diff --git a/README.md b/README.md
index 477f4cf..23539fd 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ Secrets are age-encrypted with field-level selective encryption. The `.sops.yaml
 ### sops-secrets-operator validation path
-`bootstrap/` installs `sops-secrets-operator` as the highest-priority child Application (`sync-wave: "-2"`) and waits for its CRD before the existing KSOPS-dependent waves continue. This is intentionally additive: KSOPS remains active until KMS-backed `SopsSecret` resources are proven and every existing age-encrypted Secret has been ported.
+`operators/` installs `sops-secrets-operator` as the highest-priority child Application within the actively reconciled `gitops-operators` tree (`sync-wave: "-2"`). This is intentionally additive: KSOPS remains active until KMS-backed `SopsSecret` resources are proven and every existing age-encrypted Secret has been ported.
 Future KMS-backed `SopsSecret` manifests should use the SOPS KMS recipient managed by the [`makeitworkcloud/tfroot-aws`](https://github.com/makeitworkcloud/tfroot-aws) repository with `encrypted_suffix: Templates`. Do not copy raw KMS key identifiers into docs or chat; use the applied OpenTofu output locally when encrypting migration manifests.
diff --git a/bootstrap/kustomization.yaml b/bootstrap/kustomization.yaml
index aabe143..39ef060 100644
--- a/bootstrap/kustomization.yaml
+++ b/bootstrap/kustomization.yaml
@@ -2,9 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- # Wave -2/-1: Install sops-secrets-operator before every other GitOps child.
- - sops-secrets-operator-app.yaml
- - wait-for-sops-secrets-operator.yaml
 # Wave 0: Configure ArgoCD (KSOPS + GitHub OAuth + RBAC)
 # NOTE: cluster-admin ClusterRoleBinding is managed by ansible-role-crc
 # (ArgoCD cannot grant itself permissions it doesn't have)
diff --git a/bootstrap/wait-for-sops-secrets-operator.yaml b/bootstrap/wait-for-sops-secrets-operator.yaml
deleted file mode 100644
index dd75de1..0000000
--- a/bootstrap/wait-for-sops-secrets-operator.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-# Sync hook that blocks lower-priority bootstrap waves until the replacement
-# SOPS operator CRD is available. Do not wait for SopsSecret reconciliation here:
-# KMS-backed SopsSecret migration is a later step after ambient AWS auth exists.
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: wait-for-sops-secrets-operator
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-wave: "-1"
- argocd.argoproj.io/hook: Sync
- argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded
- ignore-check.kube-linter.io/non-existent-service-account: "SA created by GitOps operator"
- ignore-check.kube-linter.io/latest-tag: "bitnami/kubectl:latest is acceptable for a one-shot bootstrap wait Job"
-spec:
- ttlSecondsAfterFinished: 300
- backoffLimit: 30
- activeDeadlineSeconds: 900
- template:
- spec:
- serviceAccountName: argocd-argocd-application-controller
- restartPolicy: Never
- securityContext:
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: wait
- image: bitnami/kubectl:latest
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
-
- echo "Waiting for sops-secrets-operator CRD..."
- until kubectl get crd sopssecrets.isindir.github.com >/dev/null 2>&1; do
- echo "Waiting for sopssecrets.isindir.github.com CRD..."
- sleep 10
- done
-
- echo "sops-secrets-operator CRD is ready"
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- resources:
- requests:
- cpu: 10m
- memory: 64Mi
- limits:
- memory: 128Mi
diff --git a/operators/kustomization.yaml b/operators/kustomization.yaml
index 30ce061..aad1395 100644
--- a/operators/kustomization.yaml
+++ b/operators/kustomization.yaml
@@ -3,6 +3,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - sops-secrets-operator
 - arc
 - cert-manager
 - cloudflare
diff --git a/bootstrap/sops-secrets-operator-app.yaml b/operators/sops-secrets-operator/application.yaml
similarity index 76%
rename from bootstrap/sops-secrets-operator-app.yaml
rename to operators/sops-secrets-operator/application.yaml
index c477a94..e57c503 100644
--- a/bootstrap/sops-secrets-operator-app.yaml
+++ b/operators/sops-secrets-operator/application.yaml
@@ -1,7 +1,7 @@
 ---
-# Highest-priority child Application for validating a KSOPS replacement path.
-# The operator must exist before any future KMS-backed SopsSecret workloads are
-# introduced, so it deliberately syncs before the ArgoCD/KSOPS wave 0 resources.
+# Installs sops-secrets-operator from the actively reconciled gitops-operators
+# Application. This only installs the CRD/controller; KMS-backed SopsSecret
+# reconciliation needs follow-up ambient AWS auth.
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -24,7 +24,7 @@ spec:
 namespaced: false
 resources: {}
 extraEnv:
- # SOPS can infer the region from the KMS ARN, but setting the SDK
+ # SOPS can infer the region from KMS recipients, but setting the SDK
 # region keeps AWS client startup deterministic in the k3s cluster.
 - name: AWS_REGION
 value: us-west-2
diff --git a/operators/sops-secrets-operator/kustomization.yaml b/operators/sops-secrets-operator/kustomization.yaml
new file mode 100644
index 0000000..a4740e6
--- /dev/null
+++ b/operators/sops-secrets-operator/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - application.yaml
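Review bot: The new `- sops-secrets-operator` entry is placed ahead of `arc` in a list that otherwise reads alphabetically (`arc`, `cert-manager`, `cloudflare`), which suggests its position is meant to express priority. Position in a kustomize resources list does not drive Argo CD sync order; the `sync-wave: "-2"` annotation on the Application (as the README hunk describes) does, so the entry can sit in alphabetical position with a comment such as `# syncs first via its sync-wave annotation; list order is not significant`. The resources list continues past the end of the hunk.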
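Review bot: The rewritten header comment no longer states what ordering guarantee this Application still provides now that the bootstrap wait Job is deleted in the same commit. That Job blocked later bootstrap waves until `sopssecrets.isindir.github.com` existed; after this change the `sync-wave: "-2"` annotation mentioned in the README presumably only orders this child ahead of its siblings under `gitops-operators`, and nothing blocks other trees on the CRD. I would extend the comment with a line such as `# No wait hook remains: any KMS-backed SopsSecret must sync in a later wave of this tree, or its Application will likely fail on the unknown kind until the CRD exists.` The Application's metadata and spec continue outside the hunk.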