Record governed execution request

2026-06-01 07:51:09 -04:00 · 2026-06-01 07:51:09 -04:00 · b7a7354f97
commit b7a7354f97
parent 61b6cffa34
5 changed files with 241 additions and 0 deletions
--- a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md
@ -0,0 +1,49 @@
+---
+name: CTO Governed Execution Request Issues
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Request Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue: CTO-WORK-066 - Governed Execution Request PRD
+
+Status: validated.
+
+Acceptance:
+
+- Define the governed execution request scope.
+- Require a non-mutating execution request record.
+- Preserve the exact approval packet, admitted target repository, allowed paths, and Harness command.
+- Record `approval_granted: false`.
+- Record `execution_allowed: false`.
+- State: Do not execute Case.
+- State: Do not activate Case as default backend.
+- State: Do not mutate target repositories.
+- State: Runtime default activation remains false.
+- State: JP approval is still required before execution.
+
+## Issue: CTO-WORK-067 - Governed Execution Request Record
+
+Status: validated.
+
+Acceptance:
+
+- Create the governed execution request record.
+- Include the admitted target repository.
+- Include allowed paths.
+- Include the Harness command.
+- Include proof pointers from prior Harness and Hermes evidence.
+- Keep `approval_granted: false`.
+- Keep `execution_allowed: false`.
+- State: Do not execute Case.
+- State: Do not activate Case as default backend.
+- State: Do not mutate target repositories.
+- State: Runtime default activation remains false.
+- State: JP approval is still required before execution.
--- a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md
@ -0,0 +1,55 @@
+---
+name: CTO Governed Execution Request PRD
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Request PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem
+
+The CTO stack has an exact approval packet and Hermes can show it, but there is no durable governed execution request that records the proposed action before any backend runs.
+
+The next useful step is a governed execution request that creates a non-mutating execution request record. The record must preserve the exact approval packet, admitted target repository, allowed paths, Harness command, proof pointers, and blocked actions.
+
+## Scope
+
+- Create a local CTO planning record for the approved candidate task shape.
+- Keep `approval_granted: false`.
+- Keep `execution_allowed: false`.
+- Name the admitted target repository and allowed paths.
+- Name the Harness command that would run only after approval.
+- Preserve that JP approval is still required before execution.
+
+## Non-goals
+
+- Do not execute Case.
+- Do not activate Case as default backend.
+- Do not mutate target repositories.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+- Do not change Core authority.
+
+## Acceptance Criteria
+
+- `WORKBOARD.yaml` records `CTO-WORK-066` and `CTO-WORK-067` as validated.
+- The governed execution request includes `approval_granted: false`.
+- The governed execution request includes `execution_allowed: false`.
+- Runtime default activation remains false.
+- JP approval is still required before execution.
+- Local validation checks the new record and its guardrails.
+
+## Validation
+
+- `python3 tools/validate_cto_child.py`
+- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
+
+## Risk
+
+The main risk is accidentally treating request creation as execution approval. The guardrail is explicit: Do not execute Case. Do not mutate target repositories. JP approval is still required before execution.
--- a/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
+++ b/.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
@ -0,0 +1,68 @@
+---
+name: CTO Governed Execution Request Record
+status: validated
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+---
+
+# CTO Governed Execution Request Record
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Workboard
+
+- `CTO-WORK-067`
+
+## Request State
+
+- governed execution request
+- non-mutating execution request record
+- approval_granted: false
+- execution_allowed: false
+- Runtime default activation remains false.
+- JP approval is still required before execution.
+
+## Exact Approval Packet
+
+The exact approval packet remains the prior text:
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+This record does not grant that approval. It preserves the exact approval packet for later JP action.
+
+## Admitted Target Repository
+
+- admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
+
+## Allowed Paths
+
+- allowed paths: `src/strings.py`
+- allowed paths: `test_strings.py`
+
+## Harness Command
+
+- Harness command: `python3 -m pytest -q`
+
+## Required Evidence Pointers
+
+- Approval packet evidence: `.sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-EVIDENCE.md`
+- Stage 5 report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json`
+- Stage 5 target proof: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json`
+- Stage 6 replay comparison: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T112448Z-stage6-real-governed-refresh/stage6-real-governed-refresh-comparison.json`
+
+## Blocked Actions
+
+- Do not execute Case.
+- Do not activate Case as default backend.
+- Do not mutate target repositories.
+- Do not edit upstream `hermes-agent`.
+- Do not edit upstream `hermes-webui`.
+
+## Next Allowed Action
+
+The next allowed action is review of this governed execution request. Actual execution requires JP approval after this record is visible and validated.
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@ -326,3 +326,13 @@ items:
    status: validated
    source: .sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-ISSUES.md
    owner: ""
+  - id: CTO-WORK-066
+    title: Governed Execution Request PRD
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md
+    owner: ""
+  - id: CTO-WORK-067
+    title: Governed Execution Request Record
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
+    owner: ""
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@ -60,6 +60,9 @@ REQUIRED_FILES = [
    ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-PRD.md",
    ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-EVIDENCE.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md",
+    ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
@ -278,6 +281,23 @@ REQUIRED_HERMES_APPROVAL_PACKET_EVIDENCE_PHRASES = [
    "Hermes prepares approval text; JP remains the approver.",
 ]

+REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "governed execution request",
+    "non-mutating execution request record",
+    "exact approval packet",
+    "admitted target repository",
+    "allowed paths",
+    "Harness command",
+    "approval_granted: false",
+    "execution_allowed: false",
+    "Do not execute Case.",
+    "Do not activate Case as default backend.",
+    "Do not mutate target repositories.",
+    "Runtime default activation remains false.",
+    "JP approval is still required before execution.",
+]
+
 REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_EVIDENCE_PHRASES = [
    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
    "CTO-WORK-057",
@ -1391,6 +1411,43 @@ def main() -> int:
            if phrase not in text:
                errors.append(f"missing_hermes_approval_packet_evidence_phrase:{phrase}")

+    governed_execution_request_prd = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md"
+    if governed_execution_request_prd.is_file():
+        text = governed_execution_request_prd.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_request_prd_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES:
+            checked.append(f"governed_execution_request_prd_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_request_prd_phrase:{phrase}")
+
+    governed_execution_request_issues = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md"
+    if governed_execution_request_issues.is_file():
+        text = governed_execution_request_issues.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_request_issues_missing_not_promoted_frontmatter")
+        for phrase in ["CTO-WORK-066", "CTO-WORK-067", *REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES]:
+            checked.append(f"governed_execution_request_issue_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_request_issue_phrase:{phrase}")
+
+    governed_execution_request_record = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md"
+    if governed_execution_request_record.is_file():
+        text = governed_execution_request_record.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("governed_execution_request_record_missing_not_promoted_frontmatter")
+        for phrase in [
+            "CTO-WORK-067",
+            "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
+            "src/strings.py",
+            "test_strings.py",
+            "python3 -m pytest -q",
+            *REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES,
+        ]:
+            checked.append(f"governed_execution_request_record_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_governed_execution_request_record_phrase:{phrase}")
+
    hermes_real_refresh_control_replay_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md"
    if hermes_real_refresh_control_replay_evidence.is_file():
        text = hermes_real_refresh_control_replay_evidence.read_text(encoding="utf-8")
@ -2007,6 +2064,8 @@ def main() -> int:
            "CTO-WORK-063": "validated",
            "CTO-WORK-064": "validated",
            "CTO-WORK-065": "validated",
+            "CTO-WORK-066": "validated",
+            "CTO-WORK-067": "validated",
        }
        for issue_id, expected in expected_statuses.items():
            checked.append(f"workboard_status:{issue_id}:{expected}")