Add CTO Case staged proof gates

README.md

@@ -36,7 +36,8 @@ This workspace is registered as a child-local planning workspace. Registration d
 |       |-- CTO-HARNESS-EVIDENCE-INTERFACE-CONTRACT.md
 |       |-- CTO-CASE-SOURCE-ADMISSION-RECORD.md
 |       |-- CTO-CASE-ADAPTER-CONTRACT.md
-|       `-- CTO-CASE-FAILURE-FIXTURE-MATRIX.md
+|       |-- CTO-CASE-FAILURE-FIXTURE-MATRIX.md
+|       `-- CTO-CASE-STAGED-PROOF-GATES.md
 `-- tools/
     `-- validate_cto_child.py
 ```

WORKBOARD.yaml

@@ -36,6 +36,6 @@ items:
     owner: jp
   - id: CTO-WORK-008
     title: Staged Proof Gate Records
-    status: candidate
-    source: sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-ISSUES.md
+    status: validated
+    source: sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md
     owner: jp

sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md

@@ -0,0 +1,265 @@
+---
+name: cto-case-staged-proof-gates
+tier: local
+status: draft
+owner: jp
+source: sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md
+created: 2026-05-31
+last_reviewed: 2026-05-31
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local staged proof gate records for Case candidate backend progression.
+---
+
+# CTO Case Staged Proof Gates
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Purpose
+
+Define the staged proof gates Case must pass before it can be discussed as a candidate default backend.
+
+Default status is earned, not assumed. No stage grants Core authority, WebUI Runtime behavior, real-repo mutation outside its stated scope, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion.
+
+## Gate Rules
+
+- Stages must be completed in order.
+- Each stage must preserve the CTO Harness Evidence Interface.
+- Each stage must respect the Case Source Admission Record.
+- Each stage must use the CTO Case Adapter Contract and Eligibility Decision.
+- Each stage must account for the CTO Case Failure Fixture Matrix.
+- Missing evidence means blocked, not partially accepted.
+- Later stages must not reinterpret earlier stage success as broader mutation permission.
+
+## Stage Summary
+
+| Stage | Name | Allowed mutation scope | Promotion condition |
+| --- | --- | --- | --- |
+| 1 | Gated Case engine | none | Harness accepts `--engine case` only when explicitly enabled and default-deny proof passes. |
+| 2 | Artificial fixture | copied artificial case only | Case adapter matches existing fake fixture behavior through the Harness Evidence Interface. |
+| 3 | Copied repo fixture | copied local repository fixture only | No source repository mutation; clean start/end and failure fixtures pass. |
+| 4 | Disposable sandbox repo | disposable repository only | Approval, branch, fail-closed, and artifact behavior pass in a throwaway repository. |
+| 5 | Owned noncritical repo | explicitly owned low-risk repository only | Operator accepts bounded proof with source admission, approval, and allowed paths. |
+| 6 | Candidate default | scoped real-repo use only | Case matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure. |
+
+## Stage 1 - Gated Case Engine
+
+Entry gates:
+
+- Harness Evidence Interface Contract is validated.
+- Case Adapter Contract is validated.
+- Case Source Admission Record exists.
+- Case Failure Fixture Matrix exists.
+
+Allowed mutation scope: none.
+
+Required artifacts:
+
+- `report.json`;
+- `events.normalized.jsonl`;
+- `trace.jsonl`;
+- no-op `patch.diff`;
+- no-op `test.log`;
+- backend raw logs showing default-deny preflight.
+
+Validator expectation:
+
+- `case` is registered as a gated engine;
+- `--engine case` is rejected unless explicitly enabled;
+- no source files are changed;
+- missing gate produces blocked status.
+
+Required failure classes:
+
+- provider unavailable;
+- missing required event;
+- artifact write failure.
+
+Promotion condition:
+
+- Harness accepts `--engine case` only when explicitly enabled and default-deny proof passes.
+
+## Stage 2 - Artificial Fixture
+
+Entry gates:
+
+- Stage 1 is validated.
+- Artificial fixture task contract exists.
+- Allowed paths and verification command are explicit.
+
+Allowed mutation scope: copied artificial case only.
+
+Required artifacts:
+
+- full Harness Evidence Interface artifact set;
+- changed files list;
+- allowed-write proof;
+- verification log;
+- digest and freshness proof.
+
+Validator expectation:
+
+- artificial fixture can pass through the Case adapter;
+- fake lane remains default validation lane;
+- Case output matches report shape, event validity, allowed-path compliance, failure closure, and artifact completeness expected from fake fixtures.
+
+Required failure classes:
+
+- no diff;
+- disallowed file;
+- failed tests;
+- missing test command;
+- missing required event.
+
+Promotion condition:
+
+- Case adapter matches existing fake fixture behavior through the Harness Evidence Interface.
+
+## Stage 3 - Copied Repo Fixture
+
+Entry gates:
+
+- Stage 2 is validated.
+- Copied repository fixture is created from an owned local source.
+- Source repository remains read-only during fixture creation.
+
+Allowed mutation scope: copied local repository fixture only.
+
+Required artifacts:
+
+- full Harness Evidence Interface artifact set;
+- clean starting tree proof for copied fixture;
+- clean ending tree proof;
+- source repository non-mutation proof;
+- failure fixture results.
+
+Validator expectation:
+
+- all changes occur inside copied fixture;
+- no hidden mutation occurs in source repository;
+- dirty-starting-tree and dirty-ending-tree failures are detected.
+
+Required failure classes:
+
+- dirty starting tree;
+- dirty ending tree;
+- timeout;
+- artifact write failure.
+
+Promotion condition:
+
+- copied repo fixture proves no source repo mutation and clean start/end behavior.
+
+## Stage 4 - Disposable Sandbox Repo
+
+Entry gates:
+
+- Stage 3 is validated.
+- Disposable repository ownership and disposal policy are explicit.
+- Approval events are enabled for mutation mode.
+
+Allowed mutation scope: disposable repository only.
+
+Required artifacts:
+
+- full Harness Evidence Interface artifact set;
+- approval event proof;
+- branch policy proof;
+- sandbox disposal or retention note;
+- failure matrix coverage for sandbox mode.
+
+Validator expectation:
+
+- mutation occurs only in disposable repository;
+- approval denied fails closed;
+- branch policy is recorded;
+- no merge, push, deploy, or close occurs unless explicitly allowed by the task contract.
+
+Required failure classes:
+
+- approval denied;
+- reviewer reject;
+- timeout;
+- provider unavailable.
+
+Promotion condition:
+
+- disposable sandbox repo proves approval, branch, fail-closed, and artifact behavior.
+
+## Stage 5 - Owned Noncritical Repo
+
+Entry gates:
+
+- Stage 4 is validated.
+- Target Repository ownership is explicit.
+- Repository is low risk and noncritical.
+- Human approval is recorded before mutation.
+- Source license note is resolved for the requested execution mode.
+
+Allowed mutation scope: explicitly owned low-risk repository only.
+
+Required artifacts:
+
+- full Harness Evidence Interface artifact set;
+- Target Repository ownership proof;
+- approval event proof;
+- allowed paths and forbidden actions;
+- post-run operator acceptance or rejection.
+
+Validator expectation:
+
+- mutation stays inside allowed paths;
+- no direct push, merge, deploy, or close occurs unless task contract explicitly allows it;
+- operator approval and outcome are replayable.
+
+Required failure classes:
+
+- disallowed file;
+- failed tests;
+- approval denied;
+- dirty ending tree.
+
+Promotion condition:
+
+- operator accepts bounded proof with source admission, approval, and allowed paths.
+
+## Stage 6 - Candidate Default
+
+Entry gates:
+
+- Stage 5 is validated.
+- Comparison fixtures exist for fake, Codex, and Pi where applicable.
+- Case source admission is current.
+- Failure matrix coverage is complete or explicitly blocked with rationale.
+
+Allowed mutation scope: scoped real-repo use only.
+
+Required artifacts:
+
+- full Harness Evidence Interface artifact set;
+- comparative evidence against fake, Codex, and Pi where applicable;
+- failure closure evidence;
+- source admission freshness;
+- operator acceptance.
+
+Validator expectation:
+
+- Case matches or beats existing lanes on report shape;
+- Case matches or beats existing lanes on event validity;
+- Case matches or beats existing lanes on allowed-path compliance;
+- Case matches or beats existing lanes on failure closure;
+- Case matches or beats existing lanes on artifact completeness.
+
+Required failure classes:
+
+- all failure matrix rows, unless a row is explicitly blocked by a governed stage record.
+
+Promotion condition:
+
+- Case may be discussed as candidate default only after comparison evidence shows it matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure.
+
+## Final Guard
+
+These staged proof gates do not implement Case and do not authorize execution. They define the minimum route for later implementation.
+
+Any future implementation must start with Stage 1 and must not skip to real-repo execution.

tools/validate_cto_child.py

@@ -22,6 +22,7 @@ REQUIRED_FILES = [
     "sot/03-PROTOCOLS/CTO-CASE-SOURCE-ADMISSION-RECORD.md",
     "sot/03-PROTOCOLS/CTO-CASE-ADAPTER-CONTRACT.md",
     "sot/03-PROTOCOLS/CTO-CASE-FAILURE-FIXTURE-MATRIX.md",
+    "sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md",
 ]
 
 REQUIRED_BRIEF_PHRASES = [
@@ -157,6 +158,30 @@ REQUIRED_FAILURE_FIXTURE_PHRASES = [
     "fail closed",
 ]
 
+REQUIRED_STAGED_PROOF_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "Default status is earned, not assumed.",
+    "Stages must be completed in order.",
+    "Missing evidence means blocked, not partially accepted.",
+    "Stage 1 - Gated Case Engine",
+    "Stage 2 - Artificial Fixture",
+    "Stage 3 - Copied Repo Fixture",
+    "Stage 4 - Disposable Sandbox Repo",
+    "Stage 5 - Owned Noncritical Repo",
+    "Stage 6 - Candidate Default",
+    "Allowed mutation scope: none.",
+    "Allowed mutation scope: copied artificial case only.",
+    "Allowed mutation scope: copied local repository fixture only.",
+    "Allowed mutation scope: disposable repository only.",
+    "Allowed mutation scope: explicitly owned low-risk repository only.",
+    "Allowed mutation scope: scoped real-repo use only.",
+    "fake, Codex, and Pi where applicable",
+    "Case matches or beats existing lanes on report shape",
+    "Case matches or beats existing lanes on failure closure",
+    "Any future implementation must start with Stage 1",
+    "must not skip to real-repo execution",
+]
+
 
 def main() -> int:
     checked: list[str] = []
@@ -244,6 +269,16 @@ def main() -> int:
             if phrase not in text:
                 errors.append(f"missing_failure_matrix_phrase:{phrase}")
 
+    staged_proof = ROOT / "sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md"
+    if staged_proof.is_file():
+        text = staged_proof.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("staged_proof_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_STAGED_PROOF_PHRASES:
+            checked.append(f"staged_proof_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_staged_proof_phrase:{phrase}")
+
     board = ROOT / "WORKBOARD.yaml"
     if board.is_file():
         text = board.read_text(encoding="utf-8")
@@ -261,6 +296,8 @@ def main() -> int:
             errors.append("workboard_missing_adapter_contract_source")
         if "CTO-CASE-FAILURE-FIXTURE-MATRIX.md" not in text:
             errors.append("workboard_missing_failure_matrix_source")
+        if "CTO-CASE-STAGED-PROOF-GATES.md" not in text:
+            errors.append("workboard_missing_staged_proof_gates_source")
 
     payload = {
         "ok": not errors,