Add first real workflow approval packet

2026-06-01 06:33:51 -04:00 · 2026-06-01 06:33:51 -04:00 · e2cd0d059c
commit e2cd0d059c
parent 451f626fb6
5 changed files with 186 additions and 0 deletions
--- a/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
+++ b/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
@ -0,0 +1,123 @@
+---
+name: cto-first-real-governed-workflow-approval-packet
+tier: local
+status: validated
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local approval packet for the first real governed CTO workflow execution.
+---
+
+# CTO First Real Governed Workflow Approval Packet
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Status
+
+Status: validated as an approval packet only.
+
+This packet does not authorize execution. `CTO-WORK-049` remains candidate until JP approves the exact Target Repository and task contract.
+
+## Proposed Target Repository
+
+- Target Repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
+- Admission source: `.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json`
+- Admission status: `admitted`
+- Repository owner: `jp`
+- Risk classification: `low_risk_noncritical`
+- Current observed state: clean `main` branch before approval packet creation
+
+## Proposed Task Contract
+
+Task: align `src/strings.py` `slugify` behavior with the already-proven root `strings.py` implementation and add coverage for repeated and outer whitespace.
+
+Allowed paths:
+
+- `src/strings.py`
+- `test_strings.py`
+
+Forbidden actions:
+
+- push
+- merge
+- deploy
+- close
+- pr_open
+- issue_close
+- public_publication
+- credential_change
+- vendor_source_mutation
+- cortex_core_mutation
+
+Forbidden paths:
+
+- `.env`
+- `.env.*`
+- `secrets/`
+- `credentials/`
+- `deploy/`
+- `infra/`
+- `.github/workflows/`
+- `.git/`
+
+Success criteria:
+
+- `src/strings.py` uses whitespace-splitting slug behavior equivalent to root `strings.py`.
+- `test_strings.py` includes coverage for repeated spaces and outer spaces through the `src.strings` implementation.
+- Target repository ends clean after Harness post-processing.
+- Harness Evidence Interface artifacts exist.
+- Hermes Control Surface can expose replay paths after execution.
+- Runtime default activation remains false.
+
+Validation command:
+
+```bash
+python3 -m pytest -q
+```
+
+Rollback expectation:
+
+- Revert the single target commit created by the Harness if JP rejects the operator outcome.
+- Do not push, merge, deploy, publish, or open a PR.
+
+## Required Approval
+
+Before execution, JP must approve this exact sentence:
+
+```text
+I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
+```
+
+Without that exact approval, execution remains blocked.
+
+## Execution Gate
+
+Execution must use only the CTO Harness Case seam with:
+
+- `CTO_HARNESS_ALLOW_CASE=1`
+- `CTO_HARNESS_CASE_STAGE=5`
+- `CTO_HARNESS_CASE_STAGE5_TARGET_ADMISSION_FILE` pointing to the admitted Target Repository record
+- `CTO_HARNESS_CASE_STAGE5_OPERATOR_OUTCOME` recorded after verification
+
+Case must not choose target, scope, authority, approval, success criteria, or default status.
+
+## Evidence Required After Execution
+
+- `report.json`
+- `report.md`
+- `events.normalized.jsonl`
+- `trace.jsonl`
+- `patch.diff`
+- `test.log`
+- backend logs
+- artifact digests
+- freshness proof
+- stage5 owned repo proof
+- Hermes Control Surface summary path
+
+## Non-Authority Notice
+
+This approval packet is child-local planning. It does not promote CTO artifacts into Core, does not activate Case as default backend, and does not authorize mutation before JP approval.
--- a/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
+++ b/.sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
@ -67,6 +67,35 @@ Validator: future focused real-workflow Harness validator, then `harness/evals/h

 Human gate: JP must approve the concrete Target Repository and task contract before execution.

+Readiness packet:
+
+- `CTO-WORK-050` defines the proposed Target Repository, task contract, allowed paths, forbidden actions, validation command, rollback expectation, and exact JP approval sentence.
+- `CTO-WORK-049` remains candidate until that approval is given and runtime evidence exists.
+
+### CTO-WORK-050 - First Real Governed Workflow Approval Packet
+
+Type: HITL
+
+Status: validated.
+
+Blocked by: CTO-WORK-049
+
+What to build: Define the exact approval packet for the first real governed workflow without mutating the Target Repository.
+
+Acceptance criteria:
+
+- [x] Packet names the concrete Target Repository.
+- [x] Packet references the existing Target Repository admission source.
+- [x] Packet defines a precise task contract.
+- [x] Packet defines allowed paths.
+- [x] Packet defines forbidden actions and forbidden paths.
+- [x] Packet defines validation command.
+- [x] Packet defines rollback expectation.
+- [x] Packet provides exact JP approval sentence.
+- [x] Packet states execution remains blocked without approval.
+
+Validator: `python3 tools/validate_cto_child.py`
+
 ## Granularity Check

 This is intentionally two slices. `CTO-WORK-048` is planning and route definition. `CTO-WORK-049` is the first real execution and remains candidate because it needs JP approval and runtime target selection.
--- a/README.md
+++ b/README.md
@ -58,6 +58,7 @@ This workspace is registered as a child-local planning workspace. Registration d
 |       |-- CTO-HERMES-CONTROL-SURFACE-ISSUES.md
 |       |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md
 |       |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
+|       |-- CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
 |       |-- CTO-CASE-PROVIDER-ADMISSION-PRD.md
 |       |-- CTO-CASE-PROVIDER-ADMISSION-ISSUES.md
 |       |-- CTO-CASE-PROVIDER-BUILD-PRD.md
--- a/WORKBOARD.yaml
+++ b/WORKBOARD.yaml
@ -245,3 +245,8 @@ items:
    status: candidate
    source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md
    owner: jp
+  - id: CTO-WORK-050
+    title: First Real Governed Workflow Approval Packet
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md
+    owner: jp
--- a/tools/validate_cto_child.py
+++ b/tools/validate_cto_child.py
@ -44,6 +44,7 @@ REQUIRED_FILES = [
    ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
+    ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
    ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md",
    ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-ISSUES.md",
    ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md",
@ -110,6 +111,22 @@ REQUIRED_FIRST_REAL_WORKFLOW_PRD_PHRASES = [
 REQUIRED_FIRST_REAL_WORKFLOW_ISSUE_IDS = [
    "CTO-WORK-048",
    "CTO-WORK-049",
+    "CTO-WORK-050",
+]
+
+REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "This packet does not authorize execution.",
+    "`CTO-WORK-049` remains candidate until JP approves the exact Target Repository and task contract.",
+    "/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
+    ".sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json",
+    "align `src/strings.py` `slugify` behavior",
+    "`src/strings.py`",
+    "`test_strings.py`",
+    "python3 -m pytest -q",
+    "I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.",
+    "Without that exact approval, execution remains blocked.",
+    "Runtime default activation remains false.",
 ]

 REQUIRED_PRD_PHRASES = [
@ -978,6 +995,16 @@ def main() -> int:
            checked.append(f"first_real_workflow_issue_id:{issue_id}")
            if issue_id not in text:
                errors.append(f"missing_first_real_workflow_issue_id:{issue_id}")
+
+    first_real_workflow_approval_packet = ROOT / ".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md"
+    if first_real_workflow_approval_packet.is_file():
+        text = first_real_workflow_approval_packet.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("first_real_workflow_approval_packet_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_FIRST_REAL_WORKFLOW_APPROVAL_PACKET_PHRASES:
+            checked.append(f"first_real_workflow_approval_packet_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_first_real_workflow_approval_packet_phrase:{phrase}")
        if "core_promotion_status: not-promoted" not in text:
            errors.append("brief_missing_not_promoted_frontmatter")

@ -1561,6 +1588,7 @@ def main() -> int:
            "CTO-WORK-047": "validated",
            "CTO-WORK-048": "validated",
            "CTO-WORK-049": "candidate",
+            "CTO-WORK-050": "validated",
        }
        for issue_id, expected in expected_statuses.items():
            checked.append(f"workboard_status:{issue_id}:{expected}")