cto/.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-ISSUES.md

name	tier	status	owner	source	created	last_reviewed	lifecycle_classification	core_promotion_status	description
cto-hermes-real-refresh-control-replay-issues	local	draft	jp	.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md	2026-06-01	2026-06-01	planning	not-promoted	Child-local issue sequence for exposing Stage 6 real-governed refresh evidence through Hermes CTO control replay.

CTO Hermes Real Refresh Control Replay Issues

Local planning SOT only. Not a Core Protocol. Not active Core authority.

Issue Sequence

CTO-WORK-056 - Hermes Real Refresh Control Replay PRD

Type: AFK

Status: validated.

Blocked by: CTO-WORK-055

What to build: Define the planning route for exposing Stage 6 real-governed refresh evidence through the Hermes CTO Harness control summary and replay path.

Acceptance criteria:

• PRD states Hermes displays and replays evidence but does not govern.
• PRD requires Harness Evidence Interface artifacts as the source of truth.
• PRD requires Stage 6 real-governed refresh status in the summary.
• PRD requires refresh comparison artifact path in the summary.
• PRD requires real Stage 5 pass report and Stage 5 proof paths in the summary.
• PRD requires read-only target repository proof status in the summary.
• PRD separates candidate-default refresh eligibility from runtime default activation.
• PRD requires blocked Codex/Pi lane rationale from the refresh artifact.
• PRD forbids target mutation, default activation, Core promotion, vendor-source mutation, external developer repository mutation, unowned repository mutation, and secret exposure.
• Local CTO validator checks the PRD and issue artifact.

Allowed files: CTO child workspace planning docs and local validator only.

Validator: python3 tools/validate_cto_child.py

Done evidence: PRD, issue artifact, validator JSON, clean worktree, commit.

CTO-WORK-057 - Hermes Control Summary Real Refresh Replay Route

Type: AFK

Status: candidate.

Blocked by: CTO-WORK-056

What to build: In /home/svrnty/workspaces/hermes/cto/harness, extend the Harness-backed WebUI summary path so Hermes can consume and replay Stage 6 real-governed refresh evidence.

Acceptance criteria:

• Summary exposes case_stage6_real_governed_refresh status.
• Summary exposes stage6_real_governed_refresh_comparison_path.
• Summary exposes real Stage 5 pass report and Stage 5 proof replay paths.
• Summary exposes read-only target repository proof status.
• Summary exposes candidate-default refresh eligibility separately from runtime_default_activation.
• Summary exposes Codex/Pi blocked-lane rationale from the refresh artifact.
• Summary exposes next operator action after real-refresh validation.
• Summary does not expose secrets, endpoints, credential values, or raw Target Repository content.
• Summary does not mutate Target Repositories, vendor source, external developer repositories, unowned repositories, or Cortex Core.
• Focused summary validator passes before aggregate Harness validation.
• Aggregate Harness validation runs once after focused validation passes and once after merge.

Allowed files: Hermes CTO harness summary command, summary validator, summary contract/docs, and command index. WebUI Runtime code, Core, Case source, vendor source, Target Repositories, and external developer repositories are forbidden.

Validator: python3 harness/runner/validate-webui-summary.py --json, then ./harness/evals/health.sh --json.

Done evidence: Hermes sandcastle commit, focused summary validator output, summary JSON path, aggregate Harness health output, clean merge, and CTO evidence update.

Granularity Check

This is intentionally two slices: one child-local planning route and one Hermes Harness implementation route. It avoids overbuilding a WebUI panel while adding the exact replay surface needed after CTO-WORK-055.