From f5680290b0fc349864f621cdf85b6a68b421bc0e Mon Sep 17 00:00:00 2001 From: Svrnty Date: Sun, 31 May 2026 23:25:58 -0400 Subject: [PATCH] Add Case Stage 4 disposable sandbox PRD --- ...O-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md | 86 +++++++++++++++ .../CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md | 104 ++++++++++++++++++ .../CTO-CASE-STAGED-PROOF-GATES.md | 8 ++ README.md | 2 + WORKBOARD.yaml | 10 ++ tools/validate_cto_child.py | 49 +++++++++ 6 files changed, 259 insertions(+) create mode 100644 .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md create mode 100644 .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md diff --git a/.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md b/.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md new file mode 100644 index 0000000..2f0e612 --- /dev/null +++ b/.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md 
@@ -0,0 +1,86 @@
+---
+name: cto-case-stage4-disposable-sandbox-issues
+tier: local
+status: draft
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local issue sequence for Stage 4 Case disposable sandbox repository proof.
+---
+
+# CTO Case Stage 4 Disposable Sandbox Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Issue Sequence
+
+### CTO-WORK-035 - Stage 4 Disposable Sandbox PRD
+
+Type: AFK
+
+Status: validated.
+
+Blocked by: CTO-WORK-034
+
+User stories covered: CTO Case Candidate Backend PRD stories 4, 5, 7, 8, 9, 10, 11, 13.
+
+What to build: Define the Stage 4 disposable sandbox repository proof before implementation starts.
+
+Acceptance criteria:
+
+- [ ] PRD states Stage 4 allowed mutation scope is `disposable repository only`.
+- [ ] PRD requires Stage 3 validation before Stage 4.
+- [ ] PRD requires `CTO_HARNESS_ALLOW_CASE=1` and `CTO_HARNESS_CASE_STAGE=4`.
+- [ ] PRD requires approval requested/granted/denied events.
+- [ ] PRD requires branch policy proof.
+- [ ] PRD forbids push, merge, deploy, close, PR open, public publication, Target Repository mutation, source repository mutation, Case source mutation, vendor source mutation, Hermes WebUI mutation, and Cortex Core mutation.
+- [ ] PRD requires full Harness Evidence Interface artifacts.
+- [ ] PRD requires approval-denied, reviewer-reject, timeout, provider-unavailable, dirty-ending-tree, and disallowed-file failure fixtures.
+- [ ] Local CTO validator checks Stage 4 PRD and issue artifact.
+
+Allowed files: CTO child workspace planning docs and local validator only.
+
+Validator: `python3 tools/validate_cto_child.py`
+
+Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.
+
+### CTO-WORK-036 - Stage 4 Harness Disposable Sandbox Route
+
+Type: AFK
+
+Status: blocked.
+
+Blocked by: CTO-WORK-035
+
+User stories covered: CTO Case Candidate Backend PRD stories 4, 5, 7, 8, 9, 10, 11, 13.
+
+What to build: In `/home/svrnty/workspaces/hermes/cto/harness`, implement the Stage 4 disposable sandbox repository route behind the existing `case` engine seam.
+
+Acceptance criteria:
+
+- [ ] `case` remains disabled by default.
+- [ ] `CTO_HARNESS_ALLOW_CASE=1` remains required.
+- [ ] `CTO_HARNESS_CASE_STAGE=4` is required before disposable sandbox Case execution.
+- [ ] Missing Stage 4 gate emits blocked evidence and does not run Case.
+- [ ] Approval denied blocks before mutation.
+- [ ] Approval granted is recorded before mutation.
+- [ ] Branch policy proof is recorded.
+- [ ] Case mutates only the disposable repository.
+- [ ] No Target Repository path is inspected or copied.
+- [ ] No push, merge, deploy, close, PR open, or public publication occurs by default.
+- [ ] Required artifacts include approval proof, branch proof, sandbox disposal or retention note, `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, and backend logs.
+- [ ] Failure fixtures fail closed for approval denied, reviewer reject, timeout, provider unavailable, dirty ending tree, and disallowed file.
+- [ ] Fake remains the default validation lane and broad health remains green after focused Stage 4 validation.
+
+Allowed files: Hermes CTO harness engine, disposable sandbox fixtures, focused Stage 4 validator, harness docs, and tests. WebUI, Core, Case source, vendor source, source repository, Target Repository, owned noncritical repositories, production repositories, and external developer repositories are forbidden.
+
+Validator: `python3 harness/runner/validate-case-stage4.py --harness-root harness --json`, then `harness/evals/health.sh --json`.
+
+Done evidence: Stage 4 pass report, failure fixture reports, approval proof, branch proof, sandbox disposal or retention note, artifact digests, clean worktree, commit.
+
+## Granularity Check
+
+This is intentionally two slices: one planning route and one executable harness route. Stage 4 adds approval and disposable repository policy, which are distinct from Stage 3 copied-repo non-mutation proof.
diff --git a/.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md b/.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md
new file mode 100644
index 0000000..7885876
--- /dev/null
+++ b/.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md
@@ -0,0 +1,104 @@
+---
+name: cto-case-stage4-disposable-sandbox-prd
+tier: local
+status: draft
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local PRD for Stage 4 Case disposable sandbox repository proof.
+---
+
+# CTO Case Stage 4 Disposable Sandbox PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem Statement
+
+Stage 3 proves Case can change a copied local repository fixture without mutating the source repository. It does not prove branch policy, approval denial, sandbox disposal, or fail-closed behavior in a disposable repository. Stage 4 must prove the next narrow behavior before any owned repository is eligible.
+
+## Solution
+
+Add a Stage 4 disposable sandbox repository route for the Hermes CTO Harness. The route creates or admits only a throwaway repository, runs Case behind the existing `case` seam, records approval events, and proves no push, merge, deploy, close, or source promotion occurs unless the task contract explicitly allows it.
+
+Stage 4 keeps all earlier gates. `case` remains disabled by default. `CTO_HARNESS_ALLOW_CASE=1` and `CTO_HARNESS_CASE_STAGE=4` are required. Missing gates mean blocked, not warning.
+
+Allowed mutation scope is `disposable repository only`. Writable roots are limited to `runtime_workspace_root`, `run_artifact_dir`, and the disposable repository copy created for the run. Target Repository, source repository, Case source, vendor source, external developer repositories, Hermes WebUI, and Cortex Core are forbidden.
+
+## Scope
+
+- Define one disposable sandbox repository proof route.
+- Require Stage 3 validated evidence before Stage 4 execution.
+- Require disposable repository ownership, creation source, and disposal or retention policy.
+- Require approval requested/granted/denied event handling.
+- Require branch policy proof.
+- Require no push, merge, deploy, close, PR open, or public publication by default.
+- No push, merge, deploy, close, PR open, or public publication occurs by default.
+- Preserve full Harness Evidence Interface artifacts.
+- Add approval-denied, reviewer-reject, timeout, provider-unavailable, dirty-ending-tree, and disallowed-file failure fixtures.
+
+## Non-Goals
+
+- Do not mutate an owned noncritical repository.
+- Do not mutate a production Target Repository.
+- Do not grant default backend status.
+- Do not push, merge, deploy, close, open a pull request, or publish.
+- Do not resolve Case license or source admission for broader real-repo work.
+- Do not approve Stage 5, Stage 6, WebUI Runtime behavior, or Core promotion.
+
+## Acceptance Criteria
+
+- Stage 4 entry requires Stage 3 validated.
+- `CTO_HARNESS_ALLOW_CASE=1` remains required.
+- `CTO_HARNESS_CASE_STAGE=4` is required.
+- Missing Stage 4 gate blocks before Case starts.
+- Disposable repository is created or admitted under run artifact control.
+- Approval denied fails closed before mutation.
+- Approval granted is recorded before mutation.
+- Branch policy is recorded before Case starts.
+- Case mutates only the disposable repository.
+- No Target Repository path is inspected or copied.
+- No source repository is mutated.
+- No push, merge, deploy, close, PR open, or public publication occurs unless explicitly allowed by task contract.
+- `report.json` records `backend: case`, `case_process_started`, `allowed_mutation_scope: disposable repository only`, `approval_status`, `branch_policy`, `disposable_repository_dir`, `changed_files`, `blockers`, `artifact_digests`, and freshness proof.
+- Required artifacts include `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, backend logs, approval proof, branch proof, and sandbox disposal or retention note.
+- Fake remains the default validation lane.
+
+## Validation
+
+- Focused validator: `python3 harness/runner/validate-case-stage4.py --harness-root harness --json`.
+- The Stage 4 validator must require Stage 3 validation first.
+- The validator must prove missing Stage 4 gate blocks before `case_process_started`.
+- The validator must prove approval denied fails closed.
+- The validator must prove approval granted records before mutation.
+- The validator must prove no Target Repository path is inspected or copied.
+- The validator must prove no push, merge, deploy, close, or PR open occurs by default.
+- Broader Hermes health must run once after focused Stage 4 validation passes.
+- CTO child validator must require this PRD and issue artifact before Stage 4 implementation is governed.
+
+## Risks
+
+- Disposable sandbox proof can be mistaken for owned-repo approval.
+- Approval events can become ceremony if not tied to mutation gates.
+- Branch policy proof can miss side effects outside git.
+- Sandbox cleanup can destroy useful evidence if retention policy is weak.
+
+## Dependencies
+
+- Stage 3 copied-repo fixture is validated.
+- Harness Evidence Interface Contract is validated.
+- Case Adapter Contract is validated.
+- Case Failure Fixture Matrix is validated.
+- Real Case Qwen Stage 3 evidence exists as supporting telemetry, not a new blocking gate.
+
+## Success Definition
+
+Stage 4 is successful when Case changes only a disposable repository, records approval and branch policy evidence, preserves full Harness Evidence Interface proof, fails closed for required sandbox failure classes, and performs no push, merge, deploy, close, PR open, or broader repository mutation.
+
+## Challenge Findings
+
+- Accepted: real Case Qwen Stage 3 evidence strengthens Stage 3 but should not become a new mandatory gate.
+- Accepted: approval denial must be a hard pre-mutation gate.
+- Accepted: Stage 4 must stay disposable and must not become owned-repo proof.
diff --git a/.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md b/.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md index 5a2ddce..80501d2 100644 --- a/.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md +++ b/.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md @@ -157,6 +157,7 @@ Validation evidence: - Hermes commit: `4edf5f1 Add Case Stage 3 copied repo harness proof`. - Stage 3 pass artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T031903Z-r1-string-slugify-3018046`. +- Real Case Qwen Stage 3 pass artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T032245Z-r1-string-slugify-3035256`. - Stage 3 pass report status: `pass`. - Source repository mutated: `false`. - Copied fixture starts clean: `true`. @@ -184,6 +185,8 @@ Promotion condition: ## Stage 4 - Disposable Sandbox Repo +Status: planned. Execution remains blocked until `CTO-WORK-036` produces Harness Evidence Interface pass evidence. + Entry gates: - Stage 3 is validated. @@ -200,6 +203,11 @@ Required artifacts: - sandbox disposal or retention note; - failure matrix coverage for sandbox mode. +Planning evidence: + +- Stage 4 PRD: `.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md`. +- Stage 4 issues: `.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md`. + Validator expectation: - mutation occurs only in disposable repository; diff --git a/README.md b/README.md index 9318444..86ced06 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,8 @@ This workspace is registered as a child-local planning workspace. Registration d | |-- CTO-CASE-STAGE2-ARTIFICIAL-FIXTURE-ISSUES.md | |-- CTO-CASE-STAGE3-COPIED-REPO-PRD.md | |-- CTO-CASE-STAGE3-COPIED-REPO-ISSUES.md +| |-- CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md +| |-- CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md | |-- CTO-CASE-PROVIDER-ADMISSION-PRD.md | |-- CTO-CASE-PROVIDER-ADMISSION-ISSUES.md | |-- CTO-CASE-PROVIDER-BUILD-PRD.md diff --git a/WORKBOARD.yaml b/WORKBOARD.yaml index 5993723..8d08d6f 100644 
--- a/WORKBOARD.yaml +++ b/WORKBOARD.yaml @@ -170,3 +170,13 @@ items: status: validated source: .sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-ISSUES.md owner: "" + - id: CTO-WORK-035 + title: Stage 4 Disposable Sandbox PRD + status: validated + source: .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md + owner: "" + - id: CTO-WORK-036 + title: Stage 4 Harness Disposable Sandbox Route + status: blocked + source: .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md + owner: jp diff --git a/tools/validate_cto_child.py b/tools/validate_cto_child.py index 87bb98f..3b2d296 100644 --- a/tools/validate_cto_child.py +++ b/tools/validate_cto_child.py @@ -30,6 +30,8 @@ REQUIRED_FILES = [ ".sot/03-PROTOCOLS/CTO-CASE-STAGE2-ARTIFICIAL-FIXTURE-ISSUES.md", ".sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-PRD.md", ".sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-ISSUES.md", + ".sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md", + ".sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-ISSUES.md", ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md", 
@@ -292,6 +294,25 @@ REQUIRED_STAGE3_ISSUE_IDS = [ "CTO-WORK-034", ] +REQUIRED_STAGE4_PRD_PHRASES = [ + "Local planning SOT only. Not a Core Protocol. Not active Core authority.", + "Stage 4 must prove the next narrow behavior", + "disposable repository only", + "CTO_HARNESS_ALLOW_CASE=1", + "CTO_HARNESS_CASE_STAGE=4", + "approval requested/granted/denied", + "branch policy proof", + "No push, merge, deploy, close, PR open, or public publication occurs by default.", + "approval-denied", + "reviewer-reject", + "Stage 4 is successful when Case changes only a disposable repository", +] + +REQUIRED_STAGE4_ISSUE_IDS = [ + "CTO-WORK-035", + "CTO-WORK-036", +] + REQUIRED_PROVIDER_ADMISSION_PRD_PHRASES = [ "Local planning SOT only. Not a Core Protocol. Not active Core authority.", "https://github.com/workos/case.git", 
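Review bot: `REQUIRED_STAGE4_PRD_PHRASES` pins only two of the six failure fixtures (`approval-denied`, `reviewer-reject`) and none of the forbidden-target wording, so the PRD can lose `timeout`, `provider-unavailable`, `dirty-ending-tree`, `disallowed-file` or the sentence that forbids Target Repository and source repository mutation and this validator still passes. The CTO-WORK-035 acceptance criteria in the same patch name all of these as PRD requirements. Adding the full sentences already present in the PRD closes the gap: `"approval-denied, reviewer-reject, timeout, provider-unavailable, dirty-ending-tree, and disallowed-file failure fixtures",`, `"Hermes WebUI, and Cortex Core are forbidden.",` and `"Missing gates mean blocked, not warning.",`.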
@@ -910,6 +931,28 @@ def main() -> int: if issue_id not in text: errors.append(f"missing_stage3_issue_id:{issue_id}") + stage4_prd = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md" + if stage4_prd.is_file(): + text = stage4_prd.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("stage4_prd_missing_not_promoted_frontmatter") + for phrase in REQUIRED_STAGE4_PRD_PHRASES: + checked.append(f"stage4_prd_phrase:{phrase}") + if phrase not in text: + errors.append(f"missing_stage4_prd_phrase:{phrase}") + + stage4_issues = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md" + if stage4_issues.is_file(): + text = stage4_issues.read_text(encoding="utf-8") + if "core_promotion_status: not-promoted" not in text: + errors.append("stage4_issues_missing_not_promoted_frontmatter") + if "Local planning SOT only. Not a Core Protocol. Not active Core authority." not in text: + errors.append("stage4_issues_missing_local_planning_notice") + for issue_id in REQUIRED_STAGE4_ISSUE_IDS: + checked.append(f"stage4_issue_id:{issue_id}") + if issue_id not in text: + errors.append(f"missing_stage4_issue_id:{issue_id}") + provider_admission_prd = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-ADMISSION-PRD.md" if provider_admission_prd.is_file(): text = provider_admission_prd.read_text(encoding="utf-8") @@ -1160,6 +1203,8 @@ def main() -> int: "CTO-WORK-030": "validated", "CTO-WORK-033": "validated", "CTO-WORK-034": "validated", + "CTO-WORK-035": "validated", + "CTO-WORK-036": "blocked", } for issue_id, expected in expected_statuses.items(): checked.append(f"workboard_status:{issue_id}:{expected}") 
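Review bot: The Stage 4 issue-id loop in `main()` is satisfied by any mention of the id, and `CTO-WORK-035` also appears in the issues file as `Blocked by: CTO-WORK-035` under the 036 entry, so deleting the 035 section would go unnoticed. Matching the entry heading instead, for example `if f"### {issue_id} - " not in text:`, ties the check to the entry itself. The same whole-file substring matching applies to `core_promotion_status: not-promoted`, which is not restricted to the front matter, and to the workboard source checks added in the later hunk at -1190, which do not tie a source path to its item id. Both new blocks are skipped when `is_file()` is false, so a missing Stage 4 file is reported only if the REQUIRED_FILES check, which is outside this hunk, catches it; `main()` starts and ends outside the hunk.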
@@ -1190,6 +1235,10 @@ def main() -> int: errors.append("workboard_missing_stage3_prd_source") if "CTO-CASE-STAGE3-COPIED-REPO-ISSUES.md" not in text: errors.append("workboard_missing_stage3_issues_source") + if "CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md" not in text: + errors.append("workboard_missing_stage4_prd_source") + if "CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md" not in text: + errors.append("workboard_missing_stage4_issues_source") if "CTO-CASE-PROVIDER-ADMISSION-PRD.md" not in text: errors.append("workboard_missing_provider_admission_prd_source") if "CTO-CASE-PROVIDER-ADMISSION-ISSUES.md" not in text: