Consolidate shared policies and tools into root-level files

- Added POLICIES.md: env var handling, infra policy (ghcr.io, Renovate),
  git workflow, issue tracking, CI/CD access rules
- Added shared TOOLS.md: GitHub auth, Paperclip API, common tools, repos
- Removed all per-agent TOOLS.md files (shared file covers everything)
- Updated all AGENTS.md bootstraps to read shared POLICIES.md and TOOLS.md
- Removed duplicated env var directive from all HEARTBEAT.md files

Co-Authored-By: Paperclip <noreply@paperclip.ing>

cmo/HEARTBEAT.md

@@ -4,8 +4,6 @@
 
 Do these steps in order. Do not skip any. Do not ask for input.
 
-> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
-
 ### 0. Authenticate with GitHub
 
     export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)

cmo/TOOLS.md

@@ -1,25 +0,0 @@
-# Addison Addington — Tools
-
-## GitHub Authentication
-
-    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
-
-Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
-
-## Paperclip API
-
-Auto-injected env vars:
-
-- `PAPERCLIP_API_URL` — base URL
-- `PAPERCLIP_API_KEY` — short-lived JWT for this run
-- `PAPERCLIP_RUN_ID` — include on all mutating requests
-
-## Available Tools
-
-| Tool | Purpose |
-|---|---|
-| `gh` | GitHub CLI — issues, PRs, content repos |
-| `git` | Version control — branches, commits, PRs |
-| `curl` | HTTP requests — Paperclip API, external services |
-| `jq` | JSON parsing and formatting |
-| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |