---
name: cto-case-staged-proof-gates
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md
created: 2026-05-31
last_reviewed: 2026-05-31
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local staged proof gate records for Case candidate backend progression.
---

# CTO Case Staged Proof Gates

Local planning SOT only. Not a Core Protocol. Not active Core authority.

## Purpose

Define the staged proof gates Case must pass before it can be discussed as a candidate default backend.

Default status is earned, not assumed. No stage grants Core authority, WebUI Runtime behavior, real-repo mutation outside its stated scope, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion.

## Gate Rules

- Stages must be completed in order.
- Each stage must preserve the CTO Harness Evidence Interface.
- Each stage must respect the Case Source Admission Record.
- Each stage must use the CTO Case Adapter Contract and Eligibility Decision.
- Each stage must account for the CTO Case Failure Fixture Matrix.
- Missing evidence means blocked, not partially accepted.
- Later stages must not reinterpret earlier stage success as broader mutation permission.

## Stage Summary

| Stage | Name | Allowed mutation scope | Promotion condition |
| --- | --- | --- | --- |
| 1 | Gated Case engine | none | Harness accepts `--engine case` only when explicitly enabled and default-deny proof passes. |
| 2 | Artificial fixture | copied artificial case only | Case adapter matches existing fake fixture behavior through the Harness Evidence Interface. |
| 3 | Copied repo fixture | copied local repository fixture only | No source repository mutation; clean start/end and failure fixtures pass. |
| 4 | Disposable sandbox repo | disposable repository only | Approval, branch, fail-closed, and artifact behavior pass in a throwaway repository. |
| 5 | Owned noncritical repo | explicitly owned low-risk repository only | Operator accepts bounded proof with source admission, approval, and allowed paths. |
| 6 | Candidate default | scoped real-repo use only | Case matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure. |

## Stage 1 - Gated Case Engine

Entry gates:

- Harness Evidence Interface Contract is validated.
- Case Adapter Contract is validated.
- Case Source Admission Record exists.
- Case Failure Fixture Matrix exists.

Allowed mutation scope: none.

Required artifacts:

- `report.json`;
- `events.normalized.jsonl`;
- `trace.jsonl`;
- no-op `patch.diff`;
- no-op `test.log`;
- backend raw logs showing default-deny preflight.

Validator expectation:

- `case` is registered as a gated engine;
- `--engine case` is rejected unless explicitly enabled;
- no source files are changed;
- missing gate produces blocked status.

Required failure classes:

- provider unavailable;
- missing required event;
- artifact write failure.

Promotion condition:

- Harness accepts `--engine case` only when explicitly enabled and default-deny proof passes.

## Stage 2 - Artificial Fixture

Status: validated for Case/Qwen Stage 2 artificial fixture on 2026-06-01.

Entry gates:

- Stage 1 is validated.
- Artificial fixture task contract exists.
- Allowed paths and verification command are explicit.

Allowed mutation scope: copied artificial case only.

Required artifacts:

- full Harness Evidence Interface artifact set;
- changed files list;
- allowed-write proof;
- verification log;
- digest and freshness proof.

Validator expectation:

- artificial fixture can pass through the Case adapter;
- fake lane remains default validation lane;
- Case output matches report shape, event validity, allowed-path compliance, failure closure, and artifact completeness expected from fake fixtures.

Required failure classes:

- no diff;
- disallowed file;
- failed tests;
- missing test command;
- missing required event.

Promotion condition:

- Case adapter matches existing fake fixture behavior through the Harness Evidence Interface.

Validation evidence:

- Hermes commit: `fc54680 Complete Case lifecycle after committed proof`.
- Real Case Qwen Stage 2 pass artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T025817Z-r1-string-slugify-2907822`.
- Report status: `pass`.
- Changed files: `strings.py`.
- Tests passed: `true`.
- Required events passed: `true`.
- No Target Repository path was inspected or copied.
- This validates Stage 2 only. Stage 3 copied-repo fixture remains the next proof gate.

## Stage 3 - Copied Repo Fixture

Status: validated for copied-repo fixture proof on 2026-06-01.

Entry gates:

- Stage 2 is validated.
- Copied repository fixture is created from an owned local source.
- Source repository remains read-only during fixture creation.

Allowed mutation scope: copied local repository fixture only.

Required artifacts:

- full Harness Evidence Interface artifact set;
- clean starting tree proof for copied fixture;
- clean ending tree proof;
- source repository non-mutation proof;
- failure fixture results.

Planning evidence:

- Stage 3 PRD: `.sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-PRD.md`.
- Stage 3 issues: `.sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-ISSUES.md`.

Validation evidence:

- Hermes commit: `4edf5f1 Add Case Stage 3 copied repo harness proof`.
- Stage 3 pass artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T031903Z-r1-string-slugify-3018046`.
- Real Case Qwen Stage 3 pass artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T032245Z-r1-string-slugify-3035256`.
- Stage 3 pass report status: `pass`.
- Source repository mutated: `false`.
- Copied fixture starts clean: `true`.
- Copied fixture ends clean: `true`.
- Required events passed: `true`.
- Aggregate harness health status: `pass`.
- This validates Stage 3 only. Stage 4 disposable sandbox repo remains the next proof gate.

Validator expectation:

- all changes occur inside copied fixture;
- no hidden mutation occurs in source repository;
- dirty-starting-tree and dirty-ending-tree failures are detected.

Required failure classes:

- dirty starting tree;
- dirty ending tree;
- timeout;
- artifact write failure.

Promotion condition:

- copied repo fixture proves no source repo mutation and clean start/end behavior.

## Stage 4 - Disposable Sandbox Repo

Status: validated for disposable sandbox repository proof on 2026-06-01.

Entry gates:

- Stage 3 is validated.
- Disposable repository ownership and disposal policy are explicit.
- Approval events are enabled for mutation mode.

Allowed mutation scope: disposable repository only.

Required artifacts:

- full Harness Evidence Interface artifact set;
- approval event proof;
- branch policy proof;
- sandbox disposal or retention note;
- failure matrix coverage for sandbox mode.

Planning evidence:

- Stage 4 PRD: `.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md`.
- Stage 4 issues: `.sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md`.

Validation evidence:

- Hermes commit: `033fec8 Add Case Stage 4 disposable sandbox proof`.
- Focused Stage 4 validator: `python3 harness/runner/validate-case-stage4.py --harness-root harness --json`.
- Focused Stage 4 validator status: `ok: true`.
- Stage 4 pass artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T033647Z-r1-string-slugify-3113348`.
- Stage 4 proof artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T033647Z-r1-string-slugify-3113348/stage4-disposable-sandbox-proof.json`.
- Approval denied failure fixture blocked before Case execution.
- Missing Stage 4 gate failure fixture blocked before Case execution.
- Aggregate harness health status: `pass`.
- This validates Stage 4 only. Stage 5 owned noncritical repository remains the next proof gate.

Validator expectation:

- mutation occurs only in disposable repository;
- approval denied fails closed;
- branch policy is recorded;
- no merge, push, deploy, or close occurs unless explicitly allowed by the task contract.

Required failure classes:

- approval denied;
- reviewer reject;
- timeout;
- provider unavailable.

Promotion condition:

- disposable sandbox repo proves approval, branch, fail-closed, and artifact behavior.

## Stage 5 - Owned Noncritical Repo

Status: validated for owned noncritical repository proof on 2026-06-01.

Entry gates:

- Stage 4 is validated.
- Target Repository ownership is explicit.
- Repository is low risk and noncritical.
- Human approval is recorded before mutation.
- Source license note is resolved for the requested execution mode.

Allowed mutation scope: explicitly owned low-risk repository only.

Required artifacts:

- full Harness Evidence Interface artifact set;
- Target Repository ownership proof;
- approval event proof;
- allowed paths and forbidden actions;
- post-run operator acceptance or rejection.

Planning evidence:

- Stage 5 PRD: `.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-PRD.md`.
- Stage 5 issues: `.sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md`.
- Stage 5 admission preflight evidence: Hermes commit `6e68a1a Add Case Stage 5 target admission preflight`; focused validator `ok: true`; aggregate harness health `pass`. This validates admission preflight only, not owned repository execution.

Validation evidence:

- Hermes commit: `084ac70 Add Case Stage 5 owned repo proof`.
- Focused Stage 5 validator on Hermes main: `python3 harness/runner/validate-case-stage5.py --harness-root harness --json`.
- Focused Stage 5 validator status: `ok: true`.
- Focused validator pass report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100039Z-r1-string-slugify-37603/report.json`.
- Actual admitted Target Repository proof report: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/report.json`.
- Actual admitted Target Repository proof artifact: `/home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/stage5-owned-repo-proof.json`.
- Target repo: `/home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox`.
- Target repo proof commit: `155b442 stage5 case result`.
- Changed files: `strings.py`.
- Allowed paths passed: `true`.
- Forbidden paths passed: `true`.
- Required events passed: `true`.
- Tests passed: `true`.
- Operator outcome: `accepted`.
- Target repository started clean and ended clean.
- This validates Stage 5 only. Stage 6 candidate default remains blocked until comparison evidence exists.

Validator expectation:

- mutation stays inside allowed paths;
- no direct push, merge, deploy, or close occurs unless task contract explicitly allows it;
- operator approval and outcome are replayable.

Required failure classes:

- disallowed file;
- failed tests;
- approval denied;
- dirty ending tree.

Promotion condition:

- operator accepts bounded proof with source admission, approval, and allowed paths.

## Stage 6 - Candidate Default

Entry gates:

- Stage 5 is validated.
- Comparison fixtures exist for fake, Codex, and Pi where applicable.
- Case source admission is current.
- Failure matrix coverage is complete or explicitly blocked with rationale.

Allowed mutation scope: scoped real-repo use only.

Required artifacts:

- full Harness Evidence Interface artifact set;
- comparative evidence against fake, Codex, and Pi where applicable;
- failure closure evidence;
- source admission freshness;
- operator acceptance.

Validator expectation:

- Case matches or beats existing lanes on report shape;
- Case matches or beats existing lanes on event validity;
- Case matches or beats existing lanes on allowed-path compliance;
- Case matches or beats existing lanes on failure closure;
- Case matches or beats existing lanes on artifact completeness.

Required failure classes:

- all failure matrix rows, unless a row is explicitly blocked by a governed stage record.

Promotion condition:

- Case may be discussed as candidate default only after comparison evidence shows it matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure.

## Final Guard

These staged proof gates do not implement Case and do not authorize execution. They define the minimum route for later implementation. Any future implementation must start with Stage 1 and must not skip to real-repo execution.
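
The following is an added illustration of the Gate Rules as a fail-closed evaluator; it is not the Hermes harness validator or any code from this record. `StageRecord`, `evaluate`, and `STAGE1_ARTIFACTS` are hypothetical names, and the scopes are copied from the Stage Summary table.

```python
# Added illustration of the Gate Rules; not the Hermes harness validator.
# StageRecord, evaluate() and STAGE1_ARTIFACTS are hypothetical names.
from dataclasses import dataclass

# Allowed mutation scope per stage, copied from the Stage Summary table.
SCOPES = {
    1: "none",
    2: "copied artificial case only",
    3: "copied local repository fixture only",
    4: "disposable repository only",
    5: "explicitly owned low-risk repository only",
    6: "scoped real-repo use only",
}

# Stage 1 artifact files named on this page (the backend raw logs have
# no file name on the page and are left out of this sample set).
STAGE1_ARTIFACTS = frozenset({"report.json", "events.normalized.jsonl",
                              "trace.jsonl", "patch.diff", "test.log"})

@dataclass
class StageRecord:
    stage: int
    required: frozenset       # evidence the stage demands
    present: frozenset        # evidence actually found for the run
    validated: bool = False   # recorded outcome of an earlier evaluation

def evaluate(records, target):
    """Return (status, scope, reasons) for stage `target`, failing closed."""
    by_stage = {r.stage: r for r in records}
    reasons = []
    # Rule: stages must be completed in order.
    for n in range(1, target):
        prior = by_stage.get(n)
        if prior is None or not prior.validated:
            reasons.append(f"stage {n} not validated")
    rec = by_stage.get(target)
    if rec is None or target not in SCOPES:
        reasons.append(f"no usable record for stage {target}")
    else:
        # Rule: missing evidence means blocked, not partially accepted.
        missing = sorted(rec.required - rec.present)
        reasons += [f"missing evidence: {m}" for m in missing]
    if reasons:
        return "blocked", "none", reasons
    # Rule: scope comes from the target stage alone; earlier passes widen nothing.
    return "pass", SCOPES[target], []
```

Any blocking reason collapses the returned scope to `none`, so a caller cannot read a blocked result as partial permission.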