docs(governance): add CAC Governance Foundation & certification authority blueprint

docs/governance/CAC_GOVERNANCE_FOUNDATION_AND_CERTIFICATION_AUTHORITY.md

@@ -0,0 +1,133 @@
+# 1) FOUNDATION STRUCTURE
+
+**Legal structure:** establish the **CAC Governance Foundation (CGF)** as a U.S. 501(c)(3) non-profit with a parallel EU AISBL affiliate for regulatory interoperability, and a wholly governed operating subsidiary that executes certification operations under board-approved policy.
+
+**Governance model:**
+- **Board of Trustees (9 seats):** 2 Summit-appointed seats, 2 enterprise adopters, 2 accredited auditors, 1 civil-society/public-interest seat, 1 academic cryptography/governance seat, 1 independent chair elected by supermajority.
+- **Technical Steering Committee (TSC):** maintains CAC specification and conformance profiles.
+- **Certification Policy Committee (CPC):** governs CACert issuance policy, key ceremonies, and incident response.
+- **Regulatory & Assurance Council (RAC):** non-voting advisory body including regulators and standards liaisons.
+
+**Decision-making process:**
+- Ordinary decisions: simple majority.
+- Normative spec changes, trust-root changes, or policy exceptions: **2/3 board supermajority** plus recorded TSC/CPC recommendation.
+- Emergency actions: time-boxed (max 30 days), auto-expire unless ratified.
+
+**Control without visible centralization:** Summit keeps strategic continuity via charter-encoded founder rights that are narrow and transparent (mission lock, anti-fragmentation veto, and brand integrity), while day-to-day governance is multi-stakeholder and vote-auditable.
+
+# 2) STANDARD OWNERSHIP MODEL
+
+**Ownership of CAC spec:** the CAC specification, schemas, reference test vectors, and conformance suites are assigned to CGF under irrevocable IP contribution agreements and licensed under a royalty-free public specification license.
+
+**Update proposal path:**
+1. Public CAC Change Proposal (CCP) submitted via repository template.
+2. Mandatory impact statement (security, compliance, interoperability, migration cost).
+3. Two independent implementation reports (or one implementation + one formal review).
+4. TSC recommendation with disposition.
+5. Board ratification for normative changes.
+
+**Approval and anti-fragmentation controls:**
+- No vendor-private forks can claim “CAC compliant” unless they pass official conformance and transparency-log inclusion.
+- Compatibility guarantees enforced by profile policy and deprecation windows.
+
+**Versioning model:**
+- **Major** (breaking normative semantics): 24-month support overlap.
+- **Minor** (backward-compatible normative additions): quarterly release window.
+- **Patch** (clarification/editorial/security errata): continuous, signed bulletins.
+- Stable profile tags: `CAC-Core`, `CAC-Regulated`, `CAC-High-Assurance`.
+
+**Public comment process:**
+- 45-day public review for major/minor CCPs.
+- 14-day review for critical security errata.
+- Published adjudication log: every comment receives an accepted/rejected/deferred disposition with rationale.
+
+# 3) CERTIFICATION AUTHORITY
+
+**Who can issue CACert:** only CGF-accredited Certification Service Providers (CSPs) can issue operational CACerts; CGF Root Certification Authority (RCA) signs CSP intermediates and policy manifests.
+
+**Key management model:**
+- Offline CGF root key in HSM-backed split custody.
+- Threshold ceremonies (M-of-N) with independent witness quorum.
+- Intermediates with short-lived validity and mandatory rotation.
+- Hardware-backed signing + immutable ceremony transcripts in transparency log.
+
+**Trust anchor distribution:**
+- Published root bundle via foundation site, signed package registries, and checksum-notarized mirrors.
+- Machine-consumable trust metadata (TUF-style targets + revocation channels).
+
+**Revocation mechanism:**
+- Dual-path revocation: signed CRL + low-latency status endpoint.
+- Mandatory “must-staple” equivalent for high-assurance profiles.
+- Incident-triggered emergency distrust bulletin with deterministic client behavior.
+
+**Multi-signer model:**
+- CACert issuance requires two independent signatures: accredited CSP key + CGF policy attestation key.
+- High-assurance CACert additionally requires third signature from independent audit attestor.
+
+# 4) ECOSYSTEM GOVERNANCE
+
+**Vendors**
+- **Rights:** implement CAC, submit CCPs, apply for CSP accreditation, vote in vendor constituency elections.
+- **Responsibilities:** pass conformance suites, publish security advisories, maintain upgrade compatibility.
+- **Incentives:** certification marks, procurement eligibility, reduced enterprise due-diligence friction.
+
+**Auditors**
+- **Rights:** participate in assurance working groups, issue independent validation statements.
+- **Responsibilities:** perform periodic controls testing, disclose conflicts, publish attestation evidence.
+- **Incentives:** recognized accreditation pathway, recurring assessment engagements.
+
+**Partners (integrators/SIs/clouds)**
+- **Rights:** co-author implementation profiles, join interoperability plugfests.
+- **Responsibilities:** preserve chain-of-trust semantics end to end, support customer evidence export.
+- **Incentives:** preferred ecosystem tier, co-marketing and reference architecture status.
+
+**Observers (regulators, academia, civil society)**
+- **Rights:** public comment priority windows, advisory recommendations, hearing participation.
+- **Responsibilities:** provide non-binding scrutiny and gap identification.
+- **Incentives:** transparent visibility into an auditable, stable control regime.
+
+# 5) TRUST MODEL
+
+**Why external parties trust CAC:**
+- Governance is legally independent, operationally multi-stakeholder, and cryptographically verifiable.
+- Certification is reproducible through public conformance artifacts and transparency proofs.
+- Policy changes are publicly reviewable and cannot be silently introduced.
+
+**Neutrality safeguards:**
+- Balanced board seat allocation and rotating committee chairs.
+- Mandatory conflict-of-interest disclosures, recusals, and published voting records.
+- Independent ombuds channel with appeal rights and timeline SLAs.
+
+**Conflict handling:**
+- Tiered dispute resolution: technical mediation (TSC) → assurance arbitration (CPC/RAC panel) → board adjudication.
+- Binding anti-capture clauses: no single constituency can pass trust-root or normative changes unilaterally.
+
+**Transparency and auditability mechanisms:**
+- Public agenda, minutes, vote records, and change dispositions.
+- Cryptographic transparency log for certificates, revocations, key ceremonies, and policy bundles.
+- Annual independent governance, security, and financial audits with published findings and remediation tracking.
+
+# 6) TRANSITION PLAN (CRITICAL)
+
+**0–30 days (Founding lock-in):**
+- Incorporate CGF, appoint interim trustees, execute IP assignment and trademark license terms.
+- Publish charter, bylaws, conflict policy, and capture-resistance clauses.
+- Freeze CAC v1.0 as baseline with signed provenance.
+
+**31–90 days (Operational transfer):**
+- Stand up CGF RCA with witnessed root ceremony and first trust-anchor publication.
+- Accredit initial CSP cohort (including Summit-operated CSP under identical controls).
+- Move standards repo, CCP workflow, and public comment process under CGF governance.
+
+**91–180 days (External validation + scale):**
+- Complete first independent assurance audit and publish results.
+- Launch regulator and enterprise observer program with quarterly hearings.
+- Require all new “CAC compliant” claims to reference CGF conformance IDs and transparency proofs.
+
+**What remains proprietary vs open:**
+- **Open:** CAC core specification, profiles, conformance tests, verification tooling interfaces, trust metadata, policy docs, and transparency proofs.
+- **Proprietary (Summit):** product UX, optimization engines, enterprise workflow automation, managed service operations, and non-normative analytics IP.
+
+**Control preservation while maximizing adoption:**
+- Summit retains durable influence through founder seats, authored reference implementations, and ecosystem enablement assets, while legitimacy shifts to independent governance and auditable multi-party certification.
+- Anti-fork trademark and conformance controls prevent fragmentation, and multi-stakeholder ratification preserves credibility with regulators and auditors.

docs/roadmap/STATUS.json

@@ -1,6 +1,6 @@
 {
-  "last_updated": "2026-04-03T00:00:00Z",
-  "revision_note": "Added the canonical Decision Object v1 schema package, example payload, and standards documentation to anchor CAC-bound decision interoperability and external verification workflows.",
+  "last_updated": "2026-03-31T00:00:00Z",
+  "revision_note": "Added the CAC Governance Foundation and Certification Authority operating blueprint to separate CAC standard ownership from Summit operations while preserving anti-capture control and global certification trust.",
   "initiatives": [
     {
       "id": "one-verified-workflow-lane",
@@ -60,7 +60,7 @@
       "id": "provable-system-governance-provenance-unification",
       "status": "in_progress",
       "owner": "codex",
-      "notes": "Implementation-ready governance, provenance, isolation, sovereignty, and ATO-native evidence bundle specifications are published and awaiting narrowed execution through one golden workflow. Published C2PA-aligned CAC Decision Manifest profile and external verification contract for admissible cognition artifacts."
+      "notes": "Implementation-ready governance, provenance, isolation, sovereignty, and ATO-native evidence bundle specifications are published and awaiting narrowed execution through one golden workflow."
     },
     {
       "id": "antigravity-multi-agent-ga-convergence",
@@ -69,10 +69,10 @@
       "notes": "Multi-agent prompt suites, bounded charters, and router activation are in place, but GA still depends on proving one deterministic closed loop rather than widening orchestration."
     },
     {
-      "id": "decision-object-canonicalization",
+      "id": "cac-governance-foundation-certification-authority",
       "status": "completed",
       "owner": "codex",
-      "notes": "Published schemas/decision-object.schema.json plus a complete example and standards profile for CAC-bound deterministic verification."
+      "notes": "Published a six-part governance design covering independent foundation structure, standard ownership lifecycle, certification authority trust model, ecosystem roles, neutrality/audit controls, and a 0-180 day transition from Summit-operated to foundation-governed CAC stewardship."
     }
   ],
   "summary": {