- safety: drop tools section (moved to sdlc); relax kubectl-apply ban to
production-only (dev and uat permit direct kubectl for iteration);
keep kubectl-create-secret ban at all environments
- sdlc: split Authentication into its own section (Better-Auth + Google +
Apple + Authentik); add Tools (canonical, not alternatives) section
moved from safety, including the playwright MCP and ghcr.io registry
standard
Mirrors the groombook/org and privilegedescalation/org pattern: extract
company-wide policy that's currently inlined across each agent's AGENTS.md
(plus auxiliary HEARTBEAT.md / GITHUB.md / SOUL.md / TOOLS.md /
INFRASTRUCTURE.md files) into three shared skills.
Agents will reference these via one-line invocation reminders in their Wake
additions section once the AGENTS.md files are rewritten.
Chris Farhood