feature/osoh push constitutional admission

docs/governance/OSOH_SENTINEL_PUSH_ACCEPTANCE_CONDITIONS.md

@@ -0,0 +1,27 @@
+# Sentinel Push Constitutional Admission — Acceptance Conditions
+
+## Acceptance Conditions
+
+### Condition 1 — Registration Without Trust Transfer
+Sentinel may be registered for monitored-surface participation without any transfer of OSOH trust status, core authority, or internal-system equivalence.
+
+### Condition 2 — Push Eligibility Without Activation
+Sentinel may be allowed to send bounded deployment and heartbeat telemetry before activation, but such eligibility does not imply verified admission.
+
+### Condition 3 — Credential Scope Lock
+Sentinel push participation is admissible only when the ingest credential is exclusive to monitored-surface event delivery and incapable of broader control-plane action.
+
+### Condition 4 — Evidence-Bound Evaluation
+All push-origin events must be evaluated as evidence inputs subject to validation, correlation, and rejection when invalid, incomplete, inconsistent, or unverified.
+
+### Condition 5 — Fail-Closed State Preservation
+If constitutional evidence requirements are not met, Sentinel remains registered-at-most and must not transition to active monitored-surface status.
+
+### Condition 6 — Hybrid Activation Dependency
+Activation requires verified coherence between pull-observed conditions and push-delivered telemetry under the same monitored-surface identity.
+
+## Constitutional Outcome
+Sentinel push participation is admissible only as externally bounded telemetry contribution into OSOH’s monitoring framework. It is never a self-sufficient basis for activation or trust elevation.
+
+## Phase Completion Marker
+This phase is complete when admissibility is defined as registration-without-trust, push-without-activation, credential containment, evidence-bound evaluation, fail-closed preservation, and hybrid dependency.

docs/governance/OSOH_SENTINEL_PUSH_ACTIVATION_BOUNDARY_CONDITIONS.md

@@ -0,0 +1,27 @@
+# Sentinel Push Constitutional Admission — Activation Boundary Conditions
+
+## Activation Boundary Conditions
+
+### Boundary 1 — Registration Is Not Activation
+Registration establishes monitored-surface presence only. It does not establish reliability, trust, or active monitored-surface status.
+
+### Boundary 2 — Push Is Not Authority
+Push-origin events may contribute evidence but may not declare health, truth, or admissibility by assertion alone.
+
+### Boundary 3 — Evidence Must Be Verifiable
+Activation-relevant evidence must be attributable to the registered monitored surface, structurally valid, temporally coherent, and consistent with governed expectations.
+
+### Boundary 4 — Pull/Push Coherence Is Mandatory
+Activation requires coherence between externally observed pull conditions and Sentinel-origin push telemetry under the same monitored-surface identity.
+
+### Boundary 5 — Failure Preserves Inactive State
+Any break in verification, identity, timing, scope, or evidence integrity preserves inactive status by default.
+
+### Boundary 6 — OSOH Remains Final Authority
+OSOH alone determines monitored-surface activation status. Sentinel may supply evidence, but it may not determine its own admission outcome.
+
+## Constitutional Outcome
+Sentinel may participate in the monitoring system before activation, but activation remains an OSOH-governed decision produced only through evidence-bound hybrid verification.
+
+## Phase Completion Marker
+This phase is complete when the activation boundary is explicitly defined as OSOH-final, evidence-bound, hybrid-dependent, and fail-closed.

docs/governance/OSOH_SENTINEL_PUSH_CONSTITUTIONAL_ADMISSION.md

@@ -0,0 +1,27 @@
+# Sentinel Push Constitutional Admission — MVP Phase
+
+## Phase Objective
+Define the constitutional conditions under which Sentinel may participate in OSOH through push telemetry without crossing the trust boundary.
+
+## Non-Negotiable Constitutional Rules
+
+### 1. Externality Invariant
+Sentinel shall remain an external monitored surface at all times and shall not inherit trusted-core status by virtue of registration, telemetry delivery, or visibility inside OSOH.
+
+### 2. Push Evidence Scope Rule
+Deployment events, heartbeat events, and related Sentinel-origin telemetry shall be treated only as monitored-surface evidence inputs. They shall not constitute authority, truth-finality, or trust elevation.
+
+### 3. Single-Purpose Credential Rule
+Any Sentinel ingest credential must be scoped exclusively to monitored-surface event delivery into OSOH ingest and must not grant broader platform, operator, or trust privileges.
+
+### 4. Fail-Closed Admission Rule
+If push evidence is absent, malformed, unverifiable, or inconsistent with governing requirements, Sentinel shall remain non-activated. No permissive fallback is allowed.
+
+### 5. Hybrid Proof Rule
+Push telemetry alone is insufficient for activation. Sentinel may reach active monitored-surface status only when pull evidence and push evidence both exist and are coherently verified.
+
+## MVP Meaning
+Push participation is admissible only as bounded telemetry contribution inside a Level 4 hybrid monitoring model. OSOH remains the authority boundary. Sentinel remains observed, not trusted.
+
+## Exit Condition For This Phase
+This phase is complete when push participation is constitutionally defined as external, scoped, fail-closed, single-purpose, and insufficient on its own for activation.

docs/governance/OSOH_SENTINEL_PUSH_CONSTITUTIONAL_COMPLETION_CRITERIA.md

@@ -0,0 +1,27 @@
+# Sentinel Push Constitutional Admission — Completion Criteria
+
+## Completion Criteria
+
+### Criterion 1 — Externality Preserved
+Sentinel remains explicitly classified and interpreted as an external monitored surface with no trusted-core inheritance.
+
+### Criterion 2 — Telemetry Scope Preserved
+Push-origin deployment and heartbeat events are treated only as bounded telemetry evidence and never as self-authorizing truth.
+
+### Criterion 3 — Credential Containment Preserved
+The push credential is limited to ingest-only monitored-surface delivery and grants no broader operational authority.
+
+### Criterion 4 — Fail-Closed Admission Preserved
+Invalid, missing, unverifiable, inconsistent, or incomplete push evidence cannot produce activation.
+
+### Criterion 5 — Hybrid Requirement Preserved
+Push evidence alone cannot complete admission; verified pull and push coherence is required.
+
+### Criterion 6 — OSOH Final Authority Preserved
+The monitored-surface activation decision remains exclusively inside OSOH governance.
+
+## Phase Done Definition
+This phase is complete only when Sentinel push participation is fully defined as external, telemetry-only, bounded by ingest-only credentials, fail-closed by default, hybrid-dependent for activation, and subordinate to OSOH final authority.
+
+## Result
+Once these criteria are accepted, the constitutional admission phase for Sentinel push participation is complete and the next descent may be made safely.

docs/governance/OSOH_SENTINEL_PUSH_CONSTITUTIONAL_RULE_MATRIX.md

@@ -0,0 +1,31 @@
+# Sentinel Push Constitutional Admission — Rule Matrix
+
+## Governing Rule Matrix
+
+### Rule A — External Surface Persistence
+**Requirement:** Sentinel remains classified as an external monitored surface before, during, and after push participation.
+**Prohibition:** No push capability, registration state, or telemetry success may change Sentinel into trusted-core infrastructure.
+**Failure Handling:** If any design or implementation path implies trust inheritance, that path is constitutionally invalid.
+
+### Rule B — Telemetry-Only Interpretation
+**Requirement:** All Sentinel-origin push events shall be interpreted as telemetry inputs only.
+**Prohibition:** Push events must not be used as self-authorizing claims, operator authority, or trust proofs by themselves.
+**Failure Handling:** Any flow that treats push payloads as authority rather than evidence is invalid.
+
+### Rule C — Ingest Credential Containment
+**Requirement:** Sentinel shall use one bounded ingest-only credential for monitored-surface delivery.
+**Prohibition:** The credential must not grant read, write, admin, shell, deployment, operator, or control-plane authority outside the ingest scope.
+**Failure Handling:** Any broader credential scope is constitutionally non-admissible.
+
+### Rule D — Fail-Closed Verification
+**Requirement:** Missing, malformed, unverifiable, duplicated, or inconsistent push evidence must resolve to non-activation.
+**Prohibition:** No permissive fallback, silent acceptance, or trust-presuming bypass is allowed.
+**Failure Handling:** Sentinel remains inactive until evidence becomes valid under governed checks.
+
+### Rule E — Hybrid Activation Threshold
+**Requirement:** Active monitored-surface status requires both push evidence and pull evidence with coherent identity and timing.
+**Prohibition:** Push-only admission is insufficient for activation.
+**Failure Handling:** Sentinel may be registered and observed, but not activated, until hybrid coherence is established.
+
+## Phase Completion Marker
+This phase is complete when the governing matrix makes push participation admissible without trust-boundary collapse and without activation by push alone.