Apply agent config audit fixes (PRI-14)

Syncs repo instruction files with corrected live bundles:
- Fix Regina's agent ID in Gandalf/Hugh configs (5 refs: 8a627431 → c5f88b39)
- Create Pixel Patty's HEARTBEAT.md and SOUL.md (was missing entirely)
- Fix Karen's PRODUCT-CONTEXT.md corruption (remove escaped duplicate)
- Clean up HTML entities and escape chars in Gandalf/Hugh files
- Trim excessive personification (Nancy review tone, Gandalf title, Hugh narrative)
- Consolidate redundant ArtifactHub and review-order policy text
- Normalize paths to use $AGENT_HOME

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

hugh-hackman/HEARTBEAT.md

@@ -6,24 +6,24 @@ Do these steps in order. Do not skip any. Do not ask for input.
 
 ### 0. Authenticate with GitHub
 
-    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
+export GH_TOKEN\=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
 
 ### 1. Load your operating context
 
 Read the Paperclip skill:
 
-    curl http://localhost:3100/api/skills/paperclip | cat
+curl http://localhost:3100/api/skills/paperclip | cat
 
 Confirm your identity and capture your run ID:
 
-    curl -sf -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
-      "$PAPERCLIP_API_URL/api/agents/me" | cat
+curl -sf -H "Authorization: Bearer $PAPERCLIP_API_KEY"
+"$PAPERCLIP_API_URL/api/agents/me" | cat
 
 **Before proceeding, verify these environment variables are set. If any are missing, stop and report the problem as a Paperclip issue assigned to Nancy.**
 
-- `PAPERCLIP_API_KEY` — your auth token
-- `PAPERCLIP_API_URL` — the API base URL
-- `PAPERCLIP_RUN_ID` — the current heartbeat run ID (injected by the runtime)
+* `PAPERCLIP_API_KEY` — your auth token
+* `PAPERCLIP_API_URL` — the API base URL
+* `PAPERCLIP_RUN_ID` — the current heartbeat run ID (injected by the runtime)
 
 Working directory: /paperclip/privilegedescalation/agents/engineering/hugh
 
@@ -31,8 +31,8 @@ Working directory: /paperclip/privilegedescalation/agents/engineering/hugh
 
 List your open Paperclip issues:
 
-    curl -sf "$PAPERCLIP_API_URL/api/agents/me/inbox-lite" \
-      -H "Authorization: Bearer $PAPERCLIP_API_KEY" | cat
+curl -sf "$PAPERCLIP_API_URL/api/agents/me/inbox-lite"
+-H "Authorization: Bearer $PAPERCLIP_API_KEY" | cat
 
 For each assigned issue:
 
@@ -40,29 +40,29 @@ For each assigned issue:
 
 **You MUST checkout before doing any work. If you skip this, your work is untraceable.**
 
-    curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" \
-      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
-      -H "Content-Type: application/json" \
-      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
-      -d '{"agentId": "d99be9a8-b584-4bf9-b4eb-0fa11998dbb5", "expectedStatuses": ["todo", "backlog", "blocked"]}'
+curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout"
+-H "Authorization: Bearer $PAPERCLIP_API_KEY"
+-H "Content-Type: application/json"
+-H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID"
+-d '{"agentId": "210a68f2-ad1f-45af-88e3-4271e208f836", "expectedStatuses": ["todo", "backlog", "blocked"]}'
 
 Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry.
 
 #### 2b. Do the work
 
-- Read the full thread and all context Nancy provided
-- Determine the action required (pipeline fix, cluster config, release automation, infra change)
-- Take action: open a PR if code changes are needed, or execute the ops task directly
+* Read the full thread and all context Nancy provided
+* Determine the action required (pipeline fix, cluster config, release automation, infra change)
+* Take action: open a PR if code changes are needed, or execute the ops task directly
 
 #### 2c. Update issue status
 
 **Every status change MUST include the X-Paperclip-Run-Id header.**
 
-    curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" \
-      -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
-      -H "Content-Type: application/json" \
-      -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
-      -d '{"status": "done", "comment": "Describe what you did and link any PRs."}'
+curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}"
+-H "Authorization: Bearer $PAPERCLIP_API_KEY"
+-H "Content-Type: application/json"
+-H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID"
+-d '{"status": "done", "comment": "Describe what you did and link any PRs."}'
 
 Set `status` to `done` if complete, or `blocked` if you hit a blocker (and explain why in the comment). Always include a meaningful `comment` describing the outcome.
 
@@ -70,14 +70,14 @@ Set `status` to `done` if complete, or `blocked` if you hit a blocker (and expla
 
 Execute this command and paste the output:
 
-    gh run list --repo privilegedescalation --limit 30 --json status,conclusion,name,headBranch,updatedAt
+gh run list --repo privilegedescalation --limit 30 --json status,conclusion,name,headBranch,updatedAt
 
 **You must act on the output.** For any failing or consistently flaky runs:
 
-- Identify root cause
-- Fix it if it's an infra or pipeline issue — open a PR
-- If it's a code bug, create a Paperclip issue assigned to Gandalf (`28e654c9-8971-467b-ac32-5d2a287c30c7`)
-- If it needs QA eyes, create a Paperclip issue assigned to Regina (`8a627431-075d-4fc5-8f90-0bcac607e6ae`)
+* Identify root cause
+* Fix it if it's an infra or pipeline issue — open a PR
+* If it's a code bug, create a Paperclip issue assigned to Gandalf (`bbb16aac-bb15-4daf-b1a8-727235aefcd7`)
+* If it needs QA eyes, create a Paperclip issue assigned to Regina (`c5f88b39-e563-4409-9221-6379800dceec`)
 
 **Required gate:** You must either (a) open a PR or create an issue for a problem found, OR (b) explicitly state: "All 30 recent runs are passing. No CI/CD issues found."
 
@@ -85,17 +85,17 @@ Execute this command and paste the output:
 
 Execute this command and paste the output:
 
-    gh repo list privilegedescalation --json name,updatedAt,defaultBranchRef --limit 20
+gh repo list privilegedescalation --json name,updatedAt,defaultBranchRef --limit 20
 
 **You must act on the output.** Look for:
 
-- Stale pipelines or broken release workflows
-- Dependency or security alerts that need action
-- Repos missing CI configuration entirely
+* Stale pipelines or broken release workflows
+* Dependency or security alerts that need action
+* Repos missing CI configuration entirely
 
 Check for Dependabot/security alerts:
 
-    gh api repos/privilegedescalation/{repo}/vulnerability-alerts 2>&1 || echo "no alerts or no access"
+gh api repos/privilegedescalation/{repo}/vulnerability-alerts 2>&1 || echo "no alerts or no access"
 
 **Required gate:** You must either (a) create an issue or open a PR for a problem found, OR (b) explicitly state: "All repos healthy. No dependency or release issues found."
 
@@ -103,4 +103,4 @@ Check for Dependabot/security alerts:
 
 Each heartbeat, identify one thing that could be more automated, more reliable, or more container-native, and do it or start it.
 
-**Required gate:** You must either (a) open a PR with the improvement, OR (b) create a Paperclip issue describing the improvement and assigning it to yourself for next heartbeat, OR (c) explicitly state: "Reviewed all systems. No proactive improvements identified this cycle." with a one-sentence justification.
+**Required gate:** You must either (a) open a PR with the improvement, OR (b) create a Paperclip issue describing the improvement and assigning it to yourself for next heartbeat, OR (c) explicitly state: "Reviewed all systems. No proactive improvements identified this cycle." with a one-sentence justification.