Add CTO Case source admission record

README.md

@@ -33,7 +33,8 @@ This workspace is registered as a child-local planning workspace. Registration d
 |       |-- CTO-CASE-BACKEND-BRIEF.md
 |       |-- CTO-CASE-CANDIDATE-BACKEND-PRD.md
 |       |-- CTO-CASE-CANDIDATE-BACKEND-ISSUES.md
-|       `-- CTO-HARNESS-EVIDENCE-INTERFACE-CONTRACT.md
+|       |-- CTO-HARNESS-EVIDENCE-INTERFACE-CONTRACT.md
+|       `-- CTO-CASE-SOURCE-ADMISSION-RECORD.md
 `-- tools/
     `-- validate_cto_child.py
 ```

WORKBOARD.yaml

@@ -21,8 +21,8 @@ items:
     owner: jp
   - id: CTO-WORK-005
     title: Case Source Admission Record
-    status: candidate
+    status: validated
-    source: sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-ISSUES.md
+    source: sot/03-PROTOCOLS/CTO-CASE-SOURCE-ADMISSION-RECORD.md
     owner: jp
   - id: CTO-WORK-006
     title: Case Adapter Contract And Eligibility Decision

sot/03-PROTOCOLS/CTO-CASE-SOURCE-ADMISSION-RECORD.md

@@ -0,0 +1,129 @@
+---
+name: cto-case-source-admission-record
+tier: local
+status: draft
+owner: jp
+source: sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md
+created: 2026-05-31
+last_reviewed: 2026-05-31
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local source admission record for evaluating Case as a candidate CTO backend.
+---
+
+# CTO Case Source Admission Record
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Purpose
+
+Record the minimum source admission facts required before Case can progress beyond planning as a Case Candidate Backend.
+
+This record does not admit Case for execution. It records a pinned public source observation and names the remaining blockers before any non-artificial run.
+
+## Non-Authority Notice
+
+This record does not authorize Runtime behavior, WebUI Product behavior, Case execution, real-repo mutation, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion.
+
+## Source Identity
+
+| Field | Value |
+| --- | --- |
+| Source name | Case |
+| Source URL | `https://github.com/workos/case.git` |
+| Source web URL | `https://github.com/workos/case` |
+| Source type | public Git repository |
+| Observed branch | `main` |
+| Pinned commit | `7959ac917cdeb0983b4aaa20bb9f42021747fed8` |
+| Commit date | `2026-05-19T18:05:46-07:00` |
+| Retrieval date | `2026-05-31` |
+| Retrieval command | `git clone --depth 1 https://github.com/workos/case.git` |
+| Integrity reference | pinned Git commit SHA-1 `7959ac917cdeb0983b4aaa20bb9f42021747fed8` |
+
+## License Note
+
+License status is unresolved.
+
+Observed facts from the retrieval:
+
+- no top-level `LICENSE` or `LICENSE.md` file was found in the shallow clone;
+- `package.json` did not expose a license field in the inspected section;
+- `package.json` contains `"private": true`.
+
+Admission consequence: Case is not admitted for non-artificial execution until a human-readable license note is completed and the allowed internal-use posture is explicit.
+
+## Source Boundary
+
+Protected source boundary:
+
+- do not mutate the Case repository;
+- do not vendor Case source into Cortex OS Core;
+- do not copy Case implementation source into this child workspace;
+- do not treat Case source as Cortex OS authority;
+- do not run Case against a Target Repository from this record alone.
+
+Allowed planning use:
+
+- reference the source URL;
+- reference the pinned commit;
+- inspect public metadata for admission planning;
+- define adapter contracts against observed behavior without importing vendor implementation.
+
+## Allowed Execution Mode
+
+Current allowed execution mode: planning-only.
+
+Blocked modes:
+
+- artificial Case run;
+- copied repository fixture run;
+- disposable sandbox repository run;
+- owned noncritical repository run;
+- candidate-default real-repo use.
+
+Mode unlock requires a later validated adapter contract, source license note, harness evidence validation, explicit gate, and staged proof record.
+
+## Update Rule
+
+Changing the pinned Case source requires:
+
+- previous source URL;
+- previous pinned commit or tag;
+- new source URL;
+- new pinned commit or tag;
+- retrieval date;
+- retrieval command;
+- license note review;
+- rerun of applicable adapter fixtures;
+- evidence record naming previous and new source IDs.
+
+No moving branch reference may be used as proof without a pinned commit or tag.
+
+## Admission Status
+
+Status: not admitted for execution.
+
+Reason: source identity is pinned, but license note and executable adapter proof are incomplete.
+
+## Evidence
+
+Observed retrieval commands:
+
+```text
+git ls-remote https://github.com/workos/case.git HEAD refs/heads/main refs/tags/*
+git clone --depth 1 https://github.com/workos/case.git
+git rev-parse HEAD
+git show -s --format=%cI HEAD
+git remote get-url origin
+```
+
+Observed source metadata:
+
+```text
+HEAD: 7959ac917cdeb0983b4aaa20bb9f42021747fed8
+origin: https://github.com/workos/case.git
+commit date: 2026-05-19T18:05:46-07:00
+package private: true
+license file: not found in shallow clone
+license field: not observed in inspected package.json
+```

tools/validate_cto_child.py

@@ -19,6 +19,7 @@ REQUIRED_FILES = [
     "sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md",
     "sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-ISSUES.md",
     "sot/03-PROTOCOLS/CTO-HARNESS-EVIDENCE-INTERFACE-CONTRACT.md",
+    "sot/03-PROTOCOLS/CTO-CASE-SOURCE-ADMISSION-RECORD.md",
 ]
 
 REQUIRED_BRIEF_PHRASES = [
@@ -80,6 +81,22 @@ REQUIRED_EVIDENCE_INTERFACE_PHRASES = [
     "fail closed",
 ]
 
+REQUIRED_SOURCE_ADMISSION_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "This record does not authorize Runtime behavior",
+    "https://github.com/workos/case.git",
+    "7959ac917cdeb0983b4aaa20bb9f42021747fed8",
+    "2026-05-31",
+    "git clone --depth 1 https://github.com/workos/case.git",
+    "License status is unresolved.",
+    "package private: true",
+    "Status: not admitted for execution.",
+    "Current allowed execution mode: planning-only.",
+    "do not mutate the Case repository",
+    "do not vendor Case source into Cortex OS Core",
+    "No moving branch reference may be used as proof without a pinned commit or tag.",
+]
+
 
 def main() -> int:
     checked: list[str] = []
@@ -137,6 +154,16 @@ def main() -> int:
             if phrase not in text:
                 errors.append(f"missing_evidence_interface_phrase:{phrase}")
 
+    source_admission = ROOT / "sot/03-PROTOCOLS/CTO-CASE-SOURCE-ADMISSION-RECORD.md"
+    if source_admission.is_file():
+        text = source_admission.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("source_admission_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_SOURCE_ADMISSION_PHRASES:
+            checked.append(f"source_admission_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_source_admission_phrase:{phrase}")
+
     board = ROOT / "WORKBOARD.yaml"
     if board.is_file():
         text = board.read_text(encoding="utf-8")
@@ -148,6 +175,8 @@ def main() -> int:
             errors.append("workboard_missing_evidence_interface_contract_source")
         if "CTO-WORK-004" in text and "status: validated" not in text:
             errors.append("workboard_cto_work_004_not_validated")
+        if "CTO-CASE-SOURCE-ADMISSION-RECORD.md" not in text:
+            errors.append("workboard_missing_source_admission_record_source")
 
     payload = {
         "ok": not errors,