From 30b488e1b9ca9fbfbda3f3a2ce07c468afcbfe49 Mon Sep 17 00:00:00 2001
From: Svrnty
Date: Mon, 1 Jun 2026 07:55:25 -0400
Subject: [PATCH] Record governed execution approval
---
.../CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md | 78 +++++++++++++++++
.../CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md | 85 +++++++++++++++++++
.../CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md | 61 +++++++++++++
WORKBOARD.yaml | 10 +++
tools/validate_cto_child.py | 63 ++++++++++++++
5 files changed, 297 insertions(+)
create mode 100644 .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md
create mode 100644 .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md
create mode 100644 .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md
diff --git a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md
new file mode 100644
index 0000000..3b5df63
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md
@@ -0,0 +1,78 @@
+---
+name: CTO Governed Execution Approval Issues
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Approval Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue: CTO-WORK-068 - Governed Execution Approval PRD
+
+Status: validated.
+
+Acceptance:
+
+- Define governed execution approval as a single-task approval capture.
+- Preserve the exact approval packet.
+- Record `approval_granted: true`.
+- Record `execution_allowed: true`.
+- Record `execution_scope: one approved Harness run only`.
+- Preserve the admitted target repository.
+- Preserve allowed paths.
+- Preserve the Harness command.
+- State: Runtime default activation remains false.
+- State: Do not activate Case as default backend.
+- State: Do not mutate any path outside the allowed paths.
+- State: Do not edit upstream `hermes-agent`.
+- State: Do not edit upstream `hermes-webui`.
+- State: This record is not execution evidence.
+
+## Issue: CTO-WORK-069 - Governed Execution Approval Record
+
+Status: validated.
+
+Acceptance:
+
+- Create the governed execution approval record.
+- Include the exact approval packet.
+- Include `approval_granted: true`.
+- Include `execution_allowed: true`.
+- Include `execution_scope: one approved Harness run only`.
+- Include `approval_source: JP chat approval`.
+- Include the admitted target repository.
+- Include allowed paths.
+- Include the Harness command.
+- State: Runtime default activation remains false.
+- State: Do not activate Case as default backend.
+- State: Do not mutate any path outside the allowed paths.
+- State: Do not edit upstream `hermes-agent`.
+- State: Do not edit upstream `hermes-webui`.
+- State: This record is not execution evidence.
+
+## Exact Approval Packet
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+- governed execution approval
+- single-task approval capture
+- exact approval packet
+- approval_granted: true
+- execution_allowed: true
+- execution_scope: one approved Harness run only
+- admitted target repository
+- allowed paths
+- Harness command
+- Runtime default activation remains false.
+- Do not activate Case as default backend.
+- Do not mutate any path outside the allowed paths.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- This record is not execution evidence.
diff --git a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md
new file mode 100644
index 0000000..517a856
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md
@@ -0,0 +1,85 @@
+---
+name: CTO Governed Execution Approval PRD
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Approval PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem Statement
+
+The governed execution request records the exact target, paths, and command, but it intentionally keeps approval closed. The CTO stack needs a governed execution approval record before the next Harness run can mutate an owned Target Repository.
+
+## Solution
+
+Create a single-task approval capture for the exact approval packet already issued by JP. This governed execution approval permits one approved Harness run only and does not make Case a default backend.
+
+## Scope
+
+- Record the exact approval packet.
+- Record `approval_granted: true`.
+- Record `execution_allowed: true`.
+- Record `execution_scope: one approved Harness run only`.
+- Preserve the admitted target repository.
+- Preserve the allowed paths.
+- Preserve the Harness command.
+- Preserve that this record is not execution evidence.
+
+## Non-goals
+
+- Do not execute Case in this approval-capture slice.
+- Do not activate Case as default backend.
+- Do not mutate any path outside the allowed paths.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- Do not promote this local record into Core authority.
+
+## Acceptance Criteria
+
+- `WORKBOARD.yaml` records `CTO-WORK-068` and `CTO-WORK-069` as validated.
+- The governed execution approval includes the exact approval packet.
+- The governed execution approval includes `approval_granted: true`.
+- The governed execution approval includes `execution_allowed: true`.
+- Runtime default activation remains false.
+- The next execution is constrained to one approved Harness run only.
+
+## Validation
+
+- `python3 tools/validate_cto_child.py`
+- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
+
+## Risks
+
+The main risk is approval scope creep. The record prevents that by making the approval single-task, path-bound, and Harness-bound. This record is not execution evidence.
+
+## Success Definition
+
+CTO has a durable approval capture that can unlock the next real Harness execution slice without changing Core authority, runtime default state, or upstream vendor source.
+
+## Required Approval Packet
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+- governed execution approval
+- single-task approval capture
+- exact approval packet
+- approval_granted: true
+- execution_allowed: true
+- execution_scope: one approved Harness run only
+- admitted target repository
+- allowed paths
+- Harness command
+- Runtime default activation remains false.
+- Do not activate Case as default backend.
+- Do not mutate any path outside the allowed paths.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- This record is not execution evidence.
diff --git a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md
new file mode 100644
index 0000000..564d7ce
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md
@@ -0,0 +1,61 @@
+---
+name: CTO Governed Execution Approval Record
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Approval Record
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Workboard
+
+- `CTO-WORK-069`
+
+## Approval State
+
+- governed execution approval
+- single-task approval capture
+- approval_source: JP chat approval
+- approval_granted: true
+- execution_allowed: true
+- execution_scope: one approved Harness run only
+- Runtime default activation remains false.
+- This record is not execution evidence.
+
+## Exact Approval Packet
+
+- exact approval packet
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+## Admitted Target Repository
+
+- admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
+
+## Allowed Paths
+
+- allowed paths: `src/strings.py`
+- allowed paths: `test_strings.py`
+
+## Harness Command
+
+- Harness command: `python3 -m pytest -q`
+
+## Guardrails
+
+- Do not activate Case as default backend.
+- Do not mutate any path outside the allowed paths.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- This record is not execution evidence.
+
+## Next Allowed Action
+
+The next allowed action is one approved Harness run against the admitted target repository for the approved `src/strings.py` slugify alignment task.
diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml
index 87c4db4..8c2023a 100644
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@@ -336,3 +336,13 @@ items: status: validated source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md owner: "" + - id: CTO-WORK-068 + title: Governed Execution Approval PRD + status: validated + source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md + owner: "" + - id: CTO-WORK-069 + title: Governed Execution Approval Record + status: validated + source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md + owner: jp diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py index 7fa5352..2b54ad1 100644 --- a/tools/validate_cto_child.py +++ b/tools/validate_cto_child.py @@ -63,6 +63,9 @@ REQUIRED_FILES = [ ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md", ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md", ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md", + ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md", + ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md", + ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md", 
@@ -298,6 +301,26 @@ REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES = [ "JP approval is still required before execution.", ] +REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES = [ + "Local planning SOT only. Not a Core Protocol. Not active Core authority.", + "governed execution approval", + "single-task approval capture", + "exact approval packet", + "I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.", + "approval_granted: true", + "execution_allowed: true", + "execution_scope: one approved Harness run only", + "admitted target repository", + "allowed paths", + "Harness command", + "Runtime default activation remains false.", + "Do not activate Case as default backend.", + "Do not mutate any path outside the allowed paths.", + "Do not edit upstream `hermes-agent`.", + "Do not edit upstream `hermes-webui`.", + "This record is not execution evidence.", +] + REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_EVIDENCE_PHRASES = [ "Local planning SOT only. Not a Core Protocol. Not active Core authority.", "CTO-WORK-057", 
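Review bot: The state entries `approval_granted: true`, `execution_allowed: true` and `execution_scope: one approved Harness run only` are only ever tested with `phrase not in text` (see the loops added in main()), so they pass equally for the PRD and ISSUES files, which merely describe the fields, and for a record that also carried a contradicting `approval_granted: false` line. For the record file, compare whole lines instead, e.g. `if "- approval_granted: true" not in text.splitlines():`, and reject the negated value. At minimum add a comment above the list: `# Presence-only substring checks; they do not prove the record asserts these values.` The label-only entries `allowed paths` and `Harness command` have the same limitation.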
@@ -1448,6 +1471,44 @@ def main() -> int: if phrase not in text: errors.append(f"missing_governed_execution_request_record_phrase:{phrase}") + governed_execution_approval_prd = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md" + if governed_execution_approval_prd.is_file(): + text = governed_execution_approval_prd.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("governed_execution_approval_prd_missing_not_promoted_frontmatter") + for phrase in REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES: + checked.append(f"governed_execution_approval_prd_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_governed_execution_approval_prd_phrase:{phrase}") + + governed_execution_approval_issues = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md" + if governed_execution_approval_issues.is_file(): + text = governed_execution_approval_issues.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("governed_execution_approval_issues_missing_not_promoted_frontmatter") + for phrase in ["CTO-WORK-068", "CTO-WORK-069", *REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES]: + checked.append(f"governed_execution_approval_issue_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_governed_execution_approval_issue_phrase:{phrase}") + + governed_execution_approval_record = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md" + if governed_execution_approval_record.is_file(): + text = governed_execution_approval_record.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("governed_execution_approval_record_missing_not_promoted_frontmatter") + for phrase in [ + "CTO-WORK-069", + "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox", + "src/strings.py", + "test_strings.py", + "python3 -m pytest -q", + "approval_source: JP chat approval", + 
*REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES, + ]: + checked.append(f"governed_execution_approval_record_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_governed_execution_approval_record_phrase:{phrase}") + hermes_real_refresh_control_replay_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md" if hermes_real_refresh_control_replay_evidence.is_file(): text = hermes_real_refresh_control_replay_evidence.read_text(encoding="utf-8") @@ -2066,6 +2127,8 @@ def main() -> int: "CTO-WORK-065": "validated", "CTO-WORK-066": "validated", "CTO-WORK-067": "validated", + "CTO-WORK-068": "validated", + "CTO-WORK-069": "validated", } for issue_id, expected in expected_statuses.items(): checked.append(f"workboard_status:{issue_id}:{expected}")
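Review bot: In the record block, the checks for `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox` and `src/strings.py` cannot fail independently, because both strings are substrings of the approval-packet sentence already in REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES; a record whose "Admitted Target Repository" line or `src/strings.py` allowed-path line was deleted would still pass. Match the labelled lines instead, for example ``"allowed paths: `src/strings.py`"`` and ``"admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`"``. The block also requires `test_strings.py`, which the packet sentence does not name; if that path is meant to be in scope, a short comment stating why would help the next reader. All three new blocks are skipped silently when `is_file()` is false, which presumably relies on the REQUIRED_FILES check elsewhere in main(); main() starts and ends outside this hunk.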