---
name: cto-case-stage4-disposable-sandbox-prd
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local PRD for Stage 4 Case disposable sandbox repository proof.
---

# CTO Case Stage 4 Disposable Sandbox PRD

Local planning SOT only. Not a Core Protocol. Not active Core authority.

## Problem Statement

Stage 3 proves Case can change a copied local repository fixture without mutating the source repository. It does not prove branch policy, approval denial, sandbox disposal, or fail-closed behavior in a disposable repository. Stage 4 must prove the next narrow behavior before any owned repository is eligible.

## Solution

Add a Stage 4 disposable sandbox repository route for the Hermes CTO Harness. The route creates or admits only a throwaway repository, runs Case behind the existing `case` seam, records approval events, and proves no push, merge, deploy, close, or source promotion occurs unless the task contract explicitly allows it.

Stage 4 keeps all earlier gates. `case` remains disabled by default. `CTO_HARNESS_ALLOW_CASE=1` and `CTO_HARNESS_CASE_STAGE=4` are required. Missing gates mean blocked, not warning.

Allowed mutation scope is `disposable repository only`. Writable roots are limited to `runtime_workspace_root`, `run_artifact_dir`, and the disposable repository copy created for the run. Target Repository, source repository, Case source, vendor source, external developer repositories, Hermes WebUI, and Cortex Core are forbidden.

## Scope

- Define one disposable sandbox repository proof route.
- Require Stage 3 validated evidence before Stage 4 execution.
- Require disposable repository ownership, creation source, and disposal or retention policy.
- Require approval requested/granted/denied event handling.
- Require branch policy proof.
- Require that no push, merge, deploy, close, PR open, or public publication occurs by default.
- Preserve full Harness Evidence Interface artifacts.
- Add approval-denied, reviewer-reject, timeout, provider-unavailable, dirty-ending-tree, and disallowed-file failure fixtures.

## Non-Goals

- Do not mutate an owned noncritical repository.
- Do not mutate a production Target Repository.
- Do not grant default backend status.
- Do not push, merge, deploy, close, open a pull request, or publish.
- Do not resolve Case license or source admission for broader real-repo work.
- Do not approve Stage 5, Stage 6, WebUI Runtime behavior, or Core promotion.

## Acceptance Criteria

- Stage 4 entry requires Stage 3 validated.
- `CTO_HARNESS_ALLOW_CASE=1` remains required.
- `CTO_HARNESS_CASE_STAGE=4` is required.
- A missing Stage 4 gate blocks before Case starts.
- The disposable repository is created or admitted under run artifact control.
- Approval denied fails closed before mutation.
- Approval granted is recorded before mutation.
- Branch policy is recorded before Case starts.
- Case mutates only the disposable repository.
- No Target Repository path is inspected or copied.
- No source repository is mutated.
- No push, merge, deploy, close, PR open, or public publication occurs unless explicitly allowed by the task contract.
- `report.json` records `backend: case`, `case_process_started`, `allowed_mutation_scope: disposable repository only`, `approval_status`, `branch_policy`, `disposable_repository_dir`, `changed_files`, `blockers`, `artifact_digests`, and freshness proof.
- Required artifacts include `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, backend logs, approval proof, branch proof, and a sandbox disposal or retention note.
- Fake remains the default validation lane.
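The fail-closed gating described in the Solution and Acceptance Criteria above, as an added illustration that is not the Harness's own validator code: the environment gate names, `approval_status`, `branch_policy`, `disposable_repository_dir` and `changed_files` come from this PRD; the `side_effects` field, the helper names and the sample report are constructed assumptions.

```python
from pathlib import PurePosixPath

# Both gates must be present with exactly these values; anything else blocks.
REQUIRED_GATES = {"CTO_HARNESS_ALLOW_CASE": "1", "CTO_HARNESS_CASE_STAGE": "4"}
# Side effects that stay denied unless the task contract names them explicitly.
DEFAULT_DENIED = ("push", "merge", "deploy", "close", "pr_open", "publish")


def preflight_blockers(env, stage3_validated):
    """Blockers that must be empty before case_process_started may be recorded."""
    blockers = [] if stage3_validated else ["stage3_not_validated"]
    for key, want in REQUIRED_GATES.items():
        if env.get(key) != want:  # unset, wrong stage or "0": block, never warn
            blockers.append(f"missing_gate:{key}")
    return blockers


def _inside(path, root):
    """True when path is root itself or lies below it (pure path check, no I/O)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def run_blockers(report, contract_allows=()):
    """Blockers for a finished run; any entry means the run fails closed."""
    blockers = []
    if report.get("approval_status") != "granted":
        blockers.append(f"approval_{report.get('approval_status', 'missing')}")
    if not report.get("branch_policy"):
        blockers.append("branch_policy_missing")
    sandbox = report.get("disposable_repository_dir")
    if not sandbox:
        blockers.append("disposable_repository_dir_missing")
    for f in report.get("changed_files", []):  # only the disposable copy is writable
        if not (sandbox and _inside(f, sandbox)):
            blockers.append(f"disallowed_file:{f}")
    for action in report.get("side_effects", []):  # constructed field, not in the PRD
        if action in DEFAULT_DENIED and action not in contract_allows:
            blockers.append(f"denied_side_effect:{action}")
    return blockers


SAMPLE_REPORT = {  # constructed example report, not a real run artifact
    "backend": "case",
    "approval_status": "denied",
    "branch_policy": "work/stage4-proof, no push",
    "disposable_repository_dir": "/tmp/run-0001/sandbox-repo",
    "changed_files": ["/tmp/run-0001/sandbox-repo/README.md", "/srv/target-repo/app.py"],
    "side_effects": ["push"],
}
```

`run_blockers(SAMPLE_REPORT)` reports the denied approval, the file outside the sandbox and the unauthorised push as three separate blockers, which is what the disallowed-file and approval-denied failure fixtures in Scope are meant to exercise.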
## Validation

- Focused validator: `python3 harness/runner/validate-case-stage4.py --harness-root harness --json`.
- The Stage 4 validator must require Stage 3 validation first.
- The validator must prove a missing Stage 4 gate blocks before `case_process_started`.
- The validator must prove approval denied fails closed.
- The validator must prove approval granted is recorded before mutation.
- The validator must prove no Target Repository path is inspected or copied.
- The validator must prove no push, merge, deploy, close, or PR open occurs by default.
- Broader Hermes health must run once after focused Stage 4 validation passes.
- The CTO child validator must require this PRD and issue artifact before Stage 4 implementation is governed.

## Risks

- Disposable sandbox proof can be mistaken for owned-repo approval.
- Approval events can become ceremony if not tied to mutation gates.
- Branch policy proof can miss side effects outside git.
- Sandbox cleanup can destroy useful evidence if retention policy is weak.

## Dependencies

- Stage 3 copied-repo fixture is validated.
- Harness Evidence Interface Contract is validated.
- Case Adapter Contract is validated.
- Case Failure Fixture Matrix is validated.
- Real Case Qwen Stage 3 evidence exists as supporting telemetry, not a new blocking gate.

## Success Definition

Stage 4 is successful when Case changes only a disposable repository, records approval and branch policy evidence, preserves full Harness Evidence Interface proof, fails closed for required sandbox failure classes, and performs no push, merge, deploy, close, PR open, or broader repository mutation.

## Challenge Findings

- Accepted: real Case Qwen Stage 3 evidence strengthens Stage 3 but should not become a new mandatory gate.
- Accepted: approval denial must be a hard pre-mutation gate.
- Accepted: Stage 4 must stay disposable and must not become owned-repo proof.