Add Stage 5 target repository admission template

.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md

@@ -55,7 +55,7 @@ Type: HITL
 
 Status: blocked.
 
-Blocked by: CTO-WORK-037 and explicit JP selection or approval of an owned low-risk noncritical Target Repository.
+Blocked by: CTO-WORK-037, CTO-WORK-039, and explicit JP selection or approval of an owned low-risk noncritical Target Repository.
 
 User stories covered: CTO Case Candidate Backend PRD stories 4, 5, 7, 8, 9, 10, 11, 13.
 
@@ -84,6 +84,34 @@ Validator: `python3 harness/runner/validate-case-stage5.py --harness-root harnes
 
 Done evidence: Stage 5 pass report, failure fixture reports, Target Repository admission proof, approval proof, allowed-path proof, forbidden-action proof, operator outcome, artifact digests, clean worktree, commit.
 
+
+### CTO-WORK-039 - Stage 5 Target Repository Admission Template
+
+Type: AFK
+
+Status: validated.
+
+Blocked by: CTO-WORK-037
+
+User stories covered: CTO Case Candidate Backend PRD stories 4, 5, 7, 8, 9, 10, 11, 13.
+
+What to build: Define the validator-readable Target Repository admission template required before Stage 5 can execute against any owned noncritical repository.
+
+Acceptance criteria:
+
+- [x] Template states it does not admit any repository.
+- [x] Template requires `admission_status`, `target_repository_path`, `repository_owner`, `ownership_evidence`, `risk_classification`, `noncritical_rationale`, `allowed_paths`, `forbidden_paths`, `forbidden_actions`, `approval_source`, `approval_timestamp`, `operator_outcome_required`, and `review_trigger`.
+- [x] Template requires `risk_classification` to be `low_risk_noncritical`.
+- [x] Template requires missing admission, missing ownership evidence, critical classification, empty allowed paths, missing forbidden actions, missing approval, and missing operator outcome requirement to block before `case_process_started`.
+- [x] Template forbids treating the template as Case execution authority.
+- [x] Local CTO validator checks the template artifact.
+
+Allowed files: CTO child workspace planning docs and local validator only.
+
+Validator: `python3 tools/validate_cto_child.py`
+
+Done evidence: template artifact, issue reference, validator JSON, clean worktree, commit.
+
 ## Granularity Check
 
 This is intentionally two slices: one planning route and one executable harness route. Stage 5 is not over-granular because it is the first proof involving an admitted owned repository and must separate repository ownership, approval, allowed paths, verification, and operator outcome before default candidacy.

.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION-TEMPLATE.md

@@ -0,0 +1,94 @@
+---
+name: cto-case-stage5-target-repository-admission-template
+tier: local
+status: draft
+owner: jp
+source: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-PRD.md
+created: 2026-06-01
+last_reviewed: 2026-06-01
+lifecycle_classification: planning
+core_promotion_status: not-promoted
+description: Child-local Stage 5 Target Repository admission template. This template does not admit any repository.
+---
+
+# CTO Case Stage 5 Target Repository Admission Template
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Status
+
+This artifact is a template only. No Target Repository is admitted by this file. Stage 5 execution remains blocked until JP records a concrete admission record using this template and the Harness validates it.
+
+## Purpose
+
+Stage 5 needs a precise human decision before Case may touch an owned repository. This template converts that decision into validator-readable fields without storing secrets, credentials, or broad repository authority.
+
+## Required Admission Fields
+
+- `admission_status`: `admitted` or `not_admitted`.
+- `target_repository_path`: absolute local path, recorded only in the concrete admission record.
+- `repository_owner`: human or organization owner.
+- `ownership_evidence`: compact reference proving JP controls or is authorized to mutate the repository.
+- `risk_classification`: must be `low_risk_noncritical`.
+- `noncritical_rationale`: why this repository is safe for Stage 5.
+- `allowed_paths`: explicit file or directory paths Case may mutate.
+- `forbidden_paths`: explicit paths Case must not mutate.
+- `forbidden_actions`: must include push, merge, deploy, close, PR open, issue close, public publication, credential change, vendor-source mutation, and Cortex Core mutation.
+- `approval_source`: JP approval reference.
+- `approval_timestamp`: timestamp or date of approval.
+- `operator_outcome_required`: must be `true`.
+- `review_trigger`: condition that invalidates the admission.
+
+## Required Negative Gates
+
+- Missing admission record blocks before `case_process_started`.
+- `admission_status != admitted` blocks before `case_process_started`.
+- Missing ownership evidence blocks before `case_process_started`.
+- `risk_classification != low_risk_noncritical` blocks before `case_process_started`.
+- Empty `allowed_paths` blocks before `case_process_started`.
+- Missing forbidden action blocks before `case_process_started`.
+- Missing approval source blocks before `case_process_started`.
+- Missing operator outcome requirement blocks before `case_process_started`.
+
+## Concrete Record Skeleton
+
+```json
+{
+  "admission_status": "not_admitted",
+  "target_repository_path": "",
+  "repository_owner": "",
+  "ownership_evidence": "",
+  "risk_classification": "",
+  "noncritical_rationale": "",
+  "allowed_paths": [],
+  "forbidden_paths": [],
+  "forbidden_actions": [
+    "push",
+    "merge",
+    "deploy",
+    "close",
+    "pr_open",
+    "issue_close",
+    "public_publication",
+    "credential_change",
+    "vendor_source_mutation",
+    "cortex_core_mutation"
+  ],
+  "approval_source": "",
+  "approval_timestamp": "",
+  "operator_outcome_required": true,
+  "review_trigger": ""
+}
+```
+
+## Non-Admission Rules
+
+- This template does not admit a Target Repository.
+- This template does not authorize Case execution.
+- This template does not authorize owned repository mutation.
+- This template does not authorize default backend candidacy.
+- This template does not authorize push, merge, deploy, close, PR open, issue close, or public publication.
+
+## Validator Expectation
+
+The local CTO validator must require this template before Stage 5 execution planning can proceed. Hermes Stage 5 implementation must later validate a concrete admission record separately.