131 lines
7.0 KiB
Markdown
131 lines
7.0 KiB
Markdown
---
|
|
title: CTO Case Provider Decision Packet PRD
|
|
status: draft
|
|
lifecycle_classification: sot
|
|
owner: jp
|
|
created: 2026-05-31
|
|
last_reviewed: 2026-05-31
|
|
core_promotion_status: not-promoted
|
|
route: cto
|
|
---
|
|
|
|
# CTO Case Provider Decision Packet PRD
|
|
|
|
Local planning SOT only. Not a Core Protocol. Not active Core authority.
|
|
|
|
## Problem Statement
|
|
|
|
`CTO-WORK-020` is blocked by a provider policy decision. The route has two valid branches: approve one exact external provider/model path, or require a Case-compatible local provider route. Without a compact decision packet, the next operator choice can become ambiguous and accidentally look like provider approval.
|
|
|
|
## Solution
|
|
|
|
Create a child-local decision packet that makes the `CTO-WORK-020` choice explicit, bounded, and auditable. The packet does not approve a provider/model and is not Stage 2 pass evidence. It only records the decision options, required evidence fields, consequences, and blocked next actions for JP or a governed Core route to resolve later.
|
|
|
|
## Scope
|
|
|
|
- Summarize the current `CTO-WORK-020` blocker.
|
|
- Present only two active decision branches: `external_provider_approved` and `local_provider_required`.
|
|
- Preserve `not_decided` as the current safe state.
|
|
- Require a structured decision record using only `not_decided`, `external_provider_approved`, or `local_provider_required`.
|
|
- Require exact provider/model, approval source, credential source class, allowed network class, review trigger, and evidence expectations before any admission.
|
|
- Reference existing evidence paths and commits; do not copy runtime evidence into the packet.
|
|
- Require no secret value in SOT, task file, argv, report, trace, backend logs, generated config, or commit.
|
|
- Keep `CTO-WORK-020` as the admission authority.
|
|
- Keep the `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` admission JSON gate as execution authority.
|
|
- Keep `CTO-WORK-022` blocked unless `decision_status=local_provider_required`.
|
|
- Keep real Case Stage 2 blocked unless a provider/model is admitted and a pass report exists through the Harness Evidence Interface.
|
|
- State that no Target Repository path may be inspected or copied.
|
|
|
|
## Non-Goals
|
|
|
|
- Do not approve Anthropic, Claude, local inference, or any other provider.
|
|
- Do not admit a provider/model.
|
|
- Do not implement a provider adapter.
|
|
- Do not run real Case Stage 2.
|
|
- Do not create a provider marketplace, registry, or scoring framework.
|
|
- Do not change Hermes runtime behavior.
|
|
- Do not mutate Cortex Core, Case source, vendor source, external developer repositories, or Target Repositories.
|
|
- Do not treat Case, Hermes, Pi, Codex, or any backend as Cortex authority.
|
|
|
|
## Decision Branches
|
|
|
|
### Branch A - External Provider Approved
|
|
|
|
Use only if JP or a governed Core route approves an external provider path.
|
|
|
|
Required decision fields:
|
|
|
|
- `decision_status`: `external_provider_approved`.
|
|
- `provider_class`: `external_anthropic`.
|
|
- `provider`: exact provider string.
|
|
- `model`: exact model string.
|
|
- `approval_source`: JP approval reference or governed Core route reference.
|
|
- `credential_source_class`: credential class only; no secret value.
|
|
- `allowed_network_class`: approved outbound network class.
|
|
- `review_trigger`: expiry, date, or condition that forces review.
|
|
- `evidence_sources`: existing admission/build evidence references.
|
|
- `effect`: `CTO-WORK-020 remains blocked until admitted provider/model and real Stage 2 pass report exist`.
|
|
|
|
Consequences:
|
|
|
|
- `CTO-WORK-022` stays blocked.
|
|
- Hermes may attempt real Case Stage 2 only after admission JSON exists and matches `CTO_HARNESS_CASE_MODEL_PROVIDER` and `CTO_HARNESS_CASE_MODEL`.
|
|
- Any fallback to `anthropic` or `claude-sonnet-4-6` without matching admission blocks before `case_process_started`.
|
|
|
|
### Branch B - Local Provider Required
|
|
|
|
Use only if external provider use is not approved.
|
|
|
|
Required decision fields:
|
|
|
|
- `decision_status`: `local_provider_required`.
|
|
- `provider_class`: `local_case_compatible`.
|
|
- `provider`: empty until a local provider is supplied and admitted.
|
|
- `model`: empty until a local model is supplied and admitted.
|
|
- `approval_source`: JP approval reference or governed Core route reference.
|
|
- `credential_source_class`: local credential or no-secret class only.
|
|
- `allowed_network_class`: local-only or explicitly bounded network class.
|
|
- `review_trigger`: expiry, date, or condition that forces review.
|
|
- `evidence_sources`: references to existing admission/local-provider-route evidence.
|
|
- `effect`: `CTO-WORK-020 remains blocked until local provider/model admission and real Stage 2 pass report exist`.
|
|
|
|
Consequences:
|
|
|
|
- `CTO-WORK-022` becomes the next implementation candidate.
|
|
- No external fallback to `anthropic` or `claude-sonnet-4-6` is allowed.
|
|
- Missing local adapter config blocks before `case_process_started`.
|
|
- Admission JSON mismatch blocks before `case_process_started`.
|
|
|
|
## Acceptance Criteria
|
|
|
|
- Packet states `not_decided` is current safe state.
|
|
- Packet lists only `external_provider_approved` and `local_provider_required` as active branches.
|
|
- Packet says it does not approve or admit any provider/model.
|
|
- Packet says it is not Stage 2 pass evidence.
|
|
- Packet requires a structured decision record using only `not_decided`, `external_provider_approved`, or `local_provider_required`.
|
|
- Packet references existing evidence paths and commits instead of copying runtime evidence.
|
|
- Packet keeps `CTO-WORK-020` as the provider/model admission authority.
|
|
- Packet keeps `CTO_HARNESS_CASE_MODEL_ADMISSION_FILE` as the execution admission gate.
|
|
- Packet requires exact provider/model, approval source, credential source class, allowed network class, review trigger, and evidence expectations before admission.
|
|
- Packet requires no secrets in SOT, task file, argv, report, trace, backend logs, generated config, or commits.
|
|
- Packet states `CTO-WORK-022` stays blocked unless `decision_status=local_provider_required`.
|
|
- Packet states real Case Stage 2 remains blocked until admitted provider/model and Harness Evidence Interface pass report exist.
|
|
- Packet states no Target Repository path may be inspected or copied.
|
|
|
|
## Validation
|
|
|
|
- `python3 tools/validate_cto_child.py` validates this child-local route.
|
|
- Future branch execution must use existing Hermes focused validators for provider admission and local-provider adapter gates.
|
|
- Future real Case validation must use the Harness Evidence Interface, same-run fake baseline comparison, and copied artificial fixture Stage 2 only.
|
|
|
|
## Risks And Dependencies
|
|
|
|
- JP approval or governed Core approval remains required for external provider use.
|
|
- Local provider use may require a separate Case-compatible endpoint or adapter implementation.
|
|
- A decision packet can reduce ambiguity but cannot supply credentials, provider availability, or model quality.
|
|
- The WorkOS Case default provider behavior may change; actual run evidence remains authoritative.
|
|
|
|
## Success Definition
|
|
|
|
The `CTO-WORK-020` human-only blocker is represented as one precise decision packet: no provider/model is approved, no execution is authorized, and the next valid implementation path is unambiguous once JP chooses external provider approval or local provider requirement.
|