cto/.sot/03-PROTOCOLS/CTO-CASE-STAGE5-TARGET-REPOSITORY-ADMISSION-TEMPLATE.md

name: cto-case-stage5-target-repository-admission-template
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-PRD.md
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local Stage 5 Target Repository admission template. This template does not admit any repository.

CTO Case Stage 5 Target Repository Admission Template

Local planning SOT only. Not a Core Protocol. Not active Core authority.

Status

This artifact is a template only. No Target Repository is admitted by this file. Stage 5 execution remains blocked until JP records a concrete admission record using this template and the Harness validates it.

Purpose

Stage 5 needs a precise human decision before Case may touch an owned repository. This template converts that decision into validator-readable fields without storing secrets, credentials, or broad repository authority.

Required Admission Fields

  • admission_status: admitted or not_admitted.
  • target_repository_path: absolute local path, recorded only in the concrete admission record.
  • repository_owner: human or organization owner.
  • ownership_evidence: compact reference proving JP controls or is authorized to mutate the repository.
  • risk_classification: must be low_risk_noncritical.
  • noncritical_rationale: why this repository is safe for Stage 5.
  • allowed_paths: explicit file or directory paths Case may mutate.
  • forbidden_paths: explicit paths Case must not mutate.
  • forbidden_actions: must include push, merge, deploy, close, PR open, issue close, public publication, credential change, vendor-source mutation, and Cortex Core mutation.
  • approval_source: JP approval reference.
  • approval_timestamp: timestamp or date of approval.
  • operator_outcome_required: must be true.
  • review_trigger: condition that invalidates the admission.

Required Negative Gates

  • Missing admission record blocks before case_process_started.
  • admission_status != admitted blocks before case_process_started.
  • Missing ownership evidence blocks before case_process_started.
  • risk_classification != low_risk_noncritical blocks before case_process_started.
  • Empty allowed_paths blocks before case_process_started.
  • Missing forbidden action blocks before case_process_started.
  • Missing approval source blocks before case_process_started.
  • Missing operator outcome requirement blocks before case_process_started.

Concrete Record Skeleton

{
  "admission_status": "not_admitted",
  "target_repository_path": "",
  "repository_owner": "",
  "ownership_evidence": "",
  "risk_classification": "",
  "noncritical_rationale": "",
  "allowed_paths": [],
  "forbidden_paths": [],
  "forbidden_actions": [
    "push",
    "merge",
    "deploy",
    "close",
    "pr_open",
    "issue_close",
    "public_publication",
    "credential_change",
    "vendor_source_mutation",
    "cortex_core_mutation"
  ],
  "approval_source": "",
  "approval_timestamp": "",
  "operator_outcome_required": true,
  "review_trigger": ""
}
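
One way to evaluate the Required Negative Gates against a concrete record, fail closed, is sketched below. This is an added example, not the CTO validator or the Hermes implementation: the function names, the blocker strings, and the SAMPLE values are assumptions made for illustration, and treating an unparseable record as a missing one is also an assumption.

```python
import json

# forbidden_actions entries the record skeleton lists as mandatory.
REQUIRED_FORBIDDEN = frozenset({
    "push", "merge", "deploy", "close", "pr_open", "issue_close",
    "public_publication", "credential_change",
    "vendor_source_mutation", "cortex_core_mutation"})

def _blank(value):
    return not isinstance(value, str) or not value.strip()

def admission_blockers(raw_record):
    """Return every negative gate that fires; an empty list means none did."""
    try:
        rec = json.loads(raw_record)
    except (TypeError, ValueError):
        rec = None
    if not isinstance(rec, dict):
        # Assumption: an absent or unparseable record counts as missing.
        return ["missing admission record"]
    blockers = []
    if rec.get("admission_status") != "admitted":
        blockers.append("admission_status != admitted")
    if _blank(rec.get("ownership_evidence")):
        blockers.append("missing ownership evidence")
    if rec.get("risk_classification") != "low_risk_noncritical":
        blockers.append("risk_classification != low_risk_noncritical")
    allowed = rec.get("allowed_paths")
    if not isinstance(allowed, list) or not allowed:
        blockers.append("empty allowed_paths")
    actions = rec.get("forbidden_actions")
    listed = {a for a in actions if isinstance(a, str)} if isinstance(actions, list) else set()
    for action in sorted(REQUIRED_FORBIDDEN - listed):
        blockers.append("missing forbidden action: " + action)
    if _blank(rec.get("approval_source")):
        blockers.append("missing approval source")
    if rec.get("operator_outcome_required") is not True:
        blockers.append("missing operator outcome requirement")
    return blockers

def may_start_case_process(raw_record):
    # Fail closed: any fired gate blocks before case_process_started.
    return not admission_blockers(raw_record)

# Constructed sample record (placeholder values, not a real admission).
SAMPLE = json.dumps({
    "admission_status": "admitted", "ownership_evidence": "constructed-ref",
    "risk_classification": "low_risk_noncritical", "allowed_paths": ["docs/"],
    "forbidden_actions": sorted(REQUIRED_FORBIDDEN),
    "approval_source": "constructed-approval-ref",
    "operator_outcome_required": True})
```

Run against the skeleton exactly as written above, the check reports five blockers, so the unfilled template can never pass as an admission.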

Non-Admission Rules

  • This template does not admit a Target Repository.
  • This template does not authorize Case execution.
  • This template does not authorize owned repository mutation.
  • This template does not authorize default backend candidacy.
  • This template does not authorize push, merge, deploy, close, PR open, issue close, or public publication.

Validator Expectation

The local CTO validator must require this template before Stage 5 execution planning can proceed. Hermes Stage 5 implementation must later validate a concrete admission record separately.