diff --git a/README.md b/README.md index 7097d6d..dfca476 100644 --- a/README.md +++ b/README.md @@ -45,8 +45,8 @@ This is a **Kubernetes cluster bootstrapping and GitOps configuration repository ## Architecture & Key Concepts ### GitOps Model -- **App-of-Apps Pattern**: `infra/_app-of-apps.yaml` is the root Application that manages all infrastructure applications -- **App-of-Apps Pattern**: `apps/_app-of-apps.yaml` is the root Application that manages all custom applications +- **App-of-Apps Pattern**: `_app-of-apps.yaml` is the root Application that manages all infrastructure applications +- **App-of-Apps Pattern**: `infra/enterprise-apps.yaml` is the main Application that manages all custom applications - **Source of Truth**: GitHub repository (`https://github.com/snothub/sturdy-adventure.git`) is the single source of truth - **Auto-sync**: All Applications have automated sync enabled with auto-pruning and self-healing - **Namespace Creation**: `CreateNamespace=true` allows ArgoCD to create namespaces as needed diff --git a/cluster-resources/policies/secret-cloner.yaml b/cluster-resources/policies/secret-cloner.yaml new file mode 100644 index 0000000..d7cd791 --- /dev/null +++ b/cluster-resources/policies/secret-cloner.yaml 
@@ -0,0 +1,71 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:view + labels: + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:manage + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - update + - delete +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: sync-secret-with-multi-clone +spec: + rules: + - name: sync-secrets + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - trivy-system + - monitoring + - argocd + - cert-manager + - kyverno + - default + - cilium-secrets + - kube-public + - kyverno + generate: + generateExisting: false + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + namespace: secrets + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true"
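Review bot: in the README hunk, both bullets under "GitOps Model" still carry the **App-of-Apps Pattern** label, but the second now describes `infra/enterprise-apps.yaml` as the "main Application" for custom applications, so the label no longer fits; give that bullet its own label (e.g. **Enterprise Apps**) and confirm that both `_app-of-apps.yaml` at the repository root and `infra/enterprise-apps.yaml` exist in the tree. The same PR adds `cluster-resources/policies/secret-cloner.yaml`, yet the README is not updated to mention it; a line saying that Secrets in the `secrets` namespace labelled `allowedToBeCloned: "true"` are cloned into every new namespace would tell operators where those copied Secrets come from.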
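Review bot: the `exclude` list of the `sync-secrets` rule lists `kyverno` twice; drop the duplicate. The larger point is scope: with `synchronize: true` and a match on every `Namespace` not in the exclude list, anyone allowed to create a namespace receives a synced copy of every Secret in the `secrets` namespace carrying `allowedToBeCloned: "true"`, so that label acts as a publish-to-all-namespaces switch and the set of labelled Secrets should be kept minimal and documented. On RBAC, `kyverno:secrets:view` is aggregated to the admission, reports and background controllers and `kyverno:secrets:manage` grants cluster-wide create/update/delete on Secrets to the background controller; since the generate rule is executed by the background controller, confirm which controllers actually need get/list/watch on all Secrets and remove the aggregation labels that are not required. Two smaller checks: for the cluster-scoped `Namespace` kind, verify with the deployed Kyverno version that `resources.namespaces` in `exclude` is matched against the Namespace name, otherwise switch to `resources.names`; and `generateExisting: false` means pre-existing namespaces receive nothing, so state whether that is intended.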