hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d2f574802f
cto/.sot/03-PROTOCOLS/CTO-CASE-STAGED-PROOF-GATES.md

13 KiB
Raw Blame History

name tier status owner source created last_reviewed lifecycle_classification core_promotion_status description
cto-case-staged-proof-gates local draft jp .sot/03-PROTOCOLS/CTO-CASE-CANDIDATE-BACKEND-PRD.md 2026-05-31 2026-05-31 planning not-promoted Child-local staged proof gate records for Case candidate backend progression.

CTO Case Staged Proof Gates

Local planning SOT only. Not a Core Protocol. Not active Core authority.

Purpose

Define the staged proof gates Case must pass before it can be discussed as a candidate default backend.

Default status is earned, not assumed. No stage grants Core authority, WebUI Runtime behavior, real-repo mutation outside its stated scope, merge, deploy, push, close, vendor-source mutation, external developer repository mutation, or Core promotion.

Gate Rules

  • Stages must be completed in order.
  • Each stage must preserve the CTO Harness Evidence Interface.
  • Each stage must respect the Case Source Admission Record.
  • Each stage must use the CTO Case Adapter Contract and Eligibility Decision.
  • Each stage must account for the CTO Case Failure Fixture Matrix.
  • Missing evidence means blocked, not partially accepted.
  • Later stages must not reinterpret earlier stage success as broader mutation permission.

Stage Summary

Stage Name Allowed mutation scope Promotion condition
1 Gated Case engine none Harness accepts --engine case only when explicitly enabled and default-deny proof passes.
2 Artificial fixture copied artificial case only Case adapter matches existing fake fixture behavior through the Harness Evidence Interface.
3 Copied repo fixture copied local repository fixture only No source repository mutation; clean start/end and failure fixtures pass.
4 Disposable sandbox repo disposable repository only Approval, branch, fail-closed, and artifact behavior pass in a throwaway repository.
5 Owned noncritical repo explicitly owned low-risk repository only Operator accepts bounded proof with source admission, approval, and allowed paths.
6 Candidate default scoped real-repo use only Case matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure.

Stage 1 - Gated Case Engine

Entry gates:

  • Harness Evidence Interface Contract is validated.
  • Case Adapter Contract is validated.
  • Case Source Admission Record exists.
  • Case Failure Fixture Matrix exists.

Allowed mutation scope: none.

Required artifacts:

  • report.json;
  • events.normalized.jsonl;
  • trace.jsonl;
  • no-op patch.diff;
  • no-op test.log;
  • backend raw logs showing default-deny preflight.

Validator expectation:

  • case is registered as a gated engine;
  • --engine case is rejected unless explicitly enabled;
  • no source files are changed;
  • missing gate produces blocked status.

Required failure classes:

  • provider unavailable;
  • missing required event;
  • artifact write failure.

Promotion condition:

  • Harness accepts --engine case only when explicitly enabled and default-deny proof passes.

Stage 2 - Artificial Fixture

Status: validated for Case/Qwen Stage 2 artificial fixture on 2026-06-01.

Entry gates:

  • Stage 1 is validated.
  • Artificial fixture task contract exists.
  • Allowed paths and verification command are explicit.

Allowed mutation scope: copied artificial case only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • changed files list;
  • allowed-write proof;
  • verification log;
  • digest and freshness proof.

Validator expectation:

  • artificial fixture can pass through the Case adapter;
  • fake lane remains default validation lane;
  • Case output matches report shape, event validity, allowed-path compliance, failure closure, and artifact completeness expected from fake fixtures.

Required failure classes:

  • no diff;
  • disallowed file;
  • failed tests;
  • missing test command;
  • missing required event.

Promotion condition:

  • Case adapter matches existing fake fixture behavior through the Harness Evidence Interface.

Validation evidence:

  • Hermes commit: fc54680 Complete Case lifecycle after committed proof.
  • Real Case Qwen Stage 2 pass artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T025817Z-r1-string-slugify-2907822.
  • Report status: pass.
  • Changed files: strings.py.
  • Tests passed: true.
  • Required events passed: true.
  • No Target Repository path was inspected or copied.
  • This validates Stage 2 only. Stage 3 copied-repo fixture remains the next proof gate.

Stage 3 - Copied Repo Fixture

Status: validated for copied-repo fixture proof on 2026-06-01.

Entry gates:

  • Stage 2 is validated.
  • Copied repository fixture is created from an owned local source.
  • Source repository remains read-only during fixture creation.

Allowed mutation scope: copied local repository fixture only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • clean starting tree proof for copied fixture;
  • clean ending tree proof;
  • source repository non-mutation proof;
  • failure fixture results.

Planning evidence:

  • Stage 3 PRD: .sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-PRD.md.
  • Stage 3 issues: .sot/03-PROTOCOLS/CTO-CASE-STAGE3-COPIED-REPO-ISSUES.md.

Validation evidence:

  • Hermes commit: 4edf5f1 Add Case Stage 3 copied repo harness proof.
  • Stage 3 pass artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T031903Z-r1-string-slugify-3018046.
  • Real Case Qwen Stage 3 pass artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T032245Z-r1-string-slugify-3035256.
  • Stage 3 pass report status: pass.
  • Source repository mutated: false.
  • Copied fixture starts clean: true.
  • Copied fixture ends clean: true.
  • Required events passed: true.
  • Aggregate harness health status: pass.
  • This validates Stage 3 only. Stage 4 disposable sandbox repo remains the next proof gate.

Validator expectation:

  • all changes occur inside copied fixture;
  • no hidden mutation occurs in source repository;
  • dirty-starting-tree and dirty-ending-tree failures are detected.

Required failure classes:

  • dirty starting tree;
  • dirty ending tree;
  • timeout;
  • artifact write failure.

Promotion condition:

  • copied repo fixture proves no source repo mutation and clean start/end behavior.

Stage 4 - Disposable Sandbox Repo

Status: validated for disposable sandbox repository proof on 2026-06-01.

Entry gates:

  • Stage 3 is validated.
  • Disposable repository ownership and disposal policy are explicit.
  • Approval events are enabled for mutation mode.

Allowed mutation scope: disposable repository only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • approval event proof;
  • branch policy proof;
  • sandbox disposal or retention note;
  • failure matrix coverage for sandbox mode.

Planning evidence:

  • Stage 4 PRD: .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-PRD.md.
  • Stage 4 issues: .sot/03-PROTOCOLS/CTO-CASE-STAGE4-DISPOSABLE-SANDBOX-ISSUES.md.

Validation evidence:

  • Hermes commit: 033fec8 Add Case Stage 4 disposable sandbox proof.
  • Focused Stage 4 validator: python3 harness/runner/validate-case-stage4.py --harness-root harness --json.
  • Focused Stage 4 validator status: ok: true.
  • Stage 4 pass artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T033647Z-r1-string-slugify-3113348.
  • Stage 4 proof artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T033647Z-r1-string-slugify-3113348/stage4-disposable-sandbox-proof.json.
  • Approval denied failure fixture blocked before Case execution.
  • Missing Stage 4 gate failure fixture blocked before Case execution.
  • Aggregate harness health status: pass.
  • This validates Stage 4 only. Stage 5 owned noncritical repository remains the next proof gate.

Validator expectation:

  • mutation occurs only in disposable repository;
  • approval denied fails closed;
  • branch policy is recorded;
  • no merge, push, deploy, or close occurs unless explicitly allowed by the task contract.

Required failure classes:

  • approval denied;
  • reviewer reject;
  • timeout;
  • provider unavailable.

Promotion condition:

  • disposable sandbox repo proves approval, branch, fail-closed, and artifact behavior.

Stage 5 - Owned Noncritical Repo

Status: validated for owned noncritical repository proof on 2026-06-01.

Entry gates:

  • Stage 4 is validated.
  • Target Repository ownership is explicit.
  • Repository is low risk and noncritical.
  • Human approval is recorded before mutation.
  • Source license note is resolved for the requested execution mode.

Allowed mutation scope: explicitly owned low-risk repository only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • Target Repository ownership proof;
  • approval event proof;
  • allowed paths and forbidden actions;
  • post-run operator acceptance or rejection.

Planning evidence:

  • Stage 5 PRD: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-PRD.md.
  • Stage 5 issues: .sot/03-PROTOCOLS/CTO-CASE-STAGE5-OWNED-NONCRITICAL-REPO-ISSUES.md.
  • Stage 5 admission preflight evidence: Hermes commit 6e68a1a Add Case Stage 5 target admission preflight; focused validator ok: true; aggregate harness health pass. This validates admission preflight only, not owned repository execution.

Validation evidence:

  • Hermes commit: 084ac70 Add Case Stage 5 owned repo proof.
  • Focused Stage 5 validator on Hermes main: python3 harness/runner/validate-case-stage5.py --harness-root harness --json.
  • Focused Stage 5 validator status: ok: true.
  • Focused validator pass report: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100039Z-r1-string-slugify-37603/report.json.
  • Actual admitted Target Repository proof report: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/report.json.
  • Actual admitted Target Repository proof artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T100335Z-r1-string-slugify-43237/stage5-owned-repo-proof.json.
  • Target repo: /home/svrnty/workspaces/cortex-os/cto-stage5-target-sandbox.
  • Target repo proof commit: 155b442 stage5 case result.
  • Changed files: strings.py.
  • Allowed paths passed: true.
  • Forbidden paths passed: true.
  • Required events passed: true.
  • Tests passed: true.
  • Operator outcome: accepted.
  • Target repository started clean and ended clean.
  • This validates Stage 5 only. Stage 6 candidate default remains blocked until comparison evidence exists.

Validator expectation:

  • mutation stays inside allowed paths;
  • no direct push, merge, deploy, or close occurs unless task contract explicitly allows it;
  • operator approval and outcome are replayable.

Required failure classes:

  • disallowed file;
  • failed tests;
  • approval denied;
  • dirty ending tree.

Promotion condition:

  • operator accepts bounded proof with source admission, approval, and allowed paths.

Stage 6 - Candidate Default

Status: validated for candidate-default comparison proof on 2026-06-01. Candidate-default activation remains false; this is evidence for candidacy discussion, not runtime default authority.

Entry gates:

  • Stage 5 is validated.
  • Comparison fixtures exist for fake, Codex, and Pi where applicable.
  • Case source admission is current.
  • Failure matrix coverage is complete or explicitly blocked with rationale.

Allowed mutation scope: scoped real-repo use only.

Required artifacts:

  • full Harness Evidence Interface artifact set;
  • comparative evidence against fake, Codex, and Pi where applicable;
  • failure closure evidence;
  • source admission freshness;
  • operator acceptance.

Validator expectation:

  • Case matches or beats existing lanes on report shape;
  • Case matches or beats existing lanes on event validity;
  • Case matches or beats existing lanes on allowed-path compliance;
  • Case matches or beats existing lanes on failure closure;
  • Case matches or beats existing lanes on artifact completeness.

Required failure classes:

  • all failure matrix rows, unless a row is explicitly blocked by a governed stage record.

Promotion condition:

  • Case may be discussed as candidate default only after comparison evidence shows it matches or beats fake, Codex, and Pi where applicable on evidence completeness and failure closure.

Planning evidence:

  • Stage 6 PRD: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-PRD.md.
  • Stage 6 issues: .sot/03-PROTOCOLS/CTO-CASE-STAGE6-CANDIDATE-DEFAULT-ISSUES.md.

Validation evidence:

  • Hermes commit: ff0a008 Add Case Stage 6 candidate default comparison.
  • Focused Stage 6 validator on Hermes main: python3 harness/runner/validate-case-stage6.py --harness-root harness --json.
  • Focused Stage 6 validator status: ok: true.
  • Focused Stage 6 comparison report: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T101308Z-stage6-candidate-default-70246/stage6-candidate-default-comparison.json.
  • Post-merge aggregate Harness health: harness/evals/health.sh --json, status pass.
  • Post-merge Stage 6 comparison report: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T101357Z-stage6-candidate-default-76795/stage6-candidate-default-comparison.json.
  • Post-merge aggregate matrix artifact: /home/svrnty/.hermes/profiles/cto-planb/harness-runs/20260601T101338Z-run-all-fake-74797/report.json.
  • Candidate-default activation remains false.

Final Guard

These staged proof gates do not implement Case and do not authorize execution. They define the minimum route for later implementation.

Any future implementation must start with Stage 1 and must not skip to real-repo execution.