diff --git a/POLICIES.md b/POLICIES.md new file mode 100644 index 0000000..f03b6c8 --- /dev/null +++ b/POLICIES.md @@ -0,0 +1,27 @@ +# Privileged Escalation — Shared Policies + +All agents in this org must follow these policies. + +## Environment Variables + +`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID` are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL. + +## Infrastructure + +- **Container images**: Push to `ghcr.io` only. We do not use Docker Hub, do not mirror public images, and do not maintain any other registry. +- **Dependency updates**: Managed by **Mend Renovate**. We do not use Dependabot — never enable it, never create `.github/dependabot.yml`, never reference it in workflows or docs. +- **Plugin installation**: ArtifactHub only via Headlamp's native plugin installer. No Helm-based plugin installation, no custom install scripts. + +## Git Workflow + +- All changes go through feature branches and PRs. Never push directly to main. +- Do not approve or merge PRs on the `privilegedescalation/agents` repo — only the board may approve changes to agent configurations and prompts. + +## Issue Tracking + +- **GitHub issues are the primary tracker.** All bugs, features, and work items are tracked as GitHub issues in the relevant repo. Paperclip issues are secondary — use them to trigger and coordinate agents (assignments, status handoffs, heartbeat wakes), not as the primary record of work. +- **GitHub issues stay open until merged.** A GitHub issue is not done when a PR is opened or approved. It is done when the fix is merged to main. + +## CI/CD Workflow Access + +Only Hugh Hackman has write access to `.github/workflows/` files. All other agents must delegate CI/CD workflow changes to him. 
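Review bot: the `PAPERCLIP_API_URL` fallback in the Environment Variables section turns a missing variable into a silent redirect of the short-lived `PAPERCLIP_API_KEY` to whatever is listening on `http://localhost:3100`; a heartbeat that stops with a clear error when the variable is empty is safer than guessing an endpoint, or the text should say why the fallback is acceptable in this deployment. The "Do NOT base64-decode, JWT-parse, or manually verify tokens" rule gives no rationale, and one clause such as "tokens must never be echoed into logs, issues or PRs" would make the intent clear to the agents reading it. The access rules further down (board-only approval on `privilegedescalation/agents`, write access to `.github/workflows/` limited to Hugh Hackman) read as enforced controls, but nothing in this change shows the branch protection or CODEOWNERS rule behind them; naming the mechanism next to each rule avoids a document that implies enforcement that exists only on paper.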
diff --git a/ceo/TOOLS.md b/TOOLS.md similarity index 75% rename from ceo/TOOLS.md rename to TOOLS.md index 70732fb..817c785 100644 --- a/ceo/TOOLS.md +++ b/TOOLS.md @@ -1,4 +1,4 @@ -# Countess von Containerheim — Tools +# Privileged Escalation — Shared Tools ## GitHub Authentication @@ -10,7 +10,7 @@ Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`. Auto-injected env vars: -- `PAPERCLIP_API_URL` — base URL +- `PAPERCLIP_API_URL` — base URL (fall back to `http://localhost:3100`) - `PAPERCLIP_API_KEY` — short-lived JWT for this run - `PAPERCLIP_RUN_ID` — include on all mutating requests @@ -19,9 +19,11 @@ Auto-injected env vars: | Tool | Purpose | |---|---| | `gh` | GitHub CLI — issues, PRs, CI runs, repo management | -| `git` | Version control — pull latest, check history, diff commits | +| `git` | Version control — branches, commits, PRs | | `curl` | HTTP requests — Paperclip API, external services | | `jq` | JSON parsing and formatting | +| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management | +| `python3` | Python scripting | | `pnpm paperclipai` | Paperclip CLI — issue/agent operations | ## Repos diff --git a/ceo/HEARTBEAT.md b/ceo/HEARTBEAT.md index 25e173a..b691b24 100644 --- a/ceo/HEARTBEAT.md +++ b/ceo/HEARTBEAT.md @@ -4,8 +4,6 @@ Do these steps in order. Do not skip any. Do not ask for input. -> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL. - ### 1. Load your operating context Read the Paperclip skill to understand how to interact with this system: diff --git a/cmo/HEARTBEAT.md b/cmo/HEARTBEAT.md index b9768a0..4ff5806 100644 --- a/cmo/HEARTBEAT.md +++ b/cmo/HEARTBEAT.md 
@@ -4,8 +4,6 @@ Do these steps in order. Do not skip any. Do not ask for input. -> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL. - ### 0. Authenticate with GitHub export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) diff --git a/cmo/TOOLS.md b/cmo/TOOLS.md deleted file mode 100644 index d72ad25..0000000 --- a/cmo/TOOLS.md +++ /dev/null @@ -1,25 +0,0 @@ -# Addison Addington — Tools - -## GitHub Authentication - - export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) - -Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`. - -## Paperclip API - -Auto-injected env vars: - -- `PAPERCLIP_API_URL` — base URL -- `PAPERCLIP_API_KEY` — short-lived JWT for this run -- `PAPERCLIP_RUN_ID` — include on all mutating requests - -## Available Tools - -| Tool | Purpose | -|---|---| -| `gh` | GitHub CLI — issues, PRs, content repos | -| `git` | Version control — branches, commits, PRs | -| `curl` | HTTP requests — Paperclip API, external services | -| `jq` | JSON parsing and formatting | -| `pnpm paperclipai` | Paperclip CLI — issue/agent operations | diff --git a/cto/HEARTBEAT.md b/cto/HEARTBEAT.md index 5bf339e..1128a48 100644 --- a/cto/HEARTBEAT.md +++ b/cto/HEARTBEAT.md 
@@ -4,8 +4,6 @@ Do these steps in order. Do not skip any. Do not ask for input. -> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL. - ### 0. Authenticate with GitHub export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) diff --git a/cto/TOOLS.md b/cto/TOOLS.md deleted file mode 100644 index dde3bd7..0000000 --- a/cto/TOOLS.md +++ /dev/null @@ -1,32 +0,0 @@ -# Null Pointer Nancy — Tools - -## GitHub Authentication - - export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) - -Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`. - -## Paperclip API - -Auto-injected env vars: - -- `PAPERCLIP_API_URL` — base URL -- `PAPERCLIP_API_KEY` — short-lived JWT for this run -- `PAPERCLIP_RUN_ID` — include on all mutating requests - -## Available Tools - -| Tool | Purpose | -|---|---| -| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations | -| `git` | Version control — branches, commits, PRs | -| `curl` | HTTP requests — Paperclip API, external services | -| `jq` | JSON parsing and formatting | -| `pnpm paperclipai` | Paperclip CLI — issue/agent operations | - -## Repos - -| Repo | Owner | Purpose | -|---|---|---| -| `privilegedescalation/agents` | Board | Agent profiles and configuration (this repo) | -| `privilegedescalation/headlamp-*` | Gandalf | Headlamp plugin repos | diff --git a/engineering/gandalf/HEARTBEAT.md b/engineering/gandalf/HEARTBEAT.md index b81a3e9..7ea0750 100644 --- a/engineering/gandalf/HEARTBEAT.md +++ b/engineering/gandalf/HEARTBEAT.md 
@@ -4,8 +4,6 @@ Do these steps in order. Do not skip any. Do not ask for input. -> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL. - ### 0. Authenticate with GitHub export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) diff --git a/engineering/gandalf/TOOLS.md b/engineering/gandalf/TOOLS.md deleted file mode 100644 index 0d92e30..0000000 --- a/engineering/gandalf/TOOLS.md +++ /dev/null @@ -1,27 +0,0 @@ -# Gandalf the Greybeard — Tools - -## GitHub Authentication - - export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) - -Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`. - -## Paperclip API - -Auto-injected env vars: - -- `PAPERCLIP_API_URL` — base URL -- `PAPERCLIP_API_KEY` — short-lived JWT for this run -- `PAPERCLIP_RUN_ID` — include on all mutating requests - -## Available Tools - -| Tool | Purpose | -|---|---| -| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations | -| `git` | Version control — branches, commits, PRs | -| `curl` | HTTP requests — Paperclip API, external services | -| `jq` | JSON parsing and formatting | -| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management | -| `python3` | Python scripting | -| `pnpm paperclipai` | Paperclip CLI — issue/agent operations | diff --git a/engineering/hugh/HEARTBEAT.md b/engineering/hugh/HEARTBEAT.md index b87faf3..a8e745f 100644 --- a/engineering/hugh/HEARTBEAT.md +++ b/engineering/hugh/HEARTBEAT.md 
@@ -4,8 +4,6 @@ Do these steps in order. Do not skip any. Do not ask for input. -> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL. - ### 0. Authenticate with GitHub export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) diff --git a/engineering/hugh/TOOLS.md b/engineering/hugh/TOOLS.md deleted file mode 100644 index 60548d0..0000000 --- a/engineering/hugh/TOOLS.md +++ /dev/null @@ -1,29 +0,0 @@ -# Hugh Hackman — Tools - -## GitHub Authentication - - export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) - -Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`. - -## Paperclip API - -Auto-injected env vars: - -- `PAPERCLIP_API_URL` — base URL -- `PAPERCLIP_API_KEY` — short-lived JWT for this run -- `PAPERCLIP_RUN_ID` — include on all mutating requests - -## Available Tools - -| Tool | Purpose | -|---|---| -| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations | -| `git` | Version control — branches, commits, PRs | -| `curl` | HTTP requests — Paperclip API, external services | -| `jq` | JSON parsing and formatting | -| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management | -| `python3` | Python scripting | -| `pnpm paperclipai` | Paperclip CLI — issue/agent operations | - -> **Not installed:** `docker`, `kubectl`, `flux`. Infrastructure work requiring these must go through GitHub Actions CI/CD or request board intervention for pod-level installs. diff --git a/engineering/regina/HEARTBEAT.md b/engineering/regina/HEARTBEAT.md index 2e0c031..3cc1cf0 100644 --- a/engineering/regina/HEARTBEAT.md +++ b/engineering/regina/HEARTBEAT.md 
@@ -4,8 +4,6 @@ Do these steps in order. Do not skip any. Do not ask for input. -> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL. - ### 0. Authenticate with GitHub export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) diff --git a/engineering/regina/TOOLS.md b/engineering/regina/TOOLS.md deleted file mode 100644 index d5ae2dc..0000000 --- a/engineering/regina/TOOLS.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# Regression Regina — Tools - -## GitHub Authentication - - export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) - -Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`. - -## Paperclip API - -Auto-injected env vars: - -- `PAPERCLIP_API_URL` — base URL -- `PAPERCLIP_API_KEY` — short-lived JWT for this run -- `PAPERCLIP_RUN_ID` — include on all mutating requests - -## Available Tools - -| Tool | Purpose | -|---|---| -| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations | -| `git` | Version control — branches, commits, PRs | -| `curl` | HTTP requests — Paperclip API, external services | -| `jq` | JSON parsing and formatting | -| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management | -| `python3` | Python scripting | -| `pnpm paperclipai` | Paperclip CLI — issue/agent operations | - -## Adapter Notes - -Regina uses the `opencode_local` adapter (MiniMax M2.5 via OpenRouter). This adapter does not support `instructionsFilePath` — the prompt must live in the `promptTemplate` field of the adapter config in the Paperclip DB. To update Regina's prompt, concatenate SOUL.md + HEARTBEAT.md and patch the DB `promptTemplate` field. See CONFIG.md for details. diff --git a/marketing/samuel/HEARTBEAT.md b/marketing/samuel/HEARTBEAT.md index 1ed464e..8080475 100644 --- a/marketing/samuel/HEARTBEAT.md +++ b/marketing/samuel/HEARTBEAT.md 
@@ -4,8 +4,6 @@ Do these steps in order. Do not skip any. Do not ask for input. -> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL. - ### 0. Authenticate with GitHub export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) diff --git a/marketing/samuel/TOOLS.md b/marketing/samuel/TOOLS.md deleted file mode 100644 index 687b79f..0000000 --- a/marketing/samuel/TOOLS.md +++ /dev/null @@ -1,26 +0,0 @@ -# Samuel Stinkpost — Tools - -## GitHub Authentication - - export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) - -Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`. - -## Paperclip API - -Auto-injected env vars: - -- `PAPERCLIP_API_URL` — base URL -- `PAPERCLIP_API_KEY` — short-lived JWT for this run -- `PAPERCLIP_RUN_ID` — include on all mutating requests - -## Available Tools - -| Tool | Purpose | -|---|---| -| `gh` | GitHub CLI — issues, PRs, repo operations | -| `git` | Version control — branches, commits, PRs | -| `curl` | HTTP requests — Paperclip API, GitHub API, external services | -| `jq` | JSON parsing and formatting | -| `python3` | Data processing and scripting | -| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
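Review bot: the rename of `ceo/TOOLS.md` to a shared `TOOLS.md` adds `node` / `npm` / `pnpm` / `npx` and `python3` rows for every agent, yet the deleted `cmo/TOOLS.md` and `cto/TOOLS.md` never listed them; either confirm those agents' runtimes actually ship these tools or mark the rows as engineering-only. The `## Repos` heading survives as unchanged context in the shared file, but the hunk does not show whether it still carries the `privilegedescalation/headlamp-*` row (owner Gandalf) that the deleted `cto/TOOLS.md` had, so that table should be checked before merge.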
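Review bot: all seven `HEARTBEAT.md` hunks remove the environment-variable blockquote without adding a step that reads `POLICIES.md`, so the "Do these steps in order" lists no longer deliver the token-handling rule or the `http://localhost:3100` fallback to any agent whose prompt is built only from the heartbeat. The deleted `engineering/regina/TOOLS.md` states that Regina's prompt is assembled by concatenating SOUL.md + HEARTBEAT.md into the adapter's `promptTemplate`, so for her the moved content is unreachable unless that process changes; add a "read POLICIES.md and TOOLS.md" step to the heartbeats, or state in the PR how the shared files reach each adapter.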
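Review bot: the per-agent `TOOLS.md` deletions drop two pieces of information that are not re-added anywhere in this diff: the `## Adapter Notes` section of `engineering/regina/TOOLS.md` (the `opencode_local` adapter, the `promptTemplate` workaround and the pointer to CONFIG.md) and the "Not installed: `docker`, `kubectl`, `flux`" note in `engineering/hugh/TOOLS.md`, which tells Hugh to route infrastructure work through GitHub Actions rather than a local client. Move both into CONFIG.md or the affected agents' SOUL.md before deleting the files, otherwise the constraints they record are lost with the consolidation.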