From c0298d3052ae0596f2bced8b3f647bb156b04a4b Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Sat, 21 Mar 2026 10:56:32 -0400 Subject: [PATCH] Add cluster infrastructure standards to POLICIES.md, consolidate MCP in TOOLS.md POLICIES.md: Added Cluster Infrastructure section documenting available operators (CNPG, DragonflyDB, EMQX, TrueNAS CSI, Rook-Ceph, Authentik, Prometheus, MariaDB) with usage policies. TOOLS.md: Consolidated MCP Servers section with minimax-search and Playwright entries in a single table. Co-Authored-By: Paperclip --- POLICIES.md | 15 +++++++++++++++ TOOLS.md | 7 +++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/POLICIES.md b/POLICIES.md index 1da1568..3807200 100644 --- a/POLICIES.md +++ b/POLICIES.md 
@@ -16,6 +16,21 @@ All agents in this org must follow these policies. All releases use **SemVer** (semantic versioning). ArtifactHub requires SemVer for Headlamp plugin packages. Do not use CalVer. +## Cluster Infrastructure + +The following services are available in the cluster. Use them via their operators — do not install standalone instances. + +| Layer | Technology | Policy | +|-------|-----------|--------| +| **Database** | CNPG (CloudNativePG) | All PostgreSQL via CNPG `Cluster` CRDs. No manual Postgres installs, no SQLite in production. | +| **Cache / Pub-sub** | DragonflyDB Operator | Redis-compatible via `Dragonfly` CRDs. No standalone Redis. | +| **MQTT** | EMQX Operator | MQTT broker via `EMQX` CRDs. For IoT and messaging workloads. | +| **Block storage** | TrueNAS CSI | All PVCs backed by TrueNAS SCALE. | +| **File / Object storage** | Rook-Ceph | CephFS for shared filesystems, RGW for S3-compatible object storage. | +| **Auth** | Authentik | OIDC/SSO for all web apps. No custom auth systems. | +| **Monitoring** | Prometheus Stack | Create ServiceMonitors and PrometheusRules for all services. AlertManager for alerting. | +| **MariaDB** | MariaDB Operator | Available via `MariaDB` CRDs if needed. Not currently used by Paperclip orgs. | + ## Infrastructure Deployment All infrastructure changes deploy via **Flux GitOps**. Flux reconciles the org's `infra` repo to the cluster automatically. diff --git a/TOOLS.md b/TOOLS.md index d47b736..20ead73 100644 --- a/TOOLS.md +++ b/TOOLS.md 
@@ -35,10 +35,13 @@ Auto-injected env vars: ## MCP Servers -| Server | URL | Available To | Purpose | -|--------|-----|-------------|----------| +| Server | Endpoint | Available To | Purpose | +|--------|----------|-------------|---------| +| `minimax-search` | Local (uvx) | VP Product, CMO | Web search and image understanding | | `playwright-privilegedescalation` | `http://playwright-privilegedescalation.paperclip.svc.cluster.local:3000/sse` | Regression Regina (QA) | Playwright browser automation for E2E testing | +MCP server configs live in each agent's `.mcp.json` (claude_local) or `opencode.json` (opencode_local). + ## GitHub Actions Runners Self-hosted ARC runners are available at the org level. Use `runs-on: runners-privilegedescalation` in workflows.
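Review bot: In the POLICIES.md hunk, the Block storage row says `All PVCs backed by TrueNAS SCALE`, but the next row assigns shared filesystems to CephFS, and CephFS volumes under Rook are normally requested through PVCs as well, so the two rows conflict as written. Scope the TrueNAS row to block volumes and name the StorageClass to use for each backend. The last row also puts `MariaDB` in the Layer column, where every other row names a function; something like `Database (MySQL-compatible)` would match the rest of the table.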
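Review bot: In the TOOLS.md hunk, the Available To column reads as an access rule, but nothing in the table or the added sentence says what enforces it, and the `playwright-privilegedescalation` endpoint is a plain `http://` in-cluster service URL. State whether access is actually restricted (for example by a NetworkPolicy) or whether the column is advisory only. For the new `minimax-search` row, `Local (uvx)` gives no package name or version; record the pinned package so every agent runs the same reviewed build.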