Refine Steev profile disclosure and Proton tools

2026-05-30 23:35:53 -04:00 · 2026-05-30 23:35:53 -04:00 · 0487a3d8fd
commit 0487a3d8fd
parent fdc27aa92f
3 changed files with 52 additions and 10 deletions
--- a/install.sh
+++ b/install.sh
@ -358,6 +358,17 @@ else
  echo "  WARN: F6 yq/global config missing — skipping MCP materialization"
 fi

+echo ""
+echo "== model policy → Codex primary + Qwen fallback =="
+POLICY_SCRIPT="$(cd "$REPO/.." && pwd)/scripts/apply-hermes-model-policy.py"
+if [ "$DRY" = 1 ]; then
+  echo "DRY: python3 '$POLICY_SCRIPT' --config '$PROFILE_CFG'"
+elif [ -f "$POLICY_SCRIPT" ]; then
+  python3 "$POLICY_SCRIPT" --config "$PROFILE_CFG"
+else
+  echo "  WARN: policy script not found: $POLICY_SCRIPT"
+fi
+
 # F7 — macOS-only externals OS-gate (Wave 8 Q10)
 # Reads expected_external_skills entries with os_constraint: darwin and emits
 # an INFO line on non-Darwin hosts. No install action (these are external
--- a/manifest.yaml
+++ b/manifest.yaml
@ -153,13 +153,43 @@ disclosure:
      role: engine
      justification: "CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83)"

-  mcp_servers: []                           # DENY-BY-DEFAULT. bte REMOVED (hard-rule fix).
-                                            # Wave 8 (2026-05-24): install.sh F6 wires the 3 proton MCPs
-                                            # (proton-calendar, proton-email, proton-contacts) into per-profile
-                                            # runtime config from manifest.optional_tools. mcp_perplexity is
-                                            # deferred — server not yet in `hermes mcp list`.
-                                            # Per-tool enumeration in disclosure.mcp_servers DEFERRED to
-                                            # Wave 8.5 (requires tool introspection per server).
+  mcp_servers:
+    - name: proton-calendar
+      description: "Proton Calendar facade"
+      tools:
+        - calendar_list
+        - calendar_events
+        - calendar_upcoming
+        - calendar_search
+        - calendar_event_get
+        - calendar_create
+        - calendar_update
+        - calendar_delete
+    - name: proton-email
+      description: "Proton Email facade"
+      tools:
+        - email_folders
+        - email_list
+        - email_read
+        - email_search
+        - email_send
+        - email_reply
+        - email_forward
+        - email_archive
+        - email_mark_read
+        - email_mark_unread
+    - name: proton-contacts
+      description: "Proton Contacts facade"
+      tools:
+        - contacts_list
+        - contacts_search
+        - contacts_get
+        - contacts_create
+        - contacts_update
+        - contacts_delete
+                                            # DENY-BY-DEFAULT: bte removed (hard-rule fix).
+                                            # mcp_perplexity intentionally omitted from disclosure until it is
+                                            # registered in the live Hermes MCP list and can be introspected.

  sovereign_apis: []                        # 0 direct HTTP/gRPC calls (per audit §3)

--- a/skills/proton-tools/SKILL.md
+++ b/skills/proton-tools/SKILL.md
@ -1,6 +1,6 @@
 ---
 name: proton-tools
-description: "When Steev needs to access JP's Proton account — Calendar, Mail, or Contacts. Use this skill to discover which tool answers the user's question, and how to call it. Covers all 24 Proton MCP tools across the three cortex MCP servers (proton-calendar, proton-email, proton-contacts). Triggers: any request involving JP's calendar (events, meetings, availability), mail (inbox, send, reply, search, folders), or contacts (lookup, add, search). Drive is NOT in scope — defer Drive requests."
+description: "When Steev needs to access JP's Proton account — Calendar, Mail, Contacts, or explicitly requested Proton Drive checks via rclone. Use this skill to discover which tool answers the user's question, and how to call it. Covers all 24 Proton MCP tools across the three cortex MCP servers (proton-calendar, proton-email, proton-contacts). Triggers: any request involving JP's calendar (events, meetings, availability), mail (inbox, send, reply, search, folders), contacts (lookup, add, search), or Drive via rclone."
 metadata:
  version: 1.0.0
  hermes:
@ -13,9 +13,9 @@ Authoritative reference for the 24 tools exposed by three cortex MCP servers —

 ## Hard rules

- **Drive is out of scope.** If the user asks about Proton Drive files/folders, say so and defer — there is no `drive_*` tool. Roadmap: `rclone-module` MCP wrap.
+- **Drive is out of scope for Proton MCP tools.** There is no `drive_*` MCP tool. If the user explicitly asks to check Drive via `rclone`, use the live Proton Drive rclone remote instead of claiming no access: this Steev/Hermes profile sets `HOME=/home/svrnty/.hermes/profiles/steev/home`, so plain `rclone` sees the profile config; the working Proton Drive config is `/home/svrnty/.config/rclone/rclone.conf` with remote `proton:`. Use read-only probes first (`rclone --config /home/svrnty/.config/rclone/rclone.conf about proton: --json`) and do not list file names unless JP asks.
 - **Destructive tools require explicit confirmation.** `email_send`, `email_reply`, `email_forward`, `calendar_delete`, `contacts_delete`. Never call these without quoting back the action + target + asking JP to confirm.
- **Date inputs are ISO 8601** (`2026-05-23T14:00:00-04:00`). Convert relative dates ("tomorrow", "next Tuesday") into ISO before tool call.
+- **Calendar date filters:** the MCP schema may advertise RFC3339, but `calendar_events`/underlying gate expects date-only filters (`YYYY-MM-DD`) for reliable results. RFC3339 ranges can return empty even when events exist. Convert relative dates ("tomorrow", "next Tuesday") into `YYYY-MM-DD` for list/search filters; keep event create/update timestamps RFC3339.
 - **Pagination**: `email_list`, `calendar_events`, `contacts_list` are paginated. Default page size is small (~20). Fetch additional pages only when the user asks for more.

 ## When to use which tool
@ -82,6 +82,7 @@ Run in parallel. Merge results. Group by source.
 - **"WaitReady timeout"** → proton connector still booting. Retry once after 2-3s. If still failing, say so + suggest JP check `hermes mcp test proton`.
 - **403 / scope error** → proton session expired. Tool handler should re-auth automatically; if not, JP needs to re-run setup.
 - **Network / 5xx** → transient. Retry once. If persistent, report and stop.
+- **`calendar_create` timeout** → do not retry blindly. First verify the target date range with `calendar_events` using `YYYY-MM-DD` filters to avoid duplicate events. If the event is still absent, one direct gate fallback may be attempted. If creates keep timing out while reads work, refresh `sdo-calendar-gate`: `docker restart sdo-calendar-gate`, wait for `connected to Proton` + `calendar-gate gRPC server listening`, then retry once. If restart fails with a bind-mount error because `/home/svrnty/workspaces/cortex/svrnty.sdo-agents/config/calendar-gate.toml` is a directory, replace it with a symlink to `../../L3-svrnty.agents-fleet/config/calendar-gate.toml`, then `docker start sdo-calendar-gate`.

 ## What NOT to do