Record governed execution evidence

.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md

@@ -0,0 +1,57 @@
+---
+name: CTO Governed Execution Evidence Closeout
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Evidence Closeout
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Workboard
+
+- `CTO-WORK-071`
+
+## Result
+
+- governed execution evidence
+- one approved Harness run consumed
+- status: validated
+- CTO-WORK-049
+- CTO-WORK-069
+- r1-src-string-slugify
+- Runtime default activation remains false.
+- Do not activate Case as default backend.
+- This closeout does not authorize another Case run.
+
+## Target
+
+- admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
+- target commit: `7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741`
+- target repo current state checked
+- target repository start clean: true
+- target repository ending clean: true
+
+## Harness Evidence
+
+- Harness report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json`
+- Stage 5 proof: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json`
+- case_process_started: true
+- changed files: `src/strings.py`, `test_strings.py`
+- allowed paths passed: true
+- forbidden paths passed: true
+- no forbidden actions: true
+- operator outcome: `accepted`
+
+## Current Target Validation
+
+- command: `python3 -m pytest -q`
+- result: `3 passed`
+
+## Scope Guard
+
+This closeout binds the prior approval to the single successful Harness run. It is not a new approval and does not authorize another Case run.

.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-ISSUES.md

@@ -0,0 +1,74 @@
+---
+name: CTO Governed Execution Evidence Issues
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Evidence Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue: CTO-WORK-070 - Governed Execution Evidence PRD
+
+Status: validated.
+
+Acceptance:
+
+- Define governed execution evidence for the approved Stage 5 run.
+- Bind `CTO-WORK-049` and `CTO-WORK-069`.
+- Record that one approved Harness run consumed the approval.
+- Require the Harness report and Stage 5 proof paths.
+- Preserve Runtime default activation remains false.
+- State: Do not activate Case as default backend.
+- State: This closeout does not authorize another Case run.
+
+## Issue: CTO-WORK-071 - Governed Execution Evidence Closeout
+
+Status: validated.
+
+Acceptance:
+
+- Record governed execution evidence.
+- Reference `r1-src-string-slugify`.
+- Reference target commit `7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741`.
+- Reference `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
+- Reference `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json`.
+- Reference `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json`.
+- Record case_process_started: true.
+- Record changed files: `src/strings.py`, `test_strings.py`.
+- Record allowed paths passed: true.
+- Record forbidden paths passed: true.
+- Record target repository start clean: true.
+- Record target repository ending clean: true.
+- Record `python3 -m pytest -q`.
+- Record `3 passed`.
+- State: Runtime default activation remains false.
+- State: Do not activate Case as default backend.
+- State: This closeout does not authorize another Case run.
+
+## Required Phrases
+
+- governed execution evidence
+- one approved Harness run consumed
+- CTO-WORK-049
+- CTO-WORK-069
+- r1-src-string-slugify
+- 7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741
+- /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox
+- /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json
+- /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json
+- case_process_started: true
+- changed files: `src/strings.py`, `test_strings.py`
+- allowed paths passed: true
+- forbidden paths passed: true
+- target repository start clean: true
+- target repository ending clean: true
+- python3 -m pytest -q
+- 3 passed
+- Runtime default activation remains false.
+- Do not activate Case as default backend.
+- This closeout does not authorize another Case run.

.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md

@@ -0,0 +1,78 @@
+---
+name: CTO Governed Execution Evidence PRD
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Evidence PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem Statement
+
+The governed execution approval exists, and the approved Stage 5 run already produced Harness evidence. CTO needs a closeout that binds the approval record to the actual Harness evidence and prevents accidental rerun under the same single-task approval.
+
+## Solution
+
+Record governed execution evidence for `CTO-WORK-049` and `CTO-WORK-069`. Mark the approval as consumed by the existing `r1-src-string-slugify` Harness pass report.
+
+## Scope
+
+- Reference the pass report and Stage 5 proof.
+- Reference the admitted target repository.
+- Reference target commit `7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741`.
+- Record that one approved Harness run consumed the approval.
+- Record the current target repo validation command and result.
+- Preserve that Runtime default activation remains false.
+
+## Non-goals
+
+- Do not rerun Case.
+- Do not activate Case as default backend.
+- Do not authorize another Case run.
+- Do not mutate target repositories in this closeout slice.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+
+## Acceptance Criteria
+
+- `WORKBOARD.yaml` records `CTO-WORK-070` and `CTO-WORK-071` as validated.
+- The closeout references the Harness report.
+- The closeout references the Stage 5 proof.
+- The closeout states case_process_started: true.
+- The closeout states changed files: `src/strings.py`, `test_strings.py`.
+- The closeout states allowed paths passed: true and forbidden paths passed: true.
+- The closeout records `python3 -m pytest -q` and `3 passed`.
+- This closeout does not authorize another Case run.
+
+## Validation
+
+- `python3 tools/validate_cto_child.py`
+- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
+
+## Required Evidence
+
+- governed execution evidence
+- one approved Harness run consumed
+- CTO-WORK-049
+- CTO-WORK-069
+- r1-src-string-slugify
+- 7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741
+- /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox
+- /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json
+- /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json
+- case_process_started: true
+- changed files: `src/strings.py`, `test_strings.py`
+- allowed paths passed: true
+- forbidden paths passed: true
+- target repository start clean: true
+- target repository ending clean: true
+- python3 -m pytest -q
+- 3 passed
+- Runtime default activation remains false.
+- Do not activate Case as default backend.
+- This closeout does not authorize another Case run.

WORKBOARD.yaml

@@ -346,3 +346,13 @@ items:
     status: validated
     source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md
     owner: jp
+  - id: CTO-WORK-070
+    title: Governed Execution Evidence PRD
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md
+    owner: ""
+  - id: CTO-WORK-071
+    title: Governed Execution Evidence Closeout
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md
+    owner: ""

tools/validate_cto_child.py

@@ -66,6 +66,9 @@ REQUIRED_FILES = [
     ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md",
     ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-ISSUES.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
@@ -321,6 +324,30 @@ REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES = [
     "This record is not execution evidence.",
 ]
 
+REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "governed execution evidence",
+    "one approved Harness run consumed",
+    "CTO-WORK-049",
+    "CTO-WORK-069",
+    "r1-src-string-slugify",
+    "7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741",
+    "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
+    "/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json",
+    "/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json",
+    "case_process_started: true",
+    "changed files: `src/strings.py`, `test_strings.py`",
+    "allowed paths passed: true",
+    "forbidden paths passed: true",
+    "target repository start clean: true",
+    "target repository ending clean: true",
+    "python3 -m pytest -q",
+    "3 passed",
+    "Runtime default activation remains false.",
+    "Do not activate Case as default backend.",
+    "This closeout does not authorize another Case run.",
+]
+
 REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_EVIDENCE_PHRASES = [
     "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
     "CTO-WORK-057",
@@ -1509,6 +1536,41 @@ def main() -> int:
             if phrase not in text:
                 errors.append(f"missing_governed_execution_approval_record_phrase:{phrase}")
 
+    governed_execution_evidence_prd = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md"
+    if governed_execution_evidence_prd.is_file():
+        text = governed_execution_evidence_prd.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_evidence_prd_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES:
+            checked.append(f"governed_execution_evidence_prd_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_evidence_prd_phrase:{phrase}")
+
+    governed_execution_evidence_issues = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-ISSUES.md"
+    if governed_execution_evidence_issues.is_file():
+        text = governed_execution_evidence_issues.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_evidence_issues_missing_not_promoted_frontmatter")
+        for phrase in ["CTO-WORK-070", "CTO-WORK-071", *REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES]:
+            checked.append(f"governed_execution_evidence_issue_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_evidence_issue_phrase:{phrase}")
+
+    governed_execution_evidence_closeout = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md"
+    if governed_execution_evidence_closeout.is_file():
+        text = governed_execution_evidence_closeout.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_evidence_closeout_missing_not_promoted_frontmatter")
+        for phrase in [
+            "CTO-WORK-071",
+            "status: validated",
+            "target repo current state checked",
+            *REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES,
+        ]:
+            checked.append(f"governed_execution_evidence_closeout_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_evidence_closeout_phrase:{phrase}")
+
     hermes_real_refresh_control_replay_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md"
     if hermes_real_refresh_control_replay_evidence.is_file():
         text = hermes_real_refresh_control_replay_evidence.read_text(encoding="utf-8")
@@ -2129,6 +2191,8 @@ def main() -> int:
             "CTO-WORK-067": "validated",
             "CTO-WORK-068": "validated",
             "CTO-WORK-069": "validated",
+            "CTO-WORK-070": "validated",
+            "CTO-WORK-071": "validated",
         }
         for issue_id, expected in expected_statuses.items():
             checked.append(f"workboard_status:{issue_id}:{expected}")