From e2cd0d059cfbb9ecaf445602c642aa308cb18bf5 Mon Sep 17 00:00:00 2001
From: Svrnty
Date: Mon, 1 Jun 2026 06:33:51 -0400
Subject: [PATCH] Add first real workflow approval packet
---
...-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md | 123 ++++++++++++++++++
...CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md | 29 +++++
README.md | 1 +
WORKBOARD.yaml | 5 +
tools/validate_cto_child.py | 28 ++++
5 files changed, 186 insertions(+)
create mode 100644 .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
diff --git a/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md b/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
new file mode 100644
index 0000000..f6bb818
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
@@ -0,0 +1,123 @@
+---
+name: cto-first-real-governed-workflow-approval-packet
+tier: local
+status: validated
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local approval packet for the first real governed CTO workflow execution.
+---
+
+# CTO First Real Governed Workflow Approval Packet
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Status
+
+Status: validated as an approval packet only.
+
+This packet does not authorize execution. `CTO-WORK-049` remains candidate until JP approves the exact Target Repository and task contract.
+
+## Proposed Target Repository
+
+- Target Repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
+- Admission source: `.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json`
+- Admission status: `admitted`
+- Repository owner: `jp`
+- Risk classification: `low_risk_noncritical`
+- Current observed state: clean `main` branch before approval packet creation
+
+## Proposed Task Contract
+
+Task: align `src/strings.py` `slugify` behavior with the already-proven root `strings.py` implementation and add coverage for repeated and outer whitespace.
+
+Allowed paths:
+
+- `src/strings.py`
+- `test_strings.py`
+
+Forbidden actions:
+
+- push
+- merge
+- deploy
+- close
+- pr_open
+- issue_close
+- public_publication
+- credential_change
+- vendor_source_mutation
+- cortex_core_mutation
+
+Forbidden paths:
+
+- `.env`
+- `.env.*`
+- `secrets/`
+- `credentials/`
+- `deploy/`
+- `infra/`
+- `.github/workflows/`
+- `.git/`
+
+Success criteria:
+
+- `src/strings.py` uses whitespace-splitting slug behavior equivalent to root `strings.py`.
+- `test_strings.py` includes coverage for repeated spaces and outer spaces through the `src.strings` implementation.
+- Target repository ends clean after Harness post-processing.
+- Harness Evidence Interface artifacts exist.
+- Hermes Control Surface can expose replay paths after execution.
+- Runtime default activation remains false.
+
+Validation command:
+
+```bash
+python3 -m pytest -q
+```
+
+Rollback expectation:
+
+- Revert the single target commit created by the Harness if JP rejects the operator outcome.
+- Do not push, merge, deploy, publish, or open a PR.
+
+## Required Approval
+
+Before execution, JP must approve this exact sentence:
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+Without that exact approval, execution remains blocked.
+
+## Execution Gate
+
+Execution must use only the CTO Harness Case seam with:
+
+- `CTO_HARNESS_ALLOW_CASE=1`
+- `CTO_HARNESS_CASE_STAGE=5`
+- `CTO_HARNESS_CASE_STAGE5_TARGET_ADMISSION_FILE` pointing to the admitted Target Repository record
+- `CTO_HARNESS_CASE_STAGE5_OPERATOR_OUTCOME` recorded after verification
+
+Case must not choose target, scope, authority, approval, success criteria, or default status.
+
+## Evidence Required After Execution
+
+- `report.json`
+- `report.md`
+- `events.normalized.jsonl`
+- `trace.jsonl`
+- `patch.diff`
+- `test.log`
+- backend logs
+- artifact digests
+- freshness proof
+- stage5 owned repo proof
+- Hermes Control Surface summary path
+
+## Non-Authority Notice
+
+This approval packet is child-local planning. It does not promote CTO artifacts into Core, does not activate Case as default backend, and does not authorize mutation before JP approval.
diff --git a/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md b/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
index ca44128..33550fd 100644
--- a/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
@@ -67,6 +67,35 @@ Validator: future focused real-workflow Harness validator, then `harness/evals/h Human gate: JP must approve the concrete Target Repository and task contract before execution. +Readiness packet: + +- `CTO-WORK-050` defines the proposed Target Repository, task contract, allowed paths, forbidden actions, validation command, rollback expectation, and exact JP approval sentence. +- `CTO-WORK-049` remains candidate until that approval is given and runtime evidence exists. + +### CTO-WORK-050 - First Real Governed Workflow Approval Packet + +Type: HITL + +Status: validated. + +Blocked by: CTO-WORK-049 + +What to build: Define the exact approval packet for the first real governed workflow without mutating the Target Repository. + +Acceptance criteria: + +- [x] Packet names the concrete Target Repository. +- [x] Packet references the existing Target Repository admission source. +- [x] Packet defines a precise task contract. +- [x] Packet defines allowed paths. +- [x] Packet defines forbidden actions and forbidden paths. +- [x] Packet defines validation command. +- [x] Packet defines rollback expectation. +- [x] Packet provides exact JP approval sentence. +- [x] Packet states execution remains blocked without approval. + +Validator: `python3 tools/validate_cto_child.py` + ## Granularity Check This is intentionally two slices. `CTO-WORK-048` is planning and route definition. `CTO-WORK-049` is the first real execution and remains candidate because it needs JP approval and runtime target selection. diff --git a/README.md b/README.md index 62475a3..687718c 100644 --- a/README.md +++ b/README.md 
@@ -58,6 +58,7 @@ This workspace is registered as a child-local planning workspace. Registration d | |-- CTO-HERMES-CONTROL-SURFACE-ISSUES.md | |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md | |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md +| |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md | |-- CTO-CASE-PROVIDER-ADMISSION-PRD.md | |-- CTO-CASE-PROVIDER-ADMISSION-ISSUES.md | |-- CTO-CASE-PROVIDER-BUILD-PRD.md diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml index d15c30c..4f281fa 100644 --- a/WORKBOARD.yaml +++ b/WORKBOARD.yaml @@ -245,3 +245,8 @@ items: status: candidate source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md owner: jp + - id: CTO-WORK-050 + title: First Real Governed Workflow Approval Packet + status: validated + source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md + owner: jp diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py index 466e09d..d4dab13 100644 --- a/tools/validate_cto_child.py +++ b/tools/validate_cto_child.py @@ -44,6 +44,7 @@ REQUIRED_FILES = [ ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md", ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md", + ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-ISSUES.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md", 
@@ -110,6 +111,22 @@ REQUIRED_FIRST_REAL_WORKFLOW_PRD_PHRASES = [ REQUIRED_FIRST_REAL_WORKFLOW_ISSUE_IDS = [ "CTO-WORK-048", "CTO-WORK-049", + "CTO-WORK-050", +] + +REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES = [ + "Local planning SOT only. Not a Core Protocol. Not active Core authority.", + "This packet does not authorize execution.", + "`CTO-WORK-049` remains candidate until JP approves the exact Target Repository and task contract.", + "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox", + ".sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json", + "align `src/strings.py` `slugify` behavior", + "`src/strings.py`", + "`test_strings.py`", + "python3 -m pytest -q", + "I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.", + "Without that exact approval, execution remains blocked.", + "Runtime default activation remains false.", ] REQUIRED_PRD_PHRASES = [ @@ -978,6 +995,16 @@ def main() -> int: checked.append(f"first_real_workflow_issue_id:{issue_id}") if issue_id not in text: errors.append(f"missing_first_real_workflow_issue_id:{issue_id}") + + first_real_workflow_approval_packet = ROOT / ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md" + if first_real_workflow_approval_packet.is_file(): + text = first_real_workflow_approval_packet.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("first_real_workflow_approval_packet_missing_not_promoted_frontmatter") + for phrase in REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES: + checked.append(f"first_real_workflow_approval_packet_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_first_real_workflow_approval_packet_phrase:{phrase}") if "core_promotion_status: not-promoted" not in text: errors.append("brief_missing_not_promoted_frontmatter") 
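Review bot: The list added as `REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES` does not pin the packet's restrictive sections: no forbidden action, forbidden path or `CTO_HARNESS_*` execution-gate variable is required, so the packet could lose its `credential_change` or `.github/workflows/` entry and this validator would still pass, although CTO-WORK-050's acceptance criteria name it as the check. The two path entries also match the task and success-criteria sentences, so they would survive deletion of the Allowed paths list. Requiring each list item with its bullet prefix and trailing newline, as sketched below, ties the check to the list lines themselves. Substring matching stays a presence check only and cannot detect an allowance that was added to the packet.

```python
REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES = [
    # … unchanged: the phrases added by this commit …
    "Allowed paths:",
    "- `src/strings.py`\n",
    "- `test_strings.py`\n",
    "Forbidden actions:",
    "- push\n",
    "- merge\n",
    "- deploy\n",
    "- close\n",
    "- pr_open\n",
    "- issue_close\n",
    "- public_publication\n",
    "- credential_change\n",
    "- vendor_source_mutation\n",
    "- cortex_core_mutation\n",
    "Forbidden paths:",
    "- `.env`\n",
    "- `.env.*`\n",
    "- `secrets/`\n",
    "- `credentials/`\n",
    "- `deploy/`\n",
    "- `infra/`\n",
    "- `.github/workflows/`\n",
    "- `.git/`\n",
    "- `CTO_HARNESS_ALLOW_CASE=1`\n",
    "- `CTO_HARNESS_CASE_STAGE=5`\n",
]
```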
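Review bot: The added block in `main()` assigns the packet contents to `text`, the name the surrounding checks already use, and the context line directly after the insertion tests `text` for `brief_missing_not_promoted_frontmatter`. Indentation is not recoverable in this view, so which document that check reads cannot be confirmed, but if it sits at the same level as the new `if` it would now evaluate the approval packet whenever that file exists. A dedicated name removes the coupling: `packet_text = first_real_workflow_approval_packet.read_text(encoding="utf-8")`, with the two `not in text` tests inside the block changed to `not in packet_text`. The new frontmatter test also matches the string anywhere in the file rather than only in the frontmatter, and it is not recorded in `checked`. `main()` begins and ends outside the hunk.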
@@ -1561,6 +1588,7 @@ def main() -> int: "CTO-WORK-047": "validated", "CTO-WORK-048": "validated", "CTO-WORK-049": "candidate", + "CTO-WORK-050": "validated", } for issue_id, expected in expected_statuses.items(): checked.append(f"workboard_status:{issue_id}:{expected}")