docs: add node infrastructure concept page (Batch 2)

[marc0olo]

Summary

• Creates docs/concepts/node-infrastructure.md with full migration of two Learn Hub articles: IC-OS overview (SetupOS, HostOS, GuestOS) and Trusted Execution Environments
• TEE section covers: SEV-SNP memory encryption, VM launch measurements, attestation reports (including node-to-node and external attestation paths), sealing keys, disk partition layout table (A/B sets, which partitions are encrypted and why), traditional-vs-sealing-key encryption history, HKDF/LUKS key derivation, full 7-step GuestOS upgrade process with Upgrade VM and mutual attestation, and full emergency recovery section (manual rollback with NNS proposal steps + Recovery-GuestOS mechanism with upgrade-vs-recovery comparison table)
• Adds 3 images from Learn Hub: TEE architecture overview (tee-overview.jpg), SEV-SNP attestation report diagram (tee-attestation-report.svg), SEV-SNP key derivation diagram (tee-key-derivation.svg)
• Adds concepts/node-infrastructure to the explicit Concepts sidebar after app-architecture
• Updates docs/concepts/https-outcalls.md: replaces the Learn Hub TEE link with the new internal path; removes a stale Learn Hub further-reading link for the skipped HTTPS Outcalls article

Staging files deleted

• .migration/learn-hub/how-does-icp-work/node-infrastructure/overview.md → docs/concepts/node-infrastructure.md
• .migration/learn-hub/how-does-icp-work/node-infrastructure/trusted-execution-environments.md → docs/concepts/node-infrastructure.md#trusted-execution-environments

Sync recommendation

hand-written

[marc0olo]

Review notes

Content and links look good. One soft dependency to note:

Dependency on #209: The "Further reading" section links to protocol/index.md, which only exists once PR #209 merges. Not a hard build failure, but the link will be dead until then. Consider merging after #209 or temporarily removing the link and adding it back post-merge.

No other issues: no banned patterns, frontmatter complete, Learn Hub TEE link correctly replaced with the internal node-infrastructure.md#trusted-execution-environments path, <!-- Upstream: --> comment present.

[marc0olo]

Two items to address before merging:

1. Em-dash on line 89 (banned project-wide)

The "Further reading" bullet uses an em-dash, which is banned per project style rules:

- [Protocol Stack](protocol/index.md) — the replica software that runs inside GuestOS

Fix:

- [Protocol Stack](protocol/index.md): the replica software that runs inside GuestOS

2. Soft dependency on PR #209

The link to protocol/index.md will be a dead link until PR #209 merges and that page exists. Recommend merging this PR after #209 to avoid a temporarily broken link.

[marc0olo]

Feedback addressed:

• Replaced em-dash with colon in node-infrastructure.md line 89 Further reading bullet

Note on the soft dependency: the link to protocol/index.md will still be dead until PR #209 merges. Since #209 is now ready, recommend merging #209 first then this one.

[marc0olo]

Brand voice audit applied. The following fixes were committed in 7fe7c79:

Fixed automatically:

• node-infrastructure.md: expanded NNS on first occurrence ("pushed by the NNS" → "pushed by the Network Nervous System (NNS)")
• node-infrastructure.md: replaced banned term "workload" ("untrusted workload running in a virtual machine" → "untrusted process running in a virtual machine")

No other brand issues found: no blockchain comparisons, no em-dashes, no "reverse gas model", no DAO, no "on-chain"/"cross-chain"/"full-stack" with hyphens, no "token" used as a primary descriptor.

[marc0olo]

After PR #209 merges:

1. Add { slug: "concepts/node-infrastructure" } to sidebar.mjs after { slug: "concepts/app-architecture" } in the explicit Concepts items list
2. Update Further reading to restore: - [Protocol Stack](protocol/index.md): the replica software that runs inside GuestOS