Add CTO Case staged proof gates
This commit is contained in:
Svrnty
@@ -0,0 +1,265 @@
|
||||
---
|
||||
name: cto-case-staged-proof-gates
|
||||
tier: local
|
||||
status: draft
|
||||
owner: jp
|
||||
source: sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md
|
||||
created: 2026-05-31
|
||||
last_reviewed: 2026-05-31
|
||||
lifecycle_classification: planning
|
||||
core_promotion_status: not-promoted
|
||||
description: Child-local staged proof gate records for Case candidate backend progression.
|
||||
---
|
||||
|
||||
# CTO Case Staged Proof Gates
|
||||
|
||||
Local planning SOT only. Not a Core Protocol. Not active Core authority.
|
||||
|
||||
## Purpose
|
||||
|
||||
Define the staged proof gates Case must pass before it can be discussed as a candidate default backend.
|
||||
|
||||
Default status is earned, not assumed. No stage grants Core authority, WebUI Runtime behavior, real-repo mutation outside its stated scope, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion.
|
||||
|
||||
## Gate Rules
|
||||
|
||||
- Stages must be completed in order.
|
||||
- Each stage must preserve the CTO Harness Evidence Interface.
|
||||
- Each stage must respect the Case Source Admission Record.
|
||||
- Each stage must use the CTO Case Adapter Contract and Eligibility Decision.
|
||||
- Each stage must account for the CTO Case Failure Fixture Matrix.
|
||||
- Missing evidence means blocked, not partially accepted.
|
||||
- Later stages must not reinterpret earlier stage success as broader mutation permission.
|
||||
|
||||
## Stage Summary
|
||||
|
||||
| Stage | Name | Allowed mutation scope | Promotion condition |
|
||||
| --- | --- | --- | --- |
|
||||
| 1 | Gated Case engine | none | Harness accepts `--engine case` only when explicitly enabled and default-deny proof passes. |
|
||||
| 2 | Artificial fixture | copied artificial case only | Case adapter matches existing fake fixture behavior through the Harness Evidence Interface. |
|
||||
| 3 | Copied repo fixture | copied local repository fixture only | No source repository mutation; clean start/end and failure fixtures pass. |
|
||||
| 4 | Disposable sandbox repo | disposable repository only | Approval, branch, fail-closed, and artifact behavior pass in a throwaway repository. |
|
||||
| 5 | Owned noncritical repo | explicitly owned low-risk repository only | Operator accepts bounded proof with source admission, approval, and allowed paths. |
|
||||
| 6 | Candidate default | scoped real-repo use only | Case matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure. |
|
||||
|
||||
## Stage 1 - Gated Case Engine
|
||||
|
||||
Entry gates:
|
||||
|
||||
- Harness Evidence Interface Contract is validated.
|
||||
- Case Adapter Contract is validated.
|
||||
- Case Source Admission Record exists.
|
||||
- Case Failure Fixture Matrix exists.
|
||||
|
||||
Allowed mutation scope: none.
|
||||
|
||||
Required artifacts:
|
||||
|
||||
- `report.json`;
|
||||
- `events.normalized.jsonl`;
|
||||
- `trace.jsonl`;
|
||||
- no-op `patch.diff`;
|
||||
- no-op `test.log`;
|
||||
- backend raw logs showing default-deny preflight.
|
||||
|
||||
Validator expectation:
|
||||
|
||||
- `case` is registered as a gated engine;
|
||||
- `--engine case` is rejected unless explicitly enabled;
|
||||
- no source files are changed;
|
||||
- missing gate produces blocked status.
|
||||
|
||||
Required failure classes:
|
||||
|
||||
- provider unavailable;
|
||||
- missing required event;
|
||||
- artifact write failure.
|
||||
|
||||
Promotion condition:
|
||||
|
||||
- Harness accepts `--engine case` only when explicitly enabled and default-deny proof passes.
|
||||
|
||||
## Stage 2 - Artificial Fixture
|
||||
|
||||
Entry gates:
|
||||
|
||||
- Stage 1 is validated.
|
||||
- Artificial fixture task contract exists.
|
||||
- Allowed paths and verification command are explicit.
|
||||
|
||||
Allowed mutation scope: copied artificial case only.
|
||||
|
||||
Required artifacts:
|
||||
|
||||
- full Harness Evidence Interface artifact set;
|
||||
- changed files list;
|
||||
- allowed-write proof;
|
||||
- verification log;
|
||||
- digest and freshness proof.
|
||||
|
||||
Validator expectation:
|
||||
|
||||
- artificial fixture can pass through the Case adapter;
|
||||
- fake lane remains default validation lane;
|
||||
- Case output matches report shape, event validity, allowed-path compliance, failure closure, and artifact completeness expected from fake fixtures.
|
||||
|
||||
Required failure classes:
|
||||
|
||||
- no diff;
|
||||
- disallowed file;
|
||||
- failed tests;
|
||||
- missing test command;
|
||||
- missing required event.
|
||||
|
||||
Promotion condition:
|
||||
|
||||
- Case adapter matches existing fake fixture behavior through the Harness Evidence Interface.
|
||||
|
||||
## Stage 3 - Copied Repo Fixture
|
||||
|
||||
Entry gates:
|
||||
|
||||
- Stage 2 is validated.
|
||||
- Copied repository fixture is created from an owned local source.
|
||||
- Source repository remains read-only during fixture creation.
|
||||
|
||||
Allowed mutation scope: copied local repository fixture only.
|
||||
|
||||
Required artifacts:
|
||||
|
||||
- full Harness Evidence Interface artifact set;
|
||||
- clean starting tree proof for copied fixture;
|
||||
- clean ending tree proof;
|
||||
- source repository non-mutation proof;
|
||||
- failure fixture results.
|
||||
|
||||
Validator expectation:
|
||||
|
||||
- all changes occur inside copied fixture;
|
||||
- no hidden mutation occurs in source repository;
|
||||
- dirty-starting-tree and dirty-ending-tree failures are detected.
|
||||
|
||||
Required failure classes:
|
||||
|
||||
- dirty starting tree;
|
||||
- dirty ending tree;
|
||||
- timeout;
|
||||
- artifact write failure.
|
||||
|
||||
Promotion condition:
|
||||
|
||||
- copied repo fixture proves no source repo mutation and clean start/end behavior.
|
||||
|
||||
## Stage 4 - Disposable Sandbox Repo
|
||||
|
||||
Entry gates:
|
||||
|
||||
- Stage 3 is validated.
|
||||
- Disposable repository ownership and disposal policy are explicit.
|
||||
- Approval events are enabled for mutation mode.
|
||||
|
||||
Allowed mutation scope: disposable repository only.
|
||||
|
||||
Required artifacts:
|
||||
|
||||
- full Harness Evidence Interface artifact set;
|
||||
- approval event proof;
|
||||
- branch policy proof;
|
||||
- sandbox disposal or retention note;
|
||||
- failure matrix coverage for sandbox mode.
|
||||
|
||||
Validator expectation:
|
||||
|
||||
- mutation occurs only in disposable repository;
|
||||
- approval denied fails closed;
|
||||
- branch policy is recorded;
|
||||
- no merge, push, deploy, or close occurs unless explicitly allowed by the task contract.
|
||||
|
||||
Required failure classes:
|
||||
|
||||
- approval denied;
|
||||
- reviewer reject;
|
||||
- timeout;
|
||||
- provider unavailable.
|
||||
|
||||
Promotion condition:
|
||||
|
||||
- disposable sandbox repo proves approval, branch, fail-closed, and artifact behavior.
|
||||
|
||||
## Stage 5 - Owned Noncritical Repo
|
||||
|
||||
Entry gates:
|
||||
|
||||
- Stage 4 is validated.
|
||||
- Target Repository ownership is explicit.
|
||||
- Repository is low risk and noncritical.
|
||||
- Human approval is recorded before mutation.
|
||||
- Source license note is resolved for the requested execution mode.
|
||||
|
||||
Allowed mutation scope: explicitly owned low-risk repository only.
|
||||
|
||||
Required artifacts:
|
||||
|
||||
- full Harness Evidence Interface artifact set;
|
||||
- Target Repository ownership proof;
|
||||
- approval event proof;
|
||||
- allowed paths and forbidden actions;
|
||||
- post-run operator acceptance or rejection.
|
||||
|
||||
Validator expectation:
|
||||
|
||||
- mutation stays inside allowed paths;
|
||||
- no direct push, merge, deploy, or close occurs unless task contract explicitly allows it;
|
||||
- operator approval and outcome are replayable.
|
||||
|
||||
Required failure classes:
|
||||
|
||||
- disallowed file;
|
||||
- failed tests;
|
||||
- approval denied;
|
||||
- dirty ending tree.
|
||||
|
||||
Promotion condition:
|
||||
|
||||
- operator accepts bounded proof with source admission, approval, and allowed paths.
|
||||
|
||||
## Stage 6 - Candidate Default
|
||||
|
||||
Entry gates:
|
||||
|
||||
- Stage 5 is validated.
|
||||
- Comparison fixtures exist for fake, Codex, and Pi where applicable.
|
||||
- Case source admission is current.
|
||||
- Failure matrix coverage is complete or explicitly blocked with rationale.
|
||||
|
||||
Allowed mutation scope: scoped real-repo use only.
|
||||
|
||||
Required artifacts:
|
||||
|
||||
- full Harness Evidence Interface artifact set;
|
||||
- comparative evidence against fake, Codex, and Pi where applicable;
|
||||
- failure closure evidence;
|
||||
- source admission freshness;
|
||||
- operator acceptance.
|
||||
|
||||
Validator expectation:
|
||||
|
||||
- Case matches or beats existing lanes on report shape;
|
||||
- Case matches or beats existing lanes on event validity;
|
||||
- Case matches or beats existing lanes on allowed-path compliance;
|
||||
- Case matches or beats existing lanes on failure closure;
|
||||
- Case matches or beats existing lanes on artifact completeness.
|
||||
|
||||
Required failure classes:
|
||||
|
||||
- all failure matrix rows, unless a row is explicitly blocked by a governed stage record.
|
||||
|
||||
Promotion condition:
|
||||
|
||||
- Case may be discussed as candidate default only after comparison evidence shows it matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure.
|
||||
|
||||
## Final Guard
|
||||
|
||||
These staged proof gates do not implement Case and do not authorize execution. They define the minimum route for later implementation.
|
||||
|
||||
Any future implementation must start with Stage 1 and must not skip to real-repo execution.
|
||||
Reference in New Issue
Block a user