From 112574796fc3475ce0d140b95ffc343453d2fcfe Mon Sep 17 00:00:00 2001 From: Raylee Hawkins Date: Thu, 4 Jun 2026 03:47:54 -0500 Subject: [PATCH 1/2] docs(profile): refresh org README from current proof routes --- profile/README.md | 20 +++++++++++++++++--- profile/START_HERE.md | 26 ++++++++++++++------------ 2 files changed, 31 insertions(+), 15 deletions(-) diff --git a/profile/README.md b/profile/README.md index c3ca1b0..7442edf 100644 --- a/profile/README.md +++ b/profile/README.md @@ -6,7 +6,7 @@ # HawkinsOperations -**HawkinsOperations is a governed AI Security Operations control plane. AI can draft security work; deterministic validation, proof records, and human review authorize claims.** +**HawkinsOperations is a governed AI Security Operations and detection engineering system. AI accelerates drafting, triage reasoning, case-packet support, documentation, and automation planning; deterministic validation, proof records, and human review decide what becomes operational truth.** `CONTROLLED_TEST_VALIDATED` · `HO-DET-001` · `NOT_PUBLIC_SAFE` · `RENDERING_NOT_PROOF` · `HUMAN_REVIEW_REQUIRED` @@ -18,8 +18,10 @@ ## 10-second read -- AI drafts security work. -- Deterministic validation, proof records, and human review authorize claims. +- AI is labor; governance is authority. +- AI can accelerate SOC and detection work, but it does not approve claims or dispositions. +- Deterministic validation, evidence records, proof boundaries, and human review authorize operational truth. +- Green CI is evidence for the checked scope, not approval. - Website/GitHub rendering is not proof. The system separates detection source, validation, platform contracts, proof records, governance routing, and public rendering so public claims cannot outrun evidence. 
@@ -28,6 +30,18 @@ The system separates detection source, validation, platform contracts, proof rec **Claim firewall:** runtime-active, signal-observed, production, SOCaaS, autonomous SOC, AI-approved disposition, analyst-approved disposition, and public-safe runtime claims remain blocked unless separately proven. Blocked claims are intentional controls, not failed features. +## Current strongest reviewer routes + +These are existing receipts and reviewer routes. They do not raise the proof ceiling. + +| Route | What to inspect | Current ceiling | Boundary | +|---|---|---|---| +| [Proof Pack 001](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) | Bounded HO-DET-001 release ZIP, SHA256, and verifier path. | `CONTROLLED_TEST_VALIDATED` | Reviewer package only; public-safe runtime proof remains blocked. | +| [HO-DET-001 proof path](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) | Detection source, Splunk source, controlled validation, proof record, and public route. | `CONTROLLED_TEST_VALIDATED` | Source and validation do not prove runtime, signal, production, or public-safe status. | +| [Runtime Route Proof v1](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/maps/RUNTIME-ROUTE-PROOF-V1-REVIEWER-MAP.md) | Private-candidate Wazuh -> Cribl -> Splunk route summary and prerelease. | `PRIVATE_RUNTIME_ROUTE_PROOF_V1_CANDIDATE_PRESERVED` | `NOT_PUBLIC_SAFE`; not public proof, production proof, or broad-ingestion proof. | +| [Reviewer metrics summary](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/reviewer-metrics-pipeline-v1-summary.json) | 4 governed cases, 49 controlled validation activity fires, 106 validation cases, 8 proof records, 31 blocked claims. | `SCHEMA_CONTRACT_VERIFIER_EXISTS_ONLY` | Activity fires are not governed cases, runtime signals, or public-safe proof. 
| +| [Six-repo authority model](../architecture/REPO_AUTHORITY_MAP.md) | Source, validation, platform, proof, website, and org-routing ownership. | `RENDERING_NOT_PROOF` / source-boundary routing | `.github` routes reviewers; proof records and checks own their scoped facts. | + ## HawkinsOperations Control Panel `.github` is the org command center for reviewer routing, truth boundaries, and claim controls. It does not create proof authority. Proof records live in [hawkinsoperations-proof](https://github.com/HawkinsOperations/hawkinsoperations-proof), and the current public ceiling remains `CONTROLLED_TEST_VALIDATED` unless a specific proof record says otherwise. Runtime, signal, public-safe, production, SOCaaS, autonomous SOC, AI-approved disposition, and analyst-approved disposition claims remain blocked unless explicitly proven and approved. diff --git a/profile/START_HERE.md b/profile/START_HERE.md index 6479204..5d25c65 100644 --- a/profile/START_HERE.md +++ b/profile/START_HERE.md 
@@ -2,12 +2,14 @@ Start here if reviewing HawkinsOperations. -HawkinsOperations is a governed AI Security Operations control plane. AI can draft security work; deterministic validation, proof records, and human review authorize claims. +HawkinsOperations is a governed AI Security Operations and detection engineering system. AI can accelerate detection drafting, triage reasoning, case-packet support, documentation, and automation planning; deterministic validation, proof records, and human review authorize claims. The system separates detection source, validation, platform contracts, proof records, governance routing, and public rendering so public claims cannot outrun evidence. -- AI drafts security work. -- Validation, proof records, and human review authorize claims. +- AI is labor; governance is authority. +- AI can accelerate SOC and detection work, but it does not approve claims or dispositions. +- Validation, evidence records, proof boundaries, deterministic checks, and human review authorize operational truth. +- Green CI is evidence for the checked scope, not approval. - Website/GitHub rendering is not proof. The enterprise AI failure mode is that AI-generated output becomes a public claim, analyst conclusion, operational action, security disposition, or executive truth before evidence and human review authorize it. HawkinsOperations is built to prevent that promotion path. 
@@ -42,9 +44,17 @@ Public claims require reviewed wording, evidence linkage, stale review, and appr ## Reviewer Control Panel +### 30-second reviewer path + +1. Open the [organization profile](./README.md) for the system summary and strongest current reviewer routes. +2. Open the [Proof Pack 001 Release](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) and [HO-DET-001 proof record](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) to verify the public proof ceiling. +3. Open the [Repository Authority Map](../architecture/REPO_AUTHORITY_MAP.md) to see which repo owns source, validation, platform, proof, website rendering, and org routing. +4. Open the [Control Status Matrix](../governance/CONTROL_STATUS_MATRIX.md) to confirm blocked claims and current boundaries. +5. Treat every website/GitHub page as routing unless the owning proof record supports the claim. + ### 3-minute command-center path -1. Open the [organization profile](./README.md) to see the six-repo command center. +1. Complete the 30-second reviewer path above. 2. Open the [Repository Authority Map](../architecture/REPO_AUTHORITY_MAP.md) to confirm which repo owns each truth surface. 3. Open the [Control Status Matrix](../governance/CONTROL_STATUS_MATRIX.md) to confirm the current claim ceiling and blocked claims. 4. Open the [Proof Pack 001 Release](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) and [HO-DET-001 proof record](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) for proof-owned claim boundaries. 
@@ -61,14 +71,6 @@ Reviewer metrics boundary: the Lifetime Governed Cases number stays strict and c Runtime Route Proof v1 private-candidate boundary: the proof repo routes a reviewer map and prerelease for one private controlled Wazuh -> Cribl -> Splunk marker summary. Claim ceiling remains `PRIVATE_RUNTIME_ROUTE_PROOF_V1_CANDIDATE_PRESERVED`; public-safe status remains `NOT_PUBLIC_SAFE`; Lifetime Governed Cases remains 4; `AI_DECIDED_DISPOSITION=false`. -### 30-second reviewer path - -1. Start with the [organization profile](./README.md) for the system summary. -2. Use the [Repository Authority Map](../architecture/REPO_AUTHORITY_MAP.md) to see which repo owns each truth surface. -3. Use the [Control Status Matrix](../governance/CONTROL_STATUS_MATRIX.md) to separate report-only routing from controls that block, fail, or force correction. -4. Inspect [hawkinsoperations-proof](https://github.com/HawkinsOperations/hawkinsoperations-proof) for proof records and claim ceilings. -5. Follow source and validation links only inside their stated scope. - ### 10-minute reviewer path 1. Complete the 3-minute command-center path above. From 785b3e20e5a6f469eb245a65deb430d4a7e180be Mon Sep 17 00:00:00 2001 From: Raylee Hawkins Date: Thu, 4 Jun 2026 04:04:54 -0500 Subject: [PATCH 2/2] docs(profile): strengthen org README first-scan impact --- profile/README.md | 32 +++++++++++++------------------- profile/START_HERE.md | 20 +++++++++++++++----- 2 files changed, 28 insertions(+), 24 deletions(-) diff --git a/profile/README.md b/profile/README.md index 7442edf..c5ef607 100644 --- a/profile/README.md +++ b/profile/README.md 
@@ -16,31 +16,25 @@ --- -## 10-second read +## What this shows now -- AI is labor; governance is authority. -- AI can accelerate SOC and detection work, but it does not approve claims or dispositions. -- Deterministic validation, evidence records, proof boundaries, and human review authorize operational truth. -- Green CI is evidence for the checked scope, not approval. -- Website/GitHub rendering is not proof. +HawkinsOperations is a governed detection engineering loop: source-controlled detection work, deterministic validation, platform contracts, proof records, reviewer releases, bounded runtime-candidate routing, and human-review gates. AI supports drafting, triage reasoning, case-packet support, documentation, and automation planning; it does not decide disposition, approve claims, promote proof, or close cases. -The system separates detection source, validation, platform contracts, proof records, governance routing, and public rendering so public claims cannot outrun evidence. +Green CI is evidence for the checked scope, not approval. Website and GitHub pages route reviewers; proof records and verifiers own the claim ceiling. -**Current proof snapshot:** HO-DET-001 has source and controlled-test validation within the current public ceiling, Proof Pack 001 is a bounded reviewer route, the proof-owned ledger records 4 cases and 0 public-safe runtime cases, and the reviewer metrics route records 49 detection activity / controlled validation fires, 106 validation cases, 8 proof records, and 31 blocked claims. +## Current strongest receipts -**Claim firewall:** runtime-active, signal-observed, production, SOCaaS, autonomous SOC, AI-approved disposition, analyst-approved disposition, and public-safe runtime claims remain blocked unless separately proven. Blocked claims are intentional controls, not failed features. 
- -## Current strongest reviewer routes +| Receipt | What is real today | Reviewer value | Boundary | +|---|---|---|---| +| [HO-DET-001 proof path](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) | PowerShell EncodedCommand detection route mapped to ATT&CK T1059.001, with detection source, Splunk source, controlled validation, proof record, and public route. | Shows the full source -> validation -> platform contract -> proof -> rendering chain for one concrete detection. | Public ceiling remains `CONTROLLED_TEST_VALIDATED`; runtime, signal, production, and public-safe claims remain blocked. | +| [Proof Pack 001](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) | Bounded reviewer release ZIP with SHA256 and verifier route for HO-DET-001. | Gives a reviewer one package to verify without private lab access. | Reviewer release only; not public-safe runtime proof. | +| [Reviewer metrics summary](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/reviewer-metrics-pipeline-v1-summary.json) | 4 governed cases, 49 controlled validation activity fires, 106 validation cases, 8 proof records, and 31 blocked claims. | Reports progress without inflating proof or turning activity into case truth. | Activity fires are validation activity, not governed cases, runtime signals, or public-safe proof. | +| [Runtime Route Proof v1](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/maps/RUNTIME-ROUTE-PROOF-V1-REVIEWER-MAP.md) | Private-candidate Wazuh -> Cribl -> Splunk route summary and prerelease. | Shows runtime-route preservation work without publishing raw private evidence. | `NOT_PUBLIC_SAFE`; not public runtime proof, production proof, or broad-ingestion proof. 
| +| [Six-repo authority model](../architecture/REPO_AUTHORITY_MAP.md) | Detections own source, validation owns behavior, platform owns contracts, proof owns claim ceilings, website renders, and `.github` routes. | Makes the system reviewable without allowing one repo or page to claim another truth surface. | Rendering is not proof; router surfaces do not authorize claims. | -These are existing receipts and reviewer routes. They do not raise the proof ceiling. +## What remains blocked -| Route | What to inspect | Current ceiling | Boundary | -|---|---|---|---| -| [Proof Pack 001](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) | Bounded HO-DET-001 release ZIP, SHA256, and verifier path. | `CONTROLLED_TEST_VALIDATED` | Reviewer package only; public-safe runtime proof remains blocked. | -| [HO-DET-001 proof path](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) | Detection source, Splunk source, controlled validation, proof record, and public route. | `CONTROLLED_TEST_VALIDATED` | Source and validation do not prove runtime, signal, production, or public-safe status. | -| [Runtime Route Proof v1](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/maps/RUNTIME-ROUTE-PROOF-V1-REVIEWER-MAP.md) | Private-candidate Wazuh -> Cribl -> Splunk route summary and prerelease. | `PRIVATE_RUNTIME_ROUTE_PROOF_V1_CANDIDATE_PRESERVED` | `NOT_PUBLIC_SAFE`; not public proof, production proof, or broad-ingestion proof. | -| [Reviewer metrics summary](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/reviewer-metrics-pipeline-v1-summary.json) | 4 governed cases, 49 controlled validation activity fires, 106 validation cases, 8 proof records, 31 blocked claims. | `SCHEMA_CONTRACT_VERIFIER_EXISTS_ONLY` | Activity fires are not governed cases, runtime signals, or public-safe proof. 
| -| [Six-repo authority model](../architecture/REPO_AUTHORITY_MAP.md) | Source, validation, platform, proof, website, and org-routing ownership. | `RENDERING_NOT_PROOF` / source-boundary routing | `.github` routes reviewers; proof records and checks own their scoped facts. | +Runtime-active public proof, signal-observed public proof, public-safe runtime proof, production SOCaaS, customer deployment, live enterprise deployment, autonomous SOC, AI-decided disposition, AI-approved disposition, analyst-approved disposition, FortiSIEM integration proven, fleet-wide coverage, and production-ready SOC are not claimed here. ## HawkinsOperations Control Panel diff --git a/profile/START_HERE.md b/profile/START_HERE.md index 5d25c65..b9b28c0 100644 --- a/profile/START_HERE.md +++ b/profile/START_HERE.md 
@@ -2,16 +2,26 @@ Start here if reviewing HawkinsOperations. -HawkinsOperations is a governed AI Security Operations and detection engineering system. AI can accelerate detection drafting, triage reasoning, case-packet support, documentation, and automation planning; deterministic validation, proof records, and human review authorize claims. +HawkinsOperations is a governed AI Security Operations and detection engineering system built around source-controlled detection work, deterministic validation, platform contracts, proof records, reviewer releases, bounded runtime-candidate routing, and human-review gates. The system separates detection source, validation, platform contracts, proof records, governance routing, and public rendering so public claims cannot outrun evidence. - AI is labor; governance is authority. -- AI can accelerate SOC and detection work, but it does not approve claims or dispositions. +- AI can accelerate detection drafting, triage reasoning, case-packet support, documentation, and automation planning. +- AI does not decide disposition, approve claims, promote proof, or close cases. - Validation, evidence records, proof boundaries, deterministic checks, and human review authorize operational truth. - Green CI is evidence for the checked scope, not approval. - Website/GitHub rendering is not proof. +Start with the receipts, then check the boundaries: + +| First check | What it shows | Boundary | +|---|---|---| +| [HO-DET-001 proof record](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) | PowerShell EncodedCommand detection route, source, Splunk source, controlled validation, proof record, and public ceiling. | `CONTROLLED_TEST_VALIDATED`; runtime, signal, production, and public-safe claims remain blocked. 
| +| [Proof Pack 001 Release](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) | Bounded reviewer ZIP, SHA256, and verifier route for HO-DET-001. | Reviewer release only; not public-safe runtime proof. | +| [Reviewer metrics summary](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/reviewer-metrics-pipeline-v1-summary.json) | 4 governed cases, 49 controlled validation activity fires, 106 validation cases, 8 proof records, 31 blocked claims. | Activity fires are validation activity, not governed cases, runtime signals, or public-safe proof. | +| [Runtime Route Proof v1 reviewer map](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/maps/RUNTIME-ROUTE-PROOF-V1-REVIEWER-MAP.md) | Private-candidate Wazuh -> Cribl -> Splunk route summary and prerelease. | `NOT_PUBLIC_SAFE`; not public runtime proof, production proof, or broad-ingestion proof. | + The enterprise AI failure mode is that AI-generated output becomes a public claim, analyst conclusion, operational action, security disposition, or executive truth before evidence and human review authorize it. HawkinsOperations is built to prevent that promotion path. Current public proof is intentionally bounded. Runtime-active, signal-observed, production, SOCaaS, autonomous SOC, AI-approved disposition, analyst-approved disposition, and public-safe runtime claims remain blocked unless separately proven. Blocked claims are a claim firewall, not failed features. 
@@ -46,10 +56,10 @@ Public claims require reviewed wording, evidence linkage, stale review, and appr ### 30-second reviewer path -1. Open the [organization profile](./README.md) for the system summary and strongest current reviewer routes. -2. Open the [Proof Pack 001 Release](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) and [HO-DET-001 proof record](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) to verify the public proof ceiling. +1. Open the [organization profile](./README.md) for the strongest current receipts. +2. Open the [HO-DET-001 proof record](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) and [Proof Pack 001 Release](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) to verify the flagship proof route and bounded reviewer release. 3. Open the [Repository Authority Map](../architecture/REPO_AUTHORITY_MAP.md) to see which repo owns source, validation, platform, proof, website rendering, and org routing. -4. Open the [Control Status Matrix](../governance/CONTROL_STATUS_MATRIX.md) to confirm blocked claims and current boundaries. +4. Open the [Reviewer metrics summary](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/reviewer-metrics-pipeline-v1-summary.json) to verify bounded metrics without governed-case inflation. 5. Treat every website/GitHub page as routing unless the owning proof record supports the claim. ### 3-minute command-center path
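Review bot: In PATCH 1/2, profile/README.md, hunk `@@ -28,6 +30,18 @@`, the Proof Pack 001 row lists "release ZIP, SHA256, and verifier path" without saying where the expected digest is published or which step compares it. If the digest is only available beside the ZIP on the same release page, it detects a corrupted download but not a replaced asset. Name the file or proof record that carries the expected SHA256 and the verifier step that checks it. The row carries over into the PATCH 2/2 table with the same gap, so the fix belongs in the final wording.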
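Review bot: In PATCH 1/2, profile/START_HERE.md, hunk `@@ -42,9 +44,17 @@`, step 1 of the 3-minute path becomes "Complete the 30-second reviewer path above.", but the unchanged steps 2 to 4 then reopen the Repository Authority Map, the Control Status Matrix, and the Proof Pack 001 and HO-DET-001 links that the new 30-second path already covers in its steps 2 to 4. Either drop the repeated steps or reword them to say what the longer pass checks that the short one does not.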
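Review bot: In PATCH 2/2, profile/README.md, hunk `@@ -16,31 +16,25 @@`, the replacement table drops the "Current ceiling" column, so `PRIVATE_RUNTIME_ROUTE_PROOF_V1_CANDIDATE_PRESERVED` and `SCHEMA_CONTRACT_VERIFIER_EXISTS_ONLY` no longer appear against the Runtime Route Proof v1 and Reviewer metrics rows, and `RENDERING_NOT_PROOF` no longer appears against the six-repo row. The ceiling label is what a reviewer compares with the proof record, while the new "Reviewer value" column is descriptive and cannot be checked. Keep the ceiling column, or state the label in every Boundary cell the way the HO-DET-001 row already does.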
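Review bot: In PATCH 2/2, profile/START_HERE.md, hunk `@@ -2,16 +2,26 @@`, the unchanged paragraph beginning "Current public proof is intentionally bounded." keeps its eight-item blocked list, while the same patch gives profile/README.md a "What remains blocked" list that adds customer deployment, live enterprise deployment, AI-decided disposition, FortiSIEM integration, fleet-wide coverage and production-ready SOC. The two entry pages now disagree on what is blocked, and README.md also replaces "remain blocked unless separately proven" with "are not claimed here". Keep one canonical list, for example in the Control Status Matrix that both pages already link, and use the same items and wording in both files.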
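Review bot: In PATCH 2/2, profile/START_HERE.md, hunk `@@ -46,10 +56,10 @@`, step 4 replaces the Control Status Matrix link with the reviewer metrics JSON, so the 30-second path no longer sends a reviewer to the blocked-claims list, which is now reached only from the 3-minute path. Consider keeping the matrix in the short path and moving the metrics check to the longer one. The counts that step asks the reviewer to verify (4, 49, 106, 8, 31) are also typed by hand into the tables in both files, so add a check that compares them with reviewer-metrics-pipeline-v1-summary.json or keep the numbers only in the JSON.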