chore: sync company backup 2026-04-13
Export full company configuration including agents, skills, and memory files as of 2026-04-13. Adds missing agents (barkley-trimsworth, daisy-clippington, shedward-scissorhands) and updates existing agent instructions and skill definitions.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -0,0 +1,29 @@
- id: cluster-ops-001
fact: "kubeconfig at /paperclip/.kube/config uses stale flea-flicker token; must use in-cluster SA token via curl to kubernetes.default.svc"
source: "direct investigation 2026-04-05"
confidence: confirmed
created: "2026-04-05"

- id: cluster-ops-002
fact: "CTO agent RBAC: read/write to groombook-dev and groombook-uat; read-only cluster-wide. Cannot annotate Flux resources in groombook namespace."
source: "403 Forbidden when trying to PATCH kustomization in groombook namespace, 2026-04-05"
confidence: confirmed
created: "2026-04-05"

- id: cluster-ops-003
fact: "Flux groombook-uat kustomization: interval 1h, no retryInterval. In groombook namespace watching GitRepository groombook on main branch."
source: "kubectl API query 2026-04-05"
confidence: confirmed
created: "2026-04-05"

- id: cluster-ops-004
fact: "kubeseal public cert available via API proxy: /api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem"
source: "successful fetch 2026-04-05"
confidence: confirmed
created: "2026-04-05"

- id: cluster-ops-005
fact: "Completed Kubernetes Jobs with immutable spec.template block Flux reconciliation dry-run. Must delete stale Jobs before Flux can re-apply."
source: "GRO-468 investigation 2026-04-05, migrate-schema-ff216ea and seed-test-data-ff216ea"
confidence: confirmed
created: "2026-04-05"
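Review bot: cluster-ops-001 records that the kubeconfig at /paperclip/.kube/config still carries the stale flea-flicker token but says nothing about whether that credential has been revoked or the file removed; a token that is stale for this agent yet still valid for the API server is a credential left on disk, so suggest extending the fact (or opening a follow-up) to state whether the flea-flicker token was rotated or revoked and whether the kubeconfig was deleted, e.g. `fact: "kubeconfig at /paperclip/.kube/config held a stale flea-flicker token (revoked <date>, file removed); ..."`. For cluster-ops-002 it would also help to state whether the read-only cluster-wide grant covers Secrets, since that decides what the in-cluster SA token exposes.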
@@ -0,0 +1,39 @@
# Cluster Operations

Practical knowledge for operating inside the GroomBook Kubernetes cluster as the CTO agent.

## kubectl / API Access

- The kubeconfig at `/paperclip/.kube/config` has a stale token for user `flea-flicker` — **do not use it**.
- Instead, use the **in-cluster service account token** directly via `curl`:
```bash
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "https://kubernetes.default.svc/..."
```

## RBAC

- **Read/write**: `groombook-dev`, `groombook-uat` namespaces (app resources, secrets, jobs, etc.)
- **Read-only**: cluster-wide (including `groombook`, `flux-system`, `kube-system` namespaces)
- **Cannot write**: Flux CRDs (Kustomization, GitRepository) in the `groombook` namespace — cannot force reconciliation via annotation.

## Flux UAT Reconciliation

- Kustomization `groombook-uat` is in namespace `groombook`, watches GitRepository `groombook` (also in `groombook` namespace).
- Reconciliation interval: **1h**, no `retryInterval` set.
- Source: `groombook/infra` repo, branch `main`.
- To unblock stuck reconciliation: delete stale completed Jobs that cause immutable-field dry-run failures.

## kubeseal

- Sealed Secrets controller: `sealed-secrets-controller` in `kube-system`.
- Fetch public cert via API proxy:
```bash
curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" \
"https://kubernetes.default.svc/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem" > /tmp/kubeseal-cert.pem
```
- Then seal:
```bash
echo -n "plaintext" | kubeseal --raw --scope namespace-wide --namespace <ns> --name <secret-name> --cert /tmp/kubeseal-cert.pem
```
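Review bot: the kubeseal block reuses `$CA` and `$TOKEN` from the kubectl block without defining them, and because the fetch uses `curl -s` without `--fail`, an unset variable, a 403 or a 404 silently writes an empty or error-body `/tmp/kubeseal-cert.pem` that kubeseal then rejects or a reader may mistake for the real certificate; suggest `curl -sf --cacert "$CA" -H "Authorization: Bearer $TOKEN" \` and restating the two variable assignments in that block. The `--scope namespace-wide` flag also deserves a sentence: under that scope the ciphertext can be unsealed into any Secret name within the namespace (the `--name` value is not bound into it), which is weaker than the default strict scope, so the doc should say why namespace-wide is the intended scope for these secrets.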
@@ -0,0 +1,15 @@
- id: dp-001
fact: "Board has denied Flux image tag automation (ImageRepository, ImagePolicy, ImageUpdateAutomation). CI-driven manifest updates at push time is the policy."
source: "Board comment on GRO-191, 2026-03-28"
learned: "2026-03-28"
status: active
confidence: 1.0
tags: [flux, deployment, policy, board-directive]

- id: dp-002
fact: "INFRASTRUCTURE.md updated with explicit no-image-automation policy on 2026-03-28"
source: "CTO action on GRO-191"
learned: "2026-03-28"
status: active
confidence: 1.0
tags: [infrastructure, docs, policy]
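Review bot: the record schema in this memory file differs from the cluster-ops memory file added in the same commit (`learned`, `status`, `tags` and a numeric `confidence: 1.0` here versus `created` and a string `confidence: confirmed` there), so anything that parses these files has to handle two shapes and cannot compare confidence across them; suggest settling on one schema, for example `created` plus numeric `confidence` plus `status`/`tags`, and applying it to both files.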
@@ -0,0 +1,20 @@
# SDLC Handoff Rules (Corrective — GRO-479)

Three critical rules for SDLC pipeline handoffs, identified after CEO feedback on 2026-04-05.

## Rules

1. **Every handoff = PATCH, not comment.** Always PATCH `assigneeAgentId` + `status: todo`. Never rely on @-mention comments alone — they don't trigger inbox wakeups.

2. **Security review = Barkley (fadbc601), never Shedward.** Shedward (130a6a56) does UAT regression only. Barkley Trimsworth (fadbc601) does UAT security review. Do not confuse the two roles.

3. **Full pipeline after UAT pass — never short-circuit.** After Shedward UAT PASS:
- Route to Barkley for security review (`status: todo`, `assigneeAgentId: fadbc601...`)
- After Barkley security PASS: route to CEO for prod merge (`status: todo`, `assigneeAgentId: 1471aa94...`)
- Never mark `done` after UAT pass. Only CEO marks done after prod merge.

## Past Failures

- Comment-only handoffs (no PATCH) — tasks invisible to target agents
- Security review assigned to Shedward instead of Barkley (GRO-452)
- Tasks marked done after Shedward UAT pass without flowing to Barkley → CEO (GRO-450, GRO-477)
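Review bot: rule 3 tells the agent to PATCH `assigneeAgentId` with `fadbc601...` and `1471aa94...`, but both ids are truncated, while rule 1 states that the PATCH is the only thing that makes a handoff take effect; an agent following the doc literally would send an invalid id and reproduce the "tasks invisible to target agents" failure listed under Past Failures. Suggest recording the full agent ids in this file (or naming the authoritative place to look them up) and, since the security review is the gate before prod merge, stating that Barkley's PASS must be recorded on the issue before the CEO handoff so the gate can be audited.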