Merge branch 'main' into s91-cto-compat-retirement

.sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md

@@ -0,0 +1,98 @@
+---
+title: CTO Case Agent Protocol Blocker
+status: draft
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+route: cto
+---
+
+# CTO Case Agent Protocol Blocker
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## CTO-WORK-028 - Case Agent Result Protocol Blocker
+
+Status: blocked.
+
+Record the first admitted real Case Stage 2 run after OpenAI Codex model admission.
+The run proves that provider/model admission now reaches Case execution, but does
+not prove Stage 2. Case failed before producing a workspace diff because its
+implementer agent result did not satisfy the Case result-envelope contract.
+
+Acceptance:
+
+- Real Case Stage 2 remains blocked until Case produces a Harness Evidence Interface pass report.
+- The admitted provider/model pair remains `openai-codex` / `gpt-5.5`.
+- The admission file remains `.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json`.
+- Evidence must show `case_process_started: true` before this blocker is accepted as the current blocker.
+- Evidence must show `case_model_admission_status: admitted`.
+- Evidence must show no target repository path was inspected or copied.
+- Evidence must show no workspace patch was produced.
+- Evidence must show tests did not pass.
+- The next implementation route must happen through the Hermes CTO harness seam, a Case-compatible provider adapter seam, or an external compatibility layer.
+- The next implementation route must not mutate Cortex Core, vendor Case source, or external developer repositories.
+- No real-repo, copied-repo, sandbox-repo, owned-repo, default-candidate, or Core promotion stage may use this failed run as pass evidence.
+
+## Evidence - 2026-06-01
+
+- Harness command class: real Case Stage 2 artificial fixture.
+- Run artifact directory: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T013918Z-r1-string-slugify-2381028`.
+- Case binary path used by harness: `/tmp/workos-case/dist/ca`.
+- Case source pin for the built binary: `7959ac917cdeb0983b4aaa20bb9f42021747fed8`.
+- Report status: `fail`.
+- Backend: `case`.
+- Backend exit code: `1`.
+- Case process started: `true`.
+- Case model provider: `openai-codex`.
+- Case model: `gpt-5.5`.
+- Case model admission status: `admitted`.
+- Source admission status: `not_admitted`.
+- No target inspection proof: `stage2-no-target-inspection.json`.
+- Changed files: none.
+- Patch artifact: `patch.diff`.
+- Patch digest: `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`.
+- Tests command: `python3 -m pytest -q`.
+- Tests passed: `false`.
+- Required events passed: `false`.
+- Report blocker: `case engine failed with exit code 1`.
+- Case stderr evidence: implementer failed with `AGENT_RESULT start delimiter not found`.
+- Case stderr evidence: retry classified the failure as `agent-protocol-error`.
+- Case stdout evidence: unattended mode auto-selected `Abort`.
+- Result: Stage 2 is still blocked.
+
+## Current Interpretation
+
+This is a protocol compatibility blocker, not a provider approval blocker.
+
+The admitted provider/model reached Case. Case then failed because the implementer
+agent did not return output framed by the Case `AGENT_RESULT` delimiter contract.
+The evidence does not prove whether the defect is Case provider configuration,
+provider adapter behavior, Codex output framing, or harness invocation shape.
+
+## Required Next Route
+
+The next useful route is a small Case agent protocol compatibility investigation.
+It should answer only this question:
+
+```text
+What minimal non-vendor seam makes admitted Case execution return the required
+AGENT_RESULT envelope and produce a Stage 2 artificial fixture diff?
+```
+
+Allowed next actions:
+
+- Inspect Case provider adapter behavior read-only.
+- Inspect Hermes CTO Case invocation behavior.
+- Add fail-closed classification in Hermes CTO harness if needed.
+- Add a compatibility shim only outside vendor Case source.
+- Re-run real Case Stage 2 only after a specific protocol compatibility change exists.
+
+Forbidden next actions:
+
+- Do not edit `/tmp/workos-case` as the durable solution.
+- Do not mark Stage 2 validated from this run.
+- Do not promote Case to copied repo, sandbox repo, owned repo, or default candidate.
+- Do not write provider secrets to SOT, argv, task files, backend logs, reports, traces, or commits.

.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md

@@ -87,3 +87,41 @@ Required fields:
 - `review_trigger`: expiry, date, or condition that forces review.
 - `evidence_sources`: references to existing admission/build evidence, not copied runtime evidence.
 - `effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.
+
+## CTO-WORK-027 - OpenAI Codex Model Admission JSON
+
+Status: validated.
+
+Record the exact non-secret admission JSON required by `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` for the approved `openai-codex` / `gpt-5.5` primary provider path.
+
+Acceptance:
+
+- Admission file path is `.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json`.
+- Admission JSON has `status`: `admitted`.
+- Admission JSON has `provider`: `openai-codex`.
+- Admission JSON has `model`: `gpt-5.5`.
+- Admission JSON has `credential_source_class`: `hermes-openai-codex-oauth-and-local-vllm-config`.
+- Admission JSON has `allowed_network_class`: `codex-oauth-hosted-model-plus-local-vllm-fallback`.
+- Admission JSON has `approval_source`: `JP chat approval on 2026-05-31`.
+- Admission JSON has `admission_timestamp`.
+- Admission JSON has `review_trigger`.
+- Admission JSON contains no secret keys or secret values.
+- Fallback to `vllm` / `qwen3.6-35b-a3b` remains explicit decision-record context and must be represented in runtime evidence before it may count as a Case provider/model path.
+- `CTO-WORK-020` remains blocked until real Case Stage 2 produces a Harness Evidence Interface pass report using this admission file.
+- Real Case Stage 2 command must set `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` to this admission JSON path.
+
+## Post-Admission Runtime Evidence - 2026-06-01
+
+- Run artifact directory: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T013918Z-r1-string-slugify-2381028`.
+- Report status: `fail`.
+- Backend: `case`.
+- Case process started: `true`.
+- Case model provider: `openai-codex`.
+- Case model: `gpt-5.5`.
+- Case model admission status: `admitted`.
+- The admitted provider/model path reached Case execution.
+- Case failed before producing a diff.
+- Case stderr recorded `AGENT_RESULT start delimiter not found`.
+- Case retry classified the failure as `agent-protocol-error`.
+- `CTO-WORK-020` remains blocked because no real Case Stage 2 pass report exists.
+- Current downstream blocker is tracked by `CTO-WORK-028`.

.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json

@@ -0,0 +1,10 @@
+{
+  "admission_timestamp": "2026-05-31T00:00:00-04:00",
+  "allowed_network_class": "codex-oauth-hosted-model-plus-local-vllm-fallback",
+  "approval_source": "JP chat approval on 2026-05-31",
+  "credential_source_class": "hermes-openai-codex-oauth-and-local-vllm-config",
+  "model": "gpt-5.5",
+  "provider": "openai-codex",
+  "review_trigger": "Before real Case Stage 2 admission JSON path changes, before credential source changes, before default/fallback model changes, or before promotion beyond copied artificial fixture.",
+  "status": "admitted"
+}

.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-ISSUES.md

@@ -87,6 +87,19 @@ Validation Evidence:
 - The run timed out before patch application; tests failed because `strings.py` was unchanged.
 - This is an unadmitted external model path for CTO harness proof and must be blocked before Case process start.
 
+## Admitted Provider Runtime Evidence - 2026-06-01
+
+- Real Case Stage 2 run with `/tmp/workos-case/dist/ca` and admitted `openai-codex` / `gpt-5.5` produced report `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T013918Z-r1-string-slugify-2381028/report.json`.
+- Case process started after admission passed.
+- Backend exit code was `1`.
+- The harness recorded no changed files.
+- The patch artifact was empty.
+- Tests failed because the artificial fixture bug remained unchanged.
+- Case stderr recorded `AGENT_RESULT start delimiter not found`.
+- Case stderr classified the retry as `agent-protocol-error`.
+- `CTO-WORK-016` remains blocked because no real Case Stage 2 pass report exists.
+- Current downstream blocker is tracked by `CTO-WORK-028`.
+
 ## CTO-WORK-018 - Case Model Provider Admission Gate
 
 Status: validated.

README.md

@@ -52,7 +52,9 @@ This workspace is registered as a child-local planning workspace. Registration d
 |       |-- CTO-CASE-LOCAL-PROVIDER-ROUTE-ISSUES.md
 |       |-- CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md
 |       |-- CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md
-|       `-- CTO-CASE-PROVIDER-DECISION-RECORD.md
+|       |-- CTO-CASE-PROVIDER-DECISION-RECORD.md
+|       |-- CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json
+|       `-- CTO-CASE-AGENT-PROTOCOL-BLOCKER.md
 `-- tools/
     `-- validate_cto_child.py
 ```

WORKBOARD.yaml

@@ -130,3 +130,13 @@ items:
     status: validated
     source: .sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md
     owner: ""
+  - id: CTO-WORK-027
+    title: OpenAI Codex Model Admission JSON
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json
+    owner: ""
+  - id: CTO-WORK-028
+    title: Case Agent Result Protocol Blocker
+    status: blocked
+    source: .sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md
+    owner: jp

tools/validate_cto_child.py

@@ -39,6 +39,8 @@ REQUIRED_FILES = [
     ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-PRD.md",
     ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-PACKET-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md",
+    ".sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json",
+    ".sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md",
 ]
 
 REQUIRED_BRIEF_PHRASES = [
@@ -420,6 +422,7 @@ REQUIRED_MODEL_PROVIDER_ADMISSION_PRD_PHRASES = [
 REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_IDS = [
     "CTO-WORK-019",
     "CTO-WORK-020",
+    "CTO-WORK-027",
 ]
 
 REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_PHRASES = [
@@ -454,8 +457,29 @@ REQUIRED_MODEL_PROVIDER_ADMISSION_ISSUE_PHRASES = [
     "`review_trigger`: expiry, date, or condition that forces review.",
     "`evidence_sources`: references to existing admission/build evidence, not copied runtime evidence.",
     "`effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.",
+    "CTO-WORK-027 - OpenAI Codex Model Admission JSON",
+    "Admission file path is `.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json`.",
+    "Admission JSON has `status`: `admitted`.",
+    "Admission JSON has `provider`: `openai-codex`.",
+    "Admission JSON has `model`: `gpt-5.5`.",
+    "Admission JSON has `credential_source_class`: `hermes-openai-codex-oauth-and-local-vllm-config`.",
+    "Admission JSON has `allowed_network_class`: `codex-oauth-hosted-model-plus-local-vllm-fallback`.",
+    "Admission JSON has `approval_source`: `JP chat approval on 2026-05-31`.",
+    "Admission JSON contains no secret keys or secret values.",
+    "Fallback to `vllm` / `qwen3.6-35b-a3b` remains explicit decision-record context and must be represented in runtime evidence before it may count as a Case provider/model path.",
+    "`CTO-WORK-020` remains blocked until real Case Stage 2 produces a Harness Evidence Interface pass report using this admission file.",
+    "Real Case Stage 2 command must set `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` to this admission JSON path.",
 ]
 
+REQUIRED_OPENAI_CODEX_ADMISSION_JSON = {
+    "status": "admitted",
+    "provider": "openai-codex",
+    "model": "gpt-5.5",
+    "credential_source_class": "hermes-openai-codex-oauth-and-local-vllm-config",
+    "allowed_network_class": "codex-oauth-hosted-model-plus-local-vllm-fallback",
+    "approval_source": "JP chat approval on 2026-05-31",
+}
+
 REQUIRED_LOCAL_PROVIDER_ROUTE_PRD_PHRASES = [
     "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
     "`CTO-WORK-020` remains blocked until a provider policy decision exists.",
@@ -845,6 +869,30 @@ def main() -> int:
             if phrase not in text:
                 errors.append(f"missing_model_provider_admission_issue_phrase:{phrase}")
 
+    openai_codex_admission = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json"
+    if openai_codex_admission.is_file():
+        checked.append("openai_codex_admission_json:parse")
+        try:
+            payload = json.loads(openai_codex_admission.read_text(encoding="utf-8"))
+        except json.JSONDecodeError as exc:
+            errors.append(f"openai_codex_admission_invalid_json:{exc}")
+            payload = {}
+        if not isinstance(payload, dict):
+            errors.append("openai_codex_admission_must_be_object")
+            payload = {}
+        for key, expected in REQUIRED_OPENAI_CODEX_ADMISSION_JSON.items():
+            checked.append(f"openai_codex_admission_json:{key}")
+            if payload.get(key) != expected:
+                errors.append(f"openai_codex_admission_mismatch:{key}:expected_{expected}:actual_{payload.get(key)}")
+        for key in ["admission_timestamp", "review_trigger"]:
+            checked.append(f"openai_codex_admission_json:{key}")
+            if not isinstance(payload.get(key), str) or not payload.get(key):
+                errors.append(f"openai_codex_admission_missing:{key}")
+        for key in payload:
+            checked.append(f"openai_codex_admission_json_secret_key:{key}")
+            if key.lower() in {"api_key", "apikey", "access_token", "token", "secret", "password", "credential_value"}:
+                errors.append(f"openai_codex_admission_forbidden_secret_key:{key}")
+
     local_provider_route_prd = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-LOCAL-PROVIDER-ROUTE-PRD.md"
     if local_provider_route_prd.is_file():
         text = local_provider_route_prd.read_text(encoding="utf-8")
@@ -968,6 +1016,7 @@ def main() -> int:
             "CTO-WORK-024": "validated",
             "CTO-WORK-025": "validated",
             "CTO-WORK-026": "validated",
+            "CTO-WORK-027": "validated",
         }
         for issue_id, expected in expected_statuses.items():
             checked.append(f"workboard_status:{issue_id}:{expected}")
@@ -1016,6 +1065,8 @@ def main() -> int:
             errors.append("workboard_missing_provider_decision_packet_issues_source")
         if "CTO-CASE-PROVIDER-DECISION-RECORD.md" not in text:
             errors.append("workboard_missing_provider_decision_record_source")
+        if "CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json" not in text:
+            errors.append("workboard_missing_openai_codex_admission_json_source")
 
     payload = {
         "ok": not errors,