From 7a68d85191277a0d48f5a2fe97c901d2391a1fe1 Mon Sep 17 00:00:00 2001 From: Svrnty Date: Sun, 31 May 2026 21:37:30 -0400 Subject: [PATCH 1/2] Admit OpenAI Codex model pair --- ...TO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md | 22 ++++++++ ...OVIDER-ADMISSION.openai-codex-gpt-5.5.json | 10 ++++ README.md | 3 +- WORKBOARD.yaml | 5 ++ tools/validate_cto_child.py | 50 +++++++++++++++++++ 5 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 .sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json diff --git a/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md b/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md index 9dea913..d47c5f0 100644 --- a/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md +++ b/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md 
@@ -87,3 +87,25 @@ Required fields:
 - `review_trigger`: expiry, date, or condition that forces review.
 - `evidence_sources`: references to existing admission/build evidence, not copied runtime evidence.
 - `effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.
+
+## CTO-WORK-027 - OpenAI Codex Model Admission JSON
+
+Status: validated.
+
+Record the exact non-secret admission JSON required by `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` for the approved `openai-codex` / `gpt-5.5` primary provider path.
+
+Acceptance:
+
+- Admission file path is `.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json`.
+- Admission JSON has `status`: `admitted`.
+- Admission JSON has `provider`: `openai-codex`.
+- Admission JSON has `model`: `gpt-5.5`.
+- Admission JSON has `credential_source_class`: `hermes-openai-codex-oauth-and-local-vllm-config`.
+- Admission JSON has `allowed_network_class`: `codex-oauth-hosted-model-plus-local-vllm-fallback`.
+- Admission JSON has `approval_source`: `JP chat approval on 2026-05-31`.
+- Admission JSON has `admission_timestamp`.
+- Admission JSON has `review_trigger`.
+- Admission JSON contains no secret keys or secret values.
+- Fallback to `vllm` / `qwen3.6-35b-a3b` remains explicit decision-record context and must be represented in runtime evidence before it may count as a Case provider/model path.
+- `CTO-WORK-020` remains blocked until real Case Stage 2 produces a Harness Evidence Interface pass report using this admission file.
+- Real Case Stage 2 command must set `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` to this admission JSON path.
diff --git a/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json b/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json
new file mode 100644
index 0000000..b3a9a33
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json
@@ -0,0 +1,10 @@
+{
+ "admission_timestamp": "2026-05-31T00:00:00-04:00",
+ "allowed_network_class": "codex-oauth-hosted-model-plus-local-vllm-fallback",
+ "approval_source": "JP chat approval on 2026-05-31",
+ "credential_source_class": "hermes-openai-codex-oauth-and-local-vllm-config",
+ "model": "gpt-5.5",
+ "provider": "openai-codex",
+ "review_trigger": "Before real Case Stage 2 admission JSON path changes, before credential source changes, before default/fallback model changes, or before promotion beyond copied artificial fixture.",
+ "status": "admitted"
+}
diff --git a/README.md b/README.md
index e83741d..6a7cf3c 100644
--- a/README.md
+++ b/README.md
@@ -52,7 +52,8 @@ This workspace is registered as a child-local planning workspace. Registration d
 | |-- CTO-CASE-LOCAL-PROVIDER-ROUTE-ISSUES.md
 | |-- CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md
 | |-- CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md
-| `-- CTO-CASE-PROVIDER-DECISION-RECORD.md
+| |-- CTO-CASE-PROVIDER-DECISION-RECORD.md
+| `-- CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json
 `-- tools/
 `-- validate_cto_child.py
 ```
diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml
index 63e24d7..a1c73b4 100644
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@@ -130,3 +130,8 @@ items:
 status: validated
 source: .sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md
 owner: ""
+ - id: CTO-WORK-027
+ title: OpenAI Codex Model Admission JSON
+ status: validated
+ source: .sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json
+ owner: ""
diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py
index f335b9c..56c228a 100644
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@@ -39,6 +39,7 @@ REQUIRED_FILES = [ ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md", + ".sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json", ] REQUIRED_BRIEF_PHRASES = [ @@ -420,6 +421,7 @@ REQUIRED_MODEL_PROVIDER_ADMISSION_PRD_PHRASES = [ REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_IDS = [ "CTO-WORK-019", "CTO-WORK-020", + "CTO-WORK-027", ] REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_PHRASES = [ 
@@ -454,8 +456,29 @@ REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_PHRASES = [ "`review_trigger`: expiry, date, or condition that forces review.", "`evidence_sources`: references to existing admission/build evidence, not copied runtime evidence.", "`effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.", + "CTO-WORK-027 - OpenAI Codex Model Admission JSON", + "Admission file path is `.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json`.", + "Admission JSON has `status`: `admitted`.", + "Admission JSON has `provider`: `openai-codex`.", + "Admission JSON has `model`: `gpt-5.5`.", + "Admission JSON has `credential_source_class`: `hermes-openai-codex-oauth-and-local-vllm-config`.", + "Admission JSON has `allowed_network_class`: `codex-oauth-hosted-model-plus-local-vllm-fallback`.", + "Admission JSON has `approval_source`: `JP chat approval on 2026-05-31`.", + "Admission JSON contains no secret keys or secret values.", + "Fallback to `vllm` / `qwen3.6-35b-a3b` remains explicit decision-record context and must be represented in runtime evidence before it may count as a Case provider/model path.", + "`CTO-WORK-020` remains blocked until real Case Stage 2 produces a Harness Evidence Interface pass report using this admission file.", + "Real Case Stage 2 command must set `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` to this admission JSON path.", ] +REQUIRED_OPENAI_CODEX_ADMISSION_JSON = { + "status": "admitted", + "provider": "openai-codex", + "model": "gpt-5.5", + "credential_source_class": "hermes-openai-codex-oauth-and-local-vllm-config", + "allowed_network_class": "codex-oauth-hosted-model-plus-local-vllm-fallback", + "approval_source": "JP chat approval on 2026-05-31", +} + REQUIRED_LOCAL_PROVIDER_ROUTE_PRD_PHRASES = [ "Local planning SOT only. Not a Core Protocol. Not active Core authority.", "`CTO-WORK-020` remains blocked until a provider policy decision exists.", 
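Review bot: The CTO-WORK-027 phrases added to `REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_PHRASES` leave out two of the acceptance bullets that the same commit adds to the issues file, so either bullet could be deleted without failing validation; add ``"Admission JSON has `admission_timestamp`.",`` and ``"Admission JSON has `review_trigger`.",`` next to the other entries. `REQUIRED_OPENAI_CODEX_ADMISSION_JSON` also has no comment and pins `approval_source` to a free-text sentence by exact match. A line such as `# Exact-match pins for the admission record; admission_timestamp and review_trigger are checked for presence only.` above the dict would tell the next editor which fields are pinned and which are not.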
@@ -845,6 +868,30 @@ def main() -> int: if phrase not in text: errors.append(f"missing_model_provider_admission_issue_phrase:{phrase}") + openai_codex_admission = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json" + if openai_codex_admission.is_file(): + checked.append("openai_codex_admission_json:parse") + try: + payload = json.loads(openai_codex_admission.read_text(encoding="utf-8")) + except json.JSONDecodeError as exc: + errors.append(f"openai_codex_admission_invalid_json:{exc}") + payload = {} + if not isinstance(payload, dict): + errors.append("openai_codex_admission_must_be_object") + payload = {} + for key, expected in REQUIRED_OPENAI_CODEX_ADMISSION_JSON.items(): + checked.append(f"openai_codex_admission_json:{key}") + if payload.get(key) != expected: + errors.append(f"openai_codex_admission_mismatch:{key}:expected_{expected}:actual_{payload.get(key)}") + for key in ["admission_timestamp", "review_trigger"]: + checked.append(f"openai_codex_admission_json:{key}") + if not isinstance(payload.get(key), str) or not payload.get(key): + errors.append(f"openai_codex_admission_missing:{key}") + for key in payload: + checked.append(f"openai_codex_admission_json_secret_key:{key}") + if key.lower() in {"api_key", "apikey", "access_token", "token", "secret", "password", "credential_value"}: + errors.append(f"openai_codex_admission_forbidden_secret_key:{key}") + local_provider_route_prd = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-LOCAL-PROVIDER-ROUTE-PRD.md" if local_provider_route_prd.is_file(): text = local_provider_route_prd.read_text(encoding="utf-8") @@ -968,6 +1015,7 @@ def main() -> int: "CTO-WORK-024": "validated", "CTO-WORK-025": "validated", "CTO-WORK-026": "validated", + "CTO-WORK-027": "validated", } for issue_id, expected in expected_statuses.items(): checked.append(f"workboard_status:{issue_id}:{expected}") 
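Review bot: The secret check that closes the added admission block in `main()` compares only top-level key names against a seven-entry exact-match set, so a key such as `client_secret` or `refresh_token`, a nested object, or a secret pasted into a value all pass, although the CTO-WORK-027 acceptance text requires "no secret keys or secret values". Because the record has a fixed shape (the six pinned fields plus `admission_timestamp` and `review_trigger`), failing closed on any other key and on non-string values is simpler than growing the denylist. The mismatch message also interpolates `payload.get(key)`, which copies file content into the validator output; reporting the field name alone avoids echoing a credential that was pasted into a pinned field by mistake. `main()` starts and ends outside this hunk, and where the `errors` list ends up is not visible here.

```python
        # … unchanged: JSON parse and must-be-object checks …
        allowed_keys = set(REQUIRED_OPENAI_CODEX_ADMISSION_JSON) | {"admission_timestamp", "review_trigger"}
        # … unchanged: loop over REQUIRED_OPENAI_CODEX_ADMISSION_JSON up to the comparison …
            if payload.get(key) != expected:
                # Name the field only; the actual value stays out of the report.
                errors.append(f"openai_codex_admission_mismatch:{key}:expected_{expected}")
        # … unchanged: admission_timestamp / review_trigger presence check …
        for key, value in payload.items():
            checked.append(f"openai_codex_admission_json_secret_key:{key}")
            if key not in allowed_keys:
                # Fail closed: anything outside the fixed record shape is rejected.
                errors.append(f"openai_codex_admission_unexpected_key:{key}")
            elif not isinstance(value, str):
                # Nested objects and lists cannot hide further keys or values.
                errors.append(f"openai_codex_admission_non_string_value:{key}")
```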
@@ -1016,6 +1064,8 @@ def main() -> int: errors.append("workboard_missing_provider_decision_packet_issues_source") if "CTO-CASE-PROVIDER-DECISION-RECORD.md" not in text: errors.append("workboard_missing_provider_decision_record_source") + if "CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json" not in text: + errors.append("workboard_missing_openai_codex_admission_json_source") payload = { "ok": not errors, From 4e9cca3a531664a16435cb2bd2bb3d796de92a3d Mon Sep 17 00:00:00 2001 From: Svrnty Date: Sun, 31 May 2026 21:42:58 -0400 Subject: [PATCH 2/2] Record Case agent protocol blocker --- .../CTO-CASE-AGENT-PROTOCOL-BLOCKER.md | 98 +++++++++++++++++++ ...TO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md | 16 +++ .../CTO-CASE-PROVIDER-BUILD-ISSUES.md | 13 +++ README.md | 3 +- WORKBOARD.yaml | 5 + tools/validate_cto_child.py | 1 + 6 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 .sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md diff --git a/.sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md b/.sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md new file mode 100644 index 0000000..a33bd14 --- /dev/null +++ b/.sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md 
@@ -0,0 +1,98 @@
+---
+title: CTO Case Agent Protocol Blocker
+status: draft
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+route: cto
+---
+
+# CTO Case Agent Protocol Blocker
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## CTO-WORK-028 - Case Agent Result Protocol Blocker
+
+Status: blocked.
+
+Record the first admitted real Case Stage 2 run after OpenAI Codex model admission.
+The run proves that provider/model admission now reaches Case execution, but does
+not prove Stage 2. Case failed before producing a workspace diff because its
+implementer agent result did not satisfy the Case result-envelope contract.
+
+Acceptance:
+
+- Real Case Stage 2 remains blocked until Case produces a Harness Evidence Interface pass report.
+- The admitted provider/model pair remains `openai-codex` / `gpt-5.5`.
+- The admission file remains `.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json`.
+- Evidence must show `case_process_started: true` before this blocker is accepted as the current blocker.
+- Evidence must show `case_model_admission_status: admitted`.
+- Evidence must show no target repository path was inspected or copied.
+- Evidence must show no workspace patch was produced.
+- Evidence must show tests did not pass.
+- The next implementation route must happen through the Hermes CTO harness seam, a Case-compatible provider adapter seam, or an external compatibility layer.
+- The next implementation route must not mutate Cortex Core, vendor Case source, or external developer repositories.
+- No real-repo, copied-repo, sandbox-repo, owned-repo, default-candidate, or Core promotion stage may use this failed run as pass evidence.
+
+## Evidence - 2026-06-01
+
+- Harness command class: real Case Stage 2 artificial fixture.
+- Run artifact directory: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T013918Z-r1-string-slugify-2381028`.
+- Case binary path used by harness: `/tmp/workos-case/dist/ca`.
+- Case source pin for the built binary: `7959ac917cdeb0983b4aaa20bb9f42021747fed8`.
+- Report status: `fail`.
+- Backend: `case`.
+- Backend exit code: `1`.
+- Case process started: `true`.
+- Case model provider: `openai-codex`.
+- Case model: `gpt-5.5`.
+- Case model admission status: `admitted`.
+- Source admission status: `not_admitted`.
+- No target inspection proof: `stage2-no-target-inspection.json`.
+- Changed files: none.
+- Patch artifact: `patch.diff`.
+- Patch digest: `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`.
+- Tests command: `python3 -m pytest -q`.
+- Tests passed: `false`.
+- Required events passed: `false`.
+- Report blocker: `case engine failed with exit code 1`.
+- Case stderr evidence: implementer failed with `AGENT_RESULT start delimiter not found`.
+- Case stderr evidence: retry classified the failure as `agent-protocol-error`.
+- Case stdout evidence: unattended mode auto-selected `Abort`.
+- Result: Stage 2 is still blocked.
+
+## Current Interpretation
+
+This is a protocol compatibility blocker, not a provider approval blocker.
+
+The admitted provider/model reached Case. Case then failed because the implementer
+agent did not return output framed by the Case `AGENT_RESULT` delimiter contract.
+The evidence does not prove whether the defect is Case provider configuration,
+provider adapter behavior, Codex output framing, or harness invocation shape.
+
+## Required Next Route
+
+The next useful route is a small Case agent protocol compatibility investigation.
+It should answer only this question:
+
+```text
+What minimal non-vendor seam makes admitted Case execution return the required
+AGENT_RESULT envelope and produce a Stage 2 artificial fixture diff?
+```
+
+Allowed next actions:
+
+- Inspect Case provider adapter behavior read-only.
+- Inspect Hermes CTO Case invocation behavior.
+- Add fail-closed classification in Hermes CTO harness if needed.
+- Add a compatibility shim only outside vendor Case source.
+- Re-run real Case Stage 2 only after a specific protocol compatibility change exists.
+
+Forbidden next actions:
+
+- Do not edit `/tmp/workos-case` as the durable solution.
+- Do not mark Stage 2 validated from this run.
+- Do not promote Case to copied repo, sandbox repo, owned repo, or default candidate.
+- Do not write provider secrets to SOT, argv, task files, backend logs, reports, traces, or commits.
diff --git a/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md b/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md
index d47c5f0..8c68cb2 100644
--- a/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md
@@ -109,3 +109,19 @@ Acceptance:
 - Fallback to `vllm` / `qwen3.6-35b-a3b` remains explicit decision-record context and must be represented in runtime evidence before it may count as a Case provider/model path.
 - `CTO-WORK-020` remains blocked until real Case Stage 2 produces a Harness Evidence Interface pass report using this admission file.
 - Real Case Stage 2 command must set `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` to this admission JSON path.
+
+## Post-Admission Runtime Evidence - 2026-06-01
+
+- Run artifact directory: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T013918Z-r1-string-slugify-2381028`.
+- Report status: `fail`.
+- Backend: `case`.
+- Case process started: `true`.
+- Case model provider: `openai-codex`.
+- Case model: `gpt-5.5`.
+- Case model admission status: `admitted`.
+- The admitted provider/model path reached Case execution.
+- Case failed before producing a diff.
+- Case stderr recorded `AGENT_RESULT start delimiter not found`.
+- Case retry classified the failure as `agent-protocol-error`.
+- `CTO-WORK-020` remains blocked because no real Case Stage 2 pass report exists.
+- Current downstream blocker is tracked by `CTO-WORK-028`.
diff --git a/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-ISSUES.md b/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-ISSUES.md
index 4ba450d..9190dad 100644
--- a/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-ISSUES.md
@@ -87,6 +87,19 @@ Validation Evidence: - The run timed out before patch application; tests failed because `strings.py` was unchanged. - This is an unadmitted external model path for CTO harness proof and must be blocked before Case process start. +## Admitted Provider Runtime Evidence - 2026-06-01 + +- Real Case Stage 2 run with `/tmp/workos-case/dist/ca` and admitted `openai-codex` / `gpt-5.5` produced report `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T013918Z-r1-string-slugify-2381028/report.json`. +- Case process started after admission passed. +- Backend exit code was `1`. +- The harness recorded no changed files. +- The patch artifact was empty. +- Tests failed because the artificial fixture bug remained unchanged. +- Case stderr recorded `AGENT_RESULT start delimiter not found`. +- Case stderr classified the retry as `agent-protocol-error`. +- `CTO-WORK-016` remains blocked because no real Case Stage 2 pass report exists. +- Current downstream blocker is tracked by `CTO-WORK-028`. + ## CTO-WORK-018 - Case Model Provider Admission Gate Status: validated. diff --git a/README.md b/README.md index 6a7cf3c..3559815 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,8 @@ This workspace is registered as a child-local planning workspace. Registration d | |-- CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md | |-- CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md | |-- CTO-CASE-PROVIDER-DECISION-RECORD.md -| `-- CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json +| |-- CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json +| `-- CTO-CASE-AGENT-PROTOCOL-BLOCKER.md `-- tools/ `-- validate_cto_child.py ``` diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml index a1c73b4..6c8a908 100644 --- a/WORKBOARD.yaml +++ b/WORKBOARD.yaml 
@@ -135,3 +135,8 @@ items: status: validated source: .sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json owner: "" + - id: CTO-WORK-028 + title: Case Agent Result Protocol Blocker + status: blocked + source: .sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md + owner: jp diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py index 56c228a..bad9732 100644 --- a/tools/validate_cto_child.py +++ b/tools/validate_cto_child.py @@ -40,6 +40,7 @@ REQUIRED_FILES = [ ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md", ".sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json", + ".sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md", ] REQUIRED_BRIEF_PHRASES = [