docs(cac): publish CAC Certification Specification v1.0 and quickstart

docs/cac/CAC_QUICKSTART.md

@@ -0,0 +1,51 @@
+# CAC Quickstart
+
+## Objective
+
+Produce a Level 3 CAC-admissible build with deterministic evidence artifacts and CI-enforced checks.
+
+## Prerequisites
+
+1. A pinned system release identifier.
+2. Deterministic execution profile (fixed seeds, pinned dependencies, pinned model/tool versions).
+3. CI pipeline with required CAC checks.
+
+## Minimal Compliance Steps
+
+1. Generate one decision execution and emit `decision_trace.json` with complete ordered steps.
+2. Generate deterministic `report.json` and `metrics.json` without timestamp fields.
+3. Generate one reproducible `failure_case.json` with expected vs observed delta.
+4. Compute SHA-256 hashes for deterministic artifacts and build evidence manifest.
+5. Replay the same execution using identical inputs and verify exact/tolerance-constrained equivalence.
+6. Run required CI checks:
+   - `admissibility_check`
+   - `reproducibility_check`
+   - `evidence_integrity_check`
+7. On pass, issue signed `cacert.json` with explicit validity window and conformance level.
+
+## Required Artifact Set
+
+- `report.json`
+- `metrics.json`
+- `decision_trace.json`
+- `failure_case.json`
+- `cacert.json`
+
+## Determinism Rules
+
+1. Deterministic artifacts MUST NOT include timestamps, random UUIDs, hostnames, or process IDs.
+2. If runtime stamps are needed, write them to `stamp.json` and exclude from deterministic checks.
+3. Artifact arrays MUST use stable ordering.
+4. Every deterministic artifact MUST include hash fields.
+
+## CI Gate Contract
+
+Deployment MUST be blocked if any required check fails. No manual override is CAC-compliant.
+
+## Conformance Target
+
+- Level 1: Traceable
+- Level 2: Reproducible
+- Level 3: Admissible (full CAC)
+
+A build is CAC-compliant only at Level 3 with `cacert.json` verdict `PASS`.