hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d69b6b9ad8
cto/.sot/03-PROTOCOLS/CTO-CORE-ROUTE-ADMISSION-GUARD-PRD.md
Svrnty d69b6b9ad8 Add CTO Core route admission guard
2026-06-02 07:11:41 -04:00

129 lines
6.8 KiB
Markdown
Raw Blame History

---
name: CTO Core Route Admission Guard PRD
status: validated
lifecycle_classification: sot
owner: jp
created: 2026-06-02
last_reviewed: 2026-06-02
core_promotion_status: not-promoted
source: .sot/03-PROTOCOLS/CTO-CORE-PROMOTION-DECISION-PACKET-CLOSEOUT.md
---
# CTO Core Route Admission Guard PRD
Local planning SOT only. Not a Core Protocol. Not active Core authority.
Core Route Admission Guard.
## Problem Statement
CTO has a validated Core Promotion Decision Packet that says Case candidate-default evidence is ready for Core review. Core currently also has independent active work. Without a child-local admission guard, CTO can accidentally treat a ready packet as permission to open or mutate a Core route while another Core route is active.
## Solution
Add a child-local Core Route Admission Guard. The guard records the checks required before CTO may request a Core review route. It blocks while any active or conflicting Core worktree, Core validation process, Core Sequence Protocol route, or dirty Core main state exists. It does not reserve Core, edit Core, merge Core, or authorize runtime default activation.
## Scope
- Register `CTO-WORK-089`, `CTO-WORK-090`, `CTO-WORK-091`, and `CTO-WORK-092`.
- Add Core Route Admission Guard to `CONTEXT.md`.
- Define `core_route_admission_status: not_admitted`.
- Define `guard_status: blocked`.
- Define `blocked_reason: active_or_conflicting_core_work_present`.
- Define `ready_for_core_route_review: true`.
- Define `recommended_next_decision: open_governed_core_prd_route`.
- Require that recommendation to be candidate-only until the Core Route Admission Guard passes.
- Require `idle_governed_core_route_required: true`.
- Require `no_active_conflicting_core_worktree_required: true`.
- Require S135 conflict avoidance when `core/worktrees/core-keyvault-authmd-promotion-135` or `CORE-WORK-172` is active.
- Require read-only checks before any future Core route request: Core worktree list, Core main status, Core active worktree status, Core Sequence Protocol route, and running Core validation processes.
- Require the guard to fail closed when ownership is uncertain.
- Require `do_not_touch_other_agent_work: true`.
- Require no Core mutation.
- Require no Core reservation.
- Require no Core promotion.
- Require Do not mutate `../core/`.
- Require Core validator coverage.
- No Core mutation occurs.
- No Core reservation occurs.
- No Core promotion occurs.
- Require runtime_default_activation: false.
- Require core_promotion_status: not-promoted.
- Require the next allowed action to be `wait_or_open_later_core_route_when_idle`.
## Non-Goals
- Do not mutate Core.
- Do not mutate another agent worktree.
- Do not stop another agent process.
- Do not reserve Core.
- Do not open a Core PRD.
- Do not promote CTO artifacts into Core.
- Do not activate Case as default backend.
- Do not run Case.
- Do not mutate target repositories.
- Do not push, merge, deploy, close, PR open, issue close, public publication, vendor-source mutation, external developer repository mutation, unowned repository mutation, endpoint exposure, secret exposure, credential exposure, or raw Target Repository content exposure.
## User Stories
1. As JP, I want CTO to refuse Core-route work when another agent owns the active Core lane, so other work is not disturbed.
2. As CTO, I want a fail-closed admission check, so a ready packet cannot become Core mutation authority.
3. As a future Core agent, I want explicit route prerequisites, so Core review starts only from a clean and selected route.
4. As Cortex OS Core, I want Core Sequence Protocol authority preserved, so child-local readiness cannot override current Core work.
## Implementation Decisions
- Use the existing CTO SOT plus validator seam; no runtime module is added.
- The guard status is `blocked` because active or conflicting Core work was observed during route selection.
- The guard records admission checks as requirements, not as a live lock or Core reservation.
- The guard may be superseded only by a later governed Core route or a later CTO record showing Core is idle and selected.
## Testing Decisions
- Test through `python3 tools/validate_cto_child.py`.
- Validator coverage must require guard files, Workboard statuses, fail-closed language, and no-Core-mutation language.
- Core caveman prose discipline remains required before final claim.
- No Core aggregate validation is required because this slice does not edit Core.
## Challenge Review
- `$zoom-out`: accepted. The guard sits between the CTO Core Promotion Decision Packet and any future Core PRD route.
- `$improve-codebase-architecture`: accepted. A SOT plus validator guard is the right seam; a live lock would create Core behavior from CTO.
- `$grill-with-docs`: accepted. The canonical term is Core Route Admission Guard.
- Rejected feedback: continue the active Core S135 worktree. JP explicitly said not to touch other agent work.
- Rejected feedback: create a Core reservation. CTO has no authority to reserve Core from child-local planning.
## Acceptance Criteria
- `WORKBOARD.yaml` records `CTO-WORK-089`, `CTO-WORK-090`, `CTO-WORK-091`, and `CTO-WORK-092` as validated.
- `CONTEXT.md` defines Core Route Admission Guard.
- Guard records `core_route_admission_status: not_admitted`.
- Guard records `guard_status: blocked`.
- Guard records `blocked_reason: active_or_conflicting_core_work_present`.
- Guard records `do_not_touch_other_agent_work: true`.
- Guard records `ready_for_core_route_review: true`.
- Guard records `runtime_default_activation: false`.
- Guard records `core_promotion_status: not-promoted`.
- Guard records `next_allowed_action: wait_or_open_later_core_route_when_idle`.
- Guard records `recommended_next_decision: open_governed_core_prd_route`.
- Guard records `idle_governed_core_route_required: true`.
- Guard records `no_active_conflicting_core_worktree_required: true`.
- Guard states no Core mutation, no Core reservation, no Core promotion, and no runtime default activation occur.
- Guard requires future read-only checks before any Core route request.
- CTO validator checks PRD, issues, guard, closeout, and Workboard statuses.
## Validation
- `python3 tools/validate_cto_child.py`
- `python3 /home/svrnty/workspaces/cortex-os/core/tools/check_s69_caveman_prose_discipline.py`
## Risks And Dependencies
- The guard can be mistaken for Core authority. Mitigation: validator requires not-promoted status and no Core reservation language.
- Core state can change after this record. Mitigation: future route requests must re-check Core state read-only.
- Another agent's process can be misidentified. Mitigation: ownership uncertainty blocks rather than authorizes action.
## Success Definition
CTO has a validated child-local guard that prevents the Core Promotion Decision Packet from becoming a Core route request while Core has active or conflicting work. Core promotion remains not-promoted and runtime default activation remains false.
Reference in New Issue View Git Blame Copy Permalink