--- name: CTO Governed Execution Approval Issues status: validated lifecycle_classification: sot owner: jp created: 2026-06-01 last_reviewed: 2026-06-01 core_promotion_status: not-promoted --- # CTO Governed Execution Approval Issues Local planning SOT only. Not a Core Protocol. Not active Core authority. ## Issue: CTO-WORK-068 - Governed Execution Approval PRD Status: validated. Acceptance: - Define governed execution approval as a single-task approval capture. - Preserve the exact approval packet. - Record `approval_granted: true`. - Record `execution_allowed: true`. - Record `execution_scope: one approved Harness run only`. - Preserve the admitted target repository. - Preserve allowed paths. - Preserve the Harness command. - State: Runtime default activation remains false. - State: Do not activate Case as default backend. - State: Do not mutate any path outside the allowed paths. - State: Do not edit upstream `hermes-agent`. - State: Do not edit upstream `hermes-webui`. - State: This record is not execution evidence. ## Issue: CTO-WORK-069 - Governed Execution Approval Record Status: validated. Acceptance: - Create the governed execution approval record. - Include the exact approval packet. - Include `approval_granted: true`. - Include `execution_allowed: true`. - Include `execution_scope: one approved Harness run only`. - Include `approval_source: JP chat approval`. - Include the admitted target repository. - Include allowed paths. - Include the Harness command. - State: Runtime default activation remains false. - State: Do not activate Case as default backend. - State: Do not mutate any path outside the allowed paths. - State: Do not edit upstream `hermes-agent`. - State: Do not edit upstream `hermes-webui`. - State: This record is not execution evidence. ## Exact Approval Packet ```text I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task. ``` - governed execution approval - single-task approval capture - exact approval packet - approval_granted: true - execution_allowed: true - execution_scope: one approved Harness run only - admitted target repository - allowed paths - Harness command - Runtime default activation remains false. - Do not activate Case as default backend. - Do not mutate any path outside the allowed paths. - Do not edit upstream `hermes-agent`. - Do not edit upstream `hermes-webui`. - This record is not execution evidence.