hermes/steev
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
aeb17cce22
steev/DISCLOSURE.md
Svrnty 2491d48151 feat(steev): Wave 8 PAUSE-walk — apply Q4-Q10 + bte leak fix + proton-tools SKILL.md 
Q4: confirm personal-scope discriminators (chat_facing, delegates_to=[ceo-planb], sovereign_only=false)
Q5: drop google-workspace cred — builtin manages own OAuth via Hermes hub (not credctl vault)
Q6: split proton-bridge-imap → proton-bridge-imap-user + proton-bridge-imap-pass (vault exact-match)
Q7: rename perplexity-api → perplexity (vault exact-match)
Q8: add 3 proton vault entries (account-email, account-password, mailbox-password)
Q9: install.sh F6 — MCP allowlist materialization; wires 3 proton MCPs, removes bte (hard-rule leak)
Q10: macOS-only externals annotated os_constraint:darwin; install.sh F7 emits INFO on non-Darwin

credbridge.sh: drop google-workspace case, rewrite proton-bridge to use 2 vault entries, rename perplexity case
Disclosure §7 rewritten with 6 credentials matching vault exact-name policy (DISCLOSURE-SCHEMA §4.5)
Disclosure §12 PAUSE table marked all 8 rows RESOLVED (rows 1-7 Wave 8, row 8 Wave 7)

Untracked skills/proton-tools/SKILL.md (90 lines, declared in manifest since Wave 4) — committed for clone-ability

Verified:
  hermes -p steev skills list → 6 enabled (matches disclosure.skills declaration)
  hermes -p steev mcp list → 3 entries (proton-calendar, proton-email, proton-contacts); bte removed
  F7 on Linux host correctly suppresses macOS-only externals

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 18:13:40 -04:00

154 lines
11 KiB
Markdown
Raw Blame History

---
name: disclosure-steev
tier: T2
status: active
owner: jp
source: generated
last_reviewed: 2026-05-25
review_by: 2026-08-23
depends_on:
- disclosure-schema
- profile-distribution-protocol
description: Canonical disclosure of steev — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6.
auto_regen_cmd: "yq '.disclosure' manifest.yaml | <renderer-script>"
---
# `steev` — Disclosure
> Live as of `2026-05-25`. Disclosure schema v2 (manifest `disclosure.schema_version: 2` — adds `external_orchestrators` per DISCLOSURE-SCHEMA §4.6). Source: `steev/manifest.yaml → disclosure:` block. Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live `hermes -p steev` runtime.
## §1 Identity
| Field | Value |
|---|---|
| Profile ID | `steev` |
| Repo | `/home/svrnty/workspaces/hermes/steev/` |
| Scope | `personal` |
| Org | `personal` |
| Owner | `jp` |
| Approval authority | `jp` |
| Role type | `personal-assistant` (Chief of Staff) |
| State | `stateful` (`steev.db` runtime-only, never committed) |
| Version | `1.0.0` |
| North star | keep JP unblocked — surface what needs attention, draft in JP voice, delegate business work to CEO |
| Chat-facing | `true` |
| Delegates to | `ceo-planb` |
| Sovereign-only | `false` |
## §2 Inheritance posture
| Field | Value | Rationale |
|---|---|---|
| `inherit_builtins` | `false` | Closes Wave-1 finding: 18 silently-enabled builtins (only `kanban-worker` cited in steev/ code — kept via explicit allowlist) |
| `inherit_mcp_toolsets` | `false` | **CLAUDE.md hard-rule fix.** Closes Wave-1 finding: `bte` MCP silently leaked from host. `bte` = Plan B marketing platform — forbidden to steev per `steev/CLAUDE.md:14` ("No access to Plan B marketing platform credentials (CMO-only)") |
| `inherit_dirs` | none | No external-dir skill bundles narrowed in |
| `sovereign_only` | `false` | steev intentionally calls Perplexity (hosted) for lightweight WebSearch per `manifest.yaml:90` — disclosed honestly |
| `external_orchestrators` | `[]` | Schema v2 field (DISCLOSURE-SCHEMA §4.6). steev has no exec'd orchestrators (no sandcastle equiv) — empty list. |
## §3 Skills (6)
Per `disclosure.skills` enum. Each row matches `hermes -p steev skills list` enabled set (pre-push check 6.a enforces).
| ID | Source | Role | Sovereign-req | Hosted-API | Justification |
|---|---|---|---|---|---|
| `steev-agent` | local | orchestrator | — | — | Orchestrator — daily briefing, inbox triage, comms drafting, delegate-to-CEO |
| `proton-tools` | local | toolkit | — | — | 24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface |
| `google-workspace` | builtin | engine | — | — | Gmail+Calendar+Contacts for daily briefing + inbox triage (manifest L46) |
| `obsidian` | builtin | engine | — | — | PKM vault at `~/vaults/steev` (CLAUDE.md L17) |
| `himalaya` | builtin | engine | — | — | IMAP/SMTP via proton-bridge (manifest L50) |
| `kanban-worker` | builtin | engine | — | — | CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83) |
**Totals.** 6 skills total. Source breakdown: 2 local, 0 hub, 4 builtin, 0 external_dir.
**Wave-1 → Wave-4 delta.** Live `hermes -p steev skills list` showed 21 enabled (2 local + 18 builtins +/- the 7 declared external set). Wave-4 narrows to 6 — drops 17 inherited builtins (15 uncited; 8 of the 17 are CONTRACT.md §9 v2+ REUSE candidates re-added when v2 lands).
## §4 MCP servers (0)
No MCP servers exposed — deny-by-default allowlist is empty.
**Wave-1 → Wave-4 delta.** Live `hermes -p steev mcp list` showed `bte` registered + enabled (silently inherited via host-global `agent.inherit_mcp_toolsets: true`). Wave-4 sets `inherit_mcp_toolsets: false` and omits `bte` from the allowlist — **resolves CLAUDE.md hard-rule violation**. Four manifest-declared MCP installs (`mcp_proton_calendar`, `mcp_proton_email`, `mcp_proton_contacts`, `mcp_perplexity`) are NOT registered today; ADD-back deferred (see §12).
## §5 Sovereign APIs (0)
No direct HTTP/gRPC sovereign API calls. Indirect access flows through the (currently unregistered) Proton/Perplexity MCP servers.
## §6 Cortex tools (0)
No `cortex/L6-*` or `cortex/PG-*` libraries consumed at runtime. `lib/` scripts (`credbridge.sh`, `validate_access.sh`) are repo-local utility shims, not cortex tools.
## §7 Credentials (6 declared)
Per `disclosure.credentials` allowlist. Names + scopes only — NEVER values. Pre-push check 6.d enforces vault_name exact-match. **Wave 8 (2026-05-24): aligned with vault.**
| Vault name | Status | Scope | Used by | Governance |
|---|---|---|---|---|
| `proton-bridge-imap-user` | required | read | `credbridge.sh` | JP-personal; local Proton Bridge IMAP/SMTP username (himalaya path) |
| `proton-bridge-imap-pass` | required | read | `credbridge.sh` | JP-personal; local Proton Bridge IMAP/SMTP password (himalaya path) |
| `perplexity` | optional | read | `credbridge.sh` | JP-personal; WebSearch fallback (MCP path preferred) |
| `proton-account-email` | required | read | `credbridge.sh`, `mcp_proton_email` | JP-personal; Proton account email (consumed by proton-email MCP server) |
| `proton-account-password` | required | read | `credbridge.sh`, `mcp_proton_email` | JP-personal; Proton account password (consumed by proton-email MCP server) |
| `proton-mailbox-password` | required | read | `credbridge.sh`, `mcp_proton_email` | JP-personal; Proton mailbox E2E key for mail decryption |
> **google-workspace removed Wave 8** — Hermes builtin `google-workspace` skill manages its own OAuth flow via Hermes hub, not credctl vault. credbridge.sh google-workspace case dropped accordingly.
## §8 Cron (1)
| Job | Schedule | Skill | Disabled on install |
|---|---|---|---|
| `steev-daily-briefing` | `30 6 * * *` (06:30 local) | `steev-agent` | `true` (per §6 Safety) |
## §9 Drift status
| Surface | Declared | Live (Wave-1) | Status |
|---|---|---|---|
| Skills | 6 | 21 enabled | drift expected post-Wave-4 reinstall → in-sync |
| MCP servers | 0 | 1 (`bte`) | drift — Wave-4 reinstall removes `bte`; pending install.sh patch + reinstall |
| MCP tools (total) | 0 | n/a (`bte` is `all`-tools) | n/a after MCP removal |
| Credentials | 3 | 3 declared, 3 vault-name mismatches | name-canonicalization drift (PENDING JP, §12) |
> Pre-push hook check 6 last run: not yet — Wave-4 inserts the check; first run validates this disclosure after `install.sh` reapplies `disclosure.*` to `~/.hermes/profiles/steev/config.yaml`.
## §10 Sovereign-purity audit
- Steev's owned code (`steev/skills/`, `steev/lib/`): **CLEAN** — only Proton + Google Workspace + Perplexity (last is hosted but `sovereign_only: false` discloses honestly).
- Bundled-skill exposure layer: **CLEAN post-Wave-4** — 17 builtins removed; only 4 builtins allowlisted (google-workspace, obsidian, himalaya, kanban-worker), none hosted-API.
- `sovereign_only: false` — validator rule 6.e does not apply.
## §11 Governance refs
- Vision: `../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md`, `../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md`
- Governing protocols: `../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`
- Standards: `../sot/04-STANDARDS/FRONTMATTER-SPEC.md`, `../sot/04-STANDARDS/SOT-ENFORCEMENT.md`, `../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`
- Brand master ref: omitted (scope: personal) — steev serves JP personally, not a brand/org
## §12 Open issues + next steps
All 8 Wave-3 PAUSE rows resolved in **Wave 8 (2026-05-24)**. Audit trail retained below.
| # | Topic | Resolution | Wave |
|---|---|---|---|
| 1 | Personal-scope discriminator values (`chat_facing: true`, `delegates_to: [ceo-planb]`, `sovereign_only: false`) | **CONFIRMED** (Q4). Matches CLAUDE.md L7-L8 + CONTRACT delegation chain. | 8 |
| 2 | Cred `google-workspace` not in vault | **REMOVED** (Q5 + scope-expansion). Builtin manages own OAuth via Hermes hub; no credctl vault entry needed. credbridge.sh google-workspace case dropped. | 8 |
| 3 | Cred `proton-bridge-imap` vs vault `proton-bridge-imap-pass` + `proton-bridge-imap-user` | **SPLIT** (Q6). Manifest split into 2 entries matching vault. credbridge.sh exports both `PROTON_BRIDGE_IMAP_USER` + `PROTON_BRIDGE_IMAP_PASSWORD`. | 8 |
| 4 | Cred `perplexity-api` vs vault `perplexity` | **RENAMED** (Q7). Manifest + credbridge.sh updated to `perplexity` (exact-match per schema §4.5). | 8 |
| 5 | 3 proton vault entries undeclared (`proton-account-email`, `proton-account-password`, `proton-mailbox-password`) | **ADDED** (Q8). Declared in `disclosure.credentials` w/ `used_by: [credbridge.sh, mcp_proton_email]`. The other 2 (`proton-bridge-imap-pass/-user`) covered by row 3. | 8 |
| 6 | 4 declared MCP servers absent from `hermes mcp list` (`mcp_proton_calendar`, `mcp_proton_email`, `mcp_proton_contacts`, `mcp_perplexity`) | **MATERIALIZED 3/4** (Q9). install.sh F6 wires 3 proton MCPs into per-profile config from `optional_tools`. Also removed bte (hard-rule leak discovered Wave 8). mcp_perplexity DEFERRED (server not in global `hermes mcp list`). | 8 |
| 7 | macOS-only externals (`apple-notes`, `apple-reminders`, `imessage`) in `expected_external_skills` | **OS-GATED** (Q10). Annotated `os_constraint: darwin`. install.sh F7 emits INFO on non-Darwin hosts that these are unavailable. | 8 |
| 8 | Pre-push hook check 6 not yet wired (curator/lib/pre-push.sh patch belongs to Wave-5+) | **WIRED** (Wave 7 D6). Subrepo pre-push hook installed via `install.sh F4`; main repo hook covers 6.a-6.f. | 7 |
### Wave 8 follow-ups (not PAUSE — separate work)
- **mcp_perplexity install** — server doesn't exist in global `hermes mcp list`. When provisioned, install.sh F6 will materialize automatically (no code change).
- **Per-tool enumeration in `disclosure.mcp_servers`** — currently `[]` w/ install.sh F6 driven from `optional_tools`. Wave 8.5: introspect each MCP server, populate `disclosure.mcp_servers[*].tools[]` per DISCLOSURE-SCHEMA §4.2.
## §13 Related
- [`../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md`](../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md) — schema definition
- [`../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md`](../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md) — protocol disclosure extends
- [`../sot/06-REGISTRY/PROFILE-CATALOG.md`](../sot/06-REGISTRY/PROFILE-CATALOG.md) — fleet rollup (aggregates this doc + 4 siblings)
- [`../sot/06-REGISTRY/audits/AUDIT-steev-2026-05-24.md`](../sot/06-REGISTRY/audits/AUDIT-steev-2026-05-24.md) — Wave-1 discovery
- [`../sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md`](../sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md) — Wave-3 recommendations
- `./manifest.yaml` — machine-readable `disclosure:` block
- `./AGENT.md` — identity (T2)
- `./CONTRACT.md` — behavior contract (T1)
Reference in New Issue View Git Blame Copy Permalink