Add CTO Case provider build route

tools/validate_cto_child.py

@@ -30,6 +30,8 @@ REQUIRED_FILES = [
     "sot/03-PROTOCOLS/CTO-CASE-STAGE2-ARTIFICIAL-FIXTURE-ISSUES.md",
     "sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md",
     "sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-ISSUES.md",
+    "sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md",
+    "sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-ISSUES.md",
 ]
 
 REQUIRED_BRIEF_PHRASES = [
@@ -285,6 +287,52 @@ REQUIRED_PROVIDER_ADMISSION_ISSUE_IDS = [
     "CTO-WORK-014",
 ]
 
+REQUIRED_PROVIDER_BUILD_PRD_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "no durable admitted `ca` executable exists",
+    "Node `v20.19.5`, no local `bun` executable",
+    "no `dist/ca`, no PATH `ca`",
+    "https://github.com/workos/case.git",
+    "7959ac917cdeb0983b4aaa20bb9f42021747fed8",
+    "discovery evidence only",
+    "durable WorkOS Case `ca` executable",
+    "source pin and SHA-256 digest",
+    "CTO_HARNESS_CASE_BIN",
+    "bun run build:binary",
+    "dist/ca",
+    "unrelated npm `case` package",
+    "ca run --task <task-file> --mode unattended",
+    "allowed paths, forbidden actions, verification command, and evidence expectations",
+    "Missing Bun blocks before build; it does not degrade to warning.",
+    "missing credentials",
+    "Stage 2 with `CTO_HARNESS_CASE_BIN=<admitted-ca>` produces a pass report only through real Case execution.",
+    "Current Hermes source admission status remains `not_admitted` until the provider build report is recorded.",
+    "Same-run fake baseline comparison remains required",
+    "report.json",
+    "report.md",
+    "events.normalized.jsonl",
+    "trace.jsonl",
+    "patch.diff",
+    "test.log",
+    "backend raw logs",
+    "artifact digests",
+    "freshness proof",
+    "source_admission_status",
+    "case_process_started",
+    "backend_exit_code",
+    "allowed_writes_passed",
+    "changed_files",
+    "blockers",
+    "No Cortex Core, Case source, vendor source, or Target Repository file is mutated by admission.",
+    "harness/evals/health.sh --json",
+    "Stage 2 moves from provider-unavailable blocked status to a real Case pass report",
+]
+
+REQUIRED_PROVIDER_BUILD_ISSUE_IDS = [
+    "CTO-WORK-015",
+    "CTO-WORK-016",
+]
+
 
 def workboard_status(text: str, issue_id: str) -> str | None:
     pattern = rf"- id: {re.escape(issue_id)}\n(?:    .+\n)*?    status: ([^\n]+)"
@@ -454,6 +502,28 @@ def main() -> int:
             if issue_id not in text:
                 errors.append(f"missing_provider_admission_issue_id:{issue_id}")
 
+    provider_build_prd = ROOT / "sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md"
+    if provider_build_prd.is_file():
+        text = provider_build_prd.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("provider_build_prd_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_PROVIDER_BUILD_PRD_PHRASES:
+            checked.append(f"provider_build_prd_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_provider_build_prd_phrase:{phrase}")
+
+    provider_build_issues = ROOT / "sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-ISSUES.md"
+    if provider_build_issues.is_file():
+        text = provider_build_issues.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("provider_build_issues_missing_not_promoted_frontmatter")
+        if "Local planning SOT only. Not a Core Protocol. Not active Core authority." not in text:
+            errors.append("provider_build_issues_missing_local_planning_notice")
+        for issue_id in REQUIRED_PROVIDER_BUILD_ISSUE_IDS:
+            checked.append(f"provider_build_issue_id:{issue_id}")
+            if issue_id not in text:
+                errors.append(f"missing_provider_build_issue_id:{issue_id}")
+
     board = ROOT / "WORKBOARD.yaml"
     if board.is_file():
         text = board.read_text(encoding="utf-8")
@@ -473,6 +543,10 @@ def main() -> int:
             checked.append(f"workboard_id:{issue_id}")
             if issue_id not in text:
                 errors.append(f"missing_workboard_id:{issue_id}")
+        for issue_id in REQUIRED_PROVIDER_BUILD_ISSUE_IDS:
+            checked.append(f"workboard_id:{issue_id}")
+            if issue_id not in text:
+                errors.append(f"missing_workboard_id:{issue_id}")
         expected_statuses = {
             "CTO-WORK-002": "validated",
             "CTO-WORK-003": "validated",
@@ -487,6 +561,8 @@ def main() -> int:
             "CTO-WORK-012": "blocked",
             "CTO-WORK-013": "validated",
             "CTO-WORK-014": "validated",
+            "CTO-WORK-015": "validated",
+            "CTO-WORK-016": "blocked",
         }
         for issue_id, expected in expected_statuses.items():
             checked.append(f"workboard_status:{issue_id}:{expected}")
@@ -517,6 +593,10 @@ def main() -> int:
             errors.append("workboard_missing_provider_admission_prd_source")
         if "CTO-CASE-PROVIDER-ADMISSION-ISSUES.md" not in text:
             errors.append("workboard_missing_provider_admission_issues_source")
+        if "CTO-CASE-PROVIDER-BUILD-PRD.md" not in text:
+            errors.append("workboard_missing_provider_build_prd_source")
+        if "CTO-CASE-PROVIDER-BUILD-ISSUES.md" not in text:
+            errors.append("workboard_missing_provider_build_issues_source")
 
     payload = {
         "ok": not errors,