add /.well-known/ctef-conformance handler (pending moratorium-exemption decision)

[vdineshk]

Summary

Adds the /.well-known/ctef-conformance self-attestation handler to dominion-observatory + recovers a missing daily run log + writes today's run log.

Status: DRAFT — DO NOT MERGE until moratorium-exemption is granted.

Why the draft gate

The standing builder-moratorium (2026-05-10) names "well-known URIs" as a banned action class. The three-step exemption test fails at item (c): well-known URIs ARE in the moratorium's named artifact list. Builder cannot self-exempt under HARD RULE 23.

This PR therefore prepares the code but does not deploy. The handler is verified syntactically clean (wrangler dry-run: 208.65 KiB total upload, 42.13 KiB gzip). The config entry in post-deploy-health.json is registered with deploy_status: PREPARED-PENDING-CEO-EXEMPTION.

Why the request

• CTEF v0.3.2 publishes Mon 2026-05-19 (T-2 days).
• Empire is normatively cited in 6 sections of v0.3.2 per the ratified ctef-4-5-ratified directive.
• §4.5.3 calls for a self-attestation URI at /.well-known/ctef-conformance. Currently 404.
• First operator running the URI on publication day claims §4.5.3 reference status.

Changes

• dominion-observatory/src/index.js: handler added between mcp-observatory and trust-delta routes. ~70 LOC. Returns schema: ctef-conformance-v0.3.2 with role: evidence_provider, operator_did: did:web:dominion-observatory.sgdata.workers.dev, evidence_uri_pattern: /v1/behavioral-evidence/{server-id}, 4 conformance_vectors (positive_case, negative_path_subject_not_tracked, behavioral_silver_degradation_live, tier_distribution_citation), and spec_references covering §4.5.2 / §4.5.3 / §4.5.6.
• dominion-observatory/config/post-deploy-health.json: registers the new endpoint for post-deploy HARD RULE 6 verification once deployed.
• decisions/2026-05-16-builder-run-042.md: cherry-picked from branch claude/jolly-galileo-RDqHt (commit dcac119). Previously committed there but never merged; recovered this run.
• decisions/2026-05-17-builder-run-043.md: today's full daily report including paste-ready CEO exemption text and the carry-over A2A #1786 reply text.

CEO checklist (if exempting)

1. Confirm the handler shape is acceptable as the empire's §4.5.3 reference implementation.
2. Grant the exemption by writing the directive record per the paste-ready curl in decisions/2026-05-17-builder-run-043.md "Items Requiring Dinesh — P0".
3. Merge this PR.
4. Next Builder run sees the exemption at AWAKEN, deploys with HARD RULE 6 POST_DEPLOY_VERIFY_HEALTH, and adds the URI to the HARD RULE 21 spec-cited protected list.

Authoring disclosure

This change was prepared with AI assistance (per AI-disclosure norm for standards-impacting work).

---

Generated by Claude Code