hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
19e7766c1a
cto/.sot/03-PROTOCOLS/CTO-CASE-ADAPTER-CONTRACT.md
Svrnty 19e7766c1a Migrate CTO SOT route to dotpath
2026-05-31 20:34:10 -04:00

5.8 KiB
Raw Blame History

name tier status owner source created last_reviewed lifecycle_classification core_promotion_status description
cto-case-adapter-contract local draft jp .sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md 2026-05-31 2026-05-31 planning not-promoted Child-local contract for the future gated Case adapter and CTO Eligibility Decision.

CTO Case Adapter Contract

Local planning SOT only. Not a Core Protocol. Not active Core authority.

Purpose

Define the future Case adapter seam and CTO Eligibility Decision before any executable Case integration exists.

This contract keeps Case behind the CTO Harness seam. Case may become a backend adapter only after source admission, evidence interface conformance, explicit gating, and staged proof.

Non-Authority Notice

This contract does not authorize Runtime behavior, WebUI Product behavior, Case execution, real-repo mutation, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion.

Adapter Boundary

The Case adapter must live behind the existing CTO Harness engine seam.

Required boundary rules:

  • register backend id case as a gated engine before execution;
  • require the harness to accept --engine case only when explicitly enabled;
  • prevent a parallel runner path outside the existing harness seam;
  • keep Case lifecycle details behind the adapter unless a later contract promotes normalized events;
  • emit the CTO Harness Evidence Interface, not raw Case success claims;
  • default-deny all execution until explicit gates pass.

Gating Rule

case must be disabled by default.

Minimum future gates:

  • source admission is validated;
  • license note is resolved;
  • evidence interface contract is validated;
  • adapter contract is validated;
  • mutation mode is explicitly selected;
  • operator approval is recorded when mutation mode requires approval;
  • allowed paths and forbidden actions are provided by the task contract.

No missing gate may degrade to a warning. Missing gate means blocked.

Adapter Input Contract

The future adapter input must be derived from existing PRD, SOT Issue, task contract, and case contract language until Candidate Cortex Work Packet is promoted.

Minimum input fields:

Field Meaning
task_id Stable task or issue identifier.
target_repository Target Repository path or URL.
authority_basis Local planning, Core route, or task contract reference.
risk_class Risk class used for eligibility.
allowed_paths Paths the backend may change.
forbidden_actions Actions the backend must not perform.
mutation_mode none, copied-fixture, sandbox-repo, owned-noncritical-repo, or candidate-default.
approval_required Whether human approval is required before mutation.
verification_commands Commands expected to prove the change.
evidence_expectations Required artifacts and validation results.

Adapter Output Contract

The future adapter output must be the CTO Harness Evidence Interface.

Minimum output:

  • report.json;
  • report.md;
  • events.normalized.jsonl;
  • patch.diff;
  • test.log;
  • trace.jsonl;
  • backend raw logs under backend/;
  • pass, fail, or blocked status;
  • blocker reasons for any fail-closed result.

Raw Case lifecycle output is allowed only as backend raw logs unless normalized by this or a later contract.

CTO Eligibility Decision

Before selecting Case or any backend, CTO must emit an Eligibility Decision.

Required fields:

Field Meaning
decision_id Stable decision identifier.
task_id Task or issue identifier.
selected_backend Backend selected, or none.
denied_backends Backends denied with reasons.
risk_class Risk classification used for the decision.
required_gates Gates that must pass before execution.
passed_gates Gates already proven.
missing_gates Gates that block execution.
allowed_mutation_mode Maximum mutation mode allowed.
approval_required Whether human approval is required.
reasons Human-readable decision reasons.
escalation_path JP, Core route, Hermes/operator, or blocked.

Case must not create or override the Eligibility Decision. Case may recommend, but CTO decides eligibility and the harness records evidence.

Backend Selection Rules

Case is ineligible when:

  • source admission is not validated;
  • license note is unresolved for the requested execution mode;
  • Harness Evidence Interface cannot be produced;
  • allowed paths are missing;
  • forbidden actions are missing;
  • approval is required but not granted;
  • mutation mode exceeds the current staged proof gate;
  • target repository ownership is unclear;
  • starting worktree state is dirty when clean start is required.

Case may be eligible only when every required gate is proven and the allowed mutation mode is no broader than the current staged proof gate.

Approval Rule

Case may recommend. Case must not approve itself or select its own authority.

Approval must be represented by normalized events:

  • approval.requested;
  • approval.granted;
  • approval.denied.

No merge, push, deploy, close, or real-repo mutation is allowed without explicit task-contract permission.

Implementation Guard

This contract deliberately does not create case-engine.sh.

The first future implementation slice may create a no-op gated adapter only after the staged proof gate record exists. The no-op adapter must prove default-deny behavior before it can attempt artificial fixture execution.

Validation Expectations

Current validation is planning-only and checks this contract exists.

Later adapter validation must verify engine registration, explicit gate behavior, input shape, Eligibility Decision shape, output evidence shape, approval events, and fail-closed ineligibility.