Add CCR decision template task

workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md

@@ -10,7 +10,7 @@ topic_slug: railiance
 planning_priority: high
 planning_order: 7
 created: "2026-06-27"
-updated: "2026-06-27"
+updated: "2026-06-28"
 depends_on_workplans:
   - RAIL-PL-WP-0002
   - RAILIANCE-WP-0005
@@ -295,6 +295,32 @@ Acceptance:
 - Deactivation disables the relevant access front door and auth/policy path.
 - Compromise flow records blast-radius notes and required follow-up tasks.
 
+## T09 - Add decision templates and guided review actions
+
+```task
+id: RAILIANCE-WP-0007-T09
+status: todo
+priority: high
+state_hub_task_id: "c436fd8b-cd82-4600-81b0-87ec069d7ae6"
+```
+
+Remove the current friction where reviewers must know magic rationale prefixes
+for State Hub decisions to sync back into CCR status.
+
+Acceptance:
+
+- Each CCR review page or chat handoff shows explicit approve, deny, and needs
+  changes templates.
+- Generated templates include the accepted prefixes (`APPROVE:`, `DENY:`, and
+  `NEEDS_CHANGES:`) and pre-fill the CCR id, corrected path, policy, auth role,
+  and non-secret rationale prompt.
+- The dashboard or agent response links directly to the decision and states what
+  phrase or button will be recognized.
+- The sync tooling refuses ambiguous free-text approvals with a friendly message
+  that shows the valid templates.
+- Future UI work can replace prefix parsing with structured decision outcomes
+  without changing the CCR audit trail.
+
 ## Exit Criteria
 
 - A human can review and approve or deny a credential/security change without