sentryagent-idp/openspec/changes/process-governance-handoff-gap/design.md

## Context

The current multi-agent session protocol (CEO ↔ CTO via `#vpe-cto-approvals`) has a handoff gap: once the CEO authorizes an action, there is no enforcement that the CTO confirms completion before the session ends. The gap was exposed on 2026-04-07 when the CTO received commit authorization but the session ended before posting a confirmation — leaving 5 uncommitted files and the field trial status ambiguous.

The fix is purely process/documentation: CLAUDE.md and README.md are the authoritative session protocol documents. Both must be updated with explicit rules. No code changes are required.

## Goals / Non-Goals

**Goals:**
- Require the CTO to post a completion confirmation to `#vpe-cto-approvals` after every CEO-authorized action
- Require the CTO to post an end-of-session summary before closing
- Establish clear vocabulary: "authorized" ≠ "completed" in all status tracking
- Make these rules durable by codifying them in CLAUDE.md (session protocol) and README.md (CTO responsibilities)

**Non-Goals:**
- Automated enforcement (no code hooks, no CI checks)
- Changes to the V&V process or the `#vv-cto-resolution` channel protocol
- Changes to any service, API, or database

## Decisions

**Decision 1: CLAUDE.md is the primary update target.**
CLAUDE.md is loaded on every new Claude session via the project instructions. Any protocol rule placed there is enforced at session startup. README.md Section 4.3 is secondary — it documents CTO responsibilities but is not loaded automatically. Rationale: rules that need to be followed must live where they are read.

**Decision 2: Completion confirmation is a mandatory, structured message.**
Rather than leaving format open-ended, the confirmation must include: action completed, outcome (success/failure), commit hash (if applicable), and resulting state. This makes it scannable and unambiguous. Alternative considered: free-form text — rejected because it creates ambiguity about whether the action actually completed.

**Decision 3: Session-end summary is required before closing.**
The CTO must post a structured "end of session" summary any time a session ends with pending or in-progress work. Format: completed this session / pending (awaiting execution) / requires CEO action next session. Alternative considered: optional/best-effort — rejected because the exact failure mode was "session ended without summary."

**Decision 4: Authorized vs. Done as explicit vocabulary.**
Status messages must use unambiguous language. "Authorized" means CEO gave permission. "Committed," "deployed," or "completed" means the action was executed and confirmed. These terms must not be used interchangeably.

## Risks / Trade-offs

- **Risk**: CTO session ends abruptly (crash, timeout) before posting session-end summary → **Mitigation**: CEO checks `#vpe-cto-approvals` at startup for the last CTO message; if it is an authorization request (not a completion), treat the action as pending.
- **Risk**: Rules in CLAUDE.md may drift from README.md over time → **Mitigation**: Tasks explicitly update both files; future changes to session protocol must update both.
- **Trade-off**: Adding required messages increases CTO session overhead slightly. Accepted — the cost of a missed commit or ambiguous state is higher.

## Migration Plan

1. Update CLAUDE.md — add CTO Session Completion Protocol section
2. Update README.md Section 4.3 — add session-end checklist and completion confirmation to CTO responsibilities
3. No rollback needed — documentation-only change