cto/.sot/03-PROTOCOLS/CTO-HERMES-REAL-REFRESH-CONTROL-REPLAY-PRD.md
2026-06-01 07:23:03 -04:00

name: cto-hermes-real-refresh-control-replay-prd
tier: local
status: draft
owner: jp
source: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-REAL-GOVERNED-REFRESH-EVIDENCE.md
created: 2026-06-01
last_reviewed: 2026-06-01
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local PRD for exposing Stage 6 real-governed refresh evidence through the Hermes CTO control summary and replay path.

CTO Hermes Real Refresh Control Replay PRD

Local planning SOT only. Not a Core Protocol. Not active Core authority.

Problem Statement

Hermes already has a Harness-backed control summary, but that summary was validated before the Stage 6 real-governed refresh route existed. JP can now prove Case candidate-default readiness against the first real governed Stage 5 pass, but the Hermes-facing control surface does not yet expose that real-refresh status, artifact path, read-only target proof, or next operator action.

Solution

Add a bounded real-refresh control replay slice. The CTO Harness summary must consume the Stage 6 real-governed refresh comparison artifact and expose it as replayable Hermes control state. Hermes may display and replay evidence; it must not govern, mutate targets, activate Case by default, or reinterpret raw backend logs as authority.

Scope

  • Extend the Hermes-facing CTO Harness summary contract with Stage 6 real-governed refresh fields.
  • Expose the refresh comparison artifact path.
  • Expose real Stage 5 pass report and Stage 5 proof paths as replay inputs.
  • Expose read-only target repository proof status.
  • Expose candidate-default refresh eligibility separately from runtime default activation.
  • Expose blocked Codex/Pi lane rationale from the refresh artifact.
  • Expose next operator action after real-refresh validation.
  • Keep the source of truth as Harness Evidence Interface artifacts.

Non-Goals

  • Do not build a full Hermes WebUI panel in this slice.
  • Do not add approval mutation actions.
  • Do not activate Case as default backend.
  • Do not rerun or mutate the real Target Repository.
  • Do not promote child-local CTO artifacts into Core.
  • Do not mutate vendor source, external developer repositories, Cortex Core, or unowned repositories.
  • Do not expose secrets, endpoints, credentials, or raw Target Repository content.

User Stories

  1. As JP, I want the Hermes control summary to show Stage 6 real-refresh status, so that I can inspect candidate-default readiness without opening raw artifacts first.
  2. As Hermes, I want replay paths for the refresh artifact, Stage 5 pass report, and Stage 5 proof, so that a future panel can link evidence without recomputing it.
  3. As CTO, I want read-only target proof visible, so that real-repo safety is part of the operator surface.
  4. As Harness, I want the summary generated from validated artifacts, so that control state remains proof-backed.
  5. As Cortex, I want runtime default activation to remain explicit and false, so that candidate-default evidence cannot become authority by presentation.

Acceptance Criteria

  • PRD states Hermes displays and replays evidence but does not govern.
  • PRD requires Harness Evidence Interface artifacts as the source of truth.
  • PRD requires Stage 6 real-governed refresh status in the summary.
  • PRD requires refresh comparison artifact path in the summary.
  • PRD requires real Stage 5 pass report and Stage 5 proof paths in the summary.
  • PRD requires read-only target repository proof status in the summary.
  • PRD separates candidate-default refresh eligibility from runtime default activation.
  • PRD requires blocked Codex/Pi lane rationale from the refresh artifact.
  • PRD forbids target mutation, default activation, Core promotion, vendor-source mutation, external developer repository mutation, unowned repository mutation, and secret exposure.
  • Local CTO validator checks the PRD and issue artifact.

Validation

Planning validator: python3 tools/validate_cto_child.py.

Implementation validator planned for Hermes: python3 harness/runner/validate-webui-summary.py --json, then ./harness/evals/health.sh --json after focused validation passes.

Risks

  • A UI consumer may mistake candidate-default refresh eligibility for runtime default activation.
  • A summary may become stale if it does not consume the latest refresh artifact.
  • A replay path may expose too much target context if raw repository content is included instead of artifact paths.
  • Building WebUI runtime behavior now would overreach the stable summary contract.
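
The first three risks can be checked mechanically by any consumer of the summary. The sketch below is an added example, not Harness or Hermes code: every field name, the artifact root and the 24-hour freshness window are hypothetical, because this PRD does not define the summary schema.

```python
# Added example. Every field name, the artifact root and the freshness window
# are hypothetical; the PRD does not define the summary schema.
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

ROOT = "harness/evidence"            # assumed artifact directory
MAX_AGE = timedelta(hours=24)        # assumed freshness window
PATHS = ("refresh_artifact_path", "stage5_pass_report_path", "stage5_proof_path")
REQUIRED = PATHS + ("status", "read_only_target_proof", "candidate_default_eligible",
                    "runtime_default_active", "blocked_lane_rationale",
                    "next_operator_action", "artifact_generated_at")

def check_summary(block, now):
    """Return violations; an empty list means the block is safe to display."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in block]
    if problems:
        return problems
    # Eligibility is evidence, activation is authority: activation stays false.
    if block["runtime_default_active"] is not False:
        problems.append("runtime_default_active must be explicitly false")
    if block["candidate_default_eligible"] and block["read_only_target_proof"] != "pass":
        problems.append("eligibility claimed without read-only target proof")
    # Replay inputs are artifact paths, never raw target content or traversal.
    for key in PATHS:
        value = block[key]
        ok = (isinstance(value, str) and "\n" not in value
              and ".." not in PurePosixPath(value).parts
              and value.startswith(ROOT + "/"))
        if not ok:
            problems.append(f"{key} is not a path under {ROOT}/")
    # A summary built from an old refresh artifact is stale.
    if now - datetime.fromisoformat(block["artifact_generated_at"]) > MAX_AGE:
        problems.append("refresh artifact is stale")
    return problems

# Constructed sample block, not taken from a real Harness run.
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
GOOD = {
    "status": "pass", "read_only_target_proof": "pass",
    "candidate_default_eligible": True, "runtime_default_active": False,
    "refresh_artifact_path": ROOT + "/stage6-refresh-comparison.json",
    "stage5_pass_report_path": ROOT + "/stage5-pass-report.json",
    "stage5_proof_path": ROOT + "/stage5-proof.json",
    "blocked_lane_rationale": "constructed rationale text",
    "next_operator_action": "constructed next action",
    "artifact_generated_at": "2026-06-01T11:00:00+00:00",
}

if __name__ == "__main__":
    print(check_summary(GOOD, NOW))
```

The activation check uses `is not False` so that a missing, null or truthy value fails closed rather than being read as "not active".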

Dependencies

  • CTO-WORK-055 Stage 6 real-governed refresh evidence is validated.
  • Hermes CTO Harness has validate-case-stage6-real-refresh.py.
  • Hermes CTO Harness aggregate health includes case_stage6_real_governed_refresh.
  • Existing Hermes control summary route remains Harness-backed.

Challenge Notes

Accepted feedback: This route is useful because the existing Hermes summary predates real-refresh evidence and therefore cannot yet be the operator replay surface for the strongest Case proof.

Accepted feedback: The slice must update the summary contract before any WebUI panel work, because the stable machine-readable surface is the real dependency.

Rejected feedback: Building a visual WebUI panel now is premature; proof-backed summary fields are the minimum useful control layer.

Rejected feedback: Activating Case as default is out of scope because runtime default remains earned by a later governed route.

Success Definition

This slice succeeds when CTO has a validated child-local PRD and issue route for exposing Stage 6 real-governed refresh evidence through the Hermes CTO Harness control summary and replay path, while preserving Cortex authority, Harness proof, and target protection, and keeping runtime default activation false.