hermes/steev
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(disclosure): Wave 4 — steev disclosure: block (CLAUDE.md hard-rule fix: REMOVE bte MCP) — sprint 2026-05-24

Browse Source 
Applies Wave-3 auto-approved recommendations per
sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md.

HARD-RULE FIX:
  - REMOVE bte MCP (inherit_mcp_toolsets: false + mcp_servers: []).
    bte = Plan B marketing platform; steev/CLAUDE.md:14 forbids access.

Auto-approved REMOVE/DROP:
  - 17 silently-inherited builtin skills denied (inherit_builtins: false).
  - Skills allowlist narrowed to 6: steev-agent, proton-tools, google-workspace,
    obsidian, himalaya, kanban-worker.

ADD (auto-approved):
  - schema_version: 1
  - inherit_builtins: false, inherit_mcp_toolsets: false

ADD (PAUSED-for-JP rows surfaced in DISCLOSURE.md §12):
  - Personal-scope discriminators (scope/chat_facing/delegates_to/sovereign_only)
    populated per audit §7d; values confirmation pending JP.
  - 3 cred name-mismatches kept as-declared in manifest; rename decision deferred
    (manifest vs vault vs bundle-indirection — W3.4 governance class).
  - 4 manifest-declared MCP installs (mcp_proton_*, mcp_perplexity) not registered;
    install ordering deferred.

Surface: 2 files only — steev/manifest.yaml + steev/DISCLOSURE.md.
sot-precommit --full-tree: EXIT 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Svrnty 2026-05-24 15:59:58 -04:00
parent ff2b88a088
commit 8e8ced470b
2 changed files with 218 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
DISCLOSURE.md Normal file
View File

@ -0,0 +1,144 @@
---
name: disclosure-steev
tier: T2
status: active
owner: jp
source: generated
last_reviewed: 2026-05-24
review_by: 2026-08-22
depends_on:
- disclosure-schema
- profile-distribution-protocol
description: Canonical disclosure of steev — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6.
auto_regen_cmd: "yq '.disclosure' manifest.yaml | <renderer-script>"
---
# `steev` — Disclosure
> Live as of `2026-05-24`. Source: `steev/manifest.yaml → disclosure:` block. Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p steev` runtime.
## §1 Identity
| Field | Value |
|---|---|
| Profile ID | `steev` |
| Repo | `/home/svrnty/workspaces/hermes/steev/` |
| Scope | `personal` |
| Org | `personal` |
| Owner | `jp` |
| Approval authority | `jp` |
| Role type | `personal-assistant` (Chief of Staff) |
| State | `stateful` (`steev.db` runtime-only, never committed) |
| Version | `1.0.0` |
| North star | keep JP unblocked — surface what needs attention, draft in JP voice, delegate business work to CEO |
| Chat-facing | `true` |
| Delegates to | `ceo-planb` |
| Sovereign-only | `false` |
## §2 Inheritance posture
| Field | Value | Rationale |
|---|---|---|
| `inherit_builtins` | `false` | Closes Wave-1 finding: 18 silently-enabled builtins (only `kanban-worker` cited in steev/ code — kept via explicit allowlist) |
| `inherit_mcp_toolsets` | `false` | **CLAUDE.md hard-rule fix.** Closes Wave-1 finding: `bte` MCP silently leaked from host. `bte` = Plan B marketing platform — forbidden to steev per `steev/CLAUDE.md:14` ("No access to Plan B marketing platform credentials (CMO-only)") |
| `inherit_dirs` | none | No external-dir skill bundles narrowed in |
| `sovereign_only` | `false` | steev intentionally calls Perplexity (hosted) for lightweight WebSearch per `manifest.yaml:90` — disclosed honestly |
## §3 Skills (6)
Per `disclosure.skills` enum. Each row matches `hermes -p steev skills list` enabled set (pre-push check 6.a enforces).
| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
|---|---|---|---|---|---|
| `steev-agent` | local | orchestrator | — | — | Orchestrator — daily briefing, inbox triage, comms drafting, delegate-to-CEO |
| `proton-tools` | local | toolkit | — | — | 24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface |
| `google-workspace` | builtin | engine | — | — | Gmail+Calendar+Contacts for daily briefing + inbox triage (manifest L46) |
| `obsidian` | builtin | engine | — | — | PKM vault at `~/vaults/steev` (CLAUDE.md L17) |
| `himalaya` | builtin | engine | — | — | IMAP/SMTP via proton-bridge (manifest L50) |
| `kanban-worker` | builtin | engine | — | — | CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83) |
**Totals.** 6 skills total. Source breakdown: 2 local, 0 hub, 4 builtin, 0 external_dir.
**Wave-1 → Wave-4 delta.** Live `hermes -p steev skills list` showed 21 enabled (2 local + 18 builtins +/- the 7 declared external set). Wave-4 narrows to 6 — drops 17 inherited builtins (15 uncited; 8 of the 17 are CONTRACT.md §9 v2+ REUSE candidates re-added when v2 lands).
## §4 MCP servers (0)
No MCP servers exposed — deny-by-default allowlist is empty.
**Wave-1 → Wave-4 delta.** Live `hermes -p steev mcp list` showed `bte` registered + enabled (silently inherited via host-global `agent.inherit_mcp_toolsets: true`). Wave-4 sets `inherit_mcp_toolsets: false` and omits `bte` from the allowlist — **resolves CLAUDE.md hard-rule violation**. Four manifest-declared MCP installs (`mcp_proton_calendar`, `mcp_proton_email`, `mcp_proton_contacts`, `mcp_perplexity`) are NOT registered today; ADD-back deferred (see §12).
## §5 Sovereign APIs (0)
No direct HTTP/gRPC sovereign API calls. Indirect access flows through the (currently unregistered) Proton/Perplexity MCP servers.
## §6 Cortex tools (0)
No `cortex/L6-*` or `cortex/PG-*` libraries consumed at runtime. `lib/` scripts (`credbridge.sh`, `validate_access.sh`) are repo-local utility shims, not cortex tools.
## §7 Credentials (3 declared)
Per `disclosure.credentials` allowlist. Names + scopes only — NEVER values. Pre-push check 6.d enforces vault_name exact-match.
| Vault name | Status | Scope | Used by | Governance |
|---|---|---|---|---|
| `google-workspace` | required | read-write | `credbridge.sh` | JP-personal; Gmail+Calendar+Contacts for briefing + inbox triage |
| `proton-bridge-imap` | required | read-write | `credbridge.sh` | JP-personal; local Proton Bridge IMAP/SMTP (himalaya path) |
| `perplexity-api` | optional | read | `credbridge.sh` | JP-personal; WebSearch fallback (MCP path preferred) |
> **PENDING JP REVIEW** — Per Wave-3 recommendations §5a, all three declared names are reported by audit as not exact-matching the vault (`credctl list` shows `proton-bridge-imap-pass`/`-user` split, `perplexity` without `-api`, and `google-workspace` plausibly absent or composite). Cred-rename rows are governance-class W3.4 and require JP decision (manifest-rename vs vault-rename vs bundle-indirection) — surfaced in §12.
## §8 Cron (1)
| Job | Schedule | Skill | Disabled on install |
|---|---|---|---|
| `steev-daily-briefing` | `30 6 * * *` (06:30 local) | `steev-agent` | `true` (per §6 Safety) |
## §9 Drift status
| Surface | Declared | Live (Wave-1) | Status |
|---|---|---|---|
| Skills | 6 | 21 enabled | drift expected post-Wave-4 reinstall → in-sync |
| MCP servers | 0 | 1 (`bte`) | drift — Wave-4 reinstall removes `bte`; pending install.sh patch + reinstall |
| MCP tools (total) | 0 | n/a (`bte` is `all`-tools) | n/a after MCP removal |
| Credentials | 3 | 3 declared, 3 vault-name mismatches | name-canonicalization drift (PENDING JP, §12) |
> Pre-push hook check 6 last run: not yet — Wave-4 inserts the check; first run validates this disclosure after `install.sh` reapplies `disclosure.*` to `~/.hermes/profiles/steev/config.yaml`.
## §10 Sovereign-purity audit
- Steev's owned code (`steev/skills/`, `steev/lib/`): **CLEAN** — only Proton + Google Workspace + Perplexity (last is hosted but `sovereign_only: false` discloses honestly).
- Bundled-skill exposure layer: **CLEAN post-Wave-4** — 17 builtins removed; only 4 builtins allowlisted (google-workspace, obsidian, himalaya, kanban-worker), none hosted-API.
- `sovereign_only: false` — validator rule 6.e does not apply.
## §11 Governance refs
- Vision: `../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md`, `../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md`
- Governing protocols: `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`
- Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`
- Brand master ref: omitted (scope: personal) — steev serves JP personally, not a brand/org
## §12 Open issues + next steps (PENDING JP REVIEW)
Rows below are **PAUSED for JP** per W3.4 governance-class rule. Wave-4 applies auto-approved rows only (REMOVE bte MCP + DROP 17 builtins + scaffold disclosure block). JP must mark each PAUSE row approve/reject/edit before next apply wave.
| # | Topic | Recommended action | Why PAUSED |
|---|---|---|---|
| 1 | Personal-scope discriminator values (`chat_facing: true`, `delegates_to: [ceo-planb]`, `sovereign_only: false`) | Confirm values | New disclosure surface; JP confirms intent matches CLAUDE.md L7-L8 + CONTRACT delegation chain |
| 2 | Cred `google-workspace` not in vault | (a) add composite OAuth JSON to vault, OR (b) split manifest into per-cred entries matching vault | Cred binding (W3.4) |
| 3 | Cred `proton-bridge-imap` vs vault `proton-bridge-imap-pass` + `proton-bridge-imap-user` | Rename manifest entry to TWO entries matching vault | Cred binding (W3.4) |
| 4 | Cred `perplexity-api` vs vault `perplexity` | Rename manifest declaration `perplexity-api``perplexity` (exact-match per schema §4.5) | Cred binding (W3.4) |
| 5 | 5 vault entries plausibly steev-scope but undeclared (`proton-account-email`, `proton-account-password`, `proton-mailbox-password`, `proton-bridge-imap-pass`, `proton-bridge-imap-user`) | ADD to `disclosure.credentials` after MCP install confirms which are consumed | Cred binding (W3.4); also depends on MCP install (row 6) |
| 6 | 4 declared MCP servers absent from `hermes mcp list` (`mcp_proton_calendar`, `mcp_proton_email`, `mcp_proton_contacts`, `mcp_perplexity`) | Confirm install order — Wave-4 install.sh patch, or deferred | Install gap; cred-adjacent |
| 7 | macOS-only externals (`apple-notes`, `apple-reminders`, `imessage`) in `expected_external_skills` | Gate on OS in `install.sh`, or document as macOS-host-only | OS-platform decision |
| 8 | Pre-push hook check 6 not yet wired (curator/lib/pre-push.sh patch belongs to Wave-5+) | Wire check 6 per DISCLOSURE-SCHEMA §6 | Cross-profile rollup (Wave-5) |
## §13 Related
- [`../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`](../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md) — schema definition
- [`../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`](../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md) — protocol disclosure extends
- [`../sot/06-REGISTRY/PROFILE-CATALOG.md`](../sot/06-REGISTRY/PROFILE-CATALOG.md) — fleet rollup (aggregates this doc + 4 siblings)
- [`../sot/06-REGISTRY/audits/AUDIT-steev-2026-05-24.md`](../sot/06-REGISTRY/audits/AUDIT-steev-2026-05-24.md) — Wave-1 discovery
- [`../sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md`](../sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md) — Wave-3 recommendations
- `./manifest.yaml` — machine-readable `disclosure:` block
- `./AGENT.md` — identity (T2)
- `./CONTRACT.md` — behavior contract (T1)

74
manifest.yaml
View File

@ -88,3 +88,77 @@ sovereignty:
host: dgx-spark host: dgx-spark
external_api_dependencies: external_api_dependencies:
- perplexity # WebSearch only; build-time research path. Daily briefing scan uses 1-2 items. - perplexity # WebSearch only; build-time research path. Daily briefing scan uses 1-2 items.
# Disclosure block — runtime-truth contract per sot/04-STANDARDS/DISCLOSURE-SCHEMA.md.
# Wave-4 apply (2026-05-24). Closes Wave-1 audit findings:
# - HARD-RULE FIX: REMOVE bte MCP (Plan B marketing infra; CLAUDE.md:14 forbids
# access — steev is JP-personal-scope).
# - DENY 17 silently-inherited builtin skills (only kanban-worker kept for CEO
# delegation transport).
# - Personal-scope discriminator fields (scope/chat_facing/delegates_to) populated.
# Pre-push hook check 6 enforces this == live `hermes -p steev …` runtime.
disclosure:
scope: personal
schema_version: 1
chat_facing: true # sole JP chat touchpoint per CLAUDE.md L7-L8
delegates_to: [ceo-planb] # business work routed to CEO via kanban
inherit_builtins: false # deny Hermes 84-builtin default; allowlist below
inherit_mcp_toolsets: false # deny host MCP propagation (closes bte leak)
sovereign_only: false # perplexity (hosted) intentionally called for WebSearch
inherit_dirs: []
skills:
- id: steev-agent
source: local
path: skills/steev-agent
role: orchestrator
- id: proton-tools
source: local
path: skills/proton-tools
role: toolkit
justification: "24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface"
- id: google-workspace
source: builtin
path: productivity/google-workspace
role: engine
justification: "Gmail+Calendar+Contacts for daily briefing + inbox triage (manifest L46)"
- id: obsidian
source: builtin
path: note-taking/obsidian
role: engine
justification: "PKM vault at ~/vaults/steev (CLAUDE.md L17)"
- id: himalaya
source: builtin
path: email/himalaya
role: engine
justification: "IMAP/SMTP via proton-bridge (manifest L50)"
- id: kanban-worker
source: builtin
path: devops/kanban-worker
role: engine
justification: "CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83)"
mcp_servers: [] # DENY-BY-DEFAULT. bte REMOVED (hard-rule fix).
# proton-* + perplexity MCP installs PENDING JP review
# (install-gap row in DISCLOSURE.md §12).
sovereign_apis: [] # 0 direct HTTP/gRPC calls (per audit §3)
cortex_tools: [] # steev does not consume cortex/L6-* or cortex/PG-*
credentials:
- vault_name: google-workspace
status: required
scope: read-write
used_by: [credbridge.sh]
governance: "JP-personal; Gmail+Calendar+Contacts for briefing + inbox triage"
- vault_name: proton-bridge-imap
status: required
scope: read-write
used_by: [credbridge.sh]
governance: "JP-personal; local Proton Bridge IMAP/SMTP (himalaya path)"
- vault_name: perplexity-api
status: optional
scope: read
used_by: [credbridge.sh]
governance: "JP-personal; WebSearch fallback (MCP path preferred)"