Record governed execution approval

.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md

@@ -0,0 +1,78 @@
+---
+name: CTO Governed Execution Approval Issues
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Approval Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue: CTO-WORK-068 - Governed Execution Approval PRD
+
+Status: validated.
+
+Acceptance:
+
+- Define governed execution approval as a single-task approval capture.
+- Preserve the exact approval packet.
+- Record `approval_granted: true`.
+- Record `execution_allowed: true`.
+- Record `execution_scope: one approved Harness run only`.
+- Preserve the admitted target repository.
+- Preserve allowed paths.
+- Preserve the Harness command.
+- State: Runtime default activation remains false.
+- State: Do not activate Case as default backend.
+- State: Do not mutate any path outside the allowed paths.
+- State: Do not edit upstream `hermes-agent`.
+- State: Do not edit upstream `hermes-webui`.
+- State: This record is not execution evidence.
+
+## Issue: CTO-WORK-069 - Governed Execution Approval Record
+
+Status: validated.
+
+Acceptance:
+
+- Create the governed execution approval record.
+- Include the exact approval packet.
+- Include `approval_granted: true`.
+- Include `execution_allowed: true`.
+- Include `execution_scope: one approved Harness run only`.
+- Include `approval_source: JP chat approval`.
+- Include the admitted target repository.
+- Include allowed paths.
+- Include the Harness command.
+- State: Runtime default activation remains false.
+- State: Do not activate Case as default backend.
+- State: Do not mutate any path outside the allowed paths.
+- State: Do not edit upstream `hermes-agent`.
+- State: Do not edit upstream `hermes-webui`.
+- State: This record is not execution evidence.
+
+## Exact Approval Packet
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+- governed execution approval
+- single-task approval capture
+- exact approval packet
+- approval_granted: true
+- execution_allowed: true
+- execution_scope: one approved Harness run only
+- admitted target repository
+- allowed paths
+- Harness command
+- Runtime default activation remains false.
+- Do not activate Case as default backend.
+- Do not mutate any path outside the allowed paths.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- This record is not execution evidence.

.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md

@@ -0,0 +1,85 @@
+---
+name: CTO Governed Execution Approval PRD
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Approval PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem Statement
+
+The governed execution request records the exact target, paths, and command, but it intentionally keeps approval closed. The CTO stack needs a governed execution approval record before the next Harness run can mutate an owned Target Repository.
+
+## Solution
+
+Create a single-task approval capture for the exact approval packet already issued by JP. This governed execution approval permits one approved Harness run only and does not make Case a default backend.
+
+## Scope
+
+- Record the exact approval packet.
+- Record `approval_granted: true`.
+- Record `execution_allowed: true`.
+- Record `execution_scope: one approved Harness run only`.
+- Preserve the admitted target repository.
+- Preserve the allowed paths.
+- Preserve the Harness command.
+- Preserve that this record is not execution evidence.
+
+## Non-goals
+
+- Do not execute Case in this approval-capture slice.
+- Do not activate Case as default backend.
+- Do not mutate any path outside the allowed paths.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- Do not promote this local record into Core authority.
+
+## Acceptance Criteria
+
+- `WORKBOARD.yaml` records `CTO-WORK-068` and `CTO-WORK-069` as validated.
+- The governed execution approval includes the exact approval packet.
+- The governed execution approval includes `approval_granted: true`.
+- The governed execution approval includes `execution_allowed: true`.
+- Runtime default activation remains false.
+- The next execution is constrained to one approved Harness run only.
+
+## Validation
+
+- `python3 tools/validate_cto_child.py`
+- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
+
+## Risks
+
+The main risk is approval scope creep. The record prevents that by making the approval single-task, path-bound, and Harness-bound. This record is not execution evidence.
+
+## Success Definition
+
+CTO has a durable approval capture that can unlock the next real Harness execution slice without changing Core authority, runtime default state, or upstream vendor source.
+
+## Required Approval Packet
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+- governed execution approval
+- single-task approval capture
+- exact approval packet
+- approval_granted: true
+- execution_allowed: true
+- execution_scope: one approved Harness run only
+- admitted target repository
+- allowed paths
+- Harness command
+- Runtime default activation remains false.
+- Do not activate Case as default backend.
+- Do not mutate any path outside the allowed paths.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- This record is not execution evidence.

.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md

@@ -0,0 +1,61 @@
+---
+name: CTO Governed Execution Approval Record
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Approval Record
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Workboard
+
+- `CTO-WORK-069`
+
+## Approval State
+
+- governed execution approval
+- single-task approval capture
+- approval_source: JP chat approval
+- approval_granted: true
+- execution_allowed: true
+- execution_scope: one approved Harness run only
+- Runtime default activation remains false.
+- This record is not execution evidence.
+
+## Exact Approval Packet
+
+- exact approval packet
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+## Admitted Target Repository
+
+- admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
+
+## Allowed Paths
+
+- allowed paths: `src/strings.py`
+- allowed paths: `test_strings.py`
+
+## Harness Command
+
+- Harness command: `python3 -m pytest -q`
+
+## Guardrails
+
+- Do not activate Case as default backend.
+- Do not mutate any path outside the allowed paths.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- This record is not execution evidence.
+
+## Next Allowed Action
+
+The next allowed action is one approved Harness run against the admitted target repository for the approved `src/strings.py` slugify alignment task.

WORKBOARD.yaml

@@ -336,3 +336,13 @@ items:
     status: validated
     source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
     owner: ""
+  - id: CTO-WORK-068
+    title: Governed Execution Approval PRD
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md
+    owner: ""
+  - id: CTO-WORK-069
+    title: Governed Execution Approval Record
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md
+    owner: jp

tools/validate_cto_child.py

@@ -63,6 +63,9 @@ REQUIRED_FILES = [
     ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md",
     ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
@@ -298,6 +301,26 @@ REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES = [
     "JP approval is still required before execution.",
 ]
 
+REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "governed execution approval",
+    "single-task approval capture",
+    "exact approval packet",
+    "I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.",
+    "approval_granted: true",
+    "execution_allowed: true",
+    "execution_scope: one approved Harness run only",
+    "admitted target repository",
+    "allowed paths",
+    "Harness command",
+    "Runtime default activation remains false.",
+    "Do not activate Case as default backend.",
+    "Do not mutate any path outside the allowed paths.",
+    "Do not edit upstream `hermes-agent`.",
+    "Do not edit upstream `hermes-webui`.",
+    "This record is not execution evidence.",
+]
+
 REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_EVIDENCE_PHRASES = [
     "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
     "CTO-WORK-057",
@@ -1448,6 +1471,44 @@ def main() -> int:
             if phrase not in text:
                 errors.append(f"missing_governed_execution_request_record_phrase:{phrase}")
 
+    governed_execution_approval_prd = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md"
+    if governed_execution_approval_prd.is_file():
+        text = governed_execution_approval_prd.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_approval_prd_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES:
+            checked.append(f"governed_execution_approval_prd_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_approval_prd_phrase:{phrase}")
+
+    governed_execution_approval_issues = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md"
+    if governed_execution_approval_issues.is_file():
+        text = governed_execution_approval_issues.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_approval_issues_missing_not_promoted_frontmatter")
+        for phrase in ["CTO-WORK-068", "CTO-WORK-069", *REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES]:
+            checked.append(f"governed_execution_approval_issue_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_approval_issue_phrase:{phrase}")
+
+    governed_execution_approval_record = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md"
+    if governed_execution_approval_record.is_file():
+        text = governed_execution_approval_record.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_approval_record_missing_not_promoted_frontmatter")
+        for phrase in [
+            "CTO-WORK-069",
+            "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
+            "src/strings.py",
+            "test_strings.py",
+            "python3 -m pytest -q",
+            "approval_source: JP chat approval",
+            *REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES,
+        ]:
+            checked.append(f"governed_execution_approval_record_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_approval_record_phrase:{phrase}")
+
     hermes_real_refresh_control_replay_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md"
     if hermes_real_refresh_control_replay_evidence.is_file():
         text = hermes_real_refresh_control_replay_evidence.read_text(encoding="utf-8")
@@ -2066,6 +2127,8 @@ def main() -> int:
             "CTO-WORK-065": "validated",
             "CTO-WORK-066": "validated",
             "CTO-WORK-067": "validated",
+            "CTO-WORK-068": "validated",
+            "CTO-WORK-069": "validated",
         }
         for issue_id, expected in expected_statuses.items():
             checked.append(f"workboard_status:{issue_id}:{expected}")