cto/sot/03-PROTOCOLS/CTO-CASE-ADAPTER-CONTRACT.md

---
name: cto-case-adapter-contract
tier: local
status: draft
owner: jp
source: sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md
created: 2026-05-31
last_reviewed: 2026-05-31
lifecycle_classification: planning
core_promotion_status: not-promoted
description: Child-local contract for the future gated Case adapter and CTO Eligibility Decision.
---

# CTO Case Adapter Contract

Local planning SOT only. Not a Core Protocol. Not active Core authority.

## Purpose

Define the future Case adapter seam and CTO Eligibility Decision before any executable Case integration exists.

This contract keeps Case behind the CTO Harness seam. Case may become a backend adapter only after source admission, evidence interface conformance, explicit gating, and staged proof.

## Non-Authority Notice

This contract does not authorize Runtime behavior, WebUI Product behavior, Case execution, real-repo mutation, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion.

## Adapter Boundary

The Case adapter must live behind the existing CTO Harness engine seam.

Required boundary rules:

- register backend id `case` as a gated engine before execution;
- require the harness to accept `--engine case` only when explicitly enabled;
- prevent a parallel runner path outside the existing harness seam;
- keep Case lifecycle details behind the adapter unless a later contract promotes normalized events;
- emit the CTO Harness Evidence Interface, not raw Case success claims;
- default-deny all execution until explicit gates pass.

## Gating Rule

`case` must be disabled by default.

Minimum future gates:

- source admission is validated;
- license note is resolved;
- evidence interface contract is validated;
- adapter contract is validated;
- mutation mode is explicitly selected;
- operator approval is recorded when mutation mode requires approval;
- allowed paths and forbidden actions are provided by the task contract.

No missing gate may degrade to a warning. Missing gate means blocked.

## Adapter Input Contract

The future adapter input must be derived from existing PRD, SOT Issue, task contract, and case contract language until Candidate Cortex Work Packet is promoted.

Minimum input fields:

| Field | Meaning |
| --- | --- |
| `task_id` | Stable task or issue identifier. |
| `target_repository` | Target Repository path or URL. |
| `authority_basis` | Local planning, Core route, or task contract reference. |
| `risk_class` | Risk class used for eligibility. |
| `allowed_paths` | Paths the backend may change. |
| `forbidden_actions` | Actions the backend must not perform. |
| `mutation_mode` | `none`, `copied-fixture`, `sandbox-repo`, `owned-noncritical-repo`, or `candidate-default`. |
| `approval_required` | Whether human approval is required before mutation. |
| `verification_commands` | Commands expected to prove the change. |
| `evidence_expectations` | Required artifacts and validation results. |

## Adapter Output Contract

The future adapter output must be the CTO Harness Evidence Interface.

Minimum output:

- `report.json`;
- `report.md`;
- `events.normalized.jsonl`;
- `patch.diff`;
- `test.log`;
- `trace.jsonl`;
- backend raw logs under `backend/`;
- pass, fail, or blocked status;
- blocker reasons for any fail-closed result.

Raw Case lifecycle output is allowed only as backend raw logs unless normalized by this or a later contract.

## CTO Eligibility Decision

Before selecting Case or any backend, CTO must emit an Eligibility Decision.

Required fields:

| Field | Meaning |
| --- | --- |
| `decision_id` | Stable decision identifier. |
| `task_id` | Task or issue identifier. |
| `selected_backend` | Backend selected, or `none`. |
| `denied_backends` | Backends denied with reasons. |
| `risk_class` | Risk classification used for the decision. |
| `required_gates` | Gates that must pass before execution. |
| `passed_gates` | Gates already proven. |
| `missing_gates` | Gates that block execution. |
| `allowed_mutation_mode` | Maximum mutation mode allowed. |
| `approval_required` | Whether human approval is required. |
| `reasons` | Human-readable decision reasons. |
| `escalation_path` | JP, Core route, Hermes/operator, or blocked. |

Case must not create or override the Eligibility Decision. Case may recommend, but CTO decides eligibility and the harness records evidence.

## Backend Selection Rules

Case is ineligible when:

- source admission is not validated;
- license note is unresolved for the requested execution mode;
- Harness Evidence Interface cannot be produced;
- allowed paths are missing;
- forbidden actions are missing;
- approval is required but not granted;
- mutation mode exceeds the current staged proof gate;
- target repository ownership is unclear;
- starting worktree state is dirty when clean start is required.

Case may be eligible only when every required gate is proven and the allowed mutation mode is no broader than the current staged proof gate.

## Approval Rule

Case may recommend. Case must not approve itself or select its own authority.

Approval must be represented by normalized events:

- `approval.requested`;
- `approval.granted`;
- `approval.denied`.

No merge, push, deploy, close, or real-repo mutation is allowed without explicit task-contract permission.

## Implementation Guard

This contract deliberately does not create `case-engine.sh`.

The first future implementation slice may create a no-op gated adapter only after the staged proof gate record exists. The no-op adapter must prove default-deny behavior before it can attempt artificial fixture execution.

## Validation Expectations

Current validation is planning-only and checks this contract exists.

Later adapter validation must verify engine registration, explicit gate behavior, input shape, Eligibility Decision shape, output evidence shape, approval events, and fail-closed ineligibility.