Add Hermes control surface planning

.sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md

@@ -0,0 +1,82 @@
+---
+name: cto-hermes-control-surface-issues
+tier: local
+status: draft
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local issue sequence for Hermes-visible CTO Harness control summary.
+---
+
+# CTO Hermes Control Surface Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue Sequence
+
+### CTO-WORK-044 - Hermes Control Surface PRD
+
+Type: AFK
+
+Status: validated.
+
+Blocked by: CTO-WORK-043
+
+User stories covered: CTO Hermes Control Surface PRD stories 1, 2, 3, 4, 5.
+
+What to build: Define the Hermes-facing CTO Harness control summary before implementation starts.
+
+Acceptance criteria:
+
+- [x] PRD states Hermes controls visibility, approval, and replay but does not govern.
+- [x] PRD requires the surface to be backed by Harness Evidence Interface artifacts.
+- [x] PRD requires proof ladder status through Stage 6.
+- [x] PRD separates candidate-default eligibility from runtime default activation.
+- [x] PRD requires replay paths for matrix and Stage 6 comparison evidence.
+- [x] PRD requires blocked comparison lanes to include rationale.
+- [x] PRD forbids secrets, endpoints, credentials, Target Repository mutation, vendor-source mutation, external developer repository mutation, and Core mutation.
+- [x] Local CTO validator checks the PRD and issue artifact.
+
+Allowed files: CTO child workspace planning docs and local validator only.
+
+Validator: `python3 tools/validate_cto_child.py`
+
+Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.
+
+### CTO-WORK-045 - Harness-Backed Hermes Control Summary
+
+Type: AFK
+
+Status: candidate.
+
+Blocked by: CTO-WORK-044
+
+User stories covered: CTO Hermes Control Surface PRD stories 1, 2, 3, 4, 5.
+
+What to build: In `/home/svrnty/workspaces/hermes/cto/harness`, extend the WebUI summary path so Hermes can consume a compact CTO Harness control summary backed by validated evidence.
+
+Acceptance criteria:
+
+- [ ] Summary command remains Harness-backed and deterministic.
+- [ ] Summary exposes proof ladder status through Stage 6.
+- [ ] Summary exposes Stage 6 candidate-default eligibility.
+- [ ] Summary exposes runtime default activation as `false` unless a later governed route changes it.
+- [ ] Summary exposes matrix report and Stage 6 comparison report paths.
+- [ ] Summary exposes blocked Codex/Pi lane rationale when not applicable.
+- [ ] Summary exposes next recommended operator action.
+- [ ] Summary does not expose secrets, endpoints, credential values, or raw Target Repository content.
+- [ ] Summary does not mutate Target Repositories, vendor source, external developer repositories, or Cortex Core.
+- [ ] Focused summary validator passes and aggregate Harness health remains green.
+
+Allowed files: Hermes CTO harness summary command, summary validator, summary contract/docs, and command index. WebUI Runtime code, Core, Case source, vendor source, Target Repositories, and external developer repositories are forbidden.
+
+Validator: `python3 harness/runner/validate-webui-summary.py --json`, then `harness/evals/health.sh --json`.
+
+Done evidence: summary JSON, focused validator JSON, aggregate health JSON, clean worktree, commit.
+
+## Granularity Check
+
+This is intentionally two slices: one planning route and one Harness-backed summary route. It avoids overbuilding a WebUI panel before the stable summary contract exists.

.sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md

@@ -0,0 +1,86 @@
+---
+name: cto-hermes-control-surface-prd
+tier: local
+status: draft
+owner: jp
+source: WORKBOARD.yaml next ROI after CTO-WORK-043
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local PRD for a Hermes-visible CTO Harness control summary surface.
+---
+
+# CTO Hermes Control Surface PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem Statement
+
+The Case proof ladder is validated through Stage 6, but the operator surface still has to inspect raw harness commands and scattered runtime artifacts. That makes Hermes weak as the control and replay layer. JP needs a compact Hermes-facing summary that shows proof state, candidate-default status, blocked comparison lanes, replay artifact paths, and next action without giving Hermes or Case authority.
+
+## Solution
+
+Add a read-oriented Hermes Control Surface summary behind the CTO Harness. Hermes controls visibility, approval, and replay; Cortex remains SOT authority; CTO routes; Harness proves; Case executes only after proof. The first slice is a deterministic `webui-summary.sh --json` contract that exposes current Harness health, Stage 6 candidate-default comparison status, proof artifact paths, blocked-lane rationale, and default-activation status.
+
+## Scope
+
+- Define a Hermes-facing CTO Harness summary contract.
+- Keep the surface backed by Harness Evidence Interface artifacts.
+- Expose proof ladder status through Stage 6.
+- Expose candidate-default eligibility separately from runtime default activation.
+- Expose replay paths for matrix, Stage 6 comparison, and failure closure reports.
+- Expose blocked Codex/Pi lane rationale when deterministic validation does not run those lanes.
+- Keep fake as default validation lane.
+
+## Non-Goals
+
+- Do not build a full Hermes WebUI panel in this slice.
+- Do not add approval mutation actions.
+- Do not activate Case as default backend.
+- Do not promote child-local CTO artifacts into Core.
+- Do not mutate Target Repositories, vendor source, external developer repositories, or Cortex Core.
+- Do not store secrets, endpoints, or credential values in reports.
+
+## User Stories
+
+1. As JP, I want one Hermes-facing summary of CTO Harness state, so that I can inspect proof without reading raw logs.
+2. As Hermes, I want replay artifact paths, so that a future panel can link to evidence instead of reinterpreting backend logs.
+3. As CTO, I want candidate-default status separated from default activation, so that Case cannot become authority by wording.
+4. As Harness, I want the control surface generated from validated evidence, so that UI state stays proof-backed.
+5. As Cortex, I want the summary to remain child-local and non-authoritative, so that Core SOT remains the authority layer.
+
+## Acceptance Criteria
+
+- [ ] PRD states Hermes controls visibility, approval, and replay but does not govern.
+- [ ] PRD requires the surface to be backed by Harness Evidence Interface artifacts.
+- [ ] PRD requires proof ladder status through Stage 6.
+- [ ] PRD separates candidate-default eligibility from runtime default activation.
+- [ ] PRD requires replay paths for matrix and Stage 6 comparison evidence.
+- [ ] PRD requires blocked comparison lanes to include rationale.
+- [ ] PRD forbids secrets, endpoints, credentials, Target Repository mutation, vendor-source mutation, external developer repository mutation, and Core mutation.
+- [ ] Local CTO validator checks the PRD and issue artifact.
+
+## Validation
+
+Planning validator: `python3 tools/validate_cto_child.py`.
+
+Implementation validator planned for Hermes: `python3 harness/runner/validate-webui-summary.py --json`, then `harness/evals/health.sh --json` after focused validation passes.
+
+## Risks
+
+- Summary fields may be mistaken for Core authority.
+- UI consumers may treat candidate-default eligibility as runtime default activation.
+- Artifact paths may become stale if not generated from fresh Harness runs.
+- A broad WebUI implementation now would overreach before the summary contract is stable.
+
+## Dependencies
+
+- Stage 6 candidate-default comparison proof is validated.
+- Harness Evidence Interface remains active.
+- Hermes CTO harness commands remain the evidence source.
+- Future WebUI work consumes this summary instead of raw backend logs.
+
+## Success Definition
+
+This slice succeeds when Hermes can consume one Harness-generated summary showing proof ladder state, Stage 6 candidate-default evidence, blocked-lane rationale, replay paths, next action, and default activation false, without changing authority, mutating repositories, or bypassing Harness validation.

CONTEXT.md

@@ -28,3 +28,7 @@ _Avoid_: vendor source, hidden workspace, disposable scratch by default
 **Copied Repository Fixture**:
 A runtime copy of an owned local source repository used to prove backend behavior without mutating the source repository or a Target Repository.
 _Avoid_: Target Repository, live repo, external developer source
+
+**Hermes Control Surface**:
+A Hermes-facing summary and replay surface for CTO Harness state, approval context, and evidence links. It controls visibility and interaction but does not govern.
+_Avoid_: Core authority, runtime default switch, backend approval source

README.md

@@ -52,6 +52,8 @@ This workspace is registered as a child-local planning workspace. Registration d
 |       |-- CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json
 |       |-- CTO-CASE-STAGE6-CANDIDATE-DEFAULT-PRD.md
 |       |-- CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md
+|       |-- CTO-HERMES-CONTROL-SURFACE-PRD.md
+|       |-- CTO-HERMES-CONTROL-SURFACE-ISSUES.md
 |       |-- CTO-CASE-PROVIDER-ADMISSION-PRD.md
 |       |-- CTO-CASE-PROVIDER-ADMISSION-ISSUES.md
 |       |-- CTO-CASE-PROVIDER-BUILD-PRD.md

WORKBOARD.yaml

@@ -215,3 +215,13 @@ items:
     status: validated
     source: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md
     owner: jp
+  - id: CTO-WORK-044
+    title: Hermes Control Surface PRD
+    status: validated
+    source: .sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md
+    owner: ""
+  - id: CTO-WORK-045
+    title: Harness-Backed Hermes Control Summary
+    status: candidate
+    source: .sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md
+    owner: jp

tools/validate_cto_child.py

@@ -38,6 +38,8 @@ REQUIRED_FILES = [
     ".sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION.json",
     ".sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-PRD.md",
     ".sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md",
+    ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md",
+    ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md",
     ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md",
@@ -364,6 +366,25 @@ REQUIRED_STAGE6_ISSUE_IDS = [
     "CTO-WORK-043",
 ]
 
+REQUIRED_HERMES_CONTROL_SURFACE_PRD_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "Hermes controls visibility, approval, and replay but does not govern.",
+    "Harness Evidence Interface artifacts",
+    "proof ladder status through Stage 6",
+    "candidate-default eligibility separately from runtime default activation",
+    "replay paths for matrix and Stage 6 comparison evidence",
+    "blocked comparison lanes to include rationale",
+    "Do not build a full Hermes WebUI panel in this slice.",
+    "Do not activate Case as default backend.",
+    "Do not store secrets, endpoints, or credential values in reports.",
+    "This slice succeeds when Hermes can consume one Harness-generated summary",
+]
+
+REQUIRED_HERMES_CONTROL_SURFACE_ISSUE_IDS = [
+    "CTO-WORK-044",
+    "CTO-WORK-045",
+]
+
 REQUIRED_STAGE5_TARGET_ADMISSION_TEMPLATE_PHRASES = [
     "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
     "This artifact is a template only. No Target Repository is admitted by this file.",
@@ -1140,6 +1161,28 @@ def main() -> int:
             if issue_id not in text:
                 errors.append(f"missing_stage6_issue_id:{issue_id}")
 
+    hermes_control_surface_prd = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-PRD.md"
+    if hermes_control_surface_prd.is_file():
+        text = hermes_control_surface_prd.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("hermes_control_surface_prd_missing_not_promoted_frontmatter")
+        for phrase in REQUIRED_HERMES_CONTROL_SURFACE_PRD_PHRASES:
+            checked.append(f"hermes_control_surface_prd_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_hermes_control_surface_prd_phrase:{phrase}")
+
+    hermes_control_surface_issues = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-CONTROL-SURFACE-ISSUES.md"
+    if hermes_control_surface_issues.is_file():
+        text = hermes_control_surface_issues.read_text(encoding="utf-8")
+        if "core_promotion_status: not-promoted" not in text:
+            errors.append("hermes_control_surface_issues_missing_not_promoted_frontmatter")
+        if "Local planning SOT only. Not a Core Protocol. Not active Core authority." not in text:
+            errors.append("hermes_control_surface_issues_missing_local_planning_notice")
+        for issue_id in REQUIRED_HERMES_CONTROL_SURFACE_ISSUE_IDS:
+            checked.append(f"hermes_control_surface_issue_id:{issue_id}")
+            if issue_id not in text:
+                errors.append(f"missing_hermes_control_surface_issue_id:{issue_id}")
+
     provider_admission_prd = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md"
     if provider_admission_prd.is_file():
         text = provider_admission_prd.read_text(encoding="utf-8")
@@ -1347,6 +1390,10 @@ def main() -> int:
             checked.append(f"workboard_id:{issue_id}")
             if issue_id not in text:
                 errors.append(f"missing_workboard_id:{issue_id}")
+        for issue_id in REQUIRED_HERMES_CONTROL_SURFACE_ISSUE_IDS:
+            checked.append(f"workboard_id:{issue_id}")
+            if issue_id not in text:
+                errors.append(f"missing_workboard_id:{issue_id}")
         for issue_id in REQUIRED_PROVIDER_ADMISSION_ISSUE_IDS:
             checked.append(f"workboard_id:{issue_id}")
             if issue_id not in text:
@@ -1407,6 +1454,8 @@ def main() -> int:
             "CTO-WORK-041": "validated",
             "CTO-WORK-042": "validated",
             "CTO-WORK-043": "validated",
+            "CTO-WORK-044": "validated",
+            "CTO-WORK-045": "candidate",
         }
         for issue_id, expected in expected_statuses.items():
             checked.append(f"workboard_status:{issue_id}:{expected}")
@@ -1453,6 +1502,10 @@ def main() -> int:
             errors.append("workboard_missing_stage6_prd_source")
         if "CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md" not in text:
             errors.append("workboard_missing_stage6_issues_source")
+        if "CTO-HERMES-CONTROL-SURFACE-PRD.md" not in text:
+            errors.append("workboard_missing_hermes_control_surface_prd_source")
+        if "CTO-HERMES-CONTROL-SURFACE-ISSUES.md" not in text:
+            errors.append("workboard_missing_hermes_control_surface_issues_source")
         if "CTO-CASE-PROVIDER-ADMISSION-PRD.md" not in text:
             errors.append("workboard_missing_provider_admission_prd_source")
         if "CTO-CASE-PROVIDER-ADMISSION-ISSUES.md" not in text: