Compare commits


40 Commits

Author SHA1 Message Date
Svrnty 26411d6128 Normalize Steev pickup posture 2026-06-19 07:36:30 -04:00
Svrnty 0c549cb620 Align WorkBoard validator with closed-owner rule 2026-06-18 14:00:20 -04:00
Svrnty 958890ff7e Clear completed WorkBoard owners 2026-06-18 13:57:18 -04:00
Svrnty da9d1df0ff Validate Steev profile review 2026-06-18 11:08:02 -04:00
Svrnty 0ec0f886c4 Classify Steev local ignored state 2026-06-18 06:34:03 -04:00
Svrnty 3d0ab3fa14 Normalize AGENTS pickup field 2026-06-18 05:15:50 -04:00
Svrnty 74224da778 Add Steev legacy ingest overview 2026-06-18 03:03:49 -04:00
Svrnty 71eb1d6b22 Compact Steev agent pickup 2026-06-18 01:33:38 -04:00
Svrnty aadd2ce5ea Add Steev navigation index 2026-06-17 23:36:07 -04:00
Svrnty e3ada3edea Normalize AGENTS authority pickup 2026-06-17 22:15:24 -04:00
Svrnty 0e194f64f2 Add Steev agent contract blocks 2026-06-17 19:06:30 -04:00
Svrnty 6edcaaff33 docs: add steev endgoal pickup 2026-06-16 16:56:47 -04:00
Svrnty 7184c7dc01 CC: clear Steev completed owners 2026-06-15 16:17:57 -04:00
Svrnty e5d71b697d CC: refresh Steev governed boundary source lock 2026-06-15 16:13:58 -04:00
Svrnty 777806cee1 CC: tolerate repaired Core S654 validator 2026-06-15 06:44:40 -04:00
Svrnty 76ae8ad2f1 docs: pin Steev governed boundary 2026-06-15 05:55:31 -04:00
Svrnty 121b5bb1e6 docs: reconcile Steev Core Seed readiness 2026-06-15 00:47:38 -04:00
Svrnty 3b926000a6 docs: pick up proton bridge unit convergence 2026-06-14 11:21:30 -04:00
Svrnty f127076665 docs: pick up proton rclone runtime gate repair 2026-06-14 11:09:17 -04:00
Svrnty 5d77eaffc9 docs: link proton rclone child candidate to personal-agent 2026-06-14 10:49:01 -04:00
Svrnty d19825c3e6 docs: reconcile personal-agent secondbrain apply route 2026-06-14 09:39:12 -04:00
Svrnty 389bd1e89d docs: link imessage intake to secondbrain route 2026-06-14 09:08:42 -04:00
Svrnty 8c8d005fe8 docs: reconcile proton rclone runtime posture 2026-06-14 09:07:14 -04:00
Svrnty 0944fc7fd0 docs: define personal-agent desktop exposure contract 2026-06-14 08:46:33 -04:00
Svrnty 8274edffeb docs: capture personal-agent runtime readiness snapshot 2026-06-14 08:40:58 -04:00
Svrnty 412f669b93 docs: hand off personal-agent services to conductor curator 2026-06-14 08:36:34 -04:00
Svrnty 5807a86b2e docs: define personal Secondbrain proposal route 2026-06-14 08:32:20 -04:00
Svrnty c1e4d77611 docs: standardize Proton rclone package candidate 2026-06-14 08:28:36 -04:00
Svrnty 91d4e7f08b docs: bind BlueBubbles to personal-agent profile 2026-06-14 08:21:40 -04:00
Svrnty 0d4a7ff4e4 chore: ignore local sandcastles 2026-06-14 08:16:27 -04:00
Svrnty 8d4b216a6f docs: enforce personal-agent profile contract 2026-06-14 08:16:03 -04:00
Svrnty 0acd11b544 docs: clarify personal-agent profile naming 2026-06-14 07:46:35 -04:00
Svrnty d2a99ca36e docs: plan Steev personal context runtime 2026-06-14 07:18:48 -04:00
Svrnty aeb17cce22 chore: sync Steev disclosure skills 2026-06-01 09:33:52 -04:00
Svrnty c7b72a8758 chore: add Cortex child governance 2026-06-01 09:30:58 -04:00
Svrnty 0487a3d8fd Refine Steev profile disclosure and Proton tools 2026-05-30 23:35:53 -04:00
Svrnty fdc27aa92f chore(steev): Wave 8.5 — strip chat_facing field (fiction — webui exposes all profiles to chat)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 19:55:17 -04:00
Svrnty 2491d48151 feat(steev): Wave 8 PAUSE-walk — apply Q4-Q10 + bte leak fix + proton-tools SKILL.md
Q4: confirm personal-scope discriminators (chat_facing, delegates_to=[ceo-planb], sovereign_only=false)
Q5: drop google-workspace cred — builtin manages own OAuth via Hermes hub (not credctl vault)
Q6: split proton-bridge-imap → proton-bridge-imap-user + proton-bridge-imap-pass (vault exact-match)
Q7: rename perplexity-api → perplexity (vault exact-match)
Q8: add 3 proton vault entries (account-email, account-password, mailbox-password)
Q9: install.sh F6 — MCP allowlist materialization; wires 3 proton MCPs, removes bte (hard-rule leak)
Q10: macOS-only externals annotated os_constraint:darwin; install.sh F7 emits INFO on non-Darwin

credbridge.sh: drop google-workspace case, rewrite proton-bridge to use 2 vault entries, rename perplexity case
Disclosure §7 rewritten with 6 credentials matching vault exact-name policy (DISCLOSURE-SCHEMA §4.5)
Disclosure §12 PAUSE table marked all 8 rows RESOLVED (rows 1-7 Wave 8, row 8 Wave 7)

Untracked skills/proton-tools/SKILL.md (90 lines, declared in manifest since Wave 4) — committed for clone-ability

Verified:
  hermes -p steev skills list → 6 enabled (matches disclosure.skills declaration)
  hermes -p steev mcp list → 3 entries (proton-calendar, proton-email, proton-contacts); bte removed
  F7 on Linux host correctly suppresses macOS-only externals

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 18:13:40 -04:00
Svrnty 959b8c8871 fix(install): R1 — COLUMNS=200 + untruncated awk parser for hermes skills list — Wave 7.5
Root cause: hermes 0.14 table renderer truncates skill names at column width
with unicode '…' suffix. Awk parser stripped '…' but couldn't recover the
truncated trailing chars (e.g., 'baoyu-article-illustr…' lost 'ator').
Fix: COLUMNS=200 env prefix forces wide table render → awk sees full names.

Affects both F2 (denylist write) and subrepo pre-push hook (drift check).
Re-run install.sh to refresh both per-profile config.yaml denylist + .git
/hooks/pre-push body.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 17:32:38 -04:00
Svrnty 57ef5411a4 feat(install): Wave 7.5 — steev F2b enable builtin allowlist via additive external_dirs — sprint 2026-05-25
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 17:20:11 -04:00
29 changed files with 4292 additions and 76 deletions
+1
@@ -3,3 +3,4 @@ steev.db
.env .env
__pycache__/ __pycache__/
*.pyc *.pyc
.sandcastles/
+3 -1
@@ -11,9 +11,11 @@ depends_on:
- steev-contract - steev-contract
--- ---
> Supersession note, 2026-06-14: `personal-agent` is the canonical profile identity. Steev is the user-facing display name and current distribution alias. The active profile surface contract is `docs/contracts/personal-agent-profile-surface-contract.json`.
# Steev — Agent Identity # Steev — Agent Identity
> The WHO of this profile distribution. Loaded conceptually before the orchestrator skill. For the full operating reference, see [`docs/STEEV-MASTER.md`](docs/STEEV-MASTER.md). > The WHO of this profile distribution. Loaded conceptually before the orchestrator skill. For profile surfaces and effects, use [`docs/contracts/personal-agent-profile-surface-contract.json`](docs/contracts/personal-agent-profile-surface-contract.json).
| Field | Value | | Field | Value |
|---|---| |---|---|
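Review bot: the new supersession note names `docs/contracts/personal-agent-profile-surface-contract.json` as the active surface contract, but the frontmatter `depends_on:` shown in the context lines still lists only `steev-contract`; if the JSON contract is now authoritative for this file, add it (or its contract id) to `depends_on` so the dependency graph agrees with the note.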
+51
@@ -0,0 +1,51 @@
# Steev Profile Endgoal
Endgoal: keep `personal-agent`/Steev as the child-local JP personal assistant profile for briefing, triage, drafting, delegation, and governed personal-surface handoffs without autonomous sends, credential reads, Core authority, Runtime authority, Profile Exposure broadening, durable memory writes, or readiness claims.
Route: `steev`.
Stage: CLEAN.
Clean score: 100.
Validator: `python3 tools/validate_steev_child.py`.
Current pickup: use this workspace for personal-agent profile identity, role and boundary docs, personal-surface contracts, redacted proof refs, proposal-only memory routing records, desktop exposure contracts, runtime-readiness snapshots, validators, and handoff references; do not send, read credentials, read raw personal payloads, or claim readiness.
Authority boundary: child-local personal-agent profile workspace only; not Cortex OS Core authority, Runtime authority, Profile Exposure authority, credential authority, provider authority, send authority, memory-domain authority, browser-host authority, public product authority, release authority, production-readiness authority, or autonomous execution authority.
Legacy-work relation: old Steev/personal-agent, BlueBubbles, Proton/rclone, Secondbrain, Conductor/Curator handoff, desktop exposure, and runtime-readiness work is classified in `docs/LEGACY-INGEST.md`; preserve redacted refs and never import personal payloads because they exist.
## Universal Cortex OS Agent Contract
- Follow parent `AGENTS.md`; this file is route-local instruction before chat memory.
- For broad work, run `cortex graph context` as Derived State, then read local files.
- Before edits, read `AGENTS.md`, `README.md`, and `WORKBOARD.yaml`; keep writes route-local unless Core authorizes promotion.
- Use Karpathy rules, small profile-boundary seams, real evals, and cartesian/pragmatic/efficient/elegant no-live execution; run the validator before handoff/done.
- Keep compact refs-only proof and handoffs; do not write Hindsight memory, Core SOT, siblings, runtime state, or personal payloads without route approval.
## Repo-Custom Agent Contract
Steev is a child-local personal-agent profile workspace. It owns profile identity, role and boundary docs, personal-surface contracts, redacted proof packets, proposal-only memory routing records, desktop exposure contracts, runtime-readiness snapshots, validators, and handoff references.
Do not install or start Steev, mutate `~/.hermes`, run browser-host automation, read credentials, read raw messages, read mail bodies, read contacts, read calendar details, read drive names, send messages, write calendar/contact/drive data, write durable memory, broaden Profile Exposure, call providers, mutate Core/Seed/sibling/OpenDesign repos, or claim readiness without governed approval.
## Current Pickup
Use this workspace for profile identity, role and boundary docs, personal-surface contracts, redacted proof packets, proposal-only memory routing records, desktop exposure contracts, runtime-readiness snapshots, validators, and handoff references.
## Allowed Writes
Write inside this repo only: profile docs, contracts, redacted proof refs, proposal-only routing records, validators, workboard entries, and handoffs.
## Forbidden Effects
Do not mutate `../core/`, sibling repos, `~/.hermes`, runtime state, browser hosts, credentials, raw personal payloads, send/write surfaces, Profile Exposure, Hindsight live memory, memory domains, or readiness/release claims without governed approval.
## Validation
After edits run:
```bash
python3 tools/validate_steev_child.py
```
For governance text, use Core compact prose.
## Handoff
Handoffs are refs-only: files, validator, avoided effects, deferred legacy intentions.
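Review bot: the same pickup list appears three times in this file (the `Current pickup:` line, the first paragraph under `## Repo-Custom Agent Contract`, and `## Current Pickup`); keep one copy and have the other two reference it, otherwise the three will drift on the next edit. Also, `Stage: CLEAN.` and `Clean score: 100.` sit a few lines after the rule that forbids readiness claims; qualify them as local validator output (for example `Clean score: 100 (tools/validate_steev_child.py, local only)`) so a reader does not take them for a readiness claim.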
+3 -1
@@ -6,12 +6,14 @@ owner: jp
source: hand source: hand
last_reviewed: 2026-05-23 last_reviewed: 2026-05-23
review_by: 2026-08-21 review_by: 2026-08-21
description: steev profile behavior contract — what Steev does, doesn't do, edge cases. Tier T1 — this file wins for the steev profile. description: personal-agent behavior contract for the Steev-named distribution; the PACR profile surface contract supersedes older v1 surface assumptions.
depends_on: depends_on:
- profile-distribution-protocol - profile-distribution-protocol
note: legacy tier S remapped to T1 per FRONTMATTER-SPEC 2026-05-23. Required fields filled (name, last_reviewed, description) per §7 audit. note: legacy tier S remapped to T1 per FRONTMATTER-SPEC 2026-05-23. Required fields filled (name, last_reviewed, description) per §7 audit.
--- ---
> Supersession note, 2026-06-14: `personal-agent` is the canonical profile identity. Steev is the user-facing display name and current distribution alias. The active profile surface contract is `docs/contracts/personal-agent-profile-surface-contract.json`.
# Steev — Source of Truth # Steev — Source of Truth
**Role:** Personal Assistant / Chief of Staff for JP (Mathias) **Role:** Personal Assistant / Chief of Staff for JP (Mathias)
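Review bot: `description:` is rewritten to point at the PACR surface contract and a supersession note is added, but `last_reviewed: 2026-05-23` and `review_by: 2026-08-21` are untouched; a contract whose description changes on 2026-06-14 should bump `last_reviewed` (and `review_by`) so the FRONTMATTER-SPEC audit records the review. The `note:` line still records the tier T1 remap while the "this file wins for the steev profile" claim was dropped from the description; state explicitly whether this file or the PACR contract wins.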
+27 -17
@@ -13,6 +13,8 @@ description: Canonical disclosure of steev — exposed skills + MCP + sovereign
auto_regen_cmd: "yq '.disclosure' manifest.yaml | <renderer-script>" auto_regen_cmd: "yq '.disclosure' manifest.yaml | <renderer-script>"
--- ---
> Supersession note, 2026-06-14: this disclosure is historical runtime disclosure for the Steev-named distribution. `personal-agent` is the canonical profile identity. Steev is the display name and current distribution alias. Refresh this disclosure from `docs/contracts/personal-agent-profile-surface-contract.json` before claiming runtime readiness.
# `steev` — Disclosure # `steev` — Disclosure
> Live as of `2026-05-25`. Disclosure schema v2 (manifest `disclosure.schema_version: 2` — adds `external_orchestrators` per DISCLOSURE-SCHEMA §4.6). Source: `steev/manifest.yaml → disclosure:` block. Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p steev` runtime. > Live as of `2026-05-25`. Disclosure schema v2 (manifest `disclosure.schema_version: 2` — adds `external_orchestrators` per DISCLOSURE-SCHEMA §4.6). Source: `steev/manifest.yaml → disclosure:` block. Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p steev` runtime.
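Review bot: the supersession note declares this disclosure historical, yet the unchanged heading line still says `Live as of 2026-05-25` and that pre-push hook check 6 enforces this file == the live `hermes -p steev` runtime; if the file is historical the hook will fail on every runtime drift, and if the hook still runs against it the file is not historical. State which holds, and if check 6 is retired or repointed to the contract JSON, say so in the same note.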
@@ -76,17 +78,20 @@ No direct HTTP/gRPC sovereign API calls. Indirect access flows through the (curr
No `cortex/L6-*` or `cortex/PG-*` libraries consumed at runtime. `lib/` scripts (`credbridge.sh`, `validate_access.sh`) are repo-local utility shims, not cortex tools. No `cortex/L6-*` or `cortex/PG-*` libraries consumed at runtime. `lib/` scripts (`credbridge.sh`, `validate_access.sh`) are repo-local utility shims, not cortex tools.
## §7 Credentials (3 declared) ## §7 Credentials (6 declared)
Per `disclosure.credentials` allowlist. Names + scopes only — NEVER values. Pre-push check 6.d enforces vault_name exact-match. Per `disclosure.credentials` allowlist. Names + scopes only — NEVER values. Pre-push check 6.d enforces vault_name exact-match. **Wave 8 (2026-05-24): aligned with vault.**
| Vault name | Status | Scope | Used by | Governance | | Vault name | Status | Scope | Used by | Governance |
|---|---|---|---|---| |---|---|---|---|---|
| `google-workspace` | required | read-write | `credbridge.sh` | JP-personal; Gmail+Calendar+Contacts for briefing + inbox triage | | `proton-bridge-imap-user` | required | read | `credbridge.sh` | JP-personal; local Proton Bridge IMAP/SMTP username (himalaya path) |
| `proton-bridge-imap` | required | read-write | `credbridge.sh` | JP-personal; local Proton Bridge IMAP/SMTP (himalaya path) | | `proton-bridge-imap-pass` | required | read | `credbridge.sh` | JP-personal; local Proton Bridge IMAP/SMTP password (himalaya path) |
| `perplexity-api` | optional | read | `credbridge.sh` | JP-personal; WebSearch fallback (MCP path preferred) | | `perplexity` | optional | read | `credbridge.sh` | JP-personal; WebSearch fallback (MCP path preferred) |
| `proton-account-email` | required | read | `credbridge.sh`, `mcp_proton_email` | JP-personal; Proton account email (consumed by proton-email MCP server) |
| `proton-account-password` | required | read | `credbridge.sh`, `mcp_proton_email` | JP-personal; Proton account password (consumed by proton-email MCP server) |
| `proton-mailbox-password` | required | read | `credbridge.sh`, `mcp_proton_email` | JP-personal; Proton mailbox E2E key for mail decryption |
> **PENDING JP REVIEW** — Per Wave-3 recommendations §5a, all three declared names are reported by audit as not exact-matching the vault (`credctl list` shows `proton-bridge-imap-pass`/`-user` split, `perplexity` without `-api`, and `google-workspace` plausibly absent or composite). Cred-rename rows are governance-class W3.4 and require JP decision (manifest-rename vs vault-rename vs bundle-indirection) — surfaced in §12. > **google-workspace removed Wave 8** — Hermes builtin `google-workspace` skill manages its own OAuth flow via Hermes hub, not credctl vault. credbridge.sh google-workspace case dropped accordingly.
## §8 Cron (1) ## §8 Cron (1)
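Review bot: rows `proton-account-email`, `proton-account-password` and `proton-mailbox-password` list `credbridge.sh` under `Used by`, but the credbridge.sh change in this same comparison narrows its tool list to `proton-bridge | perplexity`, and the commit message says the `proton-bridge` case reads the two `proton-bridge-imap-*` entries; nothing visible here shows credbridge.sh reading the three `proton-account-*` names. Either drop `credbridge.sh` from those rows or name the case that consumes them, since the check 6.d exact-match audit relies on `used_by` being accurate. Tightening the bridge entries from `read-write` to `read` is the right direction; since `proton-mailbox-password` is the E2E decryption key, the Governance column should say that the proton-email MCP server, not the agent process, is the holder.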
@@ -118,20 +123,25 @@ Per `disclosure.credentials` allowlist. Names + scopes only — NEVER values. Pr
- Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md` - Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`
- Brand master ref: omitted (scope: personal) — steev serves JP personally, not a brand/org - Brand master ref: omitted (scope: personal) — steev serves JP personally, not a brand/org
## §12 Open issues + next steps (PENDING JP REVIEW) ## §12 Open issues + next steps
Rows below are **PAUSED for JP** per W3.4 governance-class rule. Wave-4 applies auto-approved rows only (REMOVE bte MCP + DROP 17 builtins + scaffold disclosure block). JP must mark each PAUSE row approve/reject/edit before next apply wave. All 8 Wave-3 PAUSE rows resolved in **Wave 8 (2026-05-24)**. Audit trail retained below.
| # | Topic | Recommended action | Why PAUSED | | # | Topic | Resolution | Wave |
|---|---|---|---| |---|---|---|---|
| 1 | Personal-scope discriminator values (`chat_facing: true`, `delegates_to: [ceo-planb]`, `sovereign_only: false`) | Confirm values | New disclosure surface; JP confirms intent matches CLAUDE.md L7-L8 + CONTRACT delegation chain | | 1 | Personal-scope discriminator values (`chat_facing: true`, `delegates_to: [ceo-planb]`, `sovereign_only: false`) | **CONFIRMED** (Q4). Matches CLAUDE.md L7-L8 + CONTRACT delegation chain. | 8 |
| 2 | Cred `google-workspace` not in vault | (a) add composite OAuth JSON to vault, OR (b) split manifest into per-cred entries matching vault | Cred binding (W3.4) | | 2 | Cred `google-workspace` not in vault | **REMOVED** (Q5 + scope-expansion). Builtin manages own OAuth via Hermes hub; no credctl vault entry needed. credbridge.sh google-workspace case dropped. | 8 |
| 3 | Cred `proton-bridge-imap` vs vault `proton-bridge-imap-pass` + `proton-bridge-imap-user` | Rename manifest entry to TWO entries matching vault | Cred binding (W3.4) | | 3 | Cred `proton-bridge-imap` vs vault `proton-bridge-imap-pass` + `proton-bridge-imap-user` | **SPLIT** (Q6). Manifest split into 2 entries matching vault. credbridge.sh exports both `PROTON_BRIDGE_IMAP_USER` + `PROTON_BRIDGE_IMAP_PASSWORD`. | 8 |
| 4 | Cred `perplexity-api` vs vault `perplexity` | Rename manifest declaration `perplexity-api` `perplexity` (exact-match per schema §4.5) | Cred binding (W3.4) | | 4 | Cred `perplexity-api` vs vault `perplexity` | **RENAMED** (Q7). Manifest + credbridge.sh updated to `perplexity` (exact-match per schema §4.5). | 8 |
| 5 | 5 vault entries plausibly steev-scope but undeclared (`proton-account-email`, `proton-account-password`, `proton-mailbox-password`, `proton-bridge-imap-pass`, `proton-bridge-imap-user`) | ADD to `disclosure.credentials` after MCP install confirms which are consumed | Cred binding (W3.4); also depends on MCP install (row 6) | | 5 | 3 proton vault entries undeclared (`proton-account-email`, `proton-account-password`, `proton-mailbox-password`) | **ADDED** (Q8). Declared in `disclosure.credentials` w/ `used_by: [credbridge.sh, mcp_proton_email]`. The other 2 (`proton-bridge-imap-pass/-user`) covered by row 3. | 8 |
| 6 | 4 declared MCP servers absent from `hermes mcp list` (`mcp_proton_calendar`, `mcp_proton_email`, `mcp_proton_contacts`, `mcp_perplexity`) | Confirm install order — Wave-4 install.sh patch, or deferred | Install gap; cred-adjacent | | 6 | 4 declared MCP servers absent from `hermes mcp list` (`mcp_proton_calendar`, `mcp_proton_email`, `mcp_proton_contacts`, `mcp_perplexity`) | **MATERIALIZED 3/4** (Q9). install.sh F6 wires 3 proton MCPs into per-profile config from `optional_tools`. Also removed bte (hard-rule leak discovered Wave 8). mcp_perplexity DEFERRED (server not in global `hermes mcp list`). | 8 |
| 7 | macOS-only externals (`apple-notes`, `apple-reminders`, `imessage`) in `expected_external_skills` | Gate on OS in `install.sh`, or document as macOS-host-only | OS-platform decision | | 7 | macOS-only externals (`apple-notes`, `apple-reminders`, `imessage`) in `expected_external_skills` | **OS-GATED** (Q10). Annotated `os_constraint: darwin`. install.sh F7 emits INFO on non-Darwin hosts that these are unavailable. | 8 |
| 8 | Pre-push hook check 6 not yet wired (curator/lib/pre-push.sh patch belongs to Wave-5+) | Wire check 6 per DISCLOSURE-SCHEMA §6 | Cross-profile rollup (Wave-5) | | 8 | Pre-push hook check 6 not yet wired (curator/lib/pre-push.sh patch belongs to Wave-5+) | **WIRED** (Wave 7 D6). Subrepo pre-push hook installed via `install.sh F4`; main repo hook covers 6.a-6.f. | 7 |
### Wave 8 follow-ups (not PAUSE — separate work)
- **mcp_perplexity install** — server doesn't exist in global `hermes mcp list`. When provisioned, install.sh F6 will materialize automatically (no code change).
- **Per-tool enumeration in `disclosure.mcp_servers`** — currently `[]` w/ install.sh F6 driven from `optional_tools`. Wave 8.5: introspect each MCP server, populate `disclosure.mcp_servers[*].tools[]` per DISCLOSURE-SCHEMA §4.2.
## §13 Related ## §13 Related
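Review bot: the `Wave 8 follow-ups` bullet says `disclosure.mcp_servers` is currently `[]` with install.sh F6 driven from `optional_tools`, while the commit's verification shows `hermes -p steev mcp list → 3 entries` and the §1 header says check 6 enforces disclosure == live runtime; unless check 6 compares `optional_tools` rather than `mcp_servers`, an empty list will not match three live servers. Say which field the hook compares, or populate `mcp_servers` with the three names now and defer only the per-tool `tools[]` enumeration. Row 6 also records bte as a `hard-rule leak`; a one-line pointer to the rule it violated would keep that auditable later.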
+30
@@ -0,0 +1,30 @@
# Steev Index
Route: `steev`.
Path: `/home/svrnty/workspaces/cortex-os/steev`.
Category: child-local `personal-agent` profile workspace for the Steev display/distribution alias.
Validator: `python3 tools/validate_steev_child.py`.
## Read Order
1. `AGENTS.md` for profile authority, forbidden effects, and validator rules.
2. `README.md` for profile boundary and current contract map.
3. `AGENT.md`, `CONTRACT.md`, and `DISCLOSURE.md` for visible profile identity and distribution constraints.
4. `docs/contracts/` and `docs/evidence/` only for the specific profile surface or proof being changed.
5. `WORKBOARD.yaml` for child-local work state.
## Local Authority
Steev owns child-local profile identity, role and boundary docs, personal-surface contracts, redacted proof packets, proposal-only memory routing records, desktop exposure contracts, runtime-readiness snapshots, validators, and handoff references.
Steev is not Core authority, Runtime authority, Profile Exposure authority, credential authority, provider authority, send authority, memory-domain authority, browser-host authority, public product authority, release authority, production-readiness authority, or autonomous execution authority.
## Legacy Relation
Old Steev/personal-agent, BlueBubbles, Proton/rclone, Secondbrain, Conductor/Curator handoff, desktop exposure, and runtime-readiness work is reference-only unless a governed route admits it. Preserve redacted refs and current contracts. Do not import raw messages, mail bodies, contacts, calendar details, drive names, credentials, browser state, provider payloads, or implementation mass because they exist.
## Completion State
Stage: CLEAN.
Clean score: 100.
Current next pass: keep Steev as a child-local profile workspace with proposal-only memory routing, no autonomous sends, no credential reads, no durable memory writes, no Profile Exposure broadening, and no readiness claim from local validation alone.
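Review bot: `Path:` hardcodes `/home/svrnty/workspaces/cortex-os/steev`, one user's home directory, in a file that is committed for clone-ability; prefer a repo-relative statement (route `steev` under the cortex-os workspace) or mark the line as an example. The `## Local Authority` section repeats the authority and not-authority lists from AGENTS.md verbatim; reference AGENTS.md instead so the two lists cannot diverge.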
+32 -2
@@ -1,9 +1,39 @@
# Steev — Hermes profile distribution # Steev — Personal-Agent Profile Distribution
`personal-agent` is the canonical profile identity. Steev is the user-facing display name and current distribution alias.
JP's personal assistant / chief of staff. Daily briefing, inbox triage, comms in JP's voice, business delegation to CEO. French/English bilingual. JP's personal assistant / chief of staff. Daily briefing, inbox triage, comms in JP's voice, business delegation to CEO. French/English bilingual.
## Cortex OS Boundary
Steev is a child-local personal-agent profile workspace. It owns profile
identity, role and boundary docs, personal-surface contracts, redacted proof
packets, proposal-only memory routing records, desktop exposure contracts,
runtime-readiness snapshots, validators, and handoff references, but it does not
own Core truth, Runtime authority, Profile Exposure authority, credential
authority, provider authority, send authority, memory-domain authority,
browser-host authority, public product authority, release authority, production
readiness, or autonomous execution authority.
Do not install or start Steev, mutate `~/.hermes`, run browser-host automation,
read credentials, read raw messages, read mail bodies, read contacts, read
calendar details, read drive names, send messages, write durable memory,
broaden Profile Exposure, call providers, or claim readiness from this cleanup
route without explicit governed approval.
- **Identity:** [`AGENT.md`](AGENT.md) — role, mission, boundaries. - **Identity:** [`AGENT.md`](AGENT.md) — role, mission, boundaries.
- **Full reference (source of truth):** [`docs/STEEV-MASTER.md`](docs/STEEV-MASTER.md). - **Profile surface contract:** [`docs/contracts/personal-agent-profile-surface-contract.json`](docs/contracts/personal-agent-profile-surface-contract.json) — canonical surfaces, effects, memory route, and proof policy.
- **BlueBubbles binding:** [`docs/contracts/personal-agent-bluebubbles-binding.json`](docs/contracts/personal-agent-bluebubbles-binding.json) — `imessage.read` binds to the existing BlueBubbles package without a duplicate connector.
- **Proton/rclone package:** [`docs/contracts/personal-agent-proton-rclone-package.json`](docs/contracts/personal-agent-proton-rclone-package.json) — Mail, Calendar, Contacts, and Drive surfaces linked to Core S606 child-local `proton-rclone`; provider smokes and runtime readiness remain blocked.
- **Proton/rclone runtime reconciliation:** [`docs/evidence/2026-06-14-personal-agent-proton-rclone-runtime-reconciliation.md`](docs/evidence/2026-06-14-personal-agent-proton-rclone-runtime-reconciliation.md) — live redacted probe aligning systemd, Docker, MCP, and rclone posture.
- **Secondbrain proposal/apply route:** [`docs/contracts/personal-agent-secondbrain-proposal-route.json`](docs/contracts/personal-agent-secondbrain-proposal-route.json) — proposal-only personal memory intake plus governed apply-route reference; live durable apply remains approval-gated in Secondbrain.
- **Conductor/Curator service handoff:** [`docs/contracts/personal-agent-conductor-curator-service-handoff.json`](docs/contracts/personal-agent-conductor-curator-service-handoff.json) — redacted service map for future route selection and hygiene review pickup.
- **Runtime readiness snapshot:** [`docs/contracts/personal-agent-runtime-readiness-snapshot.json`](docs/contracts/personal-agent-runtime-readiness-snapshot.json) — redacted per-surface runtime state and gaps; Seed-local acceptance is proven, while broader readiness remains degraded.
- **Desktop exposure contract:** [`docs/contracts/personal-agent-desktop-exposure-contract.json`](docs/contracts/personal-agent-desktop-exposure-contract.json) — adapter-facing state rows for Desktop/Dashboard display; no UI wiring from this route.
- **Current Core/Seed pickup:** [`docs/evidence/2026-06-15-personal-agent-core-seed-readiness-reconciliation.md`](docs/evidence/2026-06-15-personal-agent-core-seed-readiness-reconciliation.md) — source-locks current Core S641/S642/S643, Seed final acceptance, and remaining broader gaps.
- **Current governed boundary:** [`docs/evidence/2026-06-15-personal-agent-current-governed-boundary.md`](docs/evidence/2026-06-15-personal-agent-current-governed-boundary.md) — pins Core S654 branch-authority approval status, stale S653 approval risk, and Proton Suite health-panel as future Keyvault successor context only.
- **Legacy ingest:** [`docs/LEGACY-INGEST.md`](docs/LEGACY-INGEST.md) — compact intention map for old Steev/personal-agent work.
- **Historical Steev reference redirect:** [`docs/STEEV-MASTER.md`](docs/STEEV-MASTER.md).
## Structure ## Structure
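Review bot: the second new paragraph ends with `from this cleanup route without explicit governed approval`, which reads as a note from one working session rather than README text; drop `from this cleanup route` (or name the route) so the prohibition reads as a standing boundary. The same do-not list now lives in AGENTS.md; keep it in one place and link to it from here.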
+96
@@ -0,0 +1,96 @@
items:
- id: STEEV-WORK-001
title: Centralized Legacy Workspace Review
status: validated
source: README.md
owner: ""
- id: STEEV-WORK-002
title: Personal-Agent Context Runtime PRD And Sandcastle
status: complete
source: docs/prd/2026-06-14-personal-agent-context-runtime-prd.md
owner: ""
- id: PACR-001
title: Personal-Agent Profile Authority And Surface Contract
status: complete
source: docs/contracts/personal-agent-profile-surface-contract.json
owner: ""
- id: PACR-002
title: Supersession And Graph Hygiene Register Validator Gate
status: complete
source: docs/supersession/2026-06-14-personal-agent-context-runtime-supersession-register.md
owner: ""
- id: PACR-003
title: BlueBubbles Capability Binding Into Personal-Agent
status: complete
source: docs/contracts/personal-agent-bluebubbles-binding.json
owner: ""
- id: PACR-004
title: Proton And Rclone Capability Standardization
status: complete
source: docs/contracts/personal-agent-proton-rclone-package.json
owner: ""
- id: PACR-005
title: Personal Secondbrain Proposal And Apply Route
status: complete
source: docs/contracts/personal-agent-secondbrain-proposal-route.json
owner: ""
- id: PACR-006
title: Conductor And Curator Service Handoff
status: complete
source: docs/contracts/personal-agent-conductor-curator-service-handoff.json
owner: ""
- id: PACR-007
title: Runtime Readiness And Always-On Proof
status: complete
source: docs/contracts/personal-agent-runtime-readiness-snapshot.json
owner: ""
- id: PACR-008
title: Desktop Adapter Exposure Contract
status: complete
source: docs/contracts/personal-agent-desktop-exposure-contract.json
owner: ""
- id: PACR-009
title: Proton And Rclone Runtime Reconciliation
status: complete
source: docs/evidence/2026-06-14-personal-agent-proton-rclone-runtime-reconciliation.md
owner: ""
- id: PACR-010
title: Secondbrain Governed Apply Route Reconciliation
status: complete
source: docs/contracts/personal-agent-secondbrain-proposal-route.json
owner: ""
- id: PACR-011
title: Proton/rclone Child Candidate Reconciliation
status: complete
source: docs/contracts/personal-agent-proton-rclone-package.json
owner: ""
- id: PACR-012
title: Proton/rclone Runtime Gate Repair Pickup
status: complete
source: docs/contracts/personal-agent-proton-rclone-package.json
owner: ""
- id: PACR-013
title: Proton/rclone Bridge Unit Convergence Pickup
status: complete
source: docs/contracts/personal-agent-proton-rclone-package.json
owner: ""
- id: PACR-014
title: Current Core Seed Readiness Reconciliation
status: complete
source: docs/evidence/2026-06-15-personal-agent-core-seed-readiness-reconciliation.md
owner: ""
- id: PACR-015
title: Current Governed Boundary Reconciliation
status: complete
source: docs/evidence/2026-06-15-personal-agent-current-governed-boundary.md
owner: ""
- id: STEEV-WORK-003
title: Steev Agent Contract Enforcement
status: validated
source: AGENTS.md
owner: ""
- id: STEEV-WORK-004
title: Steev Navigation Index
status: validated
source: INDEX.md
owner: ""
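Review bot: every item carries `owner: ""`, including the three with `status: validated` (STEEV-WORK-001, -003, -004); the commit history describes a closed-owner rule that clears owners on completed items, so state whether `validated` counts as closed, otherwise the validator accepts unowned open work. PACR-011, PACR-012 and PACR-013 all cite `docs/contracts/personal-agent-proton-rclone-package.json` as `source`; if they are distinct pickups, point each at the evidence that distinguishes it.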
+20 -33
@@ -4,7 +4,7 @@
# written to disk. # written to disk.
# #
# Usage: credbridge.sh <tool> [args...] # Usage: credbridge.sh <tool> [args...]
# tools: google-workspace | proton-bridge | perplexity # tools: proton-bridge | perplexity
# #
# Per PROFILE-DISTRIBUTION-PROTOCOL §3 (shared core, "credbridge" row) and §6 # Per PROFILE-DISTRIBUTION-PROTOCOL §3 (shared core, "credbridge" row) and §6
# (Conventions → Secrets), every profile distribution exposes credentials via # (Conventions → Secrets), every profile distribution exposes credentials via
@@ -13,13 +13,16 @@
# This is the personal-assistant variant of the credbridge pattern. Steev's # This is the personal-assistant variant of the credbridge pattern. Steev's
# cred surface is narrow by design: # cred surface is narrow by design:
# #
# - google-workspace: Gmail + Calendar + Contacts (OAuth blob from credctl) # - proton-bridge: IMAP/SMTP user + password for the local Proton Bridge
# - proton-bridge: IMAP/SMTP password for the local Proton Bridge T6 # T6 sidecar — gives Steev access to JP's Proton mail
# sidecar — gives Steev access to JP's Proton mail via # via himalaya (cleartext on 127.0.0.1 only)
# himalaya (cleartext on 127.0.0.1 only)
# - perplexity: Perplexity API key for WebSearch toolset (lightweight # - perplexity: Perplexity API key for WebSearch toolset (lightweight
# — most Steev work uses the perplexity MCP instead) # — most Steev work uses the perplexity MCP instead)
# #
# Wave 8 (2026-05-24): google-workspace case REMOVED — Hermes builtin
# google-workspace skill manages its own OAuth flow via the Hermes hub, not
# the credctl vault. Vault contains no google-workspace-* entries.
#
# Plan B marketing platforms (WooCommerce, Mailchimp, Meta, GA4, etc.) are OUT # Plan B marketing platforms (WooCommerce, Mailchimp, Meta, GA4, etc.) are OUT
# OF SCOPE here — that's cmo-planb's credbridge. Steev MUST NEVER resolve a # OF SCOPE here — that's cmo-planb's credbridge. Steev MUST NEVER resolve a
# marketing platform credential. The CLAUDE.md "no access to Plan B marketing # marketing platform credential. The CLAUDE.md "no access to Plan B marketing
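Review bot: the rewritten proton-bridge bullet now says "IMAP/SMTP user + password", but the script below exports only `PROTON_BRIDGE_IMAP_USER` and `PROTON_BRIDGE_IMAP_PASSWORD`; nothing SMTP-named is set. If himalaya is expected to send through the bridge with the same credentials, say so explicitly in this comment (and keep the CLAUDE.md no-autonomous-send policy in view), otherwise drop "SMTP" so the documented credential surface matches what is actually exported. The "cleartext on 127.0.0.1 only" caveat is the important operational constraint here; it is worth stating which unit or config pins the bridge listener to loopback, since this script trusts that without checking it.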
@@ -27,8 +30,6 @@
# #
# Design notes (same as cmo/credbridge.sh — shared core): # Design notes (same as cmo/credbridge.sh — shared core):
# - credctl values read into local vars, exported straight to the child env # - credctl values read into local vars, exported straight to the child env
# - JSON-valued creds (google-workspace OAuth) parsed via `node -e` reading
# from stdin so the value never lands on argv / process list
# - No `echo $secret`. set +x stays off. # - No `echo $secret`. set +x stays off.
set -euo pipefail set -euo pipefail
@@ -39,7 +40,7 @@ STEEV_LIB="${STEEV_LIB:-/home/svrnty/.hermes/steev}"
die() { printf '{"error":"%s"}\n' "$1" >&2; exit 1; } die() { printf '{"error":"%s"}\n' "$1" >&2; exit 1; }
[ $# -ge 1 ] || die "usage: credbridge.sh <google-workspace|proton-bridge|perplexity> [args...]" [ $# -ge 1 ] || die "usage: credbridge.sh <proton-bridge|perplexity> [args...]"
TOOL="$1"; shift TOOL="$1"; shift
[ -x "$CREDCTL" ] || die "credctl not found/executable at $CREDCTL" [ -x "$CREDCTL" ] || die "credctl not found/executable at $CREDCTL"
@@ -51,44 +52,30 @@ cred_raw() {
| sed -n '/^Value:/,$p' | sed '1s/^Value:[[:space:]]*//' | sed -n '/^Value:/,$p' | sed '1s/^Value:[[:space:]]*//'
} }
# json_field <json> <key> — extract a string field via node; value never on argv.
json_field() {
printf '%s' "$1" | node -e '
let s="";process.stdin.on("data",d=>s+=d);
process.stdin.on("end",()=>{try{const o=JSON.parse(s);
const v=o[process.argv[1]];process.stdout.write(v==null?"":String(v));
}catch(e){process.stdout.write("");}});' "$2"
}
case "$TOOL" in case "$TOOL" in
google-workspace)
# Gmail Data API + Calendar API + People API all expect a bearer token
# minted from this service-account / OAuth blob. The blob is JSON; we
# export the whole document so the child CLI can introspect scope.
GW_JSON="$(cred_raw google-workspace)"
[ -n "$GW_JSON" ] || die "credctl: google-workspace not set"
export GOOGLE_WORKSPACE_CREDENTIALS_JSON="$GW_JSON"
exec "$@"
;;
proton-bridge) proton-bridge)
# Steev reads JP's Proton inbox via the local Proton Bridge IMAP daemon # Steev reads JP's Proton inbox via the local Proton Bridge IMAP daemon
# (T6 sidecar — see PROFILE-DISTRIBUTION-PROTOCOL §4.T6). credctl stores # (T6 sidecar — see PROFILE-DISTRIBUTION-PROTOCOL §4.T6). credctl stores
# the bridge password (rotates when JP rotates the bridge). # user + password as separate vault entries (Wave 8 aligned to vault).
PB_PASS="$(cred_raw proton-bridge-imap)" PB_USER="$(cred_raw proton-bridge-imap-user)"
[ -n "$PB_PASS" ] || die "credctl: proton-bridge-imap not set" [ -n "$PB_USER" ] || die "credctl: proton-bridge-imap-user not set"
PB_PASS="$(cred_raw proton-bridge-imap-pass)"
[ -n "$PB_PASS" ] || die "credctl: proton-bridge-imap-pass not set"
export PROTON_BRIDGE_IMAP_USER="$PB_USER"
export PROTON_BRIDGE_IMAP_PASSWORD="$PB_PASS" export PROTON_BRIDGE_IMAP_PASSWORD="$PB_PASS"
exec "$@" exec "$@"
;; ;;
perplexity) perplexity)
# Lightweight WebSearch path. Most Steev research goes through the # Lightweight WebSearch path. Most Steev research goes through the
# perplexity MCP server (which holds its own key); this credbridge entry # perplexity MCP server (which holds its own key); this credbridge entry
# exists for scripts that need a raw key (rare). # exists for scripts that need a raw key (rare). Wave 8 renamed
PPL_KEY="$(cred_raw perplexity-api)" # vault entry `perplexity-api` → `perplexity`.
[ -n "$PPL_KEY" ] || die "credctl: perplexity-api not set" PPL_KEY="$(cred_raw perplexity)"
[ -n "$PPL_KEY" ] || die "credctl: perplexity not set"
export PERPLEXITY_API_KEY="$PPL_KEY" export PERPLEXITY_API_KEY="$PPL_KEY"
exec "$@" exec "$@"
;; ;;
*) *)
die "unknown tool: $TOOL (allowed: google-workspace|proton-bridge|perplexity)" die "unknown tool: $TOOL (allowed: proton-bridge|perplexity)"
;; ;;
esac esac
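Review bot: with `set -euo pipefail` in force, a non-zero exit from the credctl pipeline inside `PB_USER="$(cred_raw proton-bridge-imap-user)"` (and likewise the `PB_PASS` and `PPL_KEY` assignments) terminates the script before the `[ -n "$PB_USER" ] || die ...` guard runs, so the caller receives credctl's raw exit status and stderr instead of the `{"error":"..."}` JSON that `die` promises; only the success-with-empty-output case reaches `die`. Capture the status on the assignment, e.g. `PB_USER="$(cred_raw proton-bridge-imap-user)" || die "credctl: proton-bridge-imap-user lookup failed"`, so both failure modes produce the documented JSON error. The vault key renames (`proton-bridge-imap` to `proton-bridge-imap-user`/`-pass`, `perplexity-api` to `perplexity`) are recorded only in comments; a stale vault fails closed through `die`, which is the right direction, but a header line pointing at the Wave 8 migration would save the next operator a search when the new `die` messages appear.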
+84
@@ -0,0 +1,84 @@
# Steev Legacy Ingest
Schema: `cortex.steev.legacy-ingest.v1`
Last reviewed: `2026-06-18`
This file is Steev child-local operator state. It is not Cortex OS Core SOT,
not Runtime authority, not Profile Exposure approval, not send approval, not
credential access, not Memory Domain approval, and not product readiness.
Steev legacy work is assessed by intention first. Old work is kept, ported,
archived outside the umbrella, deferred, or rejected only after the useful
intention is identified and compared against current Steev main.
## Rules
- Do not import raw messages, mail bodies, contacts, calendar details, drive
names, endpoint payloads, cookies, credentials, or secret values.
- Do not install or start Steev, mutate `~/.hermes`, broaden Profile Exposure,
send messages, write personal surfaces, call providers, or write durable
Hindsight memory from this route.
- Keep legacy records compact: refs, intention, current coverage, decision,
closure gate, and forbidden effects.
## Local Ignored State Classification
These ignored local paths are not cleanup targets for blind archive moves:
- `steev.db`: local personal-agent runtime database created from `schema.sql`.
It is not committed and may contain briefing, inbox, delegation, or runtime
state.
Decision: leave this path local and ignored. Do not inspect payload contents
from umbrella cleanup. Future movement needs a Steev-owned route that names the
exact path, proves no validator or install depends on it, avoids personal
payload reads, and records a custody manifest without installing or starting
Steev, mutating `~/.hermes`, broadening Profile Exposure, sending messages,
writing personal surfaces, calling providers, promoting Core or Seed, writing
Hindsight memory, or claiming readiness.
## Current Gates
### Steev Identity And Master Reference
- Source refs: `AGENT.md`, `docs/STEEV-MASTER.md`, `CONTRACT.md`,
`DISCLOSURE.md`, and `manifest.yaml`.
- Intention: preserve JP's personal-agent identity, role, mission, boundaries,
bilingual posture, delegation rules, and no-autonomous-send policy.
- Current coverage: met by current profile docs, manifest, disclosure, and
validator.
- Decision: keep as canonical child-local profile reference.
- Closure gate: any identity change needs Steev route validation and must not
alter Core truth, Profile Exposure, Runtime, send authority, or memory access.
### Personal-Agent Context Runtime Package
- Source refs: `docs/prd/2026-06-14-personal-agent-context-runtime-prd.md`,
`docs/issues/2026-06-14-personal-agent-context-runtime-work-orders.md`,
`docs/sandcastles/2026-06-14-personal-agent-context-runtime-sandcastle.md`,
`docs/supersession/2026-06-14-personal-agent-context-runtime-supersession-register.md`,
and `docs/contracts/*.json`.
- Intention: standardize personal-agent surfaces for BlueBubbles, Proton/rclone,
Secondbrain proposal/apply routing, Conductor/Curator handoff, runtime
readiness snapshots, and Desktop exposure without creating duplicate live
connectors.
- Current coverage: met as contracts, redacted refs, supersession register, and
validator-backed route-local evidence.
- Decision: keep as accepted Steev package material; do not import raw personal
data or old sandcastle mass.
- Closure gate: live Runtime, browser host, provider, send, write, Profile
Exposure, or durable memory behavior requires explicit governed approval.
### Core/Seed Readiness Boundary
- Source refs:
`docs/evidence/2026-06-15-personal-agent-core-seed-readiness-reconciliation.md`
and `docs/evidence/2026-06-15-personal-agent-current-governed-boundary.md`.
- Intention: pin what Core/Seed/Proton evidence can inform Steev without letting
Steev claim branch authority, product readiness, or runtime readiness.
- Current coverage: met as redacted reconciliation evidence and governed
boundary notes.
- Decision: keep as reference-only; do not mutate Core, Seed, Proton, Keyvault,
OpenDesign, or sibling repos from Steev.
- Closure gate: future productization or broader readiness must enter Core/Seed
through exact source-lock refs, focused validators, and explicit approval.
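Review bot: the metadata header is written as body lines (`Schema:` and `Last reviewed:`) while the supersession redirect added in this same change carries YAML front matter (`name`, `status`, `owner`, `source`, `last_reviewed`); if the Steev validator or navigation index keys on front matter, this file will not be picked up the same way, so move `schema` and `last_reviewed` into front matter for consistency. Separately, the `steev.db` entry states the file is "not committed and may contain briefing, inbox, delegation, or runtime state" but does not name the ignore rule that keeps it out of the repo; recording the rule next to the path makes the "local and ignored" claim checkable without inspecting the payload, which the section itself forbids.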
+26
@@ -0,0 +1,26 @@
---
name: steev-master-supersession-redirect
status: superseded
owner: jp
source: personal-agent-context-runtime
last_reviewed: 2026-06-14
description: Redirect from the historical Steev master reference to the active personal-agent profile surface contract.
---
# Steev Master Supersession
`personal-agent` is the canonical profile identity. Steev is the user-facing display name and current distribution alias.
Active authority:
- `docs/contracts/personal-agent-profile-surface-contract.json`
- `docs/contracts/personal-agent-bluebubbles-binding.json`
- `docs/contracts/personal-agent-proton-rclone-package.json`
- `docs/contracts/personal-agent-secondbrain-proposal-route.json`
- `docs/contracts/personal-agent-conductor-curator-service-handoff.json`
- `docs/contracts/personal-agent-runtime-readiness-snapshot.json`
- `docs/contracts/personal-agent-desktop-exposure-contract.json`
- `docs/prd/2026-06-14-personal-agent-context-runtime-prd.md`
- `docs/supersession/2026-06-14-personal-agent-context-runtime-supersession-register.md`
This file exists so older references do not become graph ambiguity.
@@ -0,0 +1,91 @@
{
"schema_version": "personal-agent-bluebubbles-binding/v1",
"status": "active-profile-binding",
"profile_identity": "personal-agent",
"display_name": "Steev",
"surface": "imessage.read",
"capability_package": {
"id": "bluebubbles",
"workspace": "../bluebubbles",
"package_surface": "bluebubbles.imessage.readonly",
"authority": "active-capability-package",
"live_connector": "hermes-agent",
"profile_local_connector_allowed": false,
"duplicate_connector_allowed": false
},
"binding_policy": {
"profile_consumes_package": true,
"package_owns_runtime_wrapper": true,
"package_owns_readonly_adapter": true,
"package_owns_redacted_health": true,
"package_owns_seed_candidate": true,
"profile_owns_surface_exposure": true,
"profile_runtime_readiness_claimed": false,
"reason": "BlueBubbles is already the governed iMessage package. personal-agent binds to it as imessage.read without implementing another connector."
},
"memory_policy": {
"target": "secondbrain-personal",
"forbidden": [
"orgbrain"
],
"durable_write_policy": "proposal-only; governed Secondbrain apply route is defined but live apply remains approval-gated"
},
"allowed_effects": [
"read_message_stream",
"read_conversation_history",
"read_attachment_metadata",
"emit_redacted_health",
"emit_secondbrain_personal_proposal"
],
"denied_effects": [
"send_message",
"send_tapback",
"typing_indicator",
"delete_message",
"mark_read",
"read_receipt",
"contact_mutation",
"chat_mutation",
"attachment_content_download",
"credential_mutation",
"secondbrain_durable_write",
"orgbrain_write",
"browser_full_control"
],
"proof_policy": {
"mode": "redacted-only",
"forbidden_fields": [
"raw_messages",
"message_text",
"sender_address",
"contact_details",
"attachment_content",
"endpoint_payloads",
"credentials",
"secret_values"
]
},
"bluebubbles_package_evidence": {
"validator_command": "python3 tools/validate_bluebubbles_child.py",
"validator_result_observed": "ok",
"validator_observed_date": "2026-06-14",
"runtime_claims_from_validator": false,
"referenced_artifacts": [
"contracts/personal-agent-imessage-readonly-contract.json",
"contracts/runtime-compliance-boundary.json",
"contracts/secondbrain-proposal-envelope-contract.json",
"../secondbrain/docs/integration/2026-06-14-secondbrain-personal-agent-imessage-apply-contract.md",
".sot/08-OUTPUTS/bluebubbles-live-service-package-proof.json",
".sot/08-OUTPUTS/bluebubbles-always-on-resilience-proof.json",
"runtime/steev/hermes-personal-agent-bluebubbles.service",
"runtime/steev/hermes-personal-agent-bluebubbles-watchdog.timer"
]
},
"remaining_gates": {
"seed_package_pickup": "blocked-follow-up",
"secondbrain_governed_apply_route": "defined-no-live-apply",
"secondbrain_durable_apply": "blocked-follow-up",
"desktop_adapter_exposure": "blocked-follow-up",
"browser_webwright_host_runtime": "separate-hitl-approval"
}
}
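Review bot: `bluebubbles_package_evidence` records `validator_result_observed: "ok"` and `validator_observed_date` but no commit of `../bluebubbles` at which the validator ran, whereas the proton-rclone package contract in this change pins `child_workspace_candidate.commit`; without the pin the "ok" is not reproducible and the listed `.sot/08-OUTPUTS/*.json` proofs cannot be tied to a workspace state. Add a workspace commit field beside the observed date. Also, `proof_policy.forbidden_fields` forbids `sender_address` but not `recipient_address`, which the desktop exposure contract in this change does forbid; for a read-only iMessage surface the recipient side of a conversation is equally identifying and should be excluded from proof here too.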
@@ -0,0 +1,209 @@
{
"schema_version": "personal-agent-conductor-curator-service-handoff/v1",
"status": "active-profile-service-handoff",
"handoff_id": "personal-agent-conductor-curator-service-handoff",
"profile_identity": "personal-agent",
"display_name": "Steev",
"observed_date": "2026-06-14",
"core_promotion_claimed": false,
"seed_readiness_claimed": false,
"runtime_readiness_claimed": false,
"desktop_integration_claimed": false,
"authority_boundary": {
"profile_owns_capability_surface_contract": true,
"conductor_owns_future_route_selection_and_worker_contracts": true,
"curator_owns_future_hygiene_review_queue": true,
"secondbrain_owns_personal_memory_domain_apply": true,
"capability_packages_own_runtime_health": true,
"notes": "This handoff gives Conductor and Curator a redacted service map. It does not mutate those workspaces or claim they have adopted it."
},
"memory_policy": {
"target": "secondbrain-personal",
"target_domain_term": "Personal Memory Domain",
"forbidden": [
"orgbrain"
],
"durable_write_policy": "proposal-only-until-governed-secondbrain-curator-apply-route"
},
"service_identities": [
{
"service_id": "personal-agent.imessage.bluebubbles.readonly",
"capability_package": "bluebubbles",
"owner_route": "bluebubbles",
"surface": "imessage.read",
"health_shape": "redacted-readonly-runtime-health",
"readiness_state": "package-ready-profile-bound",
"allowed_effects": [
"read_message_stream",
"read_conversation_history",
"emit_redacted_health",
"emit_secondbrain_personal_proposal"
],
"denied_effects": [
"send_message",
"delete_message",
"mark_read",
"read_receipt",
"attachment_download",
"orgbrain_write",
"durable_memory_write"
]
},
{
"service_id": "personal-agent.proton-rclone.package-candidate",
"capability_package": "proton-rclone",
"owner_route": "proton-rclone",
"surface": "mail.calendar.contacts.drive",
"health_shape": "child-local-redacted-runtime-health",
"readiness_state": "degraded-child-candidate-core-registration-pending",
"allowed_effects": [
"emit_mail_health",
"emit_calendar_health",
"emit_contacts_health",
"emit_drive_health",
"emit_secondbrain_personal_proposal"
],
"denied_effects": [
"send_without_confirmation",
"calendar_write_without_confirmation",
"contact_mutation_without_confirmation",
"drive_write_without_confirmation",
"drive_delete",
"orgbrain_write",
"durable_memory_write"
]
},
{
"service_id": "personal-agent.secondbrain.proposal-route",
"capability_package": "personal-agent-profile",
"owner_route": "steev",
"surface": "secondbrain.memory.proposal",
"health_shape": "redacted-proposal-envelope-contract",
"readiness_state": "profile-contract-ready-governed-apply-defined",
"allowed_effects": [
"emit_redacted_proposal",
"emit_source_handle",
"emit_content_digest",
"reference_governed_apply_route"
],
"denied_effects": [
"secondbrain_apply",
"direct_memory_write",
"orgbrain_write",
"raw_payload_in_proof"
]
}
],
"conductor_handoff": {
"target_workspace": "../conductor",
"target_role": "future-route-selection-and-worker-contract-owner",
"adoption_status": "pending-conductor-lane-pickup",
"validator_command": "python3 tools/validate_conductor_child.py",
"validator_result_observed": "ok",
"required_route_decision_inputs": [
"profile_identity",
"requested_surface",
"capability_package",
"owner_route",
"allowed_effects",
"denied_effects",
"validator_command",
"evidence_expectation",
"approval_required"
],
"forbidden_conductor_effects": [
"runtime_start",
"runtime_stop",
"desktop_integration",
"core_mutation",
"seed_completion_claim",
"secret_read",
"raw_payload_import",
"sibling_mutation_without_worker_route"
],
"worker_contract_expectations": [
"one route per worker",
"one bounded goal",
"workspace-local validator",
"redacted evidence",
"no raw personal payloads",
"no unapproved runtime lifecycle"
]
},
"curator_handoff": {
"target_workspace": "../curator",
"target_role": "future-personal-memory-hygiene-review-queue",
"adoption_status": "pending-curator-lane-pickup",
"validator_command": "python3 tools/validate_curator_child.py",
"validator_result_observed": "ok",
"allowed_future_reviews": [
"novelty_candidate",
"stale_candidate",
"duplicate_candidate",
"supersession_candidate",
"archive_candidate",
"provenance_gap",
"contradiction_candidate"
],
"forbidden_curator_effects": [
"direct_memory_write",
"raw_payload_import",
"orgbrain_write",
"profile_exposure_broadening",
"runtime_activation",
"secret_read",
"core_mutation",
"seed_mutation"
]
},
"apply_expectations": {
"target": "secondbrain-personal",
"apply_owner": "secondbrain",
"hygiene_owner": "curator",
"apply_route_defined": true,
"apply_route_contract": "../secondbrain/docs/integration/2026-06-14-secondbrain-personal-agent-imessage-apply-contract.md",
"apply_allowed_now": false,
"live_apply_executed": false,
"durable_apply_without_approval": false,
"requires_proposal_envelope": true,
"requires_approval": true,
"requires_secondbrain_validator": "python3 tools/validate_secondbrain_child.py",
"requires_redacted_evidence": true,
"forbidden_targets": [
"orgbrain"
]
},
"source_contracts": [
"docs/contracts/personal-agent-profile-surface-contract.json",
"docs/contracts/personal-agent-bluebubbles-binding.json",
"docs/contracts/personal-agent-proton-rclone-package.json",
"docs/contracts/personal-agent-secondbrain-proposal-route.json",
"../secondbrain/docs/integration/2026-06-14-secondbrain-personal-agent-imessage-apply-contract.md"
],
"proof_policy": {
"mode": "redacted-only",
"forbidden_fields": [
"raw_messages",
"message_text",
"mail_bodies",
"mail_subjects",
"contact_details",
"calendar_event_details",
"drive_file_names",
"drive_file_contents",
"endpoint_payloads",
"credentials",
"secret_values",
"raw_transcripts"
]
},
"remaining_gates": {
"conductor_lane_pickup": "blocked-follow-up",
"curator_personal_memory_hygiene_lane_pickup": "blocked-follow-up",
"secondbrain_governed_apply_route": "defined-no-live-apply",
"secondbrain_durable_apply": "blocked-follow-up",
"runtime_health_proof": "complete-child-local",
"desktop_adapter_exposure": "blocked-follow-up",
"seed_package_pickup": "blocked-follow-up"
}
}
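Review bot: the effect vocabulary for `personal-agent.imessage.bluebubbles.readonly` does not match the binding contract for the same `surface: imessage.read`. This file denies `attachment_download` and `durable_memory_write`; the binding denies `attachment_content_download` and `secondbrain_durable_write`, and its `send_tapback`, `typing_indicator`, `contact_mutation`, `chat_mutation`, `credential_mutation` and `browser_full_control` entries are absent here. On the allowed side this file omits `read_attachment_metadata`, which the binding allows. Any validator that compares the two lists will report drift, and a consumer that reads only this handoff gets a shorter deny list than the binding enforces. Keep one canonical effect vocabulary (the binding's, since it is the stricter list) and reference it from the handoff rather than re-typing it.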
@@ -0,0 +1,189 @@
{
"schema_version": "personal-agent-desktop-exposure-contract/v1",
"status": "active-profile-desktop-exposure-contract",
"contract_id": "personal-agent-desktop-exposure-contract",
"profile_identity": "personal-agent",
"display_name": "Steev",
"observed_date": "2026-06-15",
"desktop_integration_claimed": false,
"runtime_readiness_claimed": false,
"seed_readiness_claimed": false,
"seed_local_acceptance_claimed": true,
"core_promotion_claimed": false,
"adapter_workspace": "../cortex-hermes-adapter",
"adapter_validator_command": "python3 tools/validate_cortex_hermes_adapter_child.py",
"adapter_validator_result_observed": "ok",
"adapter_reference_contracts": [
"../cortex-hermes-adapter/contracts/desktop-dashboard-host-surface.md",
"../cortex-hermes-adapter/contracts/personal-agent-s518-runtime-host-surface-intake.json",
"../cortex-hermes-adapter/contracts/first-open-evidence.schema.json",
"../cortex-hermes-adapter/dashboard/package-view.sample.json"
],
"authority_boundary": {
"profile_owns_desktop_exposure_contract": true,
"adapter_owns_desktop_rendering": true,
"seed_owns_package_first_open_proof": true,
"core_owns_acceptance": true,
"profile_mutates_adapter": false,
"notes": "This contract is a profile-side handoff for desktop-visible readiness. It does not wire UI or mutate the adapter workspace."
},
"allowed_adapter_surfaces": [
"package.status",
"runtime.health",
"onboarding.state",
"profile.distribution",
"capability.catalog"
],
"state_vocabulary": [
"ready",
"degraded",
"pending",
"blocked",
"disabled"
],
"desktop_rows": [
{
"row_id": "personal-agent.profile",
"label": "personal-agent",
"display_name": "Steev",
"surface": "profile.distribution",
"state": "degraded",
"source_contract": "docs/contracts/personal-agent-runtime-readiness-snapshot.json",
"visible_reason": "Profile exists, capability contracts are present, and Seed-local acceptance is proven; broader runtime and product readiness remain degraded."
},
{
"row_id": "personal-agent.imessage.read",
"label": "iMessage read",
"surface": "runtime.health",
"state": "ready",
"source_contract": "docs/contracts/personal-agent-bluebubbles-binding.json",
"visible_reason": "BlueBubbles package validator is OK, read-only, secondbrain-personal, and orgbrain-forbidden."
},
{
"row_id": "personal-agent.mail.read",
"label": "Proton Mail read",
"surface": "runtime.health",
"state": "degraded",
"source_contract": "docs/contracts/personal-agent-runtime-readiness-snapshot.json",
"visible_reason": "Proton MCP is enabled and email gate is repaired child-local; provider-smoke and canonical runtime gates remain blocked."
},
{
"row_id": "personal-agent.calendar.read",
"label": "Proton Calendar read",
"surface": "runtime.health",
"state": "degraded",
"source_contract": "docs/contracts/personal-agent-runtime-readiness-snapshot.json",
"visible_reason": "Calendar gate is running and Proton/rclone is Core-registered child-local; provider-smoke and canonical runtime gates remain blocked."
},
{
"row_id": "personal-agent.contacts.read",
"label": "Proton Contacts read",
"surface": "runtime.health",
"state": "degraded",
"source_contract": "docs/contracts/personal-agent-runtime-readiness-snapshot.json",
"visible_reason": "Proton MCP is enabled and contacts gate is repaired child-local; provider-smoke and canonical runtime gates remain blocked."
},
{
"row_id": "personal-agent.drive.read",
"label": "Proton Drive read",
"surface": "runtime.health",
"state": "degraded",
"source_contract": "docs/contracts/personal-agent-runtime-readiness-snapshot.json",
"visible_reason": "rclone about probe is redacted-ok and Core S606 registered the child; governed wrapper and provider-smoke gates remain blocked."
},
{
"row_id": "personal-agent.seed-local-acceptance",
"label": "Seed local acceptance",
"surface": "package.status",
"state": "ready",
"source_contract": "../seed/outputs/research/2026-06-14-cortex-os-seed-personal-agent-final-full-tool-acceptance-gate.json",
"visible_reason": "Seed final full-tool acceptance is complete for governed local JP scope only."
},
{
"row_id": "personal-agent.proton-suite.provider-smoke",
"label": "Proton Suite provider gate",
"surface": "runtime.health",
"state": "blocked",
"source_contract": "../proton-rclone/.sot/08-OUTPUTS/proton-suite-provider-smoke-gate-proof.json",
"visible_reason": "Provider smokes remain blocked on Proton Pass Agncy access, Keyvault parity, migration, rollback, and Conductor disclosure review."
},
{
"row_id": "personal-agent.secondbrain.proposal",
"label": "Personal memory proposals",
"surface": "capability.catalog",
"state": "pending",
"source_contract": "docs/contracts/personal-agent-secondbrain-proposal-route.json",
"visible_reason": "Proposal envelope route and governed apply route exist; live durable Secondbrain apply remains approval-gated."
},
{
"row_id": "personal-agent.browser.host-runtime",
"label": "Browser host runtime",
"surface": "capability.catalog",
"state": "blocked",
"source_contract": "docs/prd/2026-06-14-personal-agent-context-runtime-prd.md",
"visible_reason": "Full desktop/browser control requires separate PACR-009 approval packet."
},
{
"row_id": "personal-agent.write-actions",
"label": "Writes and sends",
"surface": "capability.catalog",
"state": "disabled",
"source_contract": "docs/contracts/personal-agent-profile-surface-contract.json",
"visible_reason": "Silent sends, deletes, mark-read/read receipts, contact/calendar/file mutation, and durable writes are denied unless a confirmation surface is explicitly approved."
}
],
"desktop_false_effects": {
"adapter_mutated_by_profile": false,
"desktop_or_dashboard_opened": false,
"runtime_started": false,
"runtime_stopped": false,
"docker_started": false,
"profile_exposure_changed": false,
"memory_domain_access_granted": false,
"provider_call": false,
"secret_value_read": false,
"raw_payload_imported": false,
"seed_release_claim": false,
"runtime_readiness_claim": false,
"public_release_claim": false
},
"memory_policy": {
"target": "secondbrain-personal",
"forbidden": [
"orgbrain"
],
"desktop_displays_memory_content": false,
"desktop_displays_redacted_state_only": true
},
"proof_policy": {
"mode": "redacted-only",
"forbidden_fields": [
"raw_messages",
"message_text",
"mail_bodies",
"mail_subjects",
"sender_address",
"recipient_address",
"contact_details",
"calendar_event_details",
"drive_file_names",
"drive_file_contents",
"attachment_content",
"endpoint_payloads",
"credentials",
"secret_values"
]
},
"remaining_gates": {
"adapter_lane_pickup": "blocked-follow-up",
"desktop_ui_wiring": "blocked-follow-up",
"seed_local_acceptance": "complete-governed-local-jp-only",
"proton_suite_seed_package_pickup": "blocked-provider-smoke",
"secondbrain_governed_apply_route": "defined-no-live-apply",
"profile_exposure_route": "blocked-core-route-required",
"longer_standing_runtime_proof": "follow-up",
"runtime_readiness_finalization": "blocked-follow-up",
"browser_host_runtime_approval": "blocked-follow-up",
"final_acceptance_packet": "blocked-follow-up"
}
}
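Review bot: `desktop_rows` project contract statuses onto the five-word `state_vocabulary`, but the mapping is nowhere stated and is not obvious from the rows: `personal-agent.mail.read` shows `degraded` while the profile surface contract's `mail.read` surface carries `status: "blocked-follow-up"`, and `personal-agent.imessage.read` shows `ready` while the binding contract sets `profile_runtime_readiness_claimed: false`. A dashboard rendering `ready` beside a contract that disclaims runtime readiness is exactly the stronger-than-source claim the top-level `runtime_readiness_claimed: false` is meant to rule out; record the status-to-state rule in the contract (for example, package validator ok plus read-only yields `ready` for the row, never for the profile) so the adapter cannot render more than the source contract states. Minor: `seed_local_acceptance_claimed: true` next to `seed_readiness_claimed: false` reads as a contradiction until the seed row's `visible_reason` is reached; a short note on the field would help.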
@@ -0,0 +1,257 @@
{
"schema_version": "personal-agent-profile-surface-contract/v1",
"profile_identity": "personal-agent",
"display_name": "Steev",
"distribution_alias": "steev",
"owner": "jp",
"status": "active-authority",
"authority_note": "personal-agent is the profile identity. Steev is the user-facing display name and current distribution alias.",
"memory_policy": {
"allowed_target": "secondbrain-personal",
"forbidden_targets": [
"orgbrain"
],
"durable_write_policy": "proposal-only-until-governed-secondbrain-curator-apply-route",
"proof_policy": "redacted-only"
},
"credential_policy": {
"mode": "keyvault-reference-names-only",
"forbidden_in_core_or_proof": [
"credential_values",
"secret_values",
"session_cookies",
"keychain_values",
"password_manager_values"
]
},
"proof_redaction_policy": {
"forbidden_in_core_or_proof": [
"raw_messages",
"mail_bodies",
"contact_details",
"calendar_event_details",
"drive_file_names",
"endpoint_payloads",
"credentials",
"cookies",
"keychain_values",
"password_manager_values",
"secret_values"
]
},
"readiness_states": [
"ready",
"degraded",
"pending",
"blocked",
"disabled"
],
"surfaces": [
{
"name": "imessage.read",
"capability_package": "bluebubbles",
"package_surface": "bluebubbles.imessage.readonly",
"status": "active-capability-package",
"allowed_effects": [
"read_message_stream",
"read_conversation_history",
"emit_redacted_health",
"emit_secondbrain_personal_proposal"
],
"denied_effects": [
"send_message",
"delete_message",
"mark_read",
"read_receipt",
"contact_mutation",
"chat_mutation",
"attachment_download",
"orgbrain_write"
],
"confirmation": "not-applicable-read-only"
},
{
"name": "mail.read",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"read_mail_metadata",
"read_mail_body_when_user_requested",
"search_mail",
"emit_redacted_health",
"emit_secondbrain_personal_proposal"
],
"denied_effects": [
"send_mail",
"delete_mail",
"archive_mail",
"mark_read",
"mark_unread",
"orgbrain_write"
],
"confirmation": "not-applicable-read"
},
{
"name": "mail.draft",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"compose_draft_for_user_review"
],
"denied_effects": [
"send_mail",
"mutate_mailbox",
"orgbrain_write"
],
"confirmation": "user-review-before-send"
},
{
"name": "mail.send_with_confirmation",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"send_mail_after_explicit_confirmation"
],
"denied_effects": [
"send_without_confirmation",
"bulk_send",
"background_send",
"orgbrain_write"
],
"confirmation": "explicit-jp-confirmation-required"
},
{
"name": "calendar.read",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"read_calendar_metadata",
"read_event_detail_when_user_requested",
"search_calendar",
"emit_redacted_health",
"emit_secondbrain_personal_proposal"
],
"denied_effects": [
"create_event",
"update_event",
"delete_event",
"orgbrain_write"
],
"confirmation": "not-applicable-read"
},
{
"name": "calendar.propose_event",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"draft_calendar_change_for_user_review"
],
"denied_effects": [
"write_calendar",
"delete_event",
"orgbrain_write"
],
"confirmation": "user-review-before-write"
},
{
"name": "calendar.write_with_confirmation",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"create_event_after_explicit_confirmation",
"update_event_after_explicit_confirmation"
],
"denied_effects": [
"write_without_confirmation",
"delete_event",
"orgbrain_write"
],
"confirmation": "explicit-jp-confirmation-required"
},
{
"name": "contacts.read",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"read_contact_metadata",
"read_contact_detail_when_user_requested",
"search_contacts",
"emit_redacted_health",
"emit_secondbrain_personal_proposal"
],
"denied_effects": [
"create_contact",
"update_contact",
"delete_contact",
"orgbrain_write"
],
"confirmation": "not-applicable-read"
},
{
"name": "contacts.write_with_confirmation",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"create_contact_after_explicit_confirmation",
"update_contact_after_explicit_confirmation"
],
"denied_effects": [
"write_without_confirmation",
"delete_contact",
"orgbrain_write"
],
"confirmation": "explicit-jp-confirmation-required"
},
{
"name": "drive.read",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"read_drive_metadata_when_user_requested",
"read_file_when_user_requested",
"emit_redacted_health",
"emit_secondbrain_personal_proposal"
],
"denied_effects": [
"write_file",
"move_file",
"copy_file",
"delete_file",
"purge_directory",
"orgbrain_write"
],
"confirmation": "not-applicable-read"
},
{
"name": "drive.write_with_confirmation",
"capability_package": "proton-rclone",
"status": "blocked-follow-up",
"allowed_effects": [
"write_file_after_explicit_confirmation",
"move_file_after_explicit_confirmation",
"copy_file_after_explicit_confirmation"
],
"denied_effects": [
"write_without_confirmation",
"delete_file",
"purge_directory",
"orgbrain_write"
],
"confirmation": "explicit-jp-confirmation-required"
},
{
"name": "browser.host_runtime.full_control",
"capability_package": "mac-mini-host-runtime",
"status": "blocked-follow-up",
"allowed_effects": [],
"denied_effects": [
"browser_full_control_without_hitl_approval",
"read_password_manager",
"export_cookies",
"read_keychain",
"orgbrain_write"
],
"confirmation": "separate-hitl-host-runtime-approval-required"
}
]
}
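Review bot: the `confirmation` values for read surfaces are not uniform: `imessage.read` uses `"not-applicable-read-only"` while every other read surface uses `"not-applicable-read"`, so a validator or renderer that switches on the string will treat iMessage differently for no stated reason; pick one. Likewise `imessage.read` here denies `attachment_download` and allows no attachment effect at all, whereas the binding contract in this change allows `read_attachment_metadata` and denies only `attachment_content_download`. Since this file is marked `active-authority`, the binding is currently broader than the authority permits; either add `read_attachment_metadata` here or remove it from the binding, and align the denied-effect name in the same edit.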
@@ -0,0 +1,396 @@
{
"schema_version": "personal-agent-proton-rclone-package/v1",
"status": "registered-child-local-package-degraded",
"package_id": "proton-rclone",
"profile_identity": "personal-agent",
"display_name": "Steev",
"observed_date": "2026-06-15",
"child_workspace_registered": true,
"child_workspace_candidate_created": true,
"package_runtime_readiness_claimed": false,
"profile_runtime_readiness_claimed": false,
"seed_readiness_claimed": false,
"core_promotion_claimed": false,
"child_workspace_candidate": {
"path": "../proton-rclone",
"commit": "f8403f1e5927933a0a5e283d2020119336e4e5e7",
"validator_command": "python3 tools/validate_proton_rclone_child.py",
"validator_result_observed": "ok",
"core_registration_claimed": true,
"runtime_readiness_claimed": false,
"core_registration_candidate_packet": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-core-registration-candidate-packet.json",
"live_redacted_health_proof": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-live-redacted-health.json",
"runtime_gate_repair_proof": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-runtime-gate-repair-proof.json",
"bridge_unit_convergence_proof": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-bridge-unit-convergence-proof.json",
"current_runtime_state_reconciliation": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-current-runtime-state-reconciliation.json",
"core_registration_pickup": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-core-registration-pickup.json",
"core_s606_registration_output": "../core/.sot/08-OUTPUTS/2026-06-14-s606-proton-rclone-child-registration.json",
"core_s641_governance_pickup": "../core/.sot/08-OUTPUTS/2026-06-15-s641-proton-suite-governance-pickup.json",
"core_s642_seed_refresh_pickup": "../core/.sot/08-OUTPUTS/2026-06-15-s642-seed-proton-suite-refresh-pickup.json",
"core_s643_seed_validator_repair_pickup": "../core/.sot/08-OUTPUTS/2026-06-15-s643-seed-personal-agent-validator-repair-pickup.json",
"seed_final_acceptance_gate": "../seed/outputs/research/2026-06-14-cortex-os-seed-personal-agent-final-full-tool-acceptance-gate.json",
"seed_boundary_decision": "../seed/outputs/research/2026-06-14-cortex-os-seed-personal-agent-core-promotion-productization-boundary-decision.json",
"seed_objective_completion_audit": "../seed/outputs/research/2026-06-14-cortex-os-seed-personal-agent-objective-completion-audit.json",
"source_hashes": {
"readonly_contract": "d233a763ddb4fa49f5ff0bff02f5ec28595539375a735585902e535452f18686",
"live_redacted_health": "eebbb75e69c407f6b1a82fc847c30185bfa3b28d95848ea501333141a3c50edf",
"runtime_gate_repair_proof": "e9ebe2268209b6e9262a2d651d0baf9170c710e425fc591891f8b4ed81f21fbb",
"current_runtime_state_reconciliation": "4562a62053ef4805833a41e9bba744ecf5ee9698d325f90b4a98191fe7aa579c",
"bridge_unit_convergence_proof": "8a7c07e331ff3b49ff5462caa9a691fd29f6e4db7fb4c968e8a44a99b152c46b",
"core_registration_pickup": "d7ebfa239026b4e6d2667f4337ae7acaf763251ee11123f8974581137f34aa46",
"core_s606_registration_output": "ff7e0f93a705ce9149d48879a4a00f30ad5abf5903d569a738ba7f26ccc60d59",
"core_s641_governance_pickup": "224b12db17306764208cc16ae6d8dc3df342c77c05c0cba65df11d7ba20b0de6",
"core_s642_seed_refresh_pickup": "b3604875422663033772ba09a1a96e6152b654bcb020d1acc2dc6ccb9f44541f",
"core_s643_seed_validator_repair_pickup": "c378f7e25c5cd2668060aada18f3a8a0ebdceb76c30431cae48e109e41610c5c",
"seed_final_acceptance_gate": "1d56599c5fbc763e95a5734fa4a507767371189c56ec26f0da36b232f12f4869",
"seed_boundary_decision": "230accd38c9608656935858db576d5b1b19d71184387ef9015d6b7945c0ae136",
"seed_objective_completion_audit": "5bda7600319daee01348870bbe3c7cb716457f5507cdac974adb614540e08951"
}
},
"authority_boundary": {
"profile_owns_surface_exposure": true,
"package_candidate_owns_runtime_inventory": true,
"legacy_repositories_are_reference_only": true,
"duplicate_profile_local_connectors_allowed": false,
"notes": "This contract standardizes the Proton/rclone package shape for personal-agent. Core S606 registers proton-rclone as child-local authority only; runtime readiness, provider smokes, and Profile Exposure remain unclaimed."
},
"memory_policy": {
"target": "secondbrain-personal",
"forbidden": [
"orgbrain"
],
"durable_write_policy": "proposal-only-until-governed-secondbrain-curator-apply-route"
},
"credential_policy": {
"mode": "keyvault-reference-names-only",
"secret_values_in_contract": false,
"credential_mutation_allowed": false
},
"surfaces": [
{
"name": "mail.read",
"runtime_route": "proton-email MCP facade through Proton gate",
"readiness": "degraded",
"allowed_effects": [
"email_folders",
"email_list",
"email_search",
"email_read_metadata_or_body_when_requested"
],
"denied_effects": [
"send_without_confirmation",
"delete_mail",
"archive_mail",
"mark_read",
"mark_unread",
"orgbrain_write"
],
"confirmation": "not-required-for-read"
},
{
"name": "mail.draft",
"runtime_route": "proton-email MCP facade through Proton gate",
"readiness": "pending",
"allowed_effects": [
"draft_reply",
"draft_new_mail"
],
"denied_effects": [
"send_without_confirmation",
"delete_mail",
"orgbrain_write"
],
"confirmation": "draft-only"
},
{
"name": "mail.send_with_confirmation",
"runtime_route": "proton-email MCP facade through Proton gate",
"readiness": "disabled",
"allowed_effects": [
"send_after_explicit_jp_confirmation"
],
"denied_effects": [
"silent_send",
"send_without_confirmation",
"delete_mail",
"orgbrain_write"
],
"confirmation": "explicit-jp-confirmation-required"
},
{
"name": "calendar.read",
"runtime_route": "proton-calendar MCP facade through calendar gate",
"readiness": "degraded",
"allowed_effects": [
"calendar_list",
"calendar_events",
"calendar_upcoming",
"calendar_search",
"calendar_event_get"
],
"denied_effects": [
"calendar_write_without_confirmation",
"calendar_delete",
"orgbrain_write"
],
"confirmation": "not-required-for-read"
},
{
"name": "calendar.propose_event",
"runtime_route": "proton-calendar MCP facade through calendar gate",
"readiness": "pending",
"allowed_effects": [
"propose_calendar_create",
"propose_calendar_update"
],
"denied_effects": [
"calendar_write_without_confirmation",
"calendar_delete",
"orgbrain_write"
],
"confirmation": "proposal-only"
},
{
"name": "calendar.write_with_confirmation",
"runtime_route": "proton-calendar MCP facade through calendar gate",
"readiness": "disabled",
"allowed_effects": [
"calendar_create_after_explicit_jp_confirmation",
"calendar_update_after_explicit_jp_confirmation"
],
"denied_effects": [
"silent_calendar_write",
"calendar_delete",
"orgbrain_write"
],
"confirmation": "explicit-jp-confirmation-required"
},
{
"name": "contacts.read",
"runtime_route": "proton-contacts MCP facade through contacts gate",
"readiness": "degraded",
"allowed_effects": [
"contacts_list",
"contacts_search",
"contacts_get"
],
"denied_effects": [
"contact_mutation_without_confirmation",
"contacts_delete",
"orgbrain_write"
],
"confirmation": "not-required-for-read"
},
{
"name": "contacts.write_with_confirmation",
"runtime_route": "proton-contacts MCP facade through contacts gate",
"readiness": "disabled",
"allowed_effects": [
"contacts_create_after_explicit_jp_confirmation",
"contacts_update_after_explicit_jp_confirmation"
],
"denied_effects": [
"silent_contact_write",
"contacts_delete",
"orgbrain_write"
],
"confirmation": "explicit-jp-confirmation-required"
},
{
"name": "drive.read",
"runtime_route": "rclone with explicit Proton config path",
"readiness": "degraded",
"allowed_effects": [
"rclone_about_redacted",
"rclone_list_only_when_requested"
],
"denied_effects": [
"drive_file_name_proof",
"drive_file_content_download",
"drive_write_without_confirmation",
"drive_delete",
"orgbrain_write"
],
"confirmation": "not-required-for-redacted-about"
},
{
"name": "drive.write_with_confirmation",
"runtime_route": "rclone with explicit Proton config path",
"readiness": "disabled",
"allowed_effects": [
"drive_write_after_explicit_jp_confirmation"
],
"denied_effects": [
"silent_drive_write",
"drive_delete",
"drive_purge",
"drive_share",
"orgbrain_write"
],
"confirmation": "explicit-jp-confirmation-required"
}
],
"runtime_inventory": {
"overall_state": "degraded",
"chosen_runtime_path": "MCP facades for Mail, Calendar, Contacts; explicit rclone config for Drive",
"pending_runtime_convergence": [
"Promote the repaired email and contacts gate bind-mount shape into a canonical runtime deployment route.",
"Keep stale native Proton Bridge user units disabled while the Docker bridge route is canonical.",
"Keep rclone RC/proxy units disabled unless a governed wrapper admits them.",
"Keep Core S606 registration child-local only; complete Proton Suite provider-smoke and canonical runtime routes before runtime readiness is claimed."
],
"mcp_servers": [
{
"name": "proton-calendar",
"observed_status": "enabled"
},
{
"name": "proton-email",
"observed_status": "enabled"
},
{
"name": "proton-contacts",
"observed_status": "enabled"
}
],
"docker_routes": [
{
"name": "protonmail-bridge-active-container",
"observed_state": "up"
},
{
"name": "sdo-calendar-gate",
"observed_state": "up"
},
{
"name": "sdo-email-gate",
"observed_state": "up"
},
{
"name": "sdo-contacts-gate",
"observed_state": "up"
},
{
"name": "stale-sdo-protonmail-bridge-container",
"observed_state": "created"
}
],
"systemd_user_units": [
{
"name": "proton-bridge.service",
"observed_state": "inactive-dead",
"unit_file_state": "disabled"
},
{
"name": "proton-bridge-proxy.service",
"observed_state": "inactive-dead",
"unit_file_state": "disabled"
},
{
"name": "rclone-rc.service",
"observed_state": "inactive-dead",
"unit_file_state": "disabled"
},
{
"name": "rclone-proxy.service",
"observed_state": "inactive-dead",
"unit_file_state": "disabled"
}
],
"rclone": {
"config_path": "/home/svrnty/.config/rclone/rclone.conf",
"remote": "proton:",
"listremotes_observed": true,
"about_probe": "ok-redacted",
"file_names_observed": false,
"file_contents_observed": false
}
},
"legacy_sources": [
{
"path": "/home/svrnty/workspaces/cortex/L4-svrnty.api-proton",
"state": "legacy-reference",
"reason": "Mail, Calendar, Contacts source material, not Cortex OS child authority."
},
{
"path": "/home/svrnty/workspaces/cortex/L4-svrnty.tool-storage",
"state": "legacy-reference",
"reason": "Storage/rclone source material, not the canonical personal-agent package."
},
{
"path": "/home/svrnty/workspaces/cortex/L5-vendor.lib-proton-bridge",
"state": "legacy-reference",
"reason": "Vendor bridge code, not profile authority."
},
{
"path": "/home/svrnty/workspaces/cortex/L6-vendor.lib-proton-api",
"state": "legacy-reference",
"reason": "Vendor Proton API code, not profile authority."
},
{
"path": "/home/svrnty/workspaces/cortex/L6-vendor.lib-rclone",
"state": "legacy-reference",
"reason": "Vendor rclone code, not profile authority."
}
],
"duplicate_skill_policy": [
{
"id": "skills/proton-tools",
"state": "superseded-pending-package-install",
"reason": "Keep as tool reference until the package child exists; governance now lives in this contract."
},
{
"id": "proton-access",
"state": "superseded-pending-consolidation",
"reason": "Must not become separate Proton authority."
},
{
"id": "proton-mail-operations",
"state": "superseded-pending-consolidation",
"reason": "Must fold into the canonical Proton/rclone package."
},
{
"id": "proton-services",
"state": "superseded-pending-consolidation",
"reason": "Must fold into the canonical Proton/rclone package."
}
],
"proof_policy": {
"mode": "redacted-only",
"forbidden_fields": [
"raw_messages",
"mail_bodies",
"mail_subjects",
"sender_address",
"recipient_address",
"contact_details",
"calendar_event_details",
"drive_file_names",
"drive_file_contents",
"endpoint_payloads",
"credentials",
"secret_values"
]
},
"observed_commands": [
"hermes -p steev mcp list",
"systemctl --user list-unit-files --no-pager | rg -i 'proton|rclone|calendar|contacts|email'",
"systemctl --user show proton-bridge.service rclone-rc.service rclone-proxy.service -p Id -p LoadState -p ActiveState -p SubState -p UnitFileState -p FragmentPath --no-pager",
"systemctl --user show proton-bridge-proxy.service -p Id -p LoadState -p ActiveState -p SubState -p UnitFileState -p FragmentPath --no-pager",
"docker ps -a --format '<name status image>' | rg -i 'proton|calendar|contacts|email|mail|rclone|sdo'",
"rclone --config /home/svrnty/.config/rclone/rclone.conf listremotes",
"rclone --config /home/svrnty/.config/rclone/rclone.conf about proton: --json"
],
"remaining_gates": {
"child_workspace_candidate": "complete-child-local",
"registered_child_workspace": "complete-core-s606-child-local",
"email_gate_repair": "complete-child-local",
"contacts_gate_repair": "complete-child-local",
"systemd_bridge_convergence": "complete-child-local-docker-route-active",
"seed_personal_agent_local_acceptance": "complete-governed-local-jp-only",
"proton_suite_provider_smoke": "blocked-follow-up",
"proton_suite_seed_package_pickup": "blocked-provider-smoke",
"secondbrain_durable_apply": "blocked-follow-up",
"seed_package_pickup": "complete-governed-local-personal-agent"
}
}
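Review bot: `source_hashes` cannot be matched to the `child_workspace_candidate` paths mechanically. The hash keys include `readonly_contract` (no path is listed anywhere) and `live_redacted_health` (the path key is `live_redacted_health_proof`), while `core_registration_candidate_packet` has a path but no hash. Use one key per artifact for both path and hash, or nest `{path, sha256}` per artifact, so the script named in `validator_command` can actually detect lock drift. Two smaller points: `credential_policy` says `"keyvault-reference-names-only"`, yet the Drive runtime route is an rclone config file at an absolute path and the contract does not state whether that file is rclone-encrypted or how it satisfies the keyvault rule; and `"docker ps -a --format '<name status image>'"` is not a runnable format string (a Go template such as `'{{.Names}} {{.Status}} {{.Image}}'` would be), so if it is a deliberate redaction mark it as such rather than listing it under `observed_commands`. Also the `skills/proton-tools` reason "Keep as tool reference until the package child exists" is stale now that `child_workspace_registered` is `true`.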
@@ -0,0 +1,224 @@
{
"schema_version": "personal-agent-runtime-readiness-snapshot/v1",
"status": "active-redacted-runtime-snapshot",
"snapshot_id": "personal-agent-runtime-readiness-2026-06-15",
"profile_identity": "personal-agent",
"display_name": "Steev",
"observed_date": "2026-06-15",
"aggregate_runtime_state": "degraded",
"runtime_readiness_claimed": false,
"seed_readiness_claimed": false,
"seed_local_acceptance_claimed": true,
"core_promotion_claimed": false,
"memory_target": "secondbrain-personal",
"forbidden_memory_targets": [
"orgbrain"
],
"surface_states": [
{
"surface": "imessage.read",
"capability_package": "bluebubbles",
"readiness_state": "ready",
"health_source": "python3 tools/validate_bluebubbles_child.py",
"redacted_health": {
"validator_ok": true,
"read_only_imessage": true,
"memory_domain": "secondbrain-personal",
"orgbrain_forbidden": true,
"secondbrain_intake_contract": "ready",
"secondbrain_governed_apply_route": "defined-no-live-apply",
"package_runtime_claims": false
},
"remaining_gap": "Profile aggregate runtime readiness remains broader-degraded until Core Profile Exposure, durable apply, provider, productization, and longer standing-runtime gates close."
},
{
"surface": "mail.read",
"capability_package": "proton-rclone",
"readiness_state": "degraded",
"health_source": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-live-redacted-health.json",
"redacted_health": {
"mcp_server_enabled": true,
"proton_bridge_systemd_running": false,
"proton_bridge_systemd_state": "inactive-disabled",
"docker_email_gate": "up",
"child_workspace_candidate_validator_ok": true,
"core_child_workspace_registered": true,
"seed_local_acceptance": true,
"raw_mail_observed": false
},
"remaining_gap": "Email gate and Docker Bridge route are repaired child-local; Seed-local acceptance is proven, but Proton Suite provider smokes and canonical runtime readiness remain blocked."
},
{
"surface": "calendar.read",
"capability_package": "proton-rclone",
"readiness_state": "degraded",
"health_source": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-live-redacted-health.json",
"redacted_health": {
"mcp_server_enabled": true,
"calendar_gate_running": true,
"proton_bridge_systemd_running": false,
"proton_bridge_systemd_state": "inactive-disabled",
"child_workspace_candidate_validator_ok": true,
"core_child_workspace_registered": true,
"seed_local_acceptance": true,
"raw_calendar_events_observed": false
},
"remaining_gap": "Calendar read has service posture, Core S606 child registration, and Seed-local acceptance; provider-smoke and canonical runtime readiness remain blocked."
},
{
"surface": "contacts.read",
"capability_package": "proton-rclone",
"readiness_state": "degraded",
"health_source": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-live-redacted-health.json",
"redacted_health": {
"mcp_server_enabled": true,
"docker_contacts_gate": "up",
"child_workspace_candidate_validator_ok": true,
"core_child_workspace_registered": true,
"seed_local_acceptance": true,
"raw_contacts_observed": false
},
"remaining_gap": "Contacts gate is repaired child-local; Seed-local acceptance is proven, but provider-smoke and canonical runtime readiness remain blocked."
},
{
"surface": "drive.read",
"capability_package": "proton-rclone",
"readiness_state": "degraded",
"health_source": "../proton-rclone/.sot/08-OUTPUTS/proton-rclone-live-redacted-health.json",
"redacted_health": {
"rclone_remote_present": true,
"rclone_about_probe": "ok-redacted",
"rclone_rc_unit": "disabled",
"rclone_proxy_unit": "disabled",
"child_workspace_candidate_validator_ok": true,
"core_child_workspace_registered": true,
"seed_local_acceptance": true,
"drive_file_names_observed": false,
"drive_file_contents_observed": false
},
"remaining_gap": "Drive read has redacted child proof and Core S606 registration; governed wrapper, provider smokes, and canonical runtime readiness remain required."
}
],
"supervisor_posture": {
"mac_mini_bluebubbles": "package-validator-ok-redacted",
"proton_bridge_service": "inactive-disabled",
"proton_bridge_proxy_service": "inactive-disabled",
"rclone_rc_service": "disabled-inactive",
"rclone_proxy_service": "disabled-inactive"
},
"named_runtime_gaps": [
{
"id": "proton-runtime-gate-repair-source-lock-refresh",
"severity": "follow-up",
"state": "email and contacts gates repaired child-local; Seed and downstream profile snapshots need pickup",
"impact": "runtime remains degraded until source locks and final acceptance catch up"
},
{
"id": "proton-rclone-service-posture-disabled",
"severity": "must-fix",
"state": "rclone-rc.service and rclone-proxy.service are disabled and inactive",
"impact": "Drive read can use redacted CLI proof, but an always-on runtime API is not claimed"
},
{
"id": "stale-protonmail-bridge-container",
"severity": "follow-up",
"state": "stale sdo-protonmail-bridge container exists in Created state",
"impact": "duplicate service topology must be resolved before final runtime readiness"
},
{
"id": "proton-bridge-native-units-disabled-docker-route-active",
"severity": "follow-up",
"state": "stale native Proton Bridge user units are disabled; Docker bridge route is active",
"impact": "native unit loop is resolved, but canonical runtime deployment is still not claimed"
},
{
"id": "proton-rclone-child-registered-core-s606",
"severity": "complete",
"state": "Core S606 registers proton-rclone as child-local capability workspace",
"impact": "Registration gap is closed; runtime readiness still depends on provider-smoke and canonical runtime gates"
},
{
"id": "seed-local-acceptance-proven",
"severity": "complete",
"state": "Seed final full-tool acceptance, boundary decision, and objective audit are green for governed local JP scope",
"impact": "Steev is accepted as a local Seed deployment, not Core-authorized or product-ready infrastructure"
},
{
"id": "proton-suite-provider-smoke-blocked",
"severity": "must-fix",
"state": "Proton Suite provider-smoke gate is blocked pending local Proton Pass Agncy access, Keyvault parity, migration receipt, read-only smokes, rollback, and Conductor disclosure review",
"impact": "Proton Suite cannot unlock provider execution, Pass access, or product readiness"
},
{
"id": "profile-exposure-route-required",
"severity": "must-fix",
"state": "Core Profile Exposure change remains blocked until a governed Core route accepts it",
"impact": "Broader tool exposure cannot be claimed from Seed-local proof"
},
{
"id": "longer-standing-runtime-proof-beyond-three-poll",
"severity": "follow-up",
"state": "Current standing rollback proof is enough for Seed-local acceptance, not a longer always-on posture claim",
"impact": "Daily-driver and production posture need a separate longer standing-runtime proof"
},
{
"id": "secondbrain-apply-blocked",
"severity": "must-fix",
"state": "proposal route and governed apply route exist; live durable apply remains blocked without approval",
"impact": "personal memory intake can be proposed and checked, but is not live-applied yet"
},
{
"id": "desktop-adapter-exposure-blocked",
"severity": "follow-up",
"state": "adapter lane must pick up the contract before desktop display",
"impact": "desktop app cannot display final personal-agent runtime readiness yet"
}
],
"optional_reboot_power_loss_proof": {
"status": "not-run",
"required_for_final_always_on_claim": true,
"notes": "Current proof verifies supervisor posture and package validators, not reboot recovery."
},
"observed_commands": [
"python3 tools/validate_bluebubbles_child.py",
"hermes -p steev mcp list",
"systemctl --user show proton-bridge.service proton-bridge-proxy.service rclone-rc.service rclone-proxy.service -p Id -p LoadState -p ActiveState -p SubState -p UnitFileState --no-pager",
"docker ps -a --format '<name status image>' | rg -i 'bluebubbles|proton|calendar|contacts|email|mail|rclone|sdo'",
"rclone --config /home/svrnty/.config/rclone/rclone.conf about proton: --json"
],
"proof_policy": {
"mode": "redacted-only",
"forbidden_fields": [
"raw_messages",
"message_text",
"mail_bodies",
"mail_subjects",
"sender_address",
"recipient_address",
"contact_details",
"calendar_event_details",
"drive_file_names",
"drive_file_contents",
"attachment_content",
"endpoint_payloads",
"credentials",
"secret_values"
]
},
"remaining_gates": {
"proton_email_gate_repair": "complete-child-local",
"proton_contacts_gate_repair": "complete-child-local",
"proton_bridge_systemd_convergence": "complete-child-local-docker-route-active",
"proton_rclone_child_candidate": "complete-child-local",
"proton_rclone_child_registration": "complete-core-s606-child-local",
"seed_local_acceptance": "complete-governed-local-jp-only",
"proton_suite_provider_smoke": "blocked-follow-up",
"profile_exposure_route": "blocked-core-route-required",
"longer_standing_runtime_proof": "follow-up",
"secondbrain_governed_apply_route": "defined-no-live-apply",
"secondbrain_durable_apply": "blocked-follow-up",
"desktop_adapter_exposure": "blocked-follow-up",
"reboot_power_loss_drill": "optional-follow-up",
"final_acceptance_packet": "blocked-follow-up"
}
}
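Review bot: the `proton-rclone-service-posture-disabled` gap is marked `"severity": "must-fix"` with the state "rclone-rc.service and rclone-proxy.service are disabled and inactive", but the same snapshot reports `"rclone_rc_unit": "disabled"` as `drive.read` health and the package contract in this comparison says to keep those units disabled unless a governed wrapper admits them. As written the must-fix reads as "enable the units", the opposite of the intended fix; reword `state`/`impact` to name the governed wrapper as the missing piece, or lower the severity to match. The state vocabulary also drifts within one object: `supervisor_posture` uses `inactive-disabled` for the bridge units and `disabled-inactive` for the rclone units, `health_source` is a command for `imessage.read` but a file path for the other surfaces, and `"severity": "complete"` is a lifecycle state rather than a severity. Any string-matching validator will have to special-case each of these; normalise them before the snapshot becomes a source lock.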
@@ -0,0 +1,231 @@
{
"schema_version": "personal-agent-secondbrain-proposal-route/v1",
"status": "active-profile-memory-proposal-route",
"route_id": "personal-agent-secondbrain-proposal-route",
"profile_identity": "personal-agent",
"display_name": "Steev",
"observed_date": "2026-06-14",
"target_memory_domain": "secondbrain-personal",
"target_domain_term": "Personal Memory Domain",
"human_authority_principal": "jp",
"forbidden_memory_domains": [
"orgbrain"
],
"durable_write_allowed": false,
"direct_write_allowed": false,
"profile_runtime_readiness_claimed": false,
"secondbrain_runtime_readiness_claimed": false,
"seed_readiness_claimed": false,
"authority_boundary": {
"profile_owns_source_surface_exposure": true,
"secondbrain_owns_personal_memory_domain": true,
"curator_owns_hygiene_review_queue": true,
"capability_packages_emit_proposals_only": true,
"apply_owner": "secondbrain",
"hygiene_owner": "curator",
"notes": "personal-agent capability packages may emit redacted proposal envelopes. Secondbrain now defines the governed apply route; live durable Memory Object writes still require approval and Secondbrain evidence."
},
"source_routes": [
{
"source_surface": "imessage.read",
"capability_package": "bluebubbles",
"proposal_type": "secondbrain.memory.propose_create_from_imessage",
"secondbrain_intake_contract": "../secondbrain/docs/integration/2026-06-14-secondbrain-personal-agent-imessage-intake-contract.md",
"secondbrain_apply_contract": "../secondbrain/docs/integration/2026-06-14-secondbrain-personal-agent-imessage-apply-contract.md",
"target_lifecycle_state": "inbox",
"allowed_effects": [
"emit_redacted_proposal",
"emit_source_handle",
"emit_content_digest"
],
"denied_effects": [
"durable_memory_write",
"orgbrain_write",
"message_send",
"message_delete",
"message_mark_read",
"attachment_download"
]
},
{
"source_surface": "mail.read",
"capability_package": "proton-rclone",
"proposal_type": "secondbrain.memory.propose_create_from_mail",
"target_lifecycle_state": "inbox",
"allowed_effects": [
"emit_redacted_proposal",
"emit_source_handle",
"emit_content_digest"
],
"denied_effects": [
"durable_memory_write",
"orgbrain_write",
"mail_send",
"mail_delete",
"mail_mark_read"
]
},
{
"source_surface": "calendar.read",
"capability_package": "proton-rclone",
"proposal_type": "secondbrain.memory.propose_create_from_calendar",
"target_lifecycle_state": "inbox",
"allowed_effects": [
"emit_redacted_proposal",
"emit_source_handle",
"emit_content_digest"
],
"denied_effects": [
"durable_memory_write",
"orgbrain_write",
"calendar_write",
"calendar_delete"
]
},
{
"source_surface": "contacts.read",
"capability_package": "proton-rclone",
"proposal_type": "secondbrain.memory.propose_create_from_contacts",
"target_lifecycle_state": "inbox",
"allowed_effects": [
"emit_redacted_proposal",
"emit_source_handle",
"emit_content_digest"
],
"denied_effects": [
"durable_memory_write",
"orgbrain_write",
"contact_mutation",
"contact_delete"
]
},
{
"source_surface": "drive.read",
"capability_package": "proton-rclone",
"proposal_type": "secondbrain.memory.propose_create_from_drive_pointer",
"target_lifecycle_state": "inbox",
"allowed_effects": [
"emit_redacted_proposal",
"emit_source_handle",
"emit_content_digest"
],
"denied_effects": [
"durable_memory_write",
"orgbrain_write",
"drive_file_content_download",
"drive_file_name_proof",
"drive_write",
"drive_delete"
]
}
],
"proposal_envelope_contract": {
"schema_version": "personal-agent.secondbrain.proposal-envelope.v1",
"required_fields": [
"schema_version",
"proposal_id",
"profile_identity",
"human_authority_principal",
"target_memory_domain",
"target_domain_term",
"source_capability_package",
"source_surface",
"proposal_type",
"target_lifecycle_state",
"source_handle_redacted",
"content_digest",
"redacted_summary",
"changed_fields",
"validator_plan",
"rollback_note",
"approval_state",
"proof_redaction"
],
"target_memory_domain": "secondbrain-personal",
"target_domain_term": "Personal Memory Domain",
"approval_state": "pending",
"raw_payload_custody": "source-runtime-or-secondbrain-apply-route-only",
"raw_payload_in_core_or_profile_proof": false,
"durable_apply_authorized_by_envelope": false
},
"apply_policy": {
"apply_route": "Secondbrain governed memory write path",
"apply_route_contract": "../secondbrain/docs/integration/2026-06-14-secondbrain-personal-agent-imessage-apply-contract.md",
"governed_apply_route_defined": true,
"apply_allowed_now": false,
"live_apply_executed": false,
"durable_apply_without_approval": false,
"requires_secondbrain_validator": "python3 tools/validate_secondbrain_child.py",
"requires_focused_secondbrain_gate": true,
"focused_secondbrain_gate_command": "python3 tools/check_secondbrain_personal_agent_imessage_intake.py",
"focused_secondbrain_apply_gate_command": "python3 tools/check_secondbrain_personal_agent_imessage_apply.py",
"requires_human_or_governed_approval": true,
"requires_local_evidence_and_handoff": true,
"push_allowed": false
},
"rejection_cases": [
{
"case": "target_orgbrain",
"input_target": "orgbrain",
"result": "rejected",
"reason": "personal context cannot route to Organization Memory Domain"
},
{
"case": "direct_durable_write",
"requested_effect": "durable_memory_write",
"result": "rejected",
"reason": "capability packages emit proposal envelopes only"
},
{
"case": "raw_payload_in_core_or_profile_proof",
"requested_effect": "store_raw_payload_in_proof",
"result": "rejected",
"reason": "proof is redacted-only"
},
{
"case": "apply_without_approval",
"requested_effect": "secondbrain_apply",
"result": "blocked",
"reason": "Secondbrain governed apply requires approval and validators"
}
],
"referenced_secondbrain_contracts": [
"../secondbrain/docs/integration/2026-06-09-secondbrain-personal-memory-domain-runtime-contract.md",
"../secondbrain/docs/integration/2026-06-09-secondbrain-governed-agent-retrieval-contract.md",
"../secondbrain/docs/integration/2026-06-09-secondbrain-governed-memory-write-path-contract.md",
"../secondbrain/docs/integration/2026-06-09-secondbrain-curator-hygiene-queue-contract.md",
"../secondbrain/docs/integration/2026-06-09-secondbrain-hermes-runtime-boundary.md",
"../secondbrain/docs/integration/2026-06-14-secondbrain-personal-agent-imessage-intake-contract.md",
"../secondbrain/docs/evidence/2026-06-14-secondbrain-personal-agent-imessage-intake-proof.md",
"../secondbrain/docs/integration/2026-06-14-secondbrain-personal-agent-imessage-apply-contract.md",
"../secondbrain/docs/evidence/2026-06-14-secondbrain-personal-agent-imessage-apply-proof.md"
],
"proof_policy": {
"mode": "redacted-only",
"forbidden_fields": [
"raw_messages",
"message_text",
"mail_bodies",
"mail_subjects",
"sender_address",
"recipient_address",
"contact_details",
"calendar_event_details",
"drive_file_names",
"drive_file_contents",
"attachment_content",
"endpoint_payloads",
"credentials",
"secret_values"
]
},
"remaining_gates": {
"secondbrain_governed_apply_route": "defined-no-live-apply",
"secondbrain_imessage_intake_contract": "ready",
"secondbrain_durable_apply": "blocked-follow-up",
"curator_hygiene_apply_review": "blocked-follow-up",
"desktop_adapter_exposure": "blocked-follow-up",
"runtime_health_proof": "blocked-follow-up",
"seed_package_pickup": "blocked-follow-up"
}
}
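Review bot: `apply_policy` is shared by all five `source_routes`, but every concrete reference in it is iMessage-specific: `apply_route_contract` points at the iMessage apply contract and the two gate commands are `check_secondbrain_personal_agent_imessage_intake.py` and `check_secondbrain_personal_agent_imessage_apply.py`, while only the `imessage.read` route carries `secondbrain_intake_contract`/`secondbrain_apply_contract` links. Either state that the iMessage contract is the template for the mail, calendar, contacts and drive routes, or give those four routes an explicit `"secondbrain_intake_contract": null` and a gate entry so a proposal from them is rejected rather than silently passing the iMessage gate. Related: the drive route denies `drive_file_name_proof` and `proof_policy` forbids `drive_file_names`, yet `source_handle_redacted` is a required envelope field; say what the drive handle is (an opaque pointer or ID, not a path) so the envelope cannot leak a file name through the handle.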
@@ -0,0 +1,41 @@
---
name: 2026-06-14-personal-agent-proton-rclone-runtime-reconciliation
status: complete
triage: evidence
owner: jp
created: 2026-06-14
source: docs/contracts/personal-agent-runtime-readiness-snapshot.json
artifact_type: evidence
---
# Personal-Agent Proton/rclone Runtime Reconciliation
## Scope
This evidence reconciles the `personal-agent` Proton/rclone profile snapshot
against a same-day redacted runtime probe.
## Redacted Probe
- MCP registration: `proton-calendar`, `proton-email`, and `proton-contacts`
are enabled for the Steev profile.
- Docker inventory: calendar, email, and contacts gates are up after the
child-local bind-mount repair; one Proton Bridge container is up, and one
stale Proton Bridge container remains created.
- systemd user inventory: stale native `proton-bridge.service` and
`proton-bridge-proxy.service` are loaded but disabled/inactive while the
Docker bridge route remains active.
- rclone inventory: explicit Proton remote `about` probe succeeded with
redacted quota output only; no drive file names or file contents were listed.
## Result
The profile runtime snapshot now records the email and contacts gate repair as
complete child-local. The aggregate `personal-agent` runtime state remains
degraded because Core registration, rclone service posture, canonical runtime
deployment, source-lock pickup, and final acceptance remain open.
This proof does not read or store mail bodies, mail subjects, sender or
recipient addresses, contact details, calendar event details, drive file names,
drive file contents, endpoint payloads, credentials, cookies, Keychain values,
password-manager values, or secret values.
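Review bot: the Result paragraph says the aggregate state remains degraded "because Core registration, rclone service posture, ... remain open", but the file named in `source:` (`personal-agent-runtime-readiness-snapshot.json`, added in this same comparison) records `core_child_workspace_registered: true` and marks the `proton-rclone-child-registered-core-s606` gap complete. With `status: complete` in the frontmatter a reader cannot tell whether this is a frozen 2026-06-14 observation or a live summary of its source; either lock the snapshot commit as read on that day, or refresh the open-item list to match the snapshot. Minor: the "Redacted Probe" bullets restate the snapshot's `observed_commands` in prose; naming that command list would let a reader re-run the same probe.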
@@ -0,0 +1,41 @@
# Personal-Agent Core Seed Readiness Reconciliation
Date: 2026-06-15
Profile identity: `personal-agent`
Display name: `Steev`
Work item: `PACR-014`
Status: complete profile-local reconciliation
## Objective
Update Steev profile distribution truth after Seed-local acceptance and Core pickup work, without claiming Core authority, Profile Exposure, durable memory, provider, product, publish, deploy, or public readiness.
## Source Locks
| Source | Commit | Path | SHA-256 |
| --- | --- | --- | --- |
| Proton/rclone current head | `f8403f1e5927933a0a5e283d2020119336e4e5e7` | `.sot/08-OUTPUTS/proton-suite-redacted-health-panel.json` | `0cb6938f00618fa794081a04a45ecc258e14e9f31ded990d67845dd35f0f1207` |
| Proton/rclone child registration pickup | `f8403f1e5927933a0a5e283d2020119336e4e5e7` | `.sot/08-OUTPUTS/proton-rclone-core-registration-pickup.json` | `d7ebfa239026b4e6d2667f4337ae7acaf763251ee11123f8974581137f34aa46` |
| Core S606 registration output | `52b2293b` | `.sot/08-OUTPUTS/2026-06-14-s606-proton-rclone-child-registration.json` | `ff7e0f93a705ce9149d48879a4a00f30ad5abf5903d569a738ba7f26ccc60d59` |
| Core S641 Proton Suite governance pickup | `52b2293b` | `.sot/08-OUTPUTS/2026-06-15-s641-proton-suite-governance-pickup.json` | `224b12db17306764208cc16ae6d8dc3df342c77c05c0cba65df11d7ba20b0de6` |
| Core S642 Seed Proton Suite refresh pickup | `52b2293b` | `.sot/08-OUTPUTS/2026-06-15-s642-seed-proton-suite-refresh-pickup.json` | `b3604875422663033772ba09a1a96e6152b654bcb020d1acc2dc6ccb9f44541f` |
| Core S643 Seed validator repair pickup | `52b2293b` | `.sot/08-OUTPUTS/2026-06-15-s643-seed-personal-agent-validator-repair-pickup.json` | `c378f7e25c5cd2668060aada18f3a8a0ebdceb76c30431cae48e109e41610c5c` |
| Seed final acceptance gate | `999f286fc7dafc5635cc72d2a63f08b7b2f98433` | `outputs/research/2026-06-14-cortex-os-seed-personal-agent-final-full-tool-acceptance-gate.json` | `1d56599c5fbc763e95a5734fa4a507767371189c56ec26f0da36b232f12f4869` |
| Seed boundary decision | `999f286fc7dafc5635cc72d2a63f08b7b2f98433` | `outputs/research/2026-06-14-cortex-os-seed-personal-agent-core-promotion-productization-boundary-decision.json` | `230accd38c9608656935858db576d5b1b19d71184387ef9015d6b7945c0ae136` |
| Seed objective audit | `999f286fc7dafc5635cc72d2a63f08b7b2f98433` | `outputs/research/2026-06-14-cortex-os-seed-personal-agent-objective-completion-audit.json` | `5bda7600319daee01348870bbe3c7cb716457f5507cdac974adb614540e08951` |
## Result
Steev is represented as Seed-local accepted for the governed JP local package scope. Proton/rclone is represented as Core S606 child-local registered. The profile distribution still reports broader aggregate runtime state as degraded.
## Remaining Gates
- `profile_exposure_route`: Core route required before broader Profile Exposure.
- `secondbrain_durable_apply`: Secondbrain route and exact approval required.
- `proton_suite_provider_smoke`: blocked on local Proton Pass Agncy access, Keyvault parity, migration receipt, read-only smokes, rollback, and Conductor disclosure review.
- `longer_standing_runtime_proof`: needed before daily-driver or production posture.
- `productization_release_distribution_lane`: separate approval and release decision required.
## False Effects
No Core mutation, Seed mutation, sibling mutation, Runtime start, Docker start, Desktop/Dashboard launch, browser control, Webwright control, secret read, provider call, Profile Exposure change, Memory Domain grant, durable Secondbrain apply, Hindsight live write, publish, deploy, public release, product readiness, production readiness, or broad goal-completion claim occurred in this Steev slice.
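Review bot: the Source Locks table pins the four Core rows (S606, S641, S642, S643) to the abbreviated commit `52b2293b` while every other row carries a full 40-hex SHA; a short prefix can become ambiguous as the repository grows, so a SHA-256 lock keyed to it is weaker than it looks. Pin the full commit, and make the `Path` column state which repository it is relative to (the `.sot/08-OUTPUTS/...` rows are not paths in this repo), for example with the `../core/` prefix that the boundary document in the next hunk already uses.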
@@ -0,0 +1,42 @@
# Personal-Agent Current Governed Boundary
Date: 2026-06-15
Profile identity: `personal-agent`
Display name: `Steev`
Work item: `PACR-015`
Status: complete profile-local boundary reconciliation
## Objective
Record the current Steev boundary after Core S654 and the Proton Suite health-panel signal, without changing Seed, Core, Proton, Keyvault, Runtime, Desktop, or memory state.
## Source Locks
| Source | Commit or stage | Path | SHA-256 |
| --- | --- | --- | --- |
| Core S654 Seed branch authority pickup | `S654` | `../core/.sot/08-OUTPUTS/2026-06-15-s654-seed-main-branch-authority-gate-pickup.json` | `d92e77e23418b67e27cc3058a9f415a9b4a023cfcd71e4465cbe859df9b8d7e4` |
| Core S654 validator | `3cc8a77a06de4ff282b36205e101c99c2fb54c9b` | `../core/tools/check_personal_agent_21_seed_main_branch_authority_gate_pickup.py` | `20fffdb88f1e7a023e715465aa944c33201bc83ccff218833d6ba72f900f0944` |
| Seed S653 branch authority gate | `fd880ef15232895da05bc31ae4449e32418190ec` | `../seed/outputs/research/2026-06-15-cortex-os-seed-main-branch-authority-gate.json` | `12515390f89263318f853c26918155b36376f7b976009101a026043d4d3c2379` |
| Seed S653 branch authority validator | `fd880ef15232895da05bc31ae4449e32418190ec` | `../seed/tools/validate_cortex_os_seed_main_branch_authority_gate.py` | `b7ce32bcfe48e8e568280c1659c09ec46729af8aa7d3c9e6433fb028506847e1` |
| Proton Suite health contract | `f8403f1e5927933a0a5e283d2020119336e4e5e7` | `../proton-rclone/contracts/personal-agent-proton-suite-health-contract.json` | `ec835d487aae52fe0aa251076caafbdb1fc7b7ec7a4923ca89de8c246f87495f` |
| Proton Suite redacted health panel | `f8403f1e5927933a0a5e283d2020119336e4e5e7` | `../proton-rclone/.sot/08-OUTPUTS/proton-suite-redacted-health-panel.json` | `0cb6938f00618fa794081a04a45ecc258e14e9f31ded990d67845dd35f0f1207` |
| Proton Suite health panel proof | `f8403f1e5927933a0a5e283d2020119336e4e5e7` | `../proton-rclone/.sot/08-OUTPUTS/proton-suite-health-panel-proof.json` | `03ece893a3c7678365741cfdd01cb2c6cc2c30c20519e5d8649c25afac5ce31b` |
## Current Boundary
- `seed_branch_authority`: approval-required. Core S654 carries the current approval target for Seed HEAD `fd880ef15232895da05bc31ae4449e32418190ec`.
- `stale_s653_approval`: blocker. The older Seed S653 gate targets `56a1a36cc51d3cd084a65e01eb77210f58d7b6fd` and must not be used for current branch authority.
- `seed_main_repoint`: not executed. Local Seed `main` was not archived or repointed by this Steev slice.
- `profile_exposure`: blocked. Broader Steev tool exposure still needs a Core route.
- `durable_memory`: blocked. Secondbrain/Hindsight live writes still need governed approval.
- `provider_policy`: blocked. Real provider calls and credential custody still need a governed route.
- `keyvault_replacement`: future-governed-route. Proton Suite health-panel architecture may inform Keyvault successor work, but it does not replace Keyvault here.
- `runtime_readiness`: degraded. Seed-local acceptance exists, but broader runtime readiness and product readiness are not claimed.
## Operator Note
Use the Core S654 exact current-head approval text before any local Seed branch-authority execution. Do not use the older S653 approval text for current Seed HEAD `fd880ef15232895da05bc31ae4449e32418190ec`.
## False Effects
No Core mutation, Seed mutation, Proton mutation, Keyvault mutation, Runtime start, Docker start, Desktop/Dashboard launch, browser control, Webwright control, secret read, provider call, Profile Exposure change, Memory Domain grant, durable Secondbrain apply, Hindsight live write, branch repoint, publish, deploy, public release, product readiness, production readiness, or broad goal-completion claim occurred in this Steev slice.
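Review bot: in the Source Locks table the first row locks the S654 pickup JSON to the stage label `S654` rather than a commit, so its SHA-256 cannot be tied to a revision; the validator on the next row is pinned to `3cc8a77a06de4ff282b36205e101c99c2fb54c9b`, and the pickup output should be pinned the same way. Separately, the `stale_s653_approval` bullet says the S653 gate targets `56a1a36cc51d3cd084a65e01eb77210f58d7b6fd`, while the table locks that same gate file at `fd880ef15232895da05bc31ae4449e32418190ec`; a one-line note that the lock records the file's content at current HEAD and is not an endorsement of its target would remove the apparent contradiction.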
@@ -0,0 +1,180 @@
---
name: 2026-06-14-personal-agent-context-runtime-work-orders
status: active
triage: ready-for-agent
owner: jp
source: docs/prd/2026-06-14-personal-agent-context-runtime-prd.md
created: 2026-06-14
last_reviewed: 2026-06-14
core_promotion_status: not-promoted
description: Dependency-ordered vertical slices for personal-agent context runtime standardization.
artifact_type: work-orders
---
# Personal-Agent Context Runtime Work Orders
Each slice is vertical and proof-backed. `personal-agent` owns the profile contract.
BlueBubbles and Proton/rclone own capability packages. Personal context targets
personal Secondbrain only. `orgbrain`, raw payloads, and secrets are forbidden.
## PACR-001 Profile Authority And Surface Contract
Type: AFK. Blocked by: None. User stories: 1-17, 21-23, 28-31.
## What to build
Define the `personal-agent` profile contract: surfaces, allowed effects, denied effects,
memory target, credential posture, runtime proof, and package ownership.
## Acceptance criteria
- [ ] `personal-agent` declares iMessage, Proton Mail, Calendar, Contacts, Drive, and future browser host surfaces.
- [ ] Required surfaces are named: `imessage.read`, Proton read/draft/propose/confirmation-write surfaces, and Drive read/confirmation-write.
- [ ] Personal Secondbrain is the only memory target; `orgbrain`, raw payloads, credentials, and secrets are denied.
- [ ] The personal-agent distribution validator passes.
## PACR-002 Supersession And Graph Hygiene Register
Type: AFK. Blocked by: PACR-001. User stories: 24-27, 29, 36.
## What to build
Classify older personal-agent/Steev, BlueBubbles, Proton, rclone, and legacy Cortex artifacts
as active, superseded, archived, legacy-reference, or blocked-follow-up.
## Acceptance criteria
- [ ] Every known prior workstream has a supersession state and one-line reason.
- [ ] Legacy Cortex Proton/rclone repos are marked reference-only unless promoted.
- [ ] The register names the single canonical pickup path per work area.
- [ ] The personal-agent distribution validator passes.
## PACR-003 BlueBubbles Capability Pickup Into Personal-Agent
Type: AFK. Blocked by: PACR-001, PACR-002. User stories: 1-3, 13-18, 24-26, 32.
## What to build
Bind `personal-agent`'s `imessage.read` surface to the existing BlueBubbles package.
Preserve read-only runtime, redacted proof, Mac Mini host ownership, and
proposal-only personal memory intake.
## Acceptance criteria
- [ ] `personal-agent` references BlueBubbles as package authority, not profile-local connector code.
- [ ] Sends, read receipts, mark-read, contact/chat mutation, downloads, and deletes remain denied.
- [ ] BlueBubbles health/watchdog proof remains redacted evidence.
- [ ] Personal-agent distribution and BlueBubbles validators pass.
## PACR-004 Proton And Rclone Capability Standardization
Type: AFK. Blocked by: PACR-001, PACR-002. User stories: 4-12, 15-17, 19-20, 24-31.
## What to build
Shape a Proton/rclone capability package for `personal-agent`: Mail, Calendar, Contacts, and
Drive: surfaces, runtime path, rclone config posture, health, and write gates.
## Acceptance criteria
- [ ] Proton and Drive surfaces use read/draft/propose/confirmation naming.
- [ ] Docker, systemd, MCP, CLI, and rclone routes are inventoried with one chosen or pending runtime path.
- [ ] Health is redacted and per-surface, including degraded and not-running states.
- [ ] Duplicate Proton skills are consolidated or clearly superseded.
## PACR-005 Personal Secondbrain Proposal And Apply Route
Type: AFK. Blocked by: PACR-003, PACR-004. User stories: 13-14, 16-17, 29, 32, 34.
## What to build
Define proposal-only memory intake for iMessage, Proton, and Drive-derived
context. Durable writes wait for the owning Secondbrain/curator apply route.
## Acceptance criteria
- [ ] Proposal envelopes target personal Secondbrain only.
- [ ] `orgbrain` attempts are rejected and proven.
- [ ] Proof excludes raw bodies, contacts, event details, drive names, attachments, and secrets unless later approved.
- [ ] The personal-agent distribution validator passes.
## PACR-006 Conductor And Curator Service Handoff
Type: AFK. Blocked by: PACR-001 and active conductor/curator lane release. User stories: 17, 23, 29, 33-34.
## What to build
Publish service identity, health shape, effects, credential posture, and
apply-envelope expectations for future conductor/curator adoption.
## Acceptance criteria
- [ ] Each capability has service identity, health, allowed effects, and denied effects.
- [ ] Apply expectations are redacted and personal-only.
- [ ] No conductor or curator files are mutated from the personal-agent distribution route.
- [ ] The personal-agent distribution validator passes.
## PACR-007 Runtime Readiness And Always-On Proof
Type: AFK. Blocked by: PACR-003, PACR-004, PACR-006. User stories: 17-20, 28-29, 33.
## What to build
Prove per-surface runtime state with redacted health, supervisor posture,
restart behavior, and explicit ready/degraded/pending/blocked claims.
## Acceptance criteria
- [ ] iMessage, Mail, Calendar, Contacts, and Drive each have a readiness state.
- [ ] Broken, duplicate, inactive, or missing services are named as gaps.
- [ ] Optional reboot/power-loss proof is separate from normal readiness.
- [ ] The personal-agent distribution validator passes.
## PACR-008 Desktop Adapter Exposure Contract
Type: AFK. Blocked by: PACR-001 and active adapter lane release. User stories: 22, 29, 35.
## What to build
Prepare the desktop/adapter contract for capability readiness display. Do not
wire UI or mutate adapter code from this route.
## Acceptance criteria
- [ ] Desktop-visible states come from contract and redacted runtime health.
- [ ] State names are ready, degraded, pending, blocked, and disabled.
- [ ] Personal memory only and no `orgbrain` are preserved.
- [ ] The personal-agent distribution validator passes.
## PACR-009 Browser And Webwright Host Runtime Approval
Type: HITL. Blocked by: PACR-001, PACR-002, explicit JP approval. User stories: 21, 29, 33, 35.
## What to build
Prepare a separate Mac Mini browser/Webwright Host Runtime approval packet.
This grants broad authenticated computer authority and must not hide inside
messaging or Proton work.
## Acceptance criteria
- [ ] The packet names browser session, password-manager, cookie, Google Drive, and desktop-control risks.
- [ ] Default denied effects apply until JP grants scope.
- [ ] No browser/Webwright runtime is enabled by this issue.
- [ ] JP approval is required before execution.
## PACR-010 Final Acceptance And Promotion Packet
Type: HITL. Blocked by: PACR-002 through PACR-009. User stories: 28-36.
## What to build
Assemble final acceptance across profile, capability, memory, runtime, Seed,
Core, conductor/curator, desktop, and graph hygiene claims.
## Acceptance criteria
- [ ] Accepted, pending, and rejected claims are named with owning evidence.
- [ ] Old work is archived, superseded, or marked legacy-reference.
- [ ] Core and Seed readiness are claimed only through governed routes.
- [ ] JP can read one page and know exactly what remains.
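Review bot: heading levels flatten the structure: each slice heading (`## PACR-001 ...`) is followed by `## What to build` and `## Acceptance criteria` at the same level, so the sub-sections are not nested under their slice in any rendered outline; use `###` for the two sub-sections. Also, PACR-004, PACR-009 and PACR-010 omit the `The personal-agent distribution validator passes` criterion that every other slice carries, even though the PRD's Testing Decisions require every completed slice to leave that validator passing; add it to those slices or state why they are exempt.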
@@ -0,0 +1,145 @@
---
name: 2026-06-14-personal-agent-context-runtime-prd
status: active
triage: ready-for-agent
owner: jp
source: user-request-2026-06-14-personal-agent-context-runtime
created: 2026-06-14
last_reviewed: 2026-06-14
core_promotion_status: not-promoted
description: PRD for making the personal-agent profile the governed personal context runtime over iMessage, Proton, rclone, and future host-control capabilities.
artifact_type: prd
---
# Personal-Agent Context Runtime PRD
## Problem Statement
JP wants the `personal-agent` profile, displayed to users as Steev, to know him through the live
communication and personal-data surfaces that already shape his day: iMessage,
Proton Mail, Calendar, Contacts, Proton Drive through rclone, and later the Mac
Mini browser host. Today those surfaces exist in different states across
profile docs, BlueBubbles child work, Proton skills, older Cortex repositories,
Docker services, systemd units, Hermes adapters, and Secondbrain/curator lanes.
The risk is context confusion. Future agents can mistake the Steev display name
or old work for active profile authority, build duplicate connectors, route
private personal context toward the wrong memory domain, or claim runtime
readiness from partial proofs. The `personal-agent` profile needs one clean
contract that says which personal surfaces are active,
which capability package owns each surface, which mutations are forbidden,
which durable memory route is allowed, and which old artifacts are archived,
superseded, or legacy reference only.
## Solution
Make `personal-agent` a governed personal context runtime profile. The profile declares
the personal context surfaces it may observe, the capability packages that
provide those surfaces, the exact memory routing policy, the mutation policy,
and the runtime readiness gates. BlueBubbles/iMessage, Proton/rclone, and
future browser/Webwright host control stay in separate capability packages, but
`personal-agent` owns the profile-level decision that those packages belong to JP's
personal-agent runtime and must route personal context only through governed personal
memory paths.
The first target state is read-first and proof-backed:
- iMessage is `imessage.read` only.
- Proton exposes read, draft, propose, and confirmation-gated write surfaces.
- Proton Drive through rclone starts as `drive.read`.
- Durable memory proposals target only personal Secondbrain storage.
- `orgbrain` is forbidden for message, mail, contact, calendar, and drive-derived personal context.
- Core stores no raw personal content, endpoint payloads, credentials, or secret values.
- Old work is classified so graph context has one canonical pickup path.
## User Stories
1. As JP, I want `personal-agent` to understand my recent iMessage exchanges, so that he can answer with real personal context.
2. As JP, I want `personal-agent` to read iMessages without sending, so that personal-agent context does not mutate my Messages state.
3. As JP, I want BlueBubbles to be the iMessage capability package, so that iMessage runtime work is not duplicated inside the profile distribution.
4. As JP, I want `personal-agent` to read Proton Mail, so that my personal-agent knows what people are asking me.
5. As JP, I want `personal-agent` to draft Proton replies without sending them, so that I keep final control of outbound mail.
6. As JP, I want Proton sends to require explicit confirmation, so that no agent sends mail silently.
7. As JP, I want `personal-agent` to read Proton Calendar, so that it knows my time commitments.
8. As JP, I want `personal-agent` to propose calendar changes before writing them, so that scheduling remains controlled.
9. As JP, I want `personal-agent` to read Proton Contacts, so that it can identify people across channels.
10. As JP, I want contact writes to require explicit confirmation, so that my address book is not changed silently.
11. As JP, I want `personal-agent` to read Proton Drive through rclone, so that it can find personal context when I ask.
12. As JP, I want Drive writes to be confirmation-gated, so that personal files are not changed silently.
13. As JP, I want all personal context routed to personal Secondbrain storage, so that my private life stays personal.
14. As JP, I want `orgbrain` forbidden for this data, so that personal messages and mail never become organization memory.
15. As JP, I want `personal-agent` to use Keyvault references only, so that this project does not become a credential migration.
16. As JP, I want Core to store only redacted proofs, so that governance can be reviewed without exposing personal content.
17. As JP, I want each capability to report health without leaking payloads, so that runtime readiness is observable and private.
18. As JP, I want the Mac Mini BlueBubbles runtime to stay always-on, so that iMessage context is available continuously.
19. As JP, I want Proton services to have one canonical runtime path, so that Docker, systemd, and MCP do not fight each other.
20. As JP, I want rclone to use an explicit governed config path, so that Drive access is repeatable and not ambient.
21. As JP, I want browser/Webwright Mac control separated from messaging, so that full computer authority is approved deliberately.
22. As JP, I want desktop app integration to wait for the adapter lane, so that UI work uses the right service boundary.
23. As JP, I want conductor and curator to become the standard service path, so that capabilities are centralized cleanly.
24. As JP, I want every old planning artifact classified, so that future graph context has no ambiguous authority.
25. As JP, I want superseded work marked visibly, so that agents do not revive stale plans.
26. As JP, I want active capability packages named explicitly, so that agents know where to continue work.
27. As JP, I want legacy repositories treated as reference material, so that useful code is preserved without becoming authority.
28. As JP, I want runtime readiness separated from Seed readiness, so that package claims are not inflated.
29. As JP, I want final completion to require profile, capability, runtime, memory, and graph hygiene acceptance, so that "done" has one meaning.
30. As a profile maintainer, I want the personal-agent manifest and disclosure to match live capability exposure, so that runtime drift is caught.
31. As a capability maintainer, I want each surface to declare allowed and forbidden effects, so that test coverage follows real risk.
32. As a Secondbrain maintainer, I want proposal-only intake before durable apply, so that memory writes remain governed.
33. As a conductor operator, I want service identity and health shapes per capability, so that the central service lane can adopt them.
34. As a curator operator, I want redacted apply envelopes, so that personal memory can be reviewed without raw payload sprawl.
35. As a desktop adapter operator, I want one profile capability contract, so that the desktop app can display personal-agent readiness without guessing.
36. As a future agent, I want a sandcastle pickup map, so that I continue vertically instead of re-planning horizontally.
## Implementation Decisions
- `personal-agent` owns the profile-level personal context runtime contract; individual integrations remain child capability packages.
- Steev is the user-facing display name and current distribution/repo alias for `personal-agent`; it is not a separate product authority.
- BlueBubbles owns the iMessage capability package. `personal-agent` consumes the package as `imessage.read` and does not implement a second connector.
- Proton/rclone must become a standardized capability package with declared surfaces for Mail, Calendar, Contacts, and Drive.
- The personal-agent memory target is personal Secondbrain storage only. `orgbrain` is a hard-denied target for this work.
- Runtime claims require redacted live proof and a local validator. Partial service availability must be named per surface.
- Mutations use surface names that encode consent: read, draft, propose, send-with-confirmation, and write-with-confirmation.
- Message sends, mail sends, mark-read/read receipts, deletes, contact mutation, calendar mutation, and file mutation are forbidden unless the surface explicitly requires confirmation and JP confirms.
- Core promotion is out of scope for the child route. Core may receive only governed promotion packets and redacted evidence.
- Seed readiness is out of scope until the Seed lane accepts a package.
- Desktop app integration must wait for the adapter lane to settle.
- Conductor and curator are the desired service and apply path, but this PRD does not mutate those workspaces.
- Browser/Webwright Mac Mini host control is a separate runtime route because it grants broader computer authority than read-only communications.
- Old work must be classified in a supersession register before final readiness claims.
- Hindsight compliance means every major decision has a durable pickup artifact, a supersession state, and a one-line reason.
- Indie-dev compliance means vertical slices stay small, demoable, and useful without adding process that does not reduce confusion or risk.
## Testing Decisions
- The highest profile seam is the personal-agent distribution validator plus manifest/disclosure consistency.
- The highest iMessage seam is the BlueBubbles read-only runtime package and its redacted watchdog proof.
- The highest Proton seam is a redacted health check per surface: Mail, Calendar, Contacts, and Drive.
- The highest memory seam is a proposal envelope that targets personal Secondbrain storage and rejects `orgbrain`.
- The highest graph-hygiene seam is the supersession register plus graph context showing one canonical pickup path.
- The highest runtime seam is always-on supervisor posture with redacted proof, not raw payload capture.
- The highest desktop seam is a contract handoff, not UI wiring, until the adapter lane releases.
- Tests should assert external behavior: allowed reads work, denied mutations fail before transport, confirmation-gated writes cannot run silently, personal memory proposals do not become durable writes, and proof files contain no raw personal data or secrets.
- Every completed slice must leave the current distribution validator passing.
## Out of Scope
- Sending iMessages.
- Sending mail without explicit confirmation.
- Deleting messages, mail, calendar events, contacts, or files.
- Marking messages or mail read unless a later approved surface grants it.
- Downloading attachments unless separately approved.
- Reading or exporting password-manager contents.
- Granting browser/Webwright full computer control through this PRD.
- Writing durable Secondbrain memory directly from capability packages.
- Routing any personal context to `orgbrain`.
- Mutating Core, Seed, conductor, curator, desktop adapter, BlueBubbles, Proton, or Secondbrain workspaces from this personal-agent planning route.
## Further Notes
This PRD intentionally moves the center of gravity from individual connector
experiments to the `personal-agent` profile contract. BlueBubbles remains the concrete
iMessage package. Proton/rclone becomes the next standardized capability
package. The current Steev-named distribution becomes the governed `personal-agent` package that declares which
capabilities are allowed, how they route memory, and which old work is no
longer authoritative.
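Review bot: the Implementation Decisions make mutations conditional on `the surface explicitly requires confirmation and JP confirms`, and the Testing Decisions require tests to assert that `confirmation-gated writes cannot run silently`, but nothing in the PRD defines what a confirmation is (where it is recorded, what the capability package checks before transport, whether it is single-use). Without that shape the test has no artifact to assert on; suggest adding an Implementation Decision that names the confirmation record and the check that consumes it.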
@@ -0,0 +1,82 @@
---
name: 2026-06-14-personal-agent-context-runtime-sandcastle
status: prepared
triage: ready-for-agent
owner: jp
source: docs/issues/2026-06-14-personal-agent-context-runtime-work-orders.md
created: 2026-06-14
last_reviewed: 2026-06-14
artifact_type: sandcastle-descriptor
---
# Personal-Agent Context Runtime Sandcastle
## Active Sandcastle Decision
- Source repo: `/home/svrnty/workspaces/cortex-os/steev`
- Profile identity: `personal-agent`
- User display name / distribution alias: Steev
- Active personal-agent sandcastle before this work: none found
- Prepared pickup descriptor: this file
- Local issue tracker: `docs/issues/2026-06-14-personal-agent-context-runtime-work-orders.md`
- PRD: `docs/prd/2026-06-14-personal-agent-context-runtime-prd.md`
- Supersession register: `docs/supersession/2026-06-14-personal-agent-context-runtime-supersession-register.md`
- Local gate: `python3 tools/validate_steev_child.py`
## Decision
Use `personal-agent` as the profile-level sandcastle for personal context runtime
standardization. Do not open a competing iMessage connector, Proton connector,
rclone storage service, desktop adapter, conductor, curator, or Secondbrain
runtime from this route.
Continue BlueBubbles-specific execution in the existing BlueBubbles completion
readiness sandcastle. Use this package as the `personal-agent` profile contract
that says which capability packages the profile may consume and how personal
context must route. Steev remains the user-facing name.
## Purpose
Make `personal-agent` the clean profile over JP's real personal context:
iMessage, Proton Mail, Calendar, Contacts, Proton Drive through rclone, and
future browser/Webwright host control. This sandcastle exists to remove context
confusion, classify old work, and produce vertical implementation slices.
## Boundaries
- No Core mutation from this route.
- No Seed readiness claim until Seed accepts a package.
- No conductor or curator mutation until their active lane releases.
- No desktop adapter mutation until the adapter lane releases.
- No second production BlueBubbles connector.
- No profile-local Proton/rclone connector rewrite before capability packaging.
- No durable Secondbrain writes; proposal/apply route only.
- No `orgbrain` target.
- No iMessage sends, read receipts, mark-read, deletes, contact mutation, or attachment download.
- No Proton send, calendar write, contact write, Drive write, move, copy, purge, or delete without an explicit confirmation surface and JP confirmation.
- No browser/Webwright full-control runtime until separate Host Runtime approval.
- No raw message bodies, mail bodies, contact details, event details, drive file names, endpoint payloads, credentials, cookies, keychain values, password-manager values, or secret values in proof artifacts.
## Pickup Order
- Start with `PACR-001` to define the profile authority and surface contract.
- Then run `PACR-002` to classify old work and prevent graph ambiguity.
- Run `PACR-003` and `PACR-004` in parallel only after the supersession register exists.
- Run `PACR-005` after iMessage and Proton/rclone surfaces are clear.
- Keep `PACR-006` blocked until conductor/curator release their lane.
- Keep `PACR-008` blocked until the adapter lane releases.
- Keep `PACR-009` HITL because it grants broad Mac/browser authority.
- Use `PACR-010` only as the final acceptance gate.
## One-Line Execution Map
- Define `personal-agent` profile surfaces: one personal context contract.
- Classify old work: active, superseded, archived, or legacy-reference.
- Pick up BlueBubbles: `imessage.read`, read-only, personal memory only.
- Package Proton/rclone: Mail, Calendar, Contacts, Drive surfaces.
- Route memory: proposal-only to personal Secondbrain, no `orgbrain`.
- Hand off services: conductor and curator shape, no cross-route mutation.
- Prove runtime: per-surface redacted health, no payload leakage.
- Prepare desktop: adapter contract only, no early UI wiring.
- Separate host control: browser/Webwright approval packet.
- Accept final state: only evidence-backed claims become complete.
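Review bot: the Pickup Order skips `PACR-007` (runtime readiness and always-on proof) even though the work orders block it on PACR-003, PACR-004 and PACR-006 and the One-Line Execution Map carries `Prove runtime`; add a line placing it after PACR-003/PACR-004 and note that it stays blocked while PACR-006 is blocked. Also the frontmatter `status: prepared` differs from the `active` status on the sibling PRD, work-orders and register artifacts; if `prepared` is the intended status for a descriptor, a one-line explanation would prevent it being read as stale.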
@@ -0,0 +1,98 @@
---
name: 2026-06-14-personal-agent-context-runtime-supersession-register
status: active
triage: ready-for-agent
owner: jp
source: docs/prd/2026-06-14-personal-agent-context-runtime-prd.md
created: 2026-06-14
last_reviewed: 2026-06-14
core_promotion_status: not-promoted
description: Supersession register for personal-agent context runtime work so old artifacts do not confuse graph context.
artifact_type: supersession-register
---
# Personal-Agent Context Runtime Supersession Register
## Rule
Every artifact that talks about `personal-agent`, Steev display-name context, iMessage, BlueBubbles,
Proton, rclone, Secondbrain memory routing, conductor/curator routing, or
desktop exposure must be treated as one of:
- `active-authority`: current pickup path for this route.
- `active-capability-package`: current package owned by another child route.
- `superseded`: useful history, not a pickup path.
- `legacy-reference`: source material only, not current authority.
- `blocked-follow-up`: valid work, blocked by another owning lane.
## Canonical Pickup Paths
| Area | Status | Canonical pickup |
| --- | --- | --- |
| Personal-agent profile contract | active-authority | This PRD and work orders |
| Steev display name | active-alias | User-facing name for `personal-agent`, not separate authority |
| Personal-agent BlueBubbles binding | active-authority | `docs/contracts/personal-agent-bluebubbles-binding.json` binds `imessage.read` to the package |
| BlueBubbles iMessage | active-capability-package | BlueBubbles child completion-readiness package |
| Proton/rclone package candidate | active-authority | `docs/contracts/personal-agent-proton-rclone-package.json` links to the child-local `../proton-rclone` candidate without Core registration or runtime readiness overclaim |
| Proton Mail/Calendar/Contacts | blocked-follow-up | Child candidate exists and email/contacts gates are repaired child-local; Core registration, bridge convergence, source-lock pickup, and final readiness remain follow-up work |
| Proton Drive/rclone | blocked-follow-up | Child candidate has redacted rclone `about` proof; governed wrapper and write gates remain follow-up work |
| Personal-agent Secondbrain proposal/apply route | active-authority | `docs/contracts/personal-agent-secondbrain-proposal-route.json` defines proposal-only personal memory intake and references the governed Secondbrain apply route |
| Personal memory live durable apply | blocked-follow-up | Secondbrain apply route is defined, but live apply still requires approval; profile/capability packages do not write durable memory |
| Personal-agent Conductor/Curator service handoff | active-authority | `docs/contracts/personal-agent-conductor-curator-service-handoff.json` gives route and hygiene lanes a redacted service map |
| Conductor/curator adoption | blocked-follow-up | Owning lanes must explicitly pick up the handoff; this profile does not mutate them |
| Personal-agent runtime readiness snapshot | active-authority | `docs/contracts/personal-agent-runtime-readiness-snapshot.json` names per-surface states and runtime gaps without aggregate readiness claim |
| Personal-agent desktop exposure contract | active-authority | `docs/contracts/personal-agent-desktop-exposure-contract.json` defines adapter-visible rows without UI wiring |
| Desktop app exposure wiring | blocked-follow-up | Owning adapter lane must pick up the contract and wire UI after approval |
| Browser/Webwright host control | blocked-follow-up | `PACR-009`, explicit approval only |
## Known Artifacts And Supersession State
| Artifact family | State | One-line reason |
| --- | --- | --- |
| Steev-named distribution repo | active-alias | Current repo path for `personal-agent`; display name is not separate profile authority. |
| `CONTRACT.md` v1 iMessage-as-v2 wording | superseded | iMessage is now main personal context intake, not a low-priority future messaging item. |
| `AGENT.md` reused-skill summary | superseded | It names useful tools but not the new governed surface model. |
| `skills/steev-agent` current memory protocol | superseded | It says episodic memory only but does not encode personal Secondbrain proposal/apply routing. |
| `skills/proton-tools` | superseded-pending-package-install | It remains tool reference material, but governance now lives in the Proton/rclone package candidate. |
| `DISCLOSURE.md` Wave 8/8.5 runtime disclosure | superseded-pending-refresh | It is historical disclosure and must be refreshed after the profile capability contract changes. |
| BlueBubbles runtime-readiness PRD | active-capability-package | It remains valid for the iMessage capability package, subordinate to the `personal-agent` profile contract. |
| BlueBubbles completion-readiness PRD | active-capability-package | It remains the BlueBubbles package pickup for read-only iMessage readiness. |
| BlueBubbles Hermes connector convergence PRD | active-capability-package | It prevents duplicate connector work and remains aligned with the `personal-agent` profile contract. |
| Legacy Cortex Proton API repo | legacy-reference | It has useful Mail/Calendar/Contacts service code but is not Cortex OS child authority. |
| Legacy Cortex Proton Bridge repo | legacy-reference | It has bridge/container material but is not the canonical runtime package. |
| Legacy Cortex rclone storage repo | legacy-reference | It has Drive service and permission code but is not the canonical personal-agent package. |
| Hermes installed `proton-access` skill | superseded-pending-consolidation | It overlaps with Steev `proton-tools` and should not be a separate authority. |
| Hermes installed `proton-mail-operations` skill | superseded-pending-consolidation | It overlaps with Steev `proton-tools` and should fold into the canonical Proton package. |
| Hermes installed `proton-services` skill | superseded-pending-consolidation | It overlaps with Steev `proton-tools` and should fold into the canonical Proton package. |
| Proton/rclone child candidate | active-capability-package | Child-local repo exists at `../proton-rclone`, validates locally, and still needs Core registry pickup. |
| Direct rclone CLI proofs | active-evidence-source | Read-only `about` proof is captured redacted in the child candidate, but runtime authority still needs a governed wrapper. |
| Docker Proton Bridge and calendar gate state | active-evidence-source | Current runtime fact is captured redacted in the child candidate, not a readiness claim by itself. |
| Broken user `proton-bridge.service` state | superseded | Stale native user units are disabled; Docker bridge route remains active in the Proton/rclone child proof. |
| Inactive rclone RC/proxy units | active-gap | Must stay disabled or become gated through a governed wrapper before runtime readiness. |
| Secondbrain direct-write ideas | superseded | Personal context begins as redacted proposal envelopes; durable apply belongs to Secondbrain governed memory write path. |
| Desktop integration ideas before adapter lane release | blocked-follow-up | Valid direction, but not an active mutation route. |
| Browser/Webwright full-control ideas inside messaging work | superseded | Host control needs its own approval packet because it is broader authority. |
## Graph Hygiene Requirements
- Graph context should expose this PRD as the `personal-agent` profile-level pickup.
- Graph context should treat Steev as display name / distribution alias only.
- Graph context should expose BlueBubbles as the active iMessage capability package.
- Graph context should expose the Proton/rclone child candidate as the active standardization pickup, not a Core-registered or runtime-ready package.
- Graph context should expose the personal-agent Secondbrain proposal/apply route as active while keeping live durable apply blocked to approval and Secondbrain/curator.
- Graph context should expose the personal-agent Conductor/Curator service handoff as active, while adoption remains blocked to owning lanes.
- Graph context should expose the personal-agent runtime snapshot as degraded until the named runtime gaps close.
- Graph context should expose the personal-agent desktop exposure contract as active, while adapter UI wiring remains blocked to the adapter lane.
- Graph context should not treat legacy Cortex Proton/rclone repositories as active authority.
- Graph context should not treat duplicate Proton skills as separate current product surfaces.
- Graph context should mark browser/Webwright host control as separate HITL runtime authority.
- Graph context should preserve `secondbrain-personal` as the only allowed personal memory target.
- Graph context should preserve `orgbrain` as denied for this work.
## Archive And Supersede Actions
- Add visible supersession notes to the personal-agent contract and disclosure when `PACR-001` is implemented.
- Add Core registration pickup after the child-local Proton/rclone candidate is route-approved.
- Keep BlueBubbles artifacts active but subordinate to the `personal-agent` profile contract.
- Archive or mark duplicate Proton skills after the canonical package is installed.
- Record final graph cleanup in `PACR-010`; do not claim complete before this register matches the graph pickup state.
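Review bot: the `State` column of the Known Artifacts table uses a large ad-hoc vocabulary (`active-alias`, `superseded`, `superseded-pending-package-install`, `superseded-pending-refresh`, `active-capability-package`, `legacy-reference`, `superseded-pending-consolidation`, `active-evidence-source`, `active-gap`, `blocked-follow-up`, plus `active-authority` in the surface table above it) with no legend, so a reader cannot tell which states are terminal and which still carry an open action, and nothing machine-checks that a row's state agrees with the Archive And Supersede Actions list below. Suggest a short state legend near the table (or a pointer to wherever the vocabulary is defined) and, since the last bullet says completion must not be claimed until this register matches the graph pickup state, naming the validator or check that makes that comparison rather than leaving it as a manual rule.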
+104 -2
View File
@@ -123,7 +123,7 @@ elif command -v hermes >/dev/null 2>&1 && command -v yq >/dev/null 2>&1; then
# Try --json first; fall back to table parse w/ box-draw chars (Wave 5 parser). # Try --json first; fall back to table parse w/ box-draw chars (Wave 5 parser).
ALL_BUILTINS=$(hermes skills list --json 2>/dev/null | jq -r '.[] | select(.source=="builtin") | .name' 2>/dev/null || true) ALL_BUILTINS=$(hermes skills list --json 2>/dev/null | jq -r '.[] | select(.source=="builtin") | .name' 2>/dev/null || true)
if [ -z "$ALL_BUILTINS" ]; then if [ -z "$ALL_BUILTINS" ]; then
ALL_BUILTINS=$(hermes skills list 2>/dev/null | awk -F'│' 'NR>3 && /builtin/ {gsub(/^ +| +$/, "", $2); print $2}' || true) ALL_BUILTINS=$(COLUMNS=200 hermes skills list 2>/dev/null | awk -F'│' 'NR>3 && /builtin/ {name=$2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", name); gsub(/…$/, "", name); print name}' || true)
fi fi
ALLOWLIST_BUILTIN=$(yq -r '.disclosure.skills[] | select(.source=="builtin") | .id' "$REPO/manifest.yaml" 2>/dev/null | sort -u) ALLOWLIST_BUILTIN=$(yq -r '.disclosure.skills[] | select(.source=="builtin") | .id' "$REPO/manifest.yaml" 2>/dev/null | sort -u)
if [ -z "$ALL_BUILTINS" ]; then if [ -z "$ALL_BUILTINS" ]; then
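Review bot: the `gsub(/…$/, "", name)` added to the fallback parser on the `ALL_BUILTINS=$(COLUMNS=200 hermes skills list ...` line hides truncation instead of preventing it: if the wider `COLUMNS` is not honoured (non-tty output, or a name longer than the column), the parser now returns a silently shortened name that can never match a manifest `id`, and the allowlist comparison that follows runs on bad data without any signal. Suggest emitting a WARN (or skipping the F2 check) whenever a parsed name ended in `…`, so the truncated case is visible. Smaller point: the `/builtin/` pattern still matches anywhere in the row, so a skill whose description contains the word counts as builtin; anchoring the match to the column that actually holds the source value is safer now that the fields are split on `│`.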
@@ -147,6 +147,33 @@ else
echo " WARN: F2 hermes/yq missing — skipping denylist" echo " WARN: F2 hermes/yq missing — skipping denylist"
fi fi
# F2b — enable builtin allowlist via additive external_dirs
# Hermes 0.14 uses additive external_dirs model (not pure denylist) — to enable
# a builtin skill, add its hermes-agent/skills/<category>/<skill> path here.
HERMES_AGENT_SKILLS="$HERMES_WORKSPACE/hermes-agent/skills"
if [ "$DRY" = 1 ]; then
echo "DRY: F2b enable builtin allowlist via additive external_dirs → $PROFILE_CFG"
elif command -v yq >/dev/null 2>&1; then
BUILTIN_PATHS=$(yq -r '.disclosure.skills[]? | select(.source=="builtin") | .path' "$REPO/manifest.yaml" 2>/dev/null || true)
BUILTIN_ENABLED=0
for p in $BUILTIN_PATHS; do
full="$HERMES_AGENT_SKILLS/$p"
if [ -d "$full" ]; then
if ! yq -r '.skills.external_dirs[]?' "$PROFILE_CFG" 2>/dev/null | grep -qF "$full"; then
mkdir -p "$(dirname "$PROFILE_CFG")"
full="$full" yq -i '.skills.external_dirs += [env(full)]' "$PROFILE_CFG" \
|| echo " WARN: F2b yq write to $PROFILE_CFG failed for $full"
BUILTIN_ENABLED=$((BUILTIN_ENABLED + 1))
fi
else
echo " ⚠ F2b: builtin path missing — $full (skipped)" >&2
fi
done
[ "$BUILTIN_ENABLED" -gt 0 ] && echo " F2b enabled $BUILTIN_ENABLED builtin allowlist path(s) in external_dirs"
else
echo " WARN: F2b yq not on PATH — skipping builtin allowlist"
fi
# F3 — propagate disclosure.inherit_mcp_toolsets to per-profile config.yaml # F3 — propagate disclosure.inherit_mcp_toolsets to per-profile config.yaml
if [ "$DRY" = 1 ]; then if [ "$DRY" = 1 ]; then
echo "DRY: F3 write agent.inherit_mcp_toolsets → $PROFILE_CFG" echo "DRY: F3 write agent.inherit_mcp_toolsets → $PROFILE_CFG"
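Review bot: the dedupe check `yq -r '.skills.external_dirs[]?' "$PROFILE_CFG" 2>/dev/null | grep -qF "$full"` is a substring match, so a manifest path that is a prefix of an entry already present (for example `.../productivity/google` when `.../productivity/google-workspace` is listed) is treated as enabled and silently skipped; use `grep -qxF -- "$full"` for whole-line equality. Two related points in the same loop: `for p in $BUILTIN_PATHS` word-splits and globs the yq output, so a path containing whitespace breaks the iteration (a `while IFS= read -r p` loop over the same output avoids that), and `full="$HERMES_AGENT_SKILLS/$p"` is joined without checking that `$p` is relative and free of `..` segments, so a manifest path can point the profile's `external_dirs` at any directory the installer can read. Rejecting absolute paths and `..` before the `-d` test keeps the allowlist confined to `hermes-agent/skills`, which is what the header comment promises.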
@@ -243,7 +270,7 @@ PY
# 6.a skills drift # 6.a skills drift
if command -v hermes >/dev/null 2>&1; then if command -v hermes >/dev/null 2>&1; then
declared=$(yq -r '.disclosure.skills[].id' "$REPO_ROOT/manifest.yaml" 2>/dev/null | sort -u) declared=$(yq -r '.disclosure.skills[].id' "$REPO_ROOT/manifest.yaml" 2>/dev/null | sort -u)
live=$(hermes -p "$PROFILE_NAME" skills list 2>/dev/null | awk 'NR>3 && /enabled|│ *enabled/ {for (i=1; i<=NF; i++) if ($i != "│" && $i != "enabled") {print $i; break}}' | sort -u || echo "") live=$(COLUMNS=200 hermes -p "$PROFILE_NAME" skills list 2>/dev/null | awk -F'│' 'NF>=6 && $(NF-1) ~ /enabled[[:space:]]*$/ {name=$2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", name); gsub(/…$/, "", name); if (name ~ /^[a-z]/) print name}' | sort -u || echo "")
if [ -n "$live" ]; then if [ -n "$live" ]; then
drift=$(diff <(echo "$declared") <(echo "$live") 2>/dev/null || true) drift=$(diff <(echo "$declared") <(echo "$live") 2>/dev/null || true)
[ -n "$drift" ] && fail "skills drift: $drift" [ -n "$drift" ] && fail "skills drift: $drift"
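Review bot: the rewritten `live=` parser fails open. If the table layout differs from what the new awk expects (fewer than six `│`-separated fields, or the enabled marker not in `$(NF-1)`), `live` is empty, the `if [ -n "$live" ]` guard skips the comparison, and check 6 passes without having checked anything; the `|| echo ""` after `sort -u` only fires when sort itself fails. Since the manifest comment in this same compare describes check 6 as the enforcement of `disclosure.skills == live runtime`, suggest treating "hermes present but zero enabled skills parsed" as a failure, or at least a WARN that names the parser, and reconsider the `gsub(/…$/, "", name)` rewrite: a truncated name will be reported as drift anyway, so a warning on truncation is more honest than a silent trim.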
@@ -283,8 +310,83 @@ HOOK_EOF
echo " F4 installed: $HOOK_DST" echo " F4 installed: $HOOK_DST"
fi fi
# F6 — MCP server materialization (Wave 8 Q9)
# Reads manifest.optional_tools (mcp_<server-name-with-underscores> aliases),
# maps to runtime MCP server names (hyphenated), copies global config block
# into per-profile config.yaml. Removes non-declared MCPs (closes bte leak).
if [ "$DRY" = 1 ]; then
echo "DRY: F6 materialize MCP allowlist → $PROFILE_CFG"
elif command -v yq >/dev/null 2>&1 && [ -f "$HERMES_HOME/config.yaml" ]; then
# Declared MCP set (mcp_proton_calendar → proton-calendar etc).
DECLARED_MCPS=$(yq -r '.optional_tools[]?' "$REPO/manifest.yaml" 2>/dev/null | sed 's/^mcp_//; s/_/-/g')
if [ -z "$DECLARED_MCPS" ]; then
echo " F6: no optional_tools declared — skip"
else
mkdir -p "$(dirname "$PROFILE_CFG")"
[ -f "$PROFILE_CFG" ] || : > "$PROFILE_CFG"
F6_ADDED=0; F6_REMOVED=0; F6_MISSING=0
# Set the per-profile mcp_servers block from the declared list. Existing
# entries NOT in declared list are dropped (denylist enforcement).
GLOBAL_CFG="$HERMES_HOME/config.yaml"
python3 - "$GLOBAL_CFG" "$PROFILE_CFG" "$DECLARED_MCPS" <<'PY'
import sys, yaml
gcfg, pcfg, declared_str = sys.argv[1], sys.argv[2], sys.argv[3]
declared = [s.strip() for s in declared_str.splitlines() if s.strip()]
g = yaml.safe_load(open(gcfg).read()) or {}
p = yaml.safe_load(open(pcfg).read()) or {}
g_mcps = g.get('mcp_servers', {}) or {}
new_block = {}
missing = []
for name in declared:
if name in g_mcps:
new_block[name] = g_mcps[name]
else:
missing.append(name)
prev = set((p.get('mcp_servers') or {}).keys())
new = set(new_block.keys())
added = sorted(new - prev)
removed = sorted(prev - new)
p['mcp_servers'] = new_block
open(pcfg, 'w').write(yaml.safe_dump(p, sort_keys=False, allow_unicode=True))
for n in added: print(f" F6 + {n}")
for n in removed: print(f" F6 - {n} (denied)")
for n in missing: print(f" F6 ⚠ {n} (declared but not in global mcp_servers — skipped)")
print(f" F6 wrote mcp_servers: {len(new_block)} entr{'y' if len(new_block)==1 else 'ies'}")
PY
fi
else
echo " WARN: F6 yq/global config missing — skipping MCP materialization"
fi
echo ""
echo "== model policy → Codex primary + Qwen fallback =="
POLICY_SCRIPT="$(cd "$REPO/.." && pwd)/scripts/apply-hermes-model-policy.py"
if [ "$DRY" = 1 ]; then
echo "DRY: python3 '$POLICY_SCRIPT' --config '$PROFILE_CFG'"
elif [ -f "$POLICY_SCRIPT" ]; then
python3 "$POLICY_SCRIPT" --config "$PROFILE_CFG"
else
echo " WARN: policy script not found: $POLICY_SCRIPT"
fi
# F7 — macOS-only externals OS-gate (Wave 8 Q10)
# Reads expected_external_skills entries with os_constraint: darwin and emits
# an INFO line on non-Darwin hosts. No install action (these are external
# prereqs, not provisioned by this installer); annotation is the audit record.
HOST_OS="$(uname -s 2>/dev/null || echo Unknown)"
if [ "$DRY" = 1 ]; then
echo "DRY: F7 OS-gate check (host=$HOST_OS)"
elif command -v yq >/dev/null 2>&1; then
MACOS_ONLY=$(yq -r '.expected_external_skills[] | select(type == "!!map") | select(.os_constraint == "darwin") | .name' "$REPO/manifest.yaml" 2>/dev/null || true)
if [ -n "$MACOS_ONLY" ] && [ "$HOST_OS" != "Darwin" ]; then
echo " F7 INFO: macOS-only externals declared but host=$HOST_OS — unavailable:"
while IFS= read -r s; do [ -n "$s" ] && echo " - $s"; done <<< "$MACOS_ONLY"
fi
fi
echo "" echo ""
echo "== done ==" echo "== done =="
echo " verify skills: hermes -p steev skills list | grep steev-agent" echo " verify skills: hermes -p steev skills list | grep steev-agent"
echo " verify mcp servers: hermes -p steev mcp list"
echo " verify assignee registered: hermes kanban assignees | grep steev" echo " verify assignee registered: hermes kanban assignees | grep steev"
echo " start gateway (when ready): hermes profile gateway start steev" echo " start gateway (when ready): hermes profile gateway start steev"
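Review bot: the F6 python heredoc that enforces the MCP denylist has no failure path. If PyYAML is not importable, if either config fails to parse, or if the write fails, `python3` exits non-zero, but nothing around the `PY` terminator checks that (no `||` and no `set -e` visible in this hunk), so `mcp_servers` in `$PROFILE_CFG` stays as it was, any previously leaked entries stay enabled, and the script continues to `== done ==`. Suggest `python3 - ... <<'PY' || { echo " ERROR: F6 MCP materialization failed" >&2; exit 1; }` plus a `command -v python3` check alongside the `yq` one in the `elif`. Smaller points: `F6_ADDED=0; F6_REMOVED=0; F6_MISSING=0` are set and never read (the counting happens inside python); `yaml.safe_dump` rewrites the whole per-profile file and drops every comment in it, which the header comment should say; and `new_block[name] = g_mcps[name]` copies the global server entry verbatim, so any inline `env` values in those entries are duplicated into the profile config, which is worth stating next to the "closes bte leak" remark.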
+107 -20
View File
@@ -2,6 +2,8 @@
# Read by install.sh. Convention shared by all Hermes profile distributions # Read by install.sh. Convention shared by all Hermes profile distributions
# (see ../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md — the canonical protocol). # (see ../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md — the canonical protocol).
profile: steev # Hermes profile name (personal — no org suffix per FRAMEWORK §6.1) profile: steev # Hermes profile name (personal — no org suffix per FRAMEWORK §6.1)
profile_identity: personal-agent # canonical profile identity; Steev is display/distribution alias.
display_name: Steev
kind: profile-distribution # family marker; steev = personal-assistant reference impl kind: profile-distribution # family marker; steev = personal-assistant reference impl
role: personal-assistant # function — Chief of Staff for one principal (JP) role: personal-assistant # function — Chief of Staff for one principal (JP)
# org: ~ # intentionally omitted — steev is personal/agnostic # org: ~ # intentionally omitted — steev is personal/agnostic
@@ -44,12 +46,16 @@ lib:
# tree (~/.hermes/skills/) or external skill libraries the principal already installed. # tree (~/.hermes/skills/) or external skill libraries the principal already installed.
expected_external_skills: expected_external_skills:
- google-workspace # Gmail + Calendar + Contacts - google-workspace # Gmail + Calendar + Contacts
- apple-notes # macOS-local via osascript
- apple-reminders # macOS-local via osascript
- obsidian # ~/vaults/steev PKM - obsidian # ~/vaults/steev PKM
- himalaya # IMAP/SMTP via proton-bridge sidecar - himalaya # IMAP/SMTP via proton-bridge sidecar
- imessage # macOS-local
- perplexity # WebSearch toolset (lightweight; MCP preferred) - perplexity # WebSearch toolset (lightweight; MCP preferred)
# macOS-only skills (Wave 8 Q10): install.sh F7 emits info on non-Darwin hosts.
- name: apple-notes
os_constraint: darwin
- name: apple-reminders
os_constraint: darwin
- name: imessage
os_constraint: darwin
# MCP servers Steev consumes. Names match runtime-prefixed form (mcp_<server>_<tool>). # MCP servers Steev consumes. Names match runtime-prefixed form (mcp_<server>_<tool>).
optional_tools: optional_tools:
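Review bot: `expected_external_skills` now mixes plain strings and `{name, os_constraint}` maps. F7 in install.sh copes with `select(type == "!!map")`, but the comment above this hunk still describes the list as skill names, and any other consumer that reads `.expected_external_skills[]` as scalars (validators, the disclosure drift gate, documentation generators) will now receive three maps among the strings. Suggest normalizing every entry to map form (`- name: obsidian`, with `os_constraint` only where it applies) so readers need no type branch, and updating the list comment to document the new shape.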
@@ -61,15 +67,26 @@ optional_tools:
requires_tools: [terminal, memory_tool] requires_tools: [terminal, memory_tool]
credentials: # validated by validate_access.sh credentials: # validated by validate_access.sh
- name: google-workspace # Wave 8 (2026-05-24): aligned with vault exact-match per DISCLOSURE-SCHEMA §4.5.
purpose: Gmail + Calendar + Contacts read/write for daily briefing + inbox triage # google-workspace removed — builtin manages its own OAuth via Hermes hub (not credctl vault).
- name: proton-bridge-imap-user
purpose: Proton Bridge IMAP/SMTP username (himalaya path)
resolved_via: credbridge.sh resolved_via: credbridge.sh
- name: proton-bridge-imap - name: proton-bridge-imap-pass
purpose: local Proton Bridge IMAP/SMTP password (himalaya path) purpose: Proton Bridge IMAP/SMTP password (himalaya path)
resolved_via: credbridge.sh resolved_via: credbridge.sh
- name: perplexity-api - name: perplexity
purpose: Perplexity API key for raw WebSearch (MCP path preferred) purpose: Perplexity API key for raw WebSearch (MCP path preferred)
resolved_via: credbridge.sh resolved_via: credbridge.sh
- name: proton-account-email
purpose: Proton account email (consumed by proton-email MCP server)
resolved_via: credbridge.sh
- name: proton-account-password
purpose: Proton account password (consumed by proton-email MCP server)
resolved_via: credbridge.sh
- name: proton-mailbox-password
purpose: Proton mailbox E2E key for mail decryption (consumed by proton-email MCP server)
resolved_via: credbridge.sh
db: db:
file: steev.db # runtime state; created from schema.sql; never committed file: steev.db # runtime state; created from schema.sql; never committed
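Review bot: the three new `proton-account-*` entries unlock the Proton account itself rather than the local bridge session, and `proton-mailbox-password` is the mailbox passphrase, not the E2E key (the key is what the passphrase decrypts); the `purpose` on that entry should say so, since it sets the expectation for how the value is handled. The block also lists only `resolved_via: credbridge.sh`, while the disclosure block later in this same file says these vault names are consumed by `mcp_proton_email`; the comment on `credentials:` says this is what `validate_access.sh` checks, so declaring the MCP consumer here as well keeps the two views of who receives the secret from drifting apart.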
@@ -95,12 +112,11 @@ sovereignty:
# access — steev is JP-personal-scope). # access — steev is JP-personal-scope).
# - DENY 17 silently-inherited builtin skills (only kanban-worker kept for CEO # - DENY 17 silently-inherited builtin skills (only kanban-worker kept for CEO
# delegation transport). # delegation transport).
# - Personal-scope discriminator fields (scope/chat_facing/delegates_to) populated. # - Personal-scope discriminator fields (scope/delegates_to) populated.
# Pre-push hook check 6 enforces this == live `hermes -p steev …` runtime. # Pre-push hook check 6 enforces this == live `hermes -p steev …` runtime.
disclosure: disclosure:
scope: personal scope: personal
schema_version: 2 schema_version: 2
chat_facing: true # sole JP chat touchpoint per CLAUDE.md L7-L8
delegates_to: [ceo-planb] # business work routed to CEO via kanban delegates_to: [ceo-planb] # business work routed to CEO via kanban
inherit_builtins: false # deny Hermes 84-builtin default; allowlist below inherit_builtins: false # deny Hermes 84-builtin default; allowlist below
inherit_mcp_toolsets: false # deny host MCP propagation (closes bte leak) inherit_mcp_toolsets: false # deny host MCP propagation (closes bte leak)
@@ -118,6 +134,22 @@ disclosure:
path: skills/proton-tools path: skills/proton-tools
role: toolkit role: toolkit
justification: "24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface" justification: "24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface"
- id: assistant-identity
source: builtin
role: utility
justification: "live enabled Hermes profile skill surfaced by disclosure drift gate"
- id: proton-access
source: builtin
role: utility
justification: "live enabled Hermes profile skill surfaced by disclosure drift gate"
- id: proton-mail-operations
source: builtin
role: utility
justification: "live enabled Hermes profile skill surfaced by disclosure drift gate"
- id: proton-services
source: builtin
role: utility
justification: "live enabled Hermes profile skill surfaced by disclosure drift gate"
- id: google-workspace - id: google-workspace
source: builtin source: builtin
path: productivity/google-workspace path: productivity/google-workspace
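Review bot: the four new entries are justified only as "live enabled Hermes profile skill surfaced by disclosure drift gate", which inverts the deny-by-default intent of `inherit_builtins: false` a few lines above: the disclosure is being widened to match the runtime instead of the runtime being narrowed to match the disclosure. The PRD earlier in this compare lists `proton-access`, `proton-mail-operations` and `proton-services` as superseded-pending-consolidation that "should not be a separate authority", so the consistent change is to disable them in the profile and leave them out of `disclosure.skills`, or to give each a real justification that records why it stays. Note also that these entries carry no `path:` (the `google-workspace` entry right below does), so install.sh F2b's `yq -r '... | .path'` yields `null` for them and logs `builtin path missing — .../null (skipped)` on every run.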
@@ -138,28 +170,83 @@ disclosure:
path: devops/kanban-worker path: devops/kanban-worker
role: engine role: engine
justification: "CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83)" justification: "CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83)"
- id: webwright
source: builtin
role: utility
justification: "live enabled Hermes builtin surfaced by disclosure drift gate"
mcp_servers: [] # DENY-BY-DEFAULT. bte REMOVED (hard-rule fix). mcp_servers:
# proton-* + perplexity MCP installs PENDING JP review - name: proton-calendar
# (install-gap row in DISCLOSURE.md §12). description: "Proton Calendar facade"
tools:
- calendar_list
- calendar_events
- calendar_upcoming
- calendar_search
- calendar_event_get
- calendar_create
- calendar_update
- calendar_delete
- name: proton-email
description: "Proton Email facade"
tools:
- email_folders
- email_list
- email_read
- email_search
- email_send
- email_reply
- email_forward
- email_archive
- email_mark_read
- email_mark_unread
- name: proton-contacts
description: "Proton Contacts facade"
tools:
- contacts_list
- contacts_search
- contacts_get
- contacts_create
- contacts_update
- contacts_delete
# DENY-BY-DEFAULT: bte removed (hard-rule fix).
# mcp_perplexity intentionally omitted from disclosure until it is
# registered in the live Hermes MCP list and can be introspected.
sovereign_apis: [] # 0 direct HTTP/gRPC calls (per audit §3) sovereign_apis: [] # 0 direct HTTP/gRPC calls (per audit §3)
cortex_tools: [] # steev does not consume cortex/L6-* or cortex/PG-* cortex_tools: [] # steev does not consume cortex/L6-* or cortex/PG-*
credentials: credentials:
- vault_name: google-workspace # Wave 8 (2026-05-24) — aligned with vault per DISCLOSURE-SCHEMA §4.5 (exact-match).
# google-workspace removed (Hermes builtin self-manages OAuth, not in credctl vault).
- vault_name: proton-bridge-imap-user
status: required status: required
scope: read-write scope: read
used_by: [credbridge.sh] used_by: [credbridge.sh]
governance: "JP-personal; Gmail+Calendar+Contacts for briefing + inbox triage" governance: "JP-personal; local Proton Bridge IMAP/SMTP username (himalaya path)"
- vault_name: proton-bridge-imap - vault_name: proton-bridge-imap-pass
status: required status: required
scope: read-write scope: read
used_by: [credbridge.sh] used_by: [credbridge.sh]
governance: "JP-personal; local Proton Bridge IMAP/SMTP (himalaya path)" governance: "JP-personal; local Proton Bridge IMAP/SMTP password (himalaya path)"
- vault_name: perplexity-api - vault_name: perplexity
status: optional status: optional
scope: read scope: read
used_by: [credbridge.sh] used_by: [credbridge.sh]
governance: "JP-personal; WebSearch fallback (MCP path preferred)" governance: "JP-personal; WebSearch fallback (MCP path preferred)"
- vault_name: proton-account-email
status: required
scope: read
used_by: [credbridge.sh, mcp_proton_email]
governance: "JP-personal; Proton account email (consumed by proton-email MCP server)"
- vault_name: proton-account-password
status: required
scope: read
used_by: [credbridge.sh, mcp_proton_email]
governance: "JP-personal; Proton account password (consumed by proton-email MCP server)"
- vault_name: proton-mailbox-password
status: required
scope: read
used_by: [credbridge.sh, mcp_proton_email]
governance: "JP-personal; Proton mailbox E2E key for mail decryption"
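Review bot: `webwright` is added as an ordinary `role: utility` builtin with the drift-gate justification, but the PRD in this same compare classes browser/Webwright host control as separate HITL runtime authority (`PACR-009`, explicit approval only); disclosing it as enabled here either contradicts that register or needs a justification that records the approval, and if it is merely live-enabled the right change is to disable it in the profile. In the new `mcp_servers` block, the tools the skill file in this compare marks as destructive (`email_send`, `email_reply`, `email_forward`, `calendar_delete`, `contacts_delete`) are listed with no marker; a per-tool or per-server annotation here would let the drift gate verify that the confirm-first rule and the exposed surface stay aligned rather than relying on prose in SKILL.md.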
+92
View File
@@ -0,0 +1,92 @@
---
name: proton-tools
description: "When Steev needs to access JP's Proton account — Calendar, Mail, Contacts, or explicitly requested Proton Drive checks via rclone. Use this skill to discover which tool answers the user's question, and how to call it. Covers all 24 Proton MCP tools across the three cortex MCP servers (proton-calendar, proton-email, proton-contacts). Triggers: any request involving JP's calendar (events, meetings, availability), mail (inbox, send, reply, search, folders), contacts (lookup, add, search), or Drive via rclone."
metadata:
version: 1.0.0
hermes:
requires_mcp_servers: [proton-calendar, proton-email, proton-contacts]
---
# Proton Tools — Calendar + Mail + Contacts
Authoritative reference for the 24 tools exposed by three cortex MCP servers — `proton-calendar` (8 tools), `proton-email` (10 tools), `proton-contacts` (6 tools). Each MCP facade dials a long-running gRPC gate that holds the Proton session.
## Hard rules
- **Drive is out of scope for Proton MCP tools.** There is no `drive_*` MCP tool. If the user explicitly asks to check Drive via `rclone`, use the live Proton Drive rclone remote instead of claiming no access: this Steev/Hermes profile sets `HOME=/home/svrnty/.hermes/profiles/steev/home`, so plain `rclone` sees the profile config; the working Proton Drive config is `/home/svrnty/.config/rclone/rclone.conf` with remote `proton:`. Use read-only probes first (`rclone --config /home/svrnty/.config/rclone/rclone.conf about proton: --json`) and do not list file names unless JP asks.
- **Destructive tools require explicit confirmation.** `email_send`, `email_reply`, `email_forward`, `calendar_delete`, `contacts_delete`. Never call these without quoting back the action + target + asking JP to confirm.
- **Calendar date filters:** the MCP schema may advertise RFC3339, but `calendar_events`/underlying gate expects date-only filters (`YYYY-MM-DD`) for reliable results. RFC3339 ranges can return empty even when events exist. Convert relative dates ("tomorrow", "next Tuesday") into `YYYY-MM-DD` for list/search filters; keep event create/update timestamps RFC3339.
- **Pagination**: `email_list`, `calendar_events`, `contacts_list` are paginated. Default page size is small (~20). Fetch additional pages only when the user asks for more.
## When to use which tool
### Calendar (8 tools)
| User intent | Tool |
|---|---|
| "What calendars do I have?" | `calendar_list` |
| "What's on my calendar today/this week?" | `calendar_events` with date range |
| "What's coming up?" "Next few meetings?" | `calendar_upcoming` |
| "Find meetings about X" | `calendar_search` |
| "Show me details of [event]" | `calendar_event_get` |
| "Schedule a meeting with…" | `calendar_create` (confirm first) |
| "Move my 3pm to 4pm" | `calendar_update` |
| "Cancel my 3pm" | `calendar_delete` (DESTRUCTIVE — confirm) |
### Mail (10 tools)
| User intent | Tool |
|---|---|
| "How many unread?" "What folders?" | `email_folders` |
| "Show me my inbox" "Latest emails" | `email_list` (folder=INBOX) |
| "Open that email" | `email_read` by UID |
| "Search inbox for…" | `email_search` |
| "Send an email to…" | `email_send` (DESTRUCTIVE — draft + confirm) |
| "Reply to that" | `email_reply` (DESTRUCTIVE — draft + confirm) |
| "Forward this to…" | `email_forward` (DESTRUCTIVE — confirm) |
| "Archive that" | `email_archive` |
| "Mark as read/unread" | `email_mark_read` / `email_mark_unread` |
### Contacts (6 tools)
| User intent | Tool |
|---|---|
| "Who do I have in contacts?" | `contacts_list` |
| "Look up [person]" | `contacts_search` |
| "Pull up [person]'s details" | `contacts_get` |
| "Add [person] to contacts" | `contacts_create` |
| "Update [person]'s email/phone" | `contacts_update` |
| "Remove [person]" | `contacts_delete` (DESTRUCTIVE — confirm) |
## Daily briefing — tool order
When JP asks for the morning briefing, query in this order:
1. `calendar_upcoming` (hours=24) → events today
2. `email_folders` → unread counts
3. `email_list` (folder=INBOX, limit=10) → recent inbox
4. `email_search` (folder=INBOX, query="from:important-person OR is:flagged") → priorities
Don't dump raw output. Synthesize. Lead with what's actionable in JP's voice.
## Search composition
For broad questions like "anything from [person] this week":
- `email_search` (folder=INBOX, query="from:<person>")
- `calendar_search` (query="<person>")
- `contacts_search` (query="<person>")
Run in parallel. Merge results. Group by source.
## Error handling
- **"WaitReady timeout"** → proton connector still booting. Retry once after 2-3s. If still failing, say so + suggest JP check `hermes mcp test proton`.
- **403 / scope error** → proton session expired. Tool handler should re-auth automatically; if not, JP needs to re-run setup.
- **Network / 5xx** → transient. Retry once. If persistent, report and stop.
- **`calendar_create` timeout** → do not retry blindly. First verify the target date range with `calendar_events` using `YYYY-MM-DD` filters to avoid duplicate events. If the event is still absent, one direct gate fallback may be attempted. If creates keep timing out while reads work, refresh `sdo-calendar-gate`: `docker restart sdo-calendar-gate`, wait for `connected to Proton` + `calendar-gate gRPC server listening`, then retry once. If restart fails with a bind-mount error because `/home/svrnty/workspaces/cortex/svrnty.sdo-agents/config/calendar-gate.toml` is a directory, replace it with a symlink to `../../L3-svrnty.agents-fleet/config/calendar-gate.toml`, then `docker start sdo-calendar-gate`.
## What NOT to do
- Don't paginate aggressively — fetch one page, summarize, ask if JP wants more.
- Don't auto-send drafts. Even after JP says "send" once, re-quote subject + recipient on the next compose.
- Don't synthesize calendar events from email content unless JP explicitly asks ("add this to my calendar").
- Don't enumerate every contact when JP asks "who's [person]" — use search, not list.
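Review bot: the Drive rule points the agent at `/home/svrnty/.config/rclone/rclone.conf`, a host-level config outside the profile `HOME` that the same sentence says the profile is confined to; that file holds the Proton Drive remote's credentials, so the skill is instructing the agent to step around the profile boundary instead of a governed wrapper exposing a read-only remote, which is what the PRD in this compare names as the Drive follow-up work. Suggest removing the host path and the `--config` override from the skill and documenting only the governed route once it exists. In the same vein, the `calendar_create` timeout entry tells the agent to `docker restart sdo-calendar-gate` and to replace a file under `/home/svrnty/workspaces/cortex/...` with a symlink as routine error recovery; those are host mutations outside the 24 MCP tools this skill documents, and they should sit behind the same confirm-first rule as the destructive tools or move to an operator runbook.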
+1390
View File
File diff suppressed because it is too large