From 314579f91c76b2ecb1826f975ccdae400e9b6f12 Mon Sep 17 00:00:00 2001 From: Svrnty Date: Mon, 1 Jun 2026 08:08:17 -0400 Subject: [PATCH] Record Hermes consumed approval evidence --- ...MES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md | 67 ++++++++++++++ ...ERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md | 75 ++++++++++++++++ ...O-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md | 87 +++++++++++++++++++ WORKBOARD.yaml | 10 +++ tools/validate_cto_child.py | 71 +++++++++++++++ 5 files changed, 310 insertions(+) create mode 100644 .sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md create mode 100644 .sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md create mode 100644 .sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md diff --git a/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md b/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md new file mode 100644 index 0000000..fd6c969 --- /dev/null +++ b/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md @@ -0,0 +1,67 @@ +--- +name: CTO Hermes Consumed Approval Evidence Closeout +status: validated +lifecycle_classification: sot +owner: jp +created: 2026-06-01 +last_reviewed: 2026-06-01 +core_promotion_status: not-promoted +--- + +# CTO Hermes Consumed Approval Evidence Closeout + +Local planning SOT only. Not a Core Protocol. Not active Core authority. + +## Workboard + +- `CTO-WORK-073` + +## Result + +- Hermes consumed approval evidence +- status: validated +- CTO-WORK-072 +- CTO-WORK-073 +- governed_execution +- approval_consumed +- consumed_by_pass_evidence +- approval_required: true +- approval_granted: true +- execution_allowed: false +- Case runtime default active: false +- target repository mutation: false +- Runtime default activation remains false. +- Do not activate Case as default backend. +- This closeout does not authorize another Case run. + +## Hermes Plugin Evidence + +- plugin commit: `6f694b4 feat(plugin): surface consumed CTO approval evidence` +- route: `/api/cto/control-summary` +- backend file: `routes/cto_control_summary.py` +- panel file: `cto_control_panel.js` +- schema_version: `0.2.0` +- approval packet status: `consumed_by_pass_evidence` +- Stage 5 pass replay path +- Stage 5 proof replay path +- consumed pass path shown: true +- consumed proof path shown: true + +## Validation Evidence + +- command: `python3 -m pytest tests/ -q` +- result: `108 passed` +- command: `python3 scripts/ast-connection-map.py --check` +- result: `CONNECTION-MAP.md is fresh` + +## Boundary Evidence + +- upstream `hermes-webui` edited: false +- upstream `hermes-agent` edited: false +- plugin-only change: true +- Harness-backed summary data remains the source of truth. +- Hermes visualizes control state; CTO and Harness remain the gates. + +## Scope Guard + +This closeout records a UI/control-surface reflection of already-consumed approval evidence. It is not a new approval and does not authorize another Case run. diff --git a/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md b/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md new file mode 100644 index 0000000..bb92f24 --- /dev/null +++ b/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md @@ -0,0 +1,75 @@ +--- +name: CTO Hermes Consumed Approval Evidence Issues +status: validated +lifecycle_classification: sot +owner: jp +created: 2026-06-01 +last_reviewed: 2026-06-01 +core_promotion_status: not-promoted +--- + +# CTO Hermes Consumed Approval Evidence Issues + +Local planning SOT only. Not a Core Protocol. Not active Core authority. + +## Issue: CTO-WORK-072 - Hermes Consumed Approval Evidence PRD + +Status: validated. + +Acceptance: + +- Define Hermes consumed approval evidence. +- Record `governed_execution`. +- Record `approval_consumed`. +- Record `consumed_by_pass_evidence`. +- Require execution_allowed: false after approval consumption. +- Preserve Case runtime default active: false. +- Preserve target repository mutation: false. +- State: Do not activate Case as default backend. +- State: This closeout does not authorize another Case run. + +## Issue: CTO-WORK-073 - Hermes Consumed Approval Evidence Closeout + +Status: validated. + +Acceptance: + +- Record Hermes consumed approval evidence. +- Reference `6f694b4 feat(plugin): surface consumed CTO approval evidence`. +- Reference `/api/cto/control-summary`. +- Reference `cto_control_panel.js`. +- Reference `routes/cto_control_summary.py`. +- Record `python3 -m pytest tests/ -q`. +- Record `108 passed`. +- Record `python3 scripts/ast-connection-map.py --check`. +- Record `CONNECTION-MAP.md is fresh`. +- Record upstream `hermes-webui` edited: false. +- Record upstream `hermes-agent` edited: false. + +## Required Phrases + +- Hermes consumed approval evidence +- CTO-WORK-072 +- CTO-WORK-073 +- 6f694b4 feat(plugin): surface consumed CTO approval evidence +- /api/cto/control-summary +- governed_execution +- approval_consumed +- consumed_by_pass_evidence +- execution_allowed: false +- approval_granted: true +- approval_required: true +- Stage 5 pass replay path +- Stage 5 proof replay path +- cto_control_panel.js +- routes/cto_control_summary.py +- python3 -m pytest tests/ -q +- 108 passed +- python3 scripts/ast-connection-map.py --check +- CONNECTION-MAP.md is fresh +- Case runtime default active: false +- target repository mutation: false +- upstream `hermes-webui` edited: false +- upstream `hermes-agent` edited: false +- Do not activate Case as default backend. +- This closeout does not authorize another Case run. diff --git a/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md b/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md new file mode 100644 index 0000000..d57b919 --- /dev/null +++ b/.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md @@ -0,0 +1,87 @@ +--- +name: CTO Hermes Consumed Approval Evidence PRD +status: validated +lifecycle_classification: sot +owner: jp +created: 2026-06-01 +last_reviewed: 2026-06-01 +core_promotion_status: not-promoted +--- + +# CTO Hermes Consumed Approval Evidence PRD + +Local planning SOT only. Not a Core Protocol. Not active Core authority. + +## Problem Statement + +Hermes already exposes approval state and approval packet data, and the approved Stage 5 Case run already has pass evidence. The WebUI needs to show that this approval is consumed, not still available for rerun. + +## Solution + +Record the Hermes plugin closeout for consumed approval evidence. The `/api/cto/control-summary` route now exposes `governed_execution`, `approval_consumed`, and `consumed_by_pass_evidence`. The CTO panel shows consumed pass and consumed proof paths. + +## Scope + +- Record Hermes plugin commit `6f694b4 feat(plugin): surface consumed CTO approval evidence`. +- Record the governed execution consumed approval state. +- Record that execution_allowed remains false after consumption. +- Record Stage 5 pass and Stage 5 proof replay paths. +- Record that Case runtime default active remains false. +- Record that target repository mutation remains false. +- Record that upstream `hermes-webui` edited: false. +- Record that upstream `hermes-agent` edited: false. + +## Non-goals + +- Do not rerun Case. +- Do not create a new JP approval. +- Do not activate Case as default backend. +- Do not mutate target repositories. +- Do not edit upstream `hermes-webui`. +- Do not edit upstream `hermes-agent`. + +## Acceptance Criteria + +- `WORKBOARD.yaml` records `CTO-WORK-072` and `CTO-WORK-073` as validated. +- The PRD records `governed_execution`. +- The PRD records `approval_consumed`. +- The PRD records `consumed_by_pass_evidence`. +- The closeout references plugin commit `6f694b4 feat(plugin): surface consumed CTO approval evidence`. +- The closeout records `/api/cto/control-summary`. +- The closeout records `cto_control_panel.js`. +- The closeout records `routes/cto_control_summary.py`. +- The closeout records `python3 -m pytest tests/ -q` and `108 passed`. +- The closeout records `python3 scripts/ast-connection-map.py --check` and `CONNECTION-MAP.md is fresh`. + +## Validation + +- `python3 tools/validate_cto_child.py` +- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py` + +## Required Evidence + +- Hermes consumed approval evidence +- CTO-WORK-072 +- CTO-WORK-073 +- 6f694b4 feat(plugin): surface consumed CTO approval evidence +- /api/cto/control-summary +- governed_execution +- approval_consumed +- consumed_by_pass_evidence +- execution_allowed: false +- approval_granted: true +- approval_required: true +- Stage 5 pass replay path +- Stage 5 proof replay path +- cto_control_panel.js +- routes/cto_control_summary.py +- python3 -m pytest tests/ -q +- 108 passed +- python3 scripts/ast-connection-map.py --check +- CONNECTION-MAP.md is fresh +- Case runtime default active: false +- target repository mutation: false +- upstream `hermes-webui` edited: false +- upstream `hermes-agent` edited: false +- Do not activate Case as default backend. +- This closeout does not authorize another Case run. diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml index 9ad0685..336adde 100644 --- a/WORKBOARD.yaml +++ b/WORKBOARD.yaml @@ -356,3 +356,13 @@ items: status: validated source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md owner: "" + - id: CTO-WORK-072 + title: Hermes Consumed Approval Evidence PRD + status: validated + source: .sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md + owner: "" + - id: CTO-WORK-073 + title: Hermes Consumed Approval Evidence Closeout + status: validated + source: .sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md + owner: "" diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py index 0c5e831..d37f677 100644 --- a/tools/validate_cto_child.py +++ b/tools/validate_cto_child.py @@ -69,6 +69,9 @@ REQUIRED_FILES = [ ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md", ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-ISSUES.md", ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md", + ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md", + ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md", + ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md", @@ -348,6 +351,35 @@ REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES = [ "This closeout does not authorize another Case run.", ] +REQUIRED_HERMES_CONSUMED_APPROVAL_EVIDENCE_PHRASES = [ + "Local planning SOT only. Not a Core Protocol. Not active Core authority.", + "Hermes consumed approval evidence", + "CTO-WORK-072", + "CTO-WORK-073", + "6f694b4 feat(plugin): surface consumed CTO approval evidence", + "/api/cto/control-summary", + "governed_execution", + "approval_consumed", + "consumed_by_pass_evidence", + "execution_allowed: false", + "approval_granted: true", + "approval_required: true", + "Stage 5 pass replay path", + "Stage 5 proof replay path", + "cto_control_panel.js", + "routes/cto_control_summary.py", + "python3 -m pytest tests/ -q", + "108 passed", + "python3 scripts/ast-connection-map.py --check", + "CONNECTION-MAP.md is fresh", + "Case runtime default active: false", + "target repository mutation: false", + "upstream `hermes-webui` edited: false", + "upstream `hermes-agent` edited: false", + "Do not activate Case as default backend.", + "This closeout does not authorize another Case run.", +] + REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_EVIDENCE_PHRASES = [ "Local planning SOT only. Not a Core Protocol. Not active Core authority.", "CTO-WORK-057", @@ -1571,6 +1603,43 @@ def main() -> int: if phrase not in text: errors.append(f"missing_governed_execution_evidence_closeout_phrase:{phrase}") + hermes_consumed_approval_prd = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md" + if hermes_consumed_approval_prd.is_file(): + text = hermes_consumed_approval_prd.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("hermes_consumed_approval_prd_missing_not_promoted_frontmatter") + for phrase in REQUIRED_HERMES_CONSUMED_APPROVAL_EVIDENCE_PHRASES: + checked.append(f"hermes_consumed_approval_prd_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_hermes_consumed_approval_prd_phrase:{phrase}") + + hermes_consumed_approval_issues = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md" + if hermes_consumed_approval_issues.is_file(): + text = hermes_consumed_approval_issues.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("hermes_consumed_approval_issues_missing_not_promoted_frontmatter") + for phrase in REQUIRED_HERMES_CONSUMED_APPROVAL_EVIDENCE_PHRASES: + checked.append(f"hermes_consumed_approval_issue_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_hermes_consumed_approval_issue_phrase:{phrase}") + + hermes_consumed_approval_closeout = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md" + if hermes_consumed_approval_closeout.is_file(): + text = hermes_consumed_approval_closeout.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("hermes_consumed_approval_closeout_missing_not_promoted_frontmatter") + for phrase in [ + "status: validated", + "schema_version: `0.2.0`", + "plugin-only change: true", + "Harness-backed summary data remains the source of truth.", + "Hermes visualizes control state; CTO and Harness remain the gates.", + *REQUIRED_HERMES_CONSUMED_APPROVAL_EVIDENCE_PHRASES, + ]: + checked.append(f"hermes_consumed_approval_closeout_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_hermes_consumed_approval_closeout_phrase:{phrase}") + hermes_real_refresh_control_replay_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md" if hermes_real_refresh_control_replay_evidence.is_file(): text = hermes_real_refresh_control_replay_evidence.read_text(encoding="utf-8") @@ -2193,6 +2262,8 @@ def main() -> int: "CTO-WORK-069": "validated", "CTO-WORK-070": "validated", "CTO-WORK-071": "validated", + "CTO-WORK-072": "validated", + "CTO-WORK-073": "validated", } for issue_id, expected in expected_statuses.items(): checked.append(f"workboard_status:{issue_id}:{expected}")