From 27cf5e31534c8ad5c47b2a8cc6fa97ab7e665732 Mon Sep 17 00:00:00 2001 From: Svrnty Date: Sun, 24 May 2026 18:16:43 -0400 Subject: [PATCH] =?UTF-8?q?audit(cto):=20Wave=208=20PAUSE-walk=20=E2=80=94?= =?UTF-8?q?=20=C2=A712=20rows=20resolved?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit §12.1: SUPERSEDED by Wave 7 D2/Q2 (sandcastle promoted to schema v2 §4.6); confirmed Wave 8 §12.2: KEEP github-pat declared, DEFER vault provision until v2 PR-open lands (Wave 8 Q2) §12.3: L6-svrnty.core-credentials runtime mode CONFIRMED as-is (Wave 8 Q3) All 3 rows now resolved; PAUSE queue empty. Co-Authored-By: Claude Opus 4.7 (1M context) --- DISCLOSURE.md | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/DISCLOSURE.md b/DISCLOSURE.md index f5325fd..a9c14ba 100644 --- a/DISCLOSURE.md +++ b/DISCLOSURE.md @@ -144,9 +144,9 @@ No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest ` ## §12 Pending JP review -Rows surfaced by Wave-3 audit/recommendations but paused awaiting JP sign-off. These are NOT in the active `disclosure:` block yet. +Rows surfaced by Wave-3 audit/recommendations. All 3 rows resolved in **Wave-8 PAUSE-walk (2026-05-24)**. Retained for audit trail. -### §12.1 RESOLVED (Wave-7 D2 / Q2) — sandcastle promoted to canonical §6.5 +### §12.1 RESOLVED (Wave-7 D2 / Q2, confirmed Wave 8) — sandcastle promoted to canonical §6.5 Per Wave-7 Q2 decision (2026-05-25): the open question on (a) `sovereign_apis: cli` vs (b) schema §4.6 `external_orchestrators:` was resolved in favor of **(b)** — schema v2 added the `external_orchestrators:` surface (cleaner taxonomy, separates HTTP/gRPC sovereign APIs from CLI orchestrators with isolation semantics). 
@@ -154,25 +154,23 @@ Sandcastle now lives in: - `manifest.yaml → disclosure.external_orchestrators[0]` (schema v2) - §6.5 above (canonical disclosure section) -Row retained here for audit trail only. No JP action required. +### §12.2 RESOLVED (Wave 8) — `github-pat` credential declaration: **KEEP declared, defer vault provision** -### §12.2 KEEP — `github-pat` credential declaration (cred-adjacent PAUSE) +Per `RECOMMENDATIONS-cto-2026-05-24.md §5 K1`. **JP decision Wave 8 (2026-05-24): KEEP declared, defer vault provision until v2 PR-open path lands.** -Per `RECOMMENDATIONS-cto-2026-05-24.md §5 K1`. - -| Field | Proposed value | +| Field | Value | |---|---| | vault_name | `github-pat` | | status | `optional` | | scope | `read` | | used_by | `credbridge.sh` (case `gh)`), `lib/cto-worker.sh` (open-pr command) | -| governance | required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — `cto-worker.sh open-pr` fails-fast with documented error. Vault provisioning is JP's responsibility before first real PR-opening task. | +| governance | required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — `cto-worker.sh open-pr` fails-fast with documented error. JP materializes via `credctl set github-pat ` before first v2 PR task. | -**Open question for JP:** confirm KEEP declaration even though vault-absent? Recommendation: YES — v2 needs it; cto-worker.sh fails fast with a clear error if missing. Once approved, the cred row moves from §7 (empty) into the active `disclosure.credentials:` block. Pre-push check 6.d will then enforce `credctl list` exact-match. +**Materialization state:** declared in legacy `manifest.credentials.optional: [github-pat]` (line 134) for documentation. NOT yet in `disclosure.credentials:` active block (which is `[]` on line 267) — would trigger pre-push check 6.d failure since vault-absent. Row promotes from legacy → active disclosure once JP runs `credctl set github-pat `. 
-### §12.3 NOTE — `L6-svrnty.core-credentials` runtime mode +### §12.3 RESOLVED (Wave 8) — `L6-svrnty.core-credentials` runtime mode: **CONFIRM as-is** -Already KEEP at `invoked_at_runtime: true`, `mode: read+exec` in §6 above — but JP sign-off requested per Wave-3 audit hard rule (credential-adjacent). No change pending; confirm-only. +Already KEEP at `invoked_at_runtime: true`, `mode: read+exec` in §6 above. **JP decision Wave 8 (2026-05-24): CONFIRM as-is.** No change. ## §13 Open issues + next steps
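Review bot: the dates in the first hunk (`@@ -144,9 +144,9 @@`) contradict each other. The new intro line says all three rows were resolved in the Wave-8 PAUSE-walk dated 2026-05-24 (matching the commit date), but the unchanged context line directly below it still reads "Per Wave-7 Q2 decision (2026-05-25)", which places the Wave-7 decision one day after the Wave-8 walk that claims to confirm it. One of the two dates is wrong; fix it in this patch rather than leaving a section retained for audit trail with an impossible ordering. Also in this hunk, the heading `## §12 Pending JP review` is left unchanged while the body now states that nothing is pending; rename it (for example `## §12 Resolved JP review rows`) so the heading does not advertise open items that no longer exist.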
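Review bot: in the second hunk (`@@ -154,25 +154,23 @@`) the command JP is told to run appears twice with its argument missing: `credctl set github-pat ` in the governance row and again in the Materialization state paragraph ends with a trailing space and no value, which reads as a placeholder that was dropped. Either spell out the placeholder the tool expects or remove the trailing space; as written, a reader copying the line runs an incomplete command. Two smaller points in the same hunk: the Materialization state paragraph pins `manifest.credentials.optional: [github-pat]` to "line 134" and `disclosure.credentials:` to "line 267" of the manifest, which will rot on the next manifest edit, so cite the key paths alone. And the paragraph says promoting the row into `disclosure.credentials:` "would trigger pre-push check 6.d failure since vault-absent" although the cred is declared `status: optional`; the removed text described 6.d as enforcing `credctl list` exact-match, so state explicitly that 6.d does not exempt `optional` entries, since that is the whole reason the row stays in the legacy block for now.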
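Review bot: the third hunk (§12.3) drops the reason the sign-off was required in the first place. The removed line cited the "Wave-3 audit hard rule (credential-adjacent)" as the trigger for JP review; the replacement records only the decision. Since the intro now says these rows are retained for audit trail, keep the rule reference next to the decision, for example "Confirm-only sign-off was required by the Wave-3 audit hard rule (credential-adjacent). JP decision Wave 8 (2026-05-24): CONFIRM as-is." Without it, a later auditor cannot tell why a no-change row needed JP approval at all.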