steev/DISCLOSURE.md

name	tier	status	owner	source	last_reviewed	review_by	depends_on	description	auto_regen_cmd
disclosure-steev	T2	active	jp	generated	2026-05-25	2026-08-23	disclosure-schema profile-distribution-protocol	Canonical disclosure of steev — exposed skills + MCP + sovereign APIs + cortex tools + credentials. Drift-checked vs live runtime by pre-push hook check 6.	yq '.disclosure' manifest.yaml | <renderer-script>

steev — Disclosure

Live as of 2026-05-25. Disclosure schema v2 (manifest disclosure.schema_version: 2 — adds external_orchestrators per DISCLOSURE-SCHEMA §4.6). Source: steev/manifest.yaml → disclosure: block. Pre-push hook check 6 (curator/lib/pre-push.sh) enforces this == live hermes -p steev runtime.

§1 Identity

Field	Value
Profile ID	steev
Repo	/home/svrnty/workspaces/hermes/steev/
Scope	personal
Org	personal
Owner	jp
Approval authority	jp
Role type	personal-assistant (Chief of Staff)
State	stateful (steev.db runtime-only, never committed)
Version	1.0.0
North star	keep JP unblocked — surface what needs attention, draft in JP voice, delegate business work to CEO
Chat-facing	true
Delegates to	ceo-planb
Sovereign-only	false

§2 Inheritance posture

Field	Value	Rationale
inherit_builtins	false	Closes Wave-1 finding: 18 silently-enabled builtins (only kanban-worker cited in steev/ code — kept via explicit allowlist)
inherit_mcp_toolsets	false	CLAUDE.md hard-rule fix. Closes Wave-1 finding: bte MCP silently leaked from host. bte = Plan B marketing platform — forbidden to steev per steev/CLAUDE.md:14 ("No access to Plan B marketing platform credentials (CMO-only)")
inherit_dirs	none	No external-dir skill bundles narrowed in
sovereign_only	false	steev intentionally calls Perplexity (hosted) for lightweight WebSearch per manifest.yaml:90 — disclosed honestly
external_orchestrators	[]	Schema v2 field (DISCLOSURE-SCHEMA §4.6). steev has no exec'd orchestrators (no sandcastle equiv) — empty list.

§3 Skills (6)

Per disclosure.skills enum. Each row matches hermes -p steev skills list enabled set (pre-push check 6.a enforces).

ID	Source	Role	Sovereign-req	Hosted-API	Justification
steev-agent	local	orchestrator	—	—	Orchestrator — daily briefing, inbox triage, comms drafting, delegate-to-CEO
proton-tools	local	toolkit	—	—	24-tool Proton facade (Calendar+Email+Contacts) — JP-personal comms surface
google-workspace	builtin	engine	—	—	Gmail+Calendar+Contacts for daily briefing + inbox triage (manifest L46)
obsidian	builtin	engine	—	—	PKM vault at ~/vaults/steev (CLAUDE.md L17)
himalaya	builtin	engine	—	—	IMAP/SMTP via proton-bridge (manifest L50)
kanban-worker	builtin	engine	—	—	CEO delegation transport — steev → ceo-planb (steev-agent SKILL.md L83)

Totals. 6 skills total. Source breakdown: 2 local, 0 hub, 4 builtin, 0 external_dir.

Wave-1 → Wave-4 delta. Live hermes -p steev skills list showed 21 enabled (2 local + 18 builtins +/- the 7 declared external set). Wave-4 narrows to 6 — drops 17 inherited builtins (15 uncited; 8 of the 17 are CONTRACT.md §9 v2+ REUSE candidates re-added when v2 lands).

§4 MCP servers (0)

No MCP servers exposed — deny-by-default allowlist is empty.

Wave-1 → Wave-4 delta. Live hermes -p steev mcp list showed bte registered + enabled (silently inherited via host-global agent.inherit_mcp_toolsets: true). Wave-4 sets inherit_mcp_toolsets: false and omits bte from the allowlist — resolves CLAUDE.md hard-rule violation. Four manifest-declared MCP installs (mcp_proton_calendar, mcp_proton_email, mcp_proton_contacts, mcp_perplexity) are NOT registered today; ADD-back deferred (see §12).

§5 Sovereign APIs (0)

No direct HTTP/gRPC sovereign API calls. Indirect access flows through the (currently unregistered) Proton/Perplexity MCP servers.

§6 Cortex tools (0)

No cortex/L6-* or cortex/PG-* libraries consumed at runtime. lib/ scripts (credbridge.sh, validate_access.sh) are repo-local utility shims, not cortex tools.

§7 Credentials (6 declared)

Per disclosure.credentials allowlist. Names + scopes only — NEVER values. Pre-push check 6.d enforces vault_name exact-match. Wave 8 (2026-05-24): aligned with vault.

Vault name	Status	Scope	Used by	Governance
proton-bridge-imap-user	required	read	credbridge.sh	JP-personal; local Proton Bridge IMAP/SMTP username (himalaya path)
proton-bridge-imap-pass	required	read	credbridge.sh	JP-personal; local Proton Bridge IMAP/SMTP password (himalaya path)
perplexity	optional	read	credbridge.sh	JP-personal; WebSearch fallback (MCP path preferred)
proton-account-email	required	read	credbridge.sh, mcp_proton_email	JP-personal; Proton account email (consumed by proton-email MCP server)
proton-account-password	required	read	credbridge.sh, mcp_proton_email	JP-personal; Proton account password (consumed by proton-email MCP server)
proton-mailbox-password	required	read	credbridge.sh, mcp_proton_email	JP-personal; Proton mailbox E2E key for mail decryption

google-workspace removed Wave 8 — Hermes builtin google-workspace skill manages its own OAuth flow via Hermes hub, not credctl vault. credbridge.sh google-workspace case dropped accordingly.

§8 Cron (1)

Job	Schedule	Skill	Disabled on install
steev-daily-briefing	30 6 * * * (06:30 local)	steev-agent	true (per §6 Safety)

§9 Drift status

Surface	Declared	Live (Wave-1)	Status
Skills	6	21 enabled	drift expected post-Wave-4 reinstall → in-sync
MCP servers	0	1 (bte)	drift — Wave-4 reinstall removes bte; pending install.sh patch + reinstall
MCP tools (total)	0	n/a (bte is all-tools)	n/a after MCP removal
Credentials	3	3 declared, 3 vault-name mismatches	name-canonicalization drift (PENDING JP, §12)

Pre-push hook check 6 last run: not yet — Wave-4 inserts the check; first run validates this disclosure after install.sh reapplies disclosure.* to ~/.hermes/profiles/steev/config.yaml.

§10 Sovereign-purity audit

• Steev's owned code (steev/skills/, steev/lib/): CLEAN — only Proton + Google Workspace + Perplexity (last is hosted but sovereign_only: false discloses honestly).
• Bundled-skill exposure layer: CLEAN post-Wave-4 — 17 builtins removed; only 4 builtins allowlisted (google-workspace, obsidian, himalaya, kanban-worker), none hosted-API.
• sovereign_only: false — validator rule 6.e does not apply.

§11 Governance refs

• Vision: ../sot/01-ROADMAP/CORTEX-OS-ROADMAP.md, ../sot/02-FRAMEWORK/CORTEX-OS-FRAMEWORK.md
• Governing protocols: ../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md
• Standards: ../sot/04-STANDARDS/FRONTMATTER-SPEC.md, ../sot/04-STANDARDS/SOT-ENFORCEMENT.md, ../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md
• Brand master ref: omitted (scope: personal) — steev serves JP personally, not a brand/org

§12 Open issues + next steps

All 8 Wave-3 PAUSE rows resolved in Wave 8 (2026-05-24). Audit trail retained below.

#	Topic	Resolution	Wave
1	Personal-scope discriminator values (chat_facing: true, delegates_to: [ceo-planb], sovereign_only: false)	CONFIRMED (Q4). Matches CLAUDE.md L7-L8 + CONTRACT delegation chain.	8
2	Cred google-workspace not in vault	REMOVED (Q5 + scope-expansion). Builtin manages own OAuth via Hermes hub; no credctl vault entry needed. credbridge.sh google-workspace case dropped.	8
3	Cred proton-bridge-imap vs vault proton-bridge-imap-pass + proton-bridge-imap-user	SPLIT (Q6). Manifest split into 2 entries matching vault. credbridge.sh exports both PROTON_BRIDGE_IMAP_USER + PROTON_BRIDGE_IMAP_PASSWORD.	8
4	Cred perplexity-api vs vault perplexity	RENAMED (Q7). Manifest + credbridge.sh updated to perplexity (exact-match per schema §4.5).	8
5	3 proton vault entries undeclared (proton-account-email, proton-account-password, proton-mailbox-password)	ADDED (Q8). Declared in disclosure.credentials w/ used_by: [credbridge.sh, mcp_proton_email]. The other 2 (proton-bridge-imap-pass/-user) covered by row 3.	8
6	4 declared MCP servers absent from hermes mcp list (mcp_proton_calendar, mcp_proton_email, mcp_proton_contacts, mcp_perplexity)	MATERIALIZED 3/4 (Q9). install.sh F6 wires 3 proton MCPs into per-profile config from optional_tools. Also removed bte (hard-rule leak discovered Wave 8). mcp_perplexity DEFERRED (server not in global hermes mcp list).	8
7	macOS-only externals (apple-notes, apple-reminders, imessage) in expected_external_skills	OS-GATED (Q10). Annotated os_constraint: darwin. install.sh F7 emits INFO on non-Darwin hosts that these are unavailable.	8
8	Pre-push hook check 6 not yet wired (curator/lib/pre-push.sh patch belongs to Wave-5+)	WIRED (Wave 7 D6). Subrepo pre-push hook installed via install.sh F4; main repo hook covers 6.a-6.f.	7

Wave 8 follow-ups (not PAUSE — separate work)

• mcp_perplexity install — server doesn't exist in global hermes mcp list. When provisioned, install.sh F6 will materialize automatically (no code change).
• Per-tool enumeration in disclosure.mcp_servers — currently [] w/ install.sh F6 driven from optional_tools. Wave 8.5: introspect each MCP server, populate disclosure.mcp_servers[*].tools[] per DISCLOSURE-SCHEMA §4.2.

§13 Related

• ../sot/04-STANDARDS/DISCLOSURE-SCHEMA.md — schema definition
• ../sot/03-PROTOCOLS/PROFILE-DISTRIBUTION-PROTOCOL.md — protocol disclosure extends
• ../sot/06-REGISTRY/PROFILE-CATALOG.md — fleet rollup (aggregates this doc + 4 siblings)
• ../sot/06-REGISTRY/audits/AUDIT-steev-2026-05-24.md — Wave-1 discovery
• ../sot/06-REGISTRY/audits/RECOMMENDATIONS-steev-2026-05-24.md — Wave-3 recommendations
• ./manifest.yaml — machine-readable disclosure: block
• ./AGENT.md — identity (T2)
• ./CONTRACT.md — behavior contract (T1)