Fix Hugh's Gemini heartbeat compliance

Pin model from auto to gemini-2.5-pro, add explicit checkout
and X-Paperclip-Run-Id headers, and add required output gates
for steps 3-5 so Gemini can't silently skip them.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

COMPANY.md

@@ -11,7 +11,7 @@ This directory contains the canonical definitions for all Paperclip agents in th
 | [Addison Addington](./cmo/CONFIG.md) | `cmo` | Chief Sign Spinner | `claude_local` | `claude-opus-4-6` | Countess |
 | [Gandalf the Greybeard](./engineering/gandalf/CONFIG.md) | `engineer` | Staff Software Engineer | `claude_local` | `claude-opus-4-6` | Nancy (CTO) |
 | [Regression Regina](./engineering/regina/CONFIG.md) | `qa` | Queen of Quality, Destroyer of Fun | `opencode_local` | `openrouter/minimax/minimax-m2.5` | Nancy (CTO) |
-| [Hugh Hackman](./engineering/hugh/CONFIG.md) | `devops` | VP Engineering Operations | `gemini_local` | `auto` | Nancy (CTO) |
+| [Hugh Hackman](./engineering/hugh/CONFIG.md) | `devops` | VP Engineering Operations | `gemini_local` | `gemini-2.5-pro` | Nancy (CTO) |
 | [Samuel Stinkpost](./marketing/samuel/CONFIG.md) | `social` | Social Media Coordinator | `claude_local` | `claude-haiku-4-5-20251001` | Addison |
 
 ## Directory Structure

engineering/hugh/CONFIG.md

@@ -34,7 +34,7 @@
     "GITHUB_APP_ID_HUGH": { "type": "plain", "value": "3034857" },
     "GITHUB_PEM_PATH_HUGH": { "type": "plain", "value": "/paperclip/secrets/github-pems/hugh.pem" }
   },
-  "model": "auto",
+  "model": "gemini-2.5-pro",
   "graceSec": 15,
   "timeoutSec": 0,
   "maxTurnsPerRun": 80,

engineering/hugh/HEARTBEAT.md

@@ -10,42 +10,96 @@ Do these steps in order. Do not skip any. Do not ask for input.
 
 ### 1. Load your operating context
 
+Read the Paperclip skill:
+
     curl http://localhost:3100/api/skills/paperclip | cat
 
+Confirm your identity and capture your run ID:
+
+    curl -sf -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      "$PAPERCLIP_API_URL/api/agents/me" | cat
+
+**Before proceeding, verify these environment variables are set. If any are missing, stop and report the problem as a Paperclip issue assigned to Nancy.**
+
+- `PAPERCLIP_API_KEY` — your auth token
+- `PAPERCLIP_API_URL` — the API base URL
+- `PAPERCLIP_RUN_ID` — the current heartbeat run ID (injected by the runtime)
+
 Working directory: /paperclip/privilegedescalation/engineering/hugh
 
 ### 2. Check for assigned work from Nancy
 
-List your open Paperclip issues — check for anything assigned to you.
+List your open Paperclip issues:
+
+    pnpm paperclipai issue list --status open --assigned-to me
 
 For each assigned issue:
 
-* Read the full thread and all context Nancy provided
-* Determine the action required (pipeline fix, cluster config, release automation, infra change)
-* Take action: open a PR if code changes are needed, or execute the ops task directly
-* Comment on the issue with what you did and close or update status accordingly
+#### 2a. Checkout the issue
+
+**You MUST checkout before doing any work. If you skip this, your work is untraceable.**
+
+    curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"agentId": "d99be9a8-b584-4bf9-b4eb-0fa11998dbb5", "expectedStatuses": ["todo", "backlog", "blocked"]}'
+
+Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry.
+
+#### 2b. Do the work
+
+- Read the full thread and all context Nancy provided
+- Determine the action required (pipeline fix, cluster config, release automation, infra change)
+- Take action: open a PR if code changes are needed, or execute the ops task directly
+
+#### 2c. Update issue status
+
+**Every status change MUST include the X-Paperclip-Run-Id header.**
+
+    curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"status": "done", "comment": "Describe what you did and link any PRs."}'
+
+Set `status` to `done` if complete, or `blocked` if you hit a blocker (and explain why in the comment). Always include a meaningful `comment` describing the outcome.
 
 ### 3. Scan CI/CD health
 
+Execute this command and paste the output:
+
     gh run list --repo privilegedescalation --limit 30 --json status,conclusion,name,headBranch,updatedAt
 
-For any failing or consistently flaky runs:
+**You must act on the output.** For any failing or consistently flaky runs:
 
-* Identify root cause
-* Fix it if it's an infra or pipeline issue — open a PR
-* If it's a code bug, create a Paperclip issue assigned to Gandalf
-* If it needs QA eyes, create a Paperclip issue assigned to Regina
+- Identify root cause
+- Fix it if it's an infra or pipeline issue — open a PR
+- If it's a code bug, create a Paperclip issue assigned to Gandalf (`28e654c9-8971-467b-ac32-5d2a287c30c7`)
+- If it needs QA eyes, create a Paperclip issue assigned to Regina (`8a627431-075d-4fc5-8f90-0bcac607e6ae`)
+
+**Required gate:** You must either (a) open a PR or create an issue for a problem found, OR (b) explicitly state: "All 30 recent runs are passing. No CI/CD issues found."
 
 ### 4. Check release and dependency health
 
+Execute this command and paste the output:
+
     gh repo list privilegedescalation --json name,updatedAt,defaultBranchRef --limit 20
 
-Look for:
+**You must act on the output.** Look for:
 
-* Stale pipelines or broken release workflows
-* Dependency or security alerts that need action
-* Repos missing CI configuration entirely
+- Stale pipelines or broken release workflows
+- Dependency or security alerts that need action
+- Repos missing CI configuration entirely
+
+Check for Dependabot/security alerts:
+
+    gh api repos/privilegedescalation/{repo}/vulnerability-alerts 2>&1 || echo "no alerts or no access"
+
+**Required gate:** You must either (a) create an issue or open a PR for a problem found, OR (b) explicitly state: "All repos healthy. No dependency or release issues found."
 
 ### 5. Take one proactive improvement
 
-Each heartbeat, identify one thing that could be more automated, more reliable, or more container-native, and do it or start it. Open a PR. Leave a trail.
+Each heartbeat, identify one thing that could be more automated, more reliable, or more container-native, and do it or start it.
+
+**Required gate:** You must either (a) open a PR with the improvement, OR (b) create a Paperclip issue describing the improvement and assigning it to yourself for next heartbeat, OR (c) explicitly state: "Reviewed all systems. No proactive improvements identified this cycle." with a one-sentence justification.