From b7a7354f97fb6f3b59da3a91637aa3997c921332 Mon Sep 17 00:00:00 2001
From: Svrnty
Date: Mon, 1 Jun 2026 07:51:09 -0400
Subject: [PATCH] Record governed execution request
---
 .../CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md | 49 +++++++++++++
 .../CTO-GOVERNED-EXECUTION-REQUEST-PRD.md | 55 +++++++++++++++
 .../CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md | 68 +++++++++++++++++++
 WORKBOARD.yaml | 10 +++
 tools/validate_cto_child.py | 59 ++++++++++++++++
 5 files changed, 241 insertions(+)
 create mode 100644 .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md
 create mode 100644 .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md
 create mode 100644 .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
diff --git a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md
new file mode 100644
index 0000000..8f85b1a
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md
@@ -0,0 +1,49 @@
+---
+name: CTO Governed Execution Request Issues
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Request Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue: CTO-WORK-066 - Governed Execution Request PRD
+
+Status: validated.
+
+Acceptance:
+
+- Define the governed execution request scope.
+- Require a non-mutating execution request record.
+- Preserve the exact approval packet, admitted target repository, allowed paths, and Harness command.
+- Record `approval_granted: false`.
+- Record `execution_allowed: false`.
+- State: Do not execute Case.
+- State: Do not activate Case as default backend.
+- State: Do not mutate target repositories.
+- State: Runtime default activation remains false.
+- State: JP approval is still required before execution.
+
+## Issue: CTO-WORK-067 - Governed Execution Request Record
+
+Status: validated.
+
+Acceptance:
+
+- Create the governed execution request record.
+- Include the admitted target repository.
+- Include allowed paths.
+- Include the Harness command.
+- Include proof pointers from prior Harness and Hermes evidence.
+- Keep `approval_granted: false`.
+- Keep `execution_allowed: false`.
+- State: Do not execute Case.
+- State: Do not activate Case as default backend.
+- State: Do not mutate target repositories.
+- State: Runtime default activation remains false.
+- State: JP approval is still required before execution.
diff --git a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md
new file mode 100644
index 0000000..13994ab
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md
@@ -0,0 +1,55 @@
+---
+name: CTO Governed Execution Request PRD
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Request PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem
+
+The CTO stack has an exact approval packet and Hermes can show it, but there is no durable governed execution request that records the proposed action before any backend runs.
+
+The next useful step is a governed execution request that creates a non-mutating execution request record. The record must preserve the exact approval packet, admitted target repository, allowed paths, Harness command, proof pointers, and blocked actions.
+
+## Scope
+
+- Create a local CTO planning record for the approved candidate task shape.
+- Keep `approval_granted: false`.
+- Keep `execution_allowed: false`.
+- Name the admitted target repository and allowed paths.
+- Name the Harness command that would run only after approval.
+- Preserve that JP approval is still required before execution.
+
+## Non-goals
+
+- Do not execute Case.
+- Do not activate Case as default backend.
+- Do not mutate target repositories.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- Do not change Core authority.
+
+## Acceptance Criteria
+
+- `WORKBOARD.yaml` records `CTO-WORK-066` and `CTO-WORK-067` as validated.
+- The governed execution request includes `approval_granted: false`.
+- The governed execution request includes `execution_allowed: false`.
+- Runtime default activation remains false.
+- JP approval is still required before execution.
+- Local validation checks the new record and its guardrails.
+
+## Validation
+
+- `python3 tools/validate_cto_child.py`
+- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
+
+## Risk
+
+The main risk is accidentally treating request creation as execution approval. The guardrail is explicit: Do not execute Case. Do not mutate target repositories. JP approval is still required before execution.
diff --git a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
new file mode 100644
index 0000000..83c5928
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
@@ -0,0 +1,68 @@
+---
+name: CTO Governed Execution Request Record
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Request Record
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Workboard
+
+- `CTO-WORK-067`
+
+## Request State
+
+- governed execution request
+- non-mutating execution request record
+- approval_granted: false
+- execution_allowed: false
+- Runtime default activation remains false.
+- JP approval is still required before execution.
+
+## Exact Approval Packet
+
+The exact approval packet remains the prior text:
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+This record does not grant that approval. It preserves the exact approval packet for later JP action.
+
+## Admitted Target Repository
+
+- admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
+
+## Allowed Paths
+
+- allowed paths: `src/strings.py`
+- allowed paths: `test_strings.py`
+
+## Harness Command
+
+- Harness command: `python3 -m pytest -q`
+
+## Required Evidence Pointers
+
+- Approval packet evidence: `.sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-EVIDENCE.md`
+- Stage 5 report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json`
+- Stage 5 target proof: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json`
+- Stage 6 replay comparison: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T112448Z-stage6-real-governed-refresh/stage6-real-governed-refresh-comparison.json`
+
+## Blocked Actions
+
+- Do not execute Case.
+- Do not activate Case as default backend.
+- Do not mutate target repositories.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+
+## Next Allowed Action
+
+The next allowed action is review of this governed execution request. Actual execution requires JP approval after this record is visible and validated.
diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml
index a1dd379..87c4db4 100644
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@@ -326,3 +326,13 @@ items:
 status: validated
 source: .sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-ISSUES.md
 owner: ""
+ - id: CTO-WORK-066
+ title: Governed Execution Request PRD
+ status: validated
+ source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md
+ owner: ""
+ - id: CTO-WORK-067
+ title: Governed Execution Request Record
+ status: validated
+ source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
+ owner: ""
diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py
index c69c0cd..7fa5352 100644
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@@ -60,6 +60,9 @@ REQUIRED_FILES = [
 ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-PRD.md",
 ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-ISSUES.md",
 ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-EVIDENCE.md",
+ ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md",
+ ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md",
+ ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md",
 ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
 ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
 ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
@@ -278,6 +281,23 @@ REQUIRED_HERMES_APPROVAL_PACKET_EVIDENCE_PHRASES = [ "Hermes prepares approval text; JP remains the approver.", ] +REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES = [ + "Local planning SOT only. Not a Core Protocol. Not active Core authority.", + "governed execution request", + "non-mutating execution request record", + "exact approval packet", + "admitted target repository", + "allowed paths", + "Harness command", + "approval_granted: false", + "execution_allowed: false", + "Do not execute Case.", + "Do not activate Case as default backend.", + "Do not mutate target repositories.", + "Runtime default activation remains false.", + "JP approval is still required before execution.", +] + REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_EVIDENCE_PHRASES = [ "Local planning SOT only. Not a Core Protocol. Not active Core authority.", "CTO-WORK-057", 
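Review bot: REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES carries no comment on how its entries are matched, and the matching is stricter than the list suggests. The later `phrase not in text` tests are literal and case-sensitive, so the record's heading `## Exact Approval Packet` would not satisfy "exact approval packet"; the record passes only because its prose repeats the phrase in lower case. I would add above the list `# Literal, case-sensitive substrings; every entry must appear in the PRD, issues and record files.` so a later rewording of those documents is not mistaken for a lost guardrail.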
@@ -1391,6 +1411,43 @@ def main() -> int: if phrase not in text: errors.append(f"missing_hermes_approval_packet_evidence_phrase:{phrase}") + governed_execution_request_prd = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md" + if governed_execution_request_prd.is_file(): + text = governed_execution_request_prd.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("governed_execution_request_prd_missing_not_promoted_frontmatter") + for phrase in REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES: + checked.append(f"governed_execution_request_prd_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_governed_execution_request_prd_phrase:{phrase}") + + governed_execution_request_issues = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md" + if governed_execution_request_issues.is_file(): + text = governed_execution_request_issues.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("governed_execution_request_issues_missing_not_promoted_frontmatter") + for phrase in ["CTO-WORK-066", "CTO-WORK-067", *REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES]: + checked.append(f"governed_execution_request_issue_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_governed_execution_request_issue_phrase:{phrase}") + + governed_execution_request_record = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md" + if governed_execution_request_record.is_file(): + text = governed_execution_request_record.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("governed_execution_request_record_missing_not_promoted_frontmatter") + for phrase in [ + "CTO-WORK-067", + "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox", + "src/strings.py", + "test_strings.py", + "python3 -m pytest -q", + *REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES, + ]: + 
checked.append(f"governed_execution_request_record_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_governed_execution_request_record_phrase:{phrase}") + hermes_real_refresh_control_replay_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md" if hermes_real_refresh_control_replay_evidence.is_file(): text = hermes_real_refresh_control_replay_evidence.read_text(encoding="utf-8") @@ -2007,6 +2064,8 @@ def main() -> int: "CTO-WORK-063": "validated", "CTO-WORK-064": "validated", "CTO-WORK-065": "validated", + "CTO-WORK-066": "validated", + "CTO-WORK-067": "validated", } for issue_id, expected in expected_statuses.items(): checked.append(f"workboard_status:{issue_id}:{expected}")
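Review bot: The three added blocks in main() prove only that each guardrail phrase occurs somewhere in the file, so a record that keeps `approval_granted: false` on one line and gains a granting line elsewhere would still validate; the PRD and issues files already satisfy the same test from prose such as "Keep `approval_granted: false`". Because this record is the artifact that separates a request from an approved execution, the record block should also reject the contradicting state, for example `if "approval_granted: true" in text or "execution_allowed: true" in text:` followed by `errors.append("governed_execution_request_record_grants_approval")`. Each block is also guarded by `is_file()`, so a missing file skips its phrase checks silently; that is safe only if the REQUIRED_FILES entries added in the first hunk are reported by an existence check elsewhere, which is not visible here. main() begins and ends outside the hunk.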