From 51546ccbf509628d4962d8749eaef331db6bdd77 Mon Sep 17 00:00:00 2001
From: Svrnty
Date: Mon, 1 Jun 2026 05:52:55 -0400
Subject: [PATCH] Admit Stage 5 target sandbox repo
---
 ...SE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md | 25 ++++++++----
 ...SE-STAGE5-TARGET-REPOSITORY-ADMISSION.json | 40 ++++++++++++++-----
 WORKBOARD.yaml | 4 +-
 tools/validate_cto_child.py | 26 +++++++-----
 4 files changed, 63 insertions(+), 32 deletions(-)
diff --git a/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md b/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md
index 168bde8..7e673f2 100644
--- a/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md
@@ -117,7 +117,7 @@ Done evidence: template artifact, issue reference, validator JSON, clean worktre
 Type: HITL
-Status: blocked.
+Status: validated.
 Blocked by: CTO-WORK-039 and explicit JP selection or approval of an owned low-risk noncritical Target Repository.
@@ -134,18 +134,18 @@ Acceptance criteria:
 - [x] Admission record includes all required forbidden actions.
 - [x] Admission record requires operator outcome.
 - [x] Local CTO validator checks the safe blocked record state.
-- [ ] JP supplies an owned low-risk noncritical repository path.
-- [ ] JP supplies ownership evidence.
-- [ ] JP supplies noncritical rationale.
-- [ ] JP supplies allowed paths and forbidden paths.
-- [ ] JP supplies approval source and approval timestamp.
-- [ ] Admission record is updated to `admitted` only after all required fields are present.
+- [x] JP supplies an owned low-risk noncritical repository path.
+- [x] JP supplies ownership evidence.
+- [x] JP supplies noncritical rationale.
+- [x] JP supplies allowed paths and forbidden paths.
+- [x] JP supplies approval source and approval timestamp.
+- [x] Admission record is updated to `admitted` only after all required fields are present.
 Allowed files: CTO child workspace planning docs and local validator only until a concrete Target Repository is approved.
 Validator: `python3 tools/validate_cto_child.py`
-Done evidence for current blocked state: admission JSON, issue reference, validator JSON, clean worktree, commit.
+Done evidence: admitted Target Repository admission JSON, dedicated sandbox repo initial commit, issue reference, validator JSON, clean worktree, commit.
 ### CTO-WORK-041 - Stage 5 Harness Target Admission Preflight
@@ -186,6 +186,15 @@ Done evidence:
 - Aggregate matrix artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T035347Z-run-all-fake-3188313/report.json`.
 - This validates Stage 5 admission preflight only. Stage 5 owned repository execution remains blocked by `CTO-WORK-040`.
+Validation evidence for `CTO-WORK-040`:
+
+- Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
+- Target repo owner: `jp`.
+- Target repo risk classification: `low_risk_noncritical`.
+- Allowed paths: `src/`, `tests/`, `README.md`.
+- Forbidden paths include secret, deploy, infra, workflow, dependency-lock, vendor, and `.git/` paths.
+- Admission status: `admitted`.
+
 ## Granularity Check
 This is intentionally two slices: one planning route and one executable harness route. Stage 5 is not over-granular because it is the first proof involving an admitted owned repository and must separate repository ownership, approval, allowed paths, verification, and operator outcome before default candidacy.
diff --git a/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json b/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
index a346c74..aff49c8 100644
--- a/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
+++ b/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
@@ -1,12 +1,12 @@
 {
- "admission_status": "not_admitted",
- "target_repository_path": "",
- "repository_owner": "",
- "ownership_evidence": "",
- "risk_classification": "",
- "noncritical_rationale": "",
- "allowed_paths": [],
- "forbidden_paths": [],
+ "admission_status": "admitted",
+ "allowed_paths": [
+ "src/",
+ "tests/",
+ "README.md"
+ ],
+ "approval_source": "JP chat approval on 2026-06-01",
+ "approval_timestamp": "2026-06-01",
 "forbidden_actions": [
 "push",
 "merge",
@@ -19,8 +19,26 @@
 "vendor_source_mutation",
 "cortex_core_mutation"
 ],
- "approval_source": "",
- "approval_timestamp": "",
+ "forbidden_paths": [
+ ".env",
+ ".env.*",
+ "secrets/",
+ "credentials/",
+ "deploy/",
+ "infra/",
+ ".github/workflows/",
+ "package-lock.json",
+ "pnpm-lock.yaml",
+ "yarn.lock",
+ "node_modules/",
+ "vendor/",
+ ".git/"
+ ],
+ "noncritical_rationale": "Dedicated owned Stage 5 sandbox repo, not production, no customer data, no secrets, no deploy path, no external users, safe to delete after validation.",
 "operator_outcome_required": true,
- "review_trigger": "before Stage 5 execution, before target repository path change, before allowed path change, before forbidden action change, before risk classification change"
+ "ownership_evidence": "JP chat approval on 2026-06-01 to create this dedicated Stage 5 target sandbox under /home/svrnty/workspaces/cortex-os.",
+ "repository_owner": "jp",
+ "review_trigger": "before Stage 5 execution against any different repository, before target repository path change, before allowed path change, before forbidden action change, before risk classification change",
+ "risk_classification": "low_risk_noncritical",
+ "target_repository_path": "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox"
 }
diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml
index 25430ef..2c786f0 100644
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@@ -197,9 +197,9 @@ items:
 owner: ""
 - id: CTO-WORK-040
 title: Stage 5 Target Repository Admission Record
- status: blocked
+ status: validated
 source: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
- owner: jp
+ owner: ""
 - id: CTO-WORK-041
 title: Stage 5 Harness Target Admission Preflight
 status: validated
diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py
index 4e046af..9e7509f 100644
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
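Review bot: The new `forbidden_paths` list mixes a glob-style entry (`.env.*`) with directory prefixes (`secrets/`, `.github/workflows/`) and bare file names (`yarn.lock`), and nothing in the record says how a candidate file path is matched against them; the validator in this same commit only checks that three of the strings are present, so the enforcement rule is currently undefined. I would state the rule in the companion protocol document or in a dedicated field of this record (a constructed name such as `"forbidden_paths_match": "prefix-or-glob"` would do), so that a later executor does not treat `.env.*` as a literal prefix that would match nothing. `approval_timestamp` is also a bare date for a field that gates execution; an ISO-8601 value with timezone would be more useful if one is available.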
@@ -359,14 +359,14 @@ REQUIRED_STAGE5_TARGET_ADMISSION_TEMPLATE_PHRASES = [
 ]
 REQUIRED_STAGE5_TARGET_ADMISSION_JSON = {
- "admission_status": "not_admitted",
- "target_repository_path": "",
- "repository_owner": "",
- "ownership_evidence": "",
- "risk_classification": "",
- "noncritical_rationale": "",
- "approval_source": "",
- "approval_timestamp": "",
+ "admission_status": "admitted",
+ "target_repository_path": "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
+ "repository_owner": "jp",
+ "ownership_evidence": "JP chat approval on 2026-06-01 to create this dedicated Stage 5 target sandbox under /home/svrnty/workspaces/cortex-os.",
+ "risk_classification": "low_risk_noncritical",
+ "noncritical_rationale": "Dedicated owned Stage 5 sandbox repo, not production, no customer data, no secrets, no deploy path, no external users, safe to delete after validation.",
+ "approval_source": "JP chat approval on 2026-06-01",
+ "approval_timestamp": "2026-06-01",
 "operator_outcome_required": True,
 }
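Review bot: `REQUIRED_STAGE5_TARGET_ADMISSION_JSON` now pins an absolute per-user path (`/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`) and two long prose strings into the validator, so the check is tied to one machine's home directory and every wording change to the admission record needs a matching edit here. If that exact-copy coupling is intentional as a tamper check (the record's `review_trigger` suggests it is), it deserves a comment above the dict, e.g. `# Exact copy of the admitted Stage 5 record; change deliberately and in lockstep with the JSON (see its review_trigger).`; otherwise the prose fields could be checked for non-emptiness and the path compared against a configurable root. The hunk opens with the closing `]` of `REQUIRED_STAGE5_TARGET_ADMISSION_TEMPLATE_PHRASES`, whose definition begins outside the hunk.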
@@ -1080,8 +1080,12 @@ def main() -> int:
 checked.append(f"stage5_target_admission_forbidden_action:{action}")
 if action not in forbidden_actions:
 errors.append(f"stage5_target_admission_missing_forbidden_action:{action}")
- if payload.get("allowed_paths") != []:
- errors.append("stage5_target_admission_allowed_paths_must_be_empty_while_not_admitted")
+ allowed_paths = payload.get("allowed_paths")
+ if not isinstance(allowed_paths, list) or allowed_paths != ["src/", "tests/", "README.md"]:
+ errors.append(f"stage5_target_admission_allowed_paths_mismatch:actual_{allowed_paths}")
+ forbidden_paths = payload.get("forbidden_paths")
+ if not isinstance(forbidden_paths, list) or ".git/" not in forbidden_paths or "secrets/" not in forbidden_paths or "deploy/" not in forbidden_paths:
+ errors.append("stage5_target_admission_forbidden_paths_incomplete")
 if not isinstance(payload.get("review_trigger"), str) or not payload.get("review_trigger"):
 errors.append("stage5_target_admission_missing_review_trigger")
 for key in payload:
@@ -1348,7 +1352,7 @@ def main() -> int:
 "CTO-WORK-037": "validated",
 "CTO-WORK-038": "blocked",
 "CTO-WORK-039": "validated",
- "CTO-WORK-040": "blocked",
+ "CTO-WORK-040": "validated",
 "CTO-WORK-041": "validated",
 }
 for issue_id, expected in expected_statuses.items():
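Review bot: The `forbidden_paths` check in the `@@ -1080` hunk only asserts that `.git/`, `secrets/` and `deploy/` are present, so the ten other entries the admission record now carries (`.env`, `.github/workflows/`, the lockfiles, `vendor/`, and so on) can be removed from the record without the validator reporting anything, and unlike the forbidden actions just above they are never appended to `checked`. The allowed-paths literal `["src/", "tests/", "README.md"]` is likewise duplicated inline rather than kept beside `REQUIRED_STAGE5_TARGET_ADMISSION_JSON`. I would lift both lists into module-level constants and iterate the forbidden one exactly like the visible forbidden_actions loop, which also yields a per-path error instead of one `forbidden_paths_incomplete`. main() begins and ends outside the hunk.
```python
# at module level, next to REQUIRED_STAGE5_TARGET_ADMISSION_JSON
REQUIRED_STAGE5_TARGET_ADMISSION_ALLOWED_PATHS = ["src/", "tests/", "README.md"]
REQUIRED_STAGE5_TARGET_ADMISSION_FORBIDDEN_PATHS = [
    ".env", ".env.*", "secrets/", "credentials/", "deploy/", "infra/",
    ".github/workflows/", "package-lock.json", "pnpm-lock.yaml", "yarn.lock",
    "node_modules/", "vendor/", ".git/",
]

# … unchanged: forbidden_actions loop inside main() …
    allowed_paths = payload.get("allowed_paths")
    if allowed_paths != REQUIRED_STAGE5_TARGET_ADMISSION_ALLOWED_PATHS:
        errors.append(f"stage5_target_admission_allowed_paths_mismatch:actual_{allowed_paths}")
    forbidden_paths = payload.get("forbidden_paths")
    if not isinstance(forbidden_paths, list):
        errors.append("stage5_target_admission_forbidden_paths_incomplete")
    else:
        for path in REQUIRED_STAGE5_TARGET_ADMISSION_FORBIDDEN_PATHS:
            checked.append(f"stage5_target_admission_forbidden_path:{path}")
            if path not in forbidden_paths:
                errors.append(f"stage5_target_admission_missing_forbidden_path:{path}")
# … unchanged: review_trigger check and key loop …
```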