Update github-apps README with actual App IDs, install IDs, and agent mapping

Co-Authored-By: Paperclip <noreply@paperclip.ing>

github-apps/README.md

@@ -1,36 +1,39 @@
-# GitHub App Manifests
+# GitHub App Manifests — privilegedescalation
 
 Role-based GitHub Apps for the `privilegedescalation` org. Each role has scoped permissions
 to enforce the PR workflow at the GitHub level.
 
-## Roles
+## Apps
 
-| App | Purpose | Merge | Approve | Push |
-|-----|---------|-------|---------|------|
-| `privilegedescalation-ceo` | PR merging, org admin | yes | no | yes |
-| `privilegedescalation-cto` | PR review/approval, engineering oversight | no | yes | yes |
-| `privilegedescalation-qa` | PR review/approval, bug filing, CI monitoring | no | yes | read-only |
-| `privilegedescalation-engineer` | Code push, PR creation, CI execution | no | no | yes |
+| Role | App Name | App ID | Install ID | PEM | Permissions |
+|------|----------|--------|------------|-----|-------------|
+| CEO | `privilegedescalation-ceo` | `3140977` | `117774329` | `privilegedescalation-ceo.pem` | administration:write, contents:write, issues:write, pull_requests:write, actions:read |
+| CTO | `privilegedescalation-cto` | `3141071` | `117776738` | `privilegedescalation-cto.pem` | contents:write, issues:write, pull_requests:write, actions:write, workflows:write |
+| QA | `privilegedescalation-qa` | `3141386` | `117784524` | `privilegedescalation-qa.pem` | contents:read, issues:write, pull_requests:write, actions:read |
+| Engineer | `privilegedescalation-engineer` | `3141264` | `117781238` | `privilegedescalation-engineer.pem` | contents:write, issues:write, pull_requests:write, actions:write, pages:write |
 
-## Setup
+## Agent → App Mapping
 
-1. Go to `https://github.com/organizations/privilegedescalation/settings/apps/new`
-2. Paste the JSON from the corresponding manifest file
-3. Save the private key PEM
-4. Add the PEM to the `agent-github-pems` sealed secret in `cpfarhood/kubernetes`
-5. Install the app on the `privilegedescalation` org (all repos)
-6. Update agent CONFIG.md files with the new App ID and PEM path
+| Agent | Role | App |
+|-------|------|-----|
+| Countess von Containerheim (CEO) | ceo | `privilegedescalation-ceo` |
+| Null Pointer Nancy (CTO) | cto | `privilegedescalation-cto` |
+| Addison Addington (CMO) | ceo | `privilegedescalation-ceo` |
+| Hugh Hackman (VP devops) | engineer | `privilegedescalation-engineer` |
+| Gandalf the Greybeard | engineer | `privilegedescalation-engineer` |
+| Regression Regina (QA) | qa | `privilegedescalation-qa` |
+| Samuel Stinkpost | engineer | `privilegedescalation-engineer` |
+
+## PEM Location
+
+`/paperclip/secrets/github-pems/privilegedescalation-<role>.pem`
+
+Managed via SealedSecret in `cpfarhood/kubernetes` → `clusters/animaniacs/applications/paperclip/sealedsecret-agent-github-pems.yaml`
 
 ## Branch Protection
 
-After apps are created, set up branch protection rulesets on each repo:
+Rulesets should be configured on each repo:
 - Require PRs before merging to main
 - Require 2 approvals (from CTO + QA apps)
 - Restrict who can merge to the CEO app
 - Require status checks to pass
-
-## PEM Naming Convention
-
-`/paperclip/secrets/github-pems/privilegedescalation-<role>.pem`
-
-Example: `privilegedescalation-ceo.pem`, `privilegedescalation-cto.pem`, `privilegedescalation-qa.pem`, `privilegedescalation-engineer.pem`