---
name: disclosure-cto-planb
tier: T2
status: active
owner: jp
source: generated
last_reviewed: 2026-05-25
review_by: 2026-08-23
depends_on:
  - disclosure-schema
  - profile-distribution-protocol
  - cto-planb-contract
  - recommendations-cto-2026-05-24
  - audit-cto-2026-05-24
  - cortex-tooling
description: Canonical disclosure of cto-planb — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6.
auto_regen_cmd: "yq '.disclosure' manifest.yaml | <renderer-script>"
---

# `cto-planb` — Disclosure

> Live as of 2026-05-25. Source: `cto/manifest.yaml → disclosure:` block (Wave-7 D2 apply — schema v2 + sandcastle external_orchestrator promoted from §12 pending to canonical §6.5 per Wave-7 Q2 decision). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p cto-planb` runtime.

## §1 Identity

| Field | Value |
|---|---|
| Profile ID | `cto-planb` |
| Repo | `~/workspaces/hermes/cto` |
| Scope | `org` |
| Org | `planb` |
| Owner | `jp` |
| Approval authority | `jp` |
| Role type | C-suite (instance #3) |
| State | stateful (`cto.db` — work_queue, agent_runtime, invocations) |
| Version | `1.0.0` (MVP shipped 2026-05-24) |
| North star | reliable, evolving tech — sandcastle-orchestrated code work, JP-approved deploys, never bypass isolation |
| Chat-facing | `false` (kanban-driven; JP chats with steev, not cto) |
| Delegates to | none (sandcastle is a tool, not a sub-agent — CONTRACT.md §1, §9) |
| Sovereign-only | `false` (intentional — see §2) |

## §2 Inheritance posture

| Field | Value | Rationale |
|---|---|---|
| `inherit_builtins` | `false` | cto has zero builtins enabled — deny-by-default. Locks in clean posture. |
| `inherit_mcp_toolsets` | `false` | cto has zero MCP — deny-by-default. Closes potential bte-MCP-leak risk that hit ceo/steev. |
| `inherit_dirs` | none | no external_dirs — no bundled-skill exposure |
| `sovereign_only` | `false` | INTENTIONAL. cto-agent itself runs sovereign `qwen3.6-35b-a3b`. The `claudeCode('claude-opus-4-7')` literal in sandcastle invocations names the AGENT INSIDE THE SANDBOX — hosted Claude lives behind sandcastle's isolation boundary (CONTRACT.md §5 + AUDIT §6 sovereignty note). Setting `true` would block the valid v1 design. |

## §3 Skills (3)

Per `disclosure.skills` enum. Pre-push check 6.a enforces declared == live `hermes -p cto-planb skills list` enabled set.

| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
|---|---|---|---|---|---|
| `cto-agent` | local | orchestrator | — | — | Loop operator (decompose → sandcastle → review → PR). CONTRACT.md §1 "thin orchestrator over sandcastle". |
| `cto-python-toolkit` | local | toolkit | false | — | Python stack patterns — closes CONTRACT.md §6 "Python = skill-only" gap. Anchored to bte-mcp, svrnty-hermes-webui-plugin, curator/sweep.py, scripts/sot-precommit.py. |
| `cto-angular-toolkit` | local | toolkit | false | — | Angular stack patterns — closes CONTRACT.md §6 "Angular = skill-only" gap. Anchored to adwright/adwright-console. |

**Totals.** 3 skills total. Source breakdown: 3 local, 0 hub, 0 builtin, 0 external_dir.

## §4 MCP servers (0)

No MCP servers exposed — deny-by-default allowlist is empty. cto orchestrates via sandcastle + shell, not MCP. Matches PROFILE-CATALOG §cto-planb. Closes the bte-MCP-leak risk that hit ceo/steev.

## §5 Sovereign APIs (1)

Per `disclosure.sovereign_apis`. Each entry is grep-verified against `called_by` paths.

| Name | Endpoint | Transport | Mode | Called by | Justification |
|---|---|---|---|---|---|
| `bte-rest` | `http://localhost:5000` | http | read-write | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | BTE REST `/api/export-design-md` cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only — CTO would `curl` when a UI task triggers DESIGN.md export). |

> Sandcastle is NOT listed here in §5 — it has its own dedicated surface type. See §6.5 (External orchestrators). Wave-7 Q2 resolved the §12.1 open question in favor of schema §4.6's `external_orchestrators:` taxonomy (cleaner separation from HTTP/gRPC sovereign APIs).

## §6 Cortex tools (12)

Per `disclosure.cortex_tools`. 2 invoked at runtime; 10 mount-and-cite routing targets the sandcastle sub-agent reads when cto mounts them in a prompt.

| ID | Stack | Invoked at runtime | Mode | Referenced in | Justification |
|---|---|---|---|---|---|
| `L6-svrnty.lib-dotnet-cqrs` | dotnet | false | read | `skills/cto-agent/SKILL.md` | .NET CQRS routing target — sandcastle sub-agent reads patterns when mounted |
| `L5-svrnty.tool-cqrs-plugin` | dotnet | false | read | `skills/cto-agent/SKILL.md` | .NET scaffolding plugin — routing target |
| `pi-bte-plugin` | dotnet | false | read | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | DTCG validation + voice schema lint + DESIGN.md export — routing target + DESIGN.md emit path |
| `L6-svrnty.lib-cqrs-datasource` | dart | false | read | `skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | Flutter gRPC client + Angular gRPC-web reference — routing target |
| `L6-svrnty.lib-llm` | go | false | read | `skills/cto-agent/SKILL.md` | Go multi-provider LLM interface — routing target for Go tasks |
| `L6-svrnty.core-credentials` | go | **true** | read+exec | `credbridge.sh` | Runtime-invoked via `credctl` CLI from `credbridge.sh` — every `cmd_open_pr` resolves github-pat through this lib |
| `L6-svrnty.core-memory` | go | false | read | `skills/cto-agent/SKILL.md` | Go memory lib — routing target; `requires_tools: memory_tool` is Hermes-side, not direct call |
| `PG-svrnty.tool-qa` | go | false | read | `skills/cto-agent/SKILL.md` | QA orchestrator — routing target for Go QA work |
| `L6-svrnty.core-runtime` | rust | false | read | `skills/cto-agent/SKILL.md` | zeroclaw runtime — routing target for Rust tasks |
| `PG-svrnty.lib-quality-gates` | multi | **true** | read+exec | `skills/cto-python-toolkit/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md` | Runtime-invoked post-sandcastle via `$QG/bin/run-gates --stack python|typescript --repo X --branch Y` |
| `L5-svrnty.lib-skills-engineering` | multi | false | read | `skills/cto-agent/SKILL.md` | 28-pattern engineering reference — routing target |
| `L5-svrnty.tool-bash-plugin` | bash | false | read | `skills/cto-agent/SKILL.md` | Bash scripting plugin — routing target for Bash tasks |

**Removed (Wave-4):** `PC-svrnty.tool-cortex-plugin` — declared in legacy `external_tool_deps` but never cited in any cto skill body or lib (orphan). Removed per Wave-3 recommendations §4 C13. Reversible by re-adding the entry to `external_tool_deps`.

## §6.5 External orchestrators (1)

Per `disclosure.external_orchestrators` (schema v2, added Wave-7 D2). cto's **primary execution mechanism** — every code-modifying task routes through sandcastle's isolation boundary (CONTRACT.md §5 + §11 anti-pattern: "CTO never edits host code directly").

| ID | Transport | Mode | Version pin | Sandboxed | Hosted API | Called by | Justification |
|---|---|---|---|---|---|---|---|
| `sandcastle` | cli | exec | `v0.5.11` | **true** | `anthropic` | `lib/cto-worker.sh` | Isolated `claudeCode('claude-opus-4-7')` exec per CONTRACT.md §5 — the 4-layer safety stack (sandbox + git branch + PR + JP approval). Escape valve under `sovereign_only: false`; if profile were `sovereign_only: true`, schema §6 6.e v2 permits this entry IFF `sandboxed: true`. |

**Governance.** `sandboxed: true` is the load-bearing field — it declares isolation. `hosted_api: anthropic` is surfaced honestly because sandcastle wraps `claudeCode('claude-opus-4-7')` (CONTRACT.md §5 invocation pattern). cto-agent itself runs sovereign `qwen3.6-35b-a3b`; hosted Claude lives **inside** sandcastle's sandbox, never on cto's own surface.

**Pin enforcement.** `version_pin: v0.5.11` matches `manifest.yaml → external_tool_deps[0].pin` and the workspace CLAUDE.md hard rule "sandcastle pinned v0.5.11; bumps human-only via `git fetch upstream && git checkout <tag>`". Sandcastle dir is read-only — never edited from cto.

**Pre-push check 6.e (v2).** With `sovereign_only: false`, no special enforcement triggers. If the profile ever flips to `sovereign_only: true`, the check 6.e v2 amendment requires `sandboxed: true` for any orchestrator declaring `hosted_api` — which this row satisfies.

## §7 Credentials (0)

No active credential declarations in this disclosure block. `github-pat` (optional, vault-absent) is parked under §12 Pending JP review per Wave-3 recommendations §5 K1 — cred-adjacent rows require JP sign-off before joining the active allowlist. Legacy `credentials.optional: [github-pat]` block remains for installer back-compat (per DISCLOSURE-SCHEMA §7).

## §8 Cron (0)

No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest `cron: []`).

## §9 Drift status

| Surface | Declared | Live | Status |
|---|---|---|---|
| Skills | 3 | 3 | in-sync (live verified by AUDIT-cto-2026-05-24.md §1) |
| MCP servers | 0 | 0 | in-sync (live verified by AUDIT §2) |
| MCP tools (total) | 0 | 0 | in-sync |
| External orchestrators | 1 (sandcastle) | 1 (sandcastle invoked by `lib/cto-worker.sh:50-62`) | in-sync (Wave-7 D2) |
| Credentials | 0 | 1 vault-absent declared in legacy block | acceptable (Pending JP — see §12) |

> Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24). Curator sweep will populate.

## §10 Sovereign-purity audit

- cto-owned code layer (`cto/skills/`, `cto/lib/`): **CLEAN** — orchestrator runs sovereign `qwen3.6-35b-a3b`; no hosted-API calls from cto's own surface.
- Bundled-skill exposure layer: **N/A** — `inherit_dirs: []`, `inherit_builtins: false`, no bundled skills exposed.
- `sovereign_only: false` is INTENTIONAL — `claudeCode('claude-opus-4-7')` lives inside the sandcastle isolation boundary, not on cto's own surface. The sandcastle sandbox + git branch + PR + JP approval gate = the 4-layer safety stack (AUDIT §8.3).

## §11 Governance refs

- Vision: `../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md`, `../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md`
- Governing protocols: `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`
- Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`
- Brand master ref: `../sot/07-BRAND/PLANB-BRAND-SYNTHESIS.md`

## §12 Pending JP review

Rows surfaced by Wave-3 audit/recommendations but paused awaiting JP sign-off. These are NOT in the active `disclosure:` block yet.

### §12.1 RESOLVED (Wave-7 D2 / Q2) — sandcastle promoted to canonical §6.5

Per Wave-7 Q2 decision (2026-05-25): the open question on (a) `sovereign_apis: cli` vs (b) schema §4.6 `external_orchestrators:` was resolved in favor of **(b)** — schema v2 added the `external_orchestrators:` surface (cleaner taxonomy, separates HTTP/gRPC sovereign APIs from CLI orchestrators with isolation semantics).

Sandcastle now lives in:
- `manifest.yaml → disclosure.external_orchestrators[0]` (schema v2)
- §6.5 above (canonical disclosure section)

Row retained here for audit trail only. No JP action required.

### §12.2 KEEP — `github-pat` credential declaration (cred-adjacent PAUSE)

Per `RECOMMENDATIONS-cto-2026-05-24.md §5 K1`.

| Field | Proposed value |
|---|---|
| vault_name | `github-pat` |
| status | `optional` |
| scope | `read` |
| used_by | `credbridge.sh` (case `gh)`), `lib/cto-worker.sh` (open-pr command) |
| governance | required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — `cto-worker.sh open-pr` fails-fast with documented error. Vault provisioning is JP's responsibility before first real PR-opening task. |

**Open question for JP:** confirm KEEP declaration even though vault-absent? Recommendation: YES — v2 needs it; cto-worker.sh fails fast with a clear error if missing. Once approved, the cred row moves from §7 (empty) into the active `disclosure.credentials:` block. Pre-push check 6.d will then enforce `credctl list` exact-match.

### §12.3 NOTE — `L6-svrnty.core-credentials` runtime mode

Already KEEP at `invoked_at_runtime: true`, `mode: read+exec` in §6 above — but JP sign-off requested per Wave-3 audit hard rule (credential-adjacent). No change pending; confirm-only.

## §13 Open issues + next steps

- **Catalog drift (Wave-5 rollup):** PROFILE-CATALOG.md §cto-planb row says "v0.1 scaffold"; live = v1.0 (manifest version 1.0.0). Deferred to Wave-5 per `RECOMMENDATIONS-cto-2026-05-24.md §10`.
- **`.cto/` work dir convention:** `cto-agent/SKILL.md:75` references `${CTO_HOME}/work/${WORK_ID}/prompt.md` but `install.sh` does not `mkdir -p` that path. Soft gap; first sandcastle run will need to mkdir. Note for Wave-4 cleanup.
- **JP sign-off needed** on §12.1, §12.2, §12.3 before next-wave disclosure refresh.

## §14 Related

- [`../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`](../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md) — schema definition
- [`../sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md`](../sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md) — template this doc instantiates
- [`../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`](../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md) — protocol disclosure extends
- [`../sot/06-REGISTRY/PROFILE-CATALOG.md`](../sot/06-REGISTRY/PROFILE-CATALOG.md) — fleet rollup
- [`../sot/06-REGISTRY/CORTEX-TOOLING.md`](../sot/06-REGISTRY/CORTEX-TOOLING.md) — 13-tool catalog (12 cited in §6; orphan removed)
- [`../sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md`](../sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md) — Wave-1 live inventory
- [`../sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md`](../sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md) — Wave-3 KEEP/REMOVE/ADD/NARROW decisions
- [`../sot/06-REGISTRY/EXTERNAL-REFS/SANDCASTLE.md`](../sot/06-REGISTRY/EXTERNAL-REFS/SANDCASTLE.md) — sandcastle registry entry (§12.1 governance ref)
- [`./manifest.yaml`](./manifest.yaml) — machine-readable `disclosure:` block
- [`./AGENT.md`](./AGENT.md) — identity (T2)
- [`./CONTRACT.md`](./CONTRACT.md) — behavior contract (T1)