cto/install.sh

#!/usr/bin/env bash
# install.sh — wire CTO profile distribution into Hermes.
# Idempotent. Creates ~/.hermes/$PROFILE_NAME symlink + registers skills in profile config.
# v0.1 scaffold: schema applied, skill registered, but cto-agent skill is a non-executable stub.
set -euo pipefail

REPO="$(cd "$(dirname "$0")" && pwd)"
PROFILE_NAME="cto-planb"   # Hermes profile name (org-scoped); matches distribution.yaml → name + manifest.yaml → profile
HERMES_HOME="${HERMES_HOME:-$HOME/.hermes}"
PROFILE_CFG="$HERMES_HOME/profiles/$PROFILE_NAME/config.yaml"

# --dry-run flag for preflight without mutations
DRY_RUN=0
for arg in "$@"; do
    case "$arg" in
        --dry-run) DRY_RUN=1 ;;
    esac
done

echo "== preflight =="
command -v hermes >/dev/null || { echo "ERROR: hermes CLI not on PATH"; exit 1; }
command -v python3 >/dev/null || { echo "ERROR: python3 not on PATH"; exit 1; }
command -v sqlite3 >/dev/null || { echo "ERROR: sqlite3 not on PATH"; exit 1; }
if [ ! -d "$HERMES_HOME" ]; then
    echo "ERROR: HERMES_HOME=$HERMES_HOME does not exist"
    exit 1
fi
echo "  hermes ✓  python3 ✓  sqlite3 ✓  HERMES_HOME ✓"

# Check sandcastle sibling exists (CTO's primary tool)
SANDCASTLE_REPO="${SANDCASTLE_REPO:-$REPO/../sandcastle}"
if [ ! -d "$SANDCASTLE_REPO" ]; then
    echo "ERROR: sandcastle sibling not found at $SANDCASTLE_REPO"
    echo "       CTO v1.0 requires it. Clone: git clone https://github.com/mattpocock/sandcastle.git $SANDCASTLE_REPO"
    exit 1
else
    echo "  sandcastle ✓ ($SANDCASTLE_REPO)"
fi

if [ "$DRY_RUN" -eq 1 ]; then
    echo "== DRY RUN — no mutations =="
    echo "  would: ln -sfn $REPO $HERMES_HOME/$PROFILE_NAME"
    echo "  would: append $REPO/skills to $PROFILE_CFG → skills.external_dirs"
    echo "  would: sqlite3 $HERMES_HOME/$PROFILE_NAME/cto.db < $REPO/schema.sql"
    echo "  would: hermes profile install '$REPO' --yes --force  (dispatch-readiness)"
    echo "  would: chmod +x $REPO/lib/cto-worker.sh"
    exit 0
fi

echo "== link repo → ~/.hermes/$PROFILE_NAME =="
ln -sfn "$REPO" "$HERMES_HOME/$PROFILE_NAME"

echo "== register skills in $PROFILE_NAME profile config =="
SKILL_DIR="$REPO/skills"
mkdir -p "$(dirname "$PROFILE_CFG")"
python3 - "$PROFILE_CFG" "$SKILL_DIR" <<'PY'
import sys, os, yaml
cfg, sk = sys.argv[1], sys.argv[2]
d = yaml.safe_load(open(cfg).read()) if os.path.exists(cfg) else {}
d = d or {}
d.setdefault('skills', {}).setdefault('external_dirs', [])
if sk not in d['skills']['external_dirs']:
    d['skills']['external_dirs'].append(sk)
    open(cfg, 'w').write(yaml.dump(d, sort_keys=False, allow_unicode=True))
    print("  +", sk)
else:
    print("  already registered:", sk)
PY

echo "== ${PROFILE_NAME}.db =="
sqlite3 "$HERMES_HOME/$PROFILE_NAME/cto.db" < "$REPO/schema.sql"

echo "== hermes-native profile install (dispatch-readiness) =="
if [ "$DRY_RUN" -eq 1 ]; then
    echo "DRY: hermes profile install '$REPO' --yes --force"
else
    hermes profile install "$REPO" --yes --force 2>&1 | tail -5 || \
      echo "  WARN: hermes profile install failed (legacy symlink still works)"
fi

echo "== ensure cto-worker.sh executable =="
chmod +x "$REPO/lib/cto-worker.sh" 2>/dev/null && echo "  ✓ lib/cto-worker.sh executable"

echo ""
# ----------------------------------------------------------------------------
# Wave 7 D6+D4 — disclosure → runtime config wiring (F1-F5)
# Materializes manifest.disclosure (schema v2) into the live Hermes runtime:
#   F1 resolve $HERMES_WORKSPACE in inherit_dirs   → skills.external_dirs
#   F2 compute denylist from disclosure.skills     → skills.disabled
#   F3 propagate inherit_mcp_toolsets              → agent.inherit_mcp_toolsets
#   F4 install subrepo pre-push disclosure-drift gate
#   F5 (D4) write sovereign vllm model block       → model.{default,provider,base_url,…}
# Per-profile config lives at ~/.hermes/profiles/$PROFILE_NAME/config.yaml.
# cto inherit_dirs is empty by design (CONTRACT.md §1, §9) — F1 stays for template
# consistency w/ cmo/ceo workers. Per CONTRACT.md §5: cto-agent itself runs sovereign
# qwen3.6; claudeCode hosted lives only inside sandcastle isolation boundary.
# All steps idempotent + graceful (WARN + skip on missing tooling).
# ----------------------------------------------------------------------------
echo "== disclosure → runtime config (Wave 7 D6+D4) =="
HERMES_WORKSPACE="${HERMES_WORKSPACE:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}"

# F1 — resolve $HERMES_WORKSPACE in disclosure.inherit_dirs → skills.external_dirs (global config)
GLOBAL_CFG="$HERMES_HOME/config.yaml"
if [ "$DRY_RUN" -eq 1 ]; then
  echo "DRY: F1 expand inherit_dirs (HERMES_WORKSPACE=$HERMES_WORKSPACE) → $GLOBAL_CFG"
elif command -v yq >/dev/null 2>&1; then
  INHERIT_DIRS=$(yq -r '.disclosure.inherit_dirs[]?' "$REPO/manifest.yaml" 2>/dev/null || true)
  if [ -n "$INHERIT_DIRS" ]; then
    while IFS= read -r raw; do
      [ -z "$raw" ] && continue
      resolved="${raw//\$HERMES_WORKSPACE/$HERMES_WORKSPACE}"
      if [ ! -d "$resolved" ]; then
        echo "  WARN: F1 inherit_dir not found: $resolved (declared: $raw) — skipping"
        continue
      fi
      python3 - "$GLOBAL_CFG" "$resolved" <<'PY'
import sys, os, yaml
cfg, sk = sys.argv[1], sys.argv[2]
d = yaml.safe_load(open(cfg).read()) if os.path.exists(cfg) else {}
d = d or {}
d.setdefault('skills', {}).setdefault('external_dirs', [])
if sk not in d['skills']['external_dirs']:
    d['skills']['external_dirs'].append(sk)
    open(cfg, 'w').write(yaml.safe_dump(d, sort_keys=False, allow_unicode=True))
    print(f"  F1 + {sk}")
else:
    print(f"  F1 = {sk} (already present)")
PY
    done <<< "$INHERIT_DIRS"
  else
    echo "  F1: no disclosure.inherit_dirs declared — skip (cto is correct-by-design)"
  fi
else
  echo "  WARN: F1 yq not on PATH — skipping inherit_dirs resolution"
fi

# F2 — compute denylist (all builtins NOT in disclosure.skills allowlist) → profile config
if [ "$DRY_RUN" -eq 1 ]; then
  echo "DRY: F2 compute builtin denylist → $PROFILE_CFG (skills.disabled)"
elif command -v hermes >/dev/null 2>&1 && command -v yq >/dev/null 2>&1; then
  # Try --json first; fall back to table parse w/ box-draw chars.
  ALL_BUILTINS=$(hermes skills list --json 2>/dev/null | jq -r '.[] | select(.source=="builtin") | .name' 2>/dev/null || true)
  if [ -z "$ALL_BUILTINS" ]; then
    ALL_BUILTINS=$(hermes skills list 2>/dev/null | awk -F'│' 'NR>3 && /builtin/ {gsub(/^ +| +$/, "", $2); print $2}' || true)
  fi
  ALLOWLIST_BUILTIN=$(yq -r '.disclosure.skills[] | select(.source=="builtin") | .id' "$REPO/manifest.yaml" 2>/dev/null | sort -u)
  if [ -z "$ALL_BUILTINS" ]; then
    echo "  WARN: F2 could not enumerate live builtins — skipping denylist"
  else
    SORTED_BUILTINS=$(echo "$ALL_BUILTINS" | sort -u)
    DENYLIST=$(comm -23 <(echo "$SORTED_BUILTINS") <(echo "${ALLOWLIST_BUILTIN:-}") | grep -v '^$' || true)
    mkdir -p "$(dirname "$PROFILE_CFG")"
    [ -f "$PROFILE_CFG" ] || : > "$PROFILE_CFG"
    python3 - "$PROFILE_CFG" <<PY
import sys, yaml
cfg = sys.argv[1]
denylist = [s for s in """$DENYLIST""".splitlines() if s.strip()]
d = yaml.safe_load(open(cfg).read()) or {}
d.setdefault('skills', {})['disabled'] = sorted(set(denylist))
open(cfg, 'w').write(yaml.safe_dump(d, sort_keys=False, allow_unicode=True))
print(f"  F2 wrote skills.disabled: {len(denylist)} entr{'y' if len(denylist)==1 else 'ies'}")
PY
  fi
else
  echo "  WARN: F2 hermes/yq missing — skipping denylist"
fi

# F3 — propagate disclosure.inherit_mcp_toolsets to per-profile config.yaml
if [ "$DRY_RUN" -eq 1 ]; then
  echo "DRY: F3 write agent.inherit_mcp_toolsets → $PROFILE_CFG"
elif command -v yq >/dev/null 2>&1; then
  INHERIT_MCP=$(yq -r '.disclosure.inherit_mcp_toolsets' "$REPO/manifest.yaml" 2>/dev/null || echo "null")
  if [ "$INHERIT_MCP" = "null" ] || [ -z "$INHERIT_MCP" ]; then
    echo "  F3: disclosure.inherit_mcp_toolsets undeclared — skip"
  else
    mkdir -p "$(dirname "$PROFILE_CFG")"
    [ -f "$PROFILE_CFG" ] || : > "$PROFILE_CFG"
    python3 - "$PROFILE_CFG" "$INHERIT_MCP" <<'PY'
import sys, yaml
cfg, val = sys.argv[1], sys.argv[2]
b = {"true": True, "false": False}.get(val.lower(), val)
d = yaml.safe_load(open(cfg).read()) or {}
d.setdefault('agent', {})['inherit_mcp_toolsets'] = b
open(cfg, 'w').write(yaml.safe_dump(d, sort_keys=False, allow_unicode=True))
print(f"  F3 wrote agent.inherit_mcp_toolsets: {b}")
PY
  fi
else
  echo "  WARN: F3 yq not on PATH — skipping inherit_mcp_toolsets"
fi

# F5 (D4) — sovereign vllm model block → per-profile config.yaml
# Per CONTRACT.md §5: cto-agent runs sovereign qwen3.6 (this block).
# claudeCode hosted is constrained INSIDE sandcastle isolation only.
# Matches ceo-planb/curator-planb pattern at http://100.90.54.40:8000/v1.
if [ "$DRY_RUN" -eq 1 ]; then
  echo "DRY: F5 write sovereign vllm model block → $PROFILE_CFG"
elif command -v yq >/dev/null 2>&1; then
  mkdir -p "$(dirname "$PROFILE_CFG")"
  [ -f "$PROFILE_CFG" ] || : > "$PROFILE_CFG"
  MODEL_BLOCK=$(cat <<'YAML'
model:
  default: qwen3.6-35b-a3b
  provider: vllm
  api_key: dummy
  base_url: http://100.90.54.40:8000/v1
  context_length: 262144
YAML
)
  # yq eval-all merge: existing config wins on non-model keys; model block overwrites.
  TMP_CFG=$(mktemp)
  echo "$MODEL_BLOCK" | yq eval-all '. as $item ireduce ({}; . * $item)' "$PROFILE_CFG" - > "$TMP_CFG"
  mv "$TMP_CFG" "$PROFILE_CFG"
  echo "  F5 wrote model block (qwen3.6-35b-a3b @ http://100.90.54.40:8000/v1)"
else
  echo "  WARN: F5 yq not on PATH — skipping model block (cto-agent will fall back to global default)"
fi

# F4 — install subrepo pre-push hook (disclosure-drift gate)
HOOK_DST="$REPO/.git/hooks/pre-push"
if [ "$DRY_RUN" -eq 1 ]; then
  echo "DRY: F4 install pre-push hook → $HOOK_DST"
elif [ ! -d "$REPO/.git" ]; then
  echo "  WARN: F4 $REPO/.git missing — not a git checkout, skip"
else
  cat > "$HOOK_DST" <<'HOOK_EOF'
#!/usr/bin/env bash
# pre-push.sh — Wave 7 D6 subrepo disclosure-drift gate
# Schema v2 ref: ../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md
set -euo pipefail

REPO_ROOT="$(git rev-parse --show-toplevel)"
PROFILE_DIR_NAME="$(basename "$REPO_ROOT")"  # e.g., cmo, ceo, cto
PROFILE_NAME="${PROFILE_DIR_NAME}-planb"
VIOLATIONS=0
emit() { echo "[pre-push:$PROFILE_DIR_NAME] $*" >&2; }
fail() { emit "BLOCK: $*"; VIOLATIONS=$((VIOLATIONS + 1)); }

while read -r local_ref local_sha remote_ref remote_sha; do
  [ "$local_sha" = "0000000000000000000000000000000000000000" ] && continue
  if [ "$remote_sha" = "0000000000000000000000000000000000000000" ]; then
    base=$(git merge-base "$local_sha" jp 2>/dev/null || git rev-parse "$local_sha^" 2>/dev/null || echo "$local_sha")
  else
    base="$remote_sha"
  fi
  DELTA=$(git diff --name-only "$base..$local_sha" 2>/dev/null || true)
  [ -z "$DELTA" ] && continue

  # check 2: manifest governance block
  if echo "$DELTA" | grep -q '^manifest\.yaml$'; then
    emit "check 2: validating governance block…"
    python3 - "$REPO_ROOT/manifest.yaml" <<'PY' || fail "manifest.yaml: governance block invalid"
import sys, yaml
data = yaml.safe_load(open(sys.argv[1]).read()) or {}
gov = data.get("governance")
if not isinstance(gov, dict):
    print(f"missing governance: block", file=sys.stderr); sys.exit(1)
req = ["org", "owner", "approval_authority", "vision_refs", "governing_protocols", "standards", "north_star"]
missing = [k for k in req if k not in gov]
if missing:
    print(f"governance missing: {', '.join(missing)}", file=sys.stderr); sys.exit(1)
PY
  fi

  # check 3: identity doc frontmatter
  CHANGED_IDENTITY=$(echo "$DELTA" | grep -E '^(AGENT|CONTRACT|DISCLOSURE)\.md$' || true)
  if [ -n "$CHANGED_IDENTITY" ]; then
    emit "check 3: validating frontmatter…"
    for f in $CHANGED_IDENTITY; do
      python3 - "$REPO_ROOT/$f" <<'PY' || fail "$f: frontmatter invalid"
import sys, re, yaml
content = open(sys.argv[1]).read()
m = re.match(r"^---\n(.*?)\n---", content, re.DOTALL)
if not m: print(f"missing YAML frontmatter", file=sys.stderr); sys.exit(1)
fm = yaml.safe_load(m.group(1)) or {}
req = {"name", "tier", "status", "owner", "source", "last_reviewed", "description"}
missing = req - set(fm.keys())
if missing: print(f"frontmatter missing: {', '.join(missing)}", file=sys.stderr); sys.exit(1)
PY
    done
  fi

  # check 6: disclosure drift (only if manifest changed)
  if echo "$DELTA" | grep -q '^manifest\.yaml$'; then
    emit "check 6: disclosure drift…"
    # 6.a skills drift
    if command -v hermes >/dev/null 2>&1; then
      declared=$(yq -r '.disclosure.skills[].id' "$REPO_ROOT/manifest.yaml" 2>/dev/null | sort -u)
      live=$(hermes -p "$PROFILE_NAME" skills list 2>/dev/null | awk 'NR>3 && /enabled|│ *enabled/ {for (i=1; i<=NF; i++) if ($i != "│" && $i != "enabled") {print $i; break}}' | sort -u || echo "")
      if [ -n "$live" ]; then
        drift=$(diff <(echo "$declared") <(echo "$live") 2>/dev/null || true)
        [ -n "$drift" ] && fail "skills drift: $drift"
      else
        emit "  (skip 6.a — hermes CLI live-skill query returned empty; WARN)"
      fi
    else
      emit "  (skip 6.a — hermes CLI not on PATH; WARN)"
    fi
    # 6.b/6.c/6.d/6.e simplified: just confirm manifest yq parses + sovereign_only invariant
    if [ "$(yq '.disclosure.sovereign_only' "$REPO_ROOT/manifest.yaml")" = "true" ]; then
      bad=$(yq -r '.disclosure.skills[] | select(.hosted_api != null) | .id' "$REPO_ROOT/manifest.yaml" 2>/dev/null)
      [ -n "$bad" ] && fail "sovereign_only=true but skills declare hosted_api: $bad"
    fi
  fi

  # bypass marker categorization
  for sha in $(git rev-list "$base..$local_sha"); do
    MSG=$(git log -1 --format=%B "$sha")
    bypass_line=$(echo "$MSG" | grep -E '^enforcement-bypass:' || true)
    if [ -n "$bypass_line" ]; then
      if ! echo "$bypass_line" | grep -qE '^enforcement-bypass: (emergency|upstream-blocker|schema-migration|hermes-bug|third-party-bug) — '; then
        fail "$sha: bypass marker uncategorized — required: 'enforcement-bypass: <CATEGORY> — <line>'"
      fi
    fi
  done
done

if [ "$VIOLATIONS" -gt 0 ]; then
  emit "✗ $VIOLATIONS violation(s) — push blocked"
  exit 1
fi
emit "✓ subrepo pre-push gate passed"
exit 0
HOOK_EOF
  chmod +x "$HOOK_DST"
  echo "  F4 installed: $HOOK_DST"
fi

echo ""
echo "== done. canonical install: hermes profile install $REPO =="
echo "  verify:                       hermes -p $PROFILE_NAME skills list | grep cto-agent"
echo "  verify assignee registered:   hermes kanban assignees | grep $PROFILE_NAME"
echo "  start gateway (when ready):   hermes profile gateway start $PROFILE_NAME"