hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Plan Hermes real refresh control replay

Browse Source
This commit is contained in:
Svrnty 2026-06-01 07:23:03 -04:00
parent 076458be4f
commit 6d3e10ace1
4 changed files with 231 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md Normal file
View File

@ -0,0 +1,81 @@
---
name: cto-hermes-real-refresh-control-replay-issues
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local issue sequence for exposing Stage 6 real-governed refresh evidence through Hermes CTO control replay.
---
# CTO Hermes Real Refresh Control Replay Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Issue Sequence
### CTO-WORK-056 - Hermes Real Refresh Control Replay PRD
Type: AFK
Status: validated.
Blocked by: CTO-WORK-055
What to build: Define the planning route for exposing Stage 6 real-governed refresh evidence through the Hermes CTO Harness control summary and replay path.
Acceptance criteria:
- [x] PRD states Hermes displays and replays evidence but does not govern.
- [x] PRD requires Harness Evidence Interface artifacts as the source of truth.
- [x] PRD requires Stage 6 real-governed refresh status in the summary.
- [x] PRD requires refresh comparison artifact path in the summary.
- [x] PRD requires real Stage 5 pass report and Stage 5 proof paths in the summary.
- [x] PRD requires read-only target repository proof status in the summary.
- [x] PRD separates candidate-default refresh eligibility from runtime default activation.
- [x] PRD requires blocked Codex/Pi lane rationale from the refresh artifact.
- [x] PRD forbids target mutation, default activation, Core promotion, vendor-source mutation, external developer repository mutation, unowned repository mutation, and secret exposure.
- [x] Local CTO validator checks the PRD and issue artifact.
Allowed files: CTO child workspace planning docs and local validator only.
Validator: `python3 tools/validate_cto_child.py`
Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.
### CTO-WORK-057 - Hermes Control Summary Real Refresh Replay Route
Type: AFK
Status: candidate.
Blocked by: CTO-WORK-056
What to build: In `/home/svrnty/workspaces/hermes/cto/harness`, extend the Harness-backed WebUI summary path so Hermes can consume and replay Stage 6 real-governed refresh evidence.
Acceptance criteria:
- [ ] Summary exposes `case_stage6_real_governed_refresh` status.
- [ ] Summary exposes `stage6_real_governed_refresh_comparison_path`.
- [ ] Summary exposes real Stage 5 pass report and Stage 5 proof replay paths.
- [ ] Summary exposes read-only target repository proof status.
- [ ] Summary exposes candidate-default refresh eligibility separately from `runtime_default_activation`.
- [ ] Summary exposes Codex/Pi blocked-lane rationale from the refresh artifact.
- [ ] Summary exposes next operator action after real-refresh validation.
- [ ] Summary does not expose secrets, endpoints, credential values, or raw Target Repository content.
- [ ] Summary does not mutate Target Repositories, vendor source, external developer repositories, unowned repositories, or Cortex Core.
- [ ] Focused summary validator passes before aggregate Harness validation.
- [ ] Aggregate Harness validation runs once after focused validation passes and once after merge.
Allowed files: Hermes CTO harness summary command, summary validator, summary contract/docs, and command index. WebUI Runtime code, Core, Case source, vendor source, Target Repositories, and external developer repositories are forbidden.
Validator: `python3 harness/runner/validate-webui-summary.py --json`, then `./harness/evals/health.sh --json`.
Done evidence: Hermes sandcastle commit, focused summary validator output, summary JSON path, aggregate Harness health output, clean merge, and CTO evidence update.
## Granularity Check
This is intentionally two slices: one child-local planning route and one Hermes Harness implementation route. It avoids overbuilding a WebUI panel while adding the exact replay surface needed after `CTO-WORK-055`.

100
.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md Normal file
View File

@ -0,0 +1,100 @@
---
name: cto-hermes-real-refresh-control-replay-prd
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local PRD for exposing Stage 6 real-governed refresh evidence through the Hermes CTO control summary and replay path.
---
# CTO Hermes Real Refresh Control Replay PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem Statement
Hermes already has a Harness-backed control summary, but that summary was validated before the Stage 6 real-governed refresh route existed. JP can now prove Case candidate-default readiness against the first real governed Stage 5 pass, but the Hermes-facing control surface does not yet expose that real-refresh status, artifact path, read-only target proof, or next operator action.
## Solution
Add a bounded real-refresh control replay slice. The CTO Harness summary must consume the Stage 6 real-governed refresh comparison artifact and expose it as replayable Hermes control state. Hermes may display and replay evidence; it must not govern, mutate targets, activate Case by default, or reinterpret raw backend logs as authority.
## Scope
- Extend the Hermes-facing CTO Harness summary contract with Stage 6 real-governed refresh fields.
- Expose the refresh comparison artifact path.
- Expose real Stage 5 pass report and Stage 5 proof paths as replay inputs.
- Expose read-only target repository proof status.
- Expose candidate-default refresh eligibility separately from runtime default activation.
- Expose blocked Codex/Pi lane rationale from the refresh artifact.
- Expose next operator action after real-refresh validation.
- Keep the source of truth as Harness Evidence Interface artifacts.
## Non-Goals
- Do not build a full Hermes WebUI panel in this slice.
- Do not add approval mutation actions.
- Do not activate Case as default backend.
- Do not rerun or mutate the real Target Repository.
- Do not promote child-local CTO artifacts into Core.
- Do not mutate vendor source, external developer repositories, Cortex Core, or unowned repositories.
- Do not expose secrets, endpoints, credentials, or raw Target Repository content.
## User Stories
1. As JP, I want the Hermes control summary to show Stage 6 real-refresh status, so that I can inspect candidate-default readiness without opening raw artifacts first.
2. As Hermes, I want replay paths for the refresh artifact, Stage 5 pass report, and Stage 5 proof, so that a future panel can link evidence without recomputing it.
3. As CTO, I want read-only target proof visible, so that real-repo safety is part of the operator surface.
4. As Harness, I want the summary generated from validated artifacts, so that control state remains proof-backed.
5. As Cortex, I want runtime default activation to remain explicit and false, so that candidate-default evidence cannot become authority by presentation.
## Acceptance Criteria
- [ ] PRD states Hermes displays and replays evidence but does not govern.
- [ ] PRD requires Harness Evidence Interface artifacts as the source of truth.
- [ ] PRD requires Stage 6 real-governed refresh status in the summary.
- [ ] PRD requires refresh comparison artifact path in the summary.
- [ ] PRD requires real Stage 5 pass report and Stage 5 proof paths in the summary.
- [ ] PRD requires read-only target repository proof status in the summary.
- [ ] PRD separates candidate-default refresh eligibility from runtime default activation.
- [ ] PRD requires blocked Codex/Pi lane rationale from the refresh artifact.
- [ ] PRD forbids target mutation, default activation, Core promotion, vendor-source mutation, external developer repository mutation, unowned repository mutation, and secret exposure.
- [ ] Local CTO validator checks the PRD and issue artifact.
## Validation
Planning validator: `python3 tools/validate_cto_child.py`.
Implementation validator planned for Hermes: `python3 harness/runner/validate-webui-summary.py --json`, then `./harness/evals/health.sh --json` after focused validation passes.
## Risks
- A UI consumer may mistake candidate-default refresh eligibility for runtime default activation.
- A summary may become stale if it does not consume the latest refresh artifact.
- A replay path may expose too much target context if raw repository content is included instead of artifact paths.
- Building WebUI runtime behavior now would overreach the stable summary contract.
## Dependencies
- `CTO-WORK-055` Stage 6 real-governed refresh evidence is validated.
- Hermes CTO Harness has `validate-case-stage6-real-refresh.py`.
- Hermes CTO Harness aggregate health includes `case_stage6_real_governed_refresh`.
- Existing Hermes control summary route remains Harness-backed.
## Challenge Notes
Accepted feedback: This route is useful because the existing Hermes summary predates real-refresh evidence and therefore cannot yet be the operator replay surface for the strongest Case proof.
Accepted feedback: The slice must update the summary contract before any WebUI panel work, because the stable machine-readable surface is the real dependency.
Rejected feedback: Building a visual WebUI panel now is premature; proof-backed summary fields are the minimum useful control layer.
Rejected feedback: Activating Case as default is out of scope because runtime default remains earned by a later governed route.
## Success Definition
This slice succeeds when CTO has a validated child-local PRD and issue route for exposing Stage 6 real-governed refresh evidence through the Hermes CTO Harness control summary and replay path, while preserving Cortex authority, Harness proof, target protection, and runtime default activation false.

11
WORKBOARD.yaml
View File

@ -276,3 +276,14 @@ items:
status: validated status: validated
source: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-ISSUES.md source: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-ISSUES.md
owner: "" owner: ""
- id: CTO-WORK-056
title: Hermes Real Refresh Control Replay PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md
owner: ""
- id: CTO-WORK-057
title: Hermes Control Summary Real Refresh Replay Route
status: candidate
source: .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md
owner: ""

39
tools/validate_cto_child.py
View File

@ -45,6 +45,8 @@ REQUIRED_FILES = [
".sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md", ".sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md",
".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md", ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md",
".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md", ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md",
".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md",
".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md",
".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
@ -132,6 +134,21 @@ REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES = [
"Runtime default activation remains false.", "Runtime default activation remains false.",
] ]
REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"Hermes may display and replay evidence; it must not govern",
"Harness Evidence Interface artifacts",
"Stage 6 real-governed refresh status",
"refresh comparison artifact path",
"real Stage 5 pass report and Stage 5 proof paths",
"read-only target repository proof status",
"candidate-default refresh eligibility separately from runtime default activation",
"blocked Codex/Pi lane rationale",
"Do not build a full Hermes WebUI panel in this slice.",
"Do not activate Case as default backend.",
"Do not rerun or mutate the real Target Repository.",
]
REQUIRED_STAGE6_REAL_REFRESH_EVIDENCE_PHRASES = [ REQUIRED_STAGE6_REAL_REFRESH_EVIDENCE_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.", "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"CTO-WORK-055", "CTO-WORK-055",
@ -1072,6 +1089,26 @@ def main() -> int:
if phrase not in text: if phrase not in text:
errors.append(f"missing_stage6_real_refresh_issue_phrase:{phrase}") errors.append(f"missing_stage6_real_refresh_issue_phrase:{phrase}")
hermes_real_refresh_control_replay_prd = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md"
if hermes_real_refresh_control_replay_prd.is_file():
text = hermes_real_refresh_control_replay_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_real_refresh_control_replay_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_PHRASES:
checked.append(f"hermes_real_refresh_control_replay_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_real_refresh_control_replay_prd_phrase:{phrase}")
hermes_real_refresh_control_replay_issues = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md"
if hermes_real_refresh_control_replay_issues.is_file():
text = hermes_real_refresh_control_replay_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_real_refresh_control_replay_issues_missing_not_promoted_frontmatter")
for phrase in ["CTO-WORK-056", "CTO-WORK-057", "case_stage6_real_governed_refresh", "stage6_real_governed_refresh_comparison_path", "runtime_default_activation"]:
checked.append(f"hermes_real_refresh_control_replay_issue_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_real_refresh_control_replay_issue_phrase:{phrase}")
stage6_real_refresh_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md" stage6_real_refresh_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md"
if stage6_real_refresh_evidence.is_file(): if stage6_real_refresh_evidence.is_file():
text = stage6_real_refresh_evidence.read_text(encoding="utf-8") text = stage6_real_refresh_evidence.read_text(encoding="utf-8")
@ -1668,6 +1705,8 @@ def main() -> int:
"CTO-WORK-053": "validated", "CTO-WORK-053": "validated",
"CTO-WORK-054": "validated", "CTO-WORK-054": "validated",
"CTO-WORK-055": "validated", "CTO-WORK-055": "validated",
"CTO-WORK-056": "validated",
"CTO-WORK-057": "candidate",
} }
for issue_id, expected in expected_statuses.items(): for issue_id, expected in expected_statuses.items():
checked.append(f"workboard_status:{issue_id}:{expected}") checked.append(f"workboard_status:{issue_id}:{expected}")