hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
272ff4550e
cto/sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-PRD.md
Svrnty 272ff4550e Add CTO Case provider build route
2026-05-31 19:36:00 -04:00

4.3 KiB
Raw Blame History

title status lifecycle_classification owner created last_reviewed core_promotion_status route
CTO Case Provider Build PRD draft sot jp 2026-05-31 2026-05-31 not-promoted cto

CTO Case Provider Build PRD

Local planning SOT only. Not a Core Protocol. Not active Core authority.

Problem Statement

Stage 2 now has a validated Case task adapter, but it still cannot complete with real WorkOS Case because no durable admitted ca executable exists. Discovery found Node v20.19.5, no local bun executable, no dist/ca, no PATH ca, and a pinned WorkOS Case source checkout at commit 7959ac917cdeb0983b4aaa20bb9f42021747fed8 under /tmp, which is discovery evidence only.

Solution

Create a governed provider build and admission route that can produce or accept a durable WorkOS Case ca executable, record its source pin and SHA-256 digest, and then allow the Hermes CTO harness to run Stage 2 with CTO_HARNESS_CASE_BIN only after identity and command-shape checks pass.

Scope

  • Build or admit WorkOS Case from https://github.com/workos/case.git at pinned commit 7959ac917cdeb0983b4aaa20bb9f42021747fed8 or a later recorded pin.
  • Require Bun before bun install or bun run build:binary can run.
  • Record the resulting dist/ca path and SHA-256 digest.
  • Prove the executable is WorkOS Case, not the unrelated npm case package.
  • Run Stage 2 through the existing Hermes CTO Harness Evidence Interface.
  • Preserve ca run --task <task-file> --mode unattended as the only Stage 2 command shape.
  • Require the task file to expose only copied artificial fixture inputs, allowed paths, forbidden actions, verification command, and evidence expectations.

Non-Goals

  • Do not vendor Case source into Cortex OS Core.
  • Do not install or use the unrelated public npm case package.
  • Do not mutate vendor source.
  • Do not skip Stage 2.
  • Do not authorize copied repo, sandbox repo, owned repo, default backend, WebUI product, or Core promotion behavior.
  • Do not treat Case as CTO authority.

Acceptance Criteria

  • Provider build report records source URL, pinned commit, build command, dist/ca path, binary digest, Node version, Bun version, and build timestamp.
  • Missing Bun blocks before build; it does not degrade to warning.
  • Missing dist/ca, wrong source commit, wrong provider identity, non-executable binary, missing credentials, wrong command shape, or wrong task contract blocks.
  • Current Hermes source admission status remains not_admitted until the provider build report is recorded.
  • Stage 2 with CTO_HARNESS_CASE_BIN=<admitted-ca> produces a pass report only through real Case execution.
  • Stage 2 without provider continues to fail closed as provider unavailable.
  • Fake remains the default validation lane.
  • Same-run fake baseline comparison remains required.
  • Stage 2 records report.json, report.md, events.normalized.jsonl, trace.jsonl, patch.diff, test.log, backend raw logs, artifact digests, and freshness proof.
  • Stage 2 records source_admission_status, case_process_started, backend_exit_code, allowed_writes_passed, changed_files, and blockers.
  • No Cortex Core, Case source, vendor source, or Target Repository file is mutated by admission.

Validation

  • python3 tools/validate_cto_child.py validates this child-local route.
  • Hermes provider validation must include python3 harness/runner/validate-case-provider-adapter.py --harness-root harness --json.
  • Real provider validation must include CTO_HARNESS_ALLOW_CASE=1 CTO_HARNESS_CASE_STAGE=2 CTO_HARNESS_CASE_BIN=<admitted-ca> harness/evals/run-case.sh r1-string-slugify --engine case --json.
  • Aggregate validation remains harness/evals/health.sh --json after focused gates pass.

Risks And Dependencies

  • Bun is not currently available on this host; provider build is blocked until Bun is installed or an admitted dist/ca is supplied.
  • WorkOS Case is private: true; public npm case is unrelated.
  • License status remains unresolved for broader execution modes.
  • Case may need model credentials for real execution; no secrets may be placed in docs, argv, logs, or task files.

Success Definition

Stage 2 moves from provider-unavailable blocked status to a real Case pass report while preserving the same harness evidence shape, allowed-write control, artifact digests, no-target-inspection proof, and fail-closed behavior.