audit(cto): Wave 8 PAUSE-walk — §12 rows resolved

§12.1: SUPERSEDED by Wave 7 D2/Q2 (sandcastle promoted to schema v2 §4.6); confirmed Wave 8
§12.2: KEEP github-pat declared, DEFER vault provision until v2 PR-open lands (Wave 8 Q2)
§12.3: L6-svrnty.core-credentials runtime mode CONFIRMED as-is (Wave 8 Q3)

All 3 rows now resolved; PAUSE queue empty.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

DISCLOSURE.md

@@ -144,9 +144,9 @@ No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest `
 
 ## §12 Pending JP review
 
-Rows surfaced by Wave-3 audit/recommendations but paused awaiting JP sign-off. These are NOT in the active `disclosure:` block yet.
+Rows surfaced by Wave-3 audit/recommendations. All 3 rows resolved in **Wave-8 PAUSE-walk (2026-05-24)**. Retained for audit trail.
 
-### §12.1 RESOLVED (Wave-7 D2 / Q2) — sandcastle promoted to canonical §6.5
+### §12.1 RESOLVED (Wave-7 D2 / Q2, confirmed Wave 8) — sandcastle promoted to canonical §6.5
 
 Per Wave-7 Q2 decision (2026-05-25): the open question on (a) `sovereign_apis: cli` vs (b) schema §4.6 `external_orchestrators:` was resolved in favor of **(b)** — schema v2 added the `external_orchestrators:` surface (cleaner taxonomy, separates HTTP/gRPC sovereign APIs from CLI orchestrators with isolation semantics).
 
@@ -154,25 +154,23 @@ Sandcastle now lives in:
 - `manifest.yaml → disclosure.external_orchestrators[0]` (schema v2)
 - §6.5 above (canonical disclosure section)
 
-Row retained here for audit trail only. No JP action required.
+### §12.2 RESOLVED (Wave 8) — `github-pat` credential declaration: **KEEP declared, defer vault provision**
 
-### §12.2 KEEP — `github-pat` credential declaration (cred-adjacent PAUSE)
+Per `RECOMMENDATIONS-cto-2026-05-24.md §5 K1`. **JP decision Wave 8 (2026-05-24): KEEP declared, defer vault provision until v2 PR-open path lands.**
 
-Per `RECOMMENDATIONS-cto-2026-05-24.md §5 K1`.
+| Field | Value |
-
-| Field | Proposed value |
 |---|---|
 | vault_name | `github-pat` |
 | status | `optional` |
 | scope | `read` |
 | used_by | `credbridge.sh` (case `gh)`), `lib/cto-worker.sh` (open-pr command) |
-| governance | required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — `cto-worker.sh open-pr` fails-fast with documented error. Vault provisioning is JP's responsibility before first real PR-opening task. |
+| governance | required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — `cto-worker.sh open-pr` fails-fast with documented error. JP materializes via `credctl set github-pat <PAT>` before first v2 PR task. |
 
-**Open question for JP:** confirm KEEP declaration even though vault-absent? Recommendation: YES — v2 needs it; cto-worker.sh fails fast with a clear error if missing. Once approved, the cred row moves from §7 (empty) into the active `disclosure.credentials:` block. Pre-push check 6.d will then enforce `credctl list` exact-match.
+**Materialization state:** declared in legacy `manifest.credentials.optional: [github-pat]` (line 134) for documentation. NOT yet in `disclosure.credentials:` active block (which is `[]` on line 267) — would trigger pre-push check 6.d failure since vault-absent. Row promotes from legacy → active disclosure once JP runs `credctl set github-pat <PAT>`.
 
-### §12.3 NOTE — `L6-svrnty.core-credentials` runtime mode
+### §12.3 RESOLVED (Wave 8) — `L6-svrnty.core-credentials` runtime mode: **CONFIRM as-is**
 
-Already KEEP at `invoked_at_runtime: true`, `mode: read+exec` in §6 above — but JP sign-off requested per Wave-3 audit hard rule (credential-adjacent). No change pending; confirm-only.
+Already KEEP at `invoked_at_runtime: true`, `mode: read+exec` in §6 above. **JP decision Wave 8 (2026-05-24): CONFIRM as-is.** No change.
 
 ## §13 Open issues + next steps