hermes/cto

Svrnty aaa1dbf3d0 feat(disclosure): Wave 7 D2 — cto schema v2 + sandcastle external_orchestrator — sprint 2026-05-25

Schema v2 bump (per sot/04-STANDARDS/DISCLOSURE-SCHEMA.md §4.6) adds the
external_orchestrators surface. Sandcastle was previously parked in
DISCLOSURE.md §12.1 "Pending JP review"; Wave-7 Q2 resolved the open
question in favor of (b) schema §4.6's dedicated external_orchestrators
taxonomy (cleaner separation from HTTP/gRPC sovereign_apis).

Changes:
- manifest.yaml: disclosure.schema_version 1 → 2; add external_orchestrators
  with sandcastle entry (transport=cli, mode=exec, version_pin=v0.5.11,
  sandboxed=true, hosted_api=anthropic, called_by lib/cto-worker.sh).
- DISCLOSURE.md: new canonical §6.5 External orchestrators (sandcastle row +
  governance/pin/check-6.e notes); §5 footer note updated (no longer pending);
  §9 drift table adds external_orchestrators row; §12.1 marked RESOLVED with
  audit-trail stub; last_reviewed bumped to 2026-05-25.

Pin v0.5.11 matches external_tool_deps[0].pin and the workspace CLAUDE.md
hard rule (sandcastle read-only; bumps human-only). sot-precommit clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-24 16:54:14 -04:00

14 KiB

Raw Blame History

name

tier

status

owner

source

last_reviewed

review_by

depends_on

description

auto_regen_cmd

disclosure-cto-planb

active

generated

2026-05-25

2026-08-23

disclosure-schema

profile-distribution-protocol

cto-planb-contract

recommendations-cto-2026-05-24

audit-cto-2026-05-24

cortex-tooling

Canonical disclosure of cto-planb — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6.

yq '.disclosure' manifest.yaml | <renderer-script>

`cto-planb` — Disclosure

Live as of 2026-05-25. Source: cto/manifest.yaml → disclosure: block (Wave-7 D2 apply — schema v2 + sandcastle external_orchestrator promoted from §12 pending to canonical §6.5 per Wave-7 Q2 decision). Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live hermes -p cto-planb runtime.

§1 Identity

Field	Value
Profile ID	`cto-planb`
Repo	`~/workspaces/hermes/cto`
Scope	`org`
Org	`planb`
Owner	`jp`
Approval authority	`jp`
Role type	C-suite (instance #3)
State	stateful (`cto.db` — work_queue, agent_runtime, invocations)
Version	`1.0.0` (MVP shipped 2026-05-24)
North star	reliable, evolving tech — sandcastle-orchestrated code work, JP-approved deploys, never bypass isolation
Chat-facing	`false` (kanban-driven; JP chats with steev, not cto)
Delegates to	none (sandcastle is a tool, not a sub-agent — CONTRACT.md §1, §9)
Sovereign-only	`false` (intentional — see §2)

§2 Inheritance posture

Field	Value	Rationale
`inherit_builtins`	`false`	cto has zero builtins enabled — deny-by-default. Locks in clean posture.
`inherit_mcp_toolsets`	`false`	cto has zero MCP — deny-by-default. Closes potential bte-MCP-leak risk that hit ceo/steev.
`inherit_dirs`	none	no external_dirs — no bundled-skill exposure
`sovereign_only`	`false`	INTENTIONAL. cto-agent itself runs sovereign `qwen3.6-35b-a3b`. The `claudeCode('claude-opus-4-7')` literal in sandcastle invocations names the AGENT INSIDE THE SANDBOX — hosted Claude lives behind sandcastle's isolation boundary (CONTRACT.md §5 + AUDIT §6 sovereignty note). Setting `true` would block the valid v1 design.

§3 Skills (3)

Per disclosure.skills enum. Pre-push check 6.a enforces declared == live hermes -p cto-planb skills list enabled set.

ID	Source	Role	Sovereign-req	Hosted-API	Justification
`cto-agent`	local	orchestrator	—	—	Loop operator (decompose → sandcastle → review → PR). CONTRACT.md §1 "thin orchestrator over sandcastle".
`cto-python-toolkit`	local	toolkit	false	—	Python stack patterns — closes CONTRACT.md §6 "Python = skill-only" gap. Anchored to bte-mcp, svrnty-hermes-webui-plugin, curator/sweep.py, scripts/sot-precommit.py.
`cto-angular-toolkit`	local	toolkit	false	—	Angular stack patterns — closes CONTRACT.md §6 "Angular = skill-only" gap. Anchored to adwright/adwright-console.

Totals. 3 skills total. Source breakdown: 3 local, 0 hub, 0 builtin, 0 external_dir.

§4 MCP servers (0)

No MCP servers exposed — deny-by-default allowlist is empty. cto orchestrates via sandcastle + shell, not MCP. Matches PROFILE-CATALOG §cto-planb. Closes the bte-MCP-leak risk that hit ceo/steev.

§5 Sovereign APIs (1)

Per disclosure.sovereign_apis. Each entry is grep-verified against called_by paths.

Name	Endpoint	Transport	Mode	Called by	Justification
`bte-rest`	`http://localhost:5000`	http	read-write	`skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md`	BTE REST `/api/export-design-md` cited as the DESIGN.md emit path for UI tasks; not auto-invoked at v1.0 (documented pattern only — CTO would `curl` when a UI task triggers DESIGN.md export).

Sandcastle is NOT listed here in §5 — it has its own dedicated surface type. See §6.5 (External orchestrators). Wave-7 Q2 resolved the §12.1 open question in favor of schema §4.6's external_orchestrators: taxonomy (cleaner separation from HTTP/gRPC sovereign APIs).

§6 Cortex tools (12)

Per disclosure.cortex_tools. 2 invoked at runtime; 10 mount-and-cite routing targets the sandcastle sub-agent reads when cto mounts them in a prompt.

ID	Stack	Invoked at runtime	Mode	Referenced in	Justification
`L6-svrnty.lib-dotnet-cqrs`	dotnet	false	read	`skills/cto-agent/SKILL.md`	.NET CQRS routing target — sandcastle sub-agent reads patterns when mounted
`L5-svrnty.tool-cqrs-plugin`	dotnet	false	read	`skills/cto-agent/SKILL.md`	.NET scaffolding plugin — routing target
`pi-bte-plugin`	dotnet	false	read	`skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md`	DTCG validation + voice schema lint + DESIGN.md export — routing target + DESIGN.md emit path
`L6-svrnty.lib-cqrs-datasource`	dart	false	read	`skills/cto-agent/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md`	Flutter gRPC client + Angular gRPC-web reference — routing target
`L6-svrnty.lib-llm`	go	false	read	`skills/cto-agent/SKILL.md`	Go multi-provider LLM interface — routing target for Go tasks
`L6-svrnty.core-credentials`	go	true	read+exec	`credbridge.sh`	Runtime-invoked via `credctl` CLI from `credbridge.sh` — every `cmd_open_pr` resolves github-pat through this lib
`L6-svrnty.core-memory`	go	false	read	`skills/cto-agent/SKILL.md`	Go memory lib — routing target; `requires_tools: memory_tool` is Hermes-side, not direct call
`PG-svrnty.tool-qa`	go	false	read	`skills/cto-agent/SKILL.md`	QA orchestrator — routing target for Go QA work
`L6-svrnty.core-runtime`	rust	false	read	`skills/cto-agent/SKILL.md`	zeroclaw runtime — routing target for Rust tasks
`PG-svrnty.lib-quality-gates`	multi	true	read+exec	`skills/cto-python-toolkit/SKILL.md`, `skills/cto-angular-toolkit/SKILL.md`	Runtime-invoked post-sandcastle via `$QG/bin/run-gates --stack python
`L5-svrnty.lib-skills-engineering`	multi	false	read	`skills/cto-agent/SKILL.md`	28-pattern engineering reference — routing target
`L5-svrnty.tool-bash-plugin`	bash	false	read	`skills/cto-agent/SKILL.md`	Bash scripting plugin — routing target for Bash tasks

Removed (Wave-4): PC-svrnty.tool-cortex-plugin — declared in legacy external_tool_deps but never cited in any cto skill body or lib (orphan). Removed per Wave-3 recommendations §4 C13. Reversible by re-adding the entry to external_tool_deps.

§6.5 External orchestrators (1)

Per disclosure.external_orchestrators (schema v2, added Wave-7 D2). cto's primary execution mechanism — every code-modifying task routes through sandcastle's isolation boundary (CONTRACT.md §5 + §11 anti-pattern: "CTO never edits host code directly").

ID	Transport	Mode	Version pin	Sandboxed	Hosted API	Called by	Justification
`sandcastle`	cli	exec	`v0.5.11`	true	`anthropic`	`lib/cto-worker.sh`	Isolated `claudeCode('claude-opus-4-7')` exec per CONTRACT.md §5 — the 4-layer safety stack (sandbox + git branch + PR + JP approval). Escape valve under `sovereign_only: false`; if profile were `sovereign_only: true`, schema §6 6.e v2 permits this entry IFF `sandboxed: true`.

Governance. sandboxed: true is the load-bearing field — it declares isolation. hosted_api: anthropic is surfaced honestly because sandcastle wraps claudeCode('claude-opus-4-7') (CONTRACT.md §5 invocation pattern). cto-agent itself runs sovereign qwen3.6-35b-a3b; hosted Claude lives inside sandcastle's sandbox, never on cto's own surface.

Pin enforcement. version_pin: v0.5.11 matches manifest.yaml → external_tool_deps[0].pin and the workspace CLAUDE.md hard rule "sandcastle pinned v0.5.11; bumps human-only via git fetch upstream && git checkout <tag>". Sandcastle dir is read-only — never edited from cto.

Pre-push check 6.e (v2). With sovereign_only: false, no special enforcement triggers. If the profile ever flips to sovereign_only: true, the check 6.e v2 amendment requires sandboxed: true for any orchestrator declaring hosted_api — which this row satisfies.

§7 Credentials (0)

No active credential declarations in this disclosure block. github-pat (optional, vault-absent) is parked under §12 Pending JP review per Wave-3 recommendations §5 K1 — cred-adjacent rows require JP sign-off before joining the active allowlist. Legacy credentials.optional: [github-pat] block remains for installer back-compat (per DISCLOSURE-SCHEMA §7).

§8 Cron (0)

No cron jobs. cto runs on-demand or on kanban tick (CONTRACT.md §3 + manifest cron: []).

§9 Drift status

Surface	Declared	Live	Status
Skills	3	3	in-sync (live verified by AUDIT-cto-2026-05-24.md §1)
MCP servers	0	0	in-sync (live verified by AUDIT §2)
MCP tools (total)	0	0	in-sync
External orchestrators	1 (sandcastle)	1 (sandcastle invoked by `lib/cto-worker.sh:50-62`)	in-sync (Wave-7 D2)
Credentials	0	1 vault-absent declared in legacy block	acceptable (Pending JP — see §12)

Pre-push hook check 6 last run: pending (Wave-4 first apply, 2026-05-24). Curator sweep will populate.

§10 Sovereign-purity audit

cto-owned code layer (cto/skills/, cto/lib/): CLEAN — orchestrator runs sovereign qwen3.6-35b-a3b; no hosted-API calls from cto's own surface.
Bundled-skill exposure layer: N/A — inherit_dirs: [], inherit_builtins: false, no bundled skills exposed.
sovereign_only: false is INTENTIONAL — claudeCode('claude-opus-4-7') lives inside the sandcastle isolation boundary, not on cto's own surface. The sandcastle sandbox + git branch + PR + JP approval gate = the 4-layer safety stack (AUDIT §8.3).

§11 Governance refs

Vision: ../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md, ../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md
Governing protocols: ../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md
Standards: ../sot/04-STANDARDS/FRONTMATTER-SPEC.md, ../sot/04-STANDARDS/SOT-ENFORCEMENT.md, ../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md
Brand master ref: ../sot/07-BRAND/PLANB-BRAND-SYNTHESIS.md

§12 Pending JP review

Rows surfaced by Wave-3 audit/recommendations but paused awaiting JP sign-off. These are NOT in the active disclosure: block yet.

§12.1 RESOLVED (Wave-7 D2 / Q2) — sandcastle promoted to canonical §6.5

Per Wave-7 Q2 decision (2026-05-25): the open question on (a) sovereign_apis: cli vs (b) schema §4.6 external_orchestrators: was resolved in favor of (b) — schema v2 added the external_orchestrators: surface (cleaner taxonomy, separates HTTP/gRPC sovereign APIs from CLI orchestrators with isolation semantics).

Sandcastle now lives in:

manifest.yaml → disclosure.external_orchestrators[0] (schema v2)
§6.5 above (canonical disclosure section)

Row retained here for audit trail only. No JP action required.

§12.2 KEEP — `github-pat` credential declaration (cred-adjacent PAUSE)

Per RECOMMENDATIONS-cto-2026-05-24.md §5 K1.

Field	Proposed value
vault_name	`github-pat`
status	`optional`
scope	`read`
used_by	`credbridge.sh` (case `gh)`), `lib/cto-worker.sh` (open-pr command)
governance	required for v2 PR-open path (`gh pr create` via credbridge). Currently absent from vault — `cto-worker.sh open-pr` fails-fast with documented error. Vault provisioning is JP's responsibility before first real PR-opening task.

Open question for JP: confirm KEEP declaration even though vault-absent? Recommendation: YES — v2 needs it; cto-worker.sh fails fast with a clear error if missing. Once approved, the cred row moves from §7 (empty) into the active disclosure.credentials: block. Pre-push check 6.d will then enforce credctl list exact-match.

§12.3 NOTE — `L6-svrnty.core-credentials` runtime mode

Already KEEP at invoked_at_runtime: true, mode: read+exec in §6 above — but JP sign-off requested per Wave-3 audit hard rule (credential-adjacent). No change pending; confirm-only.

§13 Open issues + next steps

Catalog drift (Wave-5 rollup): PROFILE-CATALOG.md §cto-planb row says "v0.1 scaffold"; live = v1.0 (manifest version 1.0.0). Deferred to Wave-5 per RECOMMENDATIONS-cto-2026-05-24.md §10.
.cto/ work dir convention: cto-agent/SKILL.md:75 references ${CTO_HOME}/work/${WORK_ID}/prompt.md but install.sh does not mkdir -p that path. Soft gap; first sandcastle run will need to mkdir. Note for Wave-4 cleanup.
JP sign-off needed on §12.1, §12.2, §12.3 before next-wave disclosure refresh.

../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md — schema definition
../sot/04-STANDARDS/DISCLOSURE-TEMPLATE.md — template this doc instantiates
../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md — protocol disclosure extends
../sot/06-REGISTRY/PROFILE-CATALOG.md — fleet rollup
../sot/06-REGISTRY/CORTEX-TOOLING.md — 13-tool catalog (12 cited in §6; orphan removed)
../sot/06-REGISTRY/audits/AUDIT-cto-2026-05-24.md — Wave-1 live inventory
../sot/06-REGISTRY/audits/RECOMMENDATIONS-cto-2026-05-24.md — Wave-3 KEEP/REMOVE/ADD/NARROW decisions
../sot/06-REGISTRY/EXTERNAL-REFS/SANDCASTLE.md — sandcastle registry entry (§12.1 governance ref)
./manifest.yaml — machine-readable disclosure: block
./AGENT.md — identity (T2)
./CONTRACT.md — behavior contract (T1)

14 KiB Raw Blame History

cto-planb — Disclosure