chore: sync company backup 2026-04-13

Export full company configuration including agents, skills, and memory
files as of 2026-04-13. Adds missing agents (barkley-trimsworth,
daisy-clippington, shedward-scissorhands) and updates existing agent
instructions and skill definitions.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Scrubs McBarkley
2026-04-13 04:02:21 +00:00
parent 6a422fe293
commit 6bfd1b6c30
123 changed files with 4649 additions and 462 deletions
@@ -0,0 +1,29 @@
- id: cluster-ops-001
fact: "kubeconfig at /paperclip/.kube/config uses stale flea-flicker token; must use in-cluster SA token via curl to kubernetes.default.svc"
source: "direct investigation 2026-04-05"
confidence: confirmed
created: "2026-04-05"
- id: cluster-ops-002
fact: "CTO agent RBAC: read/write to groombook-dev and groombook-uat; read-only cluster-wide. Cannot annotate Flux resources in groombook namespace."
source: "403 Forbidden when trying to PATCH kustomization in groombook namespace, 2026-04-05"
confidence: confirmed
created: "2026-04-05"
- id: cluster-ops-003
fact: "Flux groombook-uat kustomization: interval 1h, no retryInterval. In groombook namespace watching GitRepository groombook on main branch."
source: "kubectl API query 2026-04-05"
confidence: confirmed
created: "2026-04-05"
- id: cluster-ops-004
fact: "kubeseal public cert available via API proxy: /api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem"
source: "successful fetch 2026-04-05"
confidence: confirmed
created: "2026-04-05"
- id: cluster-ops-005
fact: "Completed Kubernetes Jobs with immutable spec.template block Flux reconciliation dry-run. Must delete stale Jobs before Flux can re-apply."
source: "GRO-468 investigation 2026-04-05, migrate-schema-ff216ea and seed-test-data-ff216ea"
confidence: confirmed
created: "2026-04-05"
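Review bot: cluster-ops-001 records a permanent workaround for a stale credential instead of a fix; the dead `flea-flicker` token in `/paperclip/.kube/config` should be rotated or removed and the entry should reference the task that tracks that cleanup, otherwise every agent reading this file learns to leave a stale credential on disk and route around it. cluster-ops-002 would also be easier to re-verify if it named the service account and RoleBindings the RBAC summary was derived from, since "read/write to groombook-dev and groombook-uat" cannot be checked against the live cluster as written.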
@@ -0,0 +1,39 @@
# Cluster Operations
Practical knowledge for operating inside the GroomBook Kubernetes cluster as the CTO agent.
## kubectl / API Access
- The kubeconfig at `/paperclip/.kube/config` has a stale token for user `flea-flicker`**do not use it**.
- Instead, use the **in-cluster service account token** directly via `curl`:
```bash
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "https://kubernetes.default.svc/..."
```
## RBAC
- **Read/write**: `groombook-dev`, `groombook-uat` namespaces (app resources, secrets, jobs, etc.)
- **Read-only**: cluster-wide (including `groombook`, `flux-system`, `kube-system` namespaces)
- **Cannot write**: Flux CRDs (Kustomization, GitRepository) in the `groombook` namespace — cannot force reconciliation via annotation.
## Flux UAT Reconciliation
- Kustomization `groombook-uat` is in namespace `groombook`, watches GitRepository `groombook` (also in `groombook` namespace).
- Reconciliation interval: **1h**, no `retryInterval` set.
- Source: `groombook/infra` repo, branch `main`.
- To unblock stuck reconciliation: delete stale completed Jobs that cause immutable-field dry-run failures.
## kubeseal
- Sealed Secrets controller: `sealed-secrets-controller` in `kube-system`.
- Fetch public cert via API proxy:
```bash
curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" \
"https://kubernetes.default.svc/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem" > /tmp/kubeseal-cert.pem
```
- Then seal:
```bash
echo -n "plaintext" | kubeseal --raw --scope namespace-wide --namespace <ns> --name <secret-name> --cert /tmp/kubeseal-cert.pem
```
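Review bot: the sentence "has a stale token for user `flea-flicker`**do not use it**" is missing a separator before the bold warning. In the kubeseal section, `--scope namespace-wide` means the sealed value can be unsealed into any Secret name in that namespace, so `--name` has no effect on the scope there; if the value is meant to be bound to one Secret, use the default `strict` scope, and the doc should state which scope the groombook SealedSecrets actually use, because the controller will refuse to decrypt a value whose scope does not match the SealedSecret's annotation.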
@@ -0,0 +1,15 @@
- id: dp-001
fact: "Board has denied Flux image tag automation (ImageRepository, ImagePolicy, ImageUpdateAutomation). CI-driven manifest updates at push time is the policy."
source: "Board comment on GRO-191, 2026-03-28"
learned: "2026-03-28"
status: active
confidence: 1.0
tags: [flux, deployment, policy, board-directive]
- id: dp-002
fact: "INFRASTRUCTURE.md updated with explicit no-image-automation policy on 2026-03-28"
source: "CTO action on GRO-191"
learned: "2026-03-28"
status: active
confidence: 1.0
tags: [infrastructure, docs, policy]
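Review bot: this memory file uses a different record schema from the cluster-ops file in the same commit (`learned`/`status`/`tags` and a numeric `confidence: 1.0` here, versus `created` and `confidence: confirmed` there). Pick one schema for all memory files, or anything that later parses or filters these records by confidence or date will silently skip half of them.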
@@ -0,0 +1,20 @@
# SDLC Handoff Rules (Corrective — GRO-479)
Three critical rules for SDLC pipeline handoffs, identified after CEO feedback on 2026-04-05.
## Rules
1. **Every handoff = PATCH, not comment.** Always PATCH `assigneeAgentId` + `status: todo`. Never rely on @-mention comments alone — they don't trigger inbox wakeups.
2. **Security review = Barkley (fadbc601), never Shedward.** Shedward (130a6a56) does UAT regression only. Barkley Trimsworth (fadbc601) does UAT security review. Do not confuse the two roles.
3. **Full pipeline after UAT pass — never short-circuit.** After Shedward UAT PASS:
- Route to Barkley for security review (`status: todo`, `assigneeAgentId: fadbc601...`)
- After Barkley security PASS: route to CEO for prod merge (`status: todo`, `assigneeAgentId: 1471aa94...`)
- Never mark `done` after UAT pass. Only CEO marks done after prod merge.
## Past Failures
- Comment-only handoffs (no PATCH) — tasks invisible to target agents
- Security review assigned to Shedward instead of Barkley (GRO-452)
- Tasks marked done after Shedward UAT pass without flowing to Barkley → CEO (GRO-450, GRO-477)
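Review bot: rules 2 and 3 encode a separation-of-duties control (security review by Barkley, `done` only by the CEO after prod merge) purely as agent instructions, and the Past Failures list shows that form of control was bypassed three times (GRO-450, GRO-452, GRO-477); consider enforcing the `done` transition and the security-review gate in the task API or its policy layer rather than in memory text alone. The `assigneeAgentId` values in rule 3 are also truncated (`fadbc601...`, `1471aa94...`), so an agent following the rule literally would PATCH an invalid id; give the full ids or point to where they are looked up.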