steev/DISCLOSURE.md
Svrnty 8e8ced470b feat(disclosure): Wave 4 — steev disclosure: block (CLAUDE.md hard-rule fix: REMOVE bte MCP) — sprint 2026-05-24
Applies Wave-3 auto-approved recommendations per
sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md.

HARD-RULE FIX:
  - REMOVE bte MCP (inherit_mcp_toolsets: false + mcp_servers: []).
    bte = Plan B marketing platform; steev/CLAUDE.md:14 forbids access.

Auto-approved REMOVE/DROP:
  - 17 silently-inherited builtin skills denied (inherit_builtins: false).
  - Skills allowlist narrowed to 6: steev-agent, proton-tools, google-workspace,
    obsidian, himalaya, kanban-worker.

ADD (auto-approved):
  - schema_version: 1
  - inherit_builtins: false, inherit_mcp_toolsets: false

ADD (PAUSED-for-JP rows surfaced in DISCLOSURE.md §12):
  - Personal-scope discriminators (scope/chat_facing/delegates_to/sovereign_only)
    populated per audit §7d; values confirmation pending JP.
  - 3 cred name-mismatches kept as-declared in manifest; rename decision deferred
    (manifest vs vault vs bundle-indirection — W3.4 governance class).
  - 4 manifest-declared MCP installs (mcp_proton_*, mcp_perplexity) not registered;
    install ordering deferred.

Surface: 2 files only — steev/manifest.yaml + steev/DISCLOSURE.md.
sot-precommit --full-tree: EXIT 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 15:59:58 -04:00


| Field | Value |
|---|---|
| name | disclosure-steev |
| tier | T2 |
| status | active |
| owner | jp |
| source | generated |
| last_reviewed | 2026-05-24 |
| review_by | 2026-08-22 |
| depends_on | disclosure-schema, profile-distribution-protocol |
| description | Canonical disclosure of steev — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6. |
| auto_regen_cmd | `yq '.disclosure' manifest.yaml \| <renderer-script>` |

steev — Disclosure

Live as of 2026-05-24. Source: steev/manifest.yaml → disclosure: block. Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live hermes -p steev runtime.

§1 Identity

| Field | Value |
|---|---|
| Profile ID | steev |
| Repo | /home/svrnty/workspaces/hermes/steev/ |
| Scope | personal |
| Org | personal |
| Owner | jp |
| Approval authority | jp |
| Role type | personal-assistant (Chief of Staff) |
| State | stateful (steev.db runtime-only, never committed) |
| Version | 1.0.0 |
| North star | keep JP unblocked — surface what needs attention, draft in JP voice, delegate business work to CEO |
| Chat-facing | true |
| Delegates to | ceo-planb |
| Sovereign-only | false |

§2 Inheritance posture

| Field | Value | Rationale |
|---|---|---|
| inherit_builtins | false | Closes Wave-1 finding: 18 silently-enabled builtins (only kanban-worker cited in steev/ code — kept via explicit allowlist) |
| inherit_mcp_toolsets | false | CLAUDE.md hard-rule fix. Closes Wave-1 finding: bte MCP silently leaked from host. bte = Plan B marketing platform — forbidden to steev per steev/CLAUDE.md:14 ("No access to Plan B marketing platform credentials (CMO-only)") |
| inherit_dirs | none | No external-dir skill bundles narrowed in |
| sovereign_only | false | steev intentionally calls Perplexity (hosted) for lightweight WebSearch per manifest.yaml:90 — disclosed honestly |

§3 Skills (6)

Per disclosure.skills enum. Each row matches hermes -p steev skills list enabled set (pre-push check 6.a enforces).

| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
|---|---|---|---|---|---|
| steev-agent | local | orchestrator | | | Orchestrator — daily briefing, inbox triage, comms drafting, delegate-to-CEO |
| proton-tools | local | toolkit | | | 24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface |
| google-workspace | builtin | engine | | | Gmail+Calendar+Contacts for daily briefing + inbox triage (manifest L46) |
| obsidian | builtin | engine | | | PKM vault at ~/vaults/steev (CLAUDE.md L17) |
| himalaya | builtin | engine | | | IMAP/SMTP via proton-bridge (manifest L50) |
| kanban-worker | builtin | engine | | | CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83) |

Totals. 6 skills total. Source breakdown: 2 local, 0 hub, 4 builtin, 0 external_dir.

Wave-1 → Wave-4 delta. Live hermes -p steev skills list showed 21 enabled (2 local + 18 builtins +/- the 7 declared external set). Wave-4 narrows to 6 — drops 17 inherited builtins (15 uncited; 8 of the 17 are CONTRACT.md §9 v2+ REUSE candidates re-added when v2 lands).

§4 MCP servers (0)

No MCP servers exposed — deny-by-default allowlist is empty.

Wave-1 → Wave-4 delta. Live hermes -p steev mcp list showed bte registered + enabled (silently inherited via host-global agent.inherit_mcp_toolsets: true). Wave-4 sets inherit_mcp_toolsets: false and omits bte from the allowlist — resolves CLAUDE.md hard-rule violation. Four manifest-declared MCP installs (mcp_proton_calendar, mcp_proton_email, mcp_proton_contacts, mcp_perplexity) are NOT registered today; ADD-back deferred (see §12).

§5 Sovereign APIs (0)

No direct HTTP/gRPC sovereign API calls. Indirect access flows through the (currently unregistered) Proton/Perplexity MCP servers.

§6 Cortex tools (0)

No cortex/L6-* or cortex/PG-* libraries consumed at runtime. lib/ scripts (credbridge.sh, validate_access.sh) are repo-local utility shims, not cortex tools.

§7 Credentials (3 declared)

Per disclosure.credentials allowlist. Names + scopes only — NEVER values. Pre-push check 6.d enforces vault_name exact-match.

| Vault name | Status | Scope | Used by | Governance |
|---|---|---|---|---|
| google-workspace | required | read-write | credbridge.sh | JP-personal; Gmail+Calendar+Contacts for briefing + inbox triage |
| proton-bridge-imap | required | read-write | credbridge.sh | JP-personal; local Proton Bridge IMAP/SMTP (himalaya path) |
| perplexity-api | optional | read | credbridge.sh | JP-personal; WebSearch fallback (MCP path preferred) |

PENDING JP REVIEW — Per Wave-3 recommendations §5a, all three declared names are reported by audit as not exact-matching the vault (credctl list shows proton-bridge-imap-pass/-user split, perplexity without -api, and google-workspace plausibly absent or composite). Cred-rename rows are governance-class W3.4 and require JP decision (manifest-rename vs vault-rename vs bundle-indirection) — surfaced in §12.

§8 Cron (1)

| Job | Schedule | Skill | Disabled on install |
|---|---|---|---|
| steev-daily-briefing | `30 6 * * *` (06:30 local) | steev-agent | true (per §6 Safety) |

§9 Drift status

| Surface | Declared | Live (Wave-1) | Status |
|---|---|---|---|
| Skills | 6 | 21 enabled | drift expected post-Wave-4 reinstall → in-sync |
| MCP servers | 0 | 1 (bte) | drift — Wave-4 reinstall removes bte; pending install.sh patch + reinstall |
| MCP tools (total) | 0 | n/a (bte is all-tools) | n/a after MCP removal |
| Credentials | 3 | 3 declared, 3 vault-name mismatches | name-canonicalization drift (PENDING JP, §12) |

Pre-push hook check 6 last run: not yet — Wave-4 inserts the check; first run validates this disclosure after install.sh reapplies disclosure.* to ~/.hermes/profiles/steev/config.yaml.
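
The declared-versus-live comparison behind this drift table, together with the exact-match credential rule from §7, as an added Python example. It is not the project's curator/lib/pre-push.sh; the live snapshot is constructed from names on this page, and `builtin-x`/`builtin-y` plus all function names are assumptions.

```python
# Added illustration; not the project's curator/lib/pre-push.sh.
# Declared sets are copied from this page (§3, §4, §7).
DECLARED = {
    "skills": {"steev-agent", "proton-tools", "google-workspace",
               "obsidian", "himalaya", "kanban-worker"},
    "mcp_servers": set(),
    "credentials": {"google-workspace", "proton-bridge-imap", "perplexity-api"},
}

# Constructed "live" snapshot. bte and the vault names come from §4, §7 and §12;
# builtin-x / builtin-y are placeholders for inherited builtins the page does not name.
LIVE = {
    "skills": DECLARED["skills"] | {"builtin-x", "builtin-y"},
    "mcp_servers": {"bte"},
    "credentials": {"proton-bridge-imap-pass", "proton-bridge-imap-user",
                    "perplexity", "proton-account-email",
                    "proton-account-password", "proton-mailbox-password"},
}


def surface_drift(declared, live):
    """Deny-by-default: live but undeclared is a leak; declared but not live is a gap."""
    return {"undeclared": sorted(live - declared), "missing": sorted(declared - live)}


def credential_mismatches(declared, vault):
    """Exact-match rule: a declared name must equal a vault name. Prefix overlaps
    are returned only as rename hints and are never accepted as a match."""
    return {name: sorted(v for v in vault if v.startswith(name) or name.startswith(v))
            for name in sorted(declared - vault)}


def check(declared=DECLARED, live=LIVE):
    """Return one finding per drifted entry; an empty list means in sync."""
    findings = []
    for surface in ("skills", "mcp_servers"):
        d = surface_drift(declared[surface], live[surface])
        findings += [f"{surface}: undeclared live entry {x}" for x in d["undeclared"]]
        findings += [f"{surface}: declared but not live {x}" for x in d["missing"]]
    creds = credential_mismatches(declared["credentials"], live["credentials"])
    for name, hints in creds.items():
        findings.append(f"credentials: {name} not in vault "
                        f"(candidates: {', '.join(hints) or 'none'})")
    return findings


if __name__ == "__main__":
    import sys
    results = check()
    print("\n".join(results) or "in sync")
    sys.exit(1 if results else 0)  # non-zero exit blocks the push
```

Vault entries that no profile declares are deliberately not flagged here, since a shared vault can hold credentials for other profiles.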

§10 Sovereign-purity audit

  • Steev's owned code (steev/skills/, steev/lib/): CLEAN — only Proton + Google Workspace + Perplexity (last is hosted but sovereign_only: false discloses honestly).
  • Bundled-skill exposure layer: CLEAN post-Wave-4 — 17 builtins removed; only 4 builtins allowlisted (google-workspace, obsidian, himalaya, kanban-worker), none hosted-API.
  • sovereign_only: false — validator rule 6.e does not apply.

§11 Governance refs

  • Vision: ../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md, ../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md
  • Governing protocols: ../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md
  • Standards: ../sot/04-STANDARDS/FRONTMATTER-SPEC.md, ../sot/04-STANDARDS/SOT-ENFORCEMENT.md, ../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md
  • Brand master ref: omitted (scope: personal) — steev serves JP personally, not a brand/org

§12 Open issues + next steps (PENDING JP REVIEW)

Rows below are PAUSED for JP per W3.4 governance-class rule. Wave-4 applies auto-approved rows only (REMOVE bte MCP + DROP 17 builtins + scaffold disclosure block). JP must mark each PAUSE row approve/reject/edit before next apply wave.

| # | Topic | Recommended action | Why PAUSED |
|---|---|---|---|
| 1 | Personal-scope discriminator values (chat_facing: true, delegates_to: [ceo-planb], sovereign_only: false) | Confirm values | New disclosure surface; JP confirms intent matches CLAUDE.md L7-L8 + CONTRACT delegation chain |
| 2 | Cred google-workspace not in vault | (a) add composite OAuth JSON to vault, OR (b) split manifest into per-cred entries matching vault | Cred binding (W3.4) |
| 3 | Cred proton-bridge-imap vs vault proton-bridge-imap-pass + proton-bridge-imap-user | Rename manifest entry to TWO entries matching vault | Cred binding (W3.4) |
| 4 | Cred perplexity-api vs vault perplexity | Rename manifest declaration perplexity-api → perplexity (exact-match per schema §4.5) | Cred binding (W3.4) |
| 5 | 5 vault entries plausibly steev-scope but undeclared (proton-account-email, proton-account-password, proton-mailbox-password, proton-bridge-imap-pass, proton-bridge-imap-user) | ADD to disclosure.credentials after MCP install confirms which are consumed | Cred binding (W3.4); also depends on MCP install (row 6) |
| 6 | 4 declared MCP servers absent from hermes mcp list (mcp_proton_calendar, mcp_proton_email, mcp_proton_contacts, mcp_perplexity) | Confirm install order — Wave-4 install.sh patch, or deferred | Install gap; cred-adjacent |
| 7 | macOS-only externals (apple-notes, apple-reminders, imessage) in expected_external_skills | Gate on OS in install.sh, or document as macOS-host-only | OS-platform decision |
| 8 | Pre-push hook check 6 not yet wired (curator/lib/pre-push.sh patch belongs to Wave-5+) | Wire check 6 per DISCLOSURE-SCHEMA §6 | Cross-profile rollup (Wave-5) |