Record Case Stage 5 owned repo proof

2026-06-01 06:04:38 -04:00 · 2026-06-01 06:04:38 -04:00 · 0116ed2ec3
commit 0116ed2ec3
parent 51546ccbf5
5 changed files with 58 additions and 21 deletions
--- a/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md
@ -53,7 +53,7 @@ Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.

 Type: HITL

-Status: blocked.
+Status: validated.

 Blocked by: CTO-WORK-037, CTO-WORK-039, CTO-WORK-040, and explicit JP selection or approval of an owned low-risk noncritical Target Repository.

@ -63,26 +63,42 @@ What to build: In `/home/svrnty/workspaces/hermes/cto/harness`, implement the St

 Acceptance criteria:

- [ ] `case` remains disabled by default.
- [ ] `CTO_HARNESS_ALLOW_CASE=1` remains required.
- [ ] `CTO_HARNESS_CASE_STAGE=5` is required before owned noncritical repository execution.
- [ ] Missing Stage 5 gate emits blocked evidence and does not run Case.
- [ ] Target Repository admission proof records owner, path, noncritical classification, allowed paths, forbidden actions, and approval source.
- [ ] Unowned or critical repository admission blocks before mutation.
- [ ] Approval denied blocks before mutation.
- [ ] Approval granted is recorded before mutation.
- [ ] Case mutates only allowed paths inside the admitted Target Repository.
- [ ] No push, merge, deploy, close, PR open, issue close, or public publication occurs by default.
- [ ] Operator acceptance or rejection is recorded after verification.
- [ ] Required artifacts include Target Repository admission proof, approval proof, allowed-path proof, forbidden-action proof, operator outcome, `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, backend logs, artifact digests, and freshness proof.
- [ ] Failure fixtures fail closed for approval denied, unowned repository, critical repository, disallowed file, dirty starting tree, dirty ending tree, failed tests, timeout, provider unavailable, and missing operator outcome.
- [ ] Fake remains the default validation lane and broad health remains green after focused Stage 5 validation.
+- [x] `case` remains disabled by default.
+- [x] `CTO_HARNESS_ALLOW_CASE=1` remains required.
+- [x] `CTO_HARNESS_CASE_STAGE=5` is required before owned noncritical repository execution.
+- [x] Missing Stage 5 gate emits blocked evidence and does not run Case.
+- [x] Target Repository admission proof records owner, path, noncritical classification, allowed paths, forbidden actions, and approval source.
+- [x] Unowned or critical repository admission blocks before mutation.
+- [x] Approval denied blocks before mutation.
+- [x] Approval granted is recorded before mutation.
+- [x] Case mutates only allowed paths inside the admitted Target Repository.
+- [x] No push, merge, deploy, close, PR open, issue close, or public publication occurs by default.
+- [x] Operator acceptance or rejection is recorded after verification.
+- [x] Required artifacts include Target Repository admission proof, approval proof, allowed-path proof, forbidden-action proof, operator outcome, `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, backend logs, artifact digests, and freshness proof.
+- [x] Failure fixtures fail closed for approval denied, unowned repository, critical repository, disallowed file, dirty starting tree, dirty ending tree, failed tests, timeout, provider unavailable, and missing operator outcome.
+- [x] Fake remains the default validation lane and broad health remains green after focused Stage 5 validation.

 Allowed files: Hermes CTO harness engine, owned noncritical repo fixture admission records, focused Stage 5 validator, harness docs, and tests. WebUI, Core, Case source, vendor source, unowned repositories, critical repositories, production repositories, and external developer repositories are forbidden.

 Validator: `python3 harness/runner/validate-case-stage5.py --harness-root harness --json`, then `harness/evals/health.sh --json`.

-Done evidence: Stage 5 pass report, failure fixture reports, Target Repository admission proof, approval proof, allowed-path proof, forbidden-action proof, operator outcome, artifact digests, clean worktree, commit.
+Done evidence:
+
+- Hermes commit: `084ac70 Add Case Stage 5 owned repo proof`.
+- Focused Stage 5 validator on Hermes main: `python3 harness/runner/validate-case-stage5.py --harness-root harness --json`.
+- Focused Stage 5 validator status: `ok: true`.
+- Focused validator pass report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100039Z-r1-string-slugify-37603/report.json`.
+- Actual admitted Target Repository proof report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/report.json`.
+- Actual admitted Target Repository proof artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/stage5-owned-repo-proof.json`.
+- Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
+- Target repo proof commit: `155b442 stage5 case result`.
+- Changed files: `strings.py`.
+- Allowed paths passed: `true`.
+- Forbidden paths passed: `true`.
+- Required events passed: `true`.
+- Tests passed: `true`.
+- Operator outcome: `accepted`.
+- Target repository started clean and ended clean.


 ### CTO-WORK-039 - Stage 5 Target Repository Admission Template
@ -191,7 +207,7 @@ Validation evidence for `CTO-WORK-040`:
 - Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
 - Target repo owner: `jp`.
 - Target repo risk classification: `low_risk_noncritical`.
- Allowed paths: `src/`, `tests/`, `README.md`.
+- Allowed paths: `strings.py`, `test_strings.py`, `src/`, `tests/`, `README.md`.
 - Forbidden paths include secret, deploy, infra, workflow, dependency-lock, vendor, and `.git/` paths.
 - Admission status: `admitted`.

--- a/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
+++ b/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
@ -1,6 +1,8 @@
 {
  "admission_status": "admitted",
  "allowed_paths": [
+    "strings.py",
+    "test_strings.py",
    "src/",
    "tests/",
    "README.md"
--- a/.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md
@ -240,7 +240,7 @@ Promotion condition:

 ## Stage 5 - Owned Noncritical Repo

-Status: planned. Execution remains blocked until `CTO-WORK-038` produces Harness Evidence Interface pass evidence after explicit JP selection or approval of an owned low-risk noncritical Target Repository.
+Status: validated for owned noncritical repository proof on 2026-06-01.

 Entry gates:

@ -266,6 +266,25 @@ Planning evidence:
 - Stage 5 issues: `.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md`.
 - Stage 5 admission preflight evidence: Hermes commit `6e68a1a Add Case Stage 5 target admission preflight`; focused validator `ok: true`; aggregate harness health `pass`. This validates admission preflight only, not owned repository execution.

+Validation evidence:
+
+- Hermes commit: `084ac70 Add Case Stage 5 owned repo proof`.
+- Focused Stage 5 validator on Hermes main: `python3 harness/runner/validate-case-stage5.py --harness-root harness --json`.
+- Focused Stage 5 validator status: `ok: true`.
+- Focused validator pass report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100039Z-r1-string-slugify-37603/report.json`.
+- Actual admitted Target Repository proof report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/report.json`.
+- Actual admitted Target Repository proof artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/stage5-owned-repo-proof.json`.
+- Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
+- Target repo proof commit: `155b442 stage5 case result`.
+- Changed files: `strings.py`.
+- Allowed paths passed: `true`.
+- Forbidden paths passed: `true`.
+- Required events passed: `true`.
+- Tests passed: `true`.
+- Operator outcome: `accepted`.
+- Target repository started clean and ended clean.
+- This validates Stage 5 only. Stage 6 candidate default remains blocked until comparison evidence exists.
+
 Validator expectation:

 - mutation stays inside allowed paths;
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@ -187,7 +187,7 @@ items:
    owner: ""
  - id: CTO-WORK-038
    title: Stage 5 Harness Owned Noncritical Repo Route
-    status: blocked
+    status: validated
    source: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md
    owner: jp
  - id: CTO-WORK-039
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@ -1081,7 +1081,7 @@ def main() -> int:
                if action not in forbidden_actions:
                    errors.append(f"stage5_target_admission_missing_forbidden_action:{action}")
        allowed_paths = payload.get("allowed_paths")
-        if not isinstance(allowed_paths, list) or allowed_paths != ["src/", "tests/", "README.md"]:
+        if not isinstance(allowed_paths, list) or allowed_paths != ["strings.py", "test_strings.py", "src/", "tests/", "README.md"]:
            errors.append(f"stage5_target_admission_allowed_paths_mismatch:actual_{allowed_paths}")
        forbidden_paths = payload.get("forbidden_paths")
        if not isinstance(forbidden_paths, list) or ".git/" not in forbidden_paths or "secrets/" not in forbidden_paths or "deploy/" not in forbidden_paths:
@ -1350,7 +1350,7 @@ def main() -> int:
            "CTO-WORK-035": "validated",
            "CTO-WORK-036": "validated",
            "CTO-WORK-037": "validated",
-            "CTO-WORK-038": "blocked",
+            "CTO-WORK-038": "validated",
            "CTO-WORK-039": "validated",
            "CTO-WORK-040": "validated",
            "CTO-WORK-041": "validated",