---
name: cto-case-stage6-real-governed-refresh-issues
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-PRD.md
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local issue sequence for refreshing Stage 6 candidate-default evidence against real governed Stage 5 proof.
---

# CTO Case Stage 6 Real Governed Refresh Issues

Local planning SOT only. Not a Core Protocol. Not active Core authority.

## Issue Sequence

### CTO-WORK-054 - Stage 6 Real Governed Refresh PRD

Type: AFK

Status: validated.

Blocked by: CTO-WORK-049, CTO-WORK-043

What to build: Define the read-only evidence refresh route for comparing the first real governed Stage 5 pass against Stage 6 candidate-default criteria.

Acceptance criteria:

- [x] PRD requires `CTO-WORK-049` validated evidence.
- [x] PRD requires the real pass report and Stage 5 proof paths.
- [x] PRD requires report shape, event validity, allowed-path compliance, failure closure, artifact completeness, forbidden-action closure, and operator acceptance checks.
- [x] PRD keeps runtime default activation false.
- [x] PRD forbids target mutation, Core promotion, push, merge, deploy, close, PR open, issue close, public publication, vendor-source mutation, and unowned repository mutation.
- [x] Local CTO validator checks the PRD and issue artifact.

Allowed files: CTO child workspace planning docs and local validator only.

Validator: `python3 tools/validate_cto_child.py`

Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.

### CTO-WORK-055 - Stage 6 Real Governed Refresh Evidence Route

Type: HITL

Status: candidate.

Blocked by: CTO-WORK-054

What to build: In the Hermes CTO Harness, add a read-only Stage 6 refresh command that imports the real `CTO-WORK-049` pass report and Stage 5 proof, compares them against Stage 6 candidate-default criteria, and writes a refresh artifact.

Acceptance criteria:

- [ ] Command reads existing Harness Evidence Interface artifacts without mutating a Target Repository.
- [ ] Command verifies report shape, event validity, allowed-path compliance, failure closure, artifact completeness, forbidden-action closure, and operator acceptance.
- [ ] Command records fake, Codex, and Pi comparison status where applicable or blocked with rationale.
- [ ] Command records `runtime_default_activation: false`.
- [ ] Command records no target mutation, push, merge, deploy, close, PR open, issue close, public publication, vendor-source mutation, or unowned repository mutation.
- [ ] Focused validator passes before any aggregate Harness validation.
- [ ] Aggregate Harness validation runs once after focused validation passes and once after merge.

Allowed files: Hermes CTO Harness refresh validator, comparison code, and docs. Core, vendor source, Case source, target repositories, production repositories, external developer repositories, and WebUI behavior are forbidden.

Validator: future focused Hermes Stage 6 refresh validator, then `harness/evals/health.sh --json`.

Done evidence: Hermes sandcastle commit, focused validator output, refresh artifact path, aggregate Harness health output, clean merge, and CTO evidence update.

## Granularity Check

This is two slices because the planning route is now clear and cheap, while the executable Hermes refresh route touches a separate governed workspace and should use its own sandcastle.