docs: full document-truth pass across MVP and boundary docs

docs/ADMISSION_POLICY.md

@@ -39,9 +39,12 @@ and concrete execution.
 The canonical runtime admission contract lives in
 [RUNTIME_ADMISSION.md](RUNTIME_ADMISSION.md). The initial
 `RuntimeAdmissionResult` record is the bounded admission decision surface. The
-`compose_runtime_admission_result()` helper populates it from policy, ticket,
-trust, SCLite guarded verification, replay freshness, runner-profile, and
-receipt-obligation signals without making intent an execution authority.
+`compose_runtime_admission_result()` helper populates it from host-supplied
+policy, ticket, trust, SCLite guarded verification, replay freshness,
+runner-profile, and receipt-obligation summaries without making intent an
+execution authority. The helper composes summaries only; it does not verify
+SCLite tickets or record replay state. Guarded/replay blockers apply when the
+host sets `runtime_consumable=True`.
 
 ## Audit ledger port
 

docs/API_BOUNDARY.md

@@ -4,8 +4,8 @@ GovEngine owns reusable governed-execution services. Its public surface should s
 
 The top-level export stability classification lives in [API_STABILITY_MATRIX.md](API_STABILITY_MATRIX.md). It covers the current `govengine.__all__` surface and is guarded by tests so new public exports require an explicit stability decision.
 
-`govengine.surfaces.public_surface_index()` is the tested machine-readable map of the current alpha public surface set. It contains the neutral artifact-governance core, planning contracts, admission/policy contracts, evidence review, domain-profile SDK, runtime contract proofs, and controlled-execution core. The published `0.12.0-alpha` line removes the prior Ravenclaw-derived optional security facade; domain security behavior belongs in the host runtime.
-`govengine.boundary.kernel_boundary_report()` is the tested machine-readable 0.2 boundary report. It combines the kernel/profile/runtime/SCLite ownership contract, known domain-profile contracts such as Ravenclaw, and the current public surface index.
+`govengine.surfaces.public_surface_index()` is the tested machine-readable map of the current alpha public surface set. It contains the neutral artifact-governance core, planning contracts, admission/policy contracts, evidence review, domain-profile SDK, runtime contract proofs, and controlled-execution core. The published `0.12.2a0` (`0.12.2-alpha`) line removes the prior Ravenclaw-derived optional security facade; domain security behavior belongs in the host runtime.
+`govengine.boundary.kernel_boundary_report()` is the tested machine-readable boundary report (schema `v0.1`). It combines the kernel/profile/runtime/SCLite ownership contract, known domain-profile contracts such as Ravenclaw, and the current public surface index.
 `govengine.boundary.validate_domain_profile_conformance()` checks that a domain profile does not claim forbidden ownership and consumes only known GovEngine/SCLite surfaces.
 `govengine.orchestration.validate_orchestration_step()` checks deterministic orchestration handoff records without granting agent-loop, scheduler, UI, carrier, credential, or live-execution authority.
 `govengine.events.validate_event_envelope()` checks transport-neutral governance event metadata without accepting raw prompts, credentials, live commands, carrier payloads, or scheduling claims.
@@ -14,7 +14,7 @@ The top-level export stability classification lives in [API_STABILITY_MATRIX.md]
 `govengine.control.validate_control_decision()` checks deterministic between-step control decisions and delegates legal state changes to the state machine without accepting raw prompts, commands, schedulers, runtime storage, delivery, or live-execution claims.
 `govengine.runtime_shell.validate_runtime_snapshot()` checks host-provided control actions, queue snapshots, runtime snapshots, and scheduler-tick metadata without accepting raw prompts, commands, storage, schedules, credentials, carrier payloads, or live-execution claims.
 `govengine.planning.validate_task_contract()` and `validate_plan_intent_contract()` check neutral planner-to-runtime handoff shapes without accepting raw targets, raw prompts, commands, storage, schedules, credentials, carrier payloads, or live-execution claims.
-`govengine.admission.validate_admission_decision()`, `validate_policy_decision()`, `validate_approval_request()`, `validate_audit_record()`, `validate_audit_ledger_entry()`, `validate_audit_ledger_append_result()`, `validate_audit_ledger_verification_result()`, and `validate_runtime_admission_result()` check neutral runtime gate and audit-ledger port records without accepting raw targets, raw prompts, commands, storage, schedules, credentials, carrier payloads, or live-execution claims.
+`govengine.admission.validate_admission_decision()`, `validate_policy_decision()`, `validate_approval_request()`, `validate_audit_record()`, `validate_audit_ledger_entry()`, `validate_audit_ledger_append_result()`, `validate_audit_ledger_verification_result()`, `validate_runtime_admission_result()`, `compose_runtime_admission_result()`, and `validate_runtime_admission_proof_inputs()` check neutral runtime gate and audit-ledger port records without accepting raw targets, raw prompts, commands, storage, schedules, credentials, carrier payloads, or live-execution claims. `compose_runtime_admission_result()` composes host-supplied summaries; it does not verify SCLite tickets or record replay state.
 `govengine.execution.supervision.validate_supervised_runner_request()`,
 `validate_runner_receipt_for_request()`, and
 `validate_runner_receipt_binding()` check approved-spec runner supervision,
@@ -42,6 +42,7 @@ Neutral core modules:
 - `govengine.signing`
 - `govengine.deconfliction`
 - `govengine.state_index`
+- `govengine.state_machine`
 - `govengine.state_store`
 - `govengine.replay`
 
@@ -126,7 +127,7 @@ GovEngine owns:
 - `govengine.scope_ports` — neutral scope-port protocol and host extraction helper used by controlled-execution contracts.
 - `govengine.state_store` — neutral JSON state helper primitives.
 - `govengine.replay` — guarded SCLite root replay records, claim-once replay-store port contracts, and fresh/replayed decisions over host-supplied state without HMAC verification, key storage, runtime storage ownership, production database ownership, or replay policy beyond the supplied store.
-- `govengine.sclite_*` — explicit integration seams with SCLite, including descriptor/status/transition mapping that delegates lifecycle verification and review-bundle verdicts to SCLite.
+- `govengine.sclite_contracts` — explicit integration seams with SCLite, including descriptor/status/transition mapping that delegates lifecycle verification and review-bundle verdicts to SCLite.
 
 ## Consumes
 
@@ -194,9 +195,10 @@ admission contract described in
 bounded blockers, next actions, and artifact references.
 `compose_runtime_admission_result()` populates it from bounded gate evidence for
 hosts and reviewers; the record does not grant live execution authority by
-itself. `normalize_admission_artifact_refs()` is an alpha helper for bounded
-review references and existing digest strings only; it does not compute content
-digests and does not claim SCLite canonicalization authority.
+itself. After an allowed admission is composed, hosts may call
+`validate_runtime_admission_proof_inputs()` to check that expected proof-input
+summaries are present. That helper does not verify SCLite artifacts or replay
+persistence.
 
 The operator-facing path that ties admission, trust ports, guarded SCLite
 verification, replay freshness, runner profile, receipt obligation, and

docs/ARCHITECTURE.md

@@ -11,8 +11,9 @@ For the current extraction, the host/domain runtime is Ravenclaw. A future infra
 ## Governed-runtime MVP chain
 
 The current MVP path is documented for operators in
-[GOVERNED_RUNTIME_MVP_RUNBOOK.md](GOVERNED_RUNTIME_MVP_RUNBOOK.md). The short
-form is:
+[GOVERNED_RUNTIME_MVP_RUNBOOK.md](GOVERNED_RUNTIME_MVP_RUNBOOK.md). The full
+integration order and non-claims are in
+[SECURITY_INTEGRATION.md](SECURITY_INTEGRATION.md). The short form is:
 
 ```text
 intent
@@ -23,14 +24,44 @@ intent
   -> runner profile
   -> receipt obligation
   -> RuntimeAdmissionResult
-  -> bounded request/receipt/evidence references
+  -> GovRunnerRequest
+  -> GovRunnerReceipt
+  -> validate_runner_receipt_binding()
+  -> validate_evidence_review_chain()
+  -> bounded audit / review references
 ```
 
+`compose_runtime_admission_result()` composes host-supplied gate summaries into
+`RuntimeAdmissionResult`. It does not validate SCLite tickets, verify
+signatures, record replay state, or execute live work. Runtime admission
+composition requires an allowed runner profile and a receipt obligation;
+concrete runner receipts are validated later with
+`validate_runner_receipt_binding()`. Guarded/replay blockers apply during
+composition only when the host sets `runtime_consumable=True`.
+
 GovEngine owns the neutral mechanics that compose and validate this chain. It
 does not own domain policy meaning, operator approval workflow, production
 identity or keys, raw evidence storage, SCLite proof authority, or live backend
 execution.
 
+## Public surface map
+
+The tested public surface registry in `govengine.surfaces` currently exposes
+seven neutral surfaces. Additional alpha exports such as `govengine.api`,
+`govengine.context`, `govengine.roles`, and `govengine.execution_backend` exist
+outside that registry. See also [API_BOUNDARY.md](API_BOUNDARY.md) and
+[API_STABILITY_MATRIX.md](API_STABILITY_MATRIX.md).
+
+| Surface | Primary modules |
+| --- | --- |
+| `artifact_governance_core` | `govengine.core`, `govengine.boundary`, `govengine.sclite_contracts`, `govengine.lifecycle`, `govengine.signing`, `govengine.replay`, `govengine.deconfliction`, `govengine.state_index`, `govengine.state_machine`, `govengine.state_store` |
+| `planning_contracts_core` | `govengine.planning` |
+| `admission_policy_core` | `govengine.admission` |
+| `evidence_review_core` | `govengine.review` |
+| `domain_profile_sdk` | `govengine.profiles` |
+| `runtime_contract_proofs` | `govengine.contract_proofs` |
+| `controlled_execution_core` | `govengine.execution.*`, `govengine.ooda`, `govengine.orchestration`, `govengine.events`, `govengine.control`, `govengine.runtime_shell`, `govengine.scope_ports`, `govengine.contracts.execution` |
+
 ## Layers
 
 ### 0. Kernel/profile boundary layer
@@ -56,8 +87,22 @@ Purpose:
 
 - validate neutral admission, policy-decision, approval, audit, evidence, and
   review records;
+- compose and validate `RuntimeAdmissionResult` through
+  `compose_runtime_admission_result()`, `validate_runtime_admission_result()`,
+  `validate_runtime_admission_proof_inputs()`, and bounded public summaries;
+- expose `AuditLedgerPort` and a development-only `JsonlAuditLedgerAdapter` for
+  hash-chained audit append/read/verify without production database ownership;
+- validate receipt-bounded evidence and review reference chains through
+  `validate_evidence_review_chain()`;
 - keep security-domain policy meaning and evidence taxonomy in the host runtime.
 
+`validate_runtime_admission_result()` checks record shape and consistency; it
+does not by itself enforce receipt obligation on arbitrary stored records the way
+`compose_runtime_admission_result()` does.
+
+See [RUNTIME_ADMISSION.md](RUNTIME_ADMISSION.md) and
+[EVIDENCE_REVIEW.md](EVIDENCE_REVIEW.md).
+
 ### 2. Contract layer
 
 Modules:
@@ -74,7 +119,29 @@ Purpose:
 Lifecycle artifact projection from a host runtime payload is host-owned;
 Ravenclaw implements its projection outside this kernel.
 
-### 3. Execution helper / runner protocol layer
+See [SCLITE_INTEGRATION.md](SCLITE_INTEGRATION.md).
+
+### 3. Replay, signing, and trust bridge layer
+
+Modules:
+
+- `govengine.replay`
+- `govengine.signing`
+
+Purpose:
+
+- record guarded SCLite root freshness through host-supplied JSON state,
+  `ReplayClaimStore`, or development-only in-memory adapters;
+- compose SCLite guarded-strict verification with replay recording through
+  `verify_guard_and_record_replay()`;
+- provide GovEngine-owned record digests, signed-record envelopes, and
+  host-provided signer/verifier/trust ports, plus deterministic demo ports for
+  fixtures only.
+
+GovEngine does not own SCLite Kernel Guard HMAC verification, PKI, KMS, key
+storage, or production replay persistence.
+
+### 4. Execution helper / runner protocol layer
 
 Modules:
 
@@ -84,20 +151,33 @@ Modules:
 - `govengine.execution.command_shape`
 - `govengine.execution.runner`
 - `govengine.execution.runner_protocol`
+- `govengine.execution.gate`
+- `govengine.execution.supervision`
 - `govengine.execution_backend`
 
 Purpose:
 
 - expose stable API result/error envelopes for hard boundaries;
 - validate approved execution specs;
-- check execution-ticket presence/shape;
+- check execution-ticket presence/shape through host-facing ticket-gate helpers;
 - normalize command shape and target observations;
 - assemble dry-run result envelopes;
-- define the carrier-neutral runner request/receipt protocol a host adapter can honor.
-
-Important: live subprocess execution is not owned by GovEngine yet. The runner protocol prepares and records bounded execution shape; host adapters still own concrete IO/subprocess behavior.
-
-### 4. Host context and scope-port layer
+- define the carrier-neutral runner request/receipt protocol a host adapter can honor;
+- gate controlled execution through `ExecutionGate` and default `DryRunRunner`;
+- validate supervised runner requests, receipts, and receipt bindings through
+  `validate_runner_receipt_binding()`;
+- evaluate optional local subprocess runner readiness through
+  `LocalSubprocessRunnerReadiness` while keeping the local runner at
+  `not_applicable` by default.
+
+`govengine.execution_backend` is a port-only contract with no shipped live
+backend. Important: live subprocess execution is not owned by GovEngine. The
+runner protocol prepares and records bounded execution shape; host adapters
+still own concrete IO/subprocess behavior. See
+[RUNNER_SUPERVISION.md](RUNNER_SUPERVISION.md) and
+[LOCAL_SUBPROCESS_RUNNER_DECISION.md](LOCAL_SUBPROCESS_RUNNER_DECISION.md).
+
+### 5. Host context and scope-port layer
 
 Modules:
 
@@ -113,20 +193,59 @@ Purpose:
 - avoid hard dependencies on Ravenclaw internals;
 - support standalone import and package testing.
 
-### 5. OODA safety/control layer
+### 6. Planning, profile, and proof contract layer
 
-Module:
+Modules:
+
+- `govengine.planning`
+- `govengine.profiles`
+- `govengine.contract_proofs`
+
+Purpose:
+
+- validate neutral planner-to-runtime handoff contracts without owning a planner
+  implementation;
+- declare contract-only domain profiles and conformance reports for Ravenclaw and
+  Tecrax fixture paths;
+- provide public-safe multi-profile proof fixtures over existing GovEngine
+  contracts.
+
+These surfaces are metadata and validation only. They do not add scheduling,
+carrier adapters, credentials, or live execution authority.
+
+### 7. OODA, orchestration, and runtime-shell control layer
+
+Modules:
 
 - `govengine.ooda`
+- `govengine.orchestration`
+- `govengine.events`
+- `govengine.control`
+- `govengine.runtime_shell`
 
 Purpose:
 
 - observe normalized execution telemetry and operator-control events;
 - orient observations against approved specs, execution tickets, policy decisions, scope, budgets, and host state;
 - decide whether the next step should continue, pause, abort, cooldown, degrade to dry-run, or require owner review;
-- act by returning deterministic control decisions to the host runner/adapter.
+- expose deterministic orchestration handoff records, governance event envelopes, run-state transitions, between-step control decisions, and host runtime-shell projections without owning schedulers, queues, storage, credentials, or live execution.
+
+GovEngine provides reusable deterministic contracts here. Host runtimes such as
+Ravenclaw still own wiring those contracts into live control loops.
+
+## Operator surfaces
+
+GovEngine also ships read-only operator helpers that validate bounded records
+without executing work:
+
+- `scripts/inspect_runtime_admission.py` — inspect `RuntimeAdmissionResult`
+  records;
+- `scripts/verify_runner_receipt_binding.py` — verify admission/ticket/request/
+  receipt binding references;
+- `scripts/verify_audit_ledger.py` — verify development JSONL audit-ledger
+  chains.
 
-This layer converts Ravenclaw's existing scattered controls — stop/pause, host health gates, cooldowns, runtime decisions, and anomaly/replay checks — into a reusable GovEngine contract. It is policy-first, deterministic by default, and carrier-neutral.
+These scripts are inspection and verification tools, not execution backends.
 
 ## Boundary rule
 
@@ -140,10 +259,15 @@ forbidden: GovEngine -> Logdash/OpenClaw/MCP/A2A adapters
 
 ## Current maturity
 
-The package currently covers dry-run-safe helpers and neutral contract gates.
-The published `0.12.2-alpha` line keeps the governed-runtime kernel MVP honest:
-canonical runtime admission, host-provided trust ports, receipt/evidence
-binding, audit/replay ports, inspect-only admission review, and runner safety
-documentation are alpha surfaces, not production execution claims. GovEngine is
-not a complete orchestrator, scheduler, supervisor stack, subprocess runner, or
-product shell and does not claim production execution safety on its own.
+The package currently covers dry-run-safe helpers and neutral contract gates in
+kernel in alpha form. Source on `main` already includes the governed-runtime MVP
+and roadmap-hardening surfaces described above; the last PyPI publish remains
+`govengine==0.12.2a0` (`0.12.2-alpha`), with newer work recorded under
+`Unreleased` in `CHANGELOG.md` until the next alpha release.
+
+Those alpha surfaces — canonical runtime admission, host-provided trust ports,
+receipt/evidence binding, audit/replay ports, inspect-only admission review,
+read-only operator verifiers, and runner safety documentation — are not
+production execution claims. GovEngine is not a complete orchestrator,
+scheduler, supervisor stack, subprocess runner, or product shell and does not
+claim production execution safety on its own.

docs/DOMAIN_PROFILE_CONTRACT.md

@@ -2,7 +2,12 @@
 
 A domain profile contract is the host-facing declaration that lets a runtime consume GovEngine without moving domain semantics into the kernel.
 
-GovEngine `0.8.x` also exposes `govengine.profiles`, a minimal contract-only SDK around this boundary. The SDK provides `DomainProfile`, resource/task/stage registries, capability, runner, policy-hook, evidence-rule declarations, fixture Ravenclaw/Tecrax profiles, and `ProfileConformanceReport`. These declarations remain data and validation shapes; they do not implement adapters, credentials, product UX, domain taxonomy, or live execution.
+GovEngine also exposes `govengine.profiles`, a minimal contract-only SDK around
+this boundary. The SDK provides `DomainProfile`, resource/task/stage registries,
+capability, runner, policy-hook, evidence-rule declarations, fixture
+Ravenclaw/Tecrax profiles, and `ProfileConformanceReport`. These declarations
+remain data and validation shapes; they do not implement adapters, credentials,
+product UX, domain taxonomy, or live execution.
 
 ## Contract Shape
 
@@ -49,7 +54,7 @@ These remain outside profile ownership even when a profile has runtime code that
 
 ## Ravenclaw Compatibility
 
-The built-in Ravenclaw profile contract identifies Ravenclaw as a security-research host profile. It owns campaign/runtime semantics and Logdash/operator workflow language, while consuming neutral GovEngine admission-policy and controlled-execution surfaces plus SCLite review bundles.
+The built-in Ravenclaw profile contract identifies Ravenclaw as a security-research host profile. It owns campaign/runtime semantics and Logdash/operator workflow language, while consuming neutral GovEngine admission-policy, evidence-review, and controlled-execution surfaces plus SCLite review bundles.
 
 The `ravenclaw_security_profile()` SDK fixture is narrower than Ravenclaw itself: it declares security-research resource types, task families, planning stages, policy hooks, dry-run runner profile, and receipt-bounded evidence expectations. It does not make GovEngine own Ravenclaw finding taxonomy, Logdash, campaign UX, or target-test authorization.