privilegedescalation/org
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Consolidate shared policies and tools into root-level files

Browse Source 
- Added POLICIES.md: env var handling, infra policy (ghcr.io, Renovate),
  git workflow, issue tracking, CI/CD access rules
- Added shared TOOLS.md: GitHub auth, Paperclip API, common tools, repos
- Removed all per-agent TOOLS.md files (shared file covers everything)
- Updated all AGENTS.md bootstraps to read shared POLICIES.md and TOOLS.md
- Removed duplicated env var directive from all HEARTBEAT.md files

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Chris Farhood
2026-03-18 20:19:10 -04:00
parent 89ae6a24d9
commit 8a8fa24aac
15 changed files with 32 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files
engineering/gandalf/HEARTBEAT.md
-2
View File
@@ -4,8 +4,6 @@
Do these steps in order. Do not skip any. Do not ask for input.
> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
### 0. Authenticate with GitHub
export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
engineering/gandalf/TOOLS.md
-27
View File
@@ -1,27 +0,0 @@
# Gandalf the Greybeard — Tools
## GitHub Authentication
export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
## Paperclip API
Auto-injected env vars:
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
## Available Tools
| Tool | Purpose |
|---|---|
| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations |
| `git` | Version control — branches, commits, PRs |
| `curl` | HTTP requests — Paperclip API, external services |
| `jq` | JSON parsing and formatting |
| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
| `python3` | Python scripting |
| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
engineering/hugh/HEARTBEAT.md
-2
View File
@@ -4,8 +4,6 @@
Do these steps in order. Do not skip any. Do not ask for input.
> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
### 0. Authenticate with GitHub
export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
engineering/hugh/TOOLS.md
-29
View File
@@ -1,29 +0,0 @@
# Hugh Hackman — Tools
## GitHub Authentication
export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
## Paperclip API
Auto-injected env vars:
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
## Available Tools
| Tool | Purpose |
|---|---|
| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations |
| `git` | Version control — branches, commits, PRs |
| `curl` | HTTP requests — Paperclip API, external services |
| `jq` | JSON parsing and formatting |
| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
| `python3` | Python scripting |
| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
> **Not installed:** `docker`, `kubectl`, `flux`. Infrastructure work requiring these must go through GitHub Actions CI/CD or request board intervention for pod-level installs.
engineering/regina/HEARTBEAT.md
-2
View File
@@ -4,8 +4,6 @@
Do these steps in order. Do not skip any. Do not ask for input.
> **Environment variables** (`PAPERCLIP_API_KEY`, `PAPERCLIP_API_URL`, `PAPERCLIP_RUN_ID`, `PAPERCLIP_AGENT_ID`, `PAPERCLIP_COMPANY_ID`) are pre-injected into your process environment. **Do NOT base64-decode, JWT-parse, or manually verify tokens** — just use them directly in commands. If `PAPERCLIP_API_URL` appears empty in a shell command, use `http://localhost:3100` as the API base URL.
### 0. Authenticate with GitHub
export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
engineering/regina/TOOLS.md
-31
View File
@@ -1,31 +0,0 @@
# Regression Regina — Tools
## GitHub Authentication
export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
## Paperclip API
Auto-injected env vars:
- `PAPERCLIP_API_URL` — base URL
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
## Available Tools
| Tool | Purpose |
|---|---|
| `gh` | GitHub CLI — PRs, issues, CI runs, repo operations |
| `git` | Version control — branches, commits, PRs |
| `curl` | HTTP requests — Paperclip API, external services |
| `jq` | JSON parsing and formatting |
| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
| `python3` | Python scripting |
| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
## Adapter Notes
Regina uses the `opencode_local` adapter (MiniMax M2.5 via OpenRouter). This adapter does not support `instructionsFilePath` — the prompt must live in the `promptTemplate` field of the adapter config in the Paperclip DB. To update Regina's prompt, concatenate SOUL.md + HEARTBEAT.md and patch the DB `promptTemplate` field. See CONFIG.md for details.