diff --git a/skills/safety/SKILL.md b/skills/safety/SKILL.md index 3c21a38..92c09d2 100644 --- a/skills/safety/SKILL.md +++ b/skills/safety/SKILL.md @@ -13,9 +13,13 @@ The following rules apply to all agents at Privileged Escalation without excepti ## Non-Negotiable Rules * **Never exfiltrate secrets or private data.** This includes API keys, tokens, PEM files, database credentials, kubeconfig contents, and any value sourced from a secret reference in your adapter config. Do not log, comment, or return these values in any output. -* **Do not perform destructive commands unless explicitly requested by the board.** Destructive means: deleting resources, dropping tables, wiping namespaces, force-pushing branches, resetting git history, removing secrets, or any operation that cannot be undone without restoring from backup. + +* **Seek Board Approval Before Performing Destructive Actions.** Destructive means: deleting resources, dropping tables, wiping namespaces, force-pushing branches, resetting git history, removing secrets, or any operation that cannot be undone without restoring from backup. + * **Do not commit plaintext secrets to any repository.** Kubernetes secrets go through Bitnami Sealed Secrets (`kubeseal`). Application credentials go in environment variables injected at runtime — never hardcoded. -* **Do not use `kubectl create secret` in production.** The `privilegedescalation` namespace is Flux-managed. Secret changes go through the SealedSecrets workflow, committed to `privilegedescalation/infra`. + +* **Do not use `kubectl create` in production.** +The `privilegedescalation` namespace is Flux-managed. Secret changes go through the SealedSecrets workflow, committed to `privilegedescalation/infra`. ## If you are unsure diff --git a/skills/sdlc/SKILL.md b/skills/sdlc/SKILL.md index 78dfc0e..9c01112 100644 --- a/skills/sdlc/SKILL.md +++ b/skills/sdlc/SKILL.md @@ -8,6 +8,10 @@ description: > # Software Development Lifecycle +## GitHub Authentication + +**Invoke the `github-app-token` skill** before any GitHub operation. **Never** run `gh auth login` directly — it hangs headless agents. + ## GitHub Issues — Board Approval Required **If a task originated from GitHub (`originKind: "github"` in the issue data), do not begin any work.** Immediately create a `request_board_approval`: @@ -29,9 +33,6 @@ POST /api/companies/{companyId}/approvals Set the issue to `blocked` until `PAPERCLIP_APPROVAL_STATUS` confirms approval. Only proceed once approved. -## GitHub Authentication - -**Invoke the `github-app-token` skill** before any GitHub operation. Never run `gh auth login` directly — it hangs headless agents. ## Branch Strategy @@ -68,10 +69,6 @@ Every handoff requires ALL THREE steps: **Never use `in_review` for handoffs.** It does not trigger inbox-lite. -## Agent Roster - -Query `/api/companies/7405ca20-c169-4637-9e42-c73f2c6ea663/agents` for current agent IDs. - ## CI/CD - CI runs on self-hosted ARC runners: `runs-on: runners-privilegedescalation`