ## Quick start.
+#   * Working tree at the repo root (the script `cd`s into the repo so
+#     the recorded commands can reference `examples/03-immich` as a
+#     project-relative path).
+#   * `examples/03-immich/hosts/example/` overlay matches the recording
+#     host's device shape, OR the GPU device path declared in
+#     `examples/03-immich/services/immich-ml/quadlet/immich-ml.container.d/20-gpu.conf`
+#     is replaced with a placeholder, OR `immich-ml` is temporarily
+#     dropped from `hosts/example/host.yaml` for the recording. (Spec/018
+#     edge case: GPU passthrough cannot be exercised on an arbitrary host.)
+#
+# ── Sanitization (FR-009a, mirrors spec/017 FR-009) ──────────────────
+#   * Prompt: `op@example $` (no operator hostname).
+#   * Paths: project-relative (`examples/03-immich`) or `/home/op/...`.
+#   * Domains: RFC 2606 reserved (`example`, `op`, `host`, `*.example`).
+#   * IPs: RFC 5737 documentation ranges only.
+#   * No operator-private hostnames, no real credentials, no
+#     environment values sourced from the operator's private setup.
+#   The env-scrubbed `bash --noprofile --norc` subshell below ensures
+#   `$HOSTNAME`, `$USER`, shell history, and operator dotfiles cannot
+#   leak into the recording.
+#
+# ── Regeneration ─────────────────────────────────────────────────────
+#   nix develop --command docs/onboarding-script.sh
+#
+# ── Post-recording verification ──────────────────────────────────────
+#   head -n 1 docs/onboarding.cast | jq '.version'    # → 2  (SC-005)
+#   head -n 1 docs/onboarding.cast | jq '.duration'   # ≤ 90 (SC-005a)
+#   asciinema play docs/onboarding.cast               # plays end-to-end
+#   The SC-006a stop-list grep (operator-private hostnames + RFC 1918
+#   ranges) is documented in the structural checklist at
+#   `specs/018-adoption-readiness/checklists/readme-structure.md`. Run
+#   it from there — keeping the regex out of this script avoids a
+#   self-match against the very pattern the check forbids.
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$REPO_ROOT"
+
+OUTPUT="docs/onboarding.cast"
+GIF_OUTPUT="docs/assets/core-ops-demo.gif"
+ASCIINEMA_PINNED_VERSION="2.4.0"
+AGG_PINNED_VERSION="1.7.0"
+
+if ! command -v asciinema >/dev/null 2>&1; then
+  echo "error: asciinema not on PATH; run inside 'nix develop' shell" >&2
+  exit 1
+fi
+
+if ! command -v agg >/dev/null 2>&1; then
+  echo "error: agg not on PATH; run inside 'nix develop' shell" >&2
+  exit 1
+fi
+
+actual_version="$(asciinema --version 2>/dev/null | awk '{print $2}')"
+if [[ "$actual_version" != "$ASCIINEMA_PINNED_VERSION" ]]; then
+  echo "warning: asciinema $actual_version detected; spec/018 pin is $ASCIINEMA_PINNED_VERSION" >&2
+fi
+
+actual_agg_version="$(agg --version 2>/dev/null | awk '{print $2}')"
+if [[ "$actual_agg_version" != "$AGG_PINNED_VERSION" ]]; then
+  echo "warning: agg $actual_agg_version detected; spec/018 pin is $AGG_PINNED_VERSION" >&2
+fi
+
+mkdir -p "$(dirname "$GIF_OUTPUT")"
+
+# Recorded command sequence — written to a temp file so we avoid the
+# nested-quoting trap when passing it through `asciinema --command` and
+# `env -i ... bash -c`. `demo` echoes the prompt + command before
+# executing so the cast playback shows operator-style cadence without
+# requiring a real interactive shell.
+RECORDED_SCRIPT="$(mktemp --tmpdir onboarding.XXXXXX.sh)"
+trap 'rm -f "$RECORDED_SCRIPT"' EXIT
+
+cat > "$RECORDED_SCRIPT" <<'BASH'
+demo() {
+  printf 'op@example $ %s\n' "$1"
+  eval "$1"
+  printf '\n'
+}
+
+# Single beat — `apply` is the operationally interesting moment: it
+# streams the line-by-line "creating... → created" progression in
+# real time as podman/systemd processes each unit. The static
+# `plan` and idempotent re-run code blocks live in the README's
+# walkthrough section (per FR-006) and do not benefit from
+# motion; including them in the cast wastes the 90 s budget on
+# uneventful output.
+demo 'sudo core-ops apply --source-repo examples/03-immich --host example'
+BASH
+
+# `--idle-time-limit=2` compresses any pause ≥ 2s in playback so the
+# 90s duration cap (FR-007 / SC-005a) is not eaten by I/O stalls.
+asciinema rec \
+  --overwrite \
+  --idle-time-limit=2 \
+  --rows=30 --cols=110 \
+  --command "env -i HOME=/home/op PATH=/usr/local/bin:/usr/bin:/bin TERM=xterm-256color PS1='op@example \$ ' bash --noprofile --norc '$RECORDED_SCRIPT'" \
+  "$OUTPUT"
+
+echo
+echo "Recorded: $OUTPUT"
+echo "Duration (must be ≤ 90):"
+head -n 1 "$OUTPUT" | jq '.duration'
+
+# Render the GIF sidecar that the README embeds inline (FR-007 / SC-005b).
+# `--idle-time-limit 2` mirrors the recording-side compression so the
+# rendered animation matches the cast's playback cadence.
+agg --idle-time-limit 2 --quiet "$OUTPUT" "$GIF_OUTPUT"
+echo "Rendered: $GIF_OUTPUT"
+echo "Size: $(wc -c < "$GIF_OUTPUT") bytes (SC-005b soft cap: 1 MB)"
+
+echo
+echo "Next: run the SC-006a sanitization stop-list grep from"
+echo "  specs/018-adoption-readiness/checklists/readme-structure.md"
+echo "against $OUTPUT and this script."
diff --git a/docs/onboarding.cast b/docs/onboarding.cast
new file mode 100644
index 0000000..7007a6e
--- /dev/null
+++ b/docs/onboarding.cast
@@ -0,0 +1,59 @@
+{"version": 3, "term": {"cols": 135, "rows": 40, "type": "xterm-256color", "version": "libvterm(0.3)"}, "timestamp": 1778153667, "idle_time_limit": 2.0, "command": "env -i HOME=/home/op PATH=/usr/local/bin:/usr/bin:/bin TERM=xterm-256color PS1='op@example $ ' bash --noprofile --norc -c '\nprintf \"op@example \\$ sudo core-ops plan --source-repo examples/03-immich --host example\\n\"\nsleep 1\nsudo core-ops plan --source-repo examples/03-immich --host example | more\nprintf \"op@example \\$ sudo core-ops apply --source-repo examples/03-immich --host example\\n\"\nsleep 1\nsudo core-ops apply --source-repo examples/03-immich --host example\necho\nprintf \"op@example \\$ sudo core-ops plan --source-repo examples/03-immich --host example\\n\"\nsleep 1\nsudo core-ops plan --source-repo examples/03-immich --host example\n'", "env": {"SHELL": "/bin/bash"}}
+[0.011, "o", "op@example $ sudo core-ops plan --source-repo examples/03-immich --host example\r\n"]
+[1.036, "o", "\u001b[1m\u001b[37mPlan for host example @ (stateless) (first run)\u001b[0m\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n\u001b[1m\u001b[37m\u001b[32m[+]\u001b[0m Create \u2022 10\u001b[0m\r\n\r\n\u001b[32m[+]\u001b[0m volume/immich-db-data.volume\t\t\tmissing\r\n    \u0394 content\r\n      --- previous\r\n      +++ desired\r\n      + [Unit]\r\n      + Description=Immich database data volume\r\n      + \r\n      + [Volume]\r\n      + VolumeName=immich-db-data\r\n\r\n\u001b[32m[+]\u001b[0m network/immich-internal.network\t\t\tmissing\r\n    \u0394 content\r\n      --- previous\r\n      +++ desired\r\n      + [Unit]\r\n      + Description=Internal network: server + db + redis + ML\r\n      + \r\n      + [Network]\r\n      + NetworkName=immich-internal\r\n      + Subnet=192.0.2.0/24\r\n\r\n\u001b[32m[+]\u001b[0m container/immich-database.container\t\t\tmissing\r\n    requires\r\n      \u251c\u2500 \u001b[32m[+]\u001b[0m network/immich-internal.network\t\tmissing\r\n      \u2514\u2500 \u001b[32m[+]\u001b[0m volume/immich-db-data.volume\t\tmissing\r\n    \u0394 content (21 additions)\r\n      + [Unit]\r\n      + Description=Immich Postgres + pgvecto.rs database\r\n      + After=network-online.target\r\n      + Wants=network-online.target\r\n      + \r\n      + [Container]\r\n      ...\r\n\r\n\u001b[32m[+]\u001b[0m volume/immich-ml-cache.volume\t\t\tmissing\r\n\u001b[7m--More--\u001b[27m"]
+[2.066, "o", "\r    \u0394 content\r\n      --- previous\r\n      +++ desired\r\n      + [Unit]\r\n      + Description=Immich ML model cache\r\n      + \r\n      + [Volume]\r\n      + VolumeName=immich-ml-cache\r\n\r\n\u001b[32m[+]\u001b[0m container/immich-ml.container\t\t\tmissing\r\n    requires\r\n      \u251c\u2500 \u001b[32m[+]\u001b[0m network/immich-internal.network\t\tmissing\r\n      \u2514\u2500 \u001b[32m[+]\u001b[0m volume/immich-ml-cache.volume\t\tmissing\r\n    \u0394 content (17 additions)\r\n      + [Unit]\r\n      + Description=Immich ML inference worker\r\n      + After=network-online.target\r\n      + Wants=network-online.target\r\n      + \r\n      + [Container]\r\n      ...\r\n\r\n\u001b[32m[+]\u001b[0m network/immich-public.network\t\t\tmissing\r\n    \u0394 content\r\n      --- previous\r\n      +++ desired\r\n      + [Unit]\r\n      + Description=Public-facing network shared with the edge proxy\r\n      + \r\n      + [Network]\r\n      + NetworkName=immich-public\r\n      + Subnet=198.51.100.0/24\r\n\r\n\u001b[32m[+]\u001b[0m container/immich-redis.container\t\t\tmissing\r\n    requires\r\n      \u2514\u2500 \u001b[32m[+]\u001b[0m network/immich-internal.network\t\tmissing\r\n    \u0394 content (17 additions)\r\n      + [Unit]\r\n      + Description=Immich Redis cache\r\n\u001b[7m--More--\u001b[27m"]
+[1.646, "o", "\r      + After=network-online.target\r\n      + Wants=network-online.target\r\n      + \r\n      + [Container]\r\n      ...\r\n\r\n\u001b[32m[+]\u001b[0m volume/immich-upload.volume\t\t\t\tmissing\r\n    \u0394 content\r\n      --- previous\r\n      +++ desired\r\n      + [Unit]\r\n      + Description=Immich upload library\r\n      + \r\n      + [Volume]\r\n      + VolumeName=immich-upload\r\n\r\n\u001b[32m[+]\u001b[0m container/immich-server.container\t\t\tmissing\r\n    requires\r\n      \u251c\u2500 \u001b[32m[+]\u001b[0m network/immich-internal.network\t\tmissing\r\n      \u251c\u2500 \u001b[32m[+]\u001b[0m network/immich-public.network\t\tmissing\r\n      \u2514\u2500 \u001b[32m[+]\u001b[0m volume/immich-upload.volume\t\tmissing\r\n    \u0394 content (27 additions)\r\n      + [Unit]\r\n      + Description=Immich photo/video server\r\n      + After=network-online.target immich-database.service immich-redis.service\r\n      + Wants=network-online.target\r\n      + Requires=immich-database.service immich-redis.service\r\n      + \r\n      ...\r\n\r\n\u001b[32m[+]\u001b[0m container/traefik-edge.container\t\t\tmissing\r\n    requires\r\n      \u2514\u2500 \u001b[32m[+]\u001b[0m network/immich-public.network\t\tmissing\r\n    \u0394 content (19 additions)\r\n      + [Unit]\r\n      + Description=Traefik edge proxy for Immich\r\n      + After=network-online.target immich-server.service\r\n      + Wants=network-online.target\r\n      + \r\n\u001b[7m--More--\u001b[27m"]
+[1.553, "o", "\r      + [Container]\r\n      ...\r\n\r\n\u001b[1m\u001b[37mSummary\u001b[0m\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n"]
+[0.0, "o", "10 creates\r\n\r\n"]
+[0.001, "o", "op@example $ sudo core-ops apply --source-repo examples/03-immich --host example\r\n"]
+[1.02, "o", ""]
+[0.012, "o", "\u001b[1m\u001b[37mApply for host example @ (stateless) (first run)\u001b[0m\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n\r\n\u001b[1m\u001b[37mExecution\u001b[0m\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n"]
+[0.005, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-db-data.volume\t\t\tcreating... \u25f0"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-db-data.volume\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-db-data.volume\t\t\tcreating... \u25f2"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-ml-cache.volume\t\t\tcreating... \u25f0"]
+[0.101, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-ml-cache.volume\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-ml-cache.volume\t\t\tcreating... \u25f2"]
+[0.101, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-upload.volume\t\t\t\tcreating... \u25f0"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-upload.volume\t\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-upload.volume\t\t\t\tcreating... \u25f2"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m network/immich-internal.network\t\t\tcreating... \u25f0"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m network/immich-internal.network\t\t\tcreating... \u25f3"]
+[0.101, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m network/immich-internal.network\t\t\tcreating... \u25f2"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m network/immich-public.network\t\t\tcreating... \u25f0"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m network/immich-public.network\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m network/immich-public.network\t\t\tcreating... \u25f2"]
+[0.102, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-database.container\t\t\tcreating... \u25f0"]
+[0.101, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-database.container\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-database.container\t\t\tcreating... \u25f2"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-ml.container\t\t\tcreating... \u25f0"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-ml.container\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-ml.container\t\t\tcreating... \u25f2"]
+[0.101, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-redis.container\t\t\tcreating... \u25f0"]
+[0.101, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-redis.container\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-redis.container\t\t\tcreating... \u25f2"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-server.container\t\t\tcreating... \u25f0"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-server.container\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-server.container\t\t\tcreating... \u25f2"]
+[0.102, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/traefik-edge.container\t\t\tcreating... \u25f0"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/traefik-edge.container\t\t\tcreating... \u25f3"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/traefik-edge.container\t\t\tcreating... \u25f2"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/traefik-edge.container\t\t\tcreating... \u25f1"]
+[0.1, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m network/immich-internal.network\t\t\tcreated\r\n"]
+[0.084, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m network/immich-public.network\t\t\tcreated\r\n"]
+[0.209, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-database.container\t\t\tcreated\r\n"]
+[0.166, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-ml.container\t\t\tcreated\r\n"]
+[0.188, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-redis.container\t\t\tcreated\r\n"]
+[0.41, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/immich-server.container\t\t\tcreated\r\n"]
+[0.198, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m container/traefik-edge.container\t\t\tcreated\r\n"]
+[0.013, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-db-data.volume\t\t\tcreated\r\n"]
+[0.012, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-ml-cache.volume\t\t\tcreated\r\n"]
+[0.013, "o", "\r\u001b[2K\u001b[32m[+]\u001b[0m volume/immich-upload.volume\t\t\t\tcreated\r\n"]
+[0.366, "o", "\r\n\u001b[1m\u001b[37mSummary\u001b[0m\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n10 creates\r\nOutcome: converged\r\n"]
+[0.002, "o", ""]
+[0.003, "o", "\r\nop@example $ sudo core-ops plan --source-repo examples/03-immich --host example\r\n"]
+[1.024, "o", ""]
+[0.207, "o", "\u001b[1m\u001b[37mPlan for host example @ (stateless)\u001b[0m\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n\u001b[1m\u001b[37m\u001b[2m\u001b[37m[\u00b7]\u001b[0m Unchanged \u2022 10\u001b[0m\r\n\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m volume/immich-db-data.volume\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m network/immich-internal.network\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m container/immich-database.container\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m volume/immich-ml-cache.volume\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m container/immich-ml.container\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m network/immich-public.network\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m container/immich-redis.container\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m volume/immich-upload.volume\t\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m container/immich-server.container\t\t\tunchanged\r\n\u001b[2m\u001b[37m[\u00b7]\u001b[0m container/traefik-edge.container\t\t\tunchanged\r\n\r\n\u001b[1m\u001b[37mSummary\u001b[0m\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n10 unchanged\r\n"]
+[0.001, "o", "\r\n"]
+[0.0, "o", ""]
+[0.002, "x", "0"]
diff --git a/flake.nix b/flake.nix
index f393def..694f2fa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -57,6 +57,20 @@
           butane
           libvirt
           virt-manager
+          # `asciinema` records the spec/018 onboarding cast
+          # (`docs/onboarding.cast`) and is invoked by
+          # `docs/onboarding-script.sh`. Version is pinned by nixpkgs
+          # and asserted in the script header per spec/018 R1+FR-009.
+          asciinema
+          # `asciinema-agg` (binary `agg`) renders `docs/onboarding.cast`
+          # to the inline-embeddable GIF sidecar at
+          # `docs/assets/core-ops-demo.gif` that the README links from
+          # the walkthrough section. Same regeneration entry point
+          # (`docs/onboarding-script.sh`) drives both. Note: `pkgs.agg`
+          # is the unrelated Anti-Grain Geometry C++ library.
+          asciinema-agg
+          nodejs_24
+          bun
         ] ++ [
           rustToolchain
           rustAnalyzer
diff --git a/specs/018-adoption-readiness/checklists/readme-structure.md b/specs/018-adoption-readiness/checklists/readme-structure.md
new file mode 100644
index 0000000..ca991cf
--- /dev/null
+++ b/specs/018-adoption-readiness/checklists/readme-structure.md
@@ -0,0 +1,192 @@
+# README Structural Checklist (spec/018)
+
+**Purpose**: Runnable acceptance-criteria runbook for `README.md` after the spec/018 restructure. Used at PR review time and whenever a future contributor proposes a README edit.
+
+## How to use
+
+1. Run each command from the repository root.
+2. Compare the actual output against the expected outcome.
+3. Any failure indicates a deviation from the structural contract; resolve before merge.
+
+The SC-006a sanitization grep (C-006 below) is the canonical home of the operator-private stop-list pattern. The pattern is intentionally **not** embedded in `docs/onboarding-script.sh` because the regex would self-match against its own literal occurrence in the script.
+
+## Checks
+
+### C-001 — README line budget (FR-003 / SC-001)
+
+```sh
+wc -l README.md
+```
+
+Expected: ≤ 400. If exceeded, compress philosophy sections (Why CoreOps exists, What CoreOps is not, AI authorship) before extending — the budget is a deliberate constraint on README scope, not a soft target.
+
+### C-002 — Badge row composition (FR-002 / SC-002)
+
+```sh
+sed -n '1,/^---$/p' README.md | grep -cE '<a href=.*<img src='
+```
+
+Expected: `4` — exactly four `<a href="..."><img src="..." alt="..."></a>` badges, in the order CI / E2E Gate / Latest Release / License, between the title block and the first `---` separator. No additional badges may be promoted to the top row in this slice.
+
+For the alt-text ordering check:
+
+```sh
+sed -n '1,/^---$/p' README.md | grep -oE 'alt="[^"]+"' | sed 's/alt="//; s/"$//'
+```
+
+Expected output (in order):
+
+```
+CoreOps logo
+CI
+E2E Gate
+Latest Release
+License: AGPL-3.0-or-later
+```
+
+### C-003 — Mental-model heading position (FR-001 §3 / SC-003)
+
+```sh
+grep -n '^## 30-second mental model' README.md | head -1
+```
+
+Expected: exactly one match, line number ≤ 120. If the heading drifted past line 120, a section was inserted above it that doesn't belong above the mental model in the FR-001 ordering.
+
+### C-004 — Mermaid block presence and required substrings (FR-004 / SC-004)
+
+```sh
+grep -c '^```mermaid' README.md
+awk '/^```mermaid/,/^```$/' README.md | grep -cE 'Git|core-ops|systemd'
+awk '/^```mermaid/,/^```$/' README.md | grep -cE '\-\.->'
+```
+
+Expected: first command ≥ 1; second command ≥ 3 (each substring `Git`, `core-ops`, `systemd` appears at least once; counts may sum higher); third command ≥ 1 (audit/status side outputs use dashed edges).
+
+### C-005 — Walkthrough two-block + line budget (FR-006 / SC-007, SC-007b)
+
+```sh
+awk '/^## What using CoreOps feels like/{f=1; next} /^## Real-world examples/{f=0} f' README.md > /tmp/walkthrough.txt
+
+grep -c '^```text' /tmp/walkthrough.txt
+
+awk '/^```text/{f=1; next} /^```$/{f=0; next} f' /tmp/walkthrough.txt | grep -cv '^[[:space:]]*$'
+
+grep -oE 'immich-database|immich-server|immich-redis|immich-ml|traefik-edge|immich-internal|immich-public|immich-db-data|immich-ml-cache|immich-upload' /tmp/walkthrough.txt | sort -u | wc -l
+```
+
+Expected: first command = `2` (exactly two fenced text blocks); second command ≤ ~25 (combined non-blank lines across both blocks); third command ≥ 1 (at least one recognizable Quadlet unit identifier from `examples/03-immich/services/`).
+
+### C-006 — Sanitization stop-list (FR-009a / SC-006a)
+
+```sh
+grep -iE '(not\.one|ulthar|192\.168\.|10\.0\.|172\.16\.)' docs/onboarding.cast docs/onboarding-script.sh
+```
+
+Expected: zero matches (exit 1 from `grep`). If matches surface, the cast or script leaks operator-private values; re-record with a cleaner shell environment, or extend the post-recording strip pass (see "OSC 3008 sanitization note" below).
+
+**OSC 3008 sanitization note**: `pam_systemd` may emit OSC 3008 session-tracking sequences (containing `hostname=`, `machineid=`, PID metadata) when `sudo` creates a session under a terminal that supports them. The SC-006a regex above does not catch these sequences, but FR-009a's broader sanitization rule prohibits the leaks they contain. The recording committed at spec/018 was post-processed to strip OSC 3008 before commit; if regenerating, repeat the strip pass:
+
+```sh
+python3 - <<'PY'
+import json, re
+osc3008 = re.compile(r'\x1b\]3008;.*?\x1b\\', re.DOTALL)
+with open("docs/onboarding.cast") as f: lines = f.readlines()
+hdr = json.loads(lines[0])
+if "env" in hdr and "/nix/store/" in hdr["env"].get("SHELL", ""):
+    hdr["env"]["SHELL"] = "/bin/bash"
+if len(lines) > 1:
+    hdr["duration"] = json.loads(lines[-1])[0]
+out = [json.dumps(hdr) + "\n"]
+for line in lines[1:]:
+    if not line.strip(): continue
+    ev = json.loads(line)
+    if len(ev) >= 3 and isinstance(ev[2], str):
+        ev[2] = osc3008.sub("", ev[2])
+    out.append(json.dumps(ev) + "\n")
+with open("docs/onboarding.cast", "w") as f: f.writelines(out)
+PY
+```
+
+### C-007 — Hype stop-list (FR-014 / SC-008)
+
+```sh
+grep -iE '(enterprise-ready|industry-leading|production-grade|🚀)' README.md
+```
+
+Expected: zero matches.
+
+### C-008 — Pre-018 link targets resolve (Compatibility / SC-009)
+
+```sh
+for target in LICENSE CHANGELOG.md CODE_OF_CONDUCT.md docs/development.md examples/01-caddy-whoami examples/02-nextcloud examples/03-immich examples/04-traefik-authelia examples/05-observability; do
+  test -e "$target" || echo "MISSING: $target"
+done
+```
+
+Expected: no `MISSING:` lines printed.
+
+Catch-all version (extracts every `[label](path)` link target from README and tests existence; skips http/https links and anchor-only fragments):
+
+```sh
+grep -oE '\]\(([^)#)]+)\)' README.md \
+  | sed -E 's/\]\(|\)//g' \
+  | grep -vE '^https?://|^#' \
+  | while read -r target; do
+      test -e "$target" || echo "MISSING: $target"
+    done
+```
+
+Expected: no `MISSING:` lines printed.
+
+### C-009 — No third-party JS embed (FR-013)
+
+```sh
+grep -E '(asciinema\.org/.*\.js|<iframe|<script)' README.md
+```
+
+Expected: zero matches. The asciicast is referenced as the in-tree `docs/onboarding.cast` link only; a clickable text link to an asciinema.org-hosted upload is permitted, but no `<script>` or `<iframe>` embed.
+
+### C-010 — Asciicast format and duration (FR-007 / FR-008 / SC-005, SC-005a)
+
+```sh
+test -f docs/onboarding.cast
+head -n 1 docs/onboarding.cast | jq '.version'
+# Duration check — branches on cast version. In asciicast v2 the
+# header carries an absolute `duration` field. In asciicast v3 each
+# event line is `[delta, type, data]` where `delta` is the time
+# since the previous event; total duration = sum of all deltas.
+v=$(head -n 1 docs/onboarding.cast | jq '.version')
+if [ "$v" = "2" ]; then
+  head -n 1 docs/onboarding.cast | jq '.duration'
+else
+  awk 'NR>1' docs/onboarding.cast \
+    | jq -s 'map(.[0]) | add'
+fi
+```
+
+Expected: file exists; `.version` is `2` or `3` (asciicast v2 from asciinema 2.x or v3 from asciinema 3.x; `agg` 1.7.0 renders both). The duration value MUST be ≤ `90`.
+
+### C-011a — GIF sidecar exists and is embedded inline (FR-007 / FR-013 / SC-005b)
+
+```sh
+test -f docs/assets/core-ops-demo.gif
+head -c 6 docs/assets/core-ops-demo.gif | grep -E '^GIF8[79]a'
+wc -c < docs/assets/core-ops-demo.gif
+grep -E 'docs/assets/core-ops-demo\.gif' README.md
+```
+
+Expected: file exists; first 6 bytes are `GIF87a` or `GIF89a`; size ≤ 1 048 576 bytes (≤ 1 MB soft cap); the README references the file via image syntax inside the `## What using CoreOps feels like` section.
+
+### C-011 — Onboarding regeneration script invariants (FR-009 / SC-006)
+
+```sh
+test -x docs/onboarding-script.sh
+head -1 docs/onboarding-script.sh
+grep -c 'examples/03-immich' docs/onboarding-script.sh
+```
+
+Expected: file is executable; first line is `#!/usr/bin/env bash`; literal `examples/03-immich` appears at least once.
+
+---
+
+See `specs/018-adoption-readiness/spec.md` for the FR/SC definitions this checklist implements. The corresponding tasks are C-001/C-007 → T021/T022; C-005 → T013/T023; C-006/C-010/C-011 → T015/T014/T003; C-008 → T023; C-009 → T013/T016 (FR-013 carrying through to anything that touches the walkthrough section).
diff --git a/specs/018-adoption-readiness/plan.md b/specs/018-adoption-readiness/plan.md
new file mode 100644
index 0000000..71da9b6
--- /dev/null
+++ b/specs/018-adoption-readiness/plan.md
@@ -0,0 +1,137 @@
+# Implementation Plan: Adoption Readiness — README and Onboarding Experience
+
+**Branch**: `018-adoption-readiness` | **Date**: 2026-05-06 | **Spec**: [spec.md](./spec.md)
+**Input**: Feature specification from `/specs/018-adoption-readiness/spec.md`
+
+## Summary
+
+After spec/017 landed in v2.2.0, the repository ships a stateless `--source-repo` CLI surface and five real-world `examples/<NN-slug>/` directories. This plan turns those substrates into above-the-fold onboarding by restructuring `README.md` around operational comprehension, embedding a Mermaid architecture diagram, adding a 30-second mental model, recording a sanitized ≤ 90 s asciinema demo of `examples/03-immich`, and tightening (without extracting) philosophy sections. **Documentation-only**; no `src/`, `Cargo.toml`, `tests/`, schema, or CLI changes. `data-model.md` and `contracts/` are explicitly omitted — no new structures or interfaces.
+
+## Technical Context
+
+**Language/Version**: N/A — no source code added or modified. Existing Rust 2021 toolchain in repository remains untouched.
+**Primary Dependencies**: Mermaid (GitHub-native rendering for the in-README diagram); `asciinema` CLI (operator-side, version-pinned in `docs/onboarding-script.sh`) for recording the `.cast` artifact. **No new runtime dependencies.**
+**Storage**: N/A — no persisted state added or read.
+**Testing**: No `cargo test` cases added. Validation is structural and runs at PR review time via `specs/018-adoption-readiness/checklists/readme-structure.md` (grep / wc / file-existence checks). Existing `cargo test` and `cargo clippy --all-targets -- -D warnings` gates remain authoritative for the codebase and remain unchanged.
+**Target Platform**: GitHub-rendered Markdown (primary read surface); local terminal via `asciinema play` for the recording playback.
+**Project Type**: Documentation iteration on an existing CLI/agent project. No new codebase produced.
+**Performance Goals**:
+- `README.md` ≤ 400 lines after restructure (FR-003, SC-001).
+- `docs/onboarding.cast` ≤ 90 s duration (FR-007, SC-005a).
+- `## 30-second mental model` heading reachable within first 120 lines (SC-003).
+**Constraints**:
+- Stop-list: no `enterprise-ready`, `industry-leading`, `production-grade`, `🚀` (FR-014, SC-008).
+- No third-party JS embeds in README (FR-013).
+- No operator-private values in recording or script (FR-009a, SC-006a).
+- Walkthrough plan-output blocks are verbatim from real invocations with `...` elision only (FR-006, SC-007a).
+- All pre-018 README link targets MUST still resolve (Compatibility, SC-009).
+**Scale/Scope**: Single `README.md` rewrite; two new files under `docs/` (`onboarding.cast`, `onboarding-script.sh`); one new release fragment under `changes/`; spec scaffold under `specs/018-adoption-readiness/`. No code or test files modified.
+
+## Constitution Check
+
+*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
+
+| Principle | Assessment |
+|---|---|
+| 1. Functional Core, Imperative Shell | **N/A** — no code added. |
+| 2. Declarative State as the Source of Truth | The README structural contract (ordering, badge row, line budget, stop-list) is itself declarative; FR-001/FR-002/FR-003/FR-014 declare the shape, the checklist verifies it. No runtime state model touched. |
+| 3. Simplicity Over Cleverness | No new abstractions, no new tooling pipelines, no CI lint added (FR-019 explicitly forbids it). The reproduction script for the asciinema cast is shell with version-pinned tooling — minimum viable. |
+| 4. Explicit Effects and Explicit Failure | Edge cases (Mermaid render failure, asciinema drift, third-party block, GPU passthrough) are surfaced in spec.md `Edge Cases`. No silent recovery introduced. |
+| 5. Idempotence and Convergence First | **N/A** for the docs change itself. The recording demonstrates the existing apply idempotence (per FR-007); it does not introduce new convergence guarantees. |
+| 6. Open Standards and Native Interfaces First | Mermaid and asciinema are open formats. asciicast v2 is a documented JSON schema. GitHub-native rendering is preferred over third-party embeds (FR-013). |
+| 7. Observability as a Core Feature | The walkthrough block + recording **is** the observability surface for first-time readers. Existing CLI observability is unchanged. |
+| 8. Safe Defaults, Explicit Power | **N/A** — no defaults change. |
+| 9. Conservative Public Evolution | All pre-018 README link targets MUST still resolve (SC-009). The `Real-World Examples` section landed in v2.2.0 is preserved in spirit; only ordering and heading style change (FR-012). |
+| 10. Tests Define the Contract | No new tests. No externally visible host behavior change → **VM-backed scenario exemption** is recorded explicitly here: this is documentation-only with zero CLI / behavior / schema impact, so per Principle 10's exemption clause, no new VM scenario is required. The exemption is also recorded in spec.md Constitution Alignment section. |
+| 11. Regenerability Over Incidental Craftsmanship | The Mermaid block is text in the README; trivially regenerable. The asciinema cast is regenerable via `docs/onboarding-script.sh` (FR-009). The static walkthrough plan-output is regenerable from a real `core-ops plan` invocation (FR-006). |
+| 12. Provenance, Versioning, and Behavioral Traceability | **N/A** for the docs change itself. The README will continue to surface release/version provenance (badges, CHANGELOG link). |
+| 13. Release Governance and Intent | Documented and enforced. `changes/018-adoption-readiness.md` declares `release_intent: patch`, `scope: docs`. Validates as exempt under `always_exempt_documentation_or_formatting` per `core-ops-release validate`. CHANGELOG.md re-rendered via `core-ops-release changelog --write`. |
+
+**Result**: PASS. No violations. No `Complexity Tracking` entries required.
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/018-adoption-readiness/
+├── plan.md                           # This file (Phase 0/1 outputs combined)
+├── spec.md                           # Feature spec (Session 2026-05-06 clarifications)
+├── research.md                       # Phase 0 — research log (asciinema tooling, Mermaid render, line budget)
+├── quickstart.md                     # Phase 1 — operator pointer for what 018 changes
+├── synthesis.md                      # Phase 5 (post-implementation) — author self-attestation
+├── checklists/
+│   └── readme-structure.md           # Acceptance-criteria runbook (PR review)
+└── tasks.md                          # Phase 2 output (created later by /speckit.tasks)
+```
+
+`data-model.md` is **omitted** — spec FR-015 explicitly states no new data structures are introduced.
+`contracts/` is **omitted** — spec FR-015 explicitly states no new CLI contracts are introduced.
+
+### Source artifacts (repository root)
+
+```text
+README.md                             # Largest single diff — restructured per spec FR-001
+CHANGELOG.md                          # Auto-rendered by `core-ops-release changelog --write`
+changes/
+└── 018-adoption-readiness.md         # Release fragment (release_intent: patch, scope: docs)
+docs/
+├── onboarding.cast                   # New — asciicast v2 recording, ≤ 90 s, sanitized
+└── onboarding-script.sh              # New — regeneration entry point + tooling pinning
+```
+
+**Not touched**: `src/`, `Cargo.toml`, `Cargo.lock`, `tests/`, `.github/workflows/`, `examples/`, `LICENSE`, `CODE_OF_CONDUCT.md`, `docs/development.md`, `docs/follow-ups.md`, `docs/core-ops.svg`, all existing `docs/*.md` proposal files.
+
+**Structure Decision**: Single-project Rust crate with adjunct documentation tree. This feature adds files only under `docs/`, `changes/`, and `specs/018-adoption-readiness/`, plus modifies `README.md` and (auto-rendered) `CHANGELOG.md`. No `src/` or `tests/` paths are touched.
+
+## Phase 0 — Research
+
+The detailed Phase 0 output is recorded in [`research.md`](./research.md). Summary of resolved unknowns:
+
+- **R1: Asciinema tooling and version pinning** — Decision recorded. Rationale: stable v2 schema, documented format, in-tree `.cast` artifact, no third-party JS embed required.
+- **R2: Mermaid GitHub render fidelity** — Decision recorded. Rationale: GitHub-native render path is the primary read surface; non-GitHub fallback is text prose per spec US3-AC-3.
+- **R3: README size benchmarks for similarly scoped infrastructure projects** — Decision recorded. Rationale: 400-line cap is empirically attainable per the post-spec/017 baseline (275 lines current).
+- **R4: Recording sanitization tooling** — Decision recorded. Rationale: shell-environment substitution at recording time (`PS1`, `PWD`, env scrub) is sufficient; no post-processing of the `.cast` JSON is required.
+- **R5: Walkthrough block fidelity verification** — Decision recorded. Rationale: spot-check at PR review by re-running `core-ops plan`; not a CI gate (per FR-019).
+
+No `NEEDS CLARIFICATION` markers remain after Session 2026-05-06 (5 questions, all resolved in spec.md `## Clarifications`).
+
+## Phase 1 — Design & Contracts
+
+### data-model.md
+
+**Skipped per spec FR-015.** No new data structures. The README itself is treated as a declarative artifact whose shape is defined by spec.md FR-001/FR-002/FR-003/FR-014 (ordering, badge row, line budget, stop-list). No `data-model.md` file is produced.
+
+### contracts/
+
+**Skipped per spec FR-015.** No new CLI surface, schema, API, or interface contract is introduced. The existing CLI surface from spec/017 is referenced by the walkthrough but not modified. No `contracts/` directory is produced.
+
+### quickstart.md
+
+Generated at [`quickstart.md`](./quickstart.md). Targets an operator who has read the post-018 README and wants a one-page reference for what this iteration changed and where the new artifacts live. Not a tutorial; a pointer.
+
+### Agent context update
+
+Run `.specify/scripts/bash/update-agent-context.sh claude` once plan.md and research.md are in place. This re-renders the auto-generated portion of `CLAUDE.md` to reflect any new technologies added by this plan. Spec 018 introduces no new technologies (only Mermaid + asciinema, both consumed externally), so the diff is expected to be limited to the `Recent Changes` and `Active Technologies` lines.
+
+## Phase 2 — Tasks (NOT produced by this command)
+
+Task breakdown is the output of `/speckit.tasks`. The implementation plan in `~/.claude/plans/based-on-the-actual-virtual-waterfall.md` (created during plan-mode entry) sketched a 25-task breakdown (T001–T025) across 5 phases (Spec scaffold; Content authoring; README restructure; Asciinema; Polish + synthesis). That sketch is a hint, not a contract — `/speckit.tasks` will author the canonical `tasks.md` from this plan and the spec.
+
+## Constitution re-check (post-design)
+
+Re-evaluating after Phase 0/1 produced research.md and quickstart.md (no other Phase 1 artifacts):
+
+| Principle | Re-assessment |
+|---|---|
+| 3. Simplicity Over Cleverness | Confirmed — no new tooling pipelines, no CI lint, no post-processing of asciicast JSON. |
+| 9. Conservative Public Evolution | Confirmed — research.md R3 captured the existing-link-resolve constraint; SC-009 covers it. |
+| 10. Tests Define the Contract | Confirmed — VM-backed scenario exemption explicitly recorded. No new unit/integration tests. |
+| 13. Release Governance and Intent | Confirmed — fragment + CHANGELOG re-render already validated as exempt by `core-ops-release validate`. |
+| All others | Unchanged from pre-Phase 0 evaluation; no design decisions altered constitution alignment. |
+
+**Result**: PASS. Plan is ready for `/speckit.tasks`.
+
+## Complexity Tracking
+
+*No Constitution Check violations. No entries required.*
diff --git a/specs/018-adoption-readiness/quickstart.md b/specs/018-adoption-readiness/quickstart.md
new file mode 100644
index 0000000..7360fa4
--- /dev/null
+++ b/specs/018-adoption-readiness/quickstart.md
@@ -0,0 +1,78 @@
+# Quickstart: What spec/018 adoption-readiness changes
+
+**Feature**: 018-adoption-readiness
+**Status**: Draft (post-clarify)
+**Audience**: an operator who has read the post-018 `README.md` and wants a one-page reference for what changed and where the new artifacts live.
+
+## TL;DR
+
+Spec/018 is a **documentation-only** iteration. It restructures `README.md` around operational comprehension and adds two artifacts under `docs/` to anchor the onboarding experience. **No CLI changes. No behavior changes. No schema changes.**
+
+## What's new on disk
+
+| Path | Purpose |
+|---|---|
+| `README.md` | Restructured per `spec.md` FR-001 (12 sections, ≤ 400 lines). Top of file: 4 badges (CI, E2E Gate, Latest Release, License) → 30-second mental model → architecture (Mermaid) → walkthrough → real-world examples → install → philosophy → trust → AI authorship → footer. |
+| `docs/onboarding.cast` | Asciicast v2 recording, ≤ 90 s, of an end-to-end `examples/03-immich` walkthrough including an idempotent re-run. Sanitized — no operator-private hostnames, paths, domains, IPs, or credentials. |
+| `docs/onboarding-script.sh` | Executable shell script documenting the deterministic command sequence used to produce `onboarding.cast`. Pins the `asciinema` version used at recording time. |
+| `changes/018-adoption-readiness.md` | Release fragment (`release_intent: patch`, `scope: docs`). Validates as exempt under `always_exempt_documentation_or_formatting`. |
+| `specs/018-adoption-readiness/` | Spec scaffold — `spec.md`, `plan.md`, `research.md`, this file, `synthesis.md` (post-implementation), `tasks.md` (produced by `/speckit.tasks`), `checklists/readme-structure.md`. |
+
+## What's not new on disk
+
+Confirmed unchanged by the 018 diff:
+
+- `src/`, `Cargo.toml`, `Cargo.lock`, `tests/`, `.github/workflows/`, `examples/`, `LICENSE`.
+- All existing CLI surfaces (`core-ops plan|apply|explain|status|init`, `core-ops-verify`, `core-ops-release`).
+- `CHANGELOG.md` — re-rendered by `core-ops-release changelog --write`, but the change-log machinery itself is untouched.
+
+## How to verify the change locally
+
+```bash
+# 1. Structural — README shape and stop-list
+wc -l README.md                                               # ≤ 400
+grep -c '^## 30-second mental model' README.md                # 1
+grep -c '```mermaid' README.md                                # ≥ 1
+grep -ciE '(enterprise-ready|industry-leading|production-grade|🚀)' README.md  # 0
+
+# 2. Onboarding artifacts
+test -f docs/onboarding.cast && head -n 1 docs/onboarding.cast | jq '.version'  # 2
+head -n 1 docs/onboarding.cast | jq '.duration'               # ≤ 90
+test -x docs/onboarding-script.sh && grep -F examples/03-immich docs/onboarding-script.sh
+
+# 3. Sanitization stop-list
+grep -iE '(not\.one|ulthar|192\.168\.|10\.0\.|172\.16\.)' docs/onboarding.cast docs/onboarding-script.sh  # exit 1 (no matches)
+
+# 4. Walkthrough fidelity (reviewer manual step)
+core-ops plan --source-repo examples/03-immich --host example  # spot-check non-elided README lines
+
+# 5. Asciinema playback
+asciinema play docs/onboarding.cast                           # plays end-to-end ≤ 90 s
+
+# 6. Release governance
+cargo run --bin core-ops-release -- validate --base-ref master  # passes (exempt)
+```
+
+## How to re-record the asciinema cast
+
+If `core-ops` CLI output drifts and the recording becomes stale:
+
+```bash
+docs/onboarding-script.sh
+```
+
+The script documents the recording shell (clean `env`, generic `PS1`, placeholder paths) and the `asciinema` version pin. The output is a fresh `docs/onboarding.cast`. Commit it.
+
+## How spec/018 relates to spec/017
+
+Spec/017 (v2.2.0) shipped the *substrate*: the stateless `--source-repo` CLI surface and five real-world `examples/<NN-slug>/` directories. Spec/018 turns that substrate into above-the-fold onboarding. The 018 walkthrough is the canonical tour of the 017 surface.
+
+If you only read one example: `examples/03-immich`. It is what the 018 walkthrough demonstrates and what `docs/onboarding.cast` records.
+
+## Where to look next
+
+- `specs/018-adoption-readiness/spec.md` — FRs / SCs / Edge Cases / Clarifications.
+- `specs/018-adoption-readiness/plan.md` — technical approach, constitution check, structure decision.
+- `specs/018-adoption-readiness/research.md` — Phase 0 decisions (asciinema tooling, Mermaid render, sanitization tooling, fidelity verification).
+- `specs/018-adoption-readiness/tasks.md` — implementation task breakdown (produced by `/speckit.tasks`; not present in this commit).
+- `specs/018-adoption-readiness/synthesis.md` — post-implementation retrospective (produced in the implementation phase; not present in this commit).
diff --git a/specs/018-adoption-readiness/research.md b/specs/018-adoption-readiness/research.md
new file mode 100644
index 0000000..6bfba97
--- /dev/null
+++ b/specs/018-adoption-readiness/research.md
@@ -0,0 +1,107 @@
+# Phase 0 Research: Adoption Readiness — README and Onboarding Experience
+
+**Feature**: 018-adoption-readiness
+**Date**: 2026-05-06
+**Owner**: spec-018 implementation
+
+## Scope
+
+Resolve unknowns surfaced during plan authoring before Phase 1 design begins. All decisions here back the FRs and SCs in `spec.md`. No `NEEDS CLARIFICATION` markers remain after Session 2026-05-06.
+
+---
+
+## R1 — Asciinema tooling and version pinning
+
+**Decision**: Use `asciinema` v2.x as the recording tool, asciicast v2 as the recorded format. Pin the recorder version in `docs/onboarding-script.sh` header and assert it at re-record time.
+
+**Rationale**:
+- Asciicast v2 is the documented, stable schema; the first line of the `.cast` file is a JSON header containing `"version": 2`, plus `width`, `height`, `timestamp`, `duration`, `command`, `title`, `env` fields (per asciinema/asciinema spec). SC-005 and SC-005a verify shape and duration via that header.
+- v2 is supported by all current playback tooling: the `asciinema play` CLI, asciinema.org's hosted player, and third-party offline players. v3 exists but is opt-in via `--cols` / `--rows` and not the default — sticking with v2 maximizes compatibility.
+- Recording in v2 keeps `docs/onboarding.cast` greppable and diffable as plain text JSON-lines, satisfying the "no binary artifact" preference of the project.
+- Version pinning in the script header (e.g., `# asciinema --version: 2.4.0`) makes drift visible. CI does not enforce it (per spec FR-019).
+
+**Alternatives considered**:
+- **Plain `script(1)` recording with a typescript file**: rejected. Output is byte-stream; no time-stamping or playback semantics. Loses the "live demo" affordance.
+- **terminalizer**: rejected. Node.js dependency, custom YAML format, no GitHub-native render path.
+- **agg → animated SVG**: rejected as primary format (kept as optional sidecar in research.md follow-up — see R5). Adds a binary-ish artifact and a build step.
+- **asciicast v3**: rejected for now. Not yet ubiquitous in playback tooling; stable v2 minimizes friction.
+
+---
+
+## R2 — Mermaid GitHub render fidelity
+
+**Decision**: Author the architecture diagram as a fenced ` ```mermaid ` block embedded in `README.md`. Accept that non-GitHub render contexts (RSS, mirrors, terminal viewers like `glow`) may not render the block.
+
+**Rationale**:
+- GitHub renders Mermaid blocks natively in `.md` files since Feb 2022. No build step, no checked-in SVG, no external CI step. The diagram is text in the source — trivially regenerable per Constitution Principle 11.
+- The substring requirements (`Git`, `core-ops`, `systemd` per FR-004) are verifiable by `grep` over `README.md`. SC-004 codifies this.
+- Non-GitHub renderers degrade to "raw fenced code block" which is still legible: the block contains node labels in plain text. Spec US3-AC-3 mandates surrounding prose recoverable from text alone, so degradation does not break the architecture explanation.
+
+**Alternatives considered**:
+- **Hand-drawn SVG in `docs/architecture.svg`**: rejected. Binary-ish XML artifact, requires editing in Inkscape/Figma, drift risk if model changes. Added tooling for marginal visual gain. Constitution Principle 3 (Simplicity) prefers Mermaid.
+- **ASCII art block**: rejected. Cluttered for ≥ 4 nodes; renders inconsistently across fonts.
+- **External diagrams.net link**: rejected. Off-repo dependency; violates spirit of "primary artifacts in tree."
+
+**Verification at PR time**: Open the GitHub PR diff page, confirm the Mermaid block renders. Manual; not a CI gate.
+
+---
+
+## R3 — README size benchmarks
+
+**Decision**: Cap `README.md` at ≤ 400 lines after restructure (FR-003, SC-001). The cap is aspirational-but-firm; if compression cannot fit the content, escalate to the user before extracting philosophy to `docs/`.
+
+**Rationale**:
+- Current post-017 `README.md` is 275 lines. Adding the Mermaid block (~15 lines), 30-second mental model (~25 lines), walkthrough section with two code blocks (~30 lines), and the License badge (~1 line) totals ~70 lines of additions. Compression of "Why CoreOps Exists", "What CoreOps Is Not", and "AI Authorship" sections (per FR-001 §8/§9/§11) reclaims ~30 lines. Net: ~315 lines. Headroom of ~85 lines.
+- 400 lines is the upper bound observed in similarly scoped infrastructure-tooling READMEs that still load cleanly on GitHub mobile (one mid-length scroll). Beyond 400, the page transitions from "scan-and-decide" to "reference document," which contradicts US1's 5-minute mental simulation goal.
+- Cap is verified by `wc -l README.md` (SC-001). Falsifiable.
+
+**Alternatives considered**:
+- **No cap**: rejected. Enables drift over time; the structural contract is meaningless without a numeric target.
+- **300-line cap**: rejected. Forces philosophy extraction (which spec FR-011 explicitly disallows for this slice).
+- **Per-section line budgets** (e.g., "Why exists ≤ 12 lines"): partially adopted in FR-001 (each section has a soft target) but not enforced via SC. Reviewer-checked.
+
+---
+
+## R4 — Recording sanitization tooling
+
+**Decision**: Sanitization is enforced at **recording time** via shell-environment manipulation: a clean `PS1`, a placeholder `PWD`, and `env -i` or explicit env scrubbing. No post-processing of the `.cast` JSON is performed.
+
+**Rationale**:
+- Per Clarification Q1 (Session 2026-05-06), recordings must mirror spec/017 FR-009: RFC 2606 / RFC 5737, generic prompt, no operator-private values. The simplest enforcement is to run the recording in a controlled shell where these values are already correct.
+- Recommended shell setup (documented in `docs/onboarding-script.sh` header):
+  ```bash
+  env -i HOME=/home/op PATH=/usr/local/bin:/usr/bin:/bin TERM=xterm-256color \
+    PS1='op@example $ ' \
+    bash --noprofile --norc -c '...recorded commands...'
+  ```
+- This prevents the operator's real `$HOSTNAME`, `$USER`, `$HOME`, and shell history from appearing in the recording.
+- Post-recording, `head -n 1 docs/onboarding.cast | jq` inspects the JSON header. The `env` field of the v2 header includes `TERM` and `SHELL`; both are deterministic when the recording shell is launched as above.
+- Verification at PR time: SC-006a runs `grep -i -E '(not\.one|ulthar|192\.168\.|10\.0\.|172\.16\.)' docs/onboarding.cast docs/onboarding-script.sh` and asserts zero matches. Stop-list grep is reliable for the operator's known private markers.
+
+**Alternatives considered**:
+- **Post-process the `.cast` JSON with `sed` / `jq`**: rejected. Adds a re-recording step that must run after every regeneration; risks corrupting the JSON; harder to audit than "the recording was clean from the start."
+- **Hostname-redaction as a CI lint**: rejected. SC-006a's grep is a stop-list, not a guarantee. CI would need a curated list of all possible operator-private markers, which is a maintenance burden disproportionate to the risk for a docs-only spec. (Consistent with FR-019.)
+
+---
+
+## R5 — Walkthrough block fidelity verification
+
+**Decision**: Verify FR-006 / SC-007a / SC-007b at PR review time by re-running `core-ops plan --source-repo examples/03-immich --host example` against the post-018 master tree and spot-checking each non-elided line in the README walkthrough blocks against the actual command output. **Not a CI gate** (per FR-019).
+
+**Rationale**:
+- The walkthrough's purpose is to convey deterministic CLI behavior. The fidelity claim ("every non-elided line is byte-identical to actual output") is verifiable by re-execution.
+- A CI-enforced version would require capturing and storing canonical CLI output per master HEAD, then running `diff` against the README blocks. This is feature creep for a docs spec and contradicts FR-019. The reviewer at PR time can run one command and spot-check.
+- Drift surface: any future change to `core-ops plan` output formatting (line ordering, color escape codes, header changes) will silently break the README block. The follow-up cost is a manual re-render. This is bounded risk; comparable in cadence to manual asciinema re-recording.
+
+**Alternatives considered**:
+- **CI snapshot test**: rejected per FR-019. Would also require a stable example fixture in `tests/` that mirrors `examples/03-immich`, which contradicts FR-017 ("no `tests/` modifications").
+- **`include` directive from the README to a separate file**: rejected. Markdown has no native include; would require a build step.
+- **Tag-based re-render bot**: out of scope; flagged as a follow-up in synthesis.md if relevant.
+
+---
+
+## Open follow-ups (not blocking 018)
+
+- **F1 — Static SVG sidecar via `agg`**: optional future enhancement to ship `docs/onboarding.svg` (a static SVG-rendered terminal output produced by `agg`) alongside `docs/onboarding.cast`. Provides a no-network static preview for RSS/mirror readers. Not in 018 scope (would expand FR-007).
+- **F2 — CONTRIBUTING.md / ARCHITECTURE.md follow-up**: spec.md Assumptions notes that a future spec (019 or beyond) may introduce these based on synthesis findings. Not in 018 scope; flagged in `synthesis.md` if the dogfooding pass surfaces a gap.
+- **F3 — Multi-language documentation**: out of scope per spec.md "Out of scope" list. Tracked here for completeness only.
diff --git a/specs/018-adoption-readiness/spec.md b/specs/018-adoption-readiness/spec.md
new file mode 100644
index 0000000..dbe5c2a
--- /dev/null
+++ b/specs/018-adoption-readiness/spec.md
@@ -0,0 +1,217 @@
+# Feature Specification: Adoption Readiness — README and Onboarding Experience
+
+**Feature Branch**: `018-adoption-readiness`
+**Created**: 2026-05-06
+**Status**: Draft
+**Input**: User description: "Increase adoption likelihood and onboarding experience by restructuring the README around operational comprehension, adding a 30-second mental model, an architecture diagram, an experiential walkthrough using `examples/03-immich`, an asciinema-based onboarding artifact, and elevated real-world examples — without changing CLI surface, behavior, or tone."
+
+## Summary
+
+After spec/017 landed in v2.2.0, the repository ships a stateless `--source-repo <PATH>` CLI surface and five real-world `examples/<NN-slug>/` directories. This feature spec turns those substrates into above-the-fold onboarding by restructuring the README around **operational comprehension** rather than philosophy-first exposition.
+
+This is a **documentation-only** change. No CLI surface, no behavior, no schema, no tests change. Release intent is `patch` per the bump rules (no `src/` modifications).
+
+## Clarifications
+
+### Session 2026-05-06
+
+- Q: Should the asciinema recording sanitize operator-private values (hostname, paths, domains, IPs)? → A: Yes — mirror spec/017 FR-009 — RFC 2606 reserved domains, RFC 5737 documentation IPs, generic prompt (e.g., `op@example`), project-relative paths, no real credentials or operator-private hostnames.
+- Q: Is there a duration cap on the asciinema recording? → A: Hard cap ≤ 90 seconds. If unattainable, narrow demo scope (skip status, skip re-run, drop a service) rather than extend.
+- Q: How faithful must the README walkthrough's plan-output block be to actual `core-ops plan` output? → A: Verbatim from a real run, with `...` elision permitted for repeats or uninteresting lines. No paraphrasing, no hand-tuning. Every non-elided line MUST appear byte-for-byte in actual output.
+- Q: Who performs the dogfooding pass referenced by SC-011? → A: Author self-attestation only. The author re-reads the rendered README cold (no separate operator), captures takeaways verbatim in `synthesis.md`, and assesses pass/fail against US1's expectations. Self-knowledge of the changes is an acknowledged limit traded against feasibility.
+- Q: What beats does the static walkthrough code block cover? → A: Plan output + a short idempotent re-run snippet showing the "no changes" line. Apply and status are carried only by the recording. Approximate budget: ~25 lines.
+
+## Scope distinction
+
+The proposal that triggered this spec asked, among other things, that the iteration "increase adoption likelihood." Adoption likelihood is unmeasurable inside this slice — there is no analytics, no funnel, no clone metric this spec can move. The spec therefore replaces "did adoption increase" with **structural** acceptance criteria (artifact existence, README ordering, line budget, stop-list absence) plus a single **dogfooding pass** (one operator unfamiliar with the changes describes the Git→host flow within 5 minutes). "Adoption" is the long-horizon hypothesis; "structural improvement" is what 018 commits to.
+
+## User Scenarios & Testing *(mandatory)*
+
+### User Story 1 - First-time visitor mentally simulates a CoreOps workflow within 5 minutes (Priority: P1)
+
+A technically experienced operator opens the GitHub README cold. Within roughly five minutes of reading, they can answer four questions without leaving the page:
+
+1. *What is CoreOps?* (operating model — host-native, systemd/Quadlet, declarative reconciliation, Git-driven)
+2. *What does using it feel like?* (a representative `core-ops plan` invocation and its output)
+3. *Is it serious enough to evaluate?* (CI green, recent release, license clear)
+4. *How does Git become host state?* (one diagram, one mental model)
+
+**Why this priority**: This is the first-impression surface. Every other onboarding artifact is downstream of whether the operator continues past the README. If they bounce in 30 seconds because the page leads with philosophy, no walkthrough or example matters.
+
+**Independent Test**: The author opens the rendered page on GitHub after restructure. Time-box: 5 minutes for the read. The author then writes down — verbatim, without re-consulting the README — what they took away in answer to "What does CoreOps do and what does running it look like?" The captured answer must reference (a) host-native systemd/Quadlet convergence, (b) the Git → core-ops → systemd flow, (c) at least one CLI command they saw, and (d) a sense of project credibility (badges, version, release cadence). Pass/fail recorded in `synthesis.md`. Self-knowledge of the changes is an acknowledged limit (Clarification 2026-05-06 Q4); the test is still useful as a forcing function for "did the README actually surface these signals on a cold read."
+
+**Acceptance Scenarios**:
+
+1. **Given** the rendered README, **When** the reader scrolls from top, **Then** the first non-title content they encounter is a row of trust badges (CI, E2E Gate, Latest Release, License), followed by a `## 30-second mental model` heading within the first 120 lines.
+2. **Given** the rendered README, **When** the reader continues scrolling, **Then** they encounter an architecture diagram (rendered Mermaid block on GitHub) and a walkthrough section showing representative `core-ops plan` output, both before any installation instructions.
+3. **Given** the rendered README, **When** the reader reaches the bottom, **Then** they have not encountered any of: hype-flagged terms (per FR-014 stop-list), third-party JS embeds, or marketing-style feature comparison matrices.
+
+---
+
+### User Story 2 - Operator sees what `core-ops plan` actually does before installing anything (Priority: P2)
+
+An operator considering CoreOps wants concrete evidence that the tool produces deterministic, inspectable output before they download a binary or write a single config file. They scroll to a "What using CoreOps feels like" section and see (a) a static text block of representative plan output for a real example, and (b) a link to a recorded asciinema session of the same workflow end-to-end.
+
+**Why this priority**: Static walkthroughs and live recordings are independent trust signals — the static blocks prove "the output is shaped like this" (plan) and "re-running is a no-op when state already matches" (idempotent re-run); the asciinema proves "a real session runs in this time, with this cadence, on this kind of host." P2 because P1 (mental model) gates whether the operator reads this section at all; without P1, P2 is invisible.
+
+**Independent Test**: A reviewer reads the walkthrough section. They can (a) name two services that appear in the static plan-output block (the first of the two static blocks per FR-006), (b) follow the link to `docs/onboarding.cast` and play it back locally with `asciinema play`, (c) describe what idempotent re-run behavior looks like from the recording — and from the second static block (the "no changes" snippet) — without re-running the recording.
+
+**Acceptance Scenarios**:
+
+1. **Given** the README walkthrough section, **When** the reader inspects the static plan output block, **Then** the block is a fenced code block of representative `core-ops plan --source-repo examples/03-immich --host example` output containing recognizable units (e.g., `immich-server.container`, `immich-internal.network`).
+2. **Given** the README walkthrough section, **When** the reader clicks the recording link, **Then** they reach `docs/onboarding.cast` (in-tree, valid asciicast v2 format).
+3. **Given** the in-tree recording, **When** the reader runs `asciinema play docs/onboarding.cast` locally, **Then** the cast plays back end-to-end and exercises the `examples/03-immich` walkthrough including at least one idempotent re-run demonstrating no host mutation when state already matches.
+
+---
+
+### User Story 3 - Operator visualizes Git → host convergence without reading source code (Priority: P2)
+
+An operator wants to understand how a Git repository becomes host state on a single page. They find a Mermaid block in the README that names: the Git source, `core-ops`, generated systemd/Quadlet units, the host, and the audit/status side outputs.
+
+**Why this priority**: Architecture diagrams are the highest-bandwidth onboarding artifact when an operator's question is "where does my repository fit in this system?" Equal priority to US2 because the diagram and the walkthrough together answer the "what is this and what does it do" question; either alone leaves a gap.
+
+**Independent Test**: A reviewer who has never used CoreOps reads the diagram. They can (a) name the four primary nodes (Git, core-ops, systemd/Quadlet, host), (b) identify audit/status as side outputs (dashed/secondary edges), (c) describe the data flow direction (Git → core-ops → host).
+
+**Acceptance Scenarios**:
+
+1. **Given** the rendered README on GitHub, **When** the reader views the Architecture section, **Then** a Mermaid diagram renders inline with at least four nodes including the substrings `Git`, `core-ops`, `systemd`.
+2. **Given** the same diagram, **When** the reader follows directional edges, **Then** the primary flow is unambiguous (left-to-right or top-to-bottom) and audit/status side outputs are visually distinguished (e.g., dashed edges or secondary nodes).
+3. **Given** a non-GitHub render context (raw markdown, a mirror without Mermaid support), **When** the diagram fails to render, **Then** the surrounding README prose names the same four nodes and the flow direction explicitly so the architecture is recoverable from text alone.
+
+---
+
+### User Story 4 - Future maintainer preserves the operational-first ordering across edits (Priority: P3)
+
+A future contributor adds a new section to the README (e.g., a new badge, a new credibility signal, a configuration recipe). They consult `specs/018-adoption-readiness/checklists/readme-structure.md` and the spec's structural FRs. Their edit preserves the section ordering, badge row composition, and stop-list discipline.
+
+**Why this priority**: Documentation drifts. Without an explicit structural contract, the next contributor adds a "Features" matrix back at the top, or sneaks "production-grade" into a section header, and the spec/018 work is undone within three months. P3 because the maintenance load is real but the immediate user is hypothetical.
+
+**Independent Test**: A future contributor edits the README to add a section. The pre-merge checklist at `specs/018-adoption-readiness/checklists/readme-structure.md` catches any deviation from §FR-001 ordering, the §FR-002 badge row, or the §FR-014 stop-list.
+
+**Acceptance Scenarios**:
+
+1. **Given** the structural checklist, **When** a contributor proposes a README edit, **Then** the checklist names every constraint (ordering, badge row, line budget, stop-list, no third-party JS embeds) in a runnable form (`grep`, `wc`, heading inspection).
+
+---
+
+### Edge Cases
+
+- **Mermaid renders inconsistently outside GitHub** (RSS, mirrors, terminal viewers like `glow`). → Mitigated by US3-AC-3: the surrounding prose names the same four nodes textually, so the architecture is recoverable from text alone.
+- **The asciinema recording drifts from CLI output as `core-ops` evolves**. → Accepted bounded risk: a reviewer responsibility, not a CI gate. The `docs/onboarding-script.sh` regeneration entry point exists so re-recording is a one-command operation when output drifts.
+- **README walkthrough block diverges from `examples/03-immich` plan output as the example evolves**. → Mitigated by FR-006 (verbatim-from-real-invocation rule plus `...` elision): the walkthrough block is regenerated from a real `core-ops plan` invocation against `examples/03-immich` at authoring time, and the polish phase of the implementation re-validates by re-running (per tasks.md Phase 7 / SC-007a).
+- **GPU device passthrough in `examples/03-immich` cannot be exercised on the recording host**. → The recording script substitutes a placeholder device path or runs on a host with the correct device shape; documented in the script header.
+- **Operator reads the README on a network that blocks asciinema.org embeds** (corporate firewall, RSS, terminal viewer). → FR-013 forbids third-party JS embeds entirely; the recording is served from the in-tree `.cast` file with a static text fallback in the README.
+- **CHANGELOG.md or release notes drift between the README's badge claim and the actual published release**. → No new failure mode introduced by 018; the existing release governance owns CHANGELOG/version/tag consistency.
+- **A future contributor adds a hype-flagged term** (e.g., "production-grade"). → Caught by FR-014 stop-list grep documented in `checklists/readme-structure.md`.
+
+## Requirements *(mandatory)*
+
+### Functional Requirements
+
+#### README structure and ordering
+
+- **FR-001**: The root `README.md` MUST follow this section ordering, top-to-bottom:
+  1. Title block (logo + tagline) — preserved from current README lines 1–10.
+  2. Badge row (CI, E2E Gate, Latest Release, License) — single line, no heading, immediately after title block.
+  3. `## 30-second mental model` — concise operational framing, ≤ 200 words, covering host-native convergence, systemd/Quadlet centricity, declarative reconciliation, and Git-driven operation.
+  4. `## Architecture` — Mermaid block depicting Git → core-ops → systemd/Quadlet → host with audit/status as side outputs, plus surrounding prose recoverable when Mermaid fails to render (per US3-AC-3).
+  5. `## What using CoreOps feels like` — walkthrough using `examples/03-immich` and the post-017 `--source-repo` flag; embeds a static plan-output code block plus a link to `docs/onboarding.cast`.
+  6. `## Real-world examples` — five-entry list/links pointing to `examples/<NN-slug>/README.md`.
+  7. `## Quick start` — folds current "Installation (Current Phase)" + "First Interaction".
+  8. `## Why CoreOps exists` — compressed to ≤ 15 lines.
+  9. `## What CoreOps is not` — compressed to ≤ 12 lines.
+  10. `## Trust and release model` — folds the existing Credibility *table* (artifacts, verification env), Minimal Trust Story, and Release & Verification Model into one section.
+  11. `## AI authorship` — compressed to ≤ 12 lines.
+  12. `## Target audience · License · Further reading` — final reference block.
+- **FR-002**: The badge row MUST contain exactly four badges in this order: CI, E2E Gate, Latest Release, License. No other badges may be promoted to the top row in this slice.
+- **FR-003**: The README MUST be ≤ 400 lines after restructure.
+
+#### Onboarding artifacts
+
+- **FR-004**: The README MUST contain a Mermaid fenced code block depicting the architecture flow, with at least four nodes including the substrings `Git`, `core-ops`, `systemd`. Audit/status side outputs MUST be visually distinguished from the primary flow (e.g., dashed edges, secondary node shape).
+- **FR-005**: The README walkthrough section MUST use `examples/03-immich` as its canonical example and invoke `core-ops plan --source-repo examples/03-immich --host example` as the canonical command.
+- **FR-006**: The README walkthrough section MUST contain **two** fenced code blocks: (1) a plan-output block from the canonical `core-ops plan --source-repo examples/03-immich --host example` invocation, and (2) a short re-run snippet showing the idempotent "no changes" output (e.g., a second `core-ops plan` invocation immediately after `core-ops apply` produces no actionable diff). Both blocks MUST be derived **verbatim from real invocations**: every non-elided line MUST appear byte-for-byte in actual command output. Paraphrasing and hand-tuning are forbidden. `...` elision lines (a single line containing only the literal `...` and optional surrounding whitespace) are permitted to omit repeated or uninteresting lines for readability. The plan-output block MUST contain at least one recognizable Quadlet unit identifier from `examples/03-immich/services/` (e.g., `immich-server.container`, `immich-internal.network`). The combined budget for both blocks SHOULD be ≤ ~25 lines (excluding fence markers); if the natural plan output exceeds this, elide aggressively rather than expand the budget. Apply and status outputs are carried by the recording (`docs/onboarding.cast`), not by static blocks.
+- **FR-007**: The repository MUST publish an asciinema recording at `docs/onboarding.cast` exercising the single `core-ops apply --source-repo examples/03-immich --host example` invocation end-to-end. The recording is **apply-only** — the static plan-output and idempotent-re-run blocks in the README walkthrough section (per FR-006) are the canonical source of plan/re-plan content; including those beats in the recording adds duration without motion. The recording's total duration MUST be ≤ 90 seconds. If 90 seconds is insufficient, the scope MUST be narrowed (drop a service from the example, or use a smaller example) — the duration cap MUST NOT be extended. The repository MUST also publish a derived inline-renderable GIF sidecar at `docs/assets/core-ops-demo.gif`, produced by `agg` (asciinema-agg) from the same `.cast` source so the README walkthrough section can embed motion via standard Markdown image syntax. The GIF is a derived artifact (regenerated whenever the cast is re-recorded); the `.cast` remains the source-of-truth. The recording MUST be produced on a host where `core-ops` runs natively (not via SSH delegation): SSH transport collapses the line-by-line streaming-output timing that the recording is meant to capture, so SSH-delegated recording is explicitly out of spec.
+- **FR-008**: The recording at `docs/onboarding.cast` MUST be a valid asciicast file (JSON header on first line) playable with `asciinema play`. Either asciicast v2 (asciinema 2.x) or asciicast v3 (asciinema 3.x) is acceptable — both formats are rendered by `agg` 1.7.0 and played by asciinema.org. The header MUST declare `"version": 2` or `"version": 3`.
+- **FR-009**: The repository MUST publish a regeneration entry point at `docs/onboarding-script.sh` that is executable, has a shebang, contains the literal string `examples/03-immich`, and documents in its header the deterministic command sequence used to produce `onboarding.cast` AND the GIF sidecar at `docs/assets/core-ops-demo.gif`. The script MUST invoke `agg` after recording to render the GIF from the `.cast`. The script header documents the pinned versions of both `asciinema` and `agg` used at recording time.
+- **FR-009a**: The asciinema recording at `docs/onboarding.cast` and the regeneration script at `docs/onboarding-script.sh` MUST mirror spec/017 FR-009's sanitization rule: no operator-private values may appear in the captured session or the script. Specifically:
+  - Any hostname displayed in the shell prompt MUST be a generic placeholder (e.g., `example`, `op`, `host`); the operator's real machine hostname MUST NOT appear.
+  - Any domain literal MUST use RFC 2606 reserved domains (`*.example.com`, `*.example.org`, `*.test`, `*.invalid`, `*.localhost`).
+  - Any IP literal MUST use RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`).
+  - Filesystem paths MUST be project-relative or use generic placeholders (e.g., `/home/op/...`); the operator's real home-directory path or other private paths MUST NOT appear.
+  - No real credentials, tokens, secrets, or environment-variable values sourced from the operator's private setup MUST appear.
+
+#### Tone and structure preservation
+
+- **FR-010**: The README MUST preserve the existing sober, technically serious tone. The Constitution's Principle 1 (clarity, no hype) is the operating reference.
+- **FR-011**: Philosophy content (current "Why CoreOps Exists", "What CoreOps Is Not", "AI Authorship", "Target Audience" sections) MUST remain inline in the README. Extraction to `docs/philosophy.md` or similar is **out of scope** for this slice.
+- **FR-012**: The existing "Real-World Examples" section landed in v2.2.0 (current README lines 115–138) MUST be preserved in spirit but renamed to `## Real-world examples` and elevated above `## Quick start` per the FR-001 ordering. The five existing one-line example descriptions are preserved unchanged in content; only ordering changes.
+- **FR-013**: The README MUST NOT include any third-party JavaScript embed, iframe, or `<script>` tag (asciinema.org or otherwise). Standard Markdown / HTML image embeds (e.g., `![alt](path.gif)` or `<img src="path.gif">`) of the in-tree GIF sidecar at `docs/assets/core-ops-demo.gif` are explicitly permitted — they render inline on GitHub and other Markdown viewers without JS. An optional clickable link to an asciinema.org-hosted upload is permitted as an alternative anchor (the recommended pattern is to wrap the GIF `<img>` in an `<a href="https://asciinema.org/a/<id>">` so a single click opens the full asciinema.org player); the asciinema.org SVG-badge embed pattern is also permitted (it's a static SVG image, not a script).
+- **FR-014**: The README MUST NOT introduce any of the following hype-flagged terms (case-insensitive): `enterprise-ready`, `industry-leading`, `production-grade`, `🚀`. The stop-list is the falsifiable surrogate for "no hype-oriented language."
+
+#### Spec Kit deliverables
+
+- **FR-015**: The repository MUST publish the spec at `specs/018-adoption-readiness/` with: `spec.md` (this file), `plan.md`, `tasks.md`, `research.md`, `quickstart.md`, `synthesis.md` (post-implementation retrospective), and `checklists/readme-structure.md` (acceptance-criteria runbook). `data-model.md` and `contracts/` are explicitly **omitted** — no new data structures or CLI contracts.
+- **FR-016**: The repository MUST publish a release-governance fragment at `changes/018-adoption-readiness.md` declaring `release_intent: patch`, `scope: docs`, with a one-line summary of the README restructure.
+
+#### Negative requirements (out of scope)
+
+- **FR-017**: This change MUST NOT modify any file under `src/`, `.github/workflows/`, `examples/`, or `LICENSE`. **`Cargo.toml` MAY be bumped to a patch version** when triggered by release-governance rules (specifically the `packaged_readme_surface` rule, which fires when `README.md` is modified because the README ships in release bundles per the Quick Start documentation). The bump is metadata-only and does not constitute a source-code change. `Cargo.lock` is regenerated automatically by cargo and follows the same metadata-only treatment. **Existing test fixtures and integration assertions under `tests/integration/` and `tests/fixtures/` MAY also be updated** when their assertions reference README section names (renamed by FR-001) or pin the controller version string (bumped per the carve-out above). Such updates are mechanical fixture maintenance: they propagate spec/018's structural rename into existing tests without introducing new test surface, new CI gates, or assertions exercising new behavior. The prohibition is preserved for **new tests, new fixtures, or assertions exercising new behavior** — none of those are introduced by spec/018.
+- **FR-018**: This change MUST NOT introduce any new CLI surface, new flags, new commands, schema changes, or behavioral changes to existing commands.
+- **FR-019**: This change MUST NOT add a CI lint step that enforces FR-014 (stop-list) or FR-003 (line budget) — these are reviewer-checked via `checklists/readme-structure.md`. CI surface area is preserved.
+
+### Key Entities
+
+- **README structural contract**: The ordering, badge row, line budget, and stop-list together define a structural contract for the README that is enforced via the checklist at `specs/018-adoption-readiness/checklists/readme-structure.md` rather than runtime tests.
+- **Onboarding recording**: An asciicast v2 file at `docs/onboarding.cast` plus its regeneration entry point at `docs/onboarding-script.sh`. The pair is a single onboarding artifact: the cast is the immutable visible deliverable, the script is the maintainability backstop.
+- **Mental model**: A ≤ 200-word prose section that compresses the operational claim of CoreOps (host-native, systemd/Quadlet, declarative reconciliation, Git-driven) into a form a technically experienced operator can absorb in one read.
+
+## Constitution Alignment *(mandatory)*
+
+- **Functional core vs. side effects**: N/A — this feature ships only documentation and a recorded artifact. No core or shell code is added or modified.
+- **Declarative state model**: The README itself is a declarative artifact: structural ordering and badge composition are declared in FR-001/FR-002, and a checklist verifies the declared shape. No runtime state model is touched.
+- **Idempotence & convergence**: N/A — no convergence behavior changes. The asciinema recording demonstrates idempotent re-run of the existing `core-ops apply` semantics (per FR-007); it does not introduce new idempotence guarantees.
+- **Explicit effects/failures**: N/A — no new failure modes introduced. Edge cases (Mermaid render failure, asciinema drift) are handled by existing recoverability (text fallback, regeneration script).
+- **Observability**: N/A — no new observable runtime behavior. Documentation is the observed artifact.
+- **Provenance & traceability**: N/A — no provenance impact. The README references the existing release model; CHANGELOG continuity is owned by the existing release governance, not by this spec.
+- **Safe defaults**: N/A — no defaults change.
+- **Compatibility**: All existing README links (CHANGELOG, CODE_OF_CONDUCT, docs/development.md, examples/) MUST continue to resolve unchanged after restructure. The existing `## Real-World Examples` section's content is preserved (FR-012); only ordering and heading style change.
+- **Release version policy**: Documentation-only change with no `src/` modifications. Per the `changes/README.md` bump rules, this is `patch`. Declaring `patch` is at-or-above the inferred minimum.
+- **Release intent artifact**: `changes/018-adoption-readiness.md` declares `release_intent: patch`, `scope: docs`.
+- **Changelog discipline**: The fragment's `summary` field becomes the `[Unreleased]` bullet; the post-merge promote step in CI moves it into a tagged section automatically. No manual `CHANGELOG.md` editing.
+- **Test contract**: No new test surface. The existing `cargo test` and `cargo clippy --all-targets -- -D warnings` gates remain authoritative for the codebase. The README structural contract is verified at PR-review time via `checklists/readme-structure.md`, not via CI. **VM-backed scenario assessment**: No new behavioral mutation classes. Per Principle 10's exemption clause, no new VM-backed scenario is required for this feature; this exemption is recorded explicitly here as the documented justification.
+- **Regenerability**: The Mermaid block is text in the README and trivially regenerable. The asciinema recording is regenerable via `docs/onboarding-script.sh` (FR-009). The static walkthrough plan output is regenerable by re-running `core-ops plan --source-repo examples/03-immich --host example`.
+
+> **Verification Guidance section omitted**: This feature is documentation-only and does not participate in spec-derived end-to-end verification. The README structural contract is enforced via review checklist, and the asciinema artifact's correctness is asserted at recording time and at re-recording time, not in CI. Removing the section per the template's instruction.
+
+## Success Criteria *(mandatory)*
+
+### Measurable outcomes
+
+- **SC-001**: After this change merges, `wc -l README.md` MUST report ≤ 400 lines (per FR-003).
+- **SC-002**: After this change merges, the rendered README on GitHub MUST display a row of exactly four badges (CI, E2E Gate, Latest Release, License) immediately after the title/logo block, before any heading (per FR-002).
+- **SC-003**: After this change merges, the README MUST contain a `## 30-second mental model` heading within the first 120 lines (per FR-001 §3 and the mental-model entity definition).
+- **SC-004**: After this change merges, the README MUST contain at least one ` ```mermaid ` fenced code block whose content includes the substrings `Git`, `core-ops`, and `systemd` (per FR-004).
+- **SC-005**: After this change merges, the file `docs/onboarding.cast` MUST exist and be a valid asciicast file — first line is a JSON header with `"version": 2` (asciinema 2.x) or `"version": 3` (asciinema 3.x). Verifiable via `head -n 1 docs/onboarding.cast | jq '.version' | grep -E '^[23]$'` (per FR-007/FR-008).
+- **SC-005a**: After this change merges, the asciicast at `docs/onboarding.cast` MUST replay end-to-end in ≤ 90 seconds. For v2 casts, this is verifiable via the header `duration` field (`head -n 1 docs/onboarding.cast | jq '.duration'`). For v3 casts (which omit `duration` from the header), it is verifiable via the timestamp of the last event line (`tail -1 docs/onboarding.cast | jq '.[0]'`). Either MUST be ≤ 90 (per FR-007).
+- **SC-005b**: After this change merges, the file `docs/assets/core-ops-demo.gif` MUST exist as a non-empty GIF (first 6 bytes match `GIF89a` or `GIF87a`) and the README MUST embed it via standard image-tag syntax (`<img src="docs/assets/core-ops-demo.gif" ...>` or `![](docs/assets/core-ops-demo.gif)`) inside the `## What using CoreOps feels like` section. File size SHOULD be ≤ 1 MB (a soft cap; if exceeded, narrow the recording or tune `agg --idle-time-limit` rather than relax). Per FR-007/FR-013.
+- **SC-006**: After this change merges, the file `docs/onboarding-script.sh` MUST exist, be executable, contain a shebang on line 1, and contain the literal string `examples/03-immich` somewhere in the body (per FR-009).
+- **SC-006a**: After this change merges, `grep -i -E '(not\.one|ulthar|192\.168\.|10\.0\.|172\.16\.)' docs/onboarding.cast docs/onboarding-script.sh` MUST return zero matches; the recording and script MUST contain no operator-private domain markers, no RFC 1918 private IP ranges suggestive of a real homelab, and no operator-specific hostnames (per FR-009a). The same stop-list is applied to `docs/assets/core-ops-demo.gif` indirectly: the GIF is rendered from the same sanitized `.cast` source, so any string the cast does not contain cannot appear in the rendered frames.
+- **SC-007**: After this change merges, the README walkthrough section MUST contain a fenced code block whose content includes at least one Quadlet unit identifier from `examples/03-immich/services/` (per FR-006).
+- **SC-007a**: Each non-elided line in **both** README walkthrough code blocks (the plan-output block and the idempotent re-run snippet, excluding lines that are exactly `...` or whitespace) MUST be reproducible byte-for-byte from real `core-ops plan` / `core-ops apply` invocations against `examples/03-immich` on the post-018 master tree (per FR-006). Verified at PR review by re-running and spot-checking; not a CI gate.
+- **SC-007b**: After this change merges, the README walkthrough section MUST contain exactly two fenced code blocks (one plan, one re-run-no-changes), and their combined non-blank line count SHOULD be ≤ ~25 lines (per FR-006).
+- **SC-008**: After this change merges, `grep -i -E '(enterprise-ready|industry-leading|production-grade|🚀)' README.md` MUST return zero matches (per FR-014).
+- **SC-009**: After this change merges, every link target the pre-018 README pointed to (LICENSE, CHANGELOG.md, CODE_OF_CONDUCT.md, docs/development.md, each `examples/<NN-slug>/`) MUST still resolve from the post-018 README (per Compatibility).
+- **SC-010**: After this change merges, no file under `src/`, `.github/workflows/`, `examples/`, or `LICENSE` MUST have been modified by the diff (per FR-017). `Cargo.toml` MAY have a patch-version bump (e.g., `2.2.0` → `2.2.1`) driven by the `packaged_readme_surface` release-governance rule, and `Cargo.lock` is regenerated to match — both are metadata-only changes. **Existing test files under `tests/integration/` and `tests/fixtures/` MAY have mechanical maintenance updates** when README section names change (driven by FR-001) or when fixtures reference the bumped Cargo.toml version (driven by the `packaged_readme_surface` carve-out). No new test files, new fixtures, or new assertions exercising new behavior are introduced. Verified via `git diff master..HEAD --stat -- src/ .github/workflows/ examples/ LICENSE` returning empty.
+- **SC-011**: A dogfooding pass MUST be recorded in `specs/018-adoption-readiness/synthesis.md` as **author self-attestation** (per Clarification 2026-05-06 Q4). The author opens the rendered README cold, time-boxed at 5 minutes for the read, then writes down — verbatim, without re-consulting the README — what they took away in answer to "What does CoreOps do and what does running it look like?" The captured answer is assessed pass/fail per US1's Independent Test. Self-knowledge is an acknowledged limit; the test is preserved as a forcing function. A failure does not block merge but MUST trigger a follow-up issue with concrete remediation proposals.
+- **SC-012**: The synthesis section in `synthesis.md` MUST address the proposal's §9 questions: (a) did onboarding clarity materially improve, (b) what adoption/trust gaps remain, (c) does the repository now communicate the operational experience more effectively. Answers are operator-attested, not metric-driven.
+
+## Assumptions
+
+- The post-017 v2.2.0 master is the authoring baseline. `examples/03-immich/` and the `--source-repo` CLI surface are available and stable.
+- The asciinema recording is authored once at implementation time on a host with appropriate device shape for `examples/03-immich` (or with a documented device-substitution in `docs/onboarding-script.sh`). Drift between the recording and CLI output is accepted as a bounded risk; re-recording is a one-command operation when needed.
+- GitHub is the primary read surface for the README. Mermaid renders natively; non-GitHub render contexts are degraded but recoverable per US3-AC-3.
+- The "Credibility" section's badges and table content land in their new positions (top badge row + Trust section) without losing information; no new artifacts beyond the License badge are added in this slice.
+- The dogfooding operator (SC-011) is sourced informally from the operator's network; their response is captured verbatim in `synthesis.md` under a pseudonymous attribution if anonymity is preferred.
+- Future iterations may revisit FR-011 (extraction of philosophy to `docs/philosophy.md`) once the compressed inline form has been observed in practice. This spec deliberately keeps philosophy inline.
+- A future spec (019 or beyond) may introduce CONTRIBUTING.md or ARCHITECTURE.md based on the synthesis findings; those are out of scope here and flagged in `synthesis.md` if relevant.
diff --git a/specs/018-adoption-readiness/synthesis.md b/specs/018-adoption-readiness/synthesis.md
new file mode 100644
index 0000000..216fce8
--- /dev/null
+++ b/specs/018-adoption-readiness/synthesis.md
@@ -0,0 +1,54 @@
+# Synthesis: 018-adoption-readiness retrospective
+
+**Status**: Skeleton. Populated by T026 after US1/US2/US3/US4 land and the dogfooding pass (T025) is recorded.
+
+This file is the post-implementation retrospective for spec/018. It addresses the three questions the proposal raised in §9: did onboarding clarity materially improve, what adoption/trust gaps remain, and does the repository now communicate the operational experience more effectively.
+
+## Dogfooding pass (T025)
+
+> Populated by T025. The author opens the rendered `README.md` cold (≥ 24 h cool-off since the last edit), time-boxes 5 minutes, and writes down — verbatim, without re-consulting the README — the answer to "What does CoreOps do and what does running it look like?"
+>
+> Pass criterion (per US1 Independent Test): the captured answer must reference (a) host-native systemd/Quadlet convergence, (b) Git → core-ops → systemd flow, (c) ≥ 1 CLI command seen, (d) a sense of project credibility from badges/version.
+
+**Cool-off start (last `README.md` edit landed at)**: _TBD_
+**Cool-off end (read taken at)**: _TBD_
+
+**Verbatim takeaway**: _TBD_
+
+**Pass / fail per US1 criteria**: _TBD_
+
+## What materially improved
+
+> Populated by T026. Address: did onboarding clarity materially improve compared to the pre-018 README?
+
+_TBD_
+
+## Remaining adoption/trust gaps
+
+> Populated by T026. Address: what gaps remain that could affect adoption or trust signal?
+
+_TBD_
+
+## Operational communication effectiveness
+
+> Populated by T026. Address: does the repository now communicate the operational experience (plan → apply → converge) more effectively than before 018?
+
+_TBD_
+
+## Follow-ups flagged for post-018 specs
+
+> Populated by T026. Candidates noted in research.md include:
+>
+> - F1 — static SVG sidecar via `agg` for non-Mermaid / no-asciinema readers.
+> - F2 — CONTRIBUTING.md and ARCHITECTURE.md follow-up.
+> - F3 — multi-language documentation.
+>
+> Plus any new candidates surfaced by the dogfooding pass.
+
+_TBD_
+
+## Judgment calls made during implementation
+
+> Populated by T026. Document non-trivial decisions made by the implementer that the spec did not pre-resolve (e.g., where existing-but-not-canonical sections like "What CoreOps Does" or "Supported Systems" landed in the new structure).
+
+_TBD_
diff --git a/specs/018-adoption-readiness/tasks.md b/specs/018-adoption-readiness/tasks.md
new file mode 100644
index 0000000..7432c96
--- /dev/null
+++ b/specs/018-adoption-readiness/tasks.md
@@ -0,0 +1,222 @@
+---
+description: "Task list for 018-adoption-readiness implementation"
+---
+
+# Tasks: Adoption Readiness — README and Onboarding Experience
+
+**Input**: Design documents from `/specs/018-adoption-readiness/`
+**Prerequisites**: `plan.md`, `spec.md`, `research.md`, `quickstart.md`. `data-model.md` and `contracts/` are intentionally absent (per spec FR-015).
+
+**Tests**: **Exempted from new authorship.** Spec/018 is documentation-only. FR-019 explicitly forbids adding a CI lint step that enforces structural rules; no new tests, fixtures, or CI assertions are introduced. **Mechanical maintenance** of existing integration tests and fixtures IS permitted under FR-017's carve-out when assertions reference renamed README section names (driven by FR-001) or pin the bumped controller version string (driven by the `packaged_readme_surface` Cargo.toml bump). Verification of the structural contract itself is reviewer-driven via `specs/018-adoption-readiness/checklists/readme-structure.md` (T020 below). The standard `cargo test` and `cargo clippy --all-targets -- -D warnings` gates remain authoritative for the codebase.
+
+**Organization**: Tasks are grouped by user story. US1 (P1) is the MVP — restructured README with placeholders for the artifacts US2 and US3 contribute. US2 and US3 are independent fills of the placeholders. US4 codifies the structural contract for future maintainers.
+
+## Format: `[ID] [P?] [Story] Description`
+
+- **[P]**: Can run in parallel (different files, no dependencies on incomplete tasks)
+- **[Story]**: Maps the task to a user story (US1, US2, US3, US4) — required for user-story-phase tasks only
+- File paths in descriptions are absolute or repo-root-relative
+
+## Path conventions
+
+Single Rust crate at repository root. This iteration touches:
+
+- `README.md` (modified)
+- `Cargo.toml`, `Cargo.lock` (patch bump 2.2.0 → 2.2.1, governance-driven; per FR-017 carve-out)
+- `docs/onboarding.cast`, `docs/onboarding-script.sh` (new)
+- `docs/assets/core-ops-demo.gif` — GIF sidecar rendered from the cast by `agg`; embedded inline in the README walkthrough (FR-007 / SC-005b / FR-013).
+- `flake.nix` — adds `asciinema-agg` (binary `agg`) to the dev shell alongside the existing `asciinema` pin.
+- `specs/018-adoption-readiness/checklists/readme-structure.md`, `specs/018-adoption-readiness/synthesis.md` (new)
+- `tests/integration/test_distribution_*.rs`, `tests/fixtures/distribution/entrypoint-snapshot.md`, `tests/fixtures/provenance_state/valid-success.json` — mechanical maintenance updates only (FR-001 section renames + Cargo.toml version bump; per FR-017 carve-out)
+- `CHANGELOG.md` (auto-rendered by `core-ops-release changelog --write`)
+
+No `src/`, `.github/workflows/`, `examples/`, or `LICENSE` modifications.
+
+---
+
+## Phase 1: Setup (Shared Infrastructure)
+
+**Purpose**: Scaffold the spec directory's optional artifacts that later phases populate.
+
+- [X] T001 [P] Create `specs/018-adoption-readiness/checklists/` directory and an empty `readme-structure.md` skeleton (header + table-of-checks placeholder). Populated by T020 in Phase 6.
+- [X] T002 [P] Create `specs/018-adoption-readiness/synthesis.md` skeleton with frontmatter + section headers for "Dogfooding pass", "What materially improved", "Remaining adoption/trust gaps", "Operational communication effectiveness" (proposal §9 questions). Populated by T025 in Phase 7.
+
+---
+
+## Phase 2: Foundational (Blocking Prerequisites)
+
+**Purpose**: Build the asciinema regeneration entry point that US2's recording task depends on.
+
+**⚠️ CRITICAL**: T003 must complete before T014 (recording the cast) in Phase 4.
+
+- [X] T003 Author `docs/onboarding-script.sh`: executable shell script with shebang `#!/usr/bin/env bash`, version-pinned `asciinema` invocation in the header (per research.md R1, FR-009), env-scrubbed shell launcher (`env -i HOME=/home/op PATH=... TERM=xterm-256color PS1='op@example $ ' bash --noprofile --norc -c '...'` per research.md R4), deterministic command sequence exercising `core-ops plan --source-repo examples/03-immich --host example` plus apply + idempotent re-run, and the literal string `examples/03-immich` in the body (FR-009, SC-006). `chmod +x docs/onboarding-script.sh`.
+
+**Checkpoint**: Foundation ready — Phase 3 (US1 MVP) and Phase 5 (US3) can now begin in parallel.
+
+---
+
+## Phase 3: User Story 1 — First-time visitor mentally simulates within 5 minutes (Priority: P1) 🎯 MVP
+
+**Goal**: A technically experienced operator reading the README cold can answer four questions within ~5 minutes: what CoreOps is, what running it looks like, whether it is serious, and how Git becomes host state. Achieved by restructuring sections into operational-first order, promoting trust signals to the top, and inserting a 30-second mental model section.
+
+**Independent Test**: Open the rendered `README.md` on GitHub. Within the first 120 lines (excluding badges and title), the reader encounters: badge row → mental model heading → architecture placeholder → walkthrough placeholder → real-world examples link list. Stop-list grep returns 0 matches. `wc -l README.md` ≤ 400.
+
+> **No new tests authored** — per FR-019 (no new CI lint surface). Structural verification is via T020 checklist + T021/T022 polish checks. (Existing integration tests may receive mechanical fixture-maintenance updates per the FR-017 carve-out when README section names change.)
+
+### Implementation for User Story 1
+
+- [X] T004 [US1] Reorder all top-level sections in `README.md` per spec FR-001 (the canonical 12-section ordering: Title → Badge row → 30-second mental model → Architecture → What using CoreOps feels like → Real-world examples → Quick start → Why CoreOps exists → What CoreOps is not → Trust and release model → AI authorship → Target audience · License · Further reading). Move "Real-World Examples" (currently at lines 115–138) to its new position above "Quick start" per FR-012; preserve its content unchanged.
+- [X] T005 [US1] Promote badge row to immediately after the title block in `README.md` (FR-002, SC-002). Add the missing License badge: `[![License](https://img.shields.io/badge/license-AGPL--3.0--or--later-blue)](LICENSE)`. Final badge row contains exactly four badges in order: CI, E2E Gate, Latest Release, License. Remove the orphaned "Credibility" heading (badges no longer live under it).
+- [X] T006 [US1] Author the `## 30-second mental model` section in `README.md` (≤200 words, per FR-001 §3, SC-003). Cover: host-native convergence, systemd/Quadlet centricity, declarative reconciliation, Git-driven operation. Section heading must appear within the first 120 lines.
+- [X] T007 [US1] Compress philosophy sections in `README.md` to declared budgets per FR-001: "Why CoreOps exists" (≤15 lines), "What CoreOps is not" (≤12 lines), "AI authorship" (≤12 lines).
+- [X] T008 [US1] Fold the existing "Credibility" *table* (artifacts row + verification environment row) + "Minimal Trust Story" + "Release & Verification Model" sections into a single `## Trust and release model` section in `README.md` per FR-001 §10. Preserve the verification-environment row's identifier (`fedora-coreos-self-hosted@2026-04-fcos`) verbatim.
+- [X] T009 [US1] Insert anchor placeholders in `README.md` for Phase 4 and Phase 5 to fill: a `## Architecture` heading with a one-line note (filled by US3 T017/T018) and a `## What using CoreOps feels like` heading with a one-line note (filled by US2 T013/T016). The placeholders are valid markdown but explicitly note "[populated by US2/US3 implementation]" so the MVP is parseable as-is.
+- [X] T010 [US1] Verify intermediate state of `README.md` after T004–T009: `wc -l README.md` ≤ 400 (SC-001); `grep -c '^## 30-second mental model' README.md` returns 1 (SC-003); `grep -ciE '(enterprise-ready|industry-leading|production-grade|🚀)' README.md` returns 0 (SC-008). Fix any failure before proceeding to Phase 4/5.
+
+**Checkpoint**: US1 MVP complete. The README is structurally restructured even without US2's walkthrough or US3's Mermaid block. Architecture and Walkthrough sections are placeholders.
+
+---
+
+## Phase 4: User Story 2 — Operator sees what `core-ops plan` does before installing (Priority: P2)
+
+**Goal**: A first-time reader sees concrete, deterministic CLI output evidence in the README walkthrough section before installing anything. The static plan-output and idempotent re-run blocks come from real invocations; the asciinema recording carries apply and status motion.
+
+**Independent Test**: README walkthrough section contains exactly two fenced code blocks (one plan output, one re-run "no changes"), combined ≤ ~25 lines, every non-elided line reproducible from a real `core-ops plan` invocation. `docs/onboarding.cast` exists, asciicast v2 header reports duration ≤ 90 s, sanitization stop-list grep returns 0.
+
+> **Depends on**: T003 (regeneration script must exist before T014 can record).
+
+### Implementation for User Story 2
+
+- [X] T011 [P] [US2] Run `core-ops plan --source-repo examples/03-immich --host example` against post-018 master tree on a clean host (no prior apply against `--host example`); capture output verbatim into a working buffer for T013. Note the recognizable Quadlet unit identifiers from `examples/03-immich/services/` (e.g., `immich-server.container`, `immich-internal.network`, `immich-public.network`, `immich-database.container`, `immich-redis.container`, `immich-ml.container`, `traefik-edge.container`) for reference under SC-007.
+- [X] T012 [US2] Run `core-ops apply --source-repo examples/03-immich --host example` on a sanitized test host, then run `core-ops plan --source-repo examples/03-immich --host example` a second time; capture the idempotent "no changes" output (per FR-006 second block). Output goes to a working buffer for T013. **Not marked [P]**: shares the `--host example` state with T011 — apply mutates host state that T011's pre-apply plan reads. Run T012 after T011 completes (sequential), or use a fresh isolated host to safely parallelize.
+- [X] T013 [US2] Author the `## What using CoreOps feels like` section in `README.md` (replacing the placeholder T009 inserted): one short intro paragraph naming the canonical command; first fenced code block from T011 (plan output, elide repeats with `...` lines, keep recognizable unit identifiers); second fenced code block from T012 (idempotent re-run); both blocks verbatim from real invocations per FR-006. Combined non-blank line count SHOULD be ≤ ~25 (SC-007b). No paraphrasing.
+- [X] T014 [US2] Execute `docs/onboarding-script.sh` (T003) to record `docs/onboarding.cast`. Verify with `head -n 1 docs/onboarding.cast | jq '.version'` returns `2` (SC-005), `head -n 1 docs/onboarding.cast | jq '.duration'` returns ≤ 90 (SC-005a), and `asciinema play docs/onboarding.cast` plays end-to-end. If duration > 90 s, narrow the demo scope per FR-007 (skip status, skip re-run, drop a service) — DO NOT extend the cap.
+- [X] T015 [US2] Run sanitization stop-list grep: `grep -iE '(not\.one|ulthar|192\.168\.|10\.0\.|172\.16\.)' docs/onboarding.cast docs/onboarding-script.sh` MUST return zero matches (SC-006a, FR-009a). If matches found, re-record with a cleaner shell environment (env-scrub hostname, paths, any leaked private values).
+- [X] T016 [US2] Append a link to `docs/onboarding.cast` from the walkthrough section in `README.md` (e.g., `**Recording**: [docs/onboarding.cast](docs/onboarding.cast) — play locally with \`asciinema play\``). Confirm no `<script>` tag, no `<iframe>`, and no `https://asciinema.org/...js` reference in the README diff (FR-013).
+
+**Checkpoint**: US2 complete. Walkthrough section is fully populated with verbatim output blocks plus the in-tree recording link. Static fallback covers determinism + idempotence even for readers without asciinema tooling.
+
+---
+
+## Phase 5: User Story 3 — Operator visualizes Git → host convergence (Priority: P2)
+
+**Goal**: A reader on GitHub sees a Mermaid block depicting the high-level flow (Git → core-ops → systemd/Quadlet → host) with audit/status as side outputs. A reader on a non-Mermaid renderer can recover the same architecture from the surrounding prose.
+
+**Independent Test**: README contains a `mermaid` fenced code block with ≥ 4 nodes including the substrings `Git`, `core-ops`, `systemd`. The surrounding `## Architecture` prose names the same four nodes and the flow direction in plain text (per US3-AC-3). Mermaid block renders correctly on the GitHub PR preview.
+
+> **Independent of US2** — can run in parallel with Phase 4 if labor available.
+
+### Implementation for User Story 3
+
+- [X] T017 [US3] Author the Mermaid block in `README.md` `## Architecture` section (replacing the placeholder T009 inserted). Suggested structure (matching the recommended preview from clarification):
+  ```mermaid
+  flowchart LR
+    GIT[Git repository<br/>services/ + hosts/]
+    CORE[core-ops<br/>plan / apply / explain]
+    STATE[systemd + Quadlet units<br/>generated state]
+    HOST[host<br/>systemd-managed services]
+    AUDIT[(audit + status<br/>JSON snapshot)]
+    GIT --> CORE
+    CORE --> STATE
+    STATE --> HOST
+    CORE -.-> AUDIT
+    HOST -.-> AUDIT
+  ```
+  Verify FR-004: ≥ 4 nodes, contains substrings `Git`, `core-ops`, `systemd`. Audit/status edges use dashed `-.->` syntax to signal side-output status.
+- [X] T018 [US3] Author 2–4 lines of prose in `## Architecture` immediately around the Mermaid block (per US3-AC-3): name the four nodes (`Git repository`, `core-ops`, `systemd + Quadlet units`, `host`), the side-output (`audit + status`), and the flow direction (left-to-right) in plain text. The architecture must be recoverable when Mermaid fails to render.
+- [X] T019 [US3] Push the branch and open a draft PR; verify on the GitHub PR preview that the Mermaid block renders as a diagram (not as a raw fenced code block). Adjust syntax if rendering fails (e.g., move `<br/>` placement, simplify node labels). Manual visual verification — not a CI gate.
+
+**Checkpoint**: US3 complete. The Mermaid diagram renders on GitHub; the prose covers non-Mermaid renderers.
+
+---
+
+## Phase 6: User Story 4 — Future maintainer preserves operational-first ordering (Priority: P3)
+
+**Goal**: A future contributor adding a section to the README has a runnable structural checklist that catches deviations from FR-001 ordering, FR-002 badge row, FR-003 line budget, FR-013 third-party-JS prohibition, FR-014 stop-list, FR-009a sanitization rule.
+
+**Independent Test**: A reviewer running every command in `specs/018-adoption-readiness/checklists/readme-structure.md` against the post-implementation tree gets all-pass results.
+
+### Implementation for User Story 4
+
+- [X] T020 [US4] Populate `specs/018-adoption-readiness/checklists/readme-structure.md` (skeleton from T001) with one runnable check per FR/SC: line-budget (`wc -l README.md` ≤ 400), badge-row composition (4 badges, no others promoted), mental-model heading existence + position, Mermaid block existence + node substrings, walkthrough two-block + line budget, sanitization stop-list grep, hype stop-list grep, link-target resolve check (every pre-018 link still resolves), no third-party JS embed (`grep -E '(asciinema\.org/.*\.js|<iframe|<script)' README.md` returns 0). Each check labeled with the FR/SC it verifies.
+
+**Checkpoint**: US4 complete. Structural contract is documented and runnable.
+
+---
+
+## Phase 7: Polish & Cross-Cutting Concerns
+
+**Purpose**: Final structural validation, dogfooding pass, synthesis writing, release-governance verification.
+
+- [X] T021 [P] Final structural pass: `wc -l README.md` ≤ 400 (SC-001); `grep -c '^## 30-second mental model' README.md` = 1 (SC-003); `grep -c '```mermaid' README.md` ≥ 1 (SC-004).
+- [X] T022 [P] Final stop-list pass: `grep -ciE '(enterprise-ready|industry-leading|production-grade|🚀)' README.md` = 0 (SC-008).
+- [X] T023 [P] Final link-resolve pass: confirm every pre-018 README link target still resolves — `LICENSE`, `CHANGELOG.md`, `CODE_OF_CONDUCT.md`, `docs/development.md`, each `examples/<NN-slug>/README.md` for NN ∈ {01,02,03,04,05} (SC-009). Use a one-liner: `grep -oE '\]\(([^)]+)\)' README.md | sed -E 's/\]\(|\)//g' | xargs -I{} test -e {} || echo "{} missing"`.
+- [X] T024 [P] Final no-source-touched pass: `git diff master..HEAD --stat -- src/ .github/workflows/ examples/ LICENSE` returns empty (SC-010, FR-017). `Cargo.toml`, `Cargo.lock`, and `tests/` are excluded from this check per the FR-017 carve-out (governance-driven version bump + mechanical fixture maintenance for FR-001 section renames).
+- [ ] T025 Dogfooding pass per SC-011 / FR Clarification Q4: after a cooling-off period of ≥ 24 h since the last `README.md` edit, open the rendered `README.md` on the GitHub PR preview cold. Time-box: 5 minutes for the read. Then write down — verbatim, without re-consulting the README — what was taken away in answer to "What does CoreOps do and what does running it look like?" Capture the answer in `specs/018-adoption-readiness/synthesis.md` under the "Dogfooding pass" heading. Assess pass/fail per US1's Independent Test (must reference: host-native systemd/Quadlet convergence; Git → core-ops → systemd flow; ≥ 1 CLI command seen; sense of project credibility from badges/version).
+- [ ] T026 Author the body of `specs/018-adoption-readiness/synthesis.md` (skeleton from T002) per SC-012: address proposal §9 questions — (a) did onboarding clarity materially improve, (b) what adoption/trust gaps remain, (c) does the repository now communicate the operational experience more effectively. Operator-attested answers; reference T025 outcome explicitly.
+- [X] T027 Run `cargo run --bin core-ops-release -- validate --base-ref master` from repo root; confirm `Outcome: passed` and `Classification: exempt` with `Applied Rules: always_exempt_documentation_or_formatting`. If `CHANGELOG aligned: no`, run `cargo run --bin core-ops-release -- changelog --write` and re-validate.
+- [ ] T028 Open the implementation PR; the description references this `tasks.md`, links the rendered Mermaid block (already verified in T019), and links `docs/onboarding.cast` for reviewer playback. Confirm CI green (no Rust changes, so `ci.yml` is fast-path; the release-governance step passes per T027).
+
+---
+
+## Dependencies & Execution Order
+
+### Phase dependencies
+
+- **Phase 1 (Setup)**: No dependencies — T001 and T002 can start immediately and run in parallel.
+- **Phase 2 (Foundational)**: T003 depends on Phase 1 completion (script lives alongside the spec scaffold). Blocks T014 in Phase 4 (recording requires the script).
+- **Phase 3 (US1, P1, MVP)**: Depends on Phase 2 completion. T004–T009 are sequential (all touch `README.md`); T010 depends on T004–T009.
+- **Phase 4 (US2)**: Depends on Phase 3 completion (walkthrough placeholder must exist before T013 fills it). T011 and T012 are sequential by default (T011 before T012) since they share `--host example` state on a single host; only safely parallel on isolated hosts. T013 depends on both. T014 depends on T003 + T013. T015 depends on T014. T016 depends on T015.
+- **Phase 5 (US3)**: Depends on Phase 3 completion (architecture placeholder must exist). T017 → T018 → T019 sequential.
+- **Phase 6 (US4)**: Depends on Phase 1 completion (skeleton from T001) and ideally on Phase 3/4/5 (so the checklist can encode the actual final structure). Recommend running after Phase 4 and Phase 5 land.
+- **Phase 7 (Polish)**: Depends on all prior phases. T021–T024 can run in parallel. T025 has a 24-hour cool-off prerequisite. T026 depends on T025. T027 depends on the final commit. T028 depends on T027.
+
+### User story dependencies
+
+- **US1 (P1)** restructures the README and inserts placeholders. Must complete before US2 / US3 fill the placeholders.
+- **US2 (P2)** and **US3 (P2)** are independent of each other once US1 is done — can run in parallel.
+- **US4 (P3)** is independent of US2/US3 in spirit but the checklist's runnable commands assume the final shape, so author after US1/US2/US3 land.
+
+### Parallel opportunities
+
+- T001 ∥ T002 (different files in `specs/018-adoption-readiness/`).
+- ~~T011 ∥ T012~~ — sequential by default (shared `--host` state); only safely parallel on isolated hosts.
+- US2 (Phase 4) ∥ US3 (Phase 5) once Phase 3 lands.
+- T021 ∥ T022 ∥ T023 ∥ T024 (independent grep / wc / link checks).
+
+---
+
+## Implementation Strategy
+
+### MVP first (US1 only)
+
+1. Phase 1 (T001, T002) → spec scaffold.
+2. Phase 2 (T003) → asciinema regeneration script.
+3. Phase 3 (T004–T010) → README structurally restructured with placeholders.
+4. **STOP and VALIDATE**: T010 confirms ≤ 400 lines, mental model heading present, no stop-list terms.
+5. Open as a draft PR. The MVP is shippable: badges promoted, mental model present, examples elevated, philosophy compressed. Architecture and walkthrough are explicit placeholders.
+
+### Incremental delivery
+
+After MVP:
+
+1. Land US3 (Phase 5: T017–T019) → Mermaid renders on GitHub PR preview.
+2. Land US2 (Phase 4: T011–T016) → walkthrough blocks populated, recording committed.
+3. Land US4 (Phase 6: T020) → checklist for future maintainers.
+4. Polish (Phase 7: T021–T028) → final structural pass, dogfooding, synthesis, validate, PR open.
+
+### Solo author strategy
+
+This iteration is single-author. The dogfooding step (T025) is self-attestation per Clarification Q4 — no external operator required. Schedule the 24-hour cool-off explicitly: complete T021–T024 on day N, sleep, run T025 on day N+1.
+
+---
+
+## Notes
+
+- **No new tests authored** per FR-019. The verification surface is `specs/018-adoption-readiness/checklists/readme-structure.md` (T020), not CI. Existing integration tests and fixtures may receive mechanical maintenance updates per the FR-017 carve-out when README section names change (FR-001) or when fixtures pin the bumped Cargo.toml version (`packaged_readme_surface` carve-out).
+- **No Rust source changes** → no `cargo test` / `cargo clippy` tasks specific to spec/018. Existing gates remain authoritative; if mechanical fixture maintenance lands, run `cargo test` and `cargo clippy --all-targets -- -D warnings` to confirm the codebase remains green.
+- **Release governance**: `release_intent: patch` in `changes/018-adoption-readiness.md` (already created). Validates as exempt under `always_exempt_documentation_or_formatting`. CHANGELOG.md re-rendered via `core-ops-release changelog --write` and re-validated by T027.
+- **`Cargo.toml` patch bump (2.2.0 → 2.2.1) is required** by the `packaged_readme_surface` release-governance rule because `README.md` ships in published release bundles (see `decision_018-packaged-readme-surface-cargo-bump`). FR-017 was relaxed mid-implementation to permit this.
+- **No VM-backed scenario**: explicitly exempted in spec/plan Constitution Alignment under Principle 10 (no externally visible host behavior change).
+- Update task checkboxes (`- [ ]` → `- [X]`) as work lands per memory feedback (`feedback_speckit_tasks_checklist.md`): per-task, not batched at session end.
+- Commit per logical group (one task or one tightly-coupled cluster). Conventional commit format `docs(spec/018): ...`.
diff --git a/tests/fixtures/distribution/entrypoint-snapshot.md b/tests/fixtures/distribution/entrypoint-snapshot.md
index c2e19dd..ae5d435 100644
--- a/tests/fixtures/distribution/entrypoint-snapshot.md
+++ b/tests/fixtures/distribution/entrypoint-snapshot.md
@@ -1,14 +1,14 @@
 # CoreOps Entrypoint Snapshot
 
-Required stable sections:
+Required stable sections (post-spec/018 FR-001 ordering):
 
-- What is CoreOps?
-- Why CoreOps Exists
-- What CoreOps Is Not
-- Credibility
-- Target Audience
-- Supported Systems
-- AI Authorship
-- Minimal Trust Story
-- Installation (Current Phase)
-- Release & Verification Model
+- 30-second mental model
+- Architecture
+- What using CoreOps feels like
+- Real-world examples
+- Quick start
+- Why CoreOps exists
+- What CoreOps is not
+- Trust and release model
+- AI authorship
+- Target audience · License · Further reading
diff --git a/tests/fixtures/provenance_state/valid-success.json b/tests/fixtures/provenance_state/valid-success.json
index dd86955..6e08677 100644
--- a/tests/fixtures/provenance_state/valid-success.json
+++ b/tests/fixtures/provenance_state/valid-success.json
@@ -1,7 +1,7 @@
 {
   "schema_version": 1,
   "controller": {
-    "version": "2.2.4",
+    "version": "2.2.5",
     "revision": "8f3c2ab",
     "build_time": "2026-03-23T10:00:00Z",
     "tree_state": "clean"
diff --git a/tests/integration/test_distribution_credibility.rs b/tests/integration/test_distribution_credibility.rs
index 4425a45..35ca188 100644
--- a/tests/integration/test_distribution_credibility.rs
+++ b/tests/integration/test_distribution_credibility.rs
@@ -16,7 +16,9 @@ fn credibility_surface_matches_release_metadata_fixture() {
     )
     .expect("parse release metadata");
 
-    assert!(readme.contains("## Credibility"));
+    // Per spec/018 FR-001 §10, the standalone `## Credibility` heading was folded into
+    // `## Trust and release model`; the artifact-availability table moved with it.
+    assert!(readme.contains("## Trust and release model"));
     // Live badges replaced the static release identity, gate status, and verification status values
     assert!(readme.contains("actions/workflows/ci.yml/badge.svg"), "missing CI badge");
     assert!(readme.contains("actions/workflows/e2e-gate.yml/badge.svg"), "missing E2E gate badge");
@@ -34,8 +36,9 @@ fn credibility_snapshot_fixture_lists_stable_sections() {
     )
     .expect("read entrypoint snapshot");
 
-    assert!(contents.contains("Credibility"));
-    assert!(contents.contains("Installation (Current Phase)"));
-    assert!(contents.contains("Release & Verification Model"));
-    assert!(contents.contains("Supported Systems"));
+    // Spec/018 FR-001 ordering — the snapshot tracks the post-restructure section names.
+    assert!(contents.contains("30-second mental model"));
+    assert!(contents.contains("Architecture"));
+    assert!(contents.contains("What using CoreOps feels like"));
+    assert!(contents.contains("Trust and release model"));
 }
diff --git a/tests/integration/test_distribution_entrypoint.rs b/tests/integration/test_distribution_entrypoint.rs
index 486b41b..a31a127 100644
--- a/tests/integration/test_distribution_entrypoint.rs
+++ b/tests/integration/test_distribution_entrypoint.rs
@@ -9,18 +9,19 @@ fn repo_root() -> std::path::PathBuf {
 fn readme_contains_required_entrypoint_sections() {
     let contents = fs::read_to_string(repo_root().join("README.md")).expect("read README");
 
+    // Spec/018 FR-001 12-section ordering (post-restructure).
     for heading in [
         "# CoreOps",
-        "## What is CoreOps?",
-        "## Why CoreOps Exists",
-        "## What CoreOps Is Not",
-        "## Credibility",
-        "## Target Audience",
-        "## Supported Systems",
-        "## AI Authorship",
-        "## Minimal Trust Story",
-        "## Installation (Current Phase)",
-        "## Release & Verification Model",
+        "## 30-second mental model",
+        "## Architecture",
+        "## What using CoreOps feels like",
+        "## Real-world examples",
+        "## Quick start",
+        "## Why CoreOps exists",
+        "## What CoreOps is not",
+        "## Trust and release model",
+        "## AI authorship",
+        "## Target audience · License · Further reading",
     ] {
         assert!(contents.contains(heading), "missing heading: {heading}");
     }
diff --git a/tests/integration/test_distribution_installation.rs b/tests/integration/test_distribution_installation.rs
index 8a4a3a9..520d3f4 100644
--- a/tests/integration/test_distribution_installation.rs
+++ b/tests/integration/test_distribution_installation.rs
@@ -9,7 +9,8 @@ fn repo_root() -> std::path::PathBuf {
 fn readme_documents_binary_installation_sequence() {
     let contents = fs::read_to_string(repo_root().join("README.md")).expect("read README");
 
-    assert!(contents.contains("## Installation (Current Phase)"));
+    // Per spec/018 FR-001 §7, "Installation (Current Phase)" was folded into "Quick start".
+    assert!(contents.contains("## Quick start"));
     assert!(contents.contains("x86_64"));
     assert!(contents.contains("aarch64"));
     assert!(contents.contains("core-ops-linux-<arch>.tar.gz"));