---
name: disclosure-cto-planb
tier: T2
status: active
owner: jp
source: generated
last_reviewed: 2026-05-25
review_by: 2026-08-23
depends_on:
  - disclosure-schema
  - profile-distribution-protocol
  - cto-planb-contract
  - recommendations-cto-2026-05-24
  - audit-cto-2026-05-24
  - cortex-tooling
description: Canonical disclosure of cto-planb — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6.
auto_regen_cmd: "yq '.disclosure' manifest.yaml | "
---

# `cto-planb` — Disclosure

> Live as of 2026-05-25. Source: `cto/manifest.yaml → disclosure:` block (Wave-7 D2 apply — schema v2 + sandcastle external_orchestrator promoted from §12 pending to canonical §6.5 per Wave-7 Q2 decision). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p cto-planb` runtime.

## §1 Identity

| Field | Value |
|---|---|
| Profile ID | `cto-planb` |
| Repo | `~/workspaces/hermes/cto` |
| Scope | `org` |
| Org | `planb` |
| Owner | `jp` |
| Approval authority | `jp` |
| Role type | C-suite (instance #3) |
| State | stateful (`cto.db` — work_queue, agent_runtime, invocations) |
| Version | `2.0.0` (WebUI direct-coder migration in progress) |
| North star | reliable WebUI coding agent — direct scoped patches, verified commands, JP-gated risk, Sandcastle for background isolation |
| Chat-facing | `false` (kanban-driven; JP chats with steev, not cto) |
| Delegates to | none (sandcastle is a tool, not a sub-agent — CONTRACT.md §1, §9) |
| Sovereign-only | `false` (intentional — see §2) |

## §2 Inheritance posture

| Field | Value | Rationale |
|---|---|---|
| `inherit_builtins` | `false` | cto has zero builtins enabled — deny-by-default. Locks in clean posture. |
| `inherit_mcp_toolsets` | `false` | deny-by-default. CTO has one explicit MCP allowlist (`deep-research`); no inherited/global MCP bleed. |
| `inherit_dirs` | none | no external_dirs — no bundled-skill exposure |
| `sovereign_only` | `false` | INTENTIONAL. cto-agent itself runs sovereign `qwen3.6-35b-a3b`. The `claudeCode('claude-opus-4-7')` literal in sandcastle invocations names the AGENT INSIDE THE SANDBOX — hosted Claude lives behind sandcastle's isolation boundary (CONTRACT.md §5 + AUDIT §6 sovereignty note). Setting `true` would block the valid v1 design. |

## §3 Skills (11)

Per `disclosure.skills` enum. Pre-push check 6.a enforces declared == live `hermes -p cto-planb skills list` enabled set.

| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
|---|---|---|---|---|---|
| `cto-agent` | local | supervisor | — | — | Profile-level boundaries, delegation, risk gates, and direct-coder operating protocol. |
| `cto-direct-coder` | local | direct-coder | false | — | Primary inspect-plan-patch-test-report loop for WebUI coding. |
| `cto-repo-contract` | local | contract | false | — | Workspace/repo ownership map, protected paths, and canonical verification commands. |
| `cto-python-toolkit` | local | toolkit | false | — | Python stack patterns — closes CONTRACT.md §6 "Python = skill-only" gap. Anchored to bte-mcp, svrnty-hermes-webui-plugin, curator/sweep.py, scripts/sot-precommit.py. |
| `cto-angular-toolkit` | local | toolkit | false | — | Angular stack patterns — closes CONTRACT.md §6 "Angular = skill-only" gap. Anchored to adwright/adwright-console. |
| `cto-dotnet-toolkit` | local | toolkit | false | — | .NET/CQRS stack patterns anchored to L6-svrnty.lib-dotnet-cqrs, L5-svrnty.tool-cqrs-plugin, and pi-bte-plugin. |
| `cto-frontend-visual-qa` | local | verification | false | — | Browser, Playwright, screenshot, console, network, and responsive verification for UI work. |
| `cto-sandbox-job` | local | sandbox-backend | false | anthropic when configured inside Sandcastle | Sandcastle background job creation, branch strategy, event projection, and result ingestion. |
| `cto-reviewer` | local | reviewer | false | — | Diff review, test adequacy, security/risk assessment, and completion readiness. |
| `cto-evals` | local | evals | false | — | Promotion, regression, and Codex-comparative eval protocol. |
| `cto-capsule-writer` | local | memory | false | — | Converts meaningful failures and reusable workflows into capsule candidates. |

**Totals.** 11 skills total. Source breakdown: 11 local, 0 hub, 0 builtin, 0 external_dir.

## §4 MCP servers (1)

Per `disclosure.mcp_servers` allowlist. Deny-by-default; explicit tool enum (no `all`). `deep-research` is exposed for CTO source-grounding and current research per `CTO-WEBUI-CODING-AGENT-PRD.md` §8 and §23.

| Server | Transport | Endpoint | Tools | Hosted API | Data boundary |
|---|---|---|---:|---|---|
| `deep-research` | http | `http://127.0.0.1:3010/mcp` | 4 selected | conditional: hosted only when deep-research `INFERENCE_URL` routes through `llm-gateway` | Tailnet HTTP MCP; search/fetch reaches public web sources; LLM route disclosed by deep-research inference mode |

### §4.1 `deep-research` tool allowlist

| Tool | Mode | Justification |
|---|---|---|
| `mcp_deep_research_deep_research` | read | Full source-grounded research artifact for architecture, standards, vendor behavior, dependency choices, and PRD work. |
| `mcp_deep_research_web_search` | read | Granular current-source search for CTO investigations when a full artifact is too heavy. |
| `mcp_deep_research_fetch_page` | read | Fetch source pages selected during CTO research; browsing/fetch capability disclosed explicitly. |
| `mcp_deep_research_extract_pdf` | read | Extract standards papers, vendor PDFs, and architecture docs during CTO research. |

## §5 Sovereign APIs (1)

Per `disclosure.sovereign_apis`. Each entry is grep-verified against `called_by` paths.

| Name | Endpoint | Transport | Mode | Called by | Justification |
|---|---|---|---|---|---|
| `bte-rest` | `http://localhost:5000` | http | read-write | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | BTE REST `/api/export-design-md` cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only — CTO would `curl` when a UI task triggers DESIGN.md export). |

> Sandcastle is NOT listed here in §5 — it has its own dedicated surface type. See §6.5 (External orchestrators). Wave-7 Q2 resolved the §12.1 open question in favor of schema §4.6's `external_orchestrators:` taxonomy (cleaner separation from HTTP/gRPC sovereign APIs).

## §6 Cortex tools (12)

Per `disclosure.cortex_tools`. 2 invoked at runtime; 10 mount-and-cite routing targets the sandcastle sub-agent reads when cto mounts them in a prompt.

| ID | Stack | Invoked at runtime | Mode | Referenced in | Justification |
|---|---|---|---|---|---|
| `L6-svrnty.lib-dotnet-cqrs` | dotnet | false | read | `skills/cto-agent/SKILL.md`, `skills/cto-dotnet-toolkit/SKILL.md` | .NET CQRS routing target — sandcastle sub-agent reads patterns when mounted |
| `L5-svrnty.tool-cqrs-plugin` | dotnet | false | read | `skills/cto-agent/SKILL.md`, `skills/cto-dotnet-toolkit/SKILL.md` | .NET scaffolding plugin — routing target |
| `pi-bte-plugin` | dotnet | false | read | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md`, `skills/cto-dotnet-toolkit/SKILL.md` | DTCG validation + voice schema lint + DESIGN.md export — routing target + DESIGN.md emit path |
| `L6-svrnty.lib-cqrs-datasource` | dart | false | read | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | Flutter gRPC client + Angular gRPC-web reference — routing target |
| `L6-svrnty.lib-llm` | go | false | read | `skills/cto-agent/SKILL.md` | Go multi-provider LLM interface — routing target for Go tasks |
| `L6-svrnty.core-credentials` | go | **true** | read+exec | `credbridge.sh` | Runtime-invoked via `credctl` CLI from `credbridge.sh` — every `cmd_open_pr` resolves github-pat through this lib |
| `L6-svrnty.core-memory` | go | false | read | `skills/cto-agent/SKILL.md` | Go memory lib — routing target; `requires_tools: memory_tool` is Hermes-side, not direct call |
| `PG-svrnty.tool-qa` | go | false | read | `skills/cto-agent/SKILL.md` | QA orchestrator — routing target for Go QA work |
| `L6-svrnty.core-runtime` | rust | false | read | `skills/cto-agent/SKILL.md` | zeroclaw runtime — routing target for Rust tasks |
| `PG-svrnty.lib-quality-gates` | multi | **true** | read+exec | `skills/cto-python-toolkit/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | Runtime-invoked post-sandcastle via `$QG/bin/run-gates --stack python\|typescript --repo X --branch Y` |
| `L5-svrnty.lib-skills-engineering` | multi | false | read | `skills/cto-agent/SKILL.md` | 28-pattern engineering reference — routing target |
| `L5-svrnty.tool-bash-plugin` | bash | false | read | `skills/cto-agent/SKILL.md` | Bash scripting plugin — routing target for Bash tasks |

**Removed (Wave-4):** `PC-svrnty.tool-cortex-plugin` — declared in legacy `external_tool_deps` but never cited in any cto skill body or lib (orphan). Removed per Wave-3 recommendations §4 C13. Reversible by re-adding the entry to `external_tool_deps`.

## §6.5 External orchestrators (1)

Per `disclosure.external_orchestrators` (schema v2, added Wave-7 D2). Sandcastle is the background isolation backend for broad, risky, long-running, AFK, or parallel branch attempts.

| ID | Transport | Mode | Version pin | Sandboxed | Hosted API | Called by | Justification |
|---|---|---|---|---|---|---|---|
| `sandcastle` | cli | exec | `v0.5.11` | **true** | `anthropic` | `lib/cto-worker.sh` | Isolated `claudeCode('claude-opus-4-7')` exec per CONTRACT.md §5 — the 4-layer safety stack (sandbox + git branch + PR + JP approval). Escape valve under `sovereign_only: false`; if profile were `sovereign_only: true`, schema §6 6.e v2 permits this entry IFF `sandboxed: true`. |

**Governance.** `sandboxed: true` is the load-bearing field — it declares isolation. `hosted_api: anthropic` is surfaced honestly because sandcastle wraps `claudeCode('claude-opus-4-7')` (CONTRACT.md §5 invocation pattern). cto-agent itself runs sovereign `qwen3.6-35b-a3b`; hosted Claude lives **inside** sandcastle's sandbox, never on cto's own surface.

**Pin enforcement.** `version_pin: v0.5.11` matches `manifest.yaml → external_tool_deps[0].pin` and the workspace CLAUDE.md hard rule "sandcastle pinned v0.5.11; bumps human-only via `git fetch upstream && git checkout `". Sandcastle dir is read-only — never edited from cto.

**Pre-push check 6.e (v2).** With `sovereign_only: false`, no special enforcement triggers. If the profile ever flips to `sovereign_only: true`, the check 6.e v2 amendment requires `sandboxed: true` for any orchestrator declaring `hosted_api` — which this row satisfies.

## §7 Credentials (0)

No active credential declarations in this disclosure block. `github-pat` (optional, vault-absent) is parked under §12 Pending JP review per Wave-3 recommendations §5 K1 — cred-adjacent rows require JP sign-off before joining the active allowlist. Legacy `credentials.optional: [github-pat]` block remains for installer back-compat (per DISCLOSURE-SCHEMA §7).

## §8 Cron (0)

No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest `cron: []`).

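
The rules this disclosure cites for pre-push check 6 (6.a declared == live skills, the explicit tool enum from §4, 6.d vault-absent credentials, and 6.e v2 `sandboxed: true` under `sovereign_only: true`) can be expressed as a small validator. This is an added example, not the project's `curator/lib/pre-push.sh`; the dict layout, key names such as `name` and `tools`, the function names, and the placement of `sovereign_only` inside the disclosure dict are assumptions, and the sample data is constructed from the tables on this page.

```python
# Added example; not the project's pre-push.sh. Key names and layout are assumed.

def check_skills(declared, live):
    """6.a: the declared skill allowlist must equal the live enabled set."""
    declared, live = set(declared), set(live)
    errs = [f"skill declared but not live: {s}" for s in sorted(declared - live)]
    return errs + [f"skill live but undeclared: {s}" for s in sorted(live - declared)]

def check_mcp(servers):
    """Deny-by-default: each server lists its tools explicitly, never 'all'."""
    return [f"mcp {s['name']}: tools must be an explicit, non-empty list"
            for s in servers
            if not isinstance(s.get("tools"), list) or not s["tools"] or "all" in s["tools"]]

def check_credentials(active, vault):
    """6.d: a credential in the active block must be present in the vault."""
    return [f"credential {c}: active but vault-absent" for c in active if c not in vault]

def check_orchestrators(sovereign_only, orchestrators):
    """6.e v2: under sovereign_only, hosted_api is permitted only if sandboxed."""
    if not sovereign_only:
        return []
    return [f"orchestrator {o['id']}: hosted_api requires sandboxed: true"
            for o in orchestrators
            if o.get("hosted_api") and o.get("sandboxed") is not True]

def run_checks(d, live_skills, vault):
    return (check_skills(d["skills"], live_skills)
            + check_mcp(d["mcp_servers"])
            + check_credentials(d["credentials"], vault)
            + check_orchestrators(d["sovereign_only"], d["external_orchestrators"]))

# Constructed sample mirroring this page's values (skills list abbreviated).
SAMPLE = {
    "sovereign_only": False,
    "skills": ["cto-agent", "cto-direct-coder", "cto-reviewer"],
    "mcp_servers": [{"name": "deep-research", "tools": [
        "mcp_deep_research_deep_research", "mcp_deep_research_web_search",
        "mcp_deep_research_fetch_page", "mcp_deep_research_extract_pdf"]}],
    "credentials": [],
    "external_orchestrators": [
        {"id": "sandcastle", "hosted_api": "anthropic", "sandboxed": True}],
}

if __name__ == "__main__":
    for err in run_checks(SAMPLE, live_skills=SAMPLE["skills"], vault=set()):
        print("FAIL:", err)
    print("checks complete")
```

Flipping `sovereign_only` to `True` in the sample still passes because the sandcastle row is sandboxed; moving `github-pat` into `credentials` with an empty vault produces the 6.d failure that §12.2 describes.
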
## §9 Drift status

| Surface | Declared | Live | Status |
|---|---|---|---|
| Skills | 11 | 11 | in-sync (live verified 2026-05-25 by `hermes -p cto-planb skills list`) |
| MCP servers | 1 | 1 | in-sync (`deep-research`, 4 selected; verified 2026-05-25) |
| MCP tools (total) | 4 | 4 | in-sync (`deep_research`, `web_search`, `fetch_page`, `extract_pdf`) |
| External orchestrators | 1 (sandcastle) | 1 (sandcastle invoked by `lib/cto-worker.sh:50-62`) | in-sync (Wave-7 D2) |
| Credentials | 0 | 1 vault-absent declared in legacy block | acceptable (Pending JP — see §12) |

> Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24). Curator sweep will populate.

## §10 Sovereign-purity audit

- cto-owned code layer (`cto/skills/`, `cto/lib/`): **CLEAN** — orchestrator runs sovereign `qwen3.6-35b-a3b`; no hosted-API calls from cto's own surface.
- Bundled-skill exposure layer: **N/A** — `inherit_dirs: []`, `inherit_builtins: false`, no bundled skills exposed.
- `sovereign_only: false` is INTENTIONAL — `claudeCode('claude-opus-4-7')` lives inside the sandcastle isolation boundary, not on cto's own surface. The sandcastle sandbox + git branch + PR + JP approval gate = the 4-layer safety stack (AUDIT §8.3).

## §11 Governance refs

- Vision: `../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md`, `../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md`
- Governing protocols: `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`
- Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`
- Brand master ref: `../sot/07-BRAND/PLANB-BRAND-SYNTHESIS.md`

## §12 Pending JP review

Rows surfaced by Wave-3 audit/recommendations. All 3 rows resolved in **Wave-8 PAUSE-walk (2026-05-24)**. Retained for audit trail.

### §12.1 RESOLVED (Wave-7 D2 / Q2, confirmed Wave 8) — sandcastle promoted to canonical §6.5

Per Wave-7 Q2 decision (2026-05-25): the open question on (a) `sovereign_apis: cli` vs (b) schema §4.6 `external_orchestrators:` was resolved in favor of **(b)** — schema v2 added the `external_orchestrators:` surface (cleaner taxonomy, separates HTTP/gRPC sovereign APIs from CLI orchestrators with isolation semantics). Sandcastle now lives in:

- `manifest.yaml → disclosure.external_orchestrators[0]` (schema v2)
- §6.5 above (canonical disclosure section)

### §12.2 RESOLVED (Wave 8) — `github-pat` credential declaration: **KEEP declared, defer vault provision**

Per `RECOMMENDATIONS-cto-2026-05-24.md §5 K1`. **JP decision Wave 8 (2026-05-24): KEEP declared, defer vault provision until v2 PR-open path lands.**

| Field | Value |
|---|---|
| vault_name | `github-pat` |
| status | `optional` |
| scope | `read` |
| used_by | `credbridge.sh` (case `gh)`), `lib/cto-worker.sh` (open-pr command) |
| governance | required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — `cto-worker.sh open-pr` fails-fast with documented error. JP materializes via `credctl set github-pat ` before first v2 PR task. |

**Materialization state:** declared in legacy `manifest.credentials.optional: [github-pat]` (line 134) for documentation. NOT yet in `disclosure.credentials:` active block (which is `[]` on line 267) — would trigger pre-push check 6.d failure since vault-absent. Row promotes from legacy → active disclosure once JP runs `credctl set github-pat `.

### §12.3 RESOLVED (Wave 8) — `L6-svrnty.core-credentials` runtime mode: **CONFIRM as-is**

Already KEEP at `invoked_at_runtime: true`, `mode: read+exec` in §6 above. **JP decision Wave 8 (2026-05-24): CONFIRM as-is.** No change.

## §13 Open issues + next steps

- **Runtime drift check current:** manifest/disclosure declare the v2 direct-coder surface; installed `cto-planb` was compared with live `hermes -p cto-planb skills list` on 2026-05-25 and matched.
- **Promotion eval reports pending:** `cto/evals/manifest.yaml` defines the suite; passing reports are required before parity claims.
- **JP sign-off still required** for push/PR/deploy/secrets/cron/infra/production-data operations.

## §14 Related

- [`../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`](../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md) — schema definition
- [`../sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md`](../sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md) — template this doc instantiates
- [`../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`](../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md) — protocol disclosure extends
- [`../sot/06-REGISTRY/PROFILE-CATALOG.md`](../sot/06-REGISTRY/PROFILE-CATALOG.md) — fleet rollup
- [`../sot/06-REGISTRY/CORTEX-TOOLING.md`](../sot/06-REGISTRY/CORTEX-TOOLING.md) — 13-tool catalog (12 cited in §6; orphan removed)
- [`../sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md`](../sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md) — Wave-1 live inventory
- [`../sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md`](../sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md) — Wave-3 KEEP/REMOVE/ADD/NARROW decisions
- [`../sot/06-REGISTRY/EXTERNAL-REFS/SANDCASTLE.md`](../sot/06-REGISTRY/EXTERNAL-REFS/SANDCASTLE.md) — sandcastle registry entry (§12.1 governance ref)
- [`./manifest.yaml`](./manifest.yaml) — machine-readable `disclosure:` block
- [`./AGENT.md`](./AGENT.md) — identity (T2)
- [`./CONTRACT.md`](./CONTRACT.md) — behavior contract (T1)