diff --git a/arch.md b/arch.md new file mode 100644 index 0000000..b3bfea7 --- /dev/null +++ b/arch.md 
@@ -0,0 +1,65 @@ +## Arch + +![](./arch.png) + +## Components + +- **EFI Image** + Minimal kernel providing a boot environment and network setup. + +- **Identity** + Manages node lifecycle: registration, updates, and identity. + +- **Supervisor** + Message router for registration procedures and authentication. + +- **Runners** + Workers listening on a job queue to execute tasks like VM CRUD operations. + +- **SALs (System Abstraction Layers)** + Wrappers around tools such as `cloud-hypervisor`, `btrfs`, and networking utilities. + +- **Coord (Coordinator)** + Workflow manager that selects the supervisor and ensures task completion. + +- **Ledger** + Centralized registration service for nodes, identity manager for users, and persistent store. + +- **Rhai Scripts** + Minimal scripts to execute high-level operations like VM deployment. + +--- + +## Node Lifecycle Flow + +1. Build and push the **EFI image** to the bootstrap system. +2. Bootstrap flashes the image on a USB stick or generates an iPXE image. +3. Once booted and network is set up, the **Identity Manager** triggers. +4. Identity Manager contacts the centralized control plane (**Ledger/Coord**) for registration. +5. Node state (identity and keys) is saved, and uptime reports are sent periodically. + +--- + +## Deployment Flow + +1. Client prepares a signed **Rhai script** with deployment specs, including loops and logic. +2. Script is sent to the **Coord**, which federates it to the relevant **Supervisor**, tracking execution and retries. +3. **Supervisor** verifies signatures, validates the script, and places jobs into the **Redis queue**. +4. Multiple **Runners** pick jobs from the queue and execute the corresponding **SALs**. + +--- + +## Features and Workloads + +### Networking +- Only Mycelium supported. +- No WireGuard/Yggdrasil/public overlays (public IPs only for gateway nodes). 
+ +### Workloads +- Machines (VMs/containers) +- HeroDB +- Potential gateway support in the future (centralized Traefik) +- No QSFS/ZDB support + +### Filesystem +- Btrfs diff --git a/arch.png b/arch.png new file mode 100644 index 0000000..13fb56d Binary files /dev/null and b/arch.png differ
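Review bot: In the Deployment Flow hunk, step 3 says the Supervisor "verifies signatures" on the client's Rhai script, but the Components list never says which keys it trusts or where they come from; the nearest candidate is the Ledger's role as "identity manager for users", so consider adding a line under **Supervisor** or **Ledger** stating that client signing keys are registered with the Ledger and that the Supervisor rejects scripts not signed by a registered key. The same hunk names a **Redis queue** in step 3 that is absent from the Components list, while the Node Lifecycle says "node state (identity and keys) is saved" without saying where or how that key material is protected; adding a **Redis queue** component entry and a short note on where node keys live would make the diagram's trust boundaries readable from the text alone.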