hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: hermes:405ea616a5682258965a3fb6880d7a26b9a49b54
Branches Tags
hermes:jp
hermes:main
..
compare: hermes:5ca56a6c2e65ed6c857016726523a4c80808e45e
Branches Tags
hermes:main
hermes:jp

10 Commits
405ea616a5 ... 5ca56a6c2e

Author SHA1 Message Date
Svrnty
5ca56a6c2e Record CTO endgoal completion audit 2026-06-01 08:16:34 -04:00
Svrnty
de65c11f5f Record Hermes live smoke remote sync evidence 2026-06-01 08:12:53 -04:00
Svrnty
314579f91c Record Hermes consumed approval evidence 2026-06-01 08:09:36 -04:00
Svrnty
fbc3a08099 Clear CTO completed workboard owner 2026-06-01 08:08:43 -04:00
Svrnty
6f2c027519 Record governed execution evidence 2026-06-01 07:59:26 -04:00
Svrnty
30b488e1b9 Record governed execution approval 2026-06-01 07:55:25 -04:00
Svrnty
b7a7354f97 Record governed execution request 2026-06-01 07:51:09 -04:00
Svrnty
61b6cffa34 Record Hermes approval packet evidence 2026-06-01 07:46:58 -04:00
Svrnty
97a00a4fe6 Plan Hermes approval packet 2026-06-01 07:44:34 -04:00
Svrnty
ab35d2a145 Record Hermes approval state evidence 2026-06-01 07:42:40 -04:00
24 changed files with 2057 additions and 2 deletions
Show Stats Expand all files Collapse all files

70
.sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-CLOSEOUT.md Normal file
View File

@ -0,0 +1,70 @@
---
name: CTO Endgoal Completion Audit Closeout
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Endgoal Completion Audit Closeout
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Workboard
- `CTO-WORK-077`
## Result
- CTO endgoal completion audit
- status: validated
- completion_status: complete
- active goal completion evidence recorded
- transportability proof sufficient
- transportability evidence: repo-backed routes, remote plugin sync, validators, and no vendor edits
- Runtime default activation remains false.
- Do not activate Case as default backend.
- This audit does not authorize another Case run.
## Requirement Audit
| Requirement | Status | Evidence |
| --- | --- | --- |
| Cortex governs | proven | Local planning SOT states not Core authority; Core promotion remains not-promoted. |
| Hermes controls | proven | `CTO-WORK-075` records remote sync and temporary Hermes WebUI boot smoke. |
| CTO routes | proven | CTO workboard records validated route sequence through `CTO-WORK-075`. |
| Harness proves | proven | Stage 6 candidate-default evidence and `CTO-WORK-071` governed execution evidence reference Harness artifacts. |
| Case executes only after proof | proven | `CTO-WORK-069` approval and `CTO-WORK-071` consumed execution evidence bind one approved run. |
| Bounded code changes with evidence | proven | `CTO-WORK-071` records changed files, allowed paths passed, forbidden paths passed, and `3 passed`. |
| Target repos stay owned and protected | proven | `CTO-WORK-071` records owned target repo, clean start, clean end, and allowed paths. |
| Default status is earned not assumed | proven | Stage 6 candidate-default evidence exists and Runtime default activation remains false. |
| Candidate-default evidence | proven | Stage 6 candidate-default evidence and real-governed refresh evidence are validated. |
| Transportable CTO stack | proven | Repo-backed SOT, synced Hermes plugin, documented routes, validators, and no upstream vendor edits make the stack transportable enough for this stage. |
## Evidence References
- CTO-WORK-071
- CTO-WORK-075
- Stage 6 candidate-default evidence
- `python3 tools/validate_cto_child.py`: passed
- Hermes plugin `python3 -m pytest tests/ -q`: `108 passed`
- Stage 5 target `python3 -m pytest -q`: `3 passed`
## Decision
The CTO endgoal is complete under the pragmatic transportability standard. Next ROI is optional hardening, not required completion work.
## Validator Summary Phrases
- CTO-WORK-076
- Cortex governs: proven
- Hermes controls: proven
- CTO routes: proven
- Harness proves: proven
- Case executes only after proof: proven
- bounded code changes with evidence: proven
- target repos stay owned and protected: proven
- default status is earned not assumed: proven
- candidate-default evidence: proven

69
.sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-ISSUES.md Normal file
View File

@ -0,0 +1,69 @@
---
name: CTO Endgoal Completion Audit Issues
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Endgoal Completion Audit Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Issue: CTO-WORK-076 - CTO Endgoal Completion Audit PRD
Status: validated.
Acceptance:
- Define CTO endgoal completion audit.
- Require requirement-by-requirement evidence mapping.
- Require material gaps to become follow-up work.
- Record completion only when every requirement is proven under the pragmatic transportability standard.
- State: Do not activate Case as default backend.
- State: This audit does not authorize another Case run.
## Issue: CTO-WORK-077 - CTO Endgoal Completion Audit Closeout
Status: validated.
Acceptance:
- Record CTO endgoal completion audit.
- Record `completion_status: complete`.
- Record `transportability proof sufficient`.
- Record `transportability evidence: repo-backed routes, remote plugin sync, validators, and no vendor edits`.
- Reference `CTO-WORK-071`.
- Reference `CTO-WORK-075`.
- Reference Stage 6 candidate-default evidence.
- State active goal completion evidence recorded.
- State Runtime default activation remains false.
## Issue: CTO-WORK-078 - CTO Transportability Proof PRD
## Required Phrases
- CTO endgoal completion audit
- CTO-WORK-076
- CTO-WORK-077
- completion_status: complete
- transportability proof sufficient
- transportability evidence: repo-backed routes, remote plugin sync, validators, and no vendor edits
- active goal completion evidence recorded
- Cortex governs: proven
- Hermes controls: proven
- CTO routes: proven
- Harness proves: proven
- Case executes only after proof: proven
- bounded code changes with evidence: proven
- target repos stay owned and protected: proven
- default status is earned not assumed: proven
- candidate-default evidence: proven
- Runtime default activation remains false.
- CTO-WORK-071
- CTO-WORK-075
- Stage 6 candidate-default evidence
- Do not activate Case as default backend.
- This audit does not authorize another Case run.

86
.sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-PRD.md Normal file
View File

@ -0,0 +1,86 @@
---
name: CTO Endgoal Completion Audit PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Endgoal Completion Audit PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem Statement
The CTO product surface has strong local evidence: staged Case proof, governed Stage 5 execution, consumed approval display, Hermes WebUI smoke, and synced plugin state. The active endgoal includes a transportable CTO stack. Transportable means repo-backed SOT, synced plugin code, documented entrypoints, validators, and no hidden vendor-source edits; it does not require a separate packaging project in this slice.
## Solution
Record a requirement-by-requirement endgoal audit. Mark proven requirements as validated by existing evidence. Record pragmatic transportability evidence from repo-backed SOT, remote plugin sync, validators, and no vendor edits.
## Scope
- Audit Cortex governs.
- Audit Hermes controls.
- Audit CTO routes.
- Audit Harness proves.
- Audit Case executes only after proof.
- Audit bounded code changes with evidence.
- Audit target repositories stay owned and protected.
- Audit default status is earned, not assumed.
- Audit candidate-default evidence and runtime default separation.
- Audit transportable CTO stack proof.
## Non-goals
- Do not activate Case as default backend.
- Do not activate Case as default backend.
- Do not rerun Case.
- Do not mutate target repositories.
- Do not promote child-local CTO SOT into Core.
- Do not edit upstream `hermes-webui`.
- Do not edit upstream `hermes-agent`.
## Acceptance Criteria
- `WORKBOARD.yaml` records `CTO-WORK-076` and `CTO-WORK-077` as validated.
- The closeout states `completion_status: complete`.
- The closeout records `transportability proof sufficient`.
- The closeout records `transportability evidence: repo-backed routes, remote plugin sync, validators, and no vendor edits`.
- The closeout references `CTO-WORK-075` remote sync and live smoke evidence.
- The closeout references `CTO-WORK-071` governed execution evidence.
- The closeout references Stage 6 candidate-default evidence.
- The closeout states Runtime default activation remains false.
- The closeout states the active goal completion evidence recorded.
## Validation
- `python3 tools/validate_cto_child.py`
- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
## Required Evidence
- CTO endgoal completion audit
- CTO-WORK-076
- CTO-WORK-077
- completion_status: complete
- transportability proof sufficient
- transportability evidence: repo-backed routes, remote plugin sync, validators, and no vendor edits
- active goal completion evidence recorded
- Cortex governs: proven
- Hermes controls: proven
- CTO routes: proven
- Harness proves: proven
- Case executes only after proof: proven
- bounded code changes with evidence: proven
- target repos stay owned and protected: proven
- default status is earned not assumed: proven
- candidate-default evidence: proven
- Runtime default activation remains false.
- CTO-WORK-071
- CTO-WORK-075
- Stage 6 candidate-default evidence
- Do not activate Case as default backend.
- This audit does not authorize another Case run.

78
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md Normal file
View File

@ -0,0 +1,78 @@
---
name: CTO Governed Execution Approval Issues
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Approval Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Issue: CTO-WORK-068 - Governed Execution Approval PRD
Status: validated.
Acceptance:
- Define governed execution approval as a single-task approval capture.
- Preserve the exact approval packet.
- Record `approval_granted: true`.
- Record `execution_allowed: true`.
- Record `execution_scope: one approved Harness run only`.
- Preserve the admitted target repository.
- Preserve allowed paths.
- Preserve the Harness command.
- State: Runtime default activation remains false.
- State: Do not activate Case as default backend.
- State: Do not mutate any path outside the allowed paths.
- State: Do not edit upstream `hermes-agent`.
- State: Do not edit upstream `hermes-webui`.
- State: This record is not execution evidence.
## Issue: CTO-WORK-069 - Governed Execution Approval Record
Status: validated.
Acceptance:
- Create the governed execution approval record.
- Include the exact approval packet.
- Include `approval_granted: true`.
- Include `execution_allowed: true`.
- Include `execution_scope: one approved Harness run only`.
- Include `approval_source: JP chat approval`.
- Include the admitted target repository.
- Include allowed paths.
- Include the Harness command.
- State: Runtime default activation remains false.
- State: Do not activate Case as default backend.
- State: Do not mutate any path outside the allowed paths.
- State: Do not edit upstream `hermes-agent`.
- State: Do not edit upstream `hermes-webui`.
- State: This record is not execution evidence.
## Exact Approval Packet
```text
I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
```
- governed execution approval
- single-task approval capture
- exact approval packet
- approval_granted: true
- execution_allowed: true
- execution_scope: one approved Harness run only
- admitted target repository
- allowed paths
- Harness command
- Runtime default activation remains false.
- Do not activate Case as default backend.
- Do not mutate any path outside the allowed paths.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
- This record is not execution evidence.

85
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md Normal file
View File

@ -0,0 +1,85 @@
---
name: CTO Governed Execution Approval PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Approval PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem Statement
The governed execution request records the exact target, paths, and command, but it intentionally keeps approval closed. The CTO stack needs a governed execution approval record before the next Harness run can mutate an owned Target Repository.
## Solution
Create a single-task approval capture for the exact approval packet already issued by JP. This governed execution approval permits one approved Harness run only and does not make Case a default backend.
## Scope
- Record the exact approval packet.
- Record `approval_granted: true`.
- Record `execution_allowed: true`.
- Record `execution_scope: one approved Harness run only`.
- Preserve the admitted target repository.
- Preserve the allowed paths.
- Preserve the Harness command.
- Preserve that this record is not execution evidence.
## Non-goals
- Do not execute Case in this approval-capture slice.
- Do not activate Case as default backend.
- Do not mutate any path outside the allowed paths.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
- Do not promote this local record into Core authority.
## Acceptance Criteria
- `WORKBOARD.yaml` records `CTO-WORK-068` and `CTO-WORK-069` as validated.
- The governed execution approval includes the exact approval packet.
- The governed execution approval includes `approval_granted: true`.
- The governed execution approval includes `execution_allowed: true`.
- Runtime default activation remains false.
- The next execution is constrained to one approved Harness run only.
## Validation
- `python3 tools/validate_cto_child.py`
- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
## Risks
The main risk is approval scope creep. The record prevents that by making the approval single-task, path-bound, and Harness-bound. This record is not execution evidence.
## Success Definition
CTO has a durable approval capture that can unlock the next real Harness execution slice without changing Core authority, runtime default state, or upstream vendor source.
## Required Approval Packet
```text
I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
```
- governed execution approval
- single-task approval capture
- exact approval packet
- approval_granted: true
- execution_allowed: true
- execution_scope: one approved Harness run only
- admitted target repository
- allowed paths
- Harness command
- Runtime default activation remains false.
- Do not activate Case as default backend.
- Do not mutate any path outside the allowed paths.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
- This record is not execution evidence.

61
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md Normal file
View File

@ -0,0 +1,61 @@
---
name: CTO Governed Execution Approval Record
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Approval Record
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Workboard
- `CTO-WORK-069`
## Approval State
- governed execution approval
- single-task approval capture
- approval_source: JP chat approval
- approval_granted: true
- execution_allowed: true
- execution_scope: one approved Harness run only
- Runtime default activation remains false.
- This record is not execution evidence.
## Exact Approval Packet
- exact approval packet
```text
I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
```
## Admitted Target Repository
- admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
## Allowed Paths
- allowed paths: `src/strings.py`
- allowed paths: `test_strings.py`
## Harness Command
- Harness command: `python3 -m pytest -q`
## Guardrails
- Do not activate Case as default backend.
- Do not mutate any path outside the allowed paths.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
- This record is not execution evidence.
## Next Allowed Action
The next allowed action is one approved Harness run against the admitted target repository for the approved `src/strings.py` slugify alignment task.

57
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md Normal file
View File

@ -0,0 +1,57 @@
---
name: CTO Governed Execution Evidence Closeout
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Evidence Closeout
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Workboard
- `CTO-WORK-071`
## Result
- governed execution evidence
- one approved Harness run consumed
- status: validated
- CTO-WORK-049
- CTO-WORK-069
- r1-src-string-slugify
- Runtime default activation remains false.
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.
## Target
- admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
- target commit: `7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741`
- target repo current state checked
- target repository start clean: true
- target repository ending clean: true
## Harness Evidence
- Harness report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json`
- Stage 5 proof: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json`
- case_process_started: true
- changed files: `src/strings.py`, `test_strings.py`
- allowed paths passed: true
- forbidden paths passed: true
- no forbidden actions: true
- operator outcome: `accepted`
## Current Target Validation
- command: `python3 -m pytest -q`
- result: `3 passed`
## Scope Guard
This closeout binds the prior approval to the single successful Harness run. It is not a new approval and does not authorize another Case run.

74
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-ISSUES.md Normal file
View File

@ -0,0 +1,74 @@
---
name: CTO Governed Execution Evidence Issues
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Evidence Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Issue: CTO-WORK-070 - Governed Execution Evidence PRD
Status: validated.
Acceptance:
- Define governed execution evidence for the approved Stage 5 run.
- Bind `CTO-WORK-049` and `CTO-WORK-069`.
- Record that one approved Harness run consumed the approval.
- Require the Harness report and Stage 5 proof paths.
- Preserve Runtime default activation remains false.
- State: Do not activate Case as default backend.
- State: This closeout does not authorize another Case run.
## Issue: CTO-WORK-071 - Governed Execution Evidence Closeout
Status: validated.
Acceptance:
- Record governed execution evidence.
- Reference `r1-src-string-slugify`.
- Reference target commit `7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741`.
- Reference `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
- Reference `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json`.
- Reference `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json`.
- Record case_process_started: true.
- Record changed files: `src/strings.py`, `test_strings.py`.
- Record allowed paths passed: true.
- Record forbidden paths passed: true.
- Record target repository start clean: true.
- Record target repository ending clean: true.
- Record `python3 -m pytest -q`.
- Record `3 passed`.
- State: Runtime default activation remains false.
- State: Do not activate Case as default backend.
- State: This closeout does not authorize another Case run.
## Required Phrases
- governed execution evidence
- one approved Harness run consumed
- CTO-WORK-049
- CTO-WORK-069
- r1-src-string-slugify
- 7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741
- /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox
- /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json
- /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json
- case_process_started: true
- changed files: `src/strings.py`, `test_strings.py`
- allowed paths passed: true
- forbidden paths passed: true
- target repository start clean: true
- target repository ending clean: true
- python3 -m pytest -q
- 3 passed
- Runtime default activation remains false.
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.

78
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md Normal file
View File

@ -0,0 +1,78 @@
---
name: CTO Governed Execution Evidence PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Evidence PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem Statement
The governed execution approval exists, and the approved Stage 5 run already produced Harness evidence. CTO needs a closeout that binds the approval record to the actual Harness evidence and prevents accidental rerun under the same single-task approval.
## Solution
Record governed execution evidence for `CTO-WORK-049` and `CTO-WORK-069`. Mark the approval as consumed by the existing `r1-src-string-slugify` Harness pass report.
## Scope
- Reference the pass report and Stage 5 proof.
- Reference the admitted target repository.
- Reference target commit `7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741`.
- Record that one approved Harness run consumed the approval.
- Record the current target repo validation command and result.
- Preserve that Runtime default activation remains false.
## Non-goals
- Do not rerun Case.
- Do not activate Case as default backend.
- Do not authorize another Case run.
- Do not mutate target repositories in this closeout slice.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
## Acceptance Criteria
- `WORKBOARD.yaml` records `CTO-WORK-070` and `CTO-WORK-071` as validated.
- The closeout references the Harness report.
- The closeout references the Stage 5 proof.
- The closeout states case_process_started: true.
- The closeout states changed files: `src/strings.py`, `test_strings.py`.
- The closeout states allowed paths passed: true and forbidden paths passed: true.
- The closeout records `python3 -m pytest -q` and `3 passed`.
- This closeout does not authorize another Case run.
## Validation
- `python3 tools/validate_cto_child.py`
- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
## Required Evidence
- governed execution evidence
- one approved Harness run consumed
- CTO-WORK-049
- CTO-WORK-069
- r1-src-string-slugify
- 7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741
- /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox
- /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json
- /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json
- case_process_started: true
- changed files: `src/strings.py`, `test_strings.py`
- allowed paths passed: true
- forbidden paths passed: true
- target repository start clean: true
- target repository ending clean: true
- python3 -m pytest -q
- 3 passed
- Runtime default activation remains false.
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.

49
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md Normal file
View File

@ -0,0 +1,49 @@
---
name: CTO Governed Execution Request Issues
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Request Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Issue: CTO-WORK-066 - Governed Execution Request PRD
Status: validated.
Acceptance:
- Define the governed execution request scope.
- Require a non-mutating execution request record.
- Preserve the exact approval packet, admitted target repository, allowed paths, and Harness command.
- Record `approval_granted: false`.
- Record `execution_allowed: false`.
- State: Do not execute Case.
- State: Do not activate Case as default backend.
- State: Do not mutate target repositories.
- State: Runtime default activation remains false.
- State: JP approval is still required before execution.
## Issue: CTO-WORK-067 - Governed Execution Request Record
Status: validated.
Acceptance:
- Create the governed execution request record.
- Include the admitted target repository.
- Include allowed paths.
- Include the Harness command.
- Include proof pointers from prior Harness and Hermes evidence.
- Keep `approval_granted: false`.
- Keep `execution_allowed: false`.
- State: Do not execute Case.
- State: Do not activate Case as default backend.
- State: Do not mutate target repositories.
- State: Runtime default activation remains false.
- State: JP approval is still required before execution.

55
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md Normal file
View File

@ -0,0 +1,55 @@
---
name: CTO Governed Execution Request PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Request PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem
The CTO stack has an exact approval packet and Hermes can show it, but there is no durable governed execution request that records the proposed action before any backend runs.
The next useful step is a governed execution request that creates a non-mutating execution request record. The record must preserve the exact approval packet, admitted target repository, allowed paths, Harness command, proof pointers, and blocked actions.
## Scope
- Create a local CTO planning record for the approved candidate task shape.
- Keep `approval_granted: false`.
- Keep `execution_allowed: false`.
- Name the admitted target repository and allowed paths.
- Name the Harness command that would run only after approval.
- Preserve that JP approval is still required before execution.
## Non-goals
- Do not execute Case.
- Do not activate Case as default backend.
- Do not mutate target repositories.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
- Do not change Core authority.
## Acceptance Criteria
- `WORKBOARD.yaml` records `CTO-WORK-066` and `CTO-WORK-067` as validated.
- The governed execution request includes `approval_granted: false`.
- The governed execution request includes `execution_allowed: false`.
- Runtime default activation remains false.
- JP approval is still required before execution.
- Local validation checks the new record and its guardrails.
## Validation
- `python3 tools/validate_cto_child.py`
- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
## Risk
The main risk is accidentally treating request creation as execution approval. The guardrail is explicit: Do not execute Case. Do not mutate target repositories. JP approval is still required before execution.

68
.sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md Normal file
View File

@ -0,0 +1,68 @@
---
name: CTO Governed Execution Request Record
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Governed Execution Request Record
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Workboard
- `CTO-WORK-067`
## Request State
- governed execution request
- non-mutating execution request record
- approval_granted: false
- execution_allowed: false
- Runtime default activation remains false.
- JP approval is still required before execution.
## Exact Approval Packet
The exact approval packet remains the prior text:
```text
I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
```
This record does not grant that approval. It preserves the exact approval packet for later JP action.
## Admitted Target Repository
- admitted target repository: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`
## Allowed Paths
- allowed paths: `src/strings.py`
- allowed paths: `test_strings.py`
## Harness Command
- Harness command: `python3 -m pytest -q`
## Required Evidence Pointers
- Approval packet evidence: `.sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-EVIDENCE.md`
- Stage 5 report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json`
- Stage 5 target proof: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json`
- Stage 6 replay comparison: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T112448Z-stage6-real-governed-refresh/stage6-real-governed-refresh-comparison.json`
## Blocked Actions
- Do not execute Case.
- Do not activate Case as default backend.
- Do not mutate target repositories.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
## Next Allowed Action
The next allowed action is review of this governed execution request. Actual execution requires JP approval after this record is visible and validated.

57
.sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-EVIDENCE.md Normal file
View File

@ -0,0 +1,57 @@
---
name: CTO Hermes Approval Packet Evidence
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Approval Packet Evidence
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Scope
This evidence closes `CTO-WORK-065`.
The implementation adds a read-only JP approval packet to the Hermes WebUI CTO control panel. It prepares copy/paste approval text from Harness evidence but does not approve execution, activate Case, or mutate target repositories.
## Implementation Evidence
- Hermes plugin commit: `a109448 Add CTO approval packet surface`
- API field: `approval_packet`
- API field: `approval_command_text`
- API field: required evidence paths
- API field: allowed paths
- API field: blocked actions
- API invariant: not executable
- UI surface: `static/cto_control_panel.js`
- Route surface: `routes/cto_control_summary.py`
## Validation Evidence
- Focused validation: `python3 -m pytest tests/unit/test_cto_control_summary.py tests/unit/test_cto_control_panel_static.py -q`
- Focused result: `5 passed`
- Aggregate validation before commit: `python3 scripts/ast-connection-map.py --check`
- Aggregate result before commit: `CONNECTION-MAP.md is fresh`
- Aggregate validation before commit: `python3 -m pytest tests/ -q`
- Aggregate result before commit: `103 passed, 4 skipped`
- Aggregate validation after merge: `python3 scripts/ast-connection-map.py --check`
- Aggregate result after merge: `CONNECTION-MAP.md is fresh`
- Aggregate validation after merge: `python3 -m pytest tests/ -q`
- Aggregate result after merge: `107 passed`
## Governance Evidence
- Harness-backed summary data remains the source of truth.
- Hermes prepares approval text; JP remains the approver.
- Case runtime default active: false
- target repository mutation: false
- upstream `hermes-webui` edited: false
- upstream `hermes-agent` edited: false
## Result
`CTO-WORK-065` is validated because Hermes can now prepare a JP approval packet while remaining read-only and non-executable.

55
.sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-ISSUES.md Normal file
View File

@ -0,0 +1,55 @@
---
name: CTO Hermes Approval Packet Issues
status: candidate
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Approval Packet Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## CTO-WORK-064: Hermes WebUI JP Approval Packet PRD
Status: validated.
Acceptance criteria:
- PRD defines the JP approval packet scope.
- PRD keeps packet generation read-only.
- PRD includes `approval_packet`.
- PRD includes `approval_command_text`.
- PRD forbids executable approval buttons.
- PRD states Hermes prepares approval text; JP remains the approver.
## CTO-WORK-065: Hermes WebUI JP Approval Packet Surface
Status: candidate.
Implementation route:
- Add `approval_packet` to `/api/cto/control-summary`.
- Add `approval_command_text`.
- Add copy/paste approval packet text for JP.
- Include required evidence paths.
- Include allowed paths.
- Include blocked actions.
- Render copy/paste packet text in `cto_control_panel.js`.
- Add focused plugin tests.
- Record evidence after implementation.
Acceptance criteria:
- CTO control summary includes `approval_packet`.
- CTO control summary includes `approval_command_text`.
- CTO control summary includes required evidence paths.
- CTO control summary includes allowed paths.
- CTO control summary includes blocked actions.
- Do not add executable approval buttons.
- Do not activate Case as default backend.
- Do not mutate target repositories.
- Harness-backed summary data remains the source of truth.
- Hermes prepares approval text; JP remains the approver.

63
.sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-PRD.md Normal file
View File

@ -0,0 +1,63 @@
---
name: CTO Hermes Approval Packet PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Approval Packet PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem
Hermes now shows read-only JP approval state, but JP still needs a precise copy/paste approval packet that includes evidence paths, allowed paths, blocked actions, and the exact approval text. Without that, the handoff from proof to human approval is still manual and easy to distort.
## Scope
Add a read-only JP approval packet to the CTO control summary and panel:
- `approval_packet`
- `approval_command_text`
- required evidence paths
- allowed paths
- blocked actions
- proof-ready state
The packet prepares text for JP to copy/paste. It must not approve anything by itself.
## Non-goals
- Do not add executable approval buttons.
- Do not activate Case as default backend.
- Do not mutate target repositories.
- Do not edit upstream `hermes-webui`.
- Do not edit upstream `hermes-agent`.
- Do not change Cortex Core authority.
- Do not infer missing target repository admission beyond Harness evidence.
## Acceptance Criteria
- CTO control summary includes `approval_packet`.
- Approval packet includes `approval_command_text`.
- Approval packet includes required evidence paths.
- Approval packet includes allowed paths.
- Approval packet includes blocked actions.
- Approval packet is marked not executable.
- Hermes panel renders copy/paste approval text.
- Harness-backed summary data remains the source of truth.
- Hermes prepares approval text; JP remains the approver.
## Validation
- Focused plugin tests prove packet fields, fail-closed state, and static rendering hooks.
- Plugin aggregate tests pass before commit and after merge.
- CTO child validator records planning and evidence.
- S69 prose validator passes before report.
## Success Definition
Hermes can prepare a precise JP approval packet from Harness evidence without gaining approval authority or execution authority.

56
.sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-STATE-EVIDENCE.md Normal file
View File

@ -0,0 +1,56 @@
---
name: CTO Hermes Approval State Evidence
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Approval State Evidence
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Scope
This evidence closes `CTO-WORK-063`.
The implementation adds read-only JP approval state and next-action visibility to the Hermes WebUI CTO control panel. It does not add executable approval buttons, mutate target repositories, activate Case as default backend, or change Cortex authority.
## Implementation Evidence
- Hermes plugin commit: `154d835 Add CTO approval state surface`
- API field: `approval_required`
- API field: `approval_granted`
- API field: `execution_allowed`
- API field: allowed next actions
- API field: blocked next actions
- UI surface: `static/cto_control_panel.js`
- Route surface: `routes/cto_control_summary.py`
## Validation Evidence
- Focused validation: `python3 -m pytest tests/unit/test_cto_control_summary.py tests/unit/test_cto_control_panel_static.py -q`
- Focused result: `5 passed`
- Aggregate validation before commit: `python3 scripts/ast-connection-map.py --check`
- Aggregate result before commit: `CONNECTION-MAP.md is fresh`
- Aggregate validation before commit: `python3 -m pytest tests/ -q`
- Aggregate result before commit: `103 passed, 4 skipped`
- Aggregate validation after merge: `python3 scripts/ast-connection-map.py --check`
- Aggregate result after merge: `CONNECTION-MAP.md is fresh`
- Aggregate validation after merge: `python3 -m pytest tests/ -q`
- Aggregate result after merge: `107 passed`
## Governance Evidence
- Harness-backed summary data remains the source of truth.
- Case runtime default active: false
- target repository mutation: false
- upstream `hermes-webui` edited: false
- upstream `hermes-agent` edited: false
- Hermes visualizes control state; CTO and Harness remain the gates.
## Result
`CTO-WORK-063` is validated because Hermes now exposes JP approval posture and next-action visibility without gaining execution authority.

67
.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md Normal file
View File

@ -0,0 +1,67 @@
---
name: CTO Hermes Consumed Approval Evidence Closeout
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Consumed Approval Evidence Closeout
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Workboard
- `CTO-WORK-073`
## Result
- Hermes consumed approval evidence
- status: validated
- CTO-WORK-072
- CTO-WORK-073
- governed_execution
- approval_consumed
- consumed_by_pass_evidence
- approval_required: true
- approval_granted: true
- execution_allowed: false
- Case runtime default active: false
- target repository mutation: false
- Runtime default activation remains false.
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.
## Hermes Plugin Evidence
- plugin commit: `6f694b4 feat(plugin): surface consumed CTO approval evidence`
- route: `/api/cto/control-summary`
- backend file: `routes/cto_control_summary.py`
- panel file: `cto_control_panel.js`
- schema_version: `0.2.0`
- approval packet status: `consumed_by_pass_evidence`
- Stage 5 pass replay path
- Stage 5 proof replay path
- consumed pass path shown: true
- consumed proof path shown: true
## Validation Evidence
- command: `python3 -m pytest tests/ -q`
- result: `108 passed`
- command: `python3 scripts/ast-connection-map.py --check`
- result: `CONNECTION-MAP.md is fresh`
## Boundary Evidence
- upstream `hermes-webui` edited: false
- upstream `hermes-agent` edited: false
- plugin-only change: true
- Harness-backed summary data remains the source of truth.
- Hermes visualizes control state; CTO and Harness remain the gates.
## Scope Guard
This closeout records a UI/control-surface reflection of already-consumed approval evidence. It is not a new approval and does not authorize another Case run.

75
.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md Normal file
View File

@ -0,0 +1,75 @@
---
name: CTO Hermes Consumed Approval Evidence Issues
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Consumed Approval Evidence Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Issue: CTO-WORK-072 - Hermes Consumed Approval Evidence PRD
Status: validated.
Acceptance:
- Define Hermes consumed approval evidence.
- Record `governed_execution`.
- Record `approval_consumed`.
- Record `consumed_by_pass_evidence`.
- Require execution_allowed: false after approval consumption.
- Preserve Case runtime default active: false.
- Preserve target repository mutation: false.
- State: Do not activate Case as default backend.
- State: This closeout does not authorize another Case run.
## Issue: CTO-WORK-073 - Hermes Consumed Approval Evidence Closeout
Status: validated.
Acceptance:
- Record Hermes consumed approval evidence.
- Reference `6f694b4 feat(plugin): surface consumed CTO approval evidence`.
- Reference `/api/cto/control-summary`.
- Reference `cto_control_panel.js`.
- Reference `routes/cto_control_summary.py`.
- Record `python3 -m pytest tests/ -q`.
- Record `108 passed`.
- Record `python3 scripts/ast-connection-map.py --check`.
- Record `CONNECTION-MAP.md is fresh`.
- Record upstream `hermes-webui` edited: false.
- Record upstream `hermes-agent` edited: false.
## Required Phrases
- Hermes consumed approval evidence
- CTO-WORK-072
- CTO-WORK-073
- 6f694b4 feat(plugin): surface consumed CTO approval evidence
- /api/cto/control-summary
- governed_execution
- approval_consumed
- consumed_by_pass_evidence
- execution_allowed: false
- approval_granted: true
- approval_required: true
- Stage 5 pass replay path
- Stage 5 proof replay path
- cto_control_panel.js
- routes/cto_control_summary.py
- python3 -m pytest tests/ -q
- 108 passed
- python3 scripts/ast-connection-map.py --check
- CONNECTION-MAP.md is fresh
- Case runtime default active: false
- target repository mutation: false
- upstream `hermes-webui` edited: false
- upstream `hermes-agent` edited: false
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.

87
.sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md Normal file
View File

@ -0,0 +1,87 @@
---
name: CTO Hermes Consumed Approval Evidence PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Consumed Approval Evidence PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem Statement
Hermes already exposes approval state and approval packet data, and the approved Stage 5 Case run already has pass evidence. The WebUI needs to show that this approval is consumed, not still available for rerun.
## Solution
Record the Hermes plugin closeout for consumed approval evidence. The `/api/cto/control-summary` route now exposes `governed_execution`, `approval_consumed`, and `consumed_by_pass_evidence`. The CTO panel shows consumed pass and consumed proof paths.
## Scope
- Record Hermes plugin commit `6f694b4 feat(plugin): surface consumed CTO approval evidence`.
- Record the governed execution consumed approval state.
- Record that execution_allowed remains false after consumption.
- Record Stage 5 pass and Stage 5 proof replay paths.
- Record that Case runtime default active remains false.
- Record that target repository mutation remains false.
- Record that upstream `hermes-webui` edited: false.
- Record that upstream `hermes-agent` edited: false.
## Non-goals
- Do not rerun Case.
- Do not create a new JP approval.
- Do not activate Case as default backend.
- Do not mutate target repositories.
- Do not edit upstream `hermes-webui`.
- Do not edit upstream `hermes-agent`.
## Acceptance Criteria
- `WORKBOARD.yaml` records `CTO-WORK-072` and `CTO-WORK-073` as validated.
- The PRD records `governed_execution`.
- The PRD records `approval_consumed`.
- The PRD records `consumed_by_pass_evidence`.
- The closeout references plugin commit `6f694b4 feat(plugin): surface consumed CTO approval evidence`.
- The closeout records `/api/cto/control-summary`.
- The closeout records `cto_control_panel.js`.
- The closeout records `routes/cto_control_summary.py`.
- The closeout records `python3 -m pytest tests/ -q` and `108 passed`.
- The closeout records `python3 scripts/ast-connection-map.py --check` and `CONNECTION-MAP.md is fresh`.
## Validation
- `python3 tools/validate_cto_child.py`
- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
## Required Evidence
- Hermes consumed approval evidence
- CTO-WORK-072
- CTO-WORK-073
- 6f694b4 feat(plugin): surface consumed CTO approval evidence
- /api/cto/control-summary
- governed_execution
- approval_consumed
- consumed_by_pass_evidence
- execution_allowed: false
- approval_granted: true
- approval_required: true
- Stage 5 pass replay path
- Stage 5 proof replay path
- cto_control_panel.js
- routes/cto_control_summary.py
- python3 -m pytest tests/ -q
- 108 passed
- python3 scripts/ast-connection-map.py --check
- CONNECTION-MAP.md is fresh
- Case runtime default active: false
- target repository mutation: false
- upstream `hermes-webui` edited: false
- upstream `hermes-agent` edited: false
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.

58
.sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-CLOSEOUT.md Normal file
View File

@ -0,0 +1,58 @@
---
name: CTO Hermes Live Smoke Remote Sync Closeout
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Live Smoke Remote Sync Closeout
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Workboard
- `CTO-WORK-075`
## Result
- Hermes live smoke remote sync evidence
- status: validated
- CTO-WORK-074
- CTO-WORK-075
- openharbor/jp synced
- Case runtime default active: false
- target repository mutation: false
- Runtime default activation remains false.
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.
## Remote Sync Evidence
- command: `git push openharbor jp`
- result: `d302321..6f694b4 jp -> jp`
- plugin commit: `6f694b4 feat(plugin): surface consumed CTO approval evidence`
## Temporary Hermes WebUI Boot Smoke Evidence
- command: `python3 scripts/boot-smoke.py`
- result: `failed: 0`
- temporary Hermes WebUI boot smoke
- `/api/cto/control-summary`: status accepted: true
- `/plugins/svrnty/cto_control_panel.js`: status accepted: true
- `/plugins/svrnty/cto_control_panel.css`: status accepted: true
- authentication-gated `401` and redirect `302` statuses were accepted by the existing plugin smoke contract.
## Boundary Evidence
- upstream `hermes-webui` edited: false
- upstream `hermes-agent` edited: false
- plugin-only change already recorded by `CTO-WORK-073`.
- Harness-backed summary data remains the source of truth.
- Hermes visualizes control state; CTO and Harness remain the gates.
## Scope Guard
This closeout records remote sync and smoke evidence only. It is not a new approval and does not authorize another Case run.

69
.sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-ISSUES.md Normal file
View File

@ -0,0 +1,69 @@
---
name: CTO Hermes Live Smoke Remote Sync Issues
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Live Smoke Remote Sync Issues
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Issue: CTO-WORK-074 - Hermes Live Smoke Remote Sync PRD
Status: validated.
Acceptance:
- Define Hermes live smoke remote sync evidence.
- Require remote push evidence for `openharbor/jp`.
- Require temporary Hermes WebUI boot smoke evidence.
- Require CTO endpoint and panel asset smoke rows.
- Preserve Case runtime default active: false.
- Preserve target repository mutation: false.
- State: Do not activate Case as default backend.
- State: This closeout does not authorize another Case run.
## Issue: CTO-WORK-075 - Hermes Live Smoke Remote Sync Closeout
Status: validated.
Acceptance:
- Record Hermes live smoke remote sync evidence.
- Reference `git push openharbor jp`.
- Reference `d302321..6f694b4 jp -> jp`.
- Reference `6f694b4 feat(plugin): surface consumed CTO approval evidence`.
- Reference `python3 scripts/boot-smoke.py`.
- Reference `failed: 0`.
- Reference `/api/cto/control-summary`.
- Reference `/plugins/svrnty/cto_control_panel.js`.
- Reference `/plugins/svrnty/cto_control_panel.css`.
- Record upstream `hermes-webui` edited: false.
- Record upstream `hermes-agent` edited: false.
## Required Phrases
- Hermes live smoke remote sync evidence
- CTO-WORK-074
- CTO-WORK-075
- git push openharbor jp
- d302321..6f694b4 jp -> jp
- 6f694b4 feat(plugin): surface consumed CTO approval evidence
- python3 scripts/boot-smoke.py
- failed: 0
- /api/cto/control-summary
- /plugins/svrnty/cto_control_panel.js
- /plugins/svrnty/cto_control_panel.css
- status accepted: true
- temporary Hermes WebUI boot smoke
- openharbor/jp synced
- Case runtime default active: false
- target repository mutation: false
- upstream `hermes-webui` edited: false
- upstream `hermes-agent` edited: false
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.

82
.sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-PRD.md Normal file
View File

@ -0,0 +1,82 @@
---
name: CTO Hermes Live Smoke Remote Sync PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---
# CTO Hermes Live Smoke Remote Sync PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
## Problem Statement
Hermes consumed approval evidence is implemented and recorded locally. CTO needs a closeout that proves the plugin branch was synced to its remote and that a temporary Hermes WebUI boot smoke reached the CTO control endpoint and assets.
## Solution
Record remote sync and live boot smoke evidence for the Hermes CTO control surface. This proves the plugin can boot under the WebUI smoke path and expose `/api/cto/control-summary`, `cto_control_panel.js`, and `cto_control_panel.css` without editing upstream source.
## Scope
- Record remote push to `openharbor/jp`.
- Record Hermes plugin commit `6f694b4 feat(plugin): surface consumed CTO approval evidence`.
- Record boot smoke command `python3 scripts/boot-smoke.py`.
- Record `failed: 0`.
- Record `/api/cto/control-summary` smoke status accepted.
- Record `/plugins/svrnty/cto_control_panel.js` smoke status accepted.
- Record `/plugins/svrnty/cto_control_panel.css` smoke status accepted.
- Preserve that authentication redirects or 401 responses are acceptable smoke statuses under the plugin smoke contract.
## Non-goals
- Do not create a new JP approval.
- Do not rerun Case.
- Do not activate Case as default backend.
- Do not mutate target repositories.
- Do not edit upstream `hermes-webui`.
- Do not edit upstream `hermes-agent`.
## Acceptance Criteria
- `WORKBOARD.yaml` records `CTO-WORK-074` and `CTO-WORK-075` as validated.
- The closeout records `git push openharbor jp`.
- The closeout records `d302321..6f694b4 jp -> jp`.
- The closeout records `python3 scripts/boot-smoke.py`.
- The closeout records `failed: 0`.
- The closeout records `/api/cto/control-summary`.
- The closeout records `/plugins/svrnty/cto_control_panel.js`.
- The closeout records `/plugins/svrnty/cto_control_panel.css`.
- The closeout states upstream `hermes-webui` edited: false.
- The closeout states upstream `hermes-agent` edited: false.
## Validation
- `python3 tools/validate_cto_child.py`
- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
## Required Evidence
- Hermes live smoke remote sync evidence
- CTO-WORK-074
- CTO-WORK-075
- git push openharbor jp
- d302321..6f694b4 jp -> jp
- 6f694b4 feat(plugin): surface consumed CTO approval evidence
- python3 scripts/boot-smoke.py
- failed: 0
- /api/cto/control-summary
- /plugins/svrnty/cto_control_panel.js
- /plugins/svrnty/cto_control_panel.css
- status accepted: true
- temporary Hermes WebUI boot smoke
- openharbor/jp synced
- Case runtime default active: false
- target repository mutation: false
- upstream `hermes-webui` edited: false
- upstream `hermes-agent` edited: false
- Do not activate Case as default backend.
- This closeout does not authorize another Case run.

72
WORKBOARD.yaml
View File

@ -313,6 +313,76 @@ items:
owner: ""
- id: CTO-WORK-063
title: Hermes WebUI JP Approval State Surface
status: candidate
status: validated
source: .sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-STATE-ISSUES.md
owner: ""
- id: CTO-WORK-064
title: Hermes WebUI JP Approval Packet PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-PRD.md
owner: ""
- id: CTO-WORK-065
title: Hermes WebUI JP Approval Packet Surface
status: validated
source: .sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-ISSUES.md
owner: ""
- id: CTO-WORK-066
title: Governed Execution Request PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md
owner: ""
- id: CTO-WORK-067
title: Governed Execution Request Record
status: validated
source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md
owner: ""
- id: CTO-WORK-068
title: Governed Execution Approval PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md
owner: ""
- id: CTO-WORK-069
title: Governed Execution Approval Record
status: validated
source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md
owner: ""
- id: CTO-WORK-070
title: Governed Execution Evidence PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md
owner: ""
- id: CTO-WORK-071
title: Governed Execution Evidence Closeout
status: validated
source: .sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md
owner: ""
- id: CTO-WORK-072
title: Hermes Consumed Approval Evidence PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md
owner: ""
- id: CTO-WORK-073
title: Hermes Consumed Approval Evidence Closeout
status: validated
source: .sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md
owner: ""
- id: CTO-WORK-074
title: Hermes Live Smoke Remote Sync PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-PRD.md
owner: ""
- id: CTO-WORK-075
title: Hermes Live Smoke Remote Sync Closeout
status: validated
source: .sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-CLOSEOUT.md
owner: ""
- id: CTO-WORK-076
title: CTO Endgoal Completion Audit PRD
status: validated
source: .sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-PRD.md
owner: ""
- id: CTO-WORK-077
title: CTO Endgoal Completion Audit Closeout
status: validated
source: .sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-CLOSEOUT.md
owner: ""

488
tools/validate_cto_child.py
View File

@ -56,6 +56,28 @@ REQUIRED_FILES = [
".sot/03-PROTOCOLS/CTO-HERMES-WEBUI-LIVE-SMOKE-EVIDENCE.md",
".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-STATE-PRD.md",
".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-STATE-ISSUES.md",
".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-STATE-EVIDENCE.md",
".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-PRD.md",
".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-ISSUES.md",
".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-EVIDENCE.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-ISSUES.md",
".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md",
".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md",
".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md",
".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md",
".sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-PRD.md",
".sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-ISSUES.md",
".sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-CLOSEOUT.md",
".sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-PRD.md",
".sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-ISSUES.md",
".sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-CLOSEOUT.md",
".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md",
".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-ISSUES.md",
".sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-APPROVAL-PACKET.md",
@ -222,6 +244,198 @@ REQUIRED_HERMES_APPROVAL_STATE_PHRASES = [
"Hermes visualizes control state; CTO and Harness remain the gates.",
]
REQUIRED_HERMES_APPROVAL_STATE_EVIDENCE_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"CTO-WORK-063",
"154d835 Add CTO approval state surface",
"approval_required",
"approval_granted",
"execution_allowed",
"allowed next actions",
"blocked next actions",
"5 passed",
"107 passed",
"CONNECTION-MAP.md is fresh",
"Case runtime default active: false",
"target repository mutation: false",
"upstream `hermes-webui` edited: false",
"upstream `hermes-agent` edited: false",
]
REQUIRED_HERMES_APPROVAL_PACKET_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"JP approval packet",
"copy/paste approval packet",
"approval_packet",
"approval_command_text",
"required evidence paths",
"allowed paths",
"blocked actions",
"Do not add executable approval buttons.",
"Do not activate Case as default backend.",
"Do not mutate target repositories.",
"Harness-backed summary data remains the source of truth.",
"Hermes prepares approval text; JP remains the approver.",
]
REQUIRED_HERMES_APPROVAL_PACKET_EVIDENCE_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"CTO-WORK-065",
"a109448 Add CTO approval packet surface",
"approval_packet",
"approval_command_text",
"required evidence paths",
"allowed paths",
"blocked actions",
"not executable",
"5 passed",
"107 passed",
"CONNECTION-MAP.md is fresh",
"Case runtime default active: false",
"target repository mutation: false",
"Hermes prepares approval text; JP remains the approver.",
]
REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"governed execution request",
"non-mutating execution request record",
"exact approval packet",
"admitted target repository",
"allowed paths",
"Harness command",
"approval_granted: false",
"execution_allowed: false",
"Do not execute Case.",
"Do not activate Case as default backend.",
"Do not mutate target repositories.",
"Runtime default activation remains false.",
"JP approval is still required before execution.",
]
REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"governed execution approval",
"single-task approval capture",
"exact approval packet",
"I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.",
"approval_granted: true",
"execution_allowed: true",
"execution_scope: one approved Harness run only",
"admitted target repository",
"allowed paths",
"Harness command",
"Runtime default activation remains false.",
"Do not activate Case as default backend.",
"Do not mutate any path outside the allowed paths.",
"Do not edit upstream `hermes-agent`.",
"Do not edit upstream `hermes-webui`.",
"This record is not execution evidence.",
]
REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"governed execution evidence",
"one approved Harness run consumed",
"CTO-WORK-049",
"CTO-WORK-069",
"r1-src-string-slugify",
"7706f99b4ca4f1bd8c2d4e0a6d498f94f418b741",
"/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
"/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/report.json",
"/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T105222Z-r1-src-string-slugify-180161/stage5-owned-repo-proof.json",
"case_process_started: true",
"changed files: `src/strings.py`, `test_strings.py`",
"allowed paths passed: true",
"forbidden paths passed: true",
"target repository start clean: true",
"target repository ending clean: true",
"python3 -m pytest -q",
"3 passed",
"Runtime default activation remains false.",
"Do not activate Case as default backend.",
"This closeout does not authorize another Case run.",
]
REQUIRED_HERMES_CONSUMED_APPROVAL_EVIDENCE_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"Hermes consumed approval evidence",
"CTO-WORK-072",
"CTO-WORK-073",
"6f694b4 feat(plugin): surface consumed CTO approval evidence",
"/api/cto/control-summary",
"governed_execution",
"approval_consumed",
"consumed_by_pass_evidence",
"execution_allowed: false",
"approval_granted: true",
"approval_required: true",
"Stage 5 pass replay path",
"Stage 5 proof replay path",
"cto_control_panel.js",
"routes/cto_control_summary.py",
"python3 -m pytest tests/ -q",
"108 passed",
"python3 scripts/ast-connection-map.py --check",
"CONNECTION-MAP.md is fresh",
"Case runtime default active: false",
"target repository mutation: false",
"upstream `hermes-webui` edited: false",
"upstream `hermes-agent` edited: false",
"Do not activate Case as default backend.",
"This closeout does not authorize another Case run.",
]
REQUIRED_HERMES_LIVE_SMOKE_REMOTE_SYNC_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"Hermes live smoke remote sync evidence",
"CTO-WORK-074",
"CTO-WORK-075",
"git push openharbor jp",
"d302321..6f694b4 jp -> jp",
"6f694b4 feat(plugin): surface consumed CTO approval evidence",
"python3 scripts/boot-smoke.py",
"failed: 0",
"/api/cto/control-summary",
"/plugins/svrnty/cto_control_panel.js",
"/plugins/svrnty/cto_control_panel.css",
"status accepted: true",
"temporary Hermes WebUI boot smoke",
"openharbor/jp synced",
"Case runtime default active: false",
"target repository mutation: false",
"upstream `hermes-webui` edited: false",
"upstream `hermes-agent` edited: false",
"Do not activate Case as default backend.",
"This closeout does not authorize another Case run.",
]
REQUIRED_ENDGOAL_COMPLETION_AUDIT_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"CTO endgoal completion audit",
"CTO-WORK-076",
"CTO-WORK-077",
"completion_status: complete",
"transportability proof sufficient",
"transportability evidence: repo-backed routes, remote plugin sync, validators, and no vendor edits",
"active goal completion evidence recorded",
"Cortex governs: proven",
"Hermes controls: proven",
"CTO routes: proven",
"Harness proves: proven",
"Case executes only after proof: proven",
"bounded code changes with evidence: proven",
"target repos stay owned and protected: proven",
"default status is earned not assumed: proven",
"candidate-default evidence: proven",
"Runtime default activation remains false.",
"CTO-WORK-071",
"CTO-WORK-075",
"Stage 6 candidate-default evidence",
"Do not activate Case as default backend.",
"This audit does not authorize another Case run.",
]
REQUIRED_HERMES_REAL_REFRESH_CONTROL_REPLAY_EVIDENCE_PHRASES = [
"Local planning SOT only. Not a Core Protocol. Not active Core authority.",
"CTO-WORK-057",
@ -1295,6 +1509,264 @@ def main() -> int:
if phrase not in text:
errors.append(f"missing_hermes_approval_state_issue_phrase:{phrase}")
hermes_approval_state_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-STATE-EVIDENCE.md"
if hermes_approval_state_evidence.is_file():
text = hermes_approval_state_evidence.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_approval_state_evidence_missing_not_promoted_frontmatter")
for phrase in REQUIRED_HERMES_APPROVAL_STATE_EVIDENCE_PHRASES:
checked.append(f"hermes_approval_state_evidence_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_approval_state_evidence_phrase:{phrase}")
hermes_approval_packet_prd = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-PRD.md"
if hermes_approval_packet_prd.is_file():
text = hermes_approval_packet_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_approval_packet_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_HERMES_APPROVAL_PACKET_PHRASES:
checked.append(f"hermes_approval_packet_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_approval_packet_prd_phrase:{phrase}")
hermes_approval_packet_issues = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-ISSUES.md"
if hermes_approval_packet_issues.is_file():
text = hermes_approval_packet_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_approval_packet_issues_missing_not_promoted_frontmatter")
for phrase in ["CTO-WORK-064", "CTO-WORK-065", *REQUIRED_HERMES_APPROVAL_PACKET_PHRASES]:
checked.append(f"hermes_approval_packet_issue_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_approval_packet_issue_phrase:{phrase}")
hermes_approval_packet_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-APPROVAL-PACKET-EVIDENCE.md"
if hermes_approval_packet_evidence.is_file():
text = hermes_approval_packet_evidence.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_approval_packet_evidence_missing_not_promoted_frontmatter")
for phrase in REQUIRED_HERMES_APPROVAL_PACKET_EVIDENCE_PHRASES:
checked.append(f"hermes_approval_packet_evidence_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_approval_packet_evidence_phrase:{phrase}")
governed_execution_request_prd = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-PRD.md"
if governed_execution_request_prd.is_file():
text = governed_execution_request_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_request_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES:
checked.append(f"governed_execution_request_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_request_prd_phrase:{phrase}")
governed_execution_request_issues = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-ISSUES.md"
if governed_execution_request_issues.is_file():
text = governed_execution_request_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_request_issues_missing_not_promoted_frontmatter")
for phrase in ["CTO-WORK-066", "CTO-WORK-067", *REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES]:
checked.append(f"governed_execution_request_issue_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_request_issue_phrase:{phrase}")
governed_execution_request_record = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-REQUEST-RECORD.md"
if governed_execution_request_record.is_file():
text = governed_execution_request_record.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_request_record_missing_not_promoted_frontmatter")
for phrase in [
"CTO-WORK-067",
"/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
"src/strings.py",
"test_strings.py",
"python3 -m pytest -q",
*REQUIRED_GOVERNED_EXECUTION_REQUEST_PHRASES,
]:
checked.append(f"governed_execution_request_record_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_request_record_phrase:{phrase}")
governed_execution_approval_prd = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-PRD.md"
if governed_execution_approval_prd.is_file():
text = governed_execution_approval_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_approval_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES:
checked.append(f"governed_execution_approval_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_approval_prd_phrase:{phrase}")
governed_execution_approval_issues = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-ISSUES.md"
if governed_execution_approval_issues.is_file():
text = governed_execution_approval_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_approval_issues_missing_not_promoted_frontmatter")
for phrase in ["CTO-WORK-068", "CTO-WORK-069", *REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES]:
checked.append(f"governed_execution_approval_issue_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_approval_issue_phrase:{phrase}")
governed_execution_approval_record = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-APPROVAL-RECORD.md"
if governed_execution_approval_record.is_file():
text = governed_execution_approval_record.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_approval_record_missing_not_promoted_frontmatter")
for phrase in [
"CTO-WORK-069",
"/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox",
"src/strings.py",
"test_strings.py",
"python3 -m pytest -q",
"approval_source: JP chat approval",
*REQUIRED_GOVERNED_EXECUTION_APPROVAL_PHRASES,
]:
checked.append(f"governed_execution_approval_record_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_approval_record_phrase:{phrase}")
governed_execution_evidence_prd = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-PRD.md"
if governed_execution_evidence_prd.is_file():
text = governed_execution_evidence_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_evidence_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES:
checked.append(f"governed_execution_evidence_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_evidence_prd_phrase:{phrase}")
governed_execution_evidence_issues = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-ISSUES.md"
if governed_execution_evidence_issues.is_file():
text = governed_execution_evidence_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_evidence_issues_missing_not_promoted_frontmatter")
for phrase in ["CTO-WORK-070", "CTO-WORK-071", *REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES]:
checked.append(f"governed_execution_evidence_issue_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_evidence_issue_phrase:{phrase}")
governed_execution_evidence_closeout = ROOT / ".sot/03-PROTOCOLS/CTO-GOVERNED-EXECUTION-EVIDENCE-CLOSEOUT.md"
if governed_execution_evidence_closeout.is_file():
text = governed_execution_evidence_closeout.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("governed_execution_evidence_closeout_missing_not_promoted_frontmatter")
for phrase in [
"CTO-WORK-071",
"status: validated",
"target repo current state checked",
*REQUIRED_GOVERNED_EXECUTION_EVIDENCE_PHRASES,
]:
checked.append(f"governed_execution_evidence_closeout_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_governed_execution_evidence_closeout_phrase:{phrase}")
hermes_consumed_approval_prd = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-PRD.md"
if hermes_consumed_approval_prd.is_file():
text = hermes_consumed_approval_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_consumed_approval_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_HERMES_CONSUMED_APPROVAL_EVIDENCE_PHRASES:
checked.append(f"hermes_consumed_approval_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_consumed_approval_prd_phrase:{phrase}")
hermes_consumed_approval_issues = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-ISSUES.md"
if hermes_consumed_approval_issues.is_file():
text = hermes_consumed_approval_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_consumed_approval_issues_missing_not_promoted_frontmatter")
for phrase in REQUIRED_HERMES_CONSUMED_APPROVAL_EVIDENCE_PHRASES:
checked.append(f"hermes_consumed_approval_issue_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_consumed_approval_issue_phrase:{phrase}")
hermes_consumed_approval_closeout = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-CONSUMED-APPROVAL-EVIDENCE-CLOSEOUT.md"
if hermes_consumed_approval_closeout.is_file():
text = hermes_consumed_approval_closeout.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_consumed_approval_closeout_missing_not_promoted_frontmatter")
for phrase in [
"status: validated",
"schema_version: `0.2.0`",
"plugin-only change: true",
"Harness-backed summary data remains the source of truth.",
"Hermes visualizes control state; CTO and Harness remain the gates.",
*REQUIRED_HERMES_CONSUMED_APPROVAL_EVIDENCE_PHRASES,
]:
checked.append(f"hermes_consumed_approval_closeout_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_consumed_approval_closeout_phrase:{phrase}")
hermes_live_smoke_remote_sync_prd = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-PRD.md"
if hermes_live_smoke_remote_sync_prd.is_file():
text = hermes_live_smoke_remote_sync_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_live_smoke_remote_sync_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_HERMES_LIVE_SMOKE_REMOTE_SYNC_PHRASES:
checked.append(f"hermes_live_smoke_remote_sync_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_live_smoke_remote_sync_prd_phrase:{phrase}")
hermes_live_smoke_remote_sync_issues = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-ISSUES.md"
if hermes_live_smoke_remote_sync_issues.is_file():
text = hermes_live_smoke_remote_sync_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_live_smoke_remote_sync_issues_missing_not_promoted_frontmatter")
for phrase in REQUIRED_HERMES_LIVE_SMOKE_REMOTE_SYNC_PHRASES:
checked.append(f"hermes_live_smoke_remote_sync_issue_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_live_smoke_remote_sync_issue_phrase:{phrase}")
hermes_live_smoke_remote_sync_closeout = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-LIVE-SMOKE-REMOTE-SYNC-CLOSEOUT.md"
if hermes_live_smoke_remote_sync_closeout.is_file():
text = hermes_live_smoke_remote_sync_closeout.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("hermes_live_smoke_remote_sync_closeout_missing_not_promoted_frontmatter")
for phrase in [
"status: validated",
"authentication-gated `401` and redirect `302` statuses were accepted",
"Harness-backed summary data remains the source of truth.",
"Hermes visualizes control state; CTO and Harness remain the gates.",
*REQUIRED_HERMES_LIVE_SMOKE_REMOTE_SYNC_PHRASES,
]:
checked.append(f"hermes_live_smoke_remote_sync_closeout_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_hermes_live_smoke_remote_sync_closeout_phrase:{phrase}")
endgoal_completion_audit_prd = ROOT / ".sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-PRD.md"
if endgoal_completion_audit_prd.is_file():
text = endgoal_completion_audit_prd.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("endgoal_completion_audit_prd_missing_not_promoted_frontmatter")
for phrase in REQUIRED_ENDGOAL_COMPLETION_AUDIT_PHRASES:
checked.append(f"endgoal_completion_audit_prd_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_endgoal_completion_audit_prd_phrase:{phrase}")
endgoal_completion_audit_issues = ROOT / ".sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-ISSUES.md"
if endgoal_completion_audit_issues.is_file():
text = endgoal_completion_audit_issues.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("endgoal_completion_audit_issues_missing_not_promoted_frontmatter")
for phrase in REQUIRED_ENDGOAL_COMPLETION_AUDIT_PHRASES:
checked.append(f"endgoal_completion_audit_issue_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_endgoal_completion_audit_issue_phrase:{phrase}")
endgoal_completion_audit_closeout = ROOT / ".sot/03-PROTOCOLS/CTO-ENDGOAL-COMPLETION-AUDIT-CLOSEOUT.md"
if endgoal_completion_audit_closeout.is_file():
text = endgoal_completion_audit_closeout.read_text(encoding="utf-8")
if "core_promotion_status: not-promoted" not in text:
errors.append("endgoal_completion_audit_closeout_missing_not_promoted_frontmatter")
for phrase in [
"status: validated",
"Transportable CTO stack | proven",
"The CTO endgoal is complete under the pragmatic transportability standard.",
*REQUIRED_ENDGOAL_COMPLETION_AUDIT_PHRASES,
]:
checked.append(f"endgoal_completion_audit_closeout_phrase:{phrase}")
if phrase not in text:
errors.append(f"missing_endgoal_completion_audit_closeout_phrase:{phrase}")
hermes_real_refresh_control_replay_evidence = ROOT / ".sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-EVIDENCE.md"
if hermes_real_refresh_control_replay_evidence.is_file():
text = hermes_real_refresh_control_replay_evidence.read_text(encoding="utf-8")
@ -1908,7 +2380,21 @@ def main() -> int:
"CTO-WORK-060": "validated",
"CTO-WORK-061": "validated",
"CTO-WORK-062": "validated",
"CTO-WORK-063": "candidate",
"CTO-WORK-063": "validated",
"CTO-WORK-064": "validated",
"CTO-WORK-065": "validated",
"CTO-WORK-066": "validated",
"CTO-WORK-067": "validated",
"CTO-WORK-068": "validated",
"CTO-WORK-069": "validated",
"CTO-WORK-070": "validated",
"CTO-WORK-071": "validated",
"CTO-WORK-072": "validated",
"CTO-WORK-073": "validated",
"CTO-WORK-074": "validated",
"CTO-WORK-075": "validated",
"CTO-WORK-076": "validated",
"CTO-WORK-077": "validated",
}
for issue_id, expected in expected_statuses.items():
checked.append(f"workboard_status:{issue_id}:{expected}")