feat(governance): add V&V Architect (LeadValidator) — independent audit agent

Fixes a critical bug where VALIDATOR.md contained a copy of start-validator.sh
(making the validator unlaunchable). Introduces a fully independent V&V Architect
agent that audits the codebase against the PRD and OpenSpec outside the CTO's
chain of command.

Changes:
- VALIDATOR.md: rewritten as proper system prompt (8-phase audit methodology,
  issue format, severity model, communication protocol)
- scripts/start-validator.sh: isolated workspace setup, sanity check, auto-init
  ledger, validator-specific CLAUDE.md (no CEO context contamination)
- openspec/vv_audit/LEDGER.md: shared audit ledger index (CEO release gate view)
- openspec/changes/archive/2026-04-07-vv-architect-setup/: full OpenSpec artifacts
  (proposal.md, design.md, tasks.md — 28 tasks, all complete)

Note: .cto-workspace/CLAUDE.md updated (gitignored — persists on disk only).
#vv-findings hub channel created for real-time validator notifications.

CEO approved 2026-04-07.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/changes/archive/2026-04-07-vv-architect-setup/tasks.md

@@ -0,0 +1,61 @@
+# Tasks — vv-architect-setup
+
+## WS1 — Fix VALIDATOR.md (System Prompt)
+
+- [x] 1.1 Identify the bug: `VALIDATOR.md` contained an exact copy of `scripts/start-validator.sh` (byte-for-byte identical — 1900 bytes each)
+- [x] 1.2 Rewrite `VALIDATOR.md` as the proper system prompt for the LeadValidator agent
+- [x] 1.3 Define validator identity and independence principle (not under CTO authority; reports to CEO)
+- [x] 1.4 Define 6-step startup protocol (read PRD → register hub → check ledger → check channel → report readiness → begin audit)
+- [x] 1.5 Define Phase A — OpenSpec task completeness check (verify all archived tasks.md `[x]` items have corresponding code)
+- [x] 1.6 Define Phase B — API surface audit (every route must have an OpenAPI spec; spec must match implementation)
+- [x] 1.7 Define Phase C — TypeScript standards audit (no `any`, strict mode, JSDoc, error hierarchy)
+- [x] 1.8 Define Phase D — DRY principle audit (no duplicated logic, utility files as single sources of truth)
+- [x] 1.9 Define Phase E — SOLID principles audit (SRP spot-checks on key services, constructor injection)
+- [x] 1.10 Define Phase F — Test coverage audit (>80% threshold, integration tests for all endpoints)
+- [x] 1.11 Define Phase G — AGNTCY compliance audit (agent identity model, lifecycle, DID, conformance tests)
+- [x] 1.12 Define Phase H — Security audit (OWASP Top 10 checks)
+- [x] 1.13 Define issue format: `VV_ISSUE_NNN.md` with Status, Severity, Category, Finding, Evidence, Required Action, CTO Response, Resolution
+- [x] 1.14 Define severity model: BLOCKER / MAJOR / MINOR with clear ownership and release impact
+- [x] 1.15 Define communication protocol: `#vv-findings` for routine findings, `#vpe-cto-approvals` for BLOCKER escalations
+- [x] 1.16 Define dispute resolution protocol: CTO writes justification → Validator evaluates → CEO as final arbiter
+- [x] 1.17 Define AUDIT LEDGER INDEX maintenance requirements
+
+## WS2 — Fix scripts/start-validator.sh
+
+- [x] 2.1 Remove the line that copies CEO's `CLAUDE.md` into the validator workspace (was contaminating validator with CEO-session context)
+- [x] 2.2 Add sanity check: abort with clear error if `VALIDATOR.md` first line is `#!/bin/bash` (prevents relaunching with wrong content)
+- [x] 2.3 Add `SHARED_LEDGER` variable pointing to `openspec/vv_audit/`
+- [x] 2.4 Add `mkdir -p "$SHARED_LEDGER"` to auto-create ledger directory on first run
+- [x] 2.5 Add auto-initialisation of `LEDGER.md` if it does not exist (idempotent — skipped if already present)
+- [x] 2.6 Write validator-specific `CLAUDE.md` to workspace (absolute paths only, no CEO-session context, no role-switching instructions)
+- [x] 2.7 Update echoed launch checklist to reflect validator's actual responsibilities
+- [x] 2.8 Ensure `exec claude --system-prompt-file "$VALIDATOR_SYSTEM_PROMPT"` uses the correct variable name
+
+## WS3 — Shared V&V Issue Ledger
+
+- [x] 3.1 Create `openspec/vv_audit/` directory in project root (accessible by both validator and CTO via absolute paths)
+- [x] 3.2 Create `openspec/vv_audit/LEDGER.md` — structured audit index with Summary table, Issue Index, Audit History, and usage instructions
+- [x] 3.3 Document who updates what: Validator updates Summary and Issue Index; CTO updates issue files; CEO reads for release gate status
+
+## WS4 — Central Hub Channel
+
+- [x] 4.1 Create `#vv-findings` channel on central hub with description: "V&V Architect findings — audit issues, BLOCKER notifications, resolution tracking"
+- [x] 4.2 Verify `#vpe-cto-approvals` (CEO channel) already exists — BLOCKER escalations go here
+
+## WS5 — CTO Peer-Review Protocol Update
+
+- [x] 5.1 Update `.cto-workspace/CLAUDE.md` Peer-Review Protocol section
+- [x] 5.2 Replace relative path `./specs/issues/` with absolute path `openspec/vv_audit/`
+- [x] 5.3 Add `#vv-findings` channel reference
+- [x] 5.4 Clarify CTO cannot dismiss validator findings — only resolve or dispute
+- [x] 5.5 Clarify BLOCKER resolution protocol: CEO automatically notified; CTO must not resolve without CEO awareness
+- [x] 5.6 Add instruction on how to start the validator (`./scripts/start-validator.sh`)
+
+## WS6 — OpenSpec Documentation (this change)
+
+- [x] 6.1 Create `openspec/changes/archive/2026-04-07-vv-architect-setup/` directory
+- [x] 6.2 Write `proposal.md` — problem statement, proposed solution, CEO approval
+- [x] 6.3 Write `design.md` — architecture, decisions (D1–D5), file map, hub channels
+- [x] 6.4 Write `tasks.md` (this file) — complete task breakdown with all items checked
+- [x] 6.5 Create `specs/` directory (no API specs needed — this is agent governance tooling, not an API change)
+- [x] 6.6 Commit all changes to git: VALIDATOR.md, scripts/start-validator.sh, openspec/vv_audit/, openspec/changes/archive/2026-04-07-vv-architect-setup/