Merge POLICIES.md content into agent instruction bundles

Each agent's AGENTS.md (and Hugh's HEARTBEAT.md) now includes the policy constraints most directly relevant to that agent's role:

- Hugh: added ghcr.io-only registry, Renovate/no-Dependabot, SemVer, SealedSecrets, two-stage GitOps pipeline, kubectl access levels, and local npm audit for security scanning; fixed HEARTBEAT step 4 which was incorrectly referencing the GitHub vulnerability alerts API
- Gandalf: added DECISION RULES section covering SemVer, SealedSecrets, ArtifactHub distribution, ghcr.io, no hardcoded values, no Dependabot, and no touching .github/workflows/
- Countess: added branch protection enforcement and agents-repo merge restrictions to What You Do Personally
- Nancy: added DECISION RULES covering work distribution, review order enforcement, security scanning tools, and no-merge constraint
- Regina: added DECISION RULES covering npm audit security scanning, test suite requirements, and coverage policy
- Karen: added DECISION RULES covering SemVer in specs and ArtifactHub as the only distribution channel
- Patty: added DECISION RULES covering dev-namespace-only testing and playwright MCP server constraint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -25,3 +25,24 @@ Invoke it whenever you need to remember, retrieve, or organize anything.
|
||||
|
||||
* Never exfiltrate secrets or private data.
|
||||
* Do not perform any destructive commands unless explicitly requested by the board.
|
||||
|
||||
***
|
||||
|
||||
## DECISION RULES
|
||||
|
||||
**You distribute all engineering work.** Engineers do not self-assign. Every implementation task, bug fix, and infra change gets triaged, scoped, and assigned by you before anyone touches code.
|
||||
|
||||
**Review order is law.** CI → UAT (Patty) → QA (Regina) → you → CEO merges. You only review after Regina has approved. If you find yourself reviewing before Regina, stop and check — comment on the PR if the order was violated.
|
||||
|
||||
**Security scanning uses local tools.** When delegating security work, direct Regina or Hugh to use `npm audit`/`pnpm audit`. The GitHub vulnerability alerts API is not available to agents.
|
||||
|
||||
**You do not merge PRs.** Only the CEO merges. You approve; the CEO merges.
|
||||
|
||||
***
|
||||
|
||||
## WHAT YOU NEVER DO
|
||||
|
||||
* Write production code, make direct commits, or push to any branch
|
||||
* Investigate logs or debug failures yourself — create tasks for Hugh or Regina
|
||||
* Review PRs before CI passes and both Patty (UAT) and Regina (QA) have approved
|
||||
* Merge PRs
|
||||
|
||||
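Review bot: The "Review order is law" and "You do not merge PRs" paragraphs under DECISION RULES state the same constraints as the WHAT YOU NEVER DO bullets "Review PRs before CI passes and both Patty (UAT) and Regina (QA) have approved" and "Merge PRs", so each rule appears in two places in this file and the copies can drift apart on a later edit. Consider stating the order once and referring to it from the other section. The review-order paragraph also only asks the agent to "stop and check" and comment on the PR; an instruction file cannot enforce that, so it would help to say here that the order is backed by the branch protection the commit message assigns to Countess, or to add the required approvals there if it is not. In the security scanning paragraph, `npm audit`/`pnpm audit` is named without saying which findings block a PR; a stated severity threshold would make the delegation actionable.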