diff --git a/README.md b/README.md index e29c810..9824288 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,8 @@ This workspace is registered as a child-local planning workspace. Registration d | |-- CTO-HARNESS-EVIDENCE-INTERFACE-CONTRACT.md | |-- CTO-CASE-SOURCE-ADMISSION-RECORD.md | |-- CTO-CASE-ADAPTER-CONTRACT.md -| `-- CTO-CASE-FAILURE-FIXTURE-MATRIX.md +| |-- CTO-CASE-FAILURE-FIXTURE-MATRIX.md +| `-- CTO-CASE-STAGED-PROOF-GATES.md `-- tools/ `-- validate_cto_child.py ``` diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml index 4c2e705..6e5b3c3 100644 --- a/WORKBOARD.yaml +++ b/WORKBOARD.yaml @@ -36,6 +36,6 @@ items: owner: jp - id: CTO-WORK-008 title: Staged Proof Gate Records - status: candidate - source: sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-ISSUES.md + status: validated + source: sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md owner: jp diff --git a/sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md b/sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md new file mode 100644 index 0000000..39bfaa3 --- /dev/null +++ b/sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md 
@@ -0,0 +1,265 @@ +--- +name: cto-case-staged-proof-gates +tier: local +status: draft +owner: jp +source: sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md +created: 2026-05-31 +last_reviewed: 2026-05-31 +lifecycle_classification: planning +core_promotion_status: not-promoted +description: Child-local staged proof gate records for Case candidate backend progression. +--- + +# CTO Case Staged Proof Gates + +Local planning SOT only. Not a Core Protocol. Not active Core authority. + +## Purpose + +Define the staged proof gates Case must pass before it can be discussed as a candidate default backend. + +Default status is earned, not assumed. No stage grants Core authority, WebUI Runtime behavior, real-repo mutation outside its stated scope, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion. + +## Gate Rules + +- Stages must be completed in order. +- Each stage must preserve the CTO Harness Evidence Interface. +- Each stage must respect the Case Source Admission Record. +- Each stage must use the CTO Case Adapter Contract and Eligibility Decision. +- Each stage must account for the CTO Case Failure Fixture Matrix. +- Missing evidence means blocked, not partially accepted. +- Later stages must not reinterpret earlier stage success as broader mutation permission. + +## Stage Summary + +| Stage | Name | Allowed mutation scope | Promotion condition | +| --- | --- | --- | --- | +| 1 | Gated Case engine | none | Harness accepts `--engine case` only when explicitly enabled and default-deny proof passes. | +| 2 | Artificial fixture | copied artificial case only | Case adapter matches existing fake fixture behavior through the Harness Evidence Interface. | +| 3 | Copied repo fixture | copied local repository fixture only | No source repository mutation; clean start/end and failure fixtures pass. 
| +| 4 | Disposable sandbox repo | disposable repository only | Approval, branch, fail-closed, and artifact behavior pass in a throwaway repository. | +| 5 | Owned noncritical repo | explicitly owned low-risk repository only | Operator accepts bounded proof with source admission, approval, and allowed paths. | +| 6 | Candidate default | scoped real-repo use only | Case matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure. | + +## Stage 1 - Gated Case Engine + +Entry gates: + +- Harness Evidence Interface Contract is validated. +- Case Adapter Contract is validated. +- Case Source Admission Record exists. +- Case Failure Fixture Matrix exists. + +Allowed mutation scope: none. + +Required artifacts: + +- `report.json`; +- `events.normalized.jsonl`; +- `trace.jsonl`; +- no-op `patch.diff`; +- no-op `test.log`; +- backend raw logs showing default-deny preflight. + +Validator expectation: + +- `case` is registered as a gated engine; +- `--engine case` is rejected unless explicitly enabled; +- no source files are changed; +- missing gate produces blocked status. + +Required failure classes: + +- provider unavailable; +- missing required event; +- artifact write failure. + +Promotion condition: + +- Harness accepts `--engine case` only when explicitly enabled and default-deny proof passes. + +## Stage 2 - Artificial Fixture + +Entry gates: + +- Stage 1 is validated. +- Artificial fixture task contract exists. +- Allowed paths and verification command are explicit. + +Allowed mutation scope: copied artificial case only. + +Required artifacts: + +- full Harness Evidence Interface artifact set; +- changed files list; +- allowed-write proof; +- verification log; +- digest and freshness proof. 
+ +Validator expectation: + +- artificial fixture can pass through the Case adapter; +- fake lane remains default validation lane; +- Case output matches report shape, event validity, allowed-path compliance, failure closure, and artifact completeness expected from fake fixtures. + +Required failure classes: + +- no diff; +- disallowed file; +- failed tests; +- missing test command; +- missing required event. + +Promotion condition: + +- Case adapter matches existing fake fixture behavior through the Harness Evidence Interface. + +## Stage 3 - Copied Repo Fixture + +Entry gates: + +- Stage 2 is validated. +- Copied repository fixture is created from an owned local source. +- Source repository remains read-only during fixture creation. + +Allowed mutation scope: copied local repository fixture only. + +Required artifacts: + +- full Harness Evidence Interface artifact set; +- clean starting tree proof for copied fixture; +- clean ending tree proof; +- source repository non-mutation proof; +- failure fixture results. + +Validator expectation: + +- all changes occur inside copied fixture; +- no hidden mutation occurs in source repository; +- dirty-starting-tree and dirty-ending-tree failures are detected. + +Required failure classes: + +- dirty starting tree; +- dirty ending tree; +- timeout; +- artifact write failure. + +Promotion condition: + +- copied repo fixture proves no source repo mutation and clean start/end behavior. + +## Stage 4 - Disposable Sandbox Repo + +Entry gates: + +- Stage 3 is validated. +- Disposable repository ownership and disposal policy are explicit. +- Approval events are enabled for mutation mode. + +Allowed mutation scope: disposable repository only. + +Required artifacts: + +- full Harness Evidence Interface artifact set; +- approval event proof; +- branch policy proof; +- sandbox disposal or retention note; +- failure matrix coverage for sandbox mode. 
+ +Validator expectation: + +- mutation occurs only in disposable repository; +- approval denied fails closed; +- branch policy is recorded; +- no merge, push, deploy, or close occurs unless explicitly allowed by the task contract. + +Required failure classes: + +- approval denied; +- reviewer reject; +- timeout; +- provider unavailable. + +Promotion condition: + +- disposable sandbox repo proves approval, branch, fail-closed, and artifact behavior. + +## Stage 5 - Owned Noncritical Repo + +Entry gates: + +- Stage 4 is validated. +- Target Repository ownership is explicit. +- Repository is low risk and noncritical. +- Human approval is recorded before mutation. +- Source license note is resolved for the requested execution mode. + +Allowed mutation scope: explicitly owned low-risk repository only. + +Required artifacts: + +- full Harness Evidence Interface artifact set; +- Target Repository ownership proof; +- approval event proof; +- allowed paths and forbidden actions; +- post-run operator acceptance or rejection. + +Validator expectation: + +- mutation stays inside allowed paths; +- no direct push, merge, deploy, or close occurs unless task contract explicitly allows it; +- operator approval and outcome are replayable. + +Required failure classes: + +- disallowed file; +- failed tests; +- approval denied; +- dirty ending tree. + +Promotion condition: + +- operator accepts bounded proof with source admission, approval, and allowed paths. + +## Stage 6 - Candidate Default + +Entry gates: + +- Stage 5 is validated. +- Comparison fixtures exist for fake, Codex, and Pi where applicable. +- Case source admission is current. +- Failure matrix coverage is complete or explicitly blocked with rationale. + +Allowed mutation scope: scoped real-repo use only. 
+ +Required artifacts: + +- full Harness Evidence Interface artifact set; +- comparative evidence against fake, Codex, and Pi where applicable; +- failure closure evidence; +- source admission freshness; +- operator acceptance. + +Validator expectation: + +- Case matches or beats existing lanes on report shape; +- Case matches or beats existing lanes on event validity; +- Case matches or beats existing lanes on allowed-path compliance; +- Case matches or beats existing lanes on failure closure; +- Case matches or beats existing lanes on artifact completeness. + +Required failure classes: + +- all failure matrix rows, unless a row is explicitly blocked by a governed stage record. + +Promotion condition: + +- Case may be discussed as candidate default only after comparison evidence shows it matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure. + +## Final Guard + +These staged proof gates do not implement Case and do not authorize execution. They define the minimum route for later implementation. + +Any future implementation must start with Stage 1 and must not skip to real-repo execution. diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py index c3af202..f37cac9 100644 --- a/tools/validate_cto_child.py +++ b/tools/validate_cto_child.py @@ -22,6 +22,7 @@ REQUIRED_FILES = [ "sot/03-PROTOCOLS/CTO-CASE-SOURCE-ADMISSION-RECORD.md", "sot/03-PROTOCOLS/CTO-CASE-ADAPTER-CONTRACT.md", "sot/03-PROTOCOLS/CTO-CASE-FAILURE-FIXTURE-MATRIX.md", + "sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md", ] REQUIRED_BRIEF_PHRASES = [ 
@@ -157,6 +158,30 @@ REQUIRED_FAILURE_FIXTURE_PHRASES = [ "fail closed", ] +REQUIRED_STAGED_PROOF_PHRASES = [ + "Local planning SOT only. Not a Core Protocol. Not active Core authority.", + "Default status is earned, not assumed.", + "Stages must be completed in order.", + "Missing evidence means blocked, not partially accepted.", + "Stage 1 - Gated Case Engine", + "Stage 2 - Artificial Fixture", + "Stage 3 - Copied Repo Fixture", + "Stage 4 - Disposable Sandbox Repo", + "Stage 5 - Owned Noncritical Repo", + "Stage 6 - Candidate Default", + "Allowed mutation scope: none.", + "Allowed mutation scope: copied artificial case only.", + "Allowed mutation scope: copied local repository fixture only.", + "Allowed mutation scope: disposable repository only.", + "Allowed mutation scope: explicitly owned low-risk repository only.", + "Allowed mutation scope: scoped real-repo use only.", + "fake, Codex, and Pi where applicable", + "Case matches or beats existing lanes on report shape", + "Case matches or beats existing lanes on failure closure", + "Any future implementation must start with Stage 1", + "must not skip to real-repo execution", +] + def main() -> int: checked: list[str] = [] @@ -244,6 +269,16 @@ def main() -> int: if phrase not in text: errors.append(f"missing_failure_matrix_phrase:{phrase}") + staged_proof = ROOT / "sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md" + if staged_proof.is_file(): + text = staged_proof.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("staged_proof_missing_not_promoted_frontmatter") + for phrase in REQUIRED_STAGED_PROOF_PHRASES: + checked.append(f"staged_proof_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_staged_proof_phrase:{phrase}") + board = ROOT / "WORKBOARD.yaml" if board.is_file(): text = board.read_text(encoding="utf-8") 
@@ -261,6 +296,8 @@ def main() -> int: errors.append("workboard_missing_adapter_contract_source") if "CTO-CASE-FAILURE-FIXTURE-MATRIX.md" not in text: errors.append("workboard_missing_failure_matrix_source") + if "CTO-CASE-STAGED-PROOF-GATES.md" not in text: + errors.append("workboard_missing_staged_proof_gates_source") payload = { "ok": not errors,
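Review bot: In the WORKBOARD.yaml hunk, CTO-WORK-008 is moved to `status: validated` while the file it now points at declares `status: draft` in its own frontmatter; the two records disagree about the same artifact. Either leave the workboard item at `candidate` until the document's frontmatter is raised past `draft`, or have `validate_cto_child.py` compare the two and fail on the mismatch, so that the board cannot claim a validation state the source document does not assert.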
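Review bot: In the new CTO-CASE-STAGED-PROOF-GATES.md hunk, the Purpose section's absolute guard ("No stage grants ... merge, deploy, push, close") is contradicted by the Stage 4 and Stage 5 validator expectations, which read "no merge, push, deploy, or close occurs unless explicitly allowed by the task contract". As written a task contract becomes an escape hatch that the gate rules never mention. Either drop the "unless" clause from Stages 4 and 5, or add a Gate Rule stating that a task contract may authorize those actions only inside the disposable or explicitly owned repository of the current stage and never in Stage 6 scope. Smaller point in the same hunk: the Stage 3 table row requires "failure fixtures pass" but the Stage 3 section's promotion condition omits that clause; align the two so the validator phrases stay unambiguous.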
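Review bot: In the validate_cto_child.py hunk that adds `REQUIRED_STAGED_PROOF_PHRASES`, the frontmatter check `if "core_promotion_status: not-promoted" not in text:` is a plain substring match over the whole file, so the string would also be accepted from body prose or a code fence rather than from the frontmatter block; restrict the check to the text between the leading `---` delimiters before matching. The `if staged_proof.is_file():` guard silently skips every phrase check when the file is absent, which is only safe because the file is listed in `REQUIRED_FILES` in the earlier hunk; a comment noting that dependency would help. Lastly, this block repeats the `REQUIRED_FAILURE_FIXTURE_PHRASES` loop almost verbatim (`checked.append(...)`, `if phrase not in text:`, `errors.append(f"missing_..._phrase:{phrase}")`); a small helper taking the path, phrase list and label would remove the fourth copy of that loop.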
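Review bot: In the final validate_cto_child.py hunk, `if "CTO-CASE-STAGED-PROOF-GATES.md" not in text:` only proves the filename appears somewhere in WORKBOARD.yaml, not that it is the `source:` of `CTO-WORK-008` as the WORKBOARD hunk intends. Match the full line `source: sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md` instead, and consider pairing it with a check that the item's `status:` does not exceed the `status:` declared in the document's frontmatter.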