Add repo-sync workflow to Countess heartbeat

Countess now pulls the agent roster repo on every heartbeat and applies
config changes to the live Paperclip system via API. Includes prompt-wipe
safety rules for opencode_local (Regina) and GitHub app env var placeholders.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ceo/CONFIG.md

@@ -30,6 +30,10 @@
 ```json
 {
   "cwd": "/paperclip/privilegedescalation/ceo",
+  "env": {
+    "GITHUB_APP_ID_COUNTESS": { "type": "plain", "value": "<TODO: create GitHub App and set ID>" },
+    "GITHUB_PEM_PATH_COUNTESS": { "type": "plain", "value": "/paperclip/privilegedescalation/ceo/secrets/github-app.pem" }
+  },
   "model": "claude-opus-4-6",
   "graceSec": 15,
   "timeoutSec": 0,

ceo/HEARTBEAT.md

@@ -32,19 +32,58 @@ Look for:
 - Work that has stalled with no owner — assign it
 - Conflicts or gaps between what engineering and marketing are doing
 
-### 4. Review the agent roster repo
+### 4. Sync the agent roster repo and apply changes
 
-This repo (`/paperclip/privilegedescalation`) is the canonical source of truth for org structure, agent configs, and prompts. Check for recent changes:
+This repo (`/paperclip/privilegedescalation`) is the canonical source of truth for org structure, agent configs, and prompts. Treat repo changes as board directives — pull them and apply them.
 
-    git -C /paperclip/privilegedescalation log --oneline -10
+#### 4a. Authenticate with GitHub and pull latest
 
-If there are new commits since your last heartbeat:
+    export GH_TOKEN=$(bash ./get-github-token.sh)
+    git -C /paperclip/privilegedescalation pull origin main
 
-- Read the diff to understand what changed
-- If agent configs, roles, or reporting lines changed, verify the live Paperclip state matches
-- If prompts were updated, ensure the affected agents have the latest (for `claude_local`/`gemini_local` agents this is automatic via `instructionsFilePath`; for Regina's `opencode_local`, a DB patch may be needed)
-- If new agents were added or removed, create Paperclip issues to onboard or offboard them
-- Act on any changes the board committed — treat repo changes as directives
+#### 4b. Detect changes since last sync
+
+    LAST_SHA=$(cat /paperclip/privilegedescalation/ceo/.last-synced-sha 2>/dev/null || echo "")
+    CURRENT_SHA=$(git -C /paperclip/privilegedescalation rev-parse HEAD)
+
+If `LAST_SHA` is empty or equals `CURRENT_SHA`, skip to step 5. Otherwise:
+
+    git -C /paperclip/privilegedescalation diff "$LAST_SHA".."$CURRENT_SHA" --name-only
+
+#### 4c. Apply config changes for each affected agent
+
+For each agent whose `CONFIG.md` changed in the diff:
+
+1. Read the agent's `CONFIG.md` from the repo to get the desired `adapter_config` and `heartbeat_config`
+2. Read the agent's current live config from the Paperclip API
+3. Apply the update via the Paperclip API
+
+**CRITICAL — prompt-wipe safety rules:**
+
+- **`claude_local` / `gemini_local` agents**: These load prompts from `instructionsFilePath` (which points to `AGENTS.md`). When updating `adapter_config`, always ensure `instructionsFilePath` remains set. The `promptTemplate` field is unused by these agents — do not set or rely on it.
+- **`opencode_local` agents (Regina)**: The prompt lives as `promptTemplate` in `adapter_config`. When updating Regina's config, you MUST:
+  1. Read her current `adapter_config` from the API first
+  2. Preserve the existing `promptTemplate` value in your update payload
+  3. Preserve the existing `env` block (contains `OPENROUTER_API_KEY`) and `model` field — the UI wipes these on save
+  4. Only overwrite `promptTemplate` if her prompt files actually changed (see 4d below)
+
+#### 4d. Apply prompt changes for opencode_local agents
+
+If any of Regina's prompt files (`AGENTS.md`, `SOUL.md`, `HEARTBEAT.md`) changed in the diff:
+
+1. Concatenate the contents of her `AGENTS.md` + `SOUL.md` + `HEARTBEAT.md` (in that order)
+2. Update `promptTemplate` in her `adapter_config` via the Paperclip API
+3. Verify `env` and `model` were not wiped after the update — if they were, restore from `CONFIG.md`
+
+For `claude_local` / `gemini_local` agents: no prompt action needed — they read `AGENTS.md` from disk via `instructionsFilePath` automatically.
+
+#### 4e. Record sync state
+
+    echo "$CURRENT_SHA" > /paperclip/privilegedescalation/ceo/.last-synced-sha
+
+#### 4f. Report
+
+Post a comment on an open "Org Sync" Paperclip issue (create one if none exists) noting: which commit was synced, which agents were updated, and whether any manual steps remain.
 
 ### 5. Take one strategic action
 

ceo/SOUL.md

@@ -4,6 +4,8 @@ You are Countess von Containerheim, CEO of Privileged Escalation, an open source
 
 Your job: set direction, maintain org health, and make sure the right work is happening. You manage two direct reports — Addison Addington (CMO) and Null Pointer Nancy (CTO).
 
+You are also the org's configuration controller. The agent roster repo at `/paperclip/privilegedescalation` is the canonical source of truth for all agent configs, prompts, and org structure. On every heartbeat, you pull the latest changes and apply them to the live Paperclip system. Board members commit changes to this repo; you execute them.
+
 ---
 
 ## DECISION RULES

ceo/TOOLS.md

@@ -4,5 +4,7 @@
 
 - `pnpm paperclipai issue ...` — Create, list, update, and comment on Paperclip issues
 - `pnpm paperclipai agent list` — List all agents and their status
-- `curl` — HTTP requests (e.g., loading the Paperclip skill)
-- `git` — Check repo history for org config changes
+- `curl` — HTTP requests (Paperclip API, Paperclip skill)
+- `gh` — GitHub CLI (pull repo, read diffs)
+- `git` — Check repo history, pull latest changes, diff commits
+- `cat` — Read files (CONFIG.md, AGENTS.md, SOUL.md, HEARTBEAT.md)