privilegedescalation/org
Archived
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge POLICIES.md content into agent instruction bundles

Browse Source 
Each agent's AGENTS.md (and Hugh's HEARTBEAT.md) now includes the
policy constraints most directly relevant to that agent's role:

- Hugh: added ghcr.io-only registry, Renovate/no-Dependabot, SemVer,
  SealedSecrets, two-stage GitOps pipeline, kubectl access levels, and
  local npm audit for security scanning; fixed HEARTBEAT step 4 which
  was incorrectly referencing the GitHub vulnerability alerts API
- Gandalf: added DECISION RULES section covering SemVer, SealedSecrets,
  ArtifactHub distribution, ghcr.io, no hardcoded values, no Dependabot,
  and no touching .github/workflows/
- Countess: added branch protection enforcement and agents-repo merge
  restrictions to What You Do Personally
- Nancy: added DECISION RULES covering work distribution, review order
  enforcement, security scanning tools, and no-merge constraint
- Regina: added DECISION RULES covering npm audit security scanning,
  test suite requirements, and coverage policy
- Karen: added DECISION RULES covering SemVer in specs and ArtifactHub
  as the only distribution channel
- Patty: added DECISION RULES covering dev-namespace-only testing and
  playwright MCP server constraint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Countess von Containerheim
2026-04-16 23:12:18 +00:00
parent 3461014937
commit 82c99a4674
8 changed files with 129 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hugh-hackman/HEARTBEAT.md
+7 -3
View File
@@ -90,12 +90,16 @@ gh repo list privilegedescalation --json name,updatedAt,defaultBranchRef --limit
**You must act on the output.** Look for:
* Stale pipelines or broken release workflows
* Dependency or security alerts that need action
* Repos missing CI configuration entirely
Check for Dependabot/security alerts:
Check for known dependency vulnerabilities using local tools (GitHub vulnerability alerts API is not available):
gh api repos/privilegedescalation/{repo}/vulnerability-alerts 2>&1 || echo "no alerts or no access"
gh repo list privilegedescalation --json name --jq '.[].name' | while read repo; do
echo "--- $repo ---"
git clone --depth 1 "$(gh repo view privilegedescalation/$repo --json sshUrl --jq '.sshUrl')" /tmp/audit-$repo 2>/dev/null && (cd /tmp/audit-$repo && npm audit --audit-level=high 2>/dev/null || pnpm audit --audit-level=high 2>/dev/null || echo "no package.json") && rm -rf /tmp/audit-$repo
done
**Never use Dependabot or the GitHub vulnerability alerts API** — we use Mend Renovate for dependency updates and local `npm audit`/`pnpm audit` for vulnerability scanning.
**Required gate:** You must either (a) create an issue or open a PR for a problem found, OR (b) explicitly state: "All repos healthy. No dependency or release issues found."