| name | tier | status | owner | source | last_reviewed | review_by | depends_on | description | auto_regen_cmd |
|---|---|---|---|---|---|---|---|---|---|
| disclosure-cto-planb | T2 | active | jp | generated | 2026-05-25 | 2026-08-23 | | Canonical disclosure of cto-planb — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6. | `yq '.disclosure' manifest.yaml \| <renderer-script>` |
cto-planb — Disclosure
Live as of 2026-05-25. Source: `cto/manifest.yaml → disclosure:` block (Wave-7 D2 apply — schema v2 + sandcastle external_orchestrator promoted from §12 pending to canonical §6.5 per Wave-7 Q2 decision). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p cto-planb` runtime.
§1 Identity
| Field | Value |
|---|---|
| Profile ID | cto-planb |
| Repo | ~/workspaces/hermes/cto |
| Scope | org |
| Org | planb |
| Owner | jp |
| Approval authority | jp |
| Role type | C-suite (instance #3) |
| State | stateful (cto.db — work_queue, agent_runtime, invocations) |
| Version | 1.0.0 (MVP shipped 2026-05-24) |
| North star | reliable, evolving tech — sandcastle-orchestrated code work, JP-approved deploys, never bypass isolation |
| Chat-facing | false (kanban-driven; JP chats with steev, not cto) |
| Delegates to | none (sandcastle is a tool, not a sub-agent — CONTRACT.md §1, §9) |
| Sovereign-only | false (intentional — see §2) |
§2 Inheritance posture
| Field | Value | Rationale |
|---|---|---|
| inherit_builtins | false | cto has zero builtins enabled — deny-by-default. Locks in clean posture. |
| inherit_mcp_toolsets | false | deny-by-default. CTO has one explicit MCP allowlist (deep-research); no inherited/global MCP bleed. |
| inherit_dirs | none | no external_dirs — no bundled-skill exposure |
| sovereign_only | false | INTENTIONAL. cto-agent itself runs sovereign qwen3.6-35b-a3b. The claudeCode('claude-opus-4-7') literal in sandcastle invocations names the AGENT INSIDE THE SANDBOX — hosted Claude lives behind sandcastle's isolation boundary (CONTRACT.md §5 + AUDIT §6 sovereignty note). Setting true would block the valid v1 design. |
§3 Skills (3)
Per disclosure.skills enum. Pre-push check 6.a enforces declared == live hermes -p cto-planb skills list enabled set.
| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
|---|---|---|---|---|---|
| cto-agent | local | orchestrator | — | — | Loop operator (decompose → sandcastle → review → PR). CONTRACT.md §1 "thin orchestrator over sandcastle". |
| cto-python-toolkit | local | toolkit | false | — | Python stack patterns — closes CONTRACT.md §6 "Python = skill-only" gap. Anchored to bte-mcp, svrnty-hermes-webui-plugin, curator/sweep.py, scripts/sot-precommit.py. |
| cto-angular-toolkit | local | toolkit | false | — | Angular stack patterns — closes CONTRACT.md §6 "Angular = skill-only" gap. Anchored to adwright/adwright-console. |
Totals. 3 skills total. Source breakdown: 3 local, 0 hub, 0 builtin, 0 external_dir.
§4 MCP servers (1)
Per disclosure.mcp_servers allowlist. Deny-by-default; explicit tool enum (no all). deep-research is exposed for CTO source-grounding and current research per CTO-WEBUI-CODING-AGENT-PRD.md §8 and §23.
| Server | Transport | Endpoint | Tools | Hosted API | Data boundary |
|---|---|---|---|---|---|
| deep-research | http | http://127.0.0.1:3010/mcp | 4 selected | conditional: hosted only when deep-research INFERENCE_URL routes through llm-gateway | Tailnet HTTP MCP; search/fetch reaches public web sources; LLM route disclosed by deep-research inference mode |
§4.1 deep-research tool allowlist
| Tool | Mode | Justification |
|---|---|---|
| mcp_deep_research_deep_research | read | Full source-grounded research artifact for architecture, standards, vendor behavior, dependency choices, and PRD work. |
| mcp_deep_research_web_search | read | Granular current-source search for CTO investigations when a full artifact is too heavy. |
| mcp_deep_research_fetch_page | read | Fetch source pages selected during CTO research; browsing/fetch capability disclosed explicitly. |
| mcp_deep_research_extract_pdf | read | Extract standards papers, vendor PDFs, and architecture docs during CTO research. |
§5 Sovereign APIs (1)
Per disclosure.sovereign_apis. Each entry is grep-verified against called_by paths.
| Name | Endpoint | Transport | Mode | Called by | Justification |
|---|---|---|---|---|---|
| bte-rest | http://localhost:5000 | http | read-write | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md | BTE REST /api/export-design-md cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only — CTO would curl when a UI task triggers DESIGN.md export). |
Sandcastle is NOT listed here in §5 — it has its own dedicated surface type. See §6.5 (External orchestrators). Wave-7 Q2 resolved the §12.1 open question in favor of schema §4.6's `external_orchestrators:` taxonomy (cleaner separation from HTTP/gRPC sovereign APIs).
§6 Cortex tools (12)
Per disclosure.cortex_tools. 2 invoked at runtime; 10 mount-and-cite routing targets the sandcastle sub-agent reads when cto mounts them in a prompt.
| ID | Stack | Invoked at runtime | Mode | Referenced in | Justification |
|---|---|---|---|---|---|
| L6-svrnty.lib-dotnet-cqrs | dotnet | false | read | skills/cto-agent/SKILL.md | .NET CQRS routing target — sandcastle sub-agent reads patterns when mounted |
| L5-svrnty.tool-cqrs-plugin | dotnet | false | read | skills/cto-agent/SKILL.md | .NET scaffolding plugin — routing target |
| pi-bte-plugin | dotnet | false | read | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md | DTCG validation + voice schema lint + DESIGN.md export — routing target + DESIGN.md emit path |
| L6-svrnty.lib-cqrs-datasource | dart | false | read | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md | Flutter gRPC client + Angular gRPC-web reference — routing target |
| L6-svrnty.lib-llm | go | false | read | skills/cto-agent/SKILL.md | Go multi-provider LLM interface — routing target for Go tasks |
| L6-svrnty.core-credentials | go | true | read+exec | credbridge.sh | Runtime-invoked via credctl CLI from credbridge.sh — every cmd_open_pr resolves github-pat through this lib |
| L6-svrnty.core-memory | go | false | read | skills/cto-agent/SKILL.md | Go memory lib — routing target; requires_tools: memory_tool is Hermes-side, not direct call |
| PG-svrnty.tool-qa | go | false | read | skills/cto-agent/SKILL.md | QA orchestrator — routing target for Go QA work |
| L6-svrnty.core-runtime | rust | false | read | skills/cto-agent/SKILL.md | zeroclaw runtime — routing target for Rust tasks |
| PG-svrnty.lib-quality-gates | multi | true | read+exec | skills/cto-python-toolkit/SKILL.md, skills/cto-angular-toolkit/SKILL.md | Runtime-invoked post-sandcastle via `$QG/bin/run-gates --stack python |
| L5-svrnty.lib-skills-engineering | multi | false | read | skills/cto-agent/SKILL.md | 28-pattern engineering reference — routing target |
| L5-svrnty.tool-bash-plugin | bash | false | read | skills/cto-agent/SKILL.md | Bash scripting plugin — routing target for Bash tasks |
Removed (Wave-4): PC-svrnty.tool-cortex-plugin — declared in legacy external_tool_deps but never cited in any cto skill body or lib (orphan). Removed per Wave-3 recommendations §4 C13. Reversible by re-adding the entry to external_tool_deps.
§6.5 External orchestrators (1)
Per disclosure.external_orchestrators (schema v2, added Wave-7 D2). cto's primary execution mechanism — every code-modifying task routes through sandcastle's isolation boundary (CONTRACT.md §5 + §11 anti-pattern: "CTO never edits host code directly").
| ID | Transport | Mode | Version pin | Sandboxed | Hosted API | Called by | Justification |
|---|---|---|---|---|---|---|---|
| sandcastle | cli | exec | v0.5.11 | true | anthropic | lib/cto-worker.sh | Isolated claudeCode('claude-opus-4-7') exec per CONTRACT.md §5 — the 4-layer safety stack (sandbox + git branch + PR + JP approval). Escape valve under sovereign_only: false; if profile were sovereign_only: true, schema §6 6.e v2 permits this entry IFF sandboxed: true. |
Governance. sandboxed: true is the load-bearing field — it declares isolation. hosted_api: anthropic is surfaced honestly because sandcastle wraps claudeCode('claude-opus-4-7') (CONTRACT.md §5 invocation pattern). cto-agent itself runs sovereign qwen3.6-35b-a3b; hosted Claude lives inside sandcastle's sandbox, never on cto's own surface.
Pin enforcement. version_pin: v0.5.11 matches manifest.yaml → external_tool_deps[0].pin and the workspace CLAUDE.md hard rule "sandcastle pinned v0.5.11; bumps human-only via git fetch upstream && git checkout <tag>". Sandcastle dir is read-only — never edited from cto.
Pre-push check 6.e (v2). With sovereign_only: false, no special enforcement triggers. If the profile ever flips to sovereign_only: true, the check 6.e v2 amendment requires sandboxed: true for any orchestrator declaring hosted_api — which this row satisfies.
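The two §6.5 rules above (check 6.e v2 and the version-pin match), written out as an added Python example; this is not the project's `pre-push.sh`. Field names (`sovereign_only`, `external_orchestrators`, `sandboxed`, `hosted_api`, `version_pin`, `external_tool_deps[].pin`) come from this page; the dict layout, the `name` key on dependency entries, the function names and the `v0.5.12` drift value are assumptions constructed for illustration.

```python
# Added example: field names come from this page; the dict layout, the `name`
# key on external_tool_deps entries, and the function names are assumptions.

def check_orchestrators(manifest):
    """Return violation strings for the §6.5 rules (empty list = pass)."""
    disclosure = manifest.get("disclosure", {})
    sovereign_only = disclosure.get("sovereign_only", False)
    pins = {d.get("name"): d.get("pin") for d in manifest.get("external_tool_deps", [])}
    violations = []
    for orch in disclosure.get("external_orchestrators", []):
        oid = orch.get("id", "<missing id>")
        # Check 6.e v2: under sovereign_only, a hosted_api orchestrator must be
        # sandboxed. `is not True` fails closed on a missing or non-boolean value.
        if sovereign_only and orch.get("hosted_api") and orch.get("sandboxed") is not True:
            violations.append(f"6.e: {oid} declares hosted_api={orch['hosted_api']} without sandboxed: true")
        # Pin enforcement: the disclosed version_pin must equal the dependency pin.
        pin = orch.get("version_pin")
        if pin is None or pins.get(oid) != pin:
            violations.append(f"pin: {oid} version_pin={pin!r} != external_tool_deps pin={pins.get(oid)!r}")
    return violations


def sample_manifest(sovereign_only=False, sandboxed=True, dep_pin="v0.5.11"):
    """Constructed sample mirroring the sandcastle row in §6.5."""
    return {
        "external_tool_deps": [{"name": "sandcastle", "pin": dep_pin}],
        "disclosure": {
            "sovereign_only": sovereign_only,
            "external_orchestrators": [{
                "id": "sandcastle", "transport": "cli", "mode": "exec",
                "version_pin": "v0.5.11", "sandboxed": sandboxed,
                "hosted_api": "anthropic",
            }],
        },
    }


if __name__ == "__main__":
    for label, m in [
        ("as disclosed", sample_manifest()),
        ("sovereign_only flipped", sample_manifest(sovereign_only=True)),
        ("flipped, not sandboxed", sample_manifest(sovereign_only=True, sandboxed=False)),
        ("pin drift (constructed)", sample_manifest(dep_pin="v0.5.12")),
    ]:
        print(label, "->", check_orchestrators(m) or "PASS")
```

The check fails closed: a `sandboxed` value that is missing or is the string `"true"` rather than a boolean counts as not sandboxed once `sovereign_only` is set.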
§7 Credentials (0)
No active credential declarations in this disclosure block. github-pat (optional, vault-absent) is parked under §12 Pending JP review per Wave-3 recommendations §5 K1 — cred-adjacent rows require JP sign-off before joining the active allowlist. Legacy credentials.optional: [github-pat] block remains for installer back-compat (per DISCLOSURE-SCHEMA §7).
§8 Cron (0)
No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest cron: []).
§9 Drift status
| Surface | Declared | Live | Status |
|---|---|---|---|
| Skills | 3 | 3 | in-sync (live verified by AUDIT-cto-2026-05-24.md §1) |
| MCP servers | 1 | 1 | in-sync (deep-research, 4 selected; verified 2026-05-25) |
| MCP tools (total) | 4 | 4 | in-sync (deep_research, web_search, fetch_page, extract_pdf) |
| External orchestrators | 1 (sandcastle) | 1 (sandcastle invoked by lib/cto-worker.sh:50-62) | in-sync (Wave-7 D2) |
| Credentials | 0 | 1 vault-absent declared in legacy block | acceptable (Pending JP — see §12) |
Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24). Curator sweep will populate.
§10 Sovereign-purity audit
- cto-owned code layer (`cto/skills/`, `cto/lib/`): CLEAN — orchestrator runs sovereign `qwen3.6-35b-a3b`; no hosted-API calls from cto's own surface.
- Bundled-skill exposure layer: N/A — `inherit_dirs: []`, `inherit_builtins: false`, no bundled skills exposed.
- `sovereign_only: false` is INTENTIONAL — `claudeCode('claude-opus-4-7')` lives inside the sandcastle isolation boundary, not on cto's own surface. The sandcastle sandbox + git branch + PR + JP approval gate = the 4-layer safety stack (AUDIT §8.3).
§11 Governance refs
- Vision: `../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md`, `../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md`
- Governing protocols: `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`
- Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`
- Brand master ref: `../sot/07-BRAND/PLANB-BRAND-SYNTHESIS.md`
§12 Pending JP review
Rows surfaced by Wave-3 audit/recommendations. All 3 rows resolved in Wave-8 PAUSE-walk (2026-05-24). Retained for audit trail.
§12.1 RESOLVED (Wave-7 D2 / Q2, confirmed Wave 8) — sandcastle promoted to canonical §6.5
Per Wave-7 Q2 decision (2026-05-25): the open question on (a) sovereign_apis: cli vs (b) schema §4.6 external_orchestrators: was resolved in favor of (b) — schema v2 added the external_orchestrators: surface (cleaner taxonomy, separates HTTP/gRPC sovereign APIs from CLI orchestrators with isolation semantics).
Sandcastle now lives in:
- `manifest.yaml → disclosure.external_orchestrators[0]` (schema v2)
- §6.5 above (canonical disclosure section)
§12.2 RESOLVED (Wave 8) — github-pat credential declaration: KEEP declared, defer vault provision
Per RECOMMENDATIONS-cto-2026-05-24.md §5 K1. JP decision Wave 8 (2026-05-24): KEEP declared, defer vault provision until v2 PR-open path lands.
| Field | Value |
|---|---|
| vault_name | github-pat |
| status | optional |
| scope | read |
| used_by | credbridge.sh (case `gh)`), lib/cto-worker.sh (open-pr command) |
| governance | required for v2 PR-open path (gh pr create via credbridge). Currently absent from vault — cto-worker.sh open-pr fails-fast with documented error. JP materializes via credctl set github-pat <PAT> before first v2 PR task. |
Materialization state: declared in legacy manifest.credentials.optional: [github-pat] (line 134) for documentation. NOT yet in disclosure.credentials: active block (which is [] on line 267) — would trigger pre-push check 6.d failure since vault-absent. Row promotes from legacy → active disclosure once JP runs credctl set github-pat <PAT>.
§12.3 RESOLVED (Wave 8) — L6-svrnty.core-credentials runtime mode: CONFIRM as-is
Already KEEP at invoked_at_runtime: true, mode: read+exec in §6 above. JP decision Wave 8 (2026-05-24): CONFIRM as-is. No change.
§13 Open issues + next steps
- Catalog drift (Wave-5 rollup): PROFILE-CATALOG.md §cto-planb row says "v0.1 scaffold"; live = v1.0 (manifest version 1.0.0). Deferred to Wave-5 per `RECOMMENDATIONS-cto-2026-05-24.md §10`.
- `.cto/work` dir convention: `cto-agent/SKILL.md:75` references `${CTO_HOME}/work/${WORK_ID}/prompt.md` but `install.sh` does not `mkdir -p` that path. Soft gap; first sandcastle run will need to mkdir. Note for Wave-4 cleanup.
- JP sign-off needed on §12.1, §12.2, §12.3 before next-wave disclosure refresh.
§14 Related
- `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md` — schema definition
- `../sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md` — template this doc instantiates
- `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md` — protocol disclosure extends
- `../sot/06-REGISTRY/PROFILE-CATALOG.md` — fleet rollup
- `../sot/06-REGISTRY/CORTEX-TOOLING.md` — 13-tool catalog (12 cited in §6; orphan removed)
- `../sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md` — Wave-1 live inventory
- `../sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md` — Wave-3 KEEP/REMOVE/ADD/NARROW decisions
- `../sot/06-REGISTRY/EXTERNAL-REFS/SANDCASTLE.md` — sandcastle registry entry (§12.1 governance ref)
- `./manifest.yaml` — machine-readable `disclosure:` block
- `./AGENT.md` — identity (T2)
- `./CONTRACT.md` — behavior contract (T1)