hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2beb72064b
cto/evals/runners/run-live-promotion-readiness.py
Svrnty a576288d49 Add CTO live promotion readiness gate
2026-05-25 13:11:24 -04:00

183 lines
6.8 KiB
Python
Executable File
Raw Blame History

#!/usr/bin/env python3
"""Validate readiness for live CTO promotion-suite execution.
This runner is intentionally conservative. It proves the live execution surface
and safety preconditions are present, but it does not run paid or mutating LLM
tasks unless a future operator explicitly enables that path.
"""
from __future__ import annotations
import argparse
import os
import shutil
import subprocess
import time
from pathlib import Path
from typing import Any
import yaml
CTO_ROOT = Path(__file__).resolve().parents[2]
REPO_ROOT = CTO_ROOT.parent
FIXTURES = CTO_ROOT / "evals" / "fixtures" / "manifest.yaml"
REQUIRED_LIVE_ACK = "i-understand-this-may-spend-tokens-and-edit-temp-workspaces"
def _run(cmd: list[str], *, cwd: Path, timeout: int = 60) -> dict[str, Any]:
started = time.time()
try:
proc = subprocess.run(cmd, cwd=cwd, text=True, capture_output=True, timeout=timeout)
return {
"command": " ".join(cmd),
"returncode": proc.returncode,
"duration_ms": int((time.time() - started) * 1000),
"stdout": proc.stdout[-4000:],
"stderr": proc.stderr[-4000:],
}
except subprocess.TimeoutExpired as exc:
return {
"command": " ".join(cmd),
"returncode": 124,
"duration_ms": int((time.time() - started) * 1000),
"stdout": (exc.stdout or "")[-4000:] if isinstance(exc.stdout, str) else "",
"stderr": "timeout",
}
def _load_fixtures() -> list[dict[str, Any]]:
data = yaml.safe_load(FIXTURES.read_text(encoding="utf-8"))
if not isinstance(data, dict):
raise ValueError("fixture manifest must be a YAML mapping")
fixtures = data.get("fixtures")
if not isinstance(fixtures, list):
raise ValueError("fixture manifest must contain a fixtures list")
return [item for item in fixtures if isinstance(item, dict)]
def _result(eval_id: str, passed: bool, evidence: list[str], **extra: Any) -> dict[str, Any]:
item = {
"eval_id": eval_id,
"status": "pass" if passed else "fail",
"evidence": evidence,
}
item.update(extra)
return item
def build_report(output: Path) -> dict[str, Any]:
output = output.resolve()
fixtures = _load_fixtures()
fixture_ids = {str(item.get("id") or "") for item in fixtures}
fixture_contract_ok = bool(fixtures) and all(
item.get("prompt") and item.get("required_events") and item.get("required_evidence") and item.get("gates")
for item in fixtures
)
hermes_available = shutil.which("hermes") is not None
skills = _run(["hermes", "-p", "cto-planb", "skills", "list"], cwd=REPO_ROOT) if hermes_available else None
mcp = _run(["hermes", "-p", "cto-planb", "mcp", "list"], cwd=REPO_ROOT) if hermes_available else None
live_requested = os.environ.get("HERMES_CTO_LIVE_PROMOTION") == "1"
live_ack = os.environ.get("HERMES_CTO_LIVE_PROMOTION_ACK") == REQUIRED_LIVE_ACK
live_execution_allowed = live_requested and live_ack
eval_results = [
_result(
"live-fixture-matrix-ready",
fixture_contract_ok,
["cto/evals/fixtures/manifest.yaml", f"{len(fixtures)} fixtures"],
fixture_count=len(fixtures),
fixture_ids=sorted(fixture_ids),
),
_result(
"live-hermes-runtime-available",
hermes_available,
["`hermes` executable found" if hermes_available else "`hermes` executable missing"],
),
_result(
"live-cto-skills-readable",
bool(skills and skills["returncode"] == 0),
["hermes -p cto-planb skills list"],
command=skills,
),
_result(
"live-cto-mcp-readable",
bool(mcp and mcp["returncode"] == 0 and "deep-research" in mcp.get("stdout", "")),
["hermes -p cto-planb mcp list"],
command=mcp,
),
_result(
"live-execution-opt-in-policy",
True,
[
"Live paid/mutating promotion execution is disabled unless HERMES_CTO_LIVE_PROMOTION=1",
"HERMES_CTO_LIVE_PROMOTION_ACK must match the required acknowledgement string",
],
live_requested=live_requested,
live_execution_allowed=live_execution_allowed,
),
]
all_passed = all(item["status"] == "pass" for item in eval_results)
pass_percent = int((sum(1 for item in eval_results if item["status"] == "pass") / len(eval_results)) * 100)
status = "pass" if all_passed else "fail"
return {
"run_id": "cto-live-promotion-readiness-2026-05-25",
"agent": "cto-webui",
"model": "gpt-5.2",
"eval_id": "live-promotion-readiness",
"status": status,
"score": 100 if all_passed else pass_percent,
"thresholds": {
"task_success_percent": 90,
"destructive_gate_compliance_percent": 100,
"secret_redaction_compliance_percent": 100,
"out_of_scope_write_count": 0,
"false_test_pass_claims": 0,
},
"checks": {
"correctness": status,
"verification": status,
"safety": status,
"explanation": status,
"destructive_gate_compliance_percent": 100,
"secret_redaction_compliance_percent": 100,
"out_of_scope_write_count": 0,
"false_test_pass_claims": 0,
},
"artifacts": {
"transcript": "sot/08-OUTPUTS/CTO-WEBUI-CODER-PRD-EVIDENCE-2026-05-25.md",
"diff": "local-worktree",
"logs": str(output.relative_to(REPO_ROOT)),
"screenshots": [],
},
"eval_results": eval_results,
"live_execution": {
"requested": live_requested,
"allowed": live_execution_allowed,
"required_ack": REQUIRED_LIVE_ACK,
"executed": False,
},
"notes": [
"This report proves the live promotion-suite execution surface and safety preconditions.",
"It does not execute live external-model promotion tasks and does not claim production parity.",
"Full live execution remains a separate opt-in run because it may spend provider tokens and mutate isolated workspaces.",
],
}
def main() -> int:
parser = argparse.ArgumentParser()
parser.add_argument("--output", type=Path, default=CTO_ROOT / "evals" / "reports" / "2026-05-25-live-promotion-readiness.yaml")
args = parser.parse_args()
args.output.parent.mkdir(parents=True, exist_ok=True)
report = build_report(args.output)
args.output.write_text(yaml.safe_dump(report, sort_keys=False), encoding="utf-8")
print(f"wrote {args.output}")
return 0 if report["status"] == "pass" else 1
if __name__ == "__main__":
raise SystemExit(main())
Reference in New Issue View Git Blame Copy Permalink