From 6d3e10ace1ca60d1b33bdcb76d33b9f9f4549b6e Mon Sep 17 00:00:00 2001
From: Svrnty <info@svrnty.io>
Date: Mon, 1 Jun 2026 07:23:03 -0400
Subject: [PATCH] Plan Hermes real refresh control replay

---
 ...RMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md |  81 ++++++++++++++
 ...-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md | 100 ++++++++++++++++++
 WORKBOARD.yaml                                |  11 ++
 tools/validate_cto_child.py                   |  39 +++++++
 4 files changed, 231 insertions(+)
 create mode 100644 .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md
 create mode 100644 .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md

diff --git a/.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md b/.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md
new file mode 100644
index 0000000..3cb5017
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md
@@ -0,0 +1,81 @@
+---
+name: cto-hermes-real-refresh-control-replay-issues
+tier: local
+status: draft
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local issue sequence for exposing Stage 6 real-governed refresh evidence through Hermes CTO control replay.
+---
+
+# CTO Hermes Real Refresh Control Replay Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue Sequence
+
+### CTO-WORK-056 - Hermes Real Refresh Control Replay PRD
+
+Type: AFK
+
+Status: validated.
+
+Blocked by: CTO-WORK-055
+
+What to build: Define the planning route for exposing Stage 6 real-governed refresh evidence through the Hermes CTO Harness control summary and replay path.
+
+Acceptance criteria:
+
+- [x] PRD states Hermes displays and replays evidence but does not govern.
+- [x] PRD requires Harness Evidence Interface artifacts as the source of truth.
+- [x] PRD requires Stage 6 real-governed refresh status in the summary.
+- [x] PRD requires refresh comparison artifact path in the summary.
+- [x] PRD requires real Stage 5 pass report and Stage 5 proof paths in the summary.
+- [x] PRD requires read-only target repository proof status in the summary.
+- [x] PRD separates candidate-default refresh eligibility from runtime default activation.
+- [x] PRD requires blocked Codex/Pi lane rationale from the refresh artifact.
+- [x] PRD forbids target mutation, default activation, Core promotion, vendor-source mutation, external developer repository mutation, unowned repository mutation, and secret exposure.
+- [x] Local CTO validator checks the PRD and issue artifact.
+
+Allowed files: CTO child workspace planning docs and local validator only.
+
+Validator: `python3 tools/validate_cto_child.py`
+
+Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.
+
+### CTO-WORK-057 - Hermes Control Summary Real Refresh Replay Route
+
+Type: AFK
+
+Status: candidate.
+
+Blocked by: CTO-WORK-056
+
+What to build: In `/home/svrnty/workspaces/hermes/cto/harness`, extend the Harness-backed WebUI summary path so Hermes can consume and replay Stage 6 real-governed refresh evidence.
+
+Acceptance criteria:
+
+- [ ] Summary exposes `case_stage6_real_governed_refresh` status.
+- [ ] Summary exposes `stage6_real_governed_refresh_comparison_path`.
+- [ ] Summary exposes real Stage 5 pass report and Stage 5 proof replay paths.
+- [ ] Summary exposes read-only target repository proof status.
+- [ ] Summary exposes candidate-default refresh eligibility separately from `runtime_default_activation`.
+- [ ] Summary exposes Codex/Pi blocked-lane rationale from the refresh artifact.
+- [ ] Summary exposes next operator action after real-refresh validation.
+- [ ] Summary does not expose secrets, endpoints, credential values, or raw Target Repository content.
+- [ ] Summary does not mutate Target Repositories, vendor source, external developer repositories, unowned repositories, or Cortex Core.
+- [ ] Focused summary validator passes before aggregate Harness validation.
+- [ ] Aggregate Harness validation runs once after focused validation passes and once after merge.
+
+Allowed files: Hermes CTO harness summary command, summary validator, summary contract/docs, and command index. WebUI Runtime code, Core, Case source, vendor source, Target Repositories, and external developer repositories are forbidden.
+
+Validator: `python3 harness/runner/validate-webui-summary.py --json`, then `./harness/evals/health.sh --json`.
+
+Done evidence: Hermes sandcastle commit, focused summary validator output, summary JSON path, aggregate Harness health output, clean merge, and CTO evidence update.
+
+## Granularity Check
+
+This is intentionally two slices: one child-local planning route and one Hermes Harness implementation route. It avoids overbuilding a WebUI panel while adding the exact replay surface needed after `CTO-WORK-055`.
diff --git a/.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md b/.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md
new file mode 100644
index 0000000..f223be9
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md
@@ -0,0 +1,100 @@
+---
+name: cto-hermes-real-refresh-control-replay-prd
+tier: local
+status: draft
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local PRD for exposing Stage 6 real-governed refresh evidence through the Hermes CTO control summary and replay path.
+---
+
+# CTO Hermes Real Refresh Control Replay PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem Statement
+
+Hermes already has a Harness-backed control summary, but that summary was validated before the Stage 6 real-governed refresh route existed. JP can now prove Case candidate-default readiness against the first real governed Stage 5 pass, but the Hermes-facing control surface does not yet expose that real-refresh status, artifact path, read-only target proof, or next operator action.
+
+## Solution
+
+Add a bounded real-refresh control replay slice. The CTO Harness summary must consume the Stage 6 real-governed refresh comparison artifact and expose it as replayable Hermes control state. Hermes may display and replay evidence; it must not govern, mutate targets, activate Case by default, or reinterpret raw backend logs as authority.
+
+## Scope
+
+- Extend the Hermes-facing CTO Harness summary contract with Stage 6 real-governed refresh fields.
+- Expose the refresh comparison artifact path.
+- Expose real Stage 5 pass report and Stage 5 proof paths as replay inputs.
+- Expose read-only target repository proof status.
+- Expose candidate-default refresh eligibility separately from runtime default activation.
+- Expose blocked Codex/Pi lane rationale from the refresh artifact.
+- Expose next operator action after real-refresh validation.
+- Keep the source of truth as Harness Evidence Interface artifacts.
+
+## Non-Goals
+
+- Do not build a full Hermes WebUI panel in this slice.
+- Do not add approval mutation actions.
+- Do not activate Case as default backend.
+- Do not rerun or mutate the real Target Repository.
+- Do not promote child-local CTO artifacts into Core.
+- Do not mutate vendor source, external developer repositories, Cortex Core, or unowned repositories.
+- Do not expose secrets, endpoints, credentials, or raw Target Repository content.
+
+## User Stories
+
+1. As JP, I want the Hermes control summary to show Stage 6 real-refresh status, so that I can inspect candidate-default readiness without opening raw artifacts first.
+2. As Hermes, I want replay paths for the refresh artifact, Stage 5 pass report, and Stage 5 proof, so that a future panel can link evidence without recomputing it.
+3. As CTO, I want read-only target proof visible, so that real-repo safety is part of the operator surface.
+4. As Harness, I want the summary generated from validated artifacts, so that control state remains proof-backed.
+5. As Cortex, I want runtime default activation to remain explicit and false, so that candidate-default evidence cannot become authority by presentation.
+
+## Acceptance Criteria
+
+- [ ] PRD states Hermes displays and replays evidence but does not govern.
+- [ ] PRD requires Harness Evidence Interface artifacts as the source of truth.
+- [ ] PRD requires Stage 6 real-governed refresh status in the summary.
+- [ ] PRD requires refresh comparison artifact path in the summary.
+- [ ] PRD requires real Stage 5 pass report and Stage 5 proof paths in the summary.
+- [ ] PRD requires read-only target repository proof status in the summary.
+- [ ] PRD separates candidate-default refresh eligibility from runtime default activation.
+- [ ] PRD requires blocked Codex/Pi lane rationale from the refresh artifact.
+- [ ] PRD forbids target mutation, default activation, Core promotion, vendor-source mutation, external developer repository mutation, unowned repository mutation, and secret exposure.
+- [ ] Local CTO validator checks the PRD and issue artifact.
+
+## Validation
+
+Planning validator: `python3 tools/validate_cto_child.py`.
+
+Implementation validator planned for Hermes: `python3 harness/runner/validate-webui-summary.py --json`, then `./harness/evals/health.sh --json` after focused validation passes.
+
+## Risks
+
+- A UI consumer may mistake candidate-default refresh eligibility for runtime default activation.
+- A summary may become stale if it does not consume the latest refresh artifact.
+- A replay path may expose too much target context if raw repository content is included instead of artifact paths.
+- Building WebUI runtime behavior now would overreach the stable summary contract.
+
+## Dependencies
+
+- `CTO-WORK-055` Stage 6 real-governed refresh evidence is validated.
+- Hermes CTO Harness has `validate-case-stage6-real-refresh.py`.
+- Hermes CTO Harness aggregate health includes `case_stage6_real_governed_refresh`.
+- Existing Hermes control summary route remains Harness-backed.
+
+## Challenge Notes
+
+Accepted feedback: This route is useful because the existing Hermes summary predates real-refresh evidence and therefore cannot yet be the operator replay surface for the strongest Case proof.
+
+Accepted feedback: The slice must update the summary contract before any WebUI panel work, because the stable machine-readable surface is the real dependency.
+
+Rejected feedback: Building a visual WebUI panel now is premature; proof-backed summary fields are the minimum useful control layer.
+
+Rejected feedback: Activating Case as default is out of scope because runtime default remains earned by a later governed route.
+
+## Success Definition
+
+This slice succeeds when CTO has a validated child-local PRD and issue route for exposing Stage 6 real-governed refresh evidence through the Hermes CTO Harness control summary and replay path, while preserving Cortex authority, Harness proof, target protection, and runtime default activation false.
diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml
index dfe021b..4aef53d 100644
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@@ -276,3 +276,14 @@ items:
     status: validated
     source: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-ISSUES.md
     owner: ""
+  - id: CTO-WORK-056
+    title: Hermes Real Refresh Control Replay PRD
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md
+    owner: ""
+  - id: CTO-WORK-057
+    title: Hermes Control Summary Real Refresh Replay Route
+    status: candidate
+    source: .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md
+    owner: ""
+
diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py
index 4f38fad..da5081a 100644
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@@ -45,6 +45,8 @@ REQUIRED_FILES = [
     ".sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md",
     ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md",
     ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md",
+    ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md",
+    ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
@@ -132,6 +134,21 @@ REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES = [
     "Runtime default activation remains false.",
 ]
 
+REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "Hermes may display and replay evidence; it must not govern",
+    "Harness Evidence Interface artifacts",
+    "Stage 6 real-governed refresh status",
+    "refresh comparison artifact path",
+    "real Stage 5 pass report and Stage 5 proof paths",
+    "read-only target repository proof status",
+    "candidate-default refresh eligibility separately from runtime default activation",
+    "blocked Codex/Pi lane rationale",
+    "Do not build a full Hermes WebUI panel in this slice.",
+    "Do not activate Case as default backend.",
+    "Do not rerun or mutate the real Target Repository.",
+]
+
 REQUIRED_STAGE6_REAL_REFRESH_EVIDENCE_PHRASES = [
     "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
     "CTO-WORK-055",
@@ -1072,6 +1089,26 @@ def main() -> int:
             if phrase not in text:
                 errors.append(f"missing_stage6_real_refresh_issue_phrase:{phrase}")
 
+    hermes_real_refresh_control_replay_prd = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md"
+    if hermes_real_refresh_control_replay_prd.is_file():
+        text = hermes_real_refresh_control_replay_prd.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("hermes_real_refresh_control_replay_prd_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_PHRASES:
+            checked.append(f"hermes_real_refresh_control_replay_prd_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_hermes_real_refresh_control_replay_prd_phrase:{phrase}")
+
+    hermes_real_refresh_control_replay_issues = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md"
+    if hermes_real_refresh_control_replay_issues.is_file():
+        text = hermes_real_refresh_control_replay_issues.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("hermes_real_refresh_control_replay_issues_missing_not_promoted_frontmatter")
+        for phrase in ["CTO-WORK-056", "CTO-WORK-057", "case_stage6_real_governed_refresh", "stage6_real_governed_refresh_comparison_path", "runtime_default_activation"]:
+            checked.append(f"hermes_real_refresh_control_replay_issue_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_hermes_real_refresh_control_replay_issue_phrase:{phrase}")
+
     stage6_real_refresh_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md"
     if stage6_real_refresh_evidence.is_file():
         text = stage6_real_refresh_evidence.read_text(encoding="utf-8")
@@ -1668,6 +1705,8 @@ def main() -> int:
             "CTO-WORK-053": "validated",
             "CTO-WORK-054": "validated",
             "CTO-WORK-055": "validated",
+            "CTO-WORK-056": "validated",
+            "CTO-WORK-057": "candidate",
         }
         for issue_id, expected in expected_statuses.items():
             checked.append(f"workboard_status:{issue_id}:{expected}")