diff --git a/DISCLOSURE.md b/DISCLOSURE.md
new file mode 100644
index 0000000..e54a73c
--- /dev/null
+++ b/DISCLOSURE.md
@@ -0,0 +1,144 @@
+---
+name: disclosure-steev
+tier: T2
+status: active
+owner: jp
+source: generated
+last_reviewed: 2026-05-24
+review_by: 2026-08-22
+depends_on:
+ - disclosure-schema
+ - profile-distribution-protocol
+description: Canonical disclosure of steev — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6.
+auto_regen_cmd: "yq '.disclosure' manifest.yaml | "
+---
+
+# `steev` — Disclosure
+
+> Live as of `2026-05-24`. Source: `steev/manifest.yaml → disclosure:` block. Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p steev` runtime.
+
+## §1 Identity
+
+| Field | Value |
+|---|---|
+| Profile ID | `steev` |
+| Repo | `/home/svrnty/workspaces/hermes/steev/` |
+| Scope | `personal` |
+| Org | `personal` |
+| Owner | `jp` |
+| Approval authority | `jp` |
+| Role type | `personal-assistant` (Chief of Staff) |
+| State | `stateful` (`steev.db` runtime-only, never committed) |
+| Version | `1.0.0` |
+| North star | keep JP unblocked — surface what needs attention, draft in JP voice, delegate business work to CEO |
+| Chat-facing | `true` |
+| Delegates to | `ceo-planb` |
+| Sovereign-only | `false` |
+
+## §2 Inheritance posture
+
+| Field | Value | Rationale |
+|---|---|---|
+| `inherit_builtins` | `false` | Closes Wave-1 finding: 18 silently-enabled builtins (only `kanban-worker` cited in steev/ code — kept via explicit allowlist) |
+| `inherit_mcp_toolsets` | `false` | **CLAUDE.md hard-rule fix.** Closes Wave-1 finding: `bte` MCP silently leaked from host. `bte` = Plan B marketing platform — forbidden to steev per `steev/CLAUDE.md:14` ("No access to Plan B marketing platform credentials (CMO-only)") |
+| `inherit_dirs` | none | No external-dir skill bundles narrowed in |
+| `sovereign_only` | `false` | steev intentionally calls Perplexity (hosted) for lightweight WebSearch per `manifest.yaml:90` — disclosed honestly |
+
+## §3 Skills (6)
+
+Per `disclosure.skills` enum. Each row matches `hermes -p steev skills list` enabled set (pre-push check 6.a enforces).
+
+| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
+|---|---|---|---|---|---|
+| `steev-agent` | local | orchestrator | — | — | Orchestrator — daily briefing, inbox triage, comms drafting, delegate-to-CEO |
+| `proton-tools` | local | toolkit | — | — | 24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface |
+| `google-workspace` | builtin | engine | — | — | Gmail+Calendar+Contacts for daily briefing + inbox triage (manifest L46) |
+| `obsidian` | builtin | engine | — | — | PKM vault at `~/vaults/steev` (CLAUDE.md L17) |
+| `himalaya` | builtin | engine | — | — | IMAP/SMTP via proton-bridge (manifest L50) |
+| `kanban-worker` | builtin | engine | — | — | CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83) |
+
+**Totals.** 6 skills total. Source breakdown: 2 local, 0 hub, 4 builtin, 0 external_dir.
+
+**Wave-1 → Wave-4 delta.** Live `hermes -p steev skills list` showed 21 enabled (2 local + 18 builtins +/- the 7 declared external set). Wave-4 narrows to 6 — drops 17 inherited builtins (15 uncited; 8 of the 17 are CONTRACT.md §9 v2+ REUSE candidates re-added when v2 lands).
+
+## §4 MCP servers (0)
+
+No MCP servers exposed — deny-by-default allowlist is empty.
+
+**Wave-1 → Wave-4 delta.** Live `hermes -p steev mcp list` showed `bte` registered + enabled (silently inherited via host-global `agent.inherit_mcp_toolsets: true`). Wave-4 sets `inherit_mcp_toolsets: false` and omits `bte` from the allowlist — **resolves CLAUDE.md hard-rule violation**. Four manifest-declared MCP installs (`mcp_proton_calendar`, `mcp_proton_email`, `mcp_proton_contacts`, `mcp_perplexity`) are NOT registered today; ADD-back deferred (see §12).
+
+## §5 Sovereign APIs (0)
+
+No direct HTTP/gRPC sovereign API calls. Indirect access flows through the (currently unregistered) Proton/Perplexity MCP servers.
+
+## §6 Cortex tools (0)
+
+No `cortex/L6-*` or `cortex/PG-*` libraries consumed at runtime. `lib/` scripts (`credbridge.sh`, `validate_access.sh`) are repo-local utility shims, not cortex tools.
+
+## §7 Credentials (3 declared)
+
+Per `disclosure.credentials` allowlist. Names + scopes only — NEVER values. Pre-push check 6.d enforces vault_name exact-match.
+
+| Vault name | Status | Scope | Used by | Governance |
+|---|---|---|---|---|
+| `google-workspace` | required | read-write | `credbridge.sh` | JP-personal; Gmail+Calendar+Contacts for briefing + inbox triage |
+| `proton-bridge-imap` | required | read-write | `credbridge.sh` | JP-personal; local Proton Bridge IMAP/SMTP (himalaya path) |
+| `perplexity-api` | optional | read | `credbridge.sh` | JP-personal; WebSearch fallback (MCP path preferred) |
+
+> **PENDING JP REVIEW** — Per Wave-3 recommendations §5a, all three declared names are reported by audit as not exact-matching the vault (`credctl list` shows `proton-bridge-imap-pass`/`-user` split, `perplexity` without `-api`, and `google-workspace` plausibly absent or composite). Cred-rename rows are governance-class W3.4 and require JP decision (manifest-rename vs vault-rename vs bundle-indirection) — surfaced in §12.
+
+## §8 Cron (1)
+
+| Job | Schedule | Skill | Disabled on install |
+|---|---|---|---|
+| `steev-daily-briefing` | `30 6 * * *` (06:30 local) | `steev-agent` | `true` (per §6 Safety) |
+
+## §9 Drift status
+
+| Surface | Declared | Live (Wave-1) | Status |
+|---|---|---|---|
+| Skills | 6 | 21 enabled | drift expected post-Wave-4 reinstall → in-sync |
+| MCP servers | 0 | 1 (`bte`) | drift — Wave-4 reinstall removes `bte`; pending install.sh patch + reinstall |
+| MCP tools (total) | 0 | n/a (`bte` is `all`-tools) | n/a after MCP removal |
+| Credentials | 3 | 3 declared, 3 vault-name mismatches | name-canonicalization drift (PENDING JP, §12) |
+
+> Pre-push hook check 6 last run: not yet — Wave-4 inserts the check; first run validates this disclosure after `install.sh` reapplies `disclosure.*` to `~/.hermes/profiles/steev/config.yaml`.
+
+## §10 Sovereign-purity audit
+
+- Steev's owned code (`steev/skills/`, `steev/lib/`): **CLEAN** — only Proton + Google Workspace + Perplexity (last is hosted but `sovereign_only: false` discloses honestly).
+- Bundled-skill exposure layer: **CLEAN post-Wave-4** — 17 builtins removed; only 4 builtins allowlisted (google-workspace, obsidian, himalaya, kanban-worker), none hosted-API.
+- `sovereign_only: false` — validator rule 6.e does not apply.
+
+## §11 Governance refs
+
+- Vision: `../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md`, `../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md`
+- Governing protocols: `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`
+- Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`
+- Brand master ref: omitted (scope: personal) — steev serves JP personally, not a brand/org
+
+## §12 Open issues + next steps (PENDING JP REVIEW)
+
+Rows below are **PAUSED for JP** per W3.4 governance-class rule. Wave-4 applies auto-approved rows only (REMOVE bte MCP + DROP 17 builtins + scaffold disclosure block). JP must mark each PAUSE row approve/reject/edit before next apply wave.
+
+| # | Topic | Recommended action | Why PAUSED |
+|---|---|---|---|
+| 1 | Personal-scope discriminator values (`chat_facing: true`, `delegates_to: [ceo-planb]`, `sovereign_only: false`) | Confirm values | New disclosure surface; JP confirms intent matches CLAUDE.md L7-L8 + CONTRACT delegation chain |
+| 2 | Cred `google-workspace` not in vault | (a) add composite OAuth JSON to vault, OR (b) split manifest into per-cred entries matching vault | Cred binding (W3.4) |
+| 3 | Cred `proton-bridge-imap` vs vault `proton-bridge-imap-pass` + `proton-bridge-imap-user` | Rename manifest entry to TWO entries matching vault | Cred binding (W3.4) |
+| 4 | Cred `perplexity-api` vs vault `perplexity` | Rename manifest declaration `perplexity-api` → `perplexity` (exact-match per schema §4.5) | Cred binding (W3.4) |
+| 5 | 5 vault entries plausibly steev-scope but undeclared (`proton-account-email`, `proton-account-password`, `proton-mailbox-password`, `proton-bridge-imap-pass`, `proton-bridge-imap-user`) | ADD to `disclosure.credentials` after MCP install confirms which are consumed | Cred binding (W3.4); also depends on MCP install (row 6) |
+| 6 | 4 declared MCP servers absent from `hermes mcp list` (`mcp_proton_calendar`, `mcp_proton_email`, `mcp_proton_contacts`, `mcp_perplexity`) | Confirm install order — Wave-4 install.sh patch, or deferred | Install gap; cred-adjacent |
+| 7 | macOS-only externals (`apple-notes`, `apple-reminders`, `imessage`) in `expected_external_skills` | Gate on OS in `install.sh`, or document as macOS-host-only | OS-platform decision |
+| 8 | Pre-push hook check 6 not yet wired (curator/lib/pre-push.sh patch belongs to Wave-5+) | Wire check 6 per DISCLOSURE-SCHEMA §6 | Cross-profile rollup (Wave-5) |
+
+## §13 Related
+
+- [`../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`](../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md) — schema definition
+- [`../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`](../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md) — protocol disclosure extends
+- [`../sot/06-REGISTRY/PROFILE-CATALOG.md`](../sot/06-REGISTRY/PROFILE-CATALOG.md) — fleet rollup (aggregates this doc + 4 siblings)
+- [`../sot/06-REGISTRY/audits/AUDIT-steev-2026-05-24.md`](../sot/06-REGISTRY/audits/AUDIT-steev-2026-05-24.md) — Wave-1 discovery
+- [`../sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md`](../sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md) — Wave-3 recommendations
+- `./manifest.yaml` — machine-readable `disclosure:` block
+- `./AGENT.md` — identity (T2)
+- `./CONTRACT.md` — behavior contract (T1)
diff --git a/manifest.yaml b/manifest.yaml
index 55f05e0..8bea183 100644
--- a/manifest.yaml
+++ b/manifest.yaml
@@ -88,3 +88,77 @@ sovereignty:
 host: dgx-spark
 external_api_dependencies:
 - perplexity # WebSearch only; build-time research path. Daily briefing scan uses 1-2 items.
+
+# Disclosure block — runtime-truth contract per sot/04-STANDARDS/DISCLOSURE-SCHEMA.md.
+# Wave-4 apply (2026-05-24). Closes Wave-1 audit findings:
+# - HARD-RULE FIX: REMOVE bte MCP (Plan B marketing infra; CLAUDE.md:14 forbids
+# access — steev is JP-personal-scope).
+# - DENY 17 silently-inherited builtin skills (only kanban-worker kept for CEO
+# delegation transport).
+# - Personal-scope discriminator fields (scope/chat_facing/delegates_to) populated.
+# Pre-push hook check 6 enforces this == live `hermes -p steev …` runtime.
+disclosure:
+ scope: personal
+ schema_version: 1
+ chat_facing: true # sole JP chat touchpoint per CLAUDE.md L7-L8
+ delegates_to: [ceo-planb] # business work routed to CEO via kanban
+ inherit_builtins: false # deny Hermes 84-builtin default; allowlist below
+ inherit_mcp_toolsets: false # deny host MCP propagation (closes bte leak)
+ sovereign_only: false # perplexity (hosted) intentionally called for WebSearch
+ inherit_dirs: []
+
+ skills:
+ - id: steev-agent
+ source: local
+ path: skills/steev-agent
+ role: orchestrator
+ - id: proton-tools
+ source: local
+ path: skills/proton-tools
+ role: toolkit
+ justification: "24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface"
+ - id: google-workspace
+ source: builtin
+ path: productivity/google-workspace
+ role: engine
+ justification: "Gmail+Calendar+Contacts for daily briefing + inbox triage (manifest L46)"
+ - id: obsidian
+ source: builtin
+ path: note-taking/obsidian
+ role: engine
+ justification: "PKM vault at ~/vaults/steev (CLAUDE.md L17)"
+ - id: himalaya
+ source: builtin
+ path: email/himalaya
+ role: engine
+ justification: "IMAP/SMTP via proton-bridge (manifest L50)"
+ - id: kanban-worker
+ source: builtin
+ path: devops/kanban-worker
+ role: engine
+ justification: "CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83)"
+
+ mcp_servers: [] # DENY-BY-DEFAULT. bte REMOVED (hard-rule fix).
+ # proton-* + perplexity MCP installs PENDING JP review
+ # (install-gap row in DISCLOSURE.md §12).
+
+ sovereign_apis: [] # 0 direct HTTP/gRPC calls (per audit §3)
+
+ cortex_tools: [] # steev does not consume cortex/L6-* or cortex/PG-*
+
+ credentials:
+ - vault_name: google-workspace
+ status: required
+ scope: read-write
+ used_by: [credbridge.sh]
+ governance: "JP-personal; Gmail+Calendar+Contacts for briefing + inbox triage"
+ - vault_name: proton-bridge-imap
+ status: required
+ scope: read-write
+ used_by: [credbridge.sh]
+ governance: "JP-personal; local Proton Bridge IMAP/SMTP (himalaya path)"
+ - vault_name: perplexity-api
+ status: optional
+ scope: read
+ used_by: [credbridge.sh]
+ governance: "JP-personal; WebSearch fallback (MCP path preferred)"
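Review bot: The header comment ending `Pre-push hook check 6 enforces this == live ... runtime` describes a control that this same commit's DISCLOSURE.md (§9 and §12 row 8) says is not yet wired, so at present nothing fails a push when the live profile drifts from this allowlist. I would word it as intent, e.g. `# Pre-push hook check 6 (NOT YET WIRED — DISCLOSURE.md §12 row 8) is intended to enforce this == live runtime.`, so nobody reads the deny-by-default lists as already enforced. The `credentials:` entries have the same problem: all three `vault_name` values are committed although DISCLOSURE.md §7 reports that none exact-matches the vault, and unlike `mcp_servers`, the list carries no pending marker. A comment above it such as `# vault_name values PENDING JP review — known vault mismatches, DISCLOSURE.md §12 rows 2-4` would keep them from being taken as verified bindings. It may also be worth confirming that `scope: read-write` on `google-workspace` is needed for briefing and triage, since the hunk gives no justification for write access.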