---
name: cto-first-real-governed-workflow-issues
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-FIRST-REAL-GOVERNED-WORKFLOW-PRD.md
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local issue sequence for the first real governed CTO workflow delegation.
---

# CTO First Real Governed Workflow Issues

Local planning SOT only. Not a Core Protocol. Not active Core authority.

## Issue Sequence

### CTO-WORK-048 - First Real Governed Workflow PRD

Type: AFK

Status: validated.

Blocked by: CTO-WORK-047

What to build: Define the gated route for one real governed coding workflow without executing it or changing backend default status.

Acceptance criteria:

- [x] PRD requires precise brief or issue.
- [x] PRD requires current Target Repository admission.
- [x] PRD requires JP/Hermes approval before mutation.
- [x] PRD requires Case execution through CTO Harness only.
- [x] PRD requires Harness Evidence Interface artifacts for acceptance.
- [x] PRD requires Hermes Control Surface replay paths after execution.
- [x] PRD keeps runtime default activation false.
- [x] Local CTO validator checks the PRD.

Validator: `python3 tools/validate_cto_child.py`

### CTO-WORK-049 - First Real Governed Workflow Execution

Type: HITL

Status: candidate.

Blocked by: CTO-WORK-048

What to build: Execute one bounded real coding task through CTO, Hermes approval, CTO Harness, and Case, then record evidence without activating Case as default.

Acceptance criteria:

- [ ] A concrete owned low-risk Target Repository is selected.
- [ ] Target Repository admission is current and references no secrets.
- [ ] A precise task contract exists with allowed paths, forbidden actions, success criteria, validation command, and rollback expectation.
- [ ] JP/Hermes approval is recorded before mutation.
- [ ] Case runs only through CTO Harness.
- [ ] Runtime default activation remains false.
- [ ] Harness Evidence Interface artifacts exist and pass focused validation.
- [ ] Hermes Control Surface exposes replay paths for the run.
- [ ] Operator acceptance or rejection is recorded after verification.
- [ ] Aggregate Harness health passes once before merge and once after merge.

Validator: future focused real-workflow Harness validator, then `harness/evals/health.sh --json`.

Human gate: JP must approve the concrete Target Repository and task contract before execution.

## Granularity Check

This is intentionally two slices. `CTO-WORK-048` is planning and route definition. `CTO-WORK-049` is the first real execution and remains candidate because it needs JP approval and runtime target selection.