Add first real workflow approval packet

2026-06-01 06:33:51 -04:00 · 2026-06-01 06:33:51 -04:00 · e2cd0d059c
commit e2cd0d059c
parent 451f626fb6
5 changed files with 186 additions and 0 deletions
--- a/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
+++ b/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
@ -0,0 +1,123 @@
 ---
 name: cto-first-real-governed-workflow-approval-packet
 tier: local
 status: validated
 owner: jp
 source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
 created: 2026-06-01
 last_reviewed: 2026-06-01
 lifecycle_classification: planning
 core_promotion_status: not-promoted
 description: Child-local approval packet for the first real governed CTO workflow execution.
 ---
 # CTO First Real Governed Workflow Approval Packet
 Local planning SOT only. Not a Core Protocol. Not active Core authority.
 ## Status
 Status: validated as an approval packet only.
 This packet does not authorize execution. `CTO-WORK-049` remains candidate until JP approves the exact Target Repository and task contract.
 ## Proposed Target Repository
 - Target Repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
 - Admission source: `.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json`
 - Admission status: `admitted`
 - Repository owner: `jp`
 - Risk classification: `low_risk_noncritical`
 - Current observed state: clean `main` branch before approval packet creation
 ## Proposed Task Contract
 Task: align `src/strings.py` `slugify` behavior with the already-proven root `strings.py` implementation and add coverage for repeated and outer whitespace.
 Allowed paths:
 - `src/strings.py`
 - `test_strings.py`
 Forbidden actions:
 - push
 - merge
 - deploy
 - close
 - pr_open
 - issue_close
 - public_publication
 - credential_change
 - vendor_source_mutation
 - cortex_core_mutation
 Forbidden paths:
 - `.env`
 - `.env.*`
 - `secrets/`
 - `credentials/`
 - `deploy/`
 - `infra/`
 - `.github/workflows/`
 - `.git/`
 Success criteria:
 - `src/strings.py` uses whitespace-splitting slug behavior equivalent to root `strings.py`.
 - `test_strings.py` includes coverage for repeated spaces and outer spaces through the `src.strings` implementation.
 - Target repository ends clean after Harness post-processing.
 - Harness Evidence Interface artifacts exist.
 - Hermes Control Surface can expose replay paths after execution.
 - Runtime default activation remains false.
 Validation command:
 ```bash
 python3 -m pytest -q
 ```
 Rollback expectation:
 - Revert the single target commit created by the Harness if JP rejects the operator outcome.
 - Do not push, merge, deploy, publish, or open a PR.
 ## Required Approval
 Before execution, JP must approve this exact sentence:
 ```text
 I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
 ```
 Without that exact approval, execution remains blocked.
 ## Execution Gate
 Execution must use only the CTO Harness Case seam with:
 - `CTO_HARNESS_ALLOW_CASE=1`
 - `CTO_HARNESS_CASE_STAGE=5`
 - `CTO_HARNESS_CASE_STAGE5_TARGET_ADMISSION_FILE` pointing to the admitted Target Repository record
 - `CTO_HARNESS_CASE_STAGE5_OPERATOR_OUTCOME` recorded after verification
 Case must not choose target, scope, authority, approval, success criteria, or default status.
 ## Evidence Required After Execution
 - `report.json`
 - `report.md`
 - `events.normalized.jsonl`
 - `trace.jsonl`
 - `patch.diff`
 - `test.log`
 - backend logs
 - artifact digests
 - freshness proof
 - stage5 owned repo proof
 - Hermes Control Surface summary path
 ## Non-Authority Notice
 This approval packet is child-local planning. It does not promote CTO artifacts into Core, does not activate Case as default backend, and does not authorize mutation before JP approval.
--- a/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
@ -67,6 +67,35 @@ Validator: future focused real-workflow Harness validator, then `harness/evals/h
 Human gate: JP must approve the concrete Target Repository and task contract before execution.
 Readiness packet:
 - `CTO-WORK-050` defines the proposed Target Repository, task contract, allowed paths, forbidden actions, validation command, rollback expectation, and exact JP approval sentence.
 - `CTO-WORK-049` remains candidate until that approval is given and runtime evidence exists.
 ### CTO-WORK-050 - First Real Governed Workflow Approval Packet
 Type: HITL
 Status: validated.
 Blocked by: CTO-WORK-049
 What to build: Define the exact approval packet for the first real governed workflow without mutating the Target Repository.
 Acceptance criteria:
 - [x] Packet names the concrete Target Repository.
 - [x] Packet references the existing Target Repository admission source.
 - [x] Packet defines a precise task contract.
 - [x] Packet defines allowed paths.
 - [x] Packet defines forbidden actions and forbidden paths.
 - [x] Packet defines validation command.
 - [x] Packet defines rollback expectation.
 - [x] Packet provides exact JP approval sentence.
 - [x] Packet states execution remains blocked without approval.
 Validator: `python3 tools/validate_cto_child.py`
 ## Granularity Check
 This is intentionally two slices. `CTO-WORK-048` is planning and route definition. `CTO-WORK-049` is the first real execution and remains candidate because it needs JP approval and runtime target selection.
--- a/README.md
+++ b/README.md
@ -58,6 +58,7 @@ This workspace is registered as a child-local planning workspace. Registration d
 |       |-- CTO-HERMES-CONTROL-SURFACE-ISSUES.md
 |       |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md
 |       |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
 |       |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
 |       |-- CTO-CASE-PROVIDER-ADMISSION-PRD.md
 |       |-- CTO-CASE-PROVIDER-ADMISSION-ISSUES.md
 |       |-- CTO-CASE-PROVIDER-BUILD-PRD.md
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@ -245,3 +245,8 @@ items:
    status: candidate
    source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
    owner: jp
  - id: CTO-WORK-050
    title: First Real Governed Workflow Approval Packet
    status: validated
    source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
    owner: jp
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@ -44,6 +44,7 @@ REQUIRED_FILES = [
    ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
    ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md",
    ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md",
@ -110,6 +111,22 @@ REQUIRED_FIRST_REAL_WORKFLOW_PRD_PHRASES = [
 REQUIRED_FIRST_REAL_WORKFLOW_ISSUE_IDS = [
    "CTO-WORK-048",
    "CTO-WORK-049",
    "CTO-WORK-050",
 ]
 REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES = [
    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
    "This packet does not authorize execution.",
    "`CTO-WORK-049` remains candidate until JP approves the exact Target Repository and task contract.",
    "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
    ".sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json",
    "align `src/strings.py` `slugify` behavior",
    "`src/strings.py`",
    "`test_strings.py`",
    "python3 -m pytest -q",
    "I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.",
    "Without that exact approval, execution remains blocked.",
    "Runtime default activation remains false.",
 ]
 REQUIRED_PRD_PHRASES = [
@ -978,6 +995,16 @@ def main() -> int:
            checked.append(f"first_real_workflow_issue_id:{issue_id}")
            if issue_id not in text:
                errors.append(f"missing_first_real_workflow_issue_id:{issue_id}")
    first_real_workflow_approval_packet = ROOT / ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md"
    if first_real_workflow_approval_packet.is_file():
        text = first_real_workflow_approval_packet.read_text(encoding="utf-8")
        if "core_promotion_status: not-promoted" not in text:
            errors.append("first_real_workflow_approval_packet_missing_not_promoted_frontmatter")
        for phrase in REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES:
            checked.append(f"first_real_workflow_approval_packet_phrase:{phrase}")
            if phrase not in text:
                errors.append(f"missing_first_real_workflow_approval_packet_phrase:{phrase}")
        if "core_promotion_status: not-promoted" not in text:
            errors.append("brief_missing_not_promoted_frontmatter")
@ -1561,6 +1588,7 @@ def main() -> int:
            "CTO-WORK-047": "validated",
            "CTO-WORK-048": "validated",
            "CTO-WORK-049": "candidate",
            "CTO-WORK-050": "validated",
        }
        for issue_id, expected in expected_statuses.items():
            checked.append(f"workboard_status:{issue_id}:{expected}")