Approve OpenAI Codex provider decision

2026-05-31 21:34:00 -04:00 · 2026-05-31 21:34:00 -04:00 · 03c87d437b
commit 03c87d437b
parent 19e7766c1a
7 changed files with 114 additions and 51 deletions
--- a/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md
@ -78,7 +78,7 @@ This template belongs to `CTO-WORK-020`; it is not a new provider approval.
 Required fields:

 - `decision_status`: `not_decided`, `external_provider_approved`, or `local_provider_required`.
- `provider_class`: `external_anthropic` or `local_case_compatible`.
+- `provider_class`: `external_anthropic`, `external_openai_codex`, or `local_case_compatible`.
 - `provider`: exact provider string, or empty while blocked.
 - `model`: exact model string, or empty while blocked.
 - `approval_source`: JP approval reference or governed Core route reference.
--- a/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-PRD.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-PRD.md
@ -111,7 +111,7 @@ Real Case Stage 2 remains blocked until a named provider/model is admitted, then
 This template clarifies the decision required by `CTO-WORK-020`; it does not approve a provider.

 - `decision_status`: `not_decided`, `external_provider_approved`, or `local_provider_required`.
- `provider_class`: `external_anthropic` or `local_case_compatible`.
+- `provider_class`: `external_anthropic`, `external_openai_codex`, or `local_case_compatible`.
 - `provider`: exact provider string, or empty while blocked.
 - `model`: exact model string, or empty while blocked.
 - `approval_source`: JP approval reference or governed Core route reference.
--- a/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md
@ -37,7 +37,7 @@ Acceptance:

 ## CTO-WORK-024 - Resolve Case Provider Decision

-Status: blocked.
+Status: validated.

 JP or a governed Core route chooses one `CTO-WORK-020` decision branch and records the required non-secret fields.

@ -54,16 +54,16 @@ Acceptance:
 - `CTO-WORK-022` remains blocked unless `decision_status=local_provider_required`.
 - Real Case Stage 2 remains blocked unless `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` exists and matches `CTO_HARNESS_CASE_MODEL_PROVIDER` and `CTO_HARNESS_CASE_MODEL`.

-Blocked by:
+Resolved by:

- JP choosing external provider approval or local provider requirement.
- Governed Core route if the decision must be promoted before provider use.
+- `CTO-CASE-PROVIDER-DECISION-RECORD.md` selecting `external_provider_approved`.
+- Real Case Stage 2 remains blocked by `CTO-WORK-020` admission JSON and Harness Evidence Interface proof.

-## CTO-WORK-025 - Current Case Provider Decision Record
+## CTO-WORK-025 - Initial Not-Decided Provider Decision Record

 Status: validated.

-Record the current fail-closed `CTO-WORK-020` decision state as `not_decided`.
+Record the initial fail-closed `CTO-WORK-020` decision state as `not_decided`.

 Acceptance:

@ -82,3 +82,26 @@ Acceptance:
 - Record keeps `CTO-WORK-024` blocked while `decision_status=not_decided`.
 - Record keeps `CTO-WORK-022` blocked unless `decision_status=local_provider_required`.
 - Record keeps real Case Stage 2 blocked until admitted provider/model and Harness Evidence Interface pass report exist.
+
+## CTO-WORK-026 - OpenAI Codex Primary Provider Decision
+
+Status: validated.
+
+Record JP approval of the external provider decision branch for the current Hermes model stack.
+
+Acceptance:
+
+- Decision record has `decision_status`: `external_provider_approved`.
+- Decision record has `provider_class`: `external_openai_codex`.
+- Decision record has `provider`: `openai-codex`.
+- Decision record has `model`: `gpt-5.5`.
+- Decision record has `fallback_provider`: `vllm`.
+- Decision record has `fallback_model`: `qwen3.6-35b-a3b`.
+- Decision record has `credential_source_class`: `hermes-openai-codex-oauth-and-local-vllm-config`; no secret value.
+- Decision record has `allowed_network_class`: `codex-oauth-hosted-model-plus-local-vllm-fallback`.
+- Decision record references Hermes model policy and local Hermes config as evidence sources without copying secrets.
+- Record says it is not provider/model admission and is not Stage 2 pass evidence.
+- Record says `CTO-WORK-024` is resolved by selecting `external_provider_approved`.
+- Record keeps `CTO-WORK-020` blocked until admission JSON and real Stage 2 pass evidence exist.
+- Record keeps `CTO-WORK-022` blocked because `decision_status=external_provider_approved`, not `local_provider_required`.
+- Record requires fallback to `vllm` with `qwen3.6-35b-a3b` to be explicit in admission evidence before it may count as a Case provider/model path.
--- a/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md
@ -56,7 +56,7 @@ Use only if JP or a governed Core route approves an external provider path.
 Required decision fields:

 - `decision_status`: `external_provider_approved`.
- `provider_class`: `external_anthropic`.
+- `provider_class`: `external_anthropic` or `external_openai_codex`.
 - `provider`: exact provider string.
 - `model`: exact model string.
 - `approval_source`: JP approval reference or governed Core route reference.
@ -70,6 +70,8 @@ Consequences:

 - `CTO-WORK-022` stays blocked.
 - Hermes may attempt real Case Stage 2 only after admission JSON exists and matches `CTO_HARNESS_CASE_MODEL_PROVIDER` and `CTO_HARNESS_CASE_MODEL`.
+- `openai-codex` with model `gpt-5.5` may be recorded as the primary approved external provider only when the approval source, credential source class, allowed network class, review trigger, and admission JSON are recorded.
+- `vllm` with model `qwen3.6-35b-a3b` may be recorded as an explicit fallback only when fallback use is represented in admission evidence and does not hide provider/model switching.
 - Any fallback to `anthropic` or `claude-sonnet-4-6` without matching admission blocks before `case_process_started`.

 ### Branch B - Local Provider Required
@ -107,6 +109,7 @@ Consequences:
 - Packet keeps `CTO-WORK-020` as the provider/model admission authority.
 - Packet keeps `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` as the execution admission gate.
 - Packet requires exact provider/model, approval source, credential source class, allowed network class, review trigger, and evidence expectations before admission.
+- Packet permits provider class `external_openai_codex` only as a decision branch, not as admission or Stage 2 proof.
 - Packet requires no secrets in SOT, task file, argv, report, trace, backend logs, generated config, or commits.
 - Packet states `CTO-WORK-022` stays blocked unless `decision_status=local_provider_required`.
 - Packet states real Case Stage 2 remains blocked until admitted provider/model and Harness Evidence Interface pass report exist.
--- a/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md
@ -15,33 +15,40 @@ Local planning SOT only. Not a Core Protocol. Not active Core authority.

 ## Current Decision State

- `decision_status`: `not_decided`.
- `provider_class`: empty while blocked.
- `provider`: empty while blocked.
- `model`: empty while blocked.
- `approval_source`: empty while blocked.
- `credential_source_class`: empty while blocked; no secret value.
- `allowed_network_class`: empty while blocked.
- `review_trigger`: empty while blocked.
- `evidence_sources`: `CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md`, `CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md`, `CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md`.
+- `decision_status`: `external_provider_approved`.
+- `provider_class`: `external_openai_codex`.
+- `provider`: `openai-codex`.
+- `model`: `gpt-5.5`.
+- `fallback_provider`: `vllm`.
+- `fallback_model`: `qwen3.6-35b-a3b`.
+- `approval_source`: JP chat approval on 2026-05-31.
+- `credential_source_class`: `hermes-openai-codex-oauth-and-local-vllm-config`; no secret value.
+- `allowed_network_class`: `codex-oauth-hosted-model-plus-local-vllm-fallback`.
+- `review_trigger`: before real Case Stage 2 admission JSON is written, before any credential source change, and before any default/fallback model change.
+- `evidence_sources`: `CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md`, `CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md`, `CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md`, `/home/svrnty/workspaces/hermes/scripts/apply-hermes-model-policy.py`, `/home/svrnty/.hermes/config.yaml`.
 - `effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.

 ## Meaning

-`not_decided` means no provider/model may run. This record is not provider/model admission, not Stage 2 pass evidence, and not approval for external or local provider use.
+`external_provider_approved` means JP approved the provider decision branch for the existing Hermes model stack: `openai-codex` with model `gpt-5.5` as primary, and `vllm` with model `qwen3.6-35b-a3b` as fallback.

-`CTO-WORK-024` remains blocked because this record does not select `external_provider_approved` or `local_provider_required`.
+This record is not provider/model admission and is not Stage 2 pass evidence. It does not authorize Case to run until the `CTO-WORK-020` admission JSON exists and the Harness Evidence Interface proves real Stage 2.

-## Required Change To Leave Not Decided
+`CTO-WORK-024` is resolved by this record selecting `external_provider_approved`.

-Only JP or a governed Core route may change this record away from `not_decided`.
+## Decision History

-Allowed future values:
+Previous state:

- `external_provider_approved`.
- `local_provider_required`.
+- `decision_status`: `not_decided`.
+- `not_decided` means no provider/model may run.

-Any future non-`not_decided` state must include exact non-secret fields required by `CTO-WORK-020`: provider/model when applicable, approval source, credential source class, allowed network class, review trigger, and evidence expectations.
+Future changes:
+
+- Only JP or a governed Core route may change this record away from `external_provider_approved`.
+- Allowed future values remain `external_provider_approved` or `local_provider_required`.
+
+Any future state must include exact non-secret fields required by `CTO-WORK-020`: provider/model when applicable, approval source, credential source class, allowed network class, review trigger, and evidence expectations.

 ## Safety Constraints

@ -49,7 +56,7 @@ Any future non-`not_decided` state must include exact non-secret fields required
 - No Target Repository path may be inspected or copied.
 - `CTO-WORK-020` remains provider/model admission authority.
 - `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` remains execution admission gate.
- `CTO-WORK-024` remains blocked while `decision_status=not_decided`.
- `CTO-WORK-022` remains blocked unless `decision_status=local_provider_required`.
+- `CTO-WORK-022` remains blocked because `decision_status=external_provider_approved`, not `local_provider_required`.
 - Real Case Stage 2 remains blocked until admitted provider/model and Harness Evidence Interface pass report exist.
+- Fallback to `vllm` with `qwen3.6-35b-a3b` must be explicit in admission evidence before it may count as a Case provider/model path.
 - Existing evidence paths and commits are referenced only; runtime evidence is not copied into this record.
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@ -117,11 +117,16 @@ items:
    owner: ""
  - id: CTO-WORK-024
    title: Resolve Case Provider Decision
-    status: blocked
+    status: validated
    source: .sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md
-    owner: jp
+    owner: ""
  - id: CTO-WORK-025
-    title: Current Case Provider Decision Record
+    title: Initial Not-Decided Provider Decision Record
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md
+    owner: ""
+  - id: CTO-WORK-026
+    title: OpenAI Codex Primary Provider Decision
    status: validated
    source: .sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md
    owner: ""
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@ -403,7 +403,7 @@ REQUIRED_MODEL_PROVIDER_ADMISSION_PRD_PHRASES = [
    "`CTO-WORK-020` remains blocked because no real provider/model has been approved and no real Case Stage 2 pass report exists.",
    "Decision Record Template For CTO-WORK-020",
    "`decision_status`: `not_decided`, `external_provider_approved`, or `local_provider_required`.",
-    "`provider_class`: `external_anthropic` or `local_case_compatible`.",
+    "`provider_class`: `external_anthropic`, `external_openai_codex`, or `local_case_compatible`.",
    "`provider`: exact provider string, or empty while blocked.",
    "`model`: exact model string, or empty while blocked.",
    "`approval_source`: JP approval reference or governed Core route reference.",
@ -445,7 +445,7 @@ REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_PHRASES = [
    "CTO-WORK-020 Decision Record Template",
    "This template belongs to `CTO-WORK-020`; it is not a new provider approval.",
    "`decision_status`: `not_decided`, `external_provider_approved`, or `local_provider_required`.",
-    "`provider_class`: `external_anthropic` or `local_case_compatible`.",
+    "`provider_class`: `external_anthropic`, `external_openai_codex`, or `local_case_compatible`.",
    "`provider`: exact provider string, or empty while blocked.",
    "`model`: exact model string, or empty while blocked.",
    "`approval_source`: JP approval reference or governed Core route reference.",
@ -491,7 +491,6 @@ REQUIRED_LOCAL_PROVIDER_ROUTE_ISSUE_IDS = [

 REQUIRED_LOCAL_PROVIDER_ROUTE_ISSUE_PHRASES = [
    "Status: validated.",
-    "Status: blocked.",
    "`decision_status=local_provider_required`",
    "local_case_compatible",
    "Uses `CTO-WORK-020` admission JSON gate as authority instead of redefining admission.",
@ -528,6 +527,10 @@ REQUIRED_PROVIDER_DECISION_PACKET_PRD_PHRASES = [
    "real Case Stage 2 blocked unless a provider/model is admitted and a pass report exists through the Harness Evidence Interface",
    "no Target Repository path may be inspected or copied",
    "`provider_class`: `external_anthropic`",
+    "`provider_class`: `external_anthropic` or `external_openai_codex`.",
+    "`openai-codex` with model `gpt-5.5` may be recorded as the primary approved external provider only when the approval source, credential source class, allowed network class, review trigger, and admission JSON are recorded.",
+    "`vllm` with model `qwen3.6-35b-a3b` may be recorded as an explicit fallback only when fallback use is represented in admission evidence and does not hide provider/model switching.",
+    "Packet permits provider class `external_openai_codex` only as a decision branch, not as admission or Stage 2 proof.",
    "`provider_class`: `local_case_compatible`",
    "No external fallback to `anthropic` or `claude-sonnet-4-6` is allowed.",
    "Missing local adapter config blocks before `case_process_started`.",
@ -538,11 +541,11 @@ REQUIRED_PROVIDER_DECISION_PACKET_ISSUE_IDS = [
    "CTO-WORK-023",
    "CTO-WORK-024",
    "CTO-WORK-025",
+    "CTO-WORK-026",
 ]

 REQUIRED_PROVIDER_DECISION_PACKET_ISSUE_PHRASES = [
    "Status: validated.",
-    "Status: blocked.",
    "`not_decided` is current safe state",
    "`external_provider_approved`",
    "`local_provider_required`",
@ -575,32 +578,53 @@ REQUIRED_PROVIDER_DECISION_PACKET_ISSUE_PHRASES = [
    "Record keeps `CTO-WORK-024` blocked while `decision_status=not_decided`.",
    "Record keeps `CTO-WORK-022` blocked unless `decision_status=local_provider_required`.",
    "Record keeps real Case Stage 2 blocked until admitted provider/model and Harness Evidence Interface pass report exist.",
+    "Status: validated.",
+    "Record JP approval of the external provider decision branch for the current Hermes model stack.",
+    "Decision record has `decision_status`: `external_provider_approved`.",
+    "Decision record has `provider_class`: `external_openai_codex`.",
+    "Decision record has `provider`: `openai-codex`.",
+    "Decision record has `model`: `gpt-5.5`.",
+    "Decision record has `fallback_provider`: `vllm`.",
+    "Decision record has `fallback_model`: `qwen3.6-35b-a3b`.",
+    "Decision record has `credential_source_class`: `hermes-openai-codex-oauth-and-local-vllm-config`; no secret value.",
+    "Decision record has `allowed_network_class`: `codex-oauth-hosted-model-plus-local-vllm-fallback`.",
+    "Decision record references Hermes model policy and local Hermes config as evidence sources without copying secrets.",
+    "Record says `CTO-WORK-024` is resolved by selecting `external_provider_approved`.",
+    "Record keeps `CTO-WORK-020` blocked until admission JSON and real Stage 2 pass evidence exist.",
+    "Record keeps `CTO-WORK-022` blocked because `decision_status=external_provider_approved`, not `local_provider_required`.",
+    "Record requires fallback to `vllm` with `qwen3.6-35b-a3b` to be explicit in admission evidence before it may count as a Case provider/model path.",
 ]

 REQUIRED_PROVIDER_DECISION_RECORD_PHRASES = [
    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
-    "`decision_status`: `not_decided`.",
-    "`provider_class`: empty while blocked.",
-    "`provider`: empty while blocked.",
-    "`model`: empty while blocked.",
-    "`approval_source`: empty while blocked.",
-    "`credential_source_class`: empty while blocked; no secret value.",
-    "`allowed_network_class`: empty while blocked.",
-    "`review_trigger`: empty while blocked.",
+    "`decision_status`: `external_provider_approved`.",
+    "`provider_class`: `external_openai_codex`.",
+    "`provider`: `openai-codex`.",
+    "`model`: `gpt-5.5`.",
+    "`fallback_provider`: `vllm`.",
+    "`fallback_model`: `qwen3.6-35b-a3b`.",
+    "`approval_source`: JP chat approval on 2026-05-31.",
+    "`credential_source_class`: `hermes-openai-codex-oauth-and-local-vllm-config`; no secret value.",
+    "`allowed_network_class`: `codex-oauth-hosted-model-plus-local-vllm-fallback`.",
+    "`review_trigger`: before real Case Stage 2 admission JSON is written, before any credential source change, and before any default/fallback model change.",
+    "/home/svrnty/workspaces/hermes/scripts/apply-hermes-model-policy.py",
+    "/home/svrnty/.hermes/config.yaml",
    "`effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.",
+    "`external_provider_approved` means JP approved the provider decision branch for the existing Hermes model stack: `openai-codex` with model `gpt-5.5` as primary, and `vllm` with model `qwen3.6-35b-a3b` as fallback.",
+    "This record is not provider/model admission and is not Stage 2 pass evidence.",
+    "`CTO-WORK-024` is resolved by this record selecting `external_provider_approved`.",
+    "Previous state:",
+    "`decision_status`: `not_decided`.",
    "`not_decided` means no provider/model may run.",
-    "not provider/model admission, not Stage 2 pass evidence, and not approval for external or local provider use",
-    "`CTO-WORK-024` remains blocked because this record does not select `external_provider_approved` or `local_provider_required`.",
-    "Only JP or a governed Core route may change this record away from `not_decided`.",
-    "`external_provider_approved`.",
-    "`local_provider_required`.",
+    "Only JP or a governed Core route may change this record away from `external_provider_approved`.",
+    "Allowed future values remain `external_provider_approved` or `local_provider_required`.",
    "No secret value may appear in SOT, task file, argv, report, trace, backend logs, generated config, or commit.",
    "No Target Repository path may be inspected or copied.",
    "`CTO-WORK-020` remains provider/model admission authority.",
    "`CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` remains execution admission gate.",
-    "`CTO-WORK-024` remains blocked while `decision_status=not_decided`.",
-    "`CTO-WORK-022` remains blocked unless `decision_status=local_provider_required`.",
+    "`CTO-WORK-022` remains blocked because `decision_status=external_provider_approved`, not `local_provider_required`.",
    "Real Case Stage 2 remains blocked until admitted provider/model and Harness Evidence Interface pass report exist.",
+    "Fallback to `vllm` with `qwen3.6-35b-a3b` must be explicit in admission evidence before it may count as a Case provider/model path.",
    "Existing evidence paths and commits are referenced only; runtime evidence is not copied into this record.",
 ]

@ -941,8 +965,9 @@ def main() -> int:
            "CTO-WORK-021": "validated",
            "CTO-WORK-022": "blocked",
            "CTO-WORK-023": "validated",
-            "CTO-WORK-024": "blocked",
+            "CTO-WORK-024": "validated",
            "CTO-WORK-025": "validated",
+            "CTO-WORK-026": "validated",
        }
        for issue_id, expected in expected_statuses.items():
            checked.append(f"workboard_status:{issue_id}:{expected}")