Implement NK-WP-0013 playbook capability contract

workplans/NK-WP-0013-playbook-capability-contract.md

@@ -4,13 +4,13 @@ type: workplan
 title: "Playbook Capability Contract"
 domain: netkingdom
 repo: net-kingdom
-status: proposed
+status: finished
 owner: worsch
 topic_slug: netkingdom
 planning_priority: high
 planning_order: 13
 created: "2026-05-21"
-updated: "2026-05-21"
+updated: "2026-05-22"
 depends_on:
   - NK-WP-0006
 state_hub_workstream_id: 32a54d8e-8633-42a6-8ec1-104842c581c1
@@ -82,7 +82,7 @@ Out of scope:
 ```task
 id: NK-WP-0013-T1
 state_hub_task_id: d40f8b29-e983-4d52-bc1f-5f1c51709e7d
-status: todo
+status: done
 priority: high
 ```
 
@@ -96,7 +96,7 @@ co-design. Define contract **versioning and breaking-change governance**.
 ```task
 id: NK-WP-0013-T2
 state_hub_task_id: ece4b5b1-e1c2-449d-b0f4-83b7010bc838
-status: todo
+status: done
 priority: high
 ```
 
@@ -110,7 +110,7 @@ same capability are comparable.
 ```task
 id: NK-WP-0013-T3
 state_hub_task_id: c956f4a8-b9fa-44ab-8174-31999b98e3b1
-status: todo
+status: done
 priority: high
 ```
 
@@ -124,7 +124,7 @@ adequate" safe rather than guesswork.
 ```task
 id: NK-WP-0013-T4
 state_hub_task_id: e7de05a6-528a-4213-b6db-2c2e90353996
-status: todo
+status: done
 priority: high
 ```
 
@@ -137,7 +137,7 @@ responsibility map and sequence for a scenario from the declarations.
 ```task
 id: NK-WP-0013-T5
 state_hub_task_id: 05a2ff7d-86c4-4de9-9ea8-39a9ad5352a8
-status: todo
+status: done
 priority: high
 ```
 
@@ -151,7 +151,7 @@ the IAM Profile conformance check, NK-WP-0012-T5).
 ```task
 id: NK-WP-0013-T6
 state_hub_task_id: 769ed490-c091-41c1-b2e2-e8e378470b6b
-status: todo
+status: done
 priority: medium
 ```
 
@@ -172,6 +172,23 @@ the rest. Cross-repo coordination item for the Railiance domain.
   NetKingdom composes and parametrizes it from that declaration alone.
 - Contract versioning and breaking-change governance is documented.
 
+## Completion Notes
+
+- ADR: `docs/adr/ADR-0012-playbook-capability-contract-ownership.md`
+- Canonical contract:
+  `canon/standards/playbook-capability-contract_v0.1.md`
+- Machine-readable schema:
+  `canon/schemas/playbook-capability-declaration_v0.1.schema.json`
+- Validator and composition demo:
+  `tools/playbook-capability-contract/playbook_contract_validator.py`
+- Reference Railiance declaration:
+  `../railiance-infra/capabilities/playbooks/railiance-infra.bootstrap-host.yaml`
+- Sample scenario:
+  `examples/playbook-capability-contract/scenario-s1-host-bootstrap.yaml`
+- Fixture tests cover valid declarations, controlled vocabulary failures,
+  forbidden tenant overrides, missing required parameters, and successful
+  selection/parameter composition.
+
 ## Dependencies & Sequencing
 
 - **Realizes** the playbook-contract dependency from ADR-0007's
@@ -184,14 +201,14 @@ the rest. Cross-repo coordination item for the Railiance domain.
 - Parallels NK-WP-0012: same consumer-defines-contract pattern, same
   conformance-check shape, applied to orchestration instead of identity.
 
-## Open Questions
+## Resolved Questions
 
-- Contract format and home: a net-kingdom canon standard plus a
-  machine-readable schema (e.g. JSON/YAML schema) the catalog validates
-  against?
-- Catalog mechanism: a file convention in each playbook repo that NetKingdom
-  aggregates, or a published registry?
-- How parameter sensitivity interacts with tenant boundaries (which
-  parameters a tenant-scoped scenario may set vs. platform-only).
-- Whether the conformance validator is a standalone net-kingdom tool or a
-  shared library, mirroring the same open question in NK-WP-0012.
+- Contract format and home: NetKingdom canon standard plus a
+  machine-readable JSON schema and standalone validator.
+- Catalog mechanism: v0.1 uses file convention
+  `capabilities/playbooks/*.yaml`; a registry can be layered on later.
+- Parameter sensitivity: tenant scenarios cannot override
+  `platform_only`, `forbidden`, `playbook_default`,
+  `security_sensitive`, or `secret_reference` parameters.
+- Validator form: standalone NetKingdom tool for v0.1, mirroring
+  NK-WP-0012's executable-contract pattern.