hermes/cto
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(disclosure): Wave 4 — cto-planb disclosure: block (3 skills + cortex_tools narrow) — sprint 2026-05-24

Browse Source 
Wave-4C apply of Wave-3 recommendations for cto-planb. cto is the cleanest
profile in the 5-profile fleet — minimal deltas by design (Karpathy Rules 2+3).

Active disclosure block:
- 3 skills (cto-agent orchestrator + cto-python-toolkit + cto-angular-toolkit)
- 0 MCP (deny-by-default; closes bte-MCP-leak risk seen on ceo/steev)
- 1 sovereign_api (bte-rest /api/export-design-md — documented pattern)
- 12 cortex_tools (13 minus PC-svrnty.tool-cortex-plugin orphan; 2 invoked
  at runtime: L6-svrnty.core-credentials + PG-svrnty.lib-quality-gates)
- 0 active credentials
- inherit_builtins: false, inherit_mcp_toolsets: false
- sovereign_only: false (INTENTIONAL — claudeCode lives INSIDE sandcastle
  isolation per CONTRACT.md §5; cto-agent itself runs sovereign qwen3.6)

Orphan removal: PC-svrnty.tool-cortex-plugin removed from external_tool_deps
(never cited in any cto skill body or lib — per RECOMMENDATIONS §4 C13).

Pending JP review (DISCLOSURE.md §12 — paused per Wave-3 hard rule):
- §12.1 ADD sandcastle as sovereign_api (governance-critical, may need
  DISCLOSURE-SCHEMA §4.6 amendment for external_orchestrators surface)
- §12.2 KEEP github-pat cred declaration (vault-absent; v2 PR-open needs it)
- §12.3 NOTE L6-svrnty.core-credentials runtime mode (cred-adjacent confirm)

Refs:
- sot/04-STANDARDS/DISCLOSURE-SCHEMA.md (schema_version 1)
- sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md
- sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md
- sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Svrnty 2026-05-24 15:59:55 -04:00
parent 31d6ef72a6
commit b50e32ae74
2 changed files with 321 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
DISCLOSURE.md Normal file
View File

@ -0,0 +1,185 @@
---
name: disclosure-cto-planb
tier: T2
status: active
owner: jp
source: generated
last_reviewed: 2026-05-24
review_by: 2026-08-22
depends_on:
- disclosure-schema
- profile-distribution-protocol
- cto-planb-contract
- recommendations-cto-2026-05-24
- audit-cto-2026-05-24
- cortex-tooling
description: Canonical disclosure of cto-planb — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6.
auto_regen_cmd: "yq '.disclosure' manifest.yaml | <renderer-script>"
---
# `cto-planb` — Disclosure
> Live as of 2026-05-24. Source: `cto/manifest.yaml → disclosure:` block (Wave-4 apply). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p cto-planb` runtime.
## §1 Identity
| Field | Value |
|---|---|
| Profile ID | `cto-planb` |
| Repo | `~/workspaces/hermes/cto` |
| Scope | `org` |
| Org | `planb` |
| Owner | `jp` |
| Approval authority | `jp` |
| Role type | C-suite (instance #3) |
| State | stateful (`cto.db` — work_queue, agent_runtime, invocations) |
| Version | `1.0.0` (MVP shipped 2026-05-24) |
| North star | reliable, evolving tech — sandcastle-orchestrated code work, JP-approved deploys, never bypass isolation |
| Chat-facing | `false` (kanban-driven; JP chats with steev, not cto) |
| Delegates to | none (sandcastle is a tool, not a sub-agent — CONTRACT.md §1, §9) |
| Sovereign-only | `false` (intentional — see §2) |
## §2 Inheritance posture
| Field | Value | Rationale |
|---|---|---|
| `inherit_builtins` | `false` | cto has zero builtins enabled — deny-by-default. Locks in clean posture. |
| `inherit_mcp_toolsets` | `false` | cto has zero MCP — deny-by-default. Closes potential bte-MCP-leak risk that hit ceo/steev. |
| `inherit_dirs` | none | no external_dirs — no bundled-skill exposure |
| `sovereign_only` | `false` | INTENTIONAL. cto-agent itself runs sovereign `qwen3.6-35b-a3b`. The `claudeCode('claude-opus-4-7')` literal in sandcastle invocations names the AGENT INSIDE THE SANDBOX — hosted Claude lives behind sandcastle's isolation boundary (CONTRACT.md §5 + AUDIT §6 sovereignty note). Setting `true` would block the valid v1 design. |
## §3 Skills (3)
Per `disclosure.skills` enum. Pre-push check 6.a enforces declared == live `hermes -p cto-planb skills list` enabled set.
| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
|---|---|---|---|---|---|
| `cto-agent` | local | orchestrator | — | — | Loop operator (decompose → sandcastle → review → PR). CONTRACT.md §1 "thin orchestrator over sandcastle". |
| `cto-python-toolkit` | local | toolkit | false | — | Python stack patterns — closes CONTRACT.md §6 "Python = skill-only" gap. Anchored to bte-mcp, svrnty-hermes-webui-plugin, curator/sweep.py, scripts/sot-precommit.py. |
| `cto-angular-toolkit` | local | toolkit | false | — | Angular stack patterns — closes CONTRACT.md §6 "Angular = skill-only" gap. Anchored to adwright/adwright-console. |
**Totals.** 3 skills total. Source breakdown: 3 local, 0 hub, 0 builtin, 0 external_dir.
## §4 MCP servers (0)
No MCP servers exposed — deny-by-default allowlist is empty. cto orchestrates via sandcastle + shell, not MCP. Matches PROFILE-CATALOG §cto-planb. Closes the bte-MCP-leak risk that hit ceo/steev.
## §5 Sovereign APIs (1)
Per `disclosure.sovereign_apis`. Each entry is grep-verified against `called_by` paths.
| Name | Endpoint | Transport | Mode | Called by | Justification |
|---|---|---|---|---|---|
| `bte-rest` | `http://localhost:5000` | http | read-write | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | BTE REST `/api/export-design-md` cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only — CTO would `curl` when a UI task triggers DESIGN.md export). |
> Sandcastle is NOT listed here in §5 — see §12 (Pending JP review). Per Wave-3 recommendations §3 A2 it is governance-critical and PAUSED awaiting JP's call on documenting it under `sovereign_apis:` with `transport: cli` vs. a schema §4.6 extension (`external_orchestrators:`).
## §6 Cortex tools (12)
Per `disclosure.cortex_tools`. 2 invoked at runtime; 10 mount-and-cite routing targets the sandcastle sub-agent reads when cto mounts them in a prompt.
| ID | Stack | Invoked at runtime | Mode | Referenced in | Justification |
|---|---|---|---|---|---|
| `L6-svrnty.lib-dotnet-cqrs` | dotnet | false | read | `skills/cto-agent/SKILL.md` | .NET CQRS routing target — sandcastle sub-agent reads patterns when mounted |
| `L5-svrnty.tool-cqrs-plugin` | dotnet | false | read | `skills/cto-agent/SKILL.md` | .NET scaffolding plugin — routing target |
| `pi-bte-plugin` | dotnet | false | read | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | DTCG validation + voice schema lint + DESIGN.md export — routing target + DESIGN.md emit path |
| `L6-svrnty.lib-cqrs-datasource` | dart | false | read | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | Flutter gRPC client + Angular gRPC-web reference — routing target |
| `L6-svrnty.lib-llm` | go | false | read | `skills/cto-agent/SKILL.md` | Go multi-provider LLM interface — routing target for Go tasks |
| `L6-svrnty.core-credentials` | go | **true** | read+exec | `credbridge.sh` | Runtime-invoked via `credctl` CLI from `credbridge.sh` — every `cmd_open_pr` resolves github-pat through this lib |
| `L6-svrnty.core-memory` | go | false | read | `skills/cto-agent/SKILL.md` | Go memory lib — routing target; `requires_tools: memory_tool` is Hermes-side, not direct call |
| `PG-svrnty.tool-qa` | go | false | read | `skills/cto-agent/SKILL.md` | QA orchestrator — routing target for Go QA work |
| `L6-svrnty.core-runtime` | rust | false | read | `skills/cto-agent/SKILL.md` | zeroclaw runtime — routing target for Rust tasks |
| `PG-svrnty.lib-quality-gates` | multi | **true** | read+exec | `skills/cto-python-toolkit/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | Runtime-invoked post-sandcastle via `$QG/bin/run-gates --stack python|typescript --repo X --branch Y` |
| `L5-svrnty.lib-skills-engineering` | multi | false | read | `skills/cto-agent/SKILL.md` | 28-pattern engineering reference — routing target |
| `L5-svrnty.tool-bash-plugin` | bash | false | read | `skills/cto-agent/SKILL.md` | Bash scripting plugin — routing target for Bash tasks |
**Removed (Wave-4):** `PC-svrnty.tool-cortex-plugin` — declared in legacy `external_tool_deps` but never cited in any cto skill body or lib (orphan). Removed per Wave-3 recommendations §4 C13. Reversible by re-adding the entry to `external_tool_deps`.
## §7 Credentials (0)
No active credential declarations in this disclosure block. `github-pat` (optional, vault-absent) is parked under §12 Pending JP review per Wave-3 recommendations §5 K1 — cred-adjacent rows require JP sign-off before joining the active allowlist. Legacy `credentials.optional: [github-pat]` block remains for installer back-compat (per DISCLOSURE-SCHEMA §7).
## §8 Cron (0)
No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest `cron: []`).
## §9 Drift status
| Surface | Declared | Live | Status |
|---|---|---|---|
| Skills | 3 | 3 | in-sync (live verified by AUDIT-cto-2026-05-24.md §1) |
| MCP servers | 0 | 0 | in-sync (live verified by AUDIT §2) |
| MCP tools (total) | 0 | 0 | in-sync |
| Credentials | 0 | 1 vault-absent declared in legacy block | acceptable (Pending JP — see §12) |
> Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24). Curator sweep will populate.
## §10 Sovereign-purity audit
- cto-owned code layer (`cto/skills/`, `cto/lib/`): **CLEAN** — orchestrator runs sovereign `qwen3.6-35b-a3b`; no hosted-API calls from cto's own surface.
- Bundled-skill exposure layer: **N/A**`inherit_dirs: []`, `inherit_builtins: false`, no bundled skills exposed.
- `sovereign_only: false` is INTENTIONAL — `claudeCode('claude-opus-4-7')` lives inside the sandcastle isolation boundary, not on cto's own surface. The sandcastle sandbox + git branch + PR + JP approval gate = the 4-layer safety stack (AUDIT §8.3).
## §11 Governance refs
- Vision: `../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md`, `../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md`
- Governing protocols: `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`
- Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`
- Brand master ref: `../sot/07-BRAND/PLANB-BRAND-SYNTHESIS.md`
## §12 Pending JP review
Rows surfaced by Wave-3 audit/recommendations but paused awaiting JP sign-off. These are NOT in the active `disclosure:` block yet.
### §12.1 ADD — sandcastle as `sovereign_api` (governance-critical)
Per `RECOMMENDATIONS-cto-2026-05-24.md §3 A2` and `AUDIT-cto-2026-05-24.md §8`.
| Field | Proposed value |
|---|---|
| name | `sandcastle` |
| transport | `cli` (via `npx tsx -e "..."` per `lib/cto-worker.sh:50-62`) |
| endpoint | `../sandcastle` (read-only sibling, pinned v0.5.11) |
| mode | `exec` |
| called_by | `lib/cto-worker.sh` (one actual runtime invocation at lines 50-62 + 3 env/wrapper refs) |
| justification | sandcastle is cto's **primary execution mechanism** (CONTRACT.md §5 + §11 anti-patterns: "CTO never edits host code directly — always via sandcastle"). Currently only present in legacy `external_tool_deps`. DISCLOSURE-SCHEMA §4 has no `sandcastle` surface type; closest fit = `sovereign_apis` with `transport: cli` + governance note. |
**Open question for JP:** prefer (a) document under `sovereign_apis:` with `transport: cli` (zero schema churn — Karpathy Rule 2 default) OR (b) DISCLOSURE-SCHEMA §4.6 amendment adding `external_orchestrators:` surface (cleaner taxonomy, defers this row to a future wave)? Recommendation: (a).
### §12.2 KEEP — `github-pat` credential declaration (cred-adjacent PAUSE)
Per `RECOMMENDATIONS-cto-2026-05-24.md §5 K1`.
| Field | Proposed value |
|---|---|
| vault_name | `github-pat` |
| status | `optional` |
| scope | `read` |
| used_by | `credbridge.sh` (case `gh)`), `lib/cto-worker.sh` (open-pr command) |
| governance | required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — `cto-worker.sh open-pr` fails-fast with documented error. Vault provisioning is JP's responsibility before first real PR-opening task. |
**Open question for JP:** confirm KEEP declaration even though vault-absent? Recommendation: YES — v2 needs it; cto-worker.sh fails fast with a clear error if missing. Once approved, the cred row moves from §7 (empty) into the active `disclosure.credentials:` block. Pre-push check 6.d will then enforce `credctl list` exact-match.
### §12.3 NOTE — `L6-svrnty.core-credentials` runtime mode
Already KEEP at `invoked_at_runtime: true`, `mode: read+exec` in §6 above — but JP sign-off requested per Wave-3 audit hard rule (credential-adjacent). No change pending; confirm-only.
## §13 Open issues + next steps
- **Catalog drift (Wave-5 rollup):** PROFILE-CATALOG.md §cto-planb row says "v0.1 scaffold"; live = v1.0 (manifest version 1.0.0). Deferred to Wave-5 per `RECOMMENDATIONS-cto-2026-05-24.md §10`.
- **`.cto/` work dir convention:** `cto-agent/SKILL.md:75` references `${CTO_HOME}/work/${WORK_ID}/prompt.md` but `install.sh` does not `mkdir -p` that path. Soft gap; first sandcastle run will need to mkdir. Note for Wave-4 cleanup.
- **JP sign-off needed** on §12.1, §12.2, §12.3 before next-wave disclosure refresh.
## §14 Related
- [`../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`](../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md) — schema definition
- [`../sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md`](../sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md) — template this doc instantiates
- [`../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`](../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md) — protocol disclosure extends
- [`../sot/06-REGISTRY/PROFILE-CATALOG.md`](../sot/06-REGISTRY/PROFILE-CATALOG.md) — fleet rollup
- [`../sot/06-REGISTRY/CORTEX-TOOLING.md`](../sot/06-REGISTRY/CORTEX-TOOLING.md) — 13-tool catalog (12 cited in §6; orphan removed)
- [`../sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md`](../sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md) — Wave-1 live inventory
- [`../sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md`](../sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md) — Wave-3 KEEP/REMOVE/ADD/NARROW decisions
- [`../sot/06-REGISTRY/EXTERNAL-REFS/SANDCASTLE.md`](../sot/06-REGISTRY/EXTERNAL-REFS/SANDCASTLE.md) — sandcastle registry entry (§12.1 governance ref)
- [`./manifest.yaml`](./manifest.yaml) — machine-readable `disclosure:` block
- [`./AGENT.md`](./AGENT.md) — identity (T2)
- [`./CONTRACT.md`](./CONTRACT.md) — behavior contract (T1)

140
manifest.yaml
View File

@ -105,10 +105,8 @@ external_tool_deps:
path: ../../cortex/L5-svrnty.tool-bash-plugin
stack: bash
role: Bash script engineering plugin (9 categories — init/gate/hook/cron/probe/seal/deploy/test/orchestrate)
- repo: PC-svrnty.tool-cortex-plugin
path: ../../cortex/PC-svrnty.tool-cortex-plugin
stack: cortex-os
role: Cortex sovereign OS installer — identity/sectors/detection/activation bootstrap
# PC-svrnty.tool-cortex-plugin REMOVED 2026-05-24 (Wave-4 orphan cleanup) — never cited in any cto skill body
# See sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md §0.2 + §4 C13
# Stacks NOT yet covered by dedicated cortex/ tooling:
# - Python: handled via sandcastle generic Claude Code path; no Python framework lib
@ -134,3 +132,137 @@ config: # portable per-install settings
credentials: # provisioned via `credctl set <name>` — never shipped
required: [] # v1 has no required creds (no deploy/cloud yet)
optional: [github-pat] # for opening PRs via gh CLI when CTO ships v2
# Disclosure block (Wave-4 — per sot/04-STANDARDS/DISCLOSURE-SCHEMA.md schema_version 1).
# Authoritative runtime-truth contract; pre-push hook check 6 verifies declared == live.
# Derived from Wave-3 recommendations: sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md
disclosure:
scope: org
schema_version: 1
chat_facing: false # cto is kanban-driven; JP chats with steev, not cto (CONTRACT.md §3)
delegates_to: [] # cto consumes sandcastle as a tool, not a sub-agent (CONTRACT.md §1, §9)
inherit_builtins: false # deny-by-default; cto has zero builtins enabled
inherit_mcp_toolsets: false # deny-by-default; closes the bte-MCP-leak risk seen on ceo/steev
sovereign_only: false # INTENTIONAL — cto uses claudeCode('claude-opus-4-7') INSIDE sandcastle
# isolation (CONTRACT.md §5). cto-agent itself runs sovereign qwen3.6.
inherit_dirs: [] # no external_dirs
skills:
- id: cto-agent
source: local
path: skills/cto-agent
role: orchestrator
- id: cto-python-toolkit
source: local
path: skills/cto-python-toolkit
role: toolkit
justification: "Python stack patterns — closes CONTRACT.md §6 'Python = skill-only' gap; anchored to bte-mcp, svrnty-hermes-webui-plugin, curator/sweep.py, scripts/sot-precommit.py"
- id: cto-angular-toolkit
source: local
path: skills/cto-angular-toolkit
role: toolkit
justification: "Angular stack patterns — closes CONTRACT.md §6 'Angular = skill-only' gap; anchored to adwright/adwright-console"
mcp_servers: [] # cto orchestrates via sandcastle + shell, not MCP
sovereign_apis:
- name: bte-rest
endpoint: "http://localhost:5000"
transport: http
mode: read-write
called_by:
- skills/cto-agent/SKILL.md
- skills/cto-angular-toolkit/SKILL.md
justification: "BTE REST endpoint /api/export-design-md — cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only)"
cortex_tools:
- id: L6-svrnty.lib-dotnet-cqrs
stack: dotnet
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
justification: ".NET CQRS routing target — sandcastle sub-agent reads patterns when mounted"
- id: L5-svrnty.tool-cqrs-plugin
stack: dotnet
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
justification: ".NET scaffolding plugin — routing target"
- id: pi-bte-plugin
stack: dotnet
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
- skills/cto-angular-toolkit/SKILL.md
justification: "DTCG validation + voice schema lint + DESIGN.md export — routing target + DESIGN.md emit path"
- id: L6-svrnty.lib-cqrs-datasource
stack: dart
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
- skills/cto-angular-toolkit/SKILL.md
justification: "Flutter gRPC client + Angular gRPC-web reference — routing target"
- id: L6-svrnty.lib-llm
stack: go
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
justification: "Go multi-provider LLM interface — routing target for Go tasks"
- id: L6-svrnty.core-credentials
stack: go
invoked_at_runtime: true
mode: read+exec
referenced_in:
- credbridge.sh
justification: "Runtime-invoked via credctl CLI from credbridge.sh — every cmd_open_pr resolves github-pat through this lib"
- id: L6-svrnty.core-memory
stack: go
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
justification: "Go memory lib — routing target; requires_tools memory_tool is Hermes-side, not direct call"
- id: PG-svrnty.tool-qa
stack: go
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
justification: "QA orchestrator — routing target for Go QA work"
- id: L6-svrnty.core-runtime
stack: rust
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
justification: "zeroclaw runtime — routing target for Rust tasks"
- id: PG-svrnty.lib-quality-gates
stack: multi
invoked_at_runtime: true
mode: read+exec
referenced_in:
- skills/cto-python-toolkit/SKILL.md
- skills/cto-angular-toolkit/SKILL.md
justification: "Runtime-invoked post-sandcastle via $QG/bin/run-gates --stack python|typescript --repo X --branch Y"
- id: L5-svrnty.lib-skills-engineering
stack: multi
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
justification: "28-pattern engineering reference — routing target"
- id: L5-svrnty.tool-bash-plugin
stack: bash
invoked_at_runtime: false
mode: read
referenced_in:
- skills/cto-agent/SKILL.md
justification: "Bash scripting plugin — routing target for Bash tasks"
credentials: [] # github-pat declaration parked under Pending JP review in DISCLOSURE.md §12
# (cred-adjacent PAUSE per Wave-3 recommendations §5 K1)