Admit Stage 5 target sandbox repo

.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md

@@ -117,7 +117,7 @@ Done evidence: template artifact, issue reference, validator JSON, clean worktre
 
 Type: HITL
 
-Status: blocked.
+Status: validated.
 
 Blocked by: CTO-WORK-039 and explicit JP selection or approval of an owned low-risk noncritical Target Repository.
 
@@ -134,18 +134,18 @@ Acceptance criteria:
 - [x] Admission record includes all required forbidden actions.
 - [x] Admission record requires operator outcome.
 - [x] Local CTO validator checks the safe blocked record state.
-- [ ] JP supplies an owned low-risk noncritical repository path.
-- [ ] JP supplies ownership evidence.
-- [ ] JP supplies noncritical rationale.
-- [ ] JP supplies allowed paths and forbidden paths.
-- [ ] JP supplies approval source and approval timestamp.
-- [ ] Admission record is updated to `admitted` only after all required fields are present.
+- [x] JP supplies an owned low-risk noncritical repository path.
+- [x] JP supplies ownership evidence.
+- [x] JP supplies noncritical rationale.
+- [x] JP supplies allowed paths and forbidden paths.
+- [x] JP supplies approval source and approval timestamp.
+- [x] Admission record is updated to `admitted` only after all required fields are present.
 
 Allowed files: CTO child workspace planning docs and local validator only until a concrete Target Repository is approved.
 
 Validator: `python3 tools/validate_cto_child.py`
 
-Done evidence for current blocked state: admission JSON, issue reference, validator JSON, clean worktree, commit.
+Done evidence: admitted Target Repository admission JSON, dedicated sandbox repo initial commit, issue reference, validator JSON, clean worktree, commit.
 
 
 ### CTO-WORK-041 - Stage 5 Harness Target Admission Preflight
@@ -186,6 +186,15 @@ Done evidence:
 - Aggregate matrix artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T035347Z-run-all-fake-3188313/report.json`.
 - This validates Stage 5 admission preflight only. Stage 5 owned repository execution remains blocked by `CTO-WORK-040`.
 
+Validation evidence for `CTO-WORK-040`:
+
+- Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
+- Target repo owner: `jp`.
+- Target repo risk classification: `low_risk_noncritical`.
+- Allowed paths: `src/`, `tests/`, `README.md`.
+- Forbidden paths include secret, deploy, infra, workflow, dependency-lock, vendor, and `.git/` paths.
+- Admission status: `admitted`.
+
 ## Granularity Check
 
 This is intentionally two slices: one planning route and one executable harness route. Stage 5 is not over-granular because it is the first proof involving an admitted owned repository and must separate repository ownership, approval, allowed paths, verification, and operator outcome before default candidacy.

.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json

@@ -1,12 +1,12 @@
 {
-  "admission_status": "not_admitted",
-  "target_repository_path": "",
-  "repository_owner": "",
-  "ownership_evidence": "",
-  "risk_classification": "",
-  "noncritical_rationale": "",
-  "allowed_paths": [],
-  "forbidden_paths": [],
+  "admission_status": "admitted",
+  "allowed_paths": [
+    "src/",
+    "tests/",
+    "README.md"
+  ],
+  "approval_source": "JP chat approval on 2026-06-01",
+  "approval_timestamp": "2026-06-01",
   "forbidden_actions": [
     "push",
     "merge",
@@ -19,8 +19,26 @@
     "vendor_source_mutation",
     "cortex_core_mutation"
   ],
-  "approval_source": "",
-  "approval_timestamp": "",
+  "forbidden_paths": [
+    ".env",
+    ".env.*",
+    "secrets/",
+    "credentials/",
+    "deploy/",
+    "infra/",
+    ".github/workflows/",
+    "package-lock.json",
+    "pnpm-lock.yaml",
+    "yarn.lock",
+    "node_modules/",
+    "vendor/",
+    ".git/"
+  ],
+  "noncritical_rationale": "Dedicated owned Stage 5 sandbox repo, not production, no customer data, no secrets, no deploy path, no external users, safe to delete after validation.",
   "operator_outcome_required": true,
-  "review_trigger": "before Stage 5 execution, before target repository path change, before allowed path change, before forbidden action change, before risk classification change"
+  "ownership_evidence": "JP chat approval on 2026-06-01 to create this dedicated Stage 5 target sandbox under /home/svrnty/workspaces/cortex-os.",
+  "repository_owner": "jp",
+  "review_trigger": "before Stage 5 execution against any different repository, before target repository path change, before allowed path change, before forbidden action change, before risk classification change",
+  "risk_classification": "low_risk_noncritical",
+  "target_repository_path": "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox"
 }

WORKBOARD.yaml

@@ -197,9 +197,9 @@ items:
     owner: ""
   - id: CTO-WORK-040
     title: Stage 5 Target Repository Admission Record
-    status: blocked
+    status: validated
     source: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
-    owner: jp
+    owner: ""
   - id: CTO-WORK-041
     title: Stage 5 Harness Target Admission Preflight
     status: validated

tools/validate_cto_child.py

@@ -359,14 +359,14 @@ REQUIRED_STAGE5_TARGET_ADMISSION_TEMPLATE_PHRASES = [
 ]
 
 REQUIRED_STAGE5_TARGET_ADMISSION_JSON = {
-    "admission_status": "not_admitted",
-    "target_repository_path": "",
-    "repository_owner": "",
-    "ownership_evidence": "",
-    "risk_classification": "",
-    "noncritical_rationale": "",
-    "approval_source": "",
-    "approval_timestamp": "",
+    "admission_status": "admitted",
+    "target_repository_path": "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
+    "repository_owner": "jp",
+    "ownership_evidence": "JP chat approval on 2026-06-01 to create this dedicated Stage 5 target sandbox under /home/svrnty/workspaces/cortex-os.",
+    "risk_classification": "low_risk_noncritical",
+    "noncritical_rationale": "Dedicated owned Stage 5 sandbox repo, not production, no customer data, no secrets, no deploy path, no external users, safe to delete after validation.",
+    "approval_source": "JP chat approval on 2026-06-01",
+    "approval_timestamp": "2026-06-01",
     "operator_outcome_required": True,
 }
 
@@ -1080,8 +1080,12 @@ def main() -> int:
                 checked.append(f"stage5_target_admission_forbidden_action:{action}")
                 if action not in forbidden_actions:
                     errors.append(f"stage5_target_admission_missing_forbidden_action:{action}")
-        if payload.get("allowed_paths") != []:
-            errors.append("stage5_target_admission_allowed_paths_must_be_empty_while_not_admitted")
+        allowed_paths = payload.get("allowed_paths")
+        if not isinstance(allowed_paths, list) or allowed_paths != ["src/", "tests/", "README.md"]:
+            errors.append(f"stage5_target_admission_allowed_paths_mismatch:actual_{allowed_paths}")
+        forbidden_paths = payload.get("forbidden_paths")
+        if not isinstance(forbidden_paths, list) or ".git/" not in forbidden_paths or "secrets/" not in forbidden_paths or "deploy/" not in forbidden_paths:
+            errors.append("stage5_target_admission_forbidden_paths_incomplete")
         if not isinstance(payload.get("review_trigger"), str) or not payload.get("review_trigger"):
             errors.append("stage5_target_admission_missing_review_trigger")
         for key in payload:
@@ -1348,7 +1352,7 @@ def main() -> int:
             "CTO-WORK-037": "validated",
             "CTO-WORK-038": "blocked",
             "CTO-WORK-039": "validated",
-            "CTO-WORK-040": "blocked",
+            "CTO-WORK-040": "validated",
             "CTO-WORK-041": "validated",
         }
         for issue_id, expected in expected_statuses.items():