chore: replace CEO heartbeat sync block with Paperclip routine
The board asked for sync logic to be removed from the CEO heartbeat
in favor of a dedicated Paperclip routine. Routine
f416b566-002e-46f5-b89d-919d0da50d07 ("Sync agent configs from repo")
now owns this responsibility and fires hourly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
@@ -4,112 +4,9 @@
|
||||
|
||||
Do these steps in order. Do not skip any. Do not ask for input.
|
||||
|
||||
### 1. Sync the agent roster repo and apply changes
|
||||
|
||||
**You MUST complete this step before moving on. No parallelization. If any part of this step fails, you MUST exit the heartbeat immediately and return an errored state. Do not continue to step 2 or any other step.**
|
||||
|
||||
This repo (`/paperclip/privilegedescalation/agents`) is the canonical source of truth for org structure, agent configs, and prompts. Treat repo changes as board directives — pull them and apply them.
|
||||
|
||||
#### 1a. Authenticate with GitHub and pull latest
|
||||
### 1. Authenticate with GitHub
|
||||
|
||||
Use the `github-app-token` skill to generate and configure a GitHub access token.
|
||||
cd /paperclip/privilegedescalation/agents
|
||||
git pull origin main
|
||||
|
||||
#### 1b. Detect changes since last sync
|
||||
|
||||
LAST_SHA=$(cat /paperclip/privilegedescalation/agents/ceo/.last-synced-sha 2>/dev/null || echo "")
|
||||
CURRENT_SHA=$(git -C /paperclip/privilegedescalation/agents rev-parse HEAD)
|
||||
|
||||
If `LAST_SHA` is non-empty, verify it still exists in the local history (it may be gone after a force-push or shallow clone):
|
||||
|
||||
if [ -n "$LAST_SHA" ] && \! git -C /paperclip/privilegedescalation/agents cat-file -e "$LAST_SHA" 2>/dev/null; then
|
||||
LAST_SHA="" # unreachable — treat as full resync
|
||||
fi
|
||||
|
||||
If `LAST_SHA` is empty or equals `CURRENT_SHA`, skip to step 1e. Otherwise:
|
||||
|
||||
git -C /paperclip/privilegedescalation/agents diff "$LAST_SHA".."$CURRENT_SHA" --name-only
|
||||
|
||||
#### 1c. Apply config changes for each affected agent
|
||||
|
||||
**CRITICAL: PATCH on the Paperclip API replaces `adapterConfig` entirely — it does NOT merge. You must always read-merge-write.**
|
||||
|
||||
For each agent whose files changed in the diff:
|
||||
|
||||
1. Get the agent's ID from their `CONFIG.md` Identity table
|
||||
2. Read the agent's current live config:
|
||||
|
||||
curl -sf -H "Authorization: Bearer $PAPERCLIP_API_KEY" \
|
||||
$PAPERCLIP_API_URL/api/agents/{agentId}
|
||||
|
||||
3. Read the desired config from the agent's `CONFIG.md` in the repo
|
||||
4. **Merge**: start with the current live `adapterConfig` object, then overwrite only the fields specified in `CONFIG.md`. This preserves any live-only fields (like `promptTemplate`).
|
||||
5. Write the merged config back:
|
||||
|
||||
curl -sf -X PATCH "$PAPERCLIP_API_URL/api/agents/{agentId}" \
|
||||
-H "Authorization: Bearer $PAPERCLIP_API_KEY" \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
|
||||
-d '{"adapterConfig": {MERGED_OBJECT}, "runtimeConfig": {"heartbeat": {FROM_CONFIG_MD}}, "capabilities": "{FROM_CONFIG_MD_CAPABILITIES}"}'
|
||||
|
||||
6. If the `CONFIG.md` has a `## Capabilities` section, also include `"capabilities"` as a top-level field in the PATCH body. This is a separate field from `adapterConfig`.
|
||||
|
||||
**Safety rules for the merge:**
|
||||
|
||||
- ALWAYS preserve the existing `promptTemplate` from the live config unless you are intentionally updating it
|
||||
- ALWAYS preserve `env` values that contain secrets — the repo may have redacted placeholders, do NOT overwrite live secrets with redacted values
|
||||
- For `claude_local` agents: ensure `instructionsFilePath` is always present in the merged config
|
||||
|
||||
**Copy runtime config files to agent cwd:**
|
||||
|
||||
After patching the API, copy any runtime config files (`opencode.json`, `.mcp.json`) from the agent's directory in this repo to their `cwd` (from `CONFIG.md` adapter config). These files must exist in the agent's working directory at runtime — the repo is not the cwd.
|
||||
|
||||
# For each agent with an opencode.json or .mcp.json in their repo directory:
|
||||
AGENT_CWD=$(jq -r '.cwd' <<< "$ADAPTER_CONFIG")
|
||||
mkdir -p "$AGENT_CWD"
|
||||
cp /paperclip/privilegedescalation/agents/engineering/<agent>/opencode.json "$AGENT_CWD/" 2>/dev/null || true
|
||||
cp /paperclip/privilegedescalation/agents/engineering/<agent>/.mcp.json "$AGENT_CWD/" 2>/dev/null || true
|
||||
|
||||
This applies to all `opencode_local` agents (they need `opencode.json` in cwd for permissions and MCP config) and `claude_local` agents with `.mcp.json` (for MCP server access).
|
||||
|
||||
**Handling new agents (placeholder IDs):**
|
||||
|
||||
If an agent directory exists in the diff but its `CONFIG.md` contains `<AGENT_ID_PLACEHOLDER>` (or any `<..._PLACEHOLDER>` value) instead of a real UUID, this is a **new hire** that needs to be created:
|
||||
|
||||
1. Read the agent's `CONFIG.md` to gather: role, title, adapter type, model, capabilities, heartbeat config, and adapter config
|
||||
2. Create the agent via the Paperclip API:
|
||||
|
||||
curl -sf -X POST "$PAPERCLIP_API_URL/api/companies/$PAPERCLIP_COMPANY_ID/agents" \
|
||||
-H "Authorization: Bearer $PAPERCLIP_API_KEY" \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" \
|
||||
-d '{"name": "<agent name>", "role": "<role>", "title": "<title>", "adapter": "<adapter type>", "adapterConfig": {CONFIG_FROM_MD}, "runtimeConfig": {"heartbeat": {HEARTBEAT_CONFIG}}, "capabilities": "<capabilities text>"}'
|
||||
|
||||
3. Capture the returned agent ID from the response
|
||||
4. Create a feature branch, update the agent's `CONFIG.md` (ID field and Reports To ID) and `HEARTBEAT.md` (agentId in checkout call) with the real IDs, then open a PR:
|
||||
|
||||
cd /paperclip/privilegedescalation/agents
|
||||
git checkout -b onboard-<agent-name>
|
||||
# ... edit CONFIG.md and HEARTBEAT.md to replace placeholders with real IDs ...
|
||||
git add engineering/<agent>/CONFIG.md engineering/<agent>/HEARTBEAT.md
|
||||
git commit -m "chore: fill in <agent name> agent ID and credentials"
|
||||
git push -u origin onboard-<agent-name>
|
||||
gh pr create --repo privilegedescalation/agents \
|
||||
--title "Onboard <agent name> — fill in agent ID" \
|
||||
--body "Created <agent name> via Paperclip API. This PR fills in the agent ID and credential placeholders. cc @cpfarhood"
|
||||
|
||||
5. **Do NOT merge this PR yourself.** The board must approve new hires. Switch back to `main` and continue the heartbeat.
|
||||
|
||||
git checkout main
|
||||
|
||||
#### 1d. Record sync state
|
||||
|
||||
echo "$CURRENT_SHA" > /paperclip/privilegedescalation/agents/ceo/.last-synced-sha
|
||||
|
||||
#### 1e. Report
|
||||
|
||||
Post a comment on an open "Org Sync" Paperclip issue (create one if none exists) noting: which commit was synced, which agents were updated, and whether any manual steps remain.
|
||||
|
||||
### 2. Load your operating context
|
||||
|
||||
|
||||
Reference in New Issue
Block a user