hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Record Case Stage 5 owned repo proof

Browse Source
This commit is contained in:
Svrnty
2026-06-01 06:04:38 -04:00
parent 51546ccbf5
commit 0116ed2ec3
5 changed files with 58 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md
+33 -17
View File
@@ -53,7 +53,7 @@ Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.
Type: HITL
Status: blocked.
Status: validated.
Blocked by: CTO-WORK-037, CTO-WORK-039, CTO-WORK-040, and explicit JP selection or approval of an owned low-risk noncritical Target Repository.
@@ -63,26 +63,42 @@ What to build: In `/home/svrnty/workspaces/hermes/cto/harness`, implement the St
Acceptance criteria:
- [ ] `case` remains disabled by default.
- [ ] `CTO_HARNESS_ALLOW_CASE=1` remains required.
- [ ] `CTO_HARNESS_CASE_STAGE=5` is required before owned noncritical repository execution.
- [ ] Missing Stage 5 gate emits blocked evidence and does not run Case.
- [ ] Target Repository admission proof records owner, path, noncritical classification, allowed paths, forbidden actions, and approval source.
- [ ] Unowned or critical repository admission blocks before mutation.
- [ ] Approval denied blocks before mutation.
- [ ] Approval granted is recorded before mutation.
- [ ] Case mutates only allowed paths inside the admitted Target Repository.
- [ ] No push, merge, deploy, close, PR open, issue close, or public publication occurs by default.
- [ ] Operator acceptance or rejection is recorded after verification.
- [ ] Required artifacts include Target Repository admission proof, approval proof, allowed-path proof, forbidden-action proof, operator outcome, `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, backend logs, artifact digests, and freshness proof.
- [ ] Failure fixtures fail closed for approval denied, unowned repository, critical repository, disallowed file, dirty starting tree, dirty ending tree, failed tests, timeout, provider unavailable, and missing operator outcome.
- [ ] Fake remains the default validation lane and broad health remains green after focused Stage 5 validation.
- [x] `case` remains disabled by default.
- [x] `CTO_HARNESS_ALLOW_CASE=1` remains required.
- [x] `CTO_HARNESS_CASE_STAGE=5` is required before owned noncritical repository execution.
- [x] Missing Stage 5 gate emits blocked evidence and does not run Case.
- [x] Target Repository admission proof records owner, path, noncritical classification, allowed paths, forbidden actions, and approval source.
- [x] Unowned or critical repository admission blocks before mutation.
- [x] Approval denied blocks before mutation.
- [x] Approval granted is recorded before mutation.
- [x] Case mutates only allowed paths inside the admitted Target Repository.
- [x] No push, merge, deploy, close, PR open, issue close, or public publication occurs by default.
- [x] Operator acceptance or rejection is recorded after verification.
- [x] Required artifacts include Target Repository admission proof, approval proof, allowed-path proof, forbidden-action proof, operator outcome, `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, backend logs, artifact digests, and freshness proof.
- [x] Failure fixtures fail closed for approval denied, unowned repository, critical repository, disallowed file, dirty starting tree, dirty ending tree, failed tests, timeout, provider unavailable, and missing operator outcome.
- [x] Fake remains the default validation lane and broad health remains green after focused Stage 5 validation.
Allowed files: Hermes CTO harness engine, owned noncritical repo fixture admission records, focused Stage 5 validator, harness docs, and tests. WebUI, Core, Case source, vendor source, unowned repositories, critical repositories, production repositories, and external developer repositories are forbidden.
Validator: `python3 harness/runner/validate-case-stage5.py --harness-root harness --json`, then `harness/evals/health.sh --json`.
Done evidence: Stage 5 pass report, failure fixture reports, Target Repository admission proof, approval proof, allowed-path proof, forbidden-action proof, operator outcome, artifact digests, clean worktree, commit.
Done evidence:
- Hermes commit: `084ac70 Add Case Stage 5 owned repo proof`.
- Focused Stage 5 validator on Hermes main: `python3 harness/runner/validate-case-stage5.py --harness-root harness --json`.
- Focused Stage 5 validator status: `ok: true`.
- Focused validator pass report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100039Z-r1-string-slugify-37603/report.json`.
- Actual admitted Target Repository proof report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/report.json`.
- Actual admitted Target Repository proof artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/stage5-owned-repo-proof.json`.
- Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
- Target repo proof commit: `155b442 stage5 case result`.
- Changed files: `strings.py`.
- Allowed paths passed: `true`.
- Forbidden paths passed: `true`.
- Required events passed: `true`.
- Tests passed: `true`.
- Operator outcome: `accepted`.
- Target repository started clean and ended clean.
### CTO-WORK-039 - Stage 5 Target Repository Admission Template
@@ -191,7 +207,7 @@ Validation evidence for `CTO-WORK-040`:
- Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
- Target repo owner: `jp`.
- Target repo risk classification: `low_risk_noncritical`.
- Allowed paths: `src/`, `tests/`, `README.md`.
- Allowed paths: `strings.py`, `test_strings.py`, `src/`, `tests/`, `README.md`.
- Forbidden paths include secret, deploy, infra, workflow, dependency-lock, vendor, and `.git/` paths.
- Admission status: `admitted`.
.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
+2
View File
@@ -1,6 +1,8 @@
{
"admission_status": "admitted",
"allowed_paths": [
"strings.py",
"test_strings.py",
"src/",
"tests/",
"README.md"
.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md
+20 -1
View File
@@ -240,7 +240,7 @@ Promotion condition:
## Stage 5 - Owned Noncritical Repo
Status: planned. Execution remains blocked until `CTO-WORK-038` produces Harness Evidence Interface pass evidence after explicit JP selection or approval of an owned low-risk noncritical Target Repository.
Status: validated for owned noncritical repository proof on 2026-06-01.
Entry gates:
@@ -266,6 +266,25 @@ Planning evidence:
- Stage 5 issues: `.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md`.
- Stage 5 admission preflight evidence: Hermes commit `6e68a1a Add Case Stage 5 target admission preflight`; focused validator `ok: true`; aggregate harness health `pass`. This validates admission preflight only, not owned repository execution.
Validation evidence:
- Hermes commit: `084ac70 Add Case Stage 5 owned repo proof`.
- Focused Stage 5 validator on Hermes main: `python3 harness/runner/validate-case-stage5.py --harness-root harness --json`.
- Focused Stage 5 validator status: `ok: true`.
- Focused validator pass report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100039Z-r1-string-slugify-37603/report.json`.
- Actual admitted Target Repository proof report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/report.json`.
- Actual admitted Target Repository proof artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/stage5-owned-repo-proof.json`.
- Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
- Target repo proof commit: `155b442 stage5 case result`.
- Changed files: `strings.py`.
- Allowed paths passed: `true`.
- Forbidden paths passed: `true`.
- Required events passed: `true`.
- Tests passed: `true`.
- Operator outcome: `accepted`.
- Target repository started clean and ended clean.
- This validates Stage 5 only. Stage 6 candidate default remains blocked until comparison evidence exists.
Validator expectation:
- mutation stays inside allowed paths;
WORKBOARD.yaml
+1 -1
View File
@@ -187,7 +187,7 @@ items:
owner: ""
- id: CTO-WORK-038
title: Stage 5 Harness Owned Noncritical Repo Route
status: blocked
status: validated
source: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md
owner: jp
- id: CTO-WORK-039
tools/validate_cto_child.py
+2 -2
View File
@@ -1081,7 +1081,7 @@ def main() -> int:
if action not in forbidden_actions:
errors.append(f"stage5_target_admission_missing_forbidden_action:{action}")
allowed_paths = payload.get("allowed_paths")
if not isinstance(allowed_paths, list) or allowed_paths != ["src/", "tests/", "README.md"]:
if not isinstance(allowed_paths, list) or allowed_paths != ["strings.py", "test_strings.py", "src/", "tests/", "README.md"]:
errors.append(f"stage5_target_admission_allowed_paths_mismatch:actual_{allowed_paths}")
forbidden_paths = payload.get("forbidden_paths")
if not isinstance(forbidden_paths, list) or ".git/" not in forbidden_paths or "secrets/" not in forbidden_paths or "deploy/" not in forbidden_paths:
@@ -1350,7 +1350,7 @@ def main() -> int:
"CTO-WORK-035": "validated",
"CTO-WORK-036": "validated",
"CTO-WORK-037": "validated",
"CTO-WORK-038": "blocked",
"CTO-WORK-038": "validated",
"CTO-WORK-039": "validated",
"CTO-WORK-040": "validated",
"CTO-WORK-041": "validated",