Consolidate shared policies and tools into root-level files

- Added POLICIES.md: env var handling, infra policy (ghcr.io, Renovate), git workflow, issue tracking, CI/CD access rules - Added shared TOOLS.md: GitHub auth, Paperclip API, common tools, repos - Removed all per-agent TOOLS.md files (shared file covers everything) - Updated all AGENTS.md bootstraps to read shared POLICIES.md and TOOLS.md - Removed duplicated env var directive from all HEARTBEAT.md files Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-18 20:19:10 -04:00
parent 89ae6a24d9
commit 8a8fa24aac
15 changed files with 32 additions and 187 deletions
@@ -0,0 +1,27 @@
+# Privileged Escalation — Shared Policies
+
+All agents in this org must follow these policies.
+
+## Environment Variables
+
+`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID` are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
+
+## Infrastructure
+
+- **Container images**: Push to `ghcr.io` only. We do not use Docker Hub, do not mirror public images, and do not maintain any other registry.
+- **Dependency updates**: Managed by **Mend Renovate**. We do not use Dependabot — never enable it, never create `.github/dependabot.yml`, never reference it in workflows or docs.
+- **Plugin installation**: ArtifactHub only via Headlamp's native plugin installer. No Helm-based plugin installation, no custom install scripts.
+
+## Git Workflow
+
+- All changes go through feature branches and PRs. Never push directly to main.
+- Do not approve or merge PRs on the `privilegedescalation/agents` repo — only the board may approve changes to agent configurations and prompts.
+
+## Issue Tracking
+
+- **GitHub issues are the primary tracker.** All bugs, features, and work items are tracked as GitHub issues in the relevant repo. Paperclip issues are secondary — use them to trigger and coordinate agents (assignments, status handoffs, heartbeat wakes), not as the primary record of work.
+- **GitHub issues stay open until merged.** A GitHub issue is not done when a PR is opened or approved. It is done when the fix is merged to main.
+
+## CI/CD Workflow Access
+
+Only Hugh Hackman has write access to `.github/workflows/` files. All other agents must delegate CI/CD workflow changes to him.
@@ -1,4 +1,4 @@
-# Countess von Containerheim — Tools
+# Privileged Escalation — Shared Tools

 ## GitHub Authentication

@@ -10,7 +10,7 @@ Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.

 Auto-injected env vars:

- `PAPERCLIP_API_URL` — base URL
+- `PAPERCLIP_API_URL` — base URL (fall back to `http://localhost:3100`)
 - `PAPERCLIP_API_KEY` — short-lived JWT for this run
 - `PAPERCLIP_RUN_ID` — include on all mutating requests

@@ -19,9 +19,11 @@ Auto-injected env vars:
 | Tool | Purpose |
 |---|---|
 | `gh` | GitHub CLI — issues, PRs, CI runs, repo management |
-| `git` | Version control — pull latest, check history, diff commits |
+| `git` | Version control — branches, commits, PRs |
 | `curl` | HTTP requests — Paperclip API, external services |
 | `jq` | JSON parsing and formatting |
+| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
+| `python3` | Python scripting |
 | `pnpm paperclipai` | Paperclip CLI — issue/agent operations |

 ## Repos
@@ -4,8 +4,6 @@

 Do these steps in order. Do not skip any. Do not ask for input.

-> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
-
 ### 1. Load your operating context

 Read the Paperclip skill to understand how to interact with this system:
@@ -4,8 +4,6 @@

 Do these steps in order. Do not skip any. Do not ask for input.

-> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
-
 ### 0. Authenticate with GitHub

    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
@@ -1,25 +0,0 @@
-# Addison Addington — Tools
-
-## GitHub Authentication
-
-    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
-
-Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
-
-## Paperclip API
-
-Auto-injected env vars:
-
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
-
-## Available Tools
-
-| Tool | Purpose |
-|---|---|
-| `gh` | GitHub CLI — issues, PRs, content repos |
-| `git` | Version control — branches, commits, PRs |
-| `curl` | HTTP requests — Paperclip API, external services |
-| `jq` | JSON parsing and formatting |
-| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
@@ -4,8 +4,6 @@

 Do these steps in order. Do not skip any. Do not ask for input.

-> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
-
 ### 0. Authenticate with GitHub

    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
@@ -1,32 +0,0 @@
-# Null Pointer Nancy — Tools
-
-## GitHub Authentication
-
-    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
-
-Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
-
-## Paperclip API
-
-Auto-injected env vars:
-
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
-
-## Available Tools
-
-| Tool | Purpose |
-|---|---|
-| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations |
-| `git` | Version control — branches, commits, PRs |
-| `curl` | HTTP requests — Paperclip API, external services |
-| `jq` | JSON parsing and formatting |
-| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
-
-## Repos
-
-| Repo | Owner | Purpose |
-|---|---|---|
-| `privilegedescalation/agents` | Board | Agent profiles and configuration (this repo) |
-| `privilegedescalation/headlamp-*` | Gandalf | Headlamp plugin repos |
@@ -4,8 +4,6 @@

 Do these steps in order. Do not skip any. Do not ask for input.

-> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
-
 ### 0. Authenticate with GitHub

    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
@@ -1,27 +0,0 @@
-# Gandalf the Greybeard — Tools
-
-## GitHub Authentication
-
-    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
-
-Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
-
-## Paperclip API
-
-Auto-injected env vars:
-
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
-
-## Available Tools
-
-| Tool | Purpose |
-|---|---|
-| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations |
-| `git` | Version control — branches, commits, PRs |
-| `curl` | HTTP requests — Paperclip API, external services |
-| `jq` | JSON parsing and formatting |
-| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
-| `python3` | Python scripting |
-| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
@@ -4,8 +4,6 @@

 Do these steps in order. Do not skip any. Do not ask for input.

-> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
-
 ### 0. Authenticate with GitHub

    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
@@ -1,29 +0,0 @@
-# Hugh Hackman — Tools
-
-## GitHub Authentication
-
-    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
-
-Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
-
-## Paperclip API
-
-Auto-injected env vars:
-
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
-
-## Available Tools
-
-| Tool | Purpose |
-|---|---|
-| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations |
-| `git` | Version control — branches, commits, PRs |
-| `curl` | HTTP requests — Paperclip API, external services |
-| `jq` | JSON parsing and formatting |
-| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
-| `python3` | Python scripting |
-| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
-
-> **Not installed:** `docker`, `kubectl`, `flux`. Infrastructure work requiring these must go through GitHub Actions CI/CD or request board intervention for pod-level installs.
@@ -4,8 +4,6 @@

 Do these steps in order. Do not skip any. Do not ask for input.

-> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
-
 ### 0. Authenticate with GitHub

    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
@@ -1,31 +0,0 @@
-# Regression Regina — Tools
-
-## GitHub Authentication
-
-    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
-
-Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
-
-## Paperclip API
-
-Auto-injected env vars:
-
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
-
-## Available Tools
-
-| Tool | Purpose |
-|---|---|
-| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations |
-| `git` | Version control — branches, commits, PRs |
-| `curl` | HTTP requests — Paperclip API, external services |
-| `jq` | JSON parsing and formatting |
-| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
-| `python3` | Python scripting |
-| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
-
-## Adapter Notes
-
-Regina uses the `opencode_local` adapter (MiniMax M2.5 via OpenRouter). This adapter does not support `instructionsFilePath` — the prompt must live in the `promptTemplate` field of the adapter config in the Paperclip DB. To update Regina's prompt, concatenate SOUL.md + HEARTBEAT.md and patch the DB `promptTemplate` field. See CONFIG.md for details.
@@ -4,8 +4,6 @@

 Do these steps in order. Do not skip any. Do not ask for input.

-> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
-
 ### 0. Authenticate with GitHub

    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
@@ -1,26 +0,0 @@
-# Samuel Stinkpost — Tools
-
-## GitHub Authentication
-
-    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
-
-Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
-
-## Paperclip API
-
-Auto-injected env vars:
-
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
-
-## Available Tools
-
-| Tool | Purpose |
-|---|---|
-| `gh` | GitHub CLI — issues, PRs, repo operations |
-| `git` | Version control — branches, commits, PRs |
-| `curl` | HTTP requests — Paperclip API, GitHub API, external services |
-| `jq` | JSON parsing and formatting |
-| `python3` | Data processing and scripting |
-| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |