Add checkout compliance and run traceability to all agents

Add explicit POST /api/issues/{issueId}/checkout and PATCH status
update curl templates with X-Paperclip-Run-Id headers to all agent
heartbeats. Document Gemini workspace sandboxing in Hugh's TOOLS.md.
Also removed Regina's ghost instructionsFilePath from live DB.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ceo/HEARTBEAT.md

@@ -16,10 +16,32 @@ Read the Paperclip skill to understand how to interact with this system:
 
 For each open issue or unread comment:
 
+#### Checkout the issue first
+
+**You MUST checkout before doing any work. If you skip this, your work is untraceable.**
+
+    curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"agentId": "cc3abd0b-f1fb-44fd-af37-81ba3184f328", "expectedStatuses": ["todo", "backlog", "blocked"]}'
+
+Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry.
+
+#### Do the work
+
 - Read the full thread
 - Respond, redirect, or make a decision
-- Post a comment summarizing what you did
+
-- Update issue status appropriately
+#### Update issue status
+
+**Every status change MUST include the X-Paperclip-Run-Id header.**
+
+    curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"status": "done", "comment": "Summarize what you did."}'
 
 ### 3. Review org health
 

cmo/HEARTBEAT.md

@@ -20,11 +20,33 @@ Read the Paperclip skill to understand how to interact with this system:
 
 For each open issue or unread comment:
 
+#### Checkout the issue first
+
+**You MUST checkout before doing any work. If you skip this, your work is untraceable.**
+
+    curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"agentId": "606d2953-ca84-4ffc-b575-cb7e2e5897d3", "expectedStatuses": ["todo", "backlog", "blocked"]}'
+
+Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry.
+
+#### Do the work
+
 - Read the full issue thread
 - Determine action required (respond, delegate, research, draft content, open PR)
 - Take that action immediately
-- Post a comment on the issue summarizing what you did
+
-- Update issue status appropriately
+#### Update issue status
+
+**Every status change MUST include the X-Paperclip-Run-Id header.**
+
+    curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"status": "done", "comment": "Summarize what you did."}'
 
 ### 3. Check the GitHub org for signals
 

cto/HEARTBEAT.md

@@ -24,11 +24,33 @@ Orient yourself:
 
 For each open issue or unread comment:
 
+#### Checkout the issue first
+
+**You MUST checkout before doing any work. If you skip this, your work is untraceable.**
+
+    curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"agentId": "41b49768-c5c0-4473-8d52-6637de753064", "expectedStatuses": ["todo", "backlog", "blocked"]}'
+
+Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry.
+
+#### Do the work
+
 - Read the full issue thread
 - Determine action required (code review, triage, decision, delegate to Gandalf, or assign QA to Regina)
 - Take that action immediately
-- Post a comment on the issue summarizing what you did
+
-- Update issue status appropriately
+#### Update issue status
+
+**Every status change MUST include the X-Paperclip-Run-Id header.**
+
+    curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"status": "done", "comment": "Summarize what you did."}'
 
 ### 3. Merge QA-approved PRs
 

engineering/gandalf/HEARTBEAT.md

@@ -24,12 +24,34 @@ Orient yourself:
 
 For each assigned issue:
 
+#### Checkout the issue first
+
+**You MUST checkout before doing any work. If you skip this, your work is untraceable.**
+
+    curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"agentId": "28e654c9-8971-467b-ac32-5d2a287c30c7", "expectedStatuses": ["todo", "backlog", "blocked"]}'
+
+Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry.
+
+#### Do the work
+
 - Read the full thread and all context Nancy provided
 - Identify the target repo and what needs to be built or fixed
 - Implement the change, write tests, open a PR
-- Comment on the Paperclip issue with the PR link and a summary
 - Create a Paperclip issue assigned to Regression Regina (`8a627431-075d-4fc5-8f90-0bcac607e6ae`) with the PR link and what needs QA review. Always set `assigneeAgentId` explicitly.
-- Update the original issue status to `in_review`
+
+#### Update issue status
+
+**Every status change MUST include the X-Paperclip-Run-Id header.**
+
+    curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"status": "in_review", "comment": "PR link and summary of what was implemented."}'
 
 ### 3. Check open PRs for review feedback
 

engineering/hugh/TOOLS.md

@@ -6,3 +6,15 @@
 - `pnpm paperclipai issue ...` — Create, list, update, and comment on Paperclip issues
 - `pnpm paperclipai agent list` — List all agents and their status
 - `curl` — HTTP requests (e.g., loading the Paperclip skill)
+
+## Gemini Workspace Restrictions
+
+The `gemini_local` adapter sandboxes Gemini's built-in file tools (`grep_search`, `read_file`, etc.) to the workspace directory. Your repo files at `/paperclip/privilegedescalation/` are **outside** this sandbox.
+
+**Do NOT use Gemini's native file tools to access the repo.** They will fail with "Path not in workspace."
+
+Instead, use `bash` wrappers:
+
+- `cat`, `grep`, `find`, `ls` — for reading/searching files
+- `gh` — for GitHub operations
+- `curl` — for API calls

engineering/regina/HEARTBEAT.md

@@ -24,12 +24,34 @@ Orient yourself:
 
 For each assigned issue:
 
+#### Checkout the issue first
+
+**You MUST checkout before doing any work. If you skip this, your work is untraceable.**
+
+    curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"agentId": "8a627431-075d-4fc5-8f90-0bcac607e6ae", "expectedStatuses": ["todo", "backlog", "blocked"]}'
+
+Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry.
+
+#### Do the work
+
 - Read the full thread
 - Execute the requested testing or verification work
 - Document your findings clearly: what you tested, how, and what you found
-- Comment on the Paperclip issue with your results
 - If you found bugs, open GitHub issues on the affected repo with clear reproduction steps
-- Update issue status appropriately
+
+#### Update issue status
+
+**Every status change MUST include the X-Paperclip-Run-Id header.**
+
+    curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"status": "done", "comment": "Describe what you tested, how, and what you found."}'
 
 ### 3. Review open PRs that need QA
 

marketing/samuel/HEARTBEAT.md

@@ -25,12 +25,34 @@ Then orient yourself:
 
 For each assigned issue:
 
+#### Checkout the issue first
+
+**You MUST checkout before doing any work. If you skip this, your work is untraceable.**
+
+    curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"agentId": "a413e3b4-14c8-45bc-b732-439d6e296dde", "expectedStatuses": ["todo", "backlog", "blocked"]}'
+
+Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry.
+
+#### Do the work
+
 - Read the full thread including any context the CMO provided
 - Determine which mode you're in: **content writing**, **social media**, or **community**
 - Execute the work (see mode-specific rules below)
 - Open a PR to `privilegedescalation/marketing` with your output
-- Comment on the Paperclip issue with the PR link and a one-line summary
+
-- Mark the issue in-progress, or done if fully resolved
+#### Update issue status
+
+**Every status change MUST include the X-Paperclip-Run-Id header.**
+
+    curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" \
+      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
+      -H "Content-Type: application/json" \
+      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
+      -d '{"status": "done", "comment": "PR link and one-line summary."}'
 
 ### 3. If no assigned work — run your scheduled loop