# cto (repo) · cto-planb (Hermes profile)

A **Chief Technology Officer** agent for [Hermes](https://git.openharbor.io/hermes/hermes), built for Plan B (Québec fresh prepared-meals).

**Thin orchestrator:** decomposes JP/CEO tech goals, invokes [`sandcastle`](../sandcastle/) to run code-modifying agents in isolated Docker/Podman/Vercel sandboxes, judges resulting diffs, opens PRs for human review, and requests JP approval for any deploy. Never deploys directly.

**Instance #3 of the C-suite profile distribution family** (CMO = #1, CEO = #2, CTO = #3). This repo is `cto/`; the deployed Hermes profile is `cto-planb`. Built to the canonical protocol at [`../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`](../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md).

> **Status:** v0.1 — **scaffold only**. Orchestrator skill stub exists; sandcastle integration not yet wired. v1.0 milestone = ship executable `cto-agent` skill that drives `sandcastle.run()` per task.

- **Identity:** [`AGENT.md`](AGENT.md) — role, mission, boundaries
- **Behavior contract:** [`CONTRACT.md`](CONTRACT.md) — what CTO does, does NOT do, edge cases (tier T1)
- **Protocol:** [`../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`](../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md)
- **Primary tool:** [`../sandcastle/`](../sandcastle/) — Matt Pocock's sandboxed agent orchestrator (MIT, pinned v0.5.11; read-only)

## Layout

```
cto/
├── AGENT.md  CONTRACT.md  CLAUDE.md  README.md
├── manifest.yaml  distribution.yaml  install.sh  credbridge.sh
├── skills/cto-agent/SKILL.md   # orchestrator stub (v1.0 implements)
└── schema.sql                  # cto.db built from this; never committed
```

## Install (v0.1 — scaffold only)

```bash
git clone https://git.openharbor.io/hermes/cto && cd cto
./install.sh                                   # symlinks repo → ~/.hermes/cto-planb (idempotent)
hermes -p cto-planb skills list | grep cto-agent
```

Default install **symlinks** `~/.hermes/cto-planb` → this repo (repo is canonical, edits land live).
## Key invariants (v1)

- CTO orchestrates via sandcastle, never edits host code directly
- No deploy without JP approval (merge-to-main = deploy gate)
- No infrastructure changes without JP approval (DNS, certs, secrets, cron, cloud)
- No edits to `../sandcastle/` (read-only mirror)
- Thin orchestrator (1 skill: `cto-agent`), NOT a 40-skill library

## v0.1 scope vs v1.0 milestone

| Component | v0.1 | v1.0 (next) | v2 (deferred) |
|---|---|---|---|
| Scaffold files | ✅ | — | — |
| `cto-agent/SKILL.md` body | stub | executable orchestrator | — |
| Sandcastle invocation | — | wired | provider-swap (docker → vercel for parallel) |
| Approval gate enforcement | — | wired (merge gate) | deploy gate (CI/CD) |
| Sub-agent profiles | — | — | coder, reviewer, deployer |
| Observability MCPs | — | — | Grafana, Prometheus |
| IaC | — | — | Terraform/Pulumi |

## Related

- [`../sandcastle/CONTEXT.md`](../sandcastle/CONTEXT.md) — sandcastle terminology (read before writing any invocation)
- [`../cmo/`](../cmo/) — C-suite reference impl #1 (thick capability pattern)
- [`../ceo/`](../ceo/) — C-suite reference impl #2 (thin orchestrator pattern — CTO follows this)
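## Approval gate as code (illustration)

The key invariants above (sandcastle-only edits, no deploy or infra change without JP approval, `../sandcastle/` read-only) are easiest to enforce as one policy check that every proposed action passes through before the orchestrator hands a task to a sandbox, opens a PR, or attempts a merge. The following is an added illustration, not code from this repo, Hermes, or sandcastle: every name in it (`Action`, `Proposal`, `evaluate`, the path markers) is hypothetical, and the workspace layout it assumes is the one this README describes, with `cto/` and `sandcastle/` as sibling directories. The one non-obvious point it shows is that a prefix check on `sandcastle/` is only meaningful after the path is normalised, since `cto/../sandcastle/x` would otherwise pass as a path under `cto/`.

```python
"""Approval-gate policy for a thin CTO orchestrator.

Added illustration, not code from the cto repo, Hermes, or sandcastle. It turns
the README's key invariants into one check that every proposed action passes
through before a sandbox run starts, a PR is opened, or a merge is attempted.
All identifiers here are hypothetical names chosen for this example.
"""
from dataclasses import dataclass
from enum import Enum
from pathlib import PurePosixPath
from typing import List, Optional, Tuple


class Action(Enum):
    RUN_SANDBOX = "run_sandbox"    # hand a task to a sandcastle sandbox
    OPEN_PR = "open_pr"            # open a PR for human review
    MERGE_MAIN = "merge_main"      # merge-to-main is the deploy gate
    DEPLOY = "deploy"              # any deploy
    INFRA_CHANGE = "infra_change"  # DNS, certs, secrets, cron, cloud
    EDIT_HOST = "edit_host"        # direct edit of the host checkout


# Assumed layout: paths are relative to a workspace root in which cto/ and
# sandcastle/ are siblings. The CTO must never write under these prefixes.
READ_ONLY_PREFIXES: Tuple[str, ...] = ("sandcastle/",)

# Constructed path fragments that mark a diff as touching infrastructure.
INFRA_MARKERS: Tuple[str, ...] = (
    "dns", "cert", "secret", "cron", "terraform", "pulumi", ".github/workflows",
)

# Actions that are never allowed without a JP approval reference.
REQUIRES_JP = frozenset({Action.MERGE_MAIN, Action.DEPLOY, Action.INFRA_CHANGE})


@dataclass(frozen=True)
class Proposal:
    action: Action
    paths: Tuple[str, ...] = ()
    jp_approval: Optional[str] = None  # approval reference; None means not approved


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False  # caller must obtain or record JP approval


def normalize(path: str) -> str:
    """Resolve '.', '..' and a leading '/' lexically, so that a path such as
    'cto/../sandcastle/x' is compared as 'sandcastle/x' by the prefix check."""
    parts: List[str] = []
    for part in PurePosixPath(path).parts:  # pathlib already drops '.' segments
        if part == "..":
            if parts:
                parts.pop()
        elif part != "/":
            parts.append(part)
    return "/".join(parts)


def touches_infra(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in INFRA_MARKERS)


def evaluate(proposal: Proposal) -> Decision:
    """Apply the invariants in order: host edits, read-only mirror, JP gate."""
    if proposal.action is Action.EDIT_HOST:
        return Decision(False, "host code is never edited directly; route the change through sandcastle")

    paths = [normalize(p) for p in proposal.paths]
    blocked = [p for p in paths if p.startswith(READ_ONLY_PREFIXES)]
    if blocked:
        return Decision(False, "read-only mirror touched: " + ", ".join(blocked))

    action = proposal.action
    if action in REQUIRES_JP:
        if not proposal.jp_approval:
            return Decision(False, f"{action.value} is behind the JP approval gate", needs_approval=True)
        return Decision(True, f"{action.value} approved under {proposal.jp_approval}")

    infra = [p for p in paths if touches_infra(p)]
    if action is Action.OPEN_PR and infra:
        # The PR is the human-review path, so it may be opened, but the caller
        # must flag it: merging it is an infra change that needs JP approval.
        return Decision(True, "PR allowed; merge needs JP approval (infra: " + ", ".join(infra) + ")",
                        needs_approval=True)

    return Decision(True, f"{action.value} permitted")


if __name__ == "__main__":
    # Constructed proposals, walking the gate from sandbox run to merge.
    for p in (
        Proposal(Action.RUN_SANDBOX, ("app/menu.py",)),
        Proposal(Action.RUN_SANDBOX, ("cto/../sandcastle/src/run.ts",)),
        Proposal(Action.OPEN_PR, ("infra/dns/records.tf",)),
        Proposal(Action.MERGE_MAIN, ("app/menu.py",)),
        Proposal(Action.MERGE_MAIN, ("app/menu.py",), jp_approval="JP-APPROVAL-PLACEHOLDER"),
    ):
        d = evaluate(p)
        print(f"{p.action.value:12} allowed={d.allowed!s:5} needs_approval={d.needs_approval!s:5} {d.reason}")
```

The check is deliberately fail-closed: anything in `REQUIRES_JP` is denied unless an approval reference is present, and the read-only check runs before the approval check so that an approved merge still cannot touch the mirror. A real `cto-agent` skill would record the approval reference alongside the PR it opens, so the merge gate has something to verify rather than a free-text flag.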