test(release): add policy statelock smoke

[VelariumAI]

Summary

Adds RR-004, a local fixture-based smoke layer for policy absence, statelock conflict, paradox report, and skillruntime/profile linkage behavior.

Core invariant:

No policy is not permission.

What changed

• Added RR-004 smoke script:
  • scripts/release_readiness/rr004_policy_statelock_smoke.sh
• Added RR-004 smoke test:
  • scripts/release_readiness/test_rr004_smoke.sh
• Added Go fixture support:
  • pkg/releasecheck/rr004_policy_statelock_test.go
• Integrated RR-004 into:
  • scripts/release_readiness/readiness.sh
• Updated release readiness docs:
  • docs/release/README.md
• Updated promotion manifest / allowlist for new managed files.

Operational posture

• Local and fixture-based.
• Does not call providers.
• Does not call network endpoints.
• Does not execute app tools.
• Does not create, move, or delete tags.
• Does not run release workflows.
• Does not publish releases.
• Does not modify runtime behavior.
• Does not modify vector/semantic-memory behavior.
• Does not modify private scanner artifacts.
• Does not modify private contracts.
• Does not start RR-005+ tooling.

RR-004 behavior

RR-004 simulates operator-facing negative and boundary flows.

Covered scenarios:

• sensitive action under absent/no matching policy
• explicit low-risk action under absent policy
• statelock conflict
• paradox report possible / confirmed / inconclusive semantics
• skillruntime/profile linkage for adverse statelock/paradox evidence

Expected behavior is verified:

• absent policy does not silently authorize sensitive action
• explicit low-risk path remains narrow and explicit
• statelock conflict is visible and not downgraded into pass
• paradox report does not overclaim no valid path unless confirmed
• remediation text is descriptive only
• no automatic remediation execution
• adverse evidence cannot silently pass through skillruntime/profile fixture paths
• receipt/ref linkage is present where claimed

RR-004 writes reports to:

.local/release-readiness/rr004/

Current RR-004 recommendation:

RR004_PASS

Main readiness integration

readiness.sh now includes RR-004 and still returns:

NEEDS_RR_SUITE

because RR-005+ remain deferred.

It does not claim RC_READY or STABLE_READY.

Review status

Independent review verdict: APPROVE.

Review confirmed:

• operator-facing scenario output is present
• “no policy is not permission” is exercised and asserted
• sensitive absent policy requires approval / does not silently allow
• explicit low-risk absent policy remains narrow
• statelock conflict is detected and surfaced
• paradox status handling avoids certainty overclaim
• skillruntime/profile linkage denies adverse evidence
• no provider/network/tool/release/tag/workflow execution
• vector/semantic memory preserved
• no public attribution
• manifest in sync

Validation

• bash scripts/release_readiness/test_smoke.sh passed.
• bash scripts/release_readiness/test_rr002_smoke.sh passed.
• bash scripts/release_readiness/test_rr003_smoke.sh passed.
• bash scripts/release_readiness/test_rr004_smoke.sh passed.
• bash scripts/release_readiness/rr002_cli_smoke.sh passed with RR002_INCOMPLETE.
• bash scripts/release_readiness/rr003_var_spine_smoke.sh passed with RR003_PASS.
• bash scripts/release_readiness/rr004_policy_statelock_smoke.sh passed with RR004_PASS.
• bash scripts/release_readiness/readiness.sh passed with NEEDS_RR_SUITE.
• bash scripts/check_promotion_manifest.sh passed with 914 / 914 managed files.
• go test ./pkg/releasecheck passed.
• Targeted package tests passed.
• go test ./... passed.
• go vet ./... passed.
• git diff --check passed.
• Private scanner finding zero_proofs_3 | reasoning/ classified as existing unrelated.

Deferred follow-ups

• RR-005 vector/RAG/engram preservation smoke.
• RR-006 scripted user/operator session simulation.
• RR-007 final release report generator.