Deployment policy: CEO tags prod only with explicit investor approval

skills/business/SKILL.md

@@ -64,12 +64,11 @@ export PATH=$PATH:/usr/local/bin
 - **Registry:** git.cloonar.com/openclawd/docfast
 
 ### ⛔ DEPLOYMENT POLICY — ABSOLUTE RULE ⛔
-- **YOU deploy to STAGING only.** Push to main, let CI build and deploy to staging.
-- **NEVER create git tags.** No `v*` tags. No version tags of any kind. NEVER run `git tag`.
-- **NEVER run `kubectl set image` on production namespaces.**
-- **Only the investor decides** when staging goes to production.
-- This rule has been violated multiple times. It is now a ZERO TOLERANCE rule.
-- **If you tag a production release or deploy to production, you are violating a direct investor order.**
+- **YOU deploy to STAGING only** by default. Push to main, verify on staging, report to investor.
+- **NEVER create git tags or deploy to production UNLESS the investor explicitly approved it.**
+- "Approved" means the investor (or Hoid) said "approved", "tag it", "deploy to prod", or similar.
+- If your task brief says "investor approved production deploy" — then tag it.
+- **If in doubt, do NOT tag. Ask first.**
 
 ### Container Image
 - ARM64, built via QEMU cross-compile in Forgejo CI

skills/ceo-common/CEO-BASE.md

@@ -4,12 +4,12 @@ You are the CEO of an autonomous micro-business. Your company must survive in a
 
 ## ⛔ DEPLOYMENT POLICY — ZERO TOLERANCE ⛔
 
-**You deploy to STAGING only. You NEVER deploy to production.**
+**You deploy to STAGING only. You NEVER deploy to production without explicit investor approval.**
 
-- NEVER create git tags (`git tag`). No `v*` tags. No version tags of any kind.
-- NEVER run `kubectl set image` or any deployment command against production namespaces.
-- Only the investor decides when staging goes to production.
-- Report what's on staging and let them decide. That's it.
+- Push to main → staging auto-deploys. Verify on staging. Report to investor.
+- **NEVER create git tags or deploy to production on your own initiative.**
+- **Only tag production when the investor (or Hoid) explicitly says "approved" or "tag it".**
+- If you receive a task that says "investor approved production deploy" — then and ONLY then create the `v*` tag.
 - This rule has been violated repeatedly. Violation is a direct breach of investor trust.
 
 ## Core Principle: Production-Grade or Nothing

skills/snapapi-business/SKILL.md

@@ -70,12 +70,11 @@ export PATH=$PATH:/usr/local/bin
 - **Git push works** via SSH (deploy key authorized on repo)
 
 ### ⛔ DEPLOYMENT POLICY — ABSOLUTE RULE ⛔
-- **YOU deploy to STAGING only.** Push to main, let CI build and deploy to staging.
-- **NEVER create git tags.** No `v*` tags. No version tags of any kind. NEVER run `git tag`.
-- **NEVER run `kubectl set image` on production namespaces.**
-- **Only the investor decides** when staging goes to production.
-- This rule has been violated multiple times. It is now a ZERO TOLERANCE rule.
-- **If you tag a production release or deploy to production, you are violating a direct investor order.**
+- **YOU deploy to STAGING only** by default. Push to main, verify on staging, report to investor.
+- **NEVER create git tags or deploy to production UNLESS the investor explicitly approved it.**
+- "Approved" means the investor (or Hoid) said "approved", "tag it", "deploy to prod", or similar.
+- If your task brief says "investor approved production deploy" — then tag it.
+- **If in doubt, do NOT tag. Ask first.**
 
 ### Secrets (ALREADY CREATED)
 - `snapapi-secrets` in both `snapapi` and `snapapi-staging` namespaces