diff --git a/Technical_Decomp_Cache.md b/Technical_Decomp_Cache.md
new file mode 100644
index 0000000..3c42bb7
--- /dev/null
+++ b/Technical_Decomp_Cache.md
@@ -0,0 +1,25 @@
+## enroll/cache.py
+
+### HarvestCache (frozen dataclass)
+
+Purpose: a small wrapper around a directory path representing a locally stored harvest bundle.
+
+#### Field:
+
+dir: Path: the bundle directory.
+
+#### Property:
+
+state_json -> Path: returns dir / "state.json".
+
+#### Lifecycle / where it’s used:
+
+Created by `new_harvest_cache_dir(hint=...)` when the CLI wants a safe default output location (especially for SOPS encrypted outputs).
+
+It’s a "typed return value" so callers don’t pass raw strings around.
+
+#### Security behavior around it:
+
+`new_harvest_cache_dir()` builds a directory under `~/.local/cache/enroll/harvest` (or `$XDG_CACHE_HOME/enroll/harvest`).
+
+Uses mkdtemp() to avoid predictable paths and forces 0700 permissions (best-effort).
\ No newline at end of file