Finalize Phase 14 governance cleanup

Author: ProfRandom92

docs/HOOK_PERMISSION_INTEGRATION.md

@@ -20,5 +20,5 @@ CompText maintains a strict distinction between behaviors actively executed by t
 ## 2. Local-Only and Offline-First baseline
 
 - **Authoritative Review-Gate**: The primary security enforcement layer remains the manual review and verification of proposed changes in the `proposals/` folder before running the apply gate (`ctxt apply`).
-- **No Rust-Level Enforcements**: Hooks and permissions are designed to be enforced by the hosting orchestrator (such as the Antigravity system). The local `ctxt` Rust binary does not contain sandboxing or active operating-system-level socket blockades.
+- **No Rust-Level Enforcements**: Hooks and permissions represent target policies for the hosting orchestrator (such as the Antigravity system). The local `ctxt` Rust binary does not contain active operating-system-level socket blockades.
 - **Offline Integrity**: Calculations and change-detection hashes are performed entirely offline using local utilities. No remote distributed marketplaces or online registries are used.

docs/POLICY_INTERCEPTOR_SPEC.md

@@ -4,30 +4,30 @@ This document provides the inert specification format for policy interceptor hoo
 
 ---
 
-## 1. Interceptor Lifecycle Targets
+## 1. Interceptor Lifecycle Targets (Planned / Not Active)
 
 ```text
-[ SessionStart ] ──────► Instantiates the workspace validation profile
+[ SessionStart ] ──────► Target-only: planned to initialize the validation profile (not active)
        │
        ▼
-[ PreToolUse ] ────────► Intercepts and validates tool input parameters
+[ PreToolUse ] ────────► Target-only: planned to validate tool input parameters (not active)
        │
        ▼
   ( Tool Run )
        │
        ▼
-[ PostToolUse ] ───────► Inspects and filters output streams
+[ PostToolUse ] ───────► Target-only: planned to filter output streams (not active)
        │
        ▼
-[ PostPhase ] ─────────► Evaluates phase completeness and git tree clean status
+[ PostPhase ] ─────────► Target-only: planned to check phase completeness (not active)
 ```
 
 ---
 
 ## 2. Specification Formats (Inert Targets)
 
 ### SessionStart Specification
-- **Intent**: Initializes the session state tracking profile.
+- **Intent**: Target-only: planned to initialize the session state tracking profile (not active).
 - **Inert Spec**:
   ```json
   {
@@ -41,7 +41,7 @@ This document provides the inert specification format for policy interceptor hoo
   ```
 
 ### PreToolUse Specification
-- **Intent**: Validates tool invocation arguments before execution.
+- **Intent**: Target-only: planned to validate tool invocation arguments before execution (not active).
 - **Inert Spec**:
   ```json
   {
@@ -55,7 +55,7 @@ This document provides the inert specification format for policy interceptor hoo
   ```
 
 ### PostToolUse Specification
-- **Intent**: Filters and sanitizes outputs before returning them to the model context.
+- **Intent**: Target-only: planned to filter and sanitize outputs before returning them to the model context (not active).
 - **Inert Spec**:
   ```json
   {

reports/phase_13_status.md

@@ -61,4 +61,4 @@
 3. **Change-Detection Policy**: Specified in design docs that integrity hashes are local change-detection tools, avoiding overclaims of remote/distributed marketplace or cryptographic provenance capabilities.
 4. **Starter Skills Bundling**: Normalized and registered 6 starter skills alongside the governance skill, all containing Goal, Read first, Use when, Allowed, Forbidden, Validation, and Return clauses.
 5. **Claims Audit Cleanliness**: Checked that no overclaims regarding cryptographic proofs, remote market integration, enterprise readiness, or certified safety exist.
-6. Review-Gate Cleanup: Updated README project tracking to Phase 13 COMPLETE and Phase 14 NEXT. Cleaned starter skill files to remove claim-sensitive release, readiness, compatibility, and guarantee-style wording. Recomputed and updated local SHA-256 change-detection hashes in the registry index.
+6. Review-Gate Cleanup: Updated README project tracking to Phase 13 status as complete and Phase 14 NEXT. Cleaned starter skill files to remove claim-sensitive release, readiness, compatibility, and guarantee-style wording. Recomputed and updated local SHA-256 change-detection hashes in the registry index.

reports/phase_14_status.md

@@ -44,7 +44,7 @@
 - **NETWORK**: offline-only (no network requests made or permitted during design and layout).
 - **SECRETS**: Redacted from all configurations and outputs.
 - **POLICY_DECISIONS**:
-  - Explicit demarcation of implemented behaviors (local validation, context harvesting, apply gate pathing) vs. target/inert architectures (policy interceptor hooks and host execution sandboxing).
+  - Explicit demarcation of implemented behaviors (local validation, context harvesting, apply gate pathing) vs. target/inert architectures (policy interceptor hooks and host execution constraints).
   - Maintained the authoritative status of the Proposal/Apply Gate and offline-first context model.
   - Indexed the new Phase 14 skill under `.agent/skills/REGISTRY.md` using SHA-256 for local change-detection verification only.
 - **RISKS**: Policy interceptor hooks and runtime permissions represent planned design integrations for the host/orchestrator; they do not represent active Rust-level execution blockades or guarantees.
@@ -58,4 +58,4 @@
 3. **Runtime Permissions**: Authored `docs/RUNTIME_PERMISSION_TEMPLATE.md` defining inert schemas for read/write/network/provider orchestrator constraints.
 4. **Starter Templates**: Placed inert policy and permission configurations under `templates/hooks/` and `templates/permissions/` directories.
 5. **Skill Registry updates**: Configured and registered `.agent/skills/ctxt-phase-14-hook-permission-integration/SKILL.md` with explicit allowed/forbidden scopes and recomputed local SHA-256 change-detection integrity hash.
-6. Review-Gate Cleanup: Updated README project tracking to Phase 13 COMPLETE and Phase 14 NEXT. Cleaned starter skill files to remove claim-sensitive release, readiness, compatibility, and guarantee-style wording. Recomputed and updated local SHA-256 change-detection hashes in the registry index.
+6. Review-Gate Cleanup: Updated README project tracking to Phase 14 COMPLETE and Phase 15 NEXT. Cleaned integration docs and templates to remove claim-sensitive hook, runtime, and host execution wording. Verified local change-detection hashes.

templates/hooks/interceptor.policy.md

@@ -8,3 +8,9 @@ This template specifies target policy interception configurations. It is inert a
   - PreToolUse: Target-only blocking of `.env` file reading.
   - PostToolUse: Target-only filtering of high-entropy patterns.
   - PostPhase: Target-only execution of `cargo test` suite.
+
+- **Metadata**:
+  - Requires host/orchestrator integration.
+  - Not executed by Rust CLI.
+  - No secrets.
+  - No network by default.

templates/permissions/default.permissions.md

@@ -9,3 +9,9 @@ This template specifies target runtime permission configurations. It is inert an
   - **Write**: Target-only restriction to allowed paths within the codebase only.
   - **Network**: Target-only blocking of remote sockets by default.
   - **Provider**: Target-only restriction of calls to mock/local adapters.
+
+- **Metadata**:
+  - Requires host/orchestrator integration.
+  - Not executed by Rust CLI.
+  - No secrets.
+  - No network by default.