# cto (repo) · cto-planb (Hermes profile)

**Hermes classification:** profile distribution (C-suite, instance #3, Plan B-scoped)
*Inherits Karpathy 4 rules from `~/.claude/CLAUDE.md` — read them before coding.*

## What this is

CTO agent for Plan B — thin orchestrator. Decomposes JP/CEO tech goals, invokes sandcastle to run code-modifying agents in isolated sandboxes, judges resulting diffs, opens PRs, requests JP approval for any deploy. Never deploys directly. Instance #3 of the C-suite profile distribution family.

**Naming:** the repo dir is `cto/` (generic). The deployed Hermes profile is `cto-planb` (Plan B-scoped, driven by `distribution.yaml → name`). Future orgs would clone this repo and set `name: cto-<org>` in their `distribution.yaml`.

**Status:** v0.1 — **scaffold only**. Orchestrator skill stub exists but is not executable. v1.0 milestone = wire `sandcastle.run()` into `skills/cto-agent/`.

## Hard rules

- CTO NEVER edits host repo code directly — always via sandcastle in an isolated sandbox
- CTO NEVER merges to main without JP `approve` (definition of "deploy" per CONTRACT.md §3)
- CTO NEVER touches infrastructure (DNS, certs, secrets, cron, cloud) — escalate always
- CTO NEVER edits `../sandcastle/` — read-only workspace hard rule (mattpocock/sandcastle pinned v0.5.11)
- `cto.db` never committed — created by `install.sh`, managed at runtime
- The CTO's "skill" is judgment + sandcastle invocation, not execution — do NOT add large skill libraries here (CEO precedent)
- Structural changes follow `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`

## Structure

```
cto/
├── manifest.yaml                    # profile: cto-planb, kind: profile-distribution
├── distribution.yaml                # Hermes native install contract
├── AGENT.md                         # CTO identity (role, mission, boundaries)
├── CONTRACT.md                      # CTO behavior contract — tier T1 (this file wins)
├── install.sh                       # idempotent installer → ~/.hermes/cto-planb symlink (skeleton)
├── credbridge.sh                    # secrets bridge (skeleton — github-pat only in v1)
├── schema.sql                       # cto.db schema (work_queue, agent_runtime, invocations)
├── skills/
│   └── cto-agent/                   # orchestrator skill (SKILL.md = stub until v1.0)
└── cron/                            # empty for v1 (CEO precedent — on-demand only)
```

## Gotchas

- Sandcastle is at `../sandcastle/` (sibling). Read its `CONTEXT.md` before writing any sandcastle.run() invocation — the terminology (sandbox provider, branch strategy, agent provider) matters
- `cto/` does NOT inherit `cmo/`'s 40-skill complexity — keep it thin like `ceo/` (1 skill: cto-agent)
- v0.1 has NO executable orchestrator — running `hermes -p cto-planb skills list` will show cto-agent but invocations will no-op gracefully
- credbridge in v1 resolves only `github-pat`; other creds (deploy, cloud) deferred to v2 per CONTRACT.md §4
- When v1.0 work starts: write `skills/cto-agent/SKILL.md` body (currently stub), test sandcastle.run() against a throwaway repo, then wire kanban dispatch

## When to update this CLAUDE.md vs other docs

- This file: gotchas, hard rules, structure overview — what a Claude session needs to navigate the repo
- `AGENT.md`: identity (role, mission, principal) — what CTO IS
- `CONTRACT.md`: behavior contract — what CTO DOES and does NOT do, decisions, anti-patterns (tier T1)
- `manifest.yaml`: machine-readable identity + install hooks
- `distribution.yaml`: Hermes native install contract (separate from manifest by design)
- `README.md`: human-facing intro + install instructions