[codex] Consume pinned Work Ledger framework snapshot

[bnvoss]

Summary

This wires /motus to consume the canonical motus-work-ledger framework surface from commit ed65daac4a081f67362f402f5f37ce3d3a1aeff1.

• copies the canonical spec/, schemas/, semconv/, and conformance/ surfaces into /motus
• replaces the obsolete Framework RFC path with spec/MOTUS-WORK-LEDGER-RFC.md
• adds MOTUS_WORK_LEDGER.lock.json and a drift guard for copied file sets/hashes
• runs the drift guard in Quality Gates and from the framework conformance tests
• protects the lock, snapshot, gate scripts, and package tests in Quality Gates path filters

Why

motus-work-ledger is now the canonical portable model. /motus should remain the reference implementation and fail CI when its copied framework surface drifts without an explicit resync.

Validation

• python3 packages/cli/scripts/ci/check_work_ledger_snapshot.py PASS
• invalid non-hex source_commit rejected
• non-canonical source_repo rejected
• python3 conformance/validator/check_schema_registry.py PASS
• python3 conformance/validator/check_semconv_schema_map.py PASS
• python3 conformance/validator/check_conformance.py PASS
• python3 packages/cli/scripts/ci/check_quality_gate_path_filters.py PASS
• bash scripts/gates/gate-surface-001.sh PASS
• python3 -m pytest packages/cli/tests/test_framework_conformance.py packages/cli/tests/test_docs_taxonomy_lock.py -q PASS, 12/12
• git diff --check PASS
• bash scripts/gates/run-all-gates.sh PASS, 17/17 with 294 tests

Review

Independent headless review found three issues: stale RFC links, weak source commit/repo validation, and missing packages/cli/tests/** path-filter coverage. All three were fixed and the follow-up review approved with no findings.

Work Item

Closes motus-os/motus-work-ledger#7.

[bnvoss]

CI follow-up: GitHub gates failed on detect-secrets false positives for SHA-256 values in MOTUS_WORK_LEDGER.lock.json. I first tried a root lockfile exclusion, headless review flagged bypass risk, then hardened the lock validator to reject unknown keys, duplicate JSON keys, malformed timestamps, non-canonical source repo, malformed commits, and malformed digests. Local validation now passes: check_work_ledger_snapshot, targeted tests 17/17, GATE-SEC-002, git diff --check, and run-all-gates 17/17 with 299 tests. Headless follow-up approved with no findings.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 491c35c5e2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require redaction in work.closed payload schema

For Level 1 event-backed receipts, redaction is a required receipt field and check_receipt_projection_consistency() later expects it to come from closed["redaction"], but the advertised work.closed event-kind schema omits it. A producer following this schema can emit a validly-hashed work.closed event without redaction; build_receipt() then defaults the receipt to {"status":"none"}, so the receipt is no longer derived from Store facts and the checker will fail when comparing Store facts. Include redaction in required_payload or stop defaulting it.

Useful? React with 👍 / 👎.