docs(capital-efficiency): intake ready; submission tables + policy auditIntakeSubmission

Register blocker shift to submission/engagement pending; add signedEngagement placeholders.

Made-with: Cursor

config/capital-efficiency-policy.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "description": "Simulation-only capital efficiency policy for Chain 138/cW PMM treasury risk modeling. This is not a live leverage or mint/redemption contract configuration.",
   "version": "1.0.0",
-  "updated": "2026-04-27",
+  "updated": "2026-04-28",
   "defaults": {
     "paths": 1000,
     "epochs": 365,
@@ -86,6 +86,19 @@
     ],
     "auditEngagementEvidence": null,
     "auditIntakeUrl": "https://cybersecur.d-bis.org/intake.html",
+    "auditIntakeSubmission": {
+      "submittedAt": null,
+      "receiptOrReference": null,
+      "contactEmail": null,
+      "auditFirm": null,
+      "evidenceDoc": "docs/19-capital-efficiency-external-approval-evidence.md"
+    },
+    "signedEngagement": {
+      "firm": null,
+      "engagementReference": null,
+      "signedAt": null,
+      "finalScopeSummary": null
+    },
     "governanceApprovalEvidence": null,
     "riskDashboardEvidence": "docs/18-capital-efficiency-risk-dashboard-and-runbook.md",
     "operatorRunbookEvidence": "docs/18-capital-efficiency-risk-dashboard-and-runbook.md",

docs/19-capital-efficiency-external-approval-evidence.md

@@ -1,16 +1,56 @@
 # Capital Efficiency External Approval Evidence
 
-Status: external evidence required.
+**Status:** intake path **ready** (CyberSecur Global form live). **Submission / signed engagement** still pending — this register tracks evidence as it arrives.
 
 This file is the canonical evidence register for the remaining non-local blockers. Populate it with signed references before changing `liveExecutionGuard.status` away from `simulation_only`.
 
-## Audit Engagement
+## Audit intake path (ready)
 
 | Field | Value |
 |---|---|
-| Firm | CyberSecur Global intake identified |
+| Audit firm (requested) | CyberSecur Global |
 | Intake URL | `https://cybersecur.d-bis.org/intake.html` |
+| Security contact | `https://cybersecur.d-bis.org/.well-known/security.txt` |
 | Intake fields | Organization, contact email, repository URL, chains/deployments, timeline, notes |
+| Blocker class | ~~Intake path unknown~~ → **submission / engagement pending** |
+
+### Requested scope (for manual submission)
+
+Use normal browser submission (Web3Forms may reject scripted POSTs). Notes should reference at minimum:
+
+- **Chain 138** deployments and RPC/explorer context you want reviewed.
+- **cW/c\* PMM mesh** — routing surfaces and reserves relevant to capital-efficiency claims.
+- **Capital-efficiency simulator** — this repo’s Monte Carlo overlay (`config/capital-efficiency-policy.json`, scenarios, validators).
+- **Future blueprint** — treasury / liquidity / leverage / risk / keeper alignment (design and audit-readiness; live leverage contracts remain gated).
+
+## Intake submission record (pending)
+
+Fill when submitted:
+
+| Field | Value |
+|---|---|
+| Submission date | |
+| Intake receipt / reference | (email confirmation, ticket id, or Web3Forms reference if provided) |
+| Contact email | |
+| Audit firm name | CyberSecur Global (expected) |
+| Evidence URI / path | This file + policy JSON keys below |
+
+## Audit engagement (signed)
+
+Fill when a statement of work or engagement letter exists:
+
+| Field | Value |
+|---|---|
+| Firm | |
+| Engagement reference | |
+| Signed date | |
+| Final scope (short) | |
+| Evidence URI | |
+
+Historical placeholder row (superseded by tables above):
+
+| Field | Value |
+|---|---|
 | Engagement reference | Pending external engagement |
 | Signed date | Pending external engagement |
 | Scope | Treasury engine, liquidity engine, leverage engine, risk engine, keeper/deleverage flow, oracle/circuit breaker integration |
@@ -41,3 +81,12 @@ Use the CyberSecur Global intake form to request the audit. The request should i
 - `config/capital-efficiency-policy.json` keeps `liveExecutionGuard.status = simulation_only`.
 - `scripts/validate-capital-efficiency.cjs` requires dashboard, runbook, and liquidity commitment evidence paths.
 - Live leverage contracts remain blocked until the pending audit and governance evidence is real, dated, and reviewable.
+
+## Operator checklist (Web3Forms)
+
+1. Rotate access key in Web3Forms dashboard if needed.
+2. Set `CYBERSECUR_WEB3FORMS_ACCESS_KEY` in operator dotenv (see project `.env.master.example`).
+3. Redeploy static site: `scripts/deployment/sync-cybersecur-global-to-ct7810.sh` from proxmox repo (renders intake when key is set).
+4. Verify: `curl -I https://cybersecur.d-bis.org/intake.html` and `curl -I https://cybersecur.d-bis.org/.well-known/security.txt`.
+
+**Gitea mirror non-fast-forward** on parent repo is separate hygiene — not a capital-efficiency blocker unless you require mirror parity before submission.