diff --git a/sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md b/sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md
index 9f01964..af26826 100644
--- a/sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md
+++ b/sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md
@@ -70,3 +70,20 @@ Blocked by:
 - Focused validator artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260531T235421Z-r1-string-slugify-1875638`.
 - Aggregate validator artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260531T235448Z-r1-string-slugify-1876884`.
 - `CTO-WORK-020` remains blocked until a provider/model is explicitly approved and real Case Stage 2 produces a pass report.
+
+## CTO-WORK-020 Decision Record Template
+
+This template belongs to `CTO-WORK-020`; it is not a new provider approval.
+
+Required fields:
+
+- `decision_status`: `not_decided`, `external_provider_approved`, or `local_provider_required`.
+- `provider_class`: `external_anthropic` or `local_case_compatible`.
+- `provider`: exact provider string, or empty while blocked.
+- `model`: exact model string, or empty while blocked.
+- `approval_source`: JP approval reference or governed Core route reference.
+- `credential_source_class`: credential class only; no secret value.
+- `allowed_network_class`: allowed network class for this provider.
+- `review_trigger`: expiry, date, or condition that forces review.
+- `evidence_sources`: references to existing admission/build evidence, not copied runtime evidence.
+- `effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.
diff --git a/sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-PRD.md b/sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-PRD.md
index d009e49..a362c80 100644
--- a/sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-PRD.md
+++ b/sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-PRD.md
@@ -105,3 +105,24 @@ Real Case Stage 2 remains blocked until a named provider/model is admitted, then
 - Focused validator artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260531T235421Z-r1-string-slugify-1875638`.
 - Aggregate validator artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260531T235448Z-r1-string-slugify-1876884`.
 - `CTO-WORK-020` remains blocked because no real provider/model has been approved and no real Case Stage 2 pass report exists.
+
+## Decision Record Template For CTO-WORK-020
+
+This template clarifies the decision required by `CTO-WORK-020`; it does not approve a provider.
+
+- `decision_status`: `not_decided`, `external_provider_approved`, or `local_provider_required`.
+- `provider_class`: `external_anthropic` or `local_case_compatible`.
+- `provider`: exact provider string, or empty while blocked.
+- `model`: exact model string, or empty while blocked.
+- `approval_source`: JP approval reference or governed Core route reference.
+- `credential_source_class`: credential class only; no secret value.
+- `allowed_network_class`: allowed network class for this provider.
+- `review_trigger`: expiry, date, or condition that forces review.
+- `evidence_sources`: references to existing admission/build evidence, not copied runtime evidence.
+- `effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.
+
+Allowed pending states:
+
+- `not_decided`: no provider/model may run.
+- `local_provider_required`: no external provider may run; create a Case-compatible local provider route first.
+- `external_provider_approved`: may proceed only when the approval source, credential source class, allowed network class, and admission JSON are recorded.
diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py
index e4d152e..53bd319 100644
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@@ -396,6 +396,20 @@ REQUIRED_MODEL_PROVIDER_ADMISSION_PRD_PHRASES = [
     "20260531T235421Z-r1-string-slugify-1875638",
     "20260531T235448Z-r1-string-slugify-1876884",
     "`CTO-WORK-020` remains blocked because no real provider/model has been approved and no real Case Stage 2 pass report exists.",
+    "Decision Record Template For CTO-WORK-020",
+    "`decision_status`: `not_decided`, `external_provider_approved`, or `local_provider_required`.",
+    "`provider_class`: `external_anthropic` or `local_case_compatible`.",
+    "`provider`: exact provider string, or empty while blocked.",
+    "`model`: exact model string, or empty while blocked.",
+    "`approval_source`: JP approval reference or governed Core route reference.",
+    "`credential_source_class`: credential class only; no secret value.",
+    "`allowed_network_class`: allowed network class for this provider.",
+    "`review_trigger`: expiry, date, or condition that forces review.",
+    "`evidence_sources`: references to existing admission/build evidence, not copied runtime evidence.",
+    "`effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.",
+    "`not_decided`: no provider/model may run.",
+    "`local_provider_required`: no external provider may run; create a Case-compatible local provider route first.",
+    "`external_provider_approved`: may proceed only when the approval source, credential source class, allowed network class, and admission JSON are recorded.",
 ]
 
 REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_IDS = [
@@ -423,6 +437,18 @@ REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_PHRASES = [
     "20260531T235421Z-r1-string-slugify-1875638",
     "20260531T235448Z-r1-string-slugify-1876884",
     "`CTO-WORK-020` remains blocked until a provider/model is explicitly approved and real Case Stage 2 produces a pass report.",
+    "CTO-WORK-020 Decision Record Template",
+    "This template belongs to `CTO-WORK-020`; it is not a new provider approval.",
+    "`decision_status`: `not_decided`, `external_provider_approved`, or `local_provider_required`.",
+    "`provider_class`: `external_anthropic` or `local_case_compatible`.",
+    "`provider`: exact provider string, or empty while blocked.",
+    "`model`: exact model string, or empty while blocked.",
+    "`approval_source`: JP approval reference or governed Core route reference.",
+    "`credential_source_class`: credential class only; no secret value.",
+    "`allowed_network_class`: allowed network class for this provider.",
+    "`review_trigger`: expiry, date, or condition that forces review.",
+    "`evidence_sources`: references to existing admission/build evidence, not copied runtime evidence.",
+    "`effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.",
 ]