From d8d9d23a55d1b8338b7139f3e116bea1e9c47d6f Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Wed, 18 Mar 2026 14:43:00 -0400
Subject: [PATCH] =?UTF-8?q?Revert=20memory=20commit/push=20=E2=80=94=20git?=
 =?UTF-8?q?ignore=20life/=20and=20memory/=20instead?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Agent memory files can contain secrets (API keys, credentials, infra
details). These must not be committed to git. Memory persists on the
pod's persistent volume. Git is for board-authored config only.

- Added life/ and memory/ back to .gitignore
- Removed git add/commit/push from CEO heartbeat sync (pull-only now)
- Removed auto-merge workflow (no longer needed)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/FUNDING.yml                         |  1 -
 .github/workflows/auto-merge-agent-sync.yml | 24 ---------------------
 .gitignore                                  |  4 ++++
 ceo/HEARTBEAT.md                            |  4 +---
 4 files changed, 5 insertions(+), 28 deletions(-)
 delete mode 100644 .github/FUNDING.yml
 delete mode 100644 .github/workflows/auto-merge-agent-sync.yml

diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 6aaf174..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1 +0,0 @@
-github: [privilegedescalation]
\ No newline at end of file
diff --git a/.github/workflows/auto-merge-agent-sync.yml b/.github/workflows/auto-merge-agent-sync.yml
deleted file mode 100644
index 5d3f029..0000000
--- a/.github/workflows/auto-merge-agent-sync.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Auto-merge agent-sync
-
-on:
-  push:
-    branches: [agent-sync]
-
-permissions:
-  contents: write
-
-jobs:
-  merge:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          ref: main
-      - name: Merge agent-sync into main
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git merge origin/agent-sync --no-edit
-          git push origin main
-
diff --git a/.gitignore b/.gitignore
index febb753..c73740f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,10 @@
 .gitconfig
 .kube/
 
+# Agent memory (persists on volume, contains secrets — never commit)
+life/
+memory/
+
 # Editor swap files
 *.swp
 *.swo
diff --git a/ceo/HEARTBEAT.md b/ceo/HEARTBEAT.md
index 4c15cc3..402774a 100644
--- a/ceo/HEARTBEAT.md
+++ b/ceo/HEARTBEAT.md
@@ -77,9 +77,7 @@ This repo (`/paperclip/privilegedescalation/agents`) is the canonical source of
 
     export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
     cd /paperclip/privilegedescalation/agents
-    git add -A
-    git diff --cached --quiet || git commit -m "agent: memory and runtime updates $(date -u +%Y-%m-%dT%H:%M:%SZ)"
-    git pull --rebase origin main && git push origin HEAD:refs/heads/agent-sync -f
+    git pull origin main
 
 #### 5b. Detect changes since last sync