---
name: CTO Governed Execution Approval PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-01
last_reviewed: 2026-06-01
core_promotion_status: not-promoted
---

# CTO Governed Execution Approval PRD

Local planning SOT only. Not a Core Protocol. Not active Core authority.

## Problem Statement

The governed execution request records the exact target, paths, and command, but it intentionally keeps approval closed. The CTO stack needs a governed execution approval record before the next Harness run can mutate an owned Target Repository.

## Solution

Create a single-task approval capture for the exact approval packet already issued by JP. This governed execution approval permits one approved Harness run only and does not make Case a default backend.

## Scope

- Record the exact approval packet.
- Record `approval_granted: true`.
- Record `execution_allowed: true`.
- Record `execution_scope: one approved Harness run only`.
- Preserve the admitted target repository.
- Preserve the allowed paths.
- Preserve the Harness command.
- Preserve that this record is not execution evidence.

## Non-goals

- Do not execute Case in this approval-capture slice.
- Do not activate Case as default backend.
- Do not mutate any path outside the allowed paths.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
- Do not promote this local record into Core authority.

## Acceptance Criteria

- `WORKBOARD.yaml` records `CTO-WORK-068` and `CTO-WORK-069` as validated.
- The governed execution approval includes the exact approval packet.
- The governed execution approval includes `approval_granted: true`.
- The governed execution approval includes `execution_allowed: true`.
- Runtime default activation remains false.
- The next execution is constrained to one approved Harness run only.

## Validation

- `python3 tools/validate_cto_child.py`
- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`

## Risks

The main risk is approval scope creep. The record prevents that by making the approval single-task, path-bound, and Harness-bound. This record is not execution evidence.

## Success Definition

CTO has a durable approval capture that can unlock the next real Harness execution slice without changing Core authority, runtime default state, or upstream vendor source.

## Required Approval Packet

```text
I approve CTO-WORK-049 against /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox for the src/strings.py slugify alignment task.
```

- governed execution approval
- single-task approval capture
- exact approval packet
- approval_granted: true
- execution_allowed: true
- execution_scope: one approved Harness run only
- admitted target repository
- allowed paths
- Harness command
- Runtime default activation remains false.
- Do not activate Case as default backend.
- Do not mutate any path outside the allowed paths.
- Do not edit upstream `hermes-agent`.
- Do not edit upstream `hermes-webui`.
- This record is not execution evidence.