cto/DISCLOSURE.md
Svrnty b50e32ae74 feat(disclosure): Wave 4 — cto-planb disclosure: block (3 skills + cortex_tools narrow) — sprint 2026-05-24
Wave-4C apply of Wave-3 recommendations for cto-planb. cto is the cleanest
profile in the 5-profile fleet — minimal deltas by design (Karpathy Rules 2+3).

Active disclosure block:
- 3 skills (cto-agent orchestrator + cto-python-toolkit + cto-angular-toolkit)
- 0 MCP (deny-by-default; closes bte-MCP-leak risk seen on ceo/steev)
- 1 sovereign_api (bte-rest /api/export-design-md — documented pattern)
- 12 cortex_tools (13 minus PC-svrnty.tool-cortex-plugin orphan; 2 invoked
  at runtime: L6-svrnty.core-credentials + PG-svrnty.lib-quality-gates)
- 0 active credentials
- inherit_builtins: false, inherit_mcp_toolsets: false
- sovereign_only: false (INTENTIONAL — claudeCode lives INSIDE sandcastle
  isolation per CONTRACT.md §5; cto-agent itself runs sovereign qwen3.6)

Orphan removal: PC-svrnty.tool-cortex-plugin removed from external_tool_deps
(never cited in any cto skill body or lib — per RECOMMENDATIONS §4 C13).

Pending JP review (DISCLOSURE.md §12 — paused per Wave-3 hard rule):
- §12.1 ADD sandcastle as sovereign_api (governance-critical, may need
  DISCLOSURE-SCHEMA §4.6 amendment for external_orchestrators surface)
- §12.2 KEEP github-pat cred declaration (vault-absent; v2 PR-open needs it)
- §12.3 NOTE L6-svrnty.core-credentials runtime mode (cred-adjacent confirm)

Refs:
- sot/04-STANDARDS/DISCLOSURE-SCHEMA.md (schema_version 1)
- sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md
- sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md
- sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 15:59:55 -04:00


| Field | Value |
|---|---|
| name | disclosure-cto-planb |
| tier | T2 |
| status | active |
| owner | jp |
| source | generated |
| last_reviewed | 2026-05-24 |
| review_by | 2026-08-22 |
| depends_on | disclosure-schema, profile-distribution-protocol, cto-planb-contract, recommendations-cto-2026-05-24, audit-cto-2026-05-24, cortex-tooling |
| description | Canonical disclosure of cto-planb: exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6. |
| auto_regen_cmd | `yq '.disclosure' manifest.yaml \| <renderer-script>` |

cto-planb — Disclosure

Live as of 2026-05-24. Source: cto/manifest.yaml → disclosure: block (Wave-4 apply). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces that this block equals the live `hermes -p cto-planb` runtime.

§1 Identity

| Field | Value |
|---|---|
| Profile ID | cto-planb |
| Repo | ~/workspaces/hermes/cto |
| Scope | org |
| Org | planb |
| Owner | jp |
| Approval authority | jp |
| Role type | C-suite (instance #3) |
| State | stateful (cto.db — work_queue, agent_runtime, invocations) |
| Version | 1.0.0 (MVP shipped 2026-05-24) |
| North star | reliable, evolving tech — sandcastle-orchestrated code work, JP-approved deploys, never bypass isolation |
| Chat-facing | false (kanban-driven; JP chats with steev, not cto) |
| Delegates to | none (sandcastle is a tool, not a sub-agent — CONTRACT.md §1, §9) |
| Sovereign-only | false (intentional — see §2) |

§2 Inheritance posture

| Field | Value | Rationale |
|---|---|---|
| inherit_builtins | false | cto has zero builtins enabled — deny-by-default. Locks in the clean posture. |
| inherit_mcp_toolsets | false | cto has zero MCP — deny-by-default. Closes the potential bte-MCP-leak risk that hit ceo/steev. |
| inherit_dirs | none | no external_dirs — no bundled-skill exposure |
| sovereign_only | false | INTENTIONAL. cto-agent itself runs sovereign qwen3.6-35b-a3b. The claudeCode('claude-opus-4-7') literal in sandcastle invocations names the AGENT INSIDE THE SANDBOX — hosted Claude lives behind sandcastle's isolation boundary (CONTRACT.md §5 + AUDIT §6 sovereignty note). Setting true would block the valid v1 design. |

§3 Skills (3)

Per disclosure.skills enum. Pre-push check 6.a enforces that the declared set equals the enabled set reported live by `hermes -p cto-planb skills list`.

| ID | Source | Role | Sovereign-req / Hosted-API | Justification |
|---|---|---|---|---|
| cto-agent | local | orchestrator | | Loop operator (decompose → sandcastle → review → PR). CONTRACT.md §1 "thin orchestrator over sandcastle". |
| cto-python-toolkit | local | toolkit | false | Python stack patterns — closes CONTRACT.md §6 "Python = skill-only" gap. Anchored to bte-mcp, svrnty-hermes-webui-plugin, curator/sweep.py, scripts/sot-precommit.py. |
| cto-angular-toolkit | local | toolkit | false | Angular stack patterns — closes CONTRACT.md §6 "Angular = skill-only" gap. Anchored to adwright/adwright-console. |

Totals. 3 skills total. Source breakdown: 3 local, 0 hub, 0 builtin, 0 external_dir.

§4 MCP servers (0)

No MCP servers exposed — deny-by-default allowlist is empty. cto orchestrates via sandcastle + shell, not MCP. Matches PROFILE-CATALOG §cto-planb. Closes the bte-MCP-leak risk that hit ceo/steev.

§5 Sovereign APIs (1)

Per disclosure.sovereign_apis. Each entry is grep-verified against called_by paths.

| Name | Endpoint | Transport | Mode | Called by | Justification |
|---|---|---|---|---|---|
| bte-rest | http://localhost:5000 | http | read-write | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md | BTE REST /api/export-design-md cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only — CTO would curl when a UI task triggers DESIGN.md export). |

Sandcastle is NOT listed here in §5 — see §12 (Pending JP review). Per Wave-3 recommendations §3 A2 it is governance-critical and PAUSED awaiting JP's call on documenting it under sovereign_apis: with transport: cli vs. a schema §4.6 extension (external_orchestrators:).

§6 Cortex tools (12)

Per disclosure.cortex_tools. 2 are invoked at runtime; the other 10 are mount-and-cite routing targets that the sandcastle sub-agent reads when cto mounts them in a prompt.

| ID | Stack | Invoked at runtime | Mode | Referenced in | Justification |
|---|---|---|---|---|---|
| L6-svrnty.lib-dotnet-cqrs | dotnet | false | read | skills/cto-agent/SKILL.md | .NET CQRS routing target — sandcastle sub-agent reads patterns when mounted |
| L5-svrnty.tool-cqrs-plugin | dotnet | false | read | skills/cto-agent/SKILL.md | .NET scaffolding plugin — routing target |
| pi-bte-plugin | dotnet | false | read | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md | DTCG validation + voice schema lint + DESIGN.md export — routing target + DESIGN.md emit path |
| L6-svrnty.lib-cqrs-datasource | dart | false | read | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md | Flutter gRPC client + Angular gRPC-web reference — routing target |
| L6-svrnty.lib-llm | go | false | read | skills/cto-agent/SKILL.md | Go multi-provider LLM interface — routing target for Go tasks |
| L6-svrnty.core-credentials | go | true | read+exec | credbridge.sh | Runtime-invoked via credctl CLI from credbridge.sh — every cmd_open_pr resolves github-pat through this lib |
| L6-svrnty.core-memory | go | false | read | skills/cto-agent/SKILL.md | Go memory lib — routing target; requires_tools: memory_tool is Hermes-side, not a direct call |
| PG-svrnty.tool-qa | go | false | read | skills/cto-agent/SKILL.md | QA orchestrator — routing target for Go QA work |
| L6-svrnty.core-runtime | rust | false | read | skills/cto-agent/SKILL.md | zeroclaw runtime — routing target for Rust tasks |
| PG-svrnty.lib-quality-gates | multi | true | read+exec | skills/cto-python-toolkit/SKILL.md, skills/cto-angular-toolkit/SKILL.md | Runtime-invoked post-sandcastle via `$QG/bin/run-gates --stack python` |
| L5-svrnty.lib-skills-engineering | multi | false | read | skills/cto-agent/SKILL.md | 28-pattern engineering reference — routing target |
| L5-svrnty.tool-bash-plugin | bash | false | read | skills/cto-agent/SKILL.md | Bash scripting plugin — routing target for Bash tasks |

Removed (Wave-4): PC-svrnty.tool-cortex-plugin — declared in legacy external_tool_deps but never cited in any cto skill body or lib (orphan). Removed per Wave-3 recommendations §4 C13. Reversible by re-adding the entry to external_tool_deps.

§7 Credentials (0)

No active credential declarations in this disclosure block. github-pat (optional, vault-absent) is parked under §12 Pending JP review per Wave-3 recommendations §5 K1 — cred-adjacent rows require JP sign-off before joining the active allowlist. Legacy credentials.optional: [github-pat] block remains for installer back-compat (per DISCLOSURE-SCHEMA §7).

§8 Cron (0)

No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest cron: []).

§9 Drift status

| Surface | Declared | Live | Status |
|---|---|---|---|
| Skills | 3 | 3 | in-sync (live verified by AUDIT-cto-2026-05-24.md §1) |
| MCP servers | 0 | 0 | in-sync (live verified by AUDIT §2) |
| MCP tools (total) | 0 | 0 | in-sync |
| Credentials | 0 | 1 (vault-absent, declared in legacy block) | acceptable (Pending JP — see §12) |

Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24). Curator sweep will populate.
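The declared-vs-live comparison that §3 (check 6.a) and this section describe is, at bottom, a set comparison per surface in both directions: a declared entry that is absent live means the disclosure is stale, and a live entry that was never declared means the allowlist has been bypassed (the bte-MCP-leak shape that §4 mentions). The following is an added example written for this page, not curator/lib/pre-push.sh or any other code from the project. Every list in it is constructed sample data; in the real hook the declared side would come from `yq '.disclosure' manifest.yaml` and the live side from `hermes -p cto-planb skills list` and `credctl list` (the commands this document names). The `cto-rust-toolkit` skill and `filesystem` MCP server in the drifted samples are hypothetical names invented to show what the check catches.

```shell
#!/usr/bin/env sh
# Added example (not curator/lib/pre-push.sh): a declared-vs-live allowlist
# drift check modelled on pre-push check 6. All lists are constructed sample
# data; the real hook would read the declared side from manifest.yaml and the
# live side from `hermes -p cto-planb skills list` / `credctl list`.

# --- declared allowlists (mirrors the Wave-4 disclosure block) ---
DECLARED_SKILLS="cto-agent
cto-python-toolkit
cto-angular-toolkit"
DECLARED_MCP=""          # deny-by-default: empty allowlist
DECLARED_CREDS=""        # 0 active credentials

# --- constructed stand-ins for live runtime output ---
LIVE_SKILLS="cto-agent
cto-angular-toolkit
cto-python-toolkit"      # same set in a different order: must still be in-sync
LIVE_MCP=""
LIVE_CREDS=""

# Hypothetical drifted outputs, to show what the check reports.
LIVE_SKILLS_DRIFTED="cto-agent
cto-angular-toolkit
cto-rust-toolkit"        # python toolkit disabled, undeclared rust toolkit enabled
LIVE_MCP_LEAK="filesystem"   # an MCP server that leaked into a deny-by-default profile

# set_diff A B: lines of A (newline-separated) that are not in B; blank lines ignored.
set_diff() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(b, bl, "\n"); for (i = 1; i <= n; i++) seen[bl[i]] = 1
    n = split(a, al, "\n"); for (i = 1; i <= n; i++)
      if (al[i] != "" && !(al[i] in seen)) print al[i]
  }'
}

# drift_report SURFACE DECLARED LIVE
# Prints one line per drifted entry; returns 1 on any drift, 0 when in-sync.
# Both directions are checked: declared-but-missing (stale disclosure) and
# live-but-undeclared (allowlist bypass).
drift_report() {
  surface=$1
  missing=$(set_diff "$2" "$3")
  extra=$(set_diff "$3" "$2")
  rc=0
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing" | sed "s/^/$surface missing-from-live: /"; rc=1
  fi
  if [ -n "$extra" ]; then
    printf '%s\n' "$extra" | sed "s/^/$surface not-declared: /"; rc=1
  fi
  return $rc
}

# check_all: hook-style aggregate over every surface; a non-zero status blocks the push.
check_all() {
  status=0
  drift_report skills      "$DECLARED_SKILLS" "$LIVE_SKILLS" || status=1
  drift_report mcp         "$DECLARED_MCP"    "$LIVE_MCP"    || status=1
  drift_report credentials "$DECLARED_CREDS"  "$LIVE_CREDS"  || status=1
  [ "$status" -eq 0 ] && echo "disclosure == live: in-sync"
  return $status
}

check_all
echo "--- drifted samples ---"
drift_report skills "$DECLARED_SKILLS" "$LIVE_SKILLS_DRIFTED" || true
drift_report mcp "$DECLARED_MCP" "$LIVE_MCP_LEAK" || true
```

Run as-is it reports the in-sync case, then the two drifted samples (`skills missing-from-live: cto-python-toolkit`, `skills not-declared: cto-rust-toolkit`, `mcp not-declared: filesystem`). Order-insensitivity matters because the live command output need not be sorted, and the empty-both-sides case must pass so that a deny-by-default surface with nothing declared and nothing live is reported as in-sync rather than as an error.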

§10 Sovereign-purity audit

  • cto-owned code layer (cto/skills/, cto/lib/): CLEAN — orchestrator runs sovereign qwen3.6-35b-a3b; no hosted-API calls from cto's own surface.
  • Bundled-skill exposure layer: N/A (inherit_dirs: [], inherit_builtins: false; no bundled skills exposed).
  • sovereign_only: false is INTENTIONAL — claudeCode('claude-opus-4-7') lives inside the sandcastle isolation boundary, not on cto's own surface. The sandcastle sandbox + git branch + PR + JP approval gate = the 4-layer safety stack (AUDIT §8.3).

§11 Governance refs

  • Vision: ../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md, ../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md
  • Governing protocols: ../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md
  • Standards: ../sot/04-STANDARDS/FRONTMATTER-SPEC.md, ../sot/04-STANDARDS/SOT-ENFORCEMENT.md, ../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md
  • Brand master ref: ../sot/07-BRAND/PLANB-BRAND-SYNTHESIS.md

§12 Pending JP review

Rows surfaced by Wave-3 audit/recommendations but paused awaiting JP sign-off. These are NOT in the active disclosure: block yet.

§12.1 ADD — sandcastle as sovereign_api (governance-critical)

Per RECOMMENDATIONS-cto-2026-05-24.md §3 A2 and AUDIT-cto-2026-05-24.md §8.

| Field | Proposed value |
|---|---|
| name | sandcastle |
| transport | cli (via `npx tsx -e "..."` per lib/cto-worker.sh:50-62) |
| endpoint | ../sandcastle (read-only sibling, pinned v0.5.11) |
| mode | exec |
| called_by | lib/cto-worker.sh (one actual runtime invocation at lines 50-62 + 3 env/wrapper refs) |
| justification | sandcastle is cto's primary execution mechanism (CONTRACT.md §5 + §11 anti-patterns: "CTO never edits host code directly — always via sandcastle"). Currently only present in legacy external_tool_deps. DISCLOSURE-SCHEMA §4 has no sandcastle surface type; closest fit = sovereign_apis with transport: cli + governance note. |

Open question for JP: prefer (a) document under sovereign_apis: with transport: cli (zero schema churn — Karpathy Rule 2 default) OR (b) DISCLOSURE-SCHEMA §4.6 amendment adding external_orchestrators: surface (cleaner taxonomy, defers this row to a future wave)? Recommendation: (a).

§12.2 KEEP — github-pat credential declaration (cred-adjacent PAUSE)

Per RECOMMENDATIONS-cto-2026-05-24.md §5 K1.

| Field | Proposed value |
|---|---|
| vault_name | github-pat |
| status | optional |
| scope | read |
| used_by | credbridge.sh (`gh)` case arm), lib/cto-worker.sh (open-pr command) |
| governance | required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — cto-worker.sh open-pr fails fast with a documented error. Vault provisioning is JP's responsibility before the first real PR-opening task. |

Open question for JP: confirm KEEP declaration even though vault-absent? Recommendation: YES — v2 needs it; cto-worker.sh fails fast with a clear error if missing. Once approved, the cred row moves from §7 (empty) into the active disclosure.credentials: block. Pre-push check 6.d will then enforce credctl list exact-match.

§12.3 NOTE — L6-svrnty.core-credentials runtime mode

Already KEEP at invoked_at_runtime: true, mode: read+exec in §6 above — but JP sign-off requested per Wave-3 audit hard rule (credential-adjacent). No change pending; confirm-only.

§13 Open issues + next steps

  • Catalog drift (Wave-5 rollup): PROFILE-CATALOG.md §cto-planb row says "v0.1 scaffold"; live = v1.0 (manifest version 1.0.0). Deferred to Wave-5 per RECOMMENDATIONS-cto-2026-05-24.md §10.
  • .cto/ work dir convention: cto-agent/SKILL.md:75 references ${CTO_HOME}/work/${WORK_ID}/prompt.md but install.sh does not mkdir -p that path. Soft gap; first sandcastle run will need to mkdir. Note for Wave-4 cleanup.
  • JP sign-off needed on §12.1, §12.2, §12.3 before next-wave disclosure refresh.