feat(disclosure): Wave 7 D2 — cto schema v2 + sandcastle external_orchestrator — sprint 2026-05-25

Schema v2 bump (per sot/04-STANDARDS/DISCLOSURE-SCHEMA.md §4.6) adds the
external_orchestrators surface. Sandcastle was previously parked in
DISCLOSURE.md §12.1 "Pending JP review"; Wave-7 Q2 resolved the open
question in favor of (b) schema §4.6's dedicated external_orchestrators
taxonomy (cleaner separation from HTTP/gRPC sovereign_apis).

Changes:
- manifest.yaml: disclosure.schema_version 1 → 2; add external_orchestrators
  with sandcastle entry (transport=cli, mode=exec, version_pin=v0.5.11,
  sandboxed=true, hosted_api=anthropic, called_by lib/cto-worker.sh).
- DISCLOSURE.md: new canonical §6.5 External orchestrators (sandcastle row +
  governance/pin/check-6.e notes); §5 footer note updated (no longer pending);
  §9 drift table adds external_orchestrators row; §12.1 marked RESOLVED with
  audit-trail stub; last_reviewed bumped to 2026-05-25.

Pin v0.5.11 matches external_tool_deps[0].pin and the workspace CLAUDE.md
hard rule (sandcastle read-only; bumps human-only). sot-precommit clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Svrnty 2026-05-24 16:54:14 -04:00
parent b50e32ae74
commit aaa1dbf3d0
2 changed files with 41 additions and 16 deletions


@ -4,8 +4,8 @@ tier: T2
status: active
owner: jp
source: generated
last_reviewed: 2026-05-24
review_by: 2026-08-22
last_reviewed: 2026-05-25
review_by: 2026-08-23
depends_on:
- disclosure-schema
- profile-distribution-protocol
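Review bot: `last_reviewed` and `review_by` move to 2026-05-25 and 2026-08-23, a day ahead of the commit timestamp shown for this change (2026-05-24 16:54 -04:00). If the sprint date is what is meant, say so; otherwise stamp the actual review date. Since the front matter says `source: generated`, these values would be better emitted by the renderer than edited by hand.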
@ -19,7 +19,7 @@ auto_regen_cmd: "yq '.disclosure' manifest.yaml | <renderer-script>"
# `cto-planb` — Disclosure
> Live as of 2026-05-24. Source: `cto/manifest.yaml → disclosure:` block (Wave-4 apply). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p cto-planb` runtime.
> Live as of 2026-05-25. Source: `cto/manifest.yaml → disclosure:` block (Wave-7 D2 apply — schema v2 + sandcastle external_orchestrator promoted from §12 pending to canonical §6.5 per Wave-7 Q2 decision). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p cto-planb` runtime.
## §1 Identity
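Review bot: the new "Live as of" banner packs the change history (Wave-7 D2 apply, promotion from §12, Q2 decision) into the Source parenthetical, which makes the one line readers use to locate the source of truth hard to scan. Keep the banner to the date and the `cto/manifest.yaml → disclosure:` source, and leave the history to §12.1, which already records it.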
@ -72,7 +72,7 @@ Per `disclosure.sovereign_apis`. Each entry is grep-verified against `called_by`
|---|---|---|---|---|---|
| `bte-rest` | `http://localhost:5000` | http | read-write | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | BTE REST `/api/export-design-md` cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only — CTO would `curl` when a UI task triggers DESIGN.md export). |
> Sandcastle is NOT listed here in §5 — see §12 (Pending JP review). Per Wave-3 recommendations §3 A2 it is governance-critical and PAUSED awaiting JP's call on documenting it under `sovereign_apis:` with `transport: cli` vs. a schema §4.6 extension (`external_orchestrators:`).
> Sandcastle is NOT listed here in §5 — it has its own dedicated surface type. See §6.5 (External orchestrators). Wave-7 Q2 resolved the §12.1 open question in favor of schema §4.6's `external_orchestrators:` taxonomy (cleaner separation from HTTP/gRPC sovereign APIs).
## §6 Cortex tools (12)
@ -95,6 +95,20 @@ Per `disclosure.cortex_tools`. 2 invoked at runtime; 10 mount-and-cite routing t
**Removed (Wave-4):** `PC-svrnty.tool-cortex-plugin` — declared in legacy `external_tool_deps` but never cited in any cto skill body or lib (orphan). Removed per Wave-3 recommendations §4 C13. Reversible by re-adding the entry to `external_tool_deps`.
## §6.5 External orchestrators (1)
Per `disclosure.external_orchestrators` (schema v2, added Wave-7 D2). cto's **primary execution mechanism** — every code-modifying task routes through sandcastle's isolation boundary (CONTRACT.md §5 + §11 anti-pattern: "CTO never edits host code directly").
| ID | Transport | Mode | Version pin | Sandboxed | Hosted API | Called by | Justification |
|---|---|---|---|---|---|---|---|
| `sandcastle` | cli | exec | `v0.5.11` | **true** | `anthropic` | `lib/cto-worker.sh` | Isolated `claudeCode('claude-opus-4-7')` exec per CONTRACT.md §5 — the 4-layer safety stack (sandbox + git branch + PR + JP approval). Escape valve under `sovereign_only: false`; if profile were `sovereign_only: true`, schema §6 6.e v2 permits this entry IFF `sandboxed: true`. |
**Governance.** `sandboxed: true` is the load-bearing field — it declares isolation. `hosted_api: anthropic` is surfaced honestly because sandcastle wraps `claudeCode('claude-opus-4-7')` (CONTRACT.md §5 invocation pattern). cto-agent itself runs sovereign `qwen3.6-35b-a3b`; hosted Claude lives **inside** sandcastle's sandbox, never on cto's own surface.
**Pin enforcement.** `version_pin: v0.5.11` matches `manifest.yaml → external_tool_deps[0].pin` and the workspace CLAUDE.md hard rule "sandcastle pinned v0.5.11; bumps human-only via `git fetch upstream && git checkout <tag>`". Sandcastle dir is read-only — never edited from cto.
**Pre-push check 6.e (v2).** With `sovereign_only: false`, no special enforcement triggers. If the profile ever flips to `sovereign_only: true`, the check 6.e v2 amendment requires `sandboxed: true` for any orchestrator declaring `hosted_api` — which this row satisfies.
## §7 Credentials (0)
No active credential declarations in this disclosure block. `github-pat` (optional, vault-absent) is parked under §12 Pending JP review per Wave-3 recommendations §5 K1 — cred-adjacent rows require JP sign-off before joining the active allowlist. Legacy `credentials.optional: [github-pat]` block remains for installer back-compat (per DISCLOSURE-SCHEMA §7).
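Review bot: `sandboxed: true` is described in the Governance paragraph as the field that "declares isolation", and check 6.e v2 is said to accept a `hosted_api` orchestrator on that flag, but nothing in this section says what backs the declaration. State what evidence supports it or what check 6.e inspects beyond the boolean; otherwise a flip to `sovereign_only: true` would be gated by a self-asserted value. Also, the manifest entry carries `sovereign_required: false` but the §6.5 table has no column for it, and the model string `claude-opus-4-7` appears twice here while the manifest records only `hosted_api: anthropic`, so the document can drift from its source.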
@ -110,6 +124,7 @@ No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest `
| Skills | 3 | 3 | in-sync (live verified by AUDIT-cto-2026-05-24.md §1) |
| MCP servers | 0 | 0 | in-sync (live verified by AUDIT §2) |
| MCP tools (total) | 0 | 0 | in-sync |
| External orchestrators | 1 (sandcastle) | 1 (sandcastle invoked by `lib/cto-worker.sh:50-62`) | in-sync (Wave-7 D2) |
| Credentials | 0 | 1 vault-absent declared in legacy block | acceptable (Pending JP — see §12) |
> Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24). Curator sweep will populate.
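Review bot: the new External orchestrators row is marked "in-sync (Wave-7 D2)" without naming what verified it, while the Skills and MCP rows cite the AUDIT file and the footer still reads "Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24)". Either cite the verification that was run for this row or mark it pending like the footer. The `lib/cto-worker.sh:50-62` line range will go stale on the next edit to that script; §6.5 and the manifest reference the file only.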
@ -131,20 +146,15 @@ No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest `
Rows surfaced by Wave-3 audit/recommendations but paused awaiting JP sign-off. These are NOT in the active `disclosure:` block yet.
### §12.1 ADD — sandcastle as `sovereign_api` (governance-critical)
### §12.1 RESOLVED (Wave-7 D2 / Q2) — sandcastle promoted to canonical §6.5
Per `RECOMMENDATIONS-cto-2026-05-24.md §3 A2` and `AUDIT-cto-2026-05-24.md §8`.
Per Wave-7 Q2 decision (2026-05-25): the open question on (a) `sovereign_apis: cli` vs (b) schema §4.6 `external_orchestrators:` was resolved in favor of **(b)** — schema v2 added the `external_orchestrators:` surface (cleaner taxonomy, separates HTTP/gRPC sovereign APIs from CLI orchestrators with isolation semantics).
| Field | Proposed value |
|---|---|
| name | `sandcastle` |
| transport | `cli` (via `npx tsx -e "..."` per `lib/cto-worker.sh:50-62`) |
| endpoint | `../sandcastle` (read-only sibling, pinned v0.5.11) |
| mode | `exec` |
| called_by | `lib/cto-worker.sh` (one actual runtime invocation at lines 50-62 + 3 env/wrapper refs) |
| justification | sandcastle is cto's **primary execution mechanism** (CONTRACT.md §5 + §11 anti-patterns: "CTO never edits host code directly — always via sandcastle"). Currently only present in legacy `external_tool_deps`. DISCLOSURE-SCHEMA §4 has no `sandcastle` surface type; closest fit = `sovereign_apis` with `transport: cli` + governance note. |
Sandcastle now lives in:
- `manifest.yaml → disclosure.external_orchestrators[0]` (schema v2)
- §6.5 above (canonical disclosure section)
**Open question for JP:** prefer (a) document under `sovereign_apis:` with `transport: cli` (zero schema churn — Karpathy Rule 2 default) OR (b) DISCLOSURE-SCHEMA §4.6 amendment adding `external_orchestrators:` surface (cleaner taxonomy, defers this row to a future wave)? Recommendation: (a).
Row retained here for audit trail only. No JP action required.
### §12.2 KEEP — `github-pat` credential declaration (cred-adjacent PAUSE)
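Review bot: the rewritten §12.1 says "Row retained here for audit trail only", but the proposed-value table and the open question were deleted, including the original recommendation of (a) and the references to `RECOMMENDATIONS-cto-2026-05-24.md §3 A2` and `AUDIT-cto-2026-05-24.md §8`. Keep those references and one line noting that the recommendation was (a) and the decision was (b), so the trail is readable without git history. The section intro still states that §12 rows "are NOT in the active `disclosure:` block yet", which is no longer true for §12.1, and the `endpoint` (`../sandcastle`) and `npx tsx -e` invocation details from the old table are not carried into §6.5 or the manifest entry.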


@ -138,7 +138,7 @@ credentials: # provisioned via `credctl set <name>` — never
# Derived from Wave-3 recommendations: sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md
disclosure:
scope: org
schema_version: 1
schema_version: 2 # bumped Wave-7 D2 (2026-05-25) — adds external_orchestrators surface per DISCLOSURE-SCHEMA §4.6
chat_facing: false # cto is kanban-driven; JP chats with steev, not cto (CONTRACT.md §3)
delegates_to: [] # cto consumes sandcastle as a tool, not a sub-agent (CONTRACT.md §1, §9)
inherit_builtins: false # deny-by-default; cto has zero builtins enabled
@ -266,3 +266,18 @@ disclosure:
credentials: [] # github-pat declaration parked under Pending JP review in DISCLOSURE.md §12
# (cred-adjacent PAUSE per Wave-3 recommendations §5 K1)
# External orchestrators (schema v2+ — Wave-7 D2). Sandcastle is cto's primary
# execution mechanism (CONTRACT.md §5). sandboxed=true + sovereign_only=false
# = the 4-layer safety stack (sandbox isolation + git branch + PR + JP approval).
external_orchestrators:
- id: sandcastle
transport: cli
mode: exec
called_by:
- lib/cto-worker.sh
version_pin: v0.5.11
sandboxed: true
sovereign_required: false
hosted_api: anthropic
justification: "isolated claudeCode exec per CONTRACT.md §5 (escape valve under sovereign_only=false)"
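Review bot: `version_pin: v0.5.11` pins sandcastle by tag name and repeats the value that the commit message says also lives in `external_tool_deps[0].pin`, so there are two copies of the pin and nothing in this hunk ties them together. A git tag can be moved upstream; consider recording the resolved commit hash next to the tag and having the pre-push check compare the two pin fields. `sovereign_required: false` is added here but is not in the commit message's field list or the §6.5 table, and the comment "sandboxed=true + sovereign_only=false = the 4-layer safety stack" overstates what two flags express, since git branch, PR and JP approval are process steps rather than fields.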