feat(governance): add V&V Architect (LeadValidator) — independent audit agent

Fixes a critical bug where VALIDATOR.md contained a copy of start-validator.sh
(making the validator unlaunchable). Introduces a fully independent V&V Architect
agent that audits the codebase against the PRD and OpenSpec outside the CTO's
chain of command.

Changes:
- VALIDATOR.md: rewritten as proper system prompt (8-phase audit methodology,
  issue format, severity model, communication protocol)
- scripts/start-validator.sh: isolated workspace setup, sanity check, auto-init
  ledger, validator-specific CLAUDE.md (no CEO context contamination)
- openspec/vv_audit/LEDGER.md: shared audit ledger index (CEO release gate view)
- openspec/changes/archive/2026-04-07-vv-architect-setup/: full OpenSpec artifacts
  (proposal.md, design.md, tasks.md — 28 tasks, all complete)

Note: .cto-workspace/CLAUDE.md updated (gitignored — persists on disk only).
#vv-findings hub channel created for real-time validator notifications.

CEO approved 2026-04-07.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/start-validator.sh

@@ -3,7 +3,8 @@
 # SentryAgent.ai — Start V&V Architect (Lead Validator)
 # =============================================================================
 # Launches an independent Claude Code instance as the Lead Validator.
-# This agent verifies the CTO's work against the PRD/OpenSpec.
+# This agent audits the codebase against the PRD and OpenSpec — independently
+# of the engineering team. It reports findings directly to the CEO.
 #
 # Usage:
 #   ./scripts/start-validator.sh
@@ -13,40 +14,105 @@ set -e
 
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 VALIDATOR_WORKSPACE="$PROJECT_ROOT/.validator-workspace"
-VALIDATOR_PROMPT="$PROJECT_ROOT/VALIDATOR.md"
+VALIDATOR_SYSTEM_PROMPT="$PROJECT_ROOT/VALIDATOR.md"
+SHARED_LEDGER="$PROJECT_ROOT/openspec/vv_audit"
 
 echo "=============================================="
-echo "  SentryAgent.ai — Starting V&V Architect Agent"
+echo "  SentryAgent.ai — Starting V&V Architect"
+echo "  (Lead Validator — Independent Audit Agent)"
 echo "=============================================="
 echo ""
-echo "  Project:      $PROJECT_ROOT"
-echo "  Workspace:    $VALIDATOR_WORKSPACE"
-echo "  Role Config:  $VALIDATOR_PROMPT"
+echo "  Project root:    $PROJECT_ROOT"
+echo "  Workspace:       $VALIDATOR_WORKSPACE"
+echo "  System prompt:   $VALIDATOR_SYSTEM_PROMPT"
+echo "  Shared ledger:   $SHARED_LEDGER"
 echo ""
 echo "  The V&V Architect will:"
-echo "  1. Audit Code against OpenSpec PRD"
-echo "  2. Enforce DRY Principles"
-echo "  3. Log Issues for CTO Resolution"
-echo "  4. Maintain Local Fail-Safe Ledger"
+echo "  1. Read README.md (PRD) in full"
+echo "  2. Register on hub as LeadValidator"
+echo "  3. Audit code against OpenSpec & PRD"
+echo "  4. Enforce DRY, SOLID, TypeScript standards"
+echo "  5. Log findings to openspec/vv_audit/"
+echo "  6. Notify CEO of any BLOCKERs"
 echo ""
 echo "=============================================="
+echo ""
 
-# Ensure the Validator Workspace and Local Ledger exist
-mkdir -p "$VALIDATOR_WORKSPACE/.openspec/vv_audit"
-
-# Verify the Validator Persona file exists (from Part 1 of instructions)
-if [ ! -f "$VALIDATOR_PROMPT" ]; then
-  echo "ERROR: VALIDATOR.md not found at $VALIDATOR_PROMPT"
-  echo "Please ensure you have created the System Instruction file."
+# Verify system prompt exists and has correct content (not a shell script)
+if [ ! -f "$VALIDATOR_SYSTEM_PROMPT" ]; then
+  echo "ERROR: VALIDATOR.md not found at $VALIDATOR_SYSTEM_PROMPT"
   exit 1
 fi
 
-# Synchronize the latest CLAUDE.md to the validator workspace if needed
-if [ -f "$PROJECT_ROOT/CLAUDE.md" ]; then
-    cp "$PROJECT_ROOT/CLAUDE.md" "$VALIDATOR_WORKSPACE/CLAUDE.md"
+# Quick sanity check — VALIDATOR.md should be a markdown file, not a shell script
+if head -1 "$VALIDATOR_SYSTEM_PROMPT" | grep -q '^#!/bin/bash'; then
+  echo "ERROR: VALIDATOR.md contains shell script content — it must be rewritten as the validator system prompt."
+  echo "See VALIDATOR.md header for the correct format."
+  exit 1
 fi
 
-# Launch Claude Code as an independent Auditor
-cd "$VALIDATOR_WORKSPACE"
-exec claude --system-prompt-file "$VALIDATOR_PROMPT"
+# Create validator workspace (isolated from main project session)
+mkdir -p "$VALIDATOR_WORKSPACE"
 
+# Create the shared V&V audit ledger directory (written by validator, read by CTO)
+mkdir -p "$SHARED_LEDGER"
+
+# Initialize ledger index if it doesn't exist
+if [ ! -f "$SHARED_LEDGER/LEDGER.md" ]; then
+  cat > "$SHARED_LEDGER/LEDGER.md" <<'EOF'
+# V&V Audit Ledger
+
+**Project:** SentryAgent.ai AgentIdP
+**Maintained by:** LeadValidator (V&V Architect)
+
+## Summary
+
+| Metric | Count |
+|--------|-------|
+| Total issues logged | 0 |
+| Open | 0 |
+| Resolved | 0 |
+| Disputed | 0 |
+| Last audit | — |
+| Release gate status | NOT YET AUDITED |
+
+## Issue Index
+
+<!-- Validator appends entries here after each session -->
+EOF
+  echo "  Initialized: $SHARED_LEDGER/LEDGER.md"
+fi
+
+# Write a minimal CLAUDE.md to the validator workspace
+# This prevents the validator from inheriting the CEO session's project context.
+# The validator's full identity comes from --system-prompt-file (VALIDATOR.md).
+cat > "$VALIDATOR_WORKSPACE/CLAUDE.md" <<EOF
+# SentryAgent.ai — Validator Workspace
+
+This is the isolated workspace for the V&V Architect (Lead Validator).
+
+Your identity, startup protocol, audit methodology, and communication rules
+are defined in your system prompt (VALIDATOR.md).
+
+## Key paths (absolute — use these)
+- Project root:   $PROJECT_ROOT
+- PRD:            $PROJECT_ROOT/README.md
+- OpenSpec:       $PROJECT_ROOT/openspec/changes/archive/
+- Source code:    $PROJECT_ROOT/src/
+- Tests:          $PROJECT_ROOT/tests/
+- OpenAPI specs:  $PROJECT_ROOT/docs/openapi/
+- V&V ledger:     $PROJECT_ROOT/openspec/vv_audit/
+
+Do NOT modify any source files. You are an auditor, not a developer.
+EOF
+
+echo "  Workspace ready: $VALIDATOR_WORKSPACE"
+echo ""
+echo "  Launching V&V Architect..."
+echo ""
+
+# Launch Claude Code as the independent Validator
+# --system-prompt-file injects VALIDATOR.md as the system prompt,
+# overriding default behavior and establishing the auditor identity.
+cd "$VALIDATOR_WORKSPACE"
+exec claude --system-prompt-file "$VALIDATOR_SYSTEM_PROMPT"