---
title: CTO Case Provider Build PRD
status: draft
lifecycle_classification: sot
owner: jp
created: 2026-05-31
last_reviewed: 2026-05-31
core_promotion_status: not-promoted
route: cto
---

# CTO Case Provider Build PRD

Local planning SOT only. Not a Core Protocol. Not active Core authority.

## Problem Statement

Stage 2 now has a validated Case task adapter, but it still cannot complete with real WorkOS Case because no durable admitted `ca` executable exists. Discovery found Node `v20.19.5`, no local `bun` executable, no `dist/ca`, no PATH `ca`, and a pinned WorkOS Case source checkout at commit `7959ac917cdeb0983b4aaa20bb9f42021747fed8` under `/tmp`, which is discovery evidence only.

## Solution

Create a governed provider build and admission route that can produce or accept a durable WorkOS Case `ca` executable, record its source pin and SHA-256 digest, and then allow the Hermes CTO harness to run Stage 2 with `CTO_HARNESS_CASE_BIN` only after identity and command-shape checks pass.

## Scope

- Build or admit WorkOS Case from `https://github.com/workos/case.git` at pinned commit `7959ac917cdeb0983b4aaa20bb9f42021747fed8` or a later recorded pin.
- Require Bun before `bun install` or `bun run build:binary` can run.
- Record the resulting `dist/ca` path and SHA-256 digest.
- Prove the executable is WorkOS Case, not the unrelated npm `case` package.
- Run Stage 2 through the existing Hermes CTO Harness Evidence Interface.
- Preserve `ca run --task --mode unattended` as the only Stage 2 command shape.
- Require the task file to expose only copied artificial fixture inputs, allowed paths, forbidden actions, verification command, and evidence expectations.

## Non-Goals

- Do not vendor Case source into Cortex OS Core.
- Do not install or use the unrelated public npm `case` package.
- Do not mutate vendor source.
- Do not skip Stage 2.
- Do not authorize copied repo, sandbox repo, owned repo, default backend, WebUI product, or Core promotion behavior.
- Do not treat Case as CTO authority.

## Acceptance Criteria

- Provider build report records source URL, pinned commit, build command, `dist/ca` path, binary digest, Node version, Bun version, and build timestamp.
- Missing Bun blocks before build; it does not degrade to warning.
- Missing `dist/ca`, wrong source commit, wrong provider identity, non-executable binary, missing credentials, wrong command shape, or wrong task contract blocks.
- Current Hermes source admission status remains `not_admitted` until the provider build report is recorded.
- Stage 2 with `CTO_HARNESS_CASE_BIN=` produces a pass report only through real Case execution.
- Stage 2 without provider continues to fail closed as `provider unavailable`.
- Fake remains the default validation lane.
- Same-run fake baseline comparison remains required.
- Stage 2 records `report.json`, `report.md`, `events.normalized.jsonl`, `trace.jsonl`, `patch.diff`, `test.log`, backend raw logs, artifact digests, and freshness proof.
- Stage 2 records `source_admission_status`, `case_process_started`, `backend_exit_code`, `allowed_writes_passed`, `changed_files`, and `blockers`.
- No Cortex Core, Case source, vendor source, or Target Repository file is mutated by admission.

## Validation

- `python3 tools/validate_cto_child.py` validates this child-local route.
- Hermes provider validation must include `python3 harness/runner/validate-case-provider-adapter.py --harness-root harness --json`.
- Real provider validation must include `CTO_HARNESS_ALLOW_CASE=1 CTO_HARNESS_CASE_STAGE=2 CTO_HARNESS_CASE_BIN= harness/evals/run-case.sh r1-string-slugify --engine case --json`.
- Aggregate validation remains `harness/evals/health.sh --json` after focused gates pass.

## Risks And Dependencies

- Bun is not currently available on this host; provider build is blocked until Bun is installed or an admitted `dist/ca` is supplied.
- WorkOS Case is `private: true`; public npm `case` is unrelated.
- License status remains unresolved for broader execution modes.
- Case may need model credentials for real execution; no secrets may be placed in docs, argv, logs, or task files.

## Success Definition

Stage 2 moves from provider-unavailable blocked status to a real Case pass report while preserving the same harness evidence shape, allowed-write control, artifact digests, no-target-inspection proof, and fail-closed behavior.

## Current Provider Evidence Addendum - 2026-05-31

- Built binary digest observed: `9811f870af2f85616e359d42ba70566c9af08ca20d8660456929a56ec761513f`.
- Hung real-provider artifact directory: `20260531T233721Z-r1-string-slugify-1814067`.
- `CTO-WORK-016` remains blocked because no real Case Stage 2 pass report exists.
- `CTO-WORK-017 - Case Provider Timeout Fail-Closed Route` records the harness hardening response.
- Timeout control: `CTO_HARNESS_CASE_TIMEOUT_SECONDS`.
- Timeout marker: `backend/provider-timeout.txt`.
- Timeout validator check: `provider_timeout_fail_closed`.
- Hermes evidence commit: `d23c492 Fail closed on Case provider timeout`.
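
A sketch of the fail-closed admission check described under Acceptance Criteria, added here as an illustration and not taken from the Hermes harness. The function name `admit_provider`, the report keys `source_commit` and `binary_sha256`, the `admitted` status value, and every blocker string except `provider unavailable` are assumptions; it covers admitting an already-built binary only, not the Bun build step.

```python
import hashlib
import os
from pathlib import Path

# Source pin stated in this PRD.
PINNED_COMMIT = "7959ac917cdeb0983b4aaa20bb9f42021747fed8"


def sha256_file(path):
    """Stream the file so a large binary is never read into memory at once."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def admit_provider(report, case_bin):
    """Return an admission decision; any blocker keeps `not_admitted`.

    `report` is a hypothetical build-report dict (key names assumed).
    `case_bin` is the value of CTO_HARNESS_CASE_BIN, possibly empty or None.
    """
    blockers = []
    if not case_bin:
        # No provider supplied: same fail-closed wording the PRD uses.
        blockers.append("provider unavailable")
    elif not Path(case_bin).is_file():
        blockers.append("missing binary")
    else:
        if not os.access(case_bin, os.X_OK):
            blockers.append("non-executable binary")
        # A missing recorded digest compares unequal, so it also blocks.
        if sha256_file(case_bin) != report.get("binary_sha256"):
            blockers.append("binary digest mismatch")
    if report.get("source_commit") != PINNED_COMMIT:
        blockers.append("wrong source commit")
    return {
        "source_admission_status": "not_admitted" if blockers else "admitted",
        "blockers": blockers,
    }
```

Checks are accumulated rather than short-circuited so the report lists every blocker from a single run, and nothing in the function downgrades a failed check to a warning.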