hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0996df1bf9
cto/.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md

12 KiB
Raw Blame History

name tier status owner source created last_reviewed lifecycle_classification core_promotion_status description
cto-case-staged-proof-gates local draft jp .sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md 2026-05-31 2026-05-31 planning not-promoted Child-local staged proof gate records for Case candidate backend progression.

CTO Case Staged Proof Gates

Local planning SOT only. Not a Core Protocol. Not active Core authority.

Purpose

Define the staged proof gates Case must pass before it can be discussed as a candidate default backend.

Default status is earned, not assumed. No stage grants Core authority, WebUI Runtime behavior, real-repo mutation outside its stated scope, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion.

Gate Rules

  • Stages must be completed in order.
  • Each stage must preserve the CTO Harness Evidence Interface.
  • Each stage must respect the Case Source Admission Record.
  • Each stage must use the CTO Case Adapter Contract and Eligibility Decision.
  • Each stage must account for the CTO Case Failure Fixture Matrix.
  • Missing evidence means blocked, not partially accepted.
  • Later stages must not reinterpret earlier stage success as broader mutation permission.

Stage Summary

Stage Name Allowed mutation scope Promotion condition
1 Gated Case engine none Harness accepts --engine case only when explicitly enabled and default-deny proof passes.
2 Artificial fixture copied artificial case only Case adapter matches existing fake fixture behavior through the Harness Evidence Interface.
3 Copied repo fixture copied local repository fixture only No source repository mutation; clean start/end and failure fixtures pass.
4 Disposable sandbox repo disposable repository only Approval, branch, fail-closed, and artifact behavior pass in a throwaway repository.
5 Owned noncritical repo explicitly owned low-risk repository only Operator accepts bounded proof with source admission, approval, and allowed paths.
6 Candidate default scoped real-repo use only Case matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure.

Stage 1 - Gated Case Engine

Entry gates:

  • Harness Evidence Interface Contract is validated.
  • Case Adapter Contract is validated.
  • Case Source Admission Record exists.
  • Case Failure Fixture Matrix exists.

Allowed mutation scope: none.

Required artifacts:

  • report.json;
  • events.normalized.jsonl;
  • trace.jsonl;
  • no-op patch.diff;
  • no-op test.log;
  • backend raw logs showing default-deny preflight.

Validator expectation:

  • case is registered as a gated engine;
  • --engine case is rejected unless explicitly enabled;
  • no source files are changed;
  • missing gate produces blocked status.

Required failure classes:

  • provider unavailable;
  • missing required event;
  • artifact write failure.

Promotion condition:

  • Harness accepts --engine case only when explicitly enabled and default-deny proof passes.

Stage 2 - Artificial Fixture

Status: validated for Case/Qwen Stage 2 artificial fixture on 2026-06-01.

Entry gates:

  • Stage 1 is validated.
  • Artificial fixture task contract exists.
  • Allowed paths and verification command are explicit.

Allowed mutation scope: copied artificial case only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • changed files list;
  • allowed-write proof;
  • verification log;
  • digest and freshness proof.

Validator expectation:

  • artificial fixture can pass through the Case adapter;
  • fake lane remains default validation lane;
  • Case output matches report shape, event validity, allowed-path compliance, failure closure, and artifact completeness expected from fake fixtures.

Required failure classes:

  • no diff;
  • disallowed file;
  • failed tests;
  • missing test command;
  • missing required event.

Promotion condition:

  • Case adapter matches existing fake fixture behavior through the Harness Evidence Interface.

Validation evidence:

  • Hermes commit: fc54680 Complete Case lifecycle after committed proof.
  • Real Case Qwen Stage 2 pass artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T025817Z-r1-string-slugify-2907822.
  • Report status: pass.
  • Changed files: strings.py.
  • Tests passed: true.
  • Required events passed: true.
  • No Target Repository path was inspected or copied.
  • This validates Stage 2 only. Stage 3 copied-repo fixture remains the next proof gate.

Stage 3 - Copied Repo Fixture

Status: validated for copied-repo fixture proof on 2026-06-01.

Entry gates:

  • Stage 2 is validated.
  • Copied repository fixture is created from an owned local source.
  • Source repository remains read-only during fixture creation.

Allowed mutation scope: copied local repository fixture only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • clean starting tree proof for copied fixture;
  • clean ending tree proof;
  • source repository non-mutation proof;
  • failure fixture results.

Planning evidence:

  • Stage 3 PRD: .sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-PRD.md.
  • Stage 3 issues: .sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-ISSUES.md.

Validation evidence:

  • Hermes commit: 4edf5f1 Add Case Stage 3 copied repo harness proof.
  • Stage 3 pass artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T031903Z-r1-string-slugify-3018046.
  • Real Case Qwen Stage 3 pass artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T032245Z-r1-string-slugify-3035256.
  • Stage 3 pass report status: pass.
  • Source repository mutated: false.
  • Copied fixture starts clean: true.
  • Copied fixture ends clean: true.
  • Required events passed: true.
  • Aggregate harness health status: pass.
  • This validates Stage 3 only. Stage 4 disposable sandbox repo remains the next proof gate.

Validator expectation:

  • all changes occur inside copied fixture;
  • no hidden mutation occurs in source repository;
  • dirty-starting-tree and dirty-ending-tree failures are detected.

Required failure classes:

  • dirty starting tree;
  • dirty ending tree;
  • timeout;
  • artifact write failure.

Promotion condition:

  • copied repo fixture proves no source repo mutation and clean start/end behavior.

Stage 4 - Disposable Sandbox Repo

Status: validated for disposable sandbox repository proof on 2026-06-01.

Entry gates:

  • Stage 3 is validated.
  • Disposable repository ownership and disposal policy are explicit.
  • Approval events are enabled for mutation mode.

Allowed mutation scope: disposable repository only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • approval event proof;
  • branch policy proof;
  • sandbox disposal or retention note;
  • failure matrix coverage for sandbox mode.

Planning evidence:

  • Stage 4 PRD: .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md.
  • Stage 4 issues: .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md.

Validation evidence:

  • Hermes commit: 033fec8 Add Case Stage 4 disposable sandbox proof.
  • Focused Stage 4 validator: python3 harness/runner/validate-case-stage4.py --harness-root harness --json.
  • Focused Stage 4 validator status: ok: true.
  • Stage 4 pass artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T033647Z-r1-string-slugify-3113348.
  • Stage 4 proof artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T033647Z-r1-string-slugify-3113348/stage4-disposable-sandbox-proof.json.
  • Approval denied failure fixture blocked before Case execution.
  • Missing Stage 4 gate failure fixture blocked before Case execution.
  • Aggregate harness health status: pass.
  • This validates Stage 4 only. Stage 5 owned noncritical repository remains the next proof gate.

Validator expectation:

  • mutation occurs only in disposable repository;
  • approval denied fails closed;
  • branch policy is recorded;
  • no merge, push, deploy, or close occurs unless explicitly allowed by the task contract.

Required failure classes:

  • approval denied;
  • reviewer reject;
  • timeout;
  • provider unavailable.

Promotion condition:

  • disposable sandbox repo proves approval, branch, fail-closed, and artifact behavior.

Stage 5 - Owned Noncritical Repo

Status: validated for owned noncritical repository proof on 2026-06-01.

Entry gates:

  • Stage 4 is validated.
  • Target Repository ownership is explicit.
  • Repository is low risk and noncritical.
  • Human approval is recorded before mutation.
  • Source license note is resolved for the requested execution mode.

Allowed mutation scope: explicitly owned low-risk repository only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • Target Repository ownership proof;
  • approval event proof;
  • allowed paths and forbidden actions;
  • post-run operator acceptance or rejection.

Planning evidence:

  • Stage 5 PRD: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-PRD.md.
  • Stage 5 issues: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md.
  • Stage 5 admission preflight evidence: Hermes commit 6e68a1a Add Case Stage 5 target admission preflight; focused validator ok: true; aggregate harness health pass. This validates admission preflight only, not owned repository execution.

Validation evidence:

  • Hermes commit: 084ac70 Add Case Stage 5 owned repo proof.
  • Focused Stage 5 validator on Hermes main: python3 harness/runner/validate-case-stage5.py --harness-root harness --json.
  • Focused Stage 5 validator status: ok: true.
  • Focused validator pass report: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100039Z-r1-string-slugify-37603/report.json.
  • Actual admitted Target Repository proof report: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/report.json.
  • Actual admitted Target Repository proof artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/stage5-owned-repo-proof.json.
  • Target repo: /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox.
  • Target repo proof commit: 155b442 stage5 case result.
  • Changed files: strings.py.
  • Allowed paths passed: true.
  • Forbidden paths passed: true.
  • Required events passed: true.
  • Tests passed: true.
  • Operator outcome: accepted.
  • Target repository started clean and ended clean.
  • This validates Stage 5 only. Stage 6 candidate default remains blocked until comparison evidence exists.

Validator expectation:

  • mutation stays inside allowed paths;
  • no direct push, merge, deploy, or close occurs unless task contract explicitly allows it;
  • operator approval and outcome are replayable.

Required failure classes:

  • disallowed file;
  • failed tests;
  • approval denied;
  • dirty ending tree.

Promotion condition:

  • operator accepts bounded proof with source admission, approval, and allowed paths.

Stage 6 - Candidate Default

Status: planned. Execution remains candidate until CTO-WORK-043 produces Harness comparison evidence after Stage 6 PRD validation.

Entry gates:

  • Stage 5 is validated.
  • Comparison fixtures exist for fake, Codex, and Pi where applicable.
  • Case source admission is current.
  • Failure matrix coverage is complete or explicitly blocked with rationale.

Allowed mutation scope: scoped real-repo use only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • comparative evidence against fake, Codex, and Pi where applicable;
  • failure closure evidence;
  • source admission freshness;
  • operator acceptance.

Validator expectation:

  • Case matches or beats existing lanes on report shape;
  • Case matches or beats existing lanes on event validity;
  • Case matches or beats existing lanes on allowed-path compliance;
  • Case matches or beats existing lanes on failure closure;
  • Case matches or beats existing lanes on artifact completeness.

Required failure classes:

  • all failure matrix rows, unless a row is explicitly blocked by a governed stage record.

Promotion condition:

  • Case may be discussed as candidate default only after comparison evidence shows it matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure.

Planning evidence:

  • Stage 6 PRD: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-PRD.md.
  • Stage 6 issues: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md.

Final Guard

These staged proof gates do not implement Case and do not authorize execution. They define the minimum route for later implementation.

Any future implementation must start with Stage 1 and must not skip to real-repo execution.