Add first real governed workflow route

Svrnty 2026-06-01 06:30:28 -04:00
parent 0c30d27b06
commit 451f626fb6
6 changed files with 246 additions and 0 deletions


@ -0,0 +1,72 @@
---
name: cto-first-real-governed-workflow-issues
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local issue sequence for the first real governed CTO workflow delegation.
---
# CTO First Real Governed Workflow Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Issue Sequence
### CTO-WORK-048 - First Real Governed Workflow PRD
Type: AFK
Status: validated.
Blocked by: CTO-WORK-047
What to build: Define the gated route for one real governed coding workflow without executing it or changing backend default status.
Acceptance criteria:
- [x] PRD requires precise brief or issue.
- [x] PRD requires current Target Repository admission.
- [x] PRD requires JP/Hermes approval before mutation.
- [x] PRD requires Case execution through CTO Harness only.
- [x] PRD requires Harness Evidence Interface artifacts for acceptance.
- [x] PRD requires Hermes Control Surface replay paths after execution.
- [x] PRD keeps runtime default activation false.
- [x] Local CTO validator checks the PRD.
Validator: `python3 tools/validate_cto_child.py`
### CTO-WORK-049 - First Real Governed Workflow Execution
Type: HITL
Status: candidate.
Blocked by: CTO-WORK-048
What to build: Execute one bounded real coding task through CTO, Hermes approval, CTO Harness, and Case, then record evidence without activating Case as default.
Acceptance criteria:
- [ ] A concrete owned low-risk Target Repository is selected.
- [ ] Target Repository admission is current and references no secrets.
- [ ] A precise task contract exists with allowed paths, forbidden actions, success criteria, validation command, and rollback expectation.
- [ ] JP/Hermes approval is recorded before mutation.
- [ ] Case runs only through CTO Harness.
- [ ] Runtime default activation remains false.
- [ ] Harness Evidence Interface artifacts exist and pass focused validation.
- [ ] Hermes Control Surface exposes replay paths for the run.
- [ ] Operator acceptance or rejection is recorded after verification.
- [ ] Aggregate Harness health passes once before merge and once after merge.
Validator: future focused real-workflow Harness validator, then `harness/evals/health.sh --json`.
Human gate: JP must approve the concrete Target Repository and task contract before execution.
## Granularity Check
This is intentionally two slices. `CTO-WORK-048` is planning and route definition. `CTO-WORK-049` is the first real execution and remains candidate because it needs JP approval and runtime target selection.
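Review bot: The CTO-WORK-049 acceptance checklist is narrower than the PRD it is blocked on. It asks that the task contract lists allowed paths and forbidden actions, but has no item for allowed-path and forbidden-action proof after the run, none for "tests or an explicit no-test rationale", and none for the clean starting and ending tree named in the PRD's fail-closed criterion. This checklist is what gets ticked at execution time, so add those three items here rather than relying on the reader to cross-check the PRD.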


@ -0,0 +1,106 @@
---
name: cto-first-real-governed-workflow-prd
tier: local
status: validated
owner: jp
source: WORKBOARD.yaml next ROI after CTO-WORK-047
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local PRD for the first real governed workflow delegation through CTO, Hermes, Harness, and Case.
---
# CTO First Real Governed Workflow PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem Statement
The CTO product surface has proof through Stage 6 and a Hermes-facing control summary, but it has not yet proven one real governed workflow from precise brief to bounded code change using the full operator path.
The next useful proof is not another synthetic stage. It is one low-risk real task that shows Cortex governs, Hermes controls, CTO routes, Harness proves, and Case executes only after proof and approval.
## Solution
Define a first real Governed Workflow Delegation route. The route must start from a precise task contract, use an explicitly admitted owned low-risk Target Repository, require JP approval before mutation, execute only through the CTO Harness Case seam, and accept completion only from Harness Evidence Interface artifacts.
This PRD does not run the workflow. It defines the gates required before `CTO-WORK-049` may execute.
## Scope
- Define the first real governed workflow route.
- Require a precise brief, PRD or issue, architecture notes when relevant, allowed paths, forbidden actions, success criteria, validation command, and rollback expectation.
- Require Target Repository admission to be current, owned, noncritical, and low risk.
- Require Hermes/operator approval before mutation.
- Require CTO to select only an eligible backend.
- Require Case to execute only behind the CTO Harness seam.
- Require Harness Evidence Interface artifacts for acceptance.
- Require Hermes Control Surface replay paths after execution.
- Keep runtime default activation false.
## Non-Goals
- Do not activate Case as default backend.
- Do not promote CTO artifacts into Core.
- Do not execute against Cortex Core, vendor source, external developer repositories, production repositories, critical repositories, or unowned repositories.
- Do not allow push, merge, deploy, close, PR open, issue close, public publication, credential change, or infrastructure mutation.
- Do not treat model/provider availability as proof of workflow safety.
- Do not let Case choose its own target, scope, authority, approval, or success criteria.
## User Stories
1. As JP, I want one real governed coding workflow, so that the CTO product surface proves end-to-end usefulness beyond synthetic fixtures.
2. As Cortex, I want the workflow bounded by existing SOT and validator discipline, so that execution does not create authority drift.
3. As Hermes, I want approval and replay paths, so that operator control is visible before and after mutation.
4. As CTO, I want backend eligibility checked before execution, so that routing is explicit and reversible.
5. As Harness, I want all acceptance to come from standard artifacts, so that success is evidence-backed and auditable.
6. As a Target Repository owner, I want allowed-path and forbidden-action enforcement, so that the workflow cannot widen scope during execution.
## Acceptance Criteria
- `CTO-WORK-049` stays candidate until a concrete Target Repository and task contract are admitted.
- The route requires a precise brief or issue before execution.
- The route requires current Target Repository admission.
- The route requires JP/Hermes approval before mutation.
- The route requires Case execution through CTO Harness only.
- The route requires runtime default activation to remain false.
- The route requires allowed-path and forbidden-action proof.
- The route requires tests or an explicit no-test rationale before acceptance.
- The route requires Harness Evidence Interface artifacts: `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, backend logs, artifact digests, and freshness proof.
- The route requires Hermes Control Surface replay paths after execution.
- The route requires operator acceptance or rejection after verification.
- The route fails closed for missing approval, missing target admission, dirty starting tree, disallowed path, forbidden action, failed validation, provider failure, timeout, dirty ending tree, or missing operator outcome.
- Local CTO validator checks this PRD and issue artifact.
## Validation
Planning validator:
```bash
python3 tools/validate_cto_child.py
```
Execution validator for `CTO-WORK-049` is not satisfied by this PRD. It must be a future focused Harness command that proves the real workflow artifact path and then `harness/evals/health.sh --json` once before merge and once after merge.
## Risks
- Overclaiming this PRD as execution proof. Mitigation: keep `CTO-WORK-049` candidate.
- Target scope drift. Mitigation: require admission, allowed paths, and forbidden actions before mutation.
- Approval drift. Mitigation: require JP/Hermes approval before mutation and operator outcome after verification.
- Evidence drift. Mitigation: accept only Harness Evidence Interface artifacts.
- Default drift. Mitigation: runtime default activation remains false.
## Dependencies
- `CTO-WORK-043` Stage 6 candidate-default comparison is validated.
- `CTO-WORK-045` Hermes Control Surface summary is validated.
- `CTO-WORK-047` architecture brief closeout is validated.
- A concrete owned low-risk Target Repository is selected and admitted.
- A precise task contract exists.
- Runtime Case/provider configuration is available without committing secrets or endpoint values.
- JP approval is recorded before mutation.
## Success Definition
This PRD succeeds when the first real Governed Workflow Delegation route is specified as a candidate execution item with all gates explicit, no authority drift, no default activation, and no execution claim before runtime evidence exists.
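Review bot: The two lists that carry the actual restrictions, the Non-Goals bullet forbidding push, merge, deploy and credential or infrastructure mutation, and the acceptance criterion beginning "The route fails closed for missing approval", are not among the phrases `tools/validate_cto_child.py` requires for this file in this commit. Either could be weakened or deleted and the planning validator would still pass. Add both to `REQUIRED_FIRST_REAL_WORKFLOW_PRD_PHRASES`, or have the validator check those sections by heading. The artifact list also ends with "artifact digests, and freshness proof" without saying which component computes them; if that is meant to be the Harness rather than the backend being judged, say so.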


@ -32,3 +32,7 @@ _Avoid_: Target Repository, live repo, external developer source
**Hermes Control Surface**: **Hermes Control Surface**:
A Hermes-facing summary and replay surface for CTO Harness state, approval context, and evidence links. It controls visibility and interaction but does not govern. A Hermes-facing summary and replay surface for CTO Harness state, approval context, and evidence links. It controls visibility and interaction but does not govern.
_Avoid_: Core authority, runtime default switch, backend approval source _Avoid_: Core authority, runtime default switch, backend approval source
**Governed Workflow Delegation**:
A bounded real coding task routed through CTO, approved through Hermes/operator policy, executed by an eligible backend, and accepted only through CTO Harness evidence.
_Avoid_: autonomous default execution, unmanaged Case task, direct repo mutation
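Review bot: "approved through Hermes/operator policy" in the new entry reads against the Hermes Control Surface entry directly above it, which says the surface "does not govern" and lists "backend approval source" under Avoid. The PRD in this commit uses three forms for the same gate: "JP approval", "Hermes/operator approval" and "JP/Hermes approval". Name the approver once (the PRD's Dependencies say "JP approval is recorded before mutation") and describe Hermes as where the approval is recorded and replayed, so the term cannot be read as Hermes approving on its own.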


@ -56,6 +56,8 @@ This workspace is registered as a child-local planning workspace. Registration d
| |-- CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md | |-- CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md
| |-- CTO-HERMES-CONTROL-SURFACE-PRD.md | |-- CTO-HERMES-CONTROL-SURFACE-PRD.md
| |-- CTO-HERMES-CONTROL-SURFACE-ISSUES.md | |-- CTO-HERMES-CONTROL-SURFACE-ISSUES.md
| |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md
| |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
| |-- CTO-CASE-PROVIDER-ADMISSION-PRD.md | |-- CTO-CASE-PROVIDER-ADMISSION-PRD.md
| |-- CTO-CASE-PROVIDER-ADMISSION-ISSUES.md | |-- CTO-CASE-PROVIDER-ADMISSION-ISSUES.md
| |-- CTO-CASE-PROVIDER-BUILD-PRD.md | |-- CTO-CASE-PROVIDER-BUILD-PRD.md


@ -235,3 +235,13 @@ items:
status: validated status: validated
source: .sot/03-PROTOCOLS/CTO-ARCHITECTURE-BRIEF-CLOSEOUT-ISSUES.md source: .sot/03-PROTOCOLS/CTO-ARCHITECTURE-BRIEF-CLOSEOUT-ISSUES.md
owner: "" owner: ""
- id: CTO-WORK-048
title: First Real Governed Workflow PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md
owner: ""
- id: CTO-WORK-049
title: First Real Governed Workflow Execution
status: candidate
source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
owner: jp
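Review bot: The `source:` of CTO-WORK-048 points at the PRD file, while CTO-WORK-049 and the preceding context item both point at an ISSUES file, and both new ids are defined in CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md. Point CTO-WORK-048 at the ISSUES file as well, or note the convention that makes the PRD the right source for a PRD-authoring item. CTO-WORK-048 also has `owner: ""` although the PRD frontmatter names `owner: jp`; if validated items are meant to clear the owner, a comment in the workboard would make that explicit.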


@ -42,6 +42,8 @@ REQUIRED_FILES = [
".sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md", ".sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md",
".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md", ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md",
".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md", ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md",
".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md",
".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-ISSUES.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-ISSUES.md",
".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md",
@ -90,6 +92,26 @@ REQUIRED_ARCHITECTURE_CLOSEOUT_ISSUE_IDS = [
"CTO-WORK-047", "CTO-WORK-047",
] ]
REQUIRED_FIRST_REAL_WORKFLOW_PRD_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"The next useful proof is not another synthetic stage.",
"Governed Workflow Delegation",
"precise task contract",
"explicitly admitted owned low-risk Target Repository",
"JP approval before mutation",
"CTO Harness Case seam",
"Harness Evidence Interface artifacts",
"Hermes Control Surface replay paths",
"runtime default activation false",
"`CTO-WORK-049` stays candidate until a concrete Target Repository and task contract are admitted.",
"future focused Harness command",
]
REQUIRED_FIRST_REAL_WORKFLOW_ISSUE_IDS = [
"CTO-WORK-048",
"CTO-WORK-049",
]
REQUIRED_PRD_PHRASES = [ REQUIRED_PRD_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.", "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"Case Candidate Backend", "Case Candidate Backend",
@ -932,6 +954,30 @@ def main() -> int:
checked.append(f"architecture_closeout_issue_id:{issue_id}") checked.append(f"architecture_closeout_issue_id:{issue_id}")
if issue_id not in text: if issue_id not in text:
errors.append(f"missing_architecture_closeout_issue_id:{issue_id}") errors.append(f"missing_architecture_closeout_issue_id:{issue_id}")
first_real_workflow_prd = ROOT / ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md"
if first_real_workflow_prd.is_file():
text = first_real_workflow_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("first_real_workflow_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_FIRST_REAL_WORKFLOW_PRD_PHRASES:
checked.append(f"first_real_workflow_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_first_real_workflow_prd_phrase:{phrase}")
first_real_workflow_issues = ROOT / ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md"
if first_real_workflow_issues.is_file():
text = first_real_workflow_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("first_real_workflow_issues_missing_not_promoted_frontmatter")
if "Local planning SOT only. Not a Core Protocol. Not active Core authority." not in text:
errors.append("first_real_workflow_issues_missing_local_planning_notice")
if "Human gate: JP must approve the concrete Target Repository and task contract before execution." not in text:
errors.append("first_real_workflow_issues_missing_human_gate")
for issue_id in REQUIRED_FIRST_REAL_WORKFLOW_ISSUE_IDS:
checked.append(f"first_real_workflow_issue_id:{issue_id}")
if issue_id not in text:
errors.append(f"missing_first_real_workflow_issue_id:{issue_id}")
if "core_promotion_status: not-promoted" not in text: if "core_promotion_status: not-promoted" not in text:
errors.append("brief_missing_not_promoted_frontmatter") errors.append("brief_missing_not_promoted_frontmatter")
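Review bot: Both new blocks assign to `text`, and the hunk ends on the existing check `if "core_promotion_status: not-promoted" not in text:` that reports `brief_missing_not_promoted_frontmatter`. Indentation is not visible in this rendering, so confirm that check still runs against the brief's contents and not against whichever file was read last; giving the new blocks their own names (for example `prd_text` and `issues_text`) removes the question. Each block is also skipped without an error when `is_file()` is false, which is only safe because the same two paths are added to `REQUIRED_FILES` in this commit; a one-line comment saying so would help the next reader.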
@ -1444,6 +1490,10 @@ def main() -> int:
checked.append(f"workboard_id:{issue_id}") checked.append(f"workboard_id:{issue_id}")
if issue_id not in text: if issue_id not in text:
errors.append(f"missing_workboard_id:{issue_id}") errors.append(f"missing_workboard_id:{issue_id}")
for issue_id in REQUIRED_FIRST_REAL_WORKFLOW_ISSUE_IDS:
checked.append(f"workboard_id:{issue_id}")
if issue_id not in text:
errors.append(f"missing_workboard_id:{issue_id}")
for issue_id in REQUIRED_PROVIDER_ADMISSION_ISSUE_IDS: for issue_id in REQUIRED_PROVIDER_ADMISSION_ISSUE_IDS:
checked.append(f"workboard_id:{issue_id}") checked.append(f"workboard_id:{issue_id}")
if issue_id not in text: if issue_id not in text:
@ -1509,6 +1559,8 @@ def main() -> int:
"CTO-WORK-045": "validated", "CTO-WORK-045": "validated",
"CTO-WORK-046": "validated", "CTO-WORK-046": "validated",
"CTO-WORK-047": "validated", "CTO-WORK-047": "validated",
"CTO-WORK-048": "validated",
"CTO-WORK-049": "candidate",
} }
for issue_id, expected in expected_statuses.items(): for issue_id, expected in expected_statuses.items():
checked.append(f"workboard_status:{issue_id}:{expected}") checked.append(f"workboard_status:{issue_id}:{expected}")