Closes the largest set of PROFILE-DISTRIBUTION-PROTOCOL §7 readiness gaps
surfaced in the 2026-05-23 audit. Profile goes from 4/8 to expected 8/8
once skills/proton-tools/ is committed.
New files:

  credbridge.sh
      Personal-assistant variant of the shared-core credbridge pattern.
      Three credentials in scope: google-workspace (Gmail/Calendar/Contacts),
      proton-bridge (himalaya IMAP/SMTP), perplexity (raw WebSearch). Plan B
      marketing platforms explicitly OUT OF SCOPE per CLAUDE.md hard rule.

  validate_access.sh
      Emits PASS/BLOCKED/FAIL JSON line per credential. Sourceable from
      install.sh and standalone. Exit code always 0; status is in the JSON.

  distribution.yaml
      Native Hermes install contract (`hermes profile install` reads this).
      Mirrors cmo/ceo pattern. Documents personal/agnostic naming exception
      per FRAMEWORK §6.1 — no org suffix because there is exactly one
      principal.

  cron/steev-daily-briefing.json.template
      06:30 daily briefing skeleton, ships disabled. Aggregates calendar +
      flagged emails + due tasks + carried items + brief news scan into a
      single digest in JP's voice. NEVER auto-sends, NEVER touches business
      comms (CEO → CMO surface).
manifest.yaml fully rewritten:
- Added `contract: CONTRACT.md` pointer (was missing)
- Added inline comment explaining intentional `org:` omission
- Declared skills/proton-tools (on disk via JP's untracked WIP; declared
here so manifest matches disk truth once JP commits it)
- Added `lib:` block (credbridge.sh + validate_access.sh)
- Added `expected_external_skills:` informational list (google-workspace,
apple-*, obsidian, himalaya, imessage, perplexity) — these come from
Hermes' global skills tree per CLAUDE.md "reuse existing core skills"
- Added `optional_tools:` block (4 MCP servers: proton-calendar/-email/
-contacts, perplexity)
- Added `credentials:` block listing the 3 creds + resolution path
- Promoted `cron:` from empty list to a single steev-daily-briefing
entry (disabled_on_install: true)
- Added `sovereignty:` block (qwen3.6-35b-a3b on DGX Spark)
CONTRACT.md frontmatter migrated from legacy `tier: S` to T1 per
FRONTMATTER-SPEC. Added required fields (name, last_reviewed,
description, depends_on).
skills/proton-tools/ left untracked — that's JP's WIP, not mine to
commit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
43 lines
1.4 KiB
Bash
Executable File
#!/usr/bin/env bash
# validate_access.sh — report PASS / BLOCKED / FAIL per credential, per
# PROFILE-DISTRIBUTION-PROTOCOL §7 (readiness checklist, "credbridge resolves
# every credential the manifest lists; validate_access reports PASS/BLOCKED/
# FAIL"). Sourceable from install.sh and standalone.
#
# Usage: validate_access.sh
# Exit code: always 0. Emits one JSON line per credential, suitable for jq /
# log aggregation.
#
# Statuses:
#   PASS     credctl key set + non-empty
#   BLOCKED  key absent or empty — actionable: run `credctl set <name>`
#   FAIL     credctl itself missing or broken — environmental issue

set -uo pipefail

CREDCTL="${CREDCTL:-/home/svrnty/workspaces/cortex/L6-svrnty.core-credentials/credctl}"

CREDENTIALS=(
  google-workspace
  proton-bridge-imap
  perplexity-api
)

check() {
  local name="$1" status reason
  if [ ! -x "$CREDCTL" ]; then
    status="FAIL"; reason="credctl not found at $CREDCTL"
  elif ! "$CREDCTL" list 2>/dev/null | grep -q "^${name}[[:space:]]"; then
    status="BLOCKED"; reason="credctl key not set — run: credctl set ${name}"
  elif [ -z "$("$CREDCTL" get "$name" --unmask 2>/dev/null | sed -n '/^Value:/,$p' | sed '1s/^Value:[[:space:]]*//')" ]; then
    status="BLOCKED"; reason="key exists but value empty"
  else
    status="PASS"; reason="present"
  fi
  printf '{"credential":"%s","status":"%s","reason":"%s"}\n' "$name" "$status" "$reason"
}

for cred in "${CREDENTIALS[@]}"; do
  check "$cred"
done
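Added example, not part of this commit: an install.sh-side consumer for the JSON lines validate_access.sh emits. Since the script always exits 0, the readiness decision has to come from the `status` field, so this reads the lines on stdin and turns them into a single exit code (0 all PASS, 1 something BLOCKED, 2 something FAIL). The function names and the sample lines are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the commit: an install.sh-side consumer for the
# JSON lines validate_access.sh prints. That script always exits 0, so the
# readiness decision must come from the "status" field of each line.
# json_field, summarize_access and SAMPLE are constructed for this example.

# Pull one string field out of a flat, single-line JSON object. Assumes the
# unescaped shape validate_access.sh emits (no quotes inside values).
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Reads validate_access.sh output on stdin and prints one summary line per
# credential. Returns 0 if every credential is PASS, 1 if any is BLOCKED
# (operator fix: credctl set <name>), 2 if any is FAIL or has an unknown
# status (environment broken: stop the install rather than guess).
summarize_access() {
  local line cred status reason blocked=0 failed=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    cred=$(json_field credential "$line")
    status=$(json_field status "$line")
    reason=$(json_field reason "$line")
    case "$status" in
      PASS)    printf 'ok       %s\n' "$cred" ;;
      BLOCKED) printf 'blocked  %s: %s\n' "$cred" "$reason"; blocked=1 ;;
      FAIL)    printf 'fail     %s: %s\n' "$cred" "$reason"; failed=1 ;;
      *)       printf 'unknown  %s: status=%s\n' "$cred" "$status"; failed=1 ;;
    esac
  done
  if [ "$failed" -eq 1 ]; then return 2; fi
  if [ "$blocked" -eq 1 ]; then return 1; fi
  return 0
}

# Constructed sample: what validate_access.sh prints when credctl is present,
# two keys are set and proton-bridge-imap has not been set yet.
SAMPLE='{"credential":"google-workspace","status":"PASS","reason":"present"}
{"credential":"proton-bridge-imap","status":"BLOCKED","reason":"credctl key not set - run: credctl set proton-bridge-imap"}
{"credential":"perplexity-api","status":"PASS","reason":"present"}'

rc=0
printf '%s\n' "$SAMPLE" | summarize_access || rc=$?
echo "readiness rc=$rc"
```

With the sample above the run prints one `blocked` line for proton-bridge-imap and ends with `readiness rc=1`, which is the signal install.sh would use to stop and point the operator at `credctl set`.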