Plan Hermes WebUI control panel

2026-06-01 07:30:07 -04:00 · 2026-06-01 07:30:07 -04:00 · d2f574802f
commit d2f574802f
parent be65b20cff
4 changed files with 227 additions and 0 deletions
--- a/.sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-ISSUES.md
@ -0,0 +1,79 @@
+---
+name: cto-hermes-webui-control-panel-issues
+tier: local
+status: draft
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-PRD.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local issue sequence for a Hermes WebUI consumer panel over the CTO Harness control summary.
+---
+
+# CTO Hermes WebUI Control Panel Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue Sequence
+
+### CTO-WORK-058 - Hermes WebUI Control Panel PRD
+
+Type: AFK
+
+Status: validated.
+
+Blocked by: CTO-WORK-057
+
+What to build: Define the route for a read-only Hermes WebUI consumer panel over the CTO Harness control summary.
+
+Acceptance criteria:
+
+- [x] PRD requires the panel to use the Hermes-owned extension/plugin surface, not upstream `hermes-webui` or `hermes-agent` edits.
+- [x] PRD requires Harness-backed summary data as the source of truth.
+- [x] PRD requires Stage 6 real-governed refresh status to be visible.
+- [x] PRD requires replay paths for refresh comparison, real Stage 5 pass report, and Stage 5 proof.
+- [x] PRD requires target repository read-only proof status to be visible.
+- [x] PRD separates candidate-default refresh eligibility from runtime default activation.
+- [x] PRD requires blocked Codex/Pi lane rationale to be visible.
+- [x] PRD forbids mutation actions, default activation, upstream source edits, Core promotion, target mutation, and secret exposure.
+- [x] Local CTO validator checks the PRD and issue artifact.
+
+Allowed files: CTO child workspace planning docs and local validator only.
+
+Validator: `python3 tools/validate_cto_child.py`
+
+Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.
+
+### CTO-WORK-059 - Hermes WebUI CTO Harness Control Panel
+
+Type: AFK
+
+Status: candidate.
+
+Blocked by: CTO-WORK-058
+
+What to build: In the Hermes-owned WebUI extension/plugin surface, add a read-only CTO Harness control panel or endpoint consumer over the validated `webui-summary.json` contract.
+
+Acceptance criteria:
+
+- [ ] Implementation does not edit upstream `hermes-webui` or `hermes-agent`.
+- [ ] Panel or endpoint consumes Harness-backed summary data.
+- [ ] Stage 6 real-governed refresh status is visible.
+- [ ] Refresh comparison, real Stage 5 pass report, and Stage 5 proof replay paths are visible.
+- [ ] Target repository read-only proof status is visible.
+- [ ] Candidate-default refresh eligibility is visually separated from runtime default activation.
+- [ ] Codex/Pi blocked-lane rationale is visible.
+- [ ] Next operator action is visible.
+- [ ] No mutation action, approval action, default activation, target mutation, Core mutation, vendor-source mutation, or secret exposure is added.
+- [ ] Focused contract/UI validator passes before any aggregate validation.
+
+Allowed files: Hermes-owned WebUI extension/plugin files and deterministic validators only. Upstream `hermes-webui`, upstream `hermes-agent`, Case source, vendor source, Target Repositories, Cortex Core, and external developer repositories are forbidden.
+
+Validator: relevant Hermes plugin/WebUI contract validator or a new deterministic validator for the panel data contract.
+
+Done evidence: Hermes sandcastle commit, focused validator output, rendered/contract artifact path if available, clean merge, and CTO evidence update.
+
+## Granularity Check
+
+This is intentionally two slices: one child-local planning route and one Hermes-owned implementation route. It avoids adding mutation controls or upstream WebUI edits while moving the endgoal toward actual Hermes visualization.
--- a/.sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-PRD.md
+++ b/.sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-PRD.md
@ -0,0 +1,99 @@
+---
+name: cto-hermes-webui-control-panel-prd
+tier: local
+status: draft
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local PRD for a Hermes WebUI consumer panel over the CTO Harness control summary.
+---
+
+# CTO Hermes WebUI Control Panel PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem Statement
+
+Hermes now has a machine-readable CTO Harness control summary with Stage 6 real-governed refresh evidence. The operator still needs a visual control surface that can show the proof state, replay paths, blocked lanes, read-only target proof, and runtime-default status without opening raw JSON by hand.
+
+## Solution
+
+Add a bounded Hermes WebUI consumer panel through the existing Hermes extension/plugin surface. The panel must read the Harness-backed summary contract and render evidence state only. Hermes controls visibility and replay. Cortex remains SOT authority. CTO routes. Harness proves. Case remains a gated adapter and is not activated by the panel.
+
+## Scope
+
+- Add a WebUI-visible CTO Harness panel or endpoint consumer through the Hermes-owned extension/plugin surface.
+- Read the existing `webui-summary.json` contract or a Harness summary command result.
+- Display Stage 6 real-governed refresh status.
+- Display refresh comparison artifact path, real Stage 5 pass report path, and Stage 5 proof path.
+- Display target repository read-only proof status.
+- Display candidate-default refresh eligibility separately from runtime default activation.
+- Display Codex/Pi blocked-lane rationale.
+- Display next operator action.
+- Keep all source data Harness-backed.
+
+## Non-Goals
+
+- Do not edit upstream `hermes-webui`.
+- Do not edit upstream `hermes-agent`.
+- Do not activate Case as default backend.
+- Do not add approval, mutation, deploy, push, merge, close, PR open, or issue-close actions.
+- Do not rerun Case or mutate a Target Repository from the panel.
+- Do not expose secrets, endpoints, credential values, or raw Target Repository content.
+- Do not promote child-local CTO artifacts into Core.
+
+## User Stories
+
+1. As JP, I want a CTO Harness panel in Hermes, so that I can inspect real-refresh proof quickly.
+2. As Hermes, I want to render a stable summary contract, so that the UI does not reinterpret raw backend logs.
+3. As CTO, I want target read-only proof visible, so that real-repo protection is prominent.
+4. As Harness, I want replay links/paths visible, so that evidence can be audited.
+5. As Cortex, I want runtime default activation shown as false, so that visual control cannot create authority drift.
+
+## Acceptance Criteria
+
+- [ ] PRD requires the panel to use the Hermes-owned extension/plugin surface, not upstream `hermes-webui` or `hermes-agent` edits.
+- [ ] PRD requires Harness-backed summary data as the source of truth.
+- [ ] PRD requires Stage 6 real-governed refresh status to be visible.
+- [ ] PRD requires replay paths for refresh comparison, real Stage 5 pass report, and Stage 5 proof.
+- [ ] PRD requires target repository read-only proof status to be visible.
+- [ ] PRD separates candidate-default refresh eligibility from runtime default activation.
+- [ ] PRD requires blocked Codex/Pi lane rationale to be visible.
+- [ ] PRD forbids mutation actions, default activation, upstream source edits, Core promotion, target mutation, and secret exposure.
+- [ ] Local CTO validator checks the PRD and issue artifact.
+
+## Validation
+
+Planning validator: `python3 tools/validate_cto_child.py`.
+
+Implementation validation must use the relevant Hermes extension/plugin validator or a small deterministic contract validator. If WebUI runtime validation is unavailable, the implementation must at minimum validate the endpoint/rendered data contract without editing upstream code.
+
+## Risks
+
+- A visual panel may imply authority if default activation is not shown as false.
+- A panel may expose too much if it renders raw target content instead of artifact paths.
+- Editing upstream WebUI would violate the Hermes extension boundary.
+- Building mutation controls now would overreach the evidence surface.
+
+## Dependencies
+
+- `CTO-WORK-057` control summary real-refresh replay evidence is validated.
+- Hermes extension/plugin surface exists for WebUI additions.
+- CTO Harness `webui-summary.sh --json` remains validated.
+
+## Challenge Notes
+
+Accepted feedback: This is now worth doing because the machine-readable summary contract exists and is validated.
+
+Accepted feedback: The panel must be read-only and replay-oriented; approval and mutation controls require a later governed route.
+
+Rejected feedback: Editing upstream `hermes-webui` is not acceptable because Hermes customizations belong in the extension/plugin surface.
+
+Rejected feedback: Calling this complete from the CLI summary alone is insufficient because the endgoal explicitly requires Hermes visualization/ease of control.
+
+## Success Definition
+
+This slice succeeds when CTO has a validated route for adding a read-only Hermes WebUI consumer panel over the CTO Harness summary, preserving Cortex authority, Harness proof, target protection, and runtime default activation false.
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@ -286,4 +286,14 @@ items:
    status: validated
    source: .sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md
    owner: ""
+  - id: CTO-WORK-058
+    title: Hermes WebUI Control Panel PRD
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-PRD.md
+    owner: ""
+  - id: CTO-WORK-059
+    title: Hermes WebUI CTO Harness Control Panel
+    status: candidate
+    source: .sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-ISSUES.md
+    owner: ""

--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@ -48,6 +48,8 @@ REQUIRED_FILES = [
    ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md",
    ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md",
+    ".sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-PRD.md",
+    ".sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
@ -135,6 +137,21 @@ REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES = [
    "Runtime default activation remains false.",
 ]

+REQUIRED_HERMES_WEBUI_CONTROL_PANEL_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "Hermes WebUI consumer panel",
+    "Hermes-owned extension/plugin surface",
+    "Do not edit upstream `hermes-webui`.",
+    "Do not edit upstream `hermes-agent`.",
+    "Harness-backed summary data as the source of truth",
+    "Stage 6 real-governed refresh status",
+    "refresh comparison, real Stage 5 pass report, and Stage 5 proof",
+    "target repository read-only proof status",
+    "candidate-default refresh eligibility from runtime default activation",
+    "blocked Codex/Pi lane rationale",
+    "Do not activate Case as default backend.",
+]
+
 REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_EVIDENCE_PHRASES = [
    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
    "CTO-WORK-057",
@ -1128,6 +1145,26 @@ def main() -> int:
            if phrase not in text:
                errors.append(f"missing_hermes_real_refresh_control_replay_issue_phrase:{phrase}")

+    hermes_webui_control_panel_prd = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-PRD.md"
+    if hermes_webui_control_panel_prd.is_file():
+        text = hermes_webui_control_panel_prd.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("hermes_webui_control_panel_prd_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_HERMES_WEBUI_CONTROL_PANEL_PHRASES:
+            checked.append(f"hermes_webui_control_panel_prd_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_hermes_webui_control_panel_prd_phrase:{phrase}")
+
+    hermes_webui_control_panel_issues = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-WEBUI-CONTROL-PANEL-ISSUES.md"
+    if hermes_webui_control_panel_issues.is_file():
+        text = hermes_webui_control_panel_issues.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("hermes_webui_control_panel_issues_missing_not_promoted_frontmatter")
+        for phrase in ["CTO-WORK-058", "CTO-WORK-059", "upstream `hermes-webui`", "upstream `hermes-agent`", "runtime default activation"]:
+            checked.append(f"hermes_webui_control_panel_issue_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_hermes_webui_control_panel_issue_phrase:{phrase}")
+
    hermes_real_refresh_control_replay_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md"
    if hermes_real_refresh_control_replay_evidence.is_file():
        text = hermes_real_refresh_control_replay_evidence.read_text(encoding="utf-8")
@ -1736,6 +1773,8 @@ def main() -> int:
            "CTO-WORK-055": "validated",
            "CTO-WORK-056": "validated",
            "CTO-WORK-057": "validated",
+            "CTO-WORK-058": "validated",
+            "CTO-WORK-059": "candidate",
        }
        for issue_id, expected in expected_statuses.items():
            checked.append(f"workboard_status:{issue_id}:{expected}")