cto/DISCLOSURE.md
2026-05-25 12:57:33 -04:00


| Field | Value |
|---|---|
| name | disclosure-cto-planb |
| tier | T2 |
| status | active |
| owner | jp |
| source | generated |
| last_reviewed | 2026-05-25 |
| review_by | 2026-08-23 |
| depends_on | disclosure-schema, profile-distribution-protocol, cto-planb-contract, recommendations-cto-2026-05-24, audit-cto-2026-05-24, cortex-tooling |
| description | Canonical disclosure of cto-planb — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6. |
| auto_regen_cmd | `yq '.disclosure' manifest.yaml \| <renderer-script>` |

cto-planb — Disclosure

Live as of 2026-05-25. Source: cto/manifest.yaml → disclosure: block (Wave-7 D2 apply — schema v2 + sandcastle external_orchestrator promoted from §12 pending to canonical §6.5 per Wave-7 Q2 decision). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live hermes -p cto-planb runtime.

§1 Identity

| Field | Value |
|---|---|
| Profile ID | cto-planb |
| Repo | ~/workspaces/hermes/cto |
| Scope | org |
| Org | planb |
| Owner | jp |
| Approval authority | jp |
| Role type | C-suite (instance #3) |
| State | stateful (cto.db — work_queue, agent_runtime, invocations) |
| Version | 2.0.0 (WebUI direct-coder migration in progress) |
| North star | reliable WebUI coding agent — direct scoped patches, verified commands, JP-gated risk, Sandcastle for background isolation |
| Chat-facing | false (kanban-driven; JP chats with steev, not cto) |
| Delegates to | none (sandcastle is a tool, not a sub-agent — CONTRACT.md §1, §9) |
| Sovereign-only | false (intentional — see §2) |

§2 Inheritance posture

| Field | Value | Rationale |
|---|---|---|
| inherit_builtins | false | cto has zero builtins enabled — deny-by-default. Locks in clean posture. |
| inherit_mcp_toolsets | false | deny-by-default. CTO has one explicit MCP allowlist (deep-research); no inherited/global MCP bleed. |
| inherit_dirs | none | no external_dirs — no bundled-skill exposure |
| sovereign_only | false | INTENTIONAL. cto-agent itself runs sovereign qwen3.6-35b-a3b. The claudeCode('claude-opus-4-7') literal in sandcastle invocations names the AGENT INSIDE THE SANDBOX — hosted Claude lives behind sandcastle's isolation boundary (CONTRACT.md §5 + AUDIT §6 sovereignty note). Setting true would block the valid v1 design. |

§3 Skills (11)

Per disclosure.skills enum. Pre-push check 6.a enforces declared == live hermes -p cto-planb skills list enabled set.

| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
|---|---|---|---|---|---|
| cto-agent | local | supervisor | | | Profile-level boundaries, delegation, risk gates, and direct-coder operating protocol. |
| cto-direct-coder | local | direct-coder | false | | Primary inspect-plan-patch-test-report loop for WebUI coding. |
| cto-repo-contract | local | contract | false | | Workspace/repo ownership map, protected paths, and canonical verification commands. |
| cto-python-toolkit | local | toolkit | false | | Python stack patterns — closes CONTRACT.md §6 "Python = skill-only" gap. Anchored to bte-mcp, svrnty-hermes-webui-plugin, curator/sweep.py, scripts/sot-precommit.py. |
| cto-angular-toolkit | local | toolkit | false | | Angular stack patterns — closes CONTRACT.md §6 "Angular = skill-only" gap. Anchored to adwright/adwright-console. |
| cto-dotnet-toolkit | local | toolkit | false | | .NET/CQRS stack patterns anchored to L6-svrnty.lib-dotnet-cqrs, L5-svrnty.tool-cqrs-plugin, and pi-bte-plugin. |
| cto-frontend-visual-qa | local | verification | false | | Browser, Playwright, screenshot, console, network, and responsive verification for UI work. |
| cto-sandbox-job | local | sandbox-backend | false | anthropic when configured inside Sandcastle | Sandcastle background job creation, branch strategy, event projection, and result ingestion. |
| cto-reviewer | local | reviewer | false | | Diff review, test adequacy, security/risk assessment, and completion readiness. |
| cto-evals | local | evals | false | | Promotion, regression, and Codex-comparative eval protocol. |
| cto-capsule-writer | local | memory | false | | Converts meaningful failures and reusable workflows into capsule candidates. |

Totals. 11 skills total. Source breakdown: 11 local, 0 hub, 0 builtin, 0 external_dir.

§4 MCP servers (1)

Per disclosure.mcp_servers allowlist. Deny-by-default; explicit tool enum (no all). deep-research is exposed for CTO source-grounding and current research per CTO-WEBUI-CODING-AGENT-PRD.md §8 and §23.

| Server | Transport | Endpoint | Tools | Hosted API | Data boundary |
|---|---|---|---|---|---|
| deep-research | http | http://127.0.0.1:3010/mcp | 4 selected | conditional: hosted only when deep-research INFERENCE_URL routes through llm-gateway | Tailnet HTTP MCP; search/fetch reaches public web sources; LLM route disclosed by deep-research inference mode |

§4.1 deep-research tool allowlist

| Tool | Mode | Justification |
|---|---|---|
| mcp_deep_research_deep_research | read | Full source-grounded research artifact for architecture, standards, vendor behavior, dependency choices, and PRD work. |
| mcp_deep_research_web_search | read | Granular current-source search for CTO investigations when a full artifact is too heavy. |
| mcp_deep_research_fetch_page | read | Fetch source pages selected during CTO research; browsing/fetch capability disclosed explicitly. |
| mcp_deep_research_extract_pdf | read | Extract standards papers, vendor PDFs, and architecture docs during CTO research. |

§5 Sovereign APIs (1)

Per disclosure.sovereign_apis. Each entry is grep-verified against called_by paths.

| Name | Endpoint | Transport | Mode | Called by | Justification |
|---|---|---|---|---|---|
| bte-rest | http://localhost:5000 | http | read-write | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md | BTE REST /api/export-design-md cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only — CTO would curl when a UI task triggers DESIGN.md export). |

Sandcastle is NOT listed here in §5 — it has its own dedicated surface type. See §6.5 (External orchestrators). Wave-7 Q2 resolved the §12.1 open question in favor of schema §4.6's external_orchestrators: taxonomy (cleaner separation from HTTP/gRPC sovereign APIs).

§6 Cortex tools (12)

Per disclosure.cortex_tools. 2 invoked at runtime; 10 mount-and-cite routing targets the sandcastle sub-agent reads when cto mounts them in a prompt.

| ID | Stack | Invoked at runtime | Mode | Referenced in | Justification |
|---|---|---|---|---|---|
| L6-svrnty.lib-dotnet-cqrs | dotnet | false | read | skills/cto-agent/SKILL.md, skills/cto-dotnet-toolkit/SKILL.md | .NET CQRS routing target — sandcastle sub-agent reads patterns when mounted |
| L5-svrnty.tool-cqrs-plugin | dotnet | false | read | skills/cto-agent/SKILL.md, skills/cto-dotnet-toolkit/SKILL.md | .NET scaffolding plugin — routing target |
| pi-bte-plugin | dotnet | false | read | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md, skills/cto-dotnet-toolkit/SKILL.md | DTCG validation + voice schema lint + DESIGN.md export — routing target + DESIGN.md emit path |
| L6-svrnty.lib-cqrs-datasource | dart | false | read | skills/cto-agent/SKILL.md, skills/cto-angular-toolkit/SKILL.md | Flutter gRPC client + Angular gRPC-web reference — routing target |
| L6-svrnty.lib-llm | go | false | read | skills/cto-agent/SKILL.md | Go multi-provider LLM interface — routing target for Go tasks |
| L6-svrnty.core-credentials | go | true | read+exec | credbridge.sh | Runtime-invoked via credctl CLI from credbridge.sh — every cmd_open_pr resolves github-pat through this lib |
| L6-svrnty.core-memory | go | false | read | skills/cto-agent/SKILL.md | Go memory lib — routing target; requires_tools: memory_tool is Hermes-side, not direct call |
| PG-svrnty.tool-qa | go | false | read | skills/cto-agent/SKILL.md | QA orchestrator — routing target for Go QA work |
| L6-svrnty.core-runtime | rust | false | read | skills/cto-agent/SKILL.md | zeroclaw runtime — routing target for Rust tasks |
| PG-svrnty.lib-quality-gates | multi | true | read+exec | skills/cto-python-toolkit/SKILL.md, skills/cto-angular-toolkit/SKILL.md | Runtime-invoked post-sandcastle via `$QG/bin/run-gates --stack python` |
| L5-svrnty.lib-skills-engineering | multi | false | read | skills/cto-agent/SKILL.md | 28-pattern engineering reference — routing target |
| L5-svrnty.tool-bash-plugin | bash | false | read | skills/cto-agent/SKILL.md | Bash scripting plugin — routing target for Bash tasks |

Removed (Wave-4): PC-svrnty.tool-cortex-plugin — declared in legacy external_tool_deps but never cited in any cto skill body or lib (orphan). Removed per Wave-3 recommendations §4 C13. Reversible by re-adding the entry to external_tool_deps.

§6.5 External orchestrators (1)

Per disclosure.external_orchestrators (schema v2, added Wave-7 D2). Sandcastle is the background isolation backend for broad, risky, long-running, AFK, or parallel branch attempts.

| ID | Transport | Mode | Version pin | Sandboxed | Hosted API | Called by | Justification |
|---|---|---|---|---|---|---|---|
| sandcastle | cli | exec | v0.5.11 | true | anthropic | lib/cto-worker.sh | Isolated claudeCode('claude-opus-4-7') exec per CONTRACT.md §5 — the 4-layer safety stack (sandbox + git branch + PR + JP approval). Escape valve under sovereign_only: false; if profile were sovereign_only: true, schema §6 6.e v2 permits this entry IFF sandboxed: true. |

Governance. sandboxed: true is the load-bearing field — it declares isolation. hosted_api: anthropic is surfaced honestly because sandcastle wraps claudeCode('claude-opus-4-7') (CONTRACT.md §5 invocation pattern). cto-agent itself runs sovereign qwen3.6-35b-a3b; hosted Claude lives inside sandcastle's sandbox, never on cto's own surface.

Pin enforcement. version_pin: v0.5.11 matches manifest.yaml → external_tool_deps[0].pin and the workspace CLAUDE.md hard rule "sandcastle pinned v0.5.11; bumps human-only via git fetch upstream && git checkout <tag>". Sandcastle dir is read-only — never edited from cto.

Pre-push check 6.e (v2). With sovereign_only: false, no special enforcement triggers. If the profile ever flips to sovereign_only: true, the check 6.e v2 amendment requires sandboxed: true for any orchestrator declaring hosted_api — which this row satisfies.

§7 Credentials (0)

No active credential declarations in this disclosure block. github-pat (optional, vault-absent) is parked under §12 Pending JP review per Wave-3 recommendations §5 K1 — cred-adjacent rows require JP sign-off before joining the active allowlist. Legacy credentials.optional: [github-pat] block remains for installer back-compat (per DISCLOSURE-SCHEMA §7).

§8 Cron (0)

No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest cron: []).

§9 Drift status

| Surface | Declared | Live | Status |
|---|---|---|---|
| Skills | 11 | 11 | in-sync (live verified 2026-05-25 by hermes -p cto-planb skills list) |
| MCP servers | 1 | 1 | in-sync (deep-research, 4 selected; verified 2026-05-25) |
| MCP tools (total) | 4 | 4 | in-sync (deep_research, web_search, fetch_page, extract_pdf) |
| External orchestrators | 1 (sandcastle) | 1 (sandcastle invoked by lib/cto-worker.sh:50-62) | in-sync (Wave-7 D2) |
| Credentials | 0 | 1 vault-absent declared in legacy block | acceptable (Pending JP — see §12) |

Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24). Curator sweep will populate.
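The drift-status table above is what pre-push hook check 6 produces: the declared disclosure block is compared against what the runtime actually exposes, and any mismatch blocks the push. The script below is an added model of that comparison written for this page; it is not curator/lib/pre-push.sh and does not read the real manifest. It covers the three sub-checks this document names: 6.a (declared skills equal the live enabled set, §3), 6.d (every credential in the active allowlist is present in the vault, §12.2) and 6.e (under sovereign_only: true, an external orchestrator may declare a hosted_api only if it is sandboxed, §6.5). The disclosure dict, the skills listing and the vault contents are constructed sample data, and the `<id> <state>` column layout assumed for `hermes -p cto-planb skills list` is a guess, not the tool's documented format.

```python
"""Model of disclosure drift check 6 (sub-checks 6.a, 6.d, 6.e).
Added illustration for this page; not the project's pre-push hook."""

# Constructed subset of manifest.yaml -> disclosure: (schema v2 field names
# taken from this page: sovereign_only, skills, external_orchestrators,
# credentials). Values mirror the cto-planb rows disclosed above.
DISCLOSURE = {
    "sovereign_only": False,
    "skills": [
        "cto-agent", "cto-direct-coder", "cto-repo-contract",
        "cto-python-toolkit", "cto-angular-toolkit", "cto-dotnet-toolkit",
        "cto-frontend-visual-qa", "cto-sandbox-job", "cto-reviewer",
        "cto-evals", "cto-capsule-writer",
    ],
    "external_orchestrators": [
        {"id": "sandcastle", "sandboxed": True, "hosted_api": "anthropic"},
    ],
    # Active credential allowlist is empty (§7); github-pat is legacy-only.
    "credentials": [],
}

# Constructed stand-in for `hermes -p cto-planb skills list` output.
# Two-column "<id> <state>" layout is an assumption made for this example.
LIVE_SKILLS_OUTPUT = """\
cto-agent               enabled
cto-direct-coder        enabled
cto-repo-contract       enabled
cto-python-toolkit      enabled
cto-angular-toolkit     enabled
cto-dotnet-toolkit      enabled
cto-frontend-visual-qa  enabled
cto-sandbox-job         enabled
cto-reviewer            enabled
cto-evals               enabled
cto-capsule-writer      enabled
some-bundled-skill      disabled
"""

# Constructed vault name listing; github-pat deliberately absent (§12.2).
VAULT_NAMES = {"bte-api-key"}


def parse_live_skills(listing):
    """Return the set of skill ids the runtime reports as enabled."""
    enabled = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled":
            enabled.add(parts[0])
    return enabled


def check_6a_skills(disclosure, live_enabled):
    """Declared skills must equal the live enabled set, in both directions:
    a declared-but-disabled skill and an enabled-but-undisclosed skill are
    both drift."""
    declared = set(disclosure["skills"])
    findings = []
    for sid in sorted(declared - live_enabled):
        findings.append(f"6.a declared skill not enabled live: {sid}")
    for sid in sorted(live_enabled - declared):
        findings.append(f"6.a live skill not disclosed: {sid}")
    return findings


def check_6d_credentials(disclosure, vault_names):
    """Every credential in the active allowlist must exist in the vault."""
    return [f"6.d active credential absent from vault: {c['vault_name']}"
            for c in disclosure["credentials"]
            if c["vault_name"] not in vault_names]


def check_6e_orchestrators(disclosure):
    """With sovereign_only: false nothing triggers. With sovereign_only: true
    an orchestrator may carry a hosted_api only if sandboxed is true."""
    if not disclosure.get("sovereign_only", False):
        return []
    return [f"6.e hosted_api orchestrator not sandboxed: {o['id']}"
            for o in disclosure["external_orchestrators"]
            if o.get("hosted_api") and not o.get("sandboxed", False)]


def run_check_6(disclosure, live_listing, vault_names):
    """Aggregate the sub-checks. An empty list means in-sync; anything else
    is a finding that should block the push."""
    live_enabled = parse_live_skills(live_listing)
    return (check_6a_skills(disclosure, live_enabled)
            + check_6d_credentials(disclosure, vault_names)
            + check_6e_orchestrators(disclosure))


if __name__ == "__main__":
    findings = run_check_6(DISCLOSURE, LIVE_SKILLS_OUTPUT, VAULT_NAMES)
    for finding in findings:
        print("DRIFT:", finding)
    raise SystemExit(1 if findings else 0)
```

The two-directional set difference in check 6.a is the part worth keeping: a check that only asks "is every declared skill enabled?" would miss an enabled skill that was never disclosed, which is exactly the exposure a deny-by-default posture is meant to prevent. Check 6.e is deliberately a no-op while sovereign_only is false, matching the "no special enforcement triggers" statement in §6.5.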

§10 Sovereign-purity audit

  • cto-owned code layer (cto/skills/, cto/lib/): CLEAN — orchestrator runs sovereign qwen3.6-35b-a3b; no hosted-API calls from cto's own surface.
  • Bundled-skill exposure layer: N/A (inherit_dirs: [], inherit_builtins: false; no bundled skills exposed).
  • sovereign_only: false is INTENTIONAL — claudeCode('claude-opus-4-7') lives inside the sandcastle isolation boundary, not on cto's own surface. The sandcastle sandbox + git branch + PR + JP approval gate = the 4-layer safety stack (AUDIT §8.3).

§11 Governance refs

  • Vision: ../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md, ../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md
  • Governing protocols: ../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md
  • Standards: ../sot/04-STANDARDS/FRONTMATTER-SPEC.md, ../sot/04-STANDARDS/SOT-ENFORCEMENT.md, ../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md
  • Brand master ref: ../sot/07-BRAND/PLANB-BRAND-SYNTHESIS.md

§12 Pending JP review

Rows surfaced by Wave-3 audit/recommendations. All 3 rows resolved in Wave-8 PAUSE-walk (2026-05-24). Retained for audit trail.

§12.1 RESOLVED (Wave-7 D2 / Q2, confirmed Wave 8) — sandcastle promoted to canonical §6.5

Per Wave-7 Q2 decision (2026-05-25): the open question on (a) sovereign_apis: cli vs (b) schema §4.6 external_orchestrators: was resolved in favor of (b) — schema v2 added the external_orchestrators: surface (cleaner taxonomy, separates HTTP/gRPC sovereign APIs from CLI orchestrators with isolation semantics).

Sandcastle now lives in:

  • manifest.yaml → disclosure.external_orchestrators[0] (schema v2)
  • §6.5 above (canonical disclosure section)

§12.2 RESOLVED (Wave 8) — github-pat credential declaration: KEEP declared, defer vault provision

Per RECOMMENDATIONS-cto-2026-05-24.md §5 K1. JP decision Wave 8 (2026-05-24): KEEP declared, defer vault provision until v2 PR-open path lands.

| Field | Value |
|---|---|
| vault_name | github-pat |
| status | optional |
| scope | read |
| used_by | credbridge.sh (case gh)), lib/cto-worker.sh (open-pr command) |
| governance | required for v2 PR-open path (gh pr create via credbridge). Currently absent from vault — cto-worker.sh open-pr fails-fast with documented error. JP materializes via credctl set github-pat <PAT> before first v2 PR task. |

Materialization state: declared in legacy manifest.credentials.optional: [github-pat] (line 134) for documentation. NOT yet in disclosure.credentials: active block (which is [] on line 267) — would trigger pre-push check 6.d failure since vault-absent. Row promotes from legacy → active disclosure once JP runs credctl set github-pat <PAT>.

§12.3 RESOLVED (Wave 8) — L6-svrnty.core-credentials runtime mode: CONFIRM as-is

Already KEEP at invoked_at_runtime: true, mode: read+exec in §6 above. JP decision Wave 8 (2026-05-24): CONFIRM as-is. No change.

§13 Open issues + next steps

  • Runtime drift check current: manifest/disclosure declare the v2 direct-coder surface; installed cto-planb was compared with live hermes -p cto-planb skills list on 2026-05-25 and matched.
  • Promotion eval reports pending: cto/evals/manifest.yaml defines the suite; passing reports are required before parity claims.
  • JP sign-off still required for push/PR/deploy/secrets/cron/infra/production-data operations.