---
name: cto-repo-contract
description: Workspace and repository contract for CTO direct coding. Use at the start of every CTO coding run to identify ownership, protected paths, allowed write scope, and canonical verification commands.
metadata:
  version: 0.1.0
  hermes:
    requires_toolsets: [file_tools, terminal_tools]
  tier: T2
  status: active
  owner: jp
  source: hand
  last_reviewed: 2026-05-25
---

# CTO Repo Contract

## Karpathy 4 Rules

1. **Think Before Coding** — identify repo, ownership, protected paths, and open assumptions first.
2. **Simplicity First** — use existing repo commands and helpers instead of adding new infrastructure.
3. **Surgical Changes** — restrict edits to the declared repo and paths; do not clean adjacent code.
4. **Goal-Driven Execution** — each repo action must map to a verification command or explicit skipped-check reason.

## Workspace Roots

- Active umbrella: `/home/svrnty/workspaces/hermes`.
- CTO-owned profile: `/home/svrnty/workspaces/hermes/cto`.
- Hermes-owned repos may be edited when task-scoped and risk-gated.
- External mirrors and upstream references are read-only unless JP explicitly approves a branch/fork patch.

## Protected Patterns

- Secrets and credentials: `.env`, `secrets/`, vault dumps, unredacted tokens.
- Generated SOT indexes/graphs: use Curator generators instead of hand editing.
- Vendor/upstream mirrors: read-only by default.
- Production configs, deploy scripts, cron, DNS/certs, billing, auth/session code: high-risk gated.
- User dirty work: never reset, checkout, overwrite, or reformat without explicit approval.

## Canonical Checks

- SOT/docs: `python3 scripts/sot-precommit.py --full-tree`.
- Root E2E slice: `pytest -q tests/e2e/test_j_cto_webui_prd.py`.
- WebUI Python tests: use targeted `pytest -q hermes-webui/tests/.py`.
- Python repos: prefer existing `pytest`, lint, and type commands from local docs/config.
- Frontend/UI: build plus Playwright/screenshot checks when visual behavior changes.
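
A pre-flight write-scope check for the Workspace Roots and Protected Patterns sections above, as an added example that is not part of this contract or of the Hermes repos. The function names, the `.env.*` variant match, and the `vendor`, `upstream`, `deploy`, `cron` and `auth` directory names are assumptions standing in for the contract's categories.

```python
import posixpath
from pathlib import PurePosixPath

UMBRELLA = "/home/svrnty/workspaces/hermes"    # from "Workspace Roots"
BLOCKED_NAMES = {".env"}                        # from "Protected Patterns"
BLOCKED_DIRS = {"secrets"}                      # from "Protected Patterns"
READ_ONLY_DIRS = {"vendor", "upstream"}         # assumed mirror directory names
HIGH_RISK_DIRS = {"deploy", "cron", "auth"}     # assumed high-risk directory names


def classify(path, write_scope):
    """Return 'outside', 'blocked', 'read-only', 'gated' or 'allowed'.

    write_scope is the directory declared for this run; relative paths are
    resolved against it. Resolution here is lexical; a check run on a real
    tree would use os.path.realpath so symlinks cannot point out of scope.
    """
    scope = posixpath.normpath(posixpath.join(UMBRELLA, write_scope))
    full = posixpath.normpath(posixpath.join(scope, path))
    # The declared scope must sit under the umbrella, and the target under
    # the scope, after '..' segments and absolute paths are normalized.
    if (posixpath.commonpath([UMBRELLA, scope]) != UMBRELLA
            or posixpath.commonpath([scope, full]) != scope):
        return "outside"
    parts = PurePosixPath(full).relative_to(scope).parts
    name = parts[-1] if parts else ""
    # '.env.*' variants are treated like '.env' (assumption, not in the contract).
    if name in BLOCKED_NAMES or name.startswith(".env.") or set(parts) & BLOCKED_DIRS:
        return "blocked"
    if set(parts) & READ_ONLY_DIRS:
        return "read-only"
    if set(parts) & HIGH_RISK_DIRS:
        return "gated"
    return "allowed"


def preflight(paths, write_scope):
    """Group proposed edit paths by verdict so a run can stop before writing."""
    report = {}
    for p in paths:
        report.setdefault(classify(p, write_scope), []).append(p)
    return report
```

Anything other than `allowed` in the report means the run should stop and ask for approval or narrow its change set before touching the file.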