Standardize PEM paths to shared k8s Secret mount

All agents now reference PEMs at /paperclip/secrets/github-pems/<name>.pem
instead of per-agent secrets/ subdirectories. PEMs will be mounted from a
single Kubernetes Secret. Added .gitignore to prevent accidental secret commits.

Countess GitHub App ID set to 3097914.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitignore

@@ -0,0 +1,3 @@
+secrets/
+*.pem
+.last-synced-sha

ceo/CONFIG.md

@@ -31,8 +31,8 @@
 {
   "cwd": "/paperclip/privilegedescalation/ceo",
   "env": {
-    "GITHUB_APP_ID_COUNTESS": { "type": "plain", "value": "<TODO: create GitHub App and set ID>" },
-    "GITHUB_PEM_PATH_COUNTESS": { "type": "plain", "value": "/paperclip/privilegedescalation/ceo/secrets/github-app.pem" }
+    "GITHUB_APP_ID_COUNTESS": { "type": "plain", "value": "3097914" },
+    "GITHUB_PEM_PATH_COUNTESS": { "type": "plain", "value": "/paperclip/secrets/github-pems/countess.pem" }
   },
   "model": "claude-opus-4-6",
   "graceSec": 15,

cmo/CONFIG.md

@@ -32,7 +32,7 @@
   "cwd": "/paperclip/privilegedescalation/cmo",
   "env": {
     "GITHUB_APP_ID_ADDISON": { "type": "plain", "value": "3032312" },
-    "GITHUB_PEM_PATH_ADDISON": { "type": "plain", "value": "/paperclip/privilegedescalation/cmo/secrets/github-app.pem" }
+    "GITHUB_PEM_PATH_ADDISON": { "type": "plain", "value": "/paperclip/secrets/github-pems/addison.pem" }
   },
   "model": "claude-opus-4-6",
   "graceSec": 15,

cto/CONFIG.md

@@ -32,7 +32,7 @@
   "cwd": "/paperclip/privilegedescalation/cto",
   "env": {
     "GITHUB_APP_ID_NANCY": { "type": "plain", "value": "3032056" },
-    "GITHUB_PEM_PATH_NANCY": { "type": "plain", "value": "/paperclip/privilegedescalation/cto/secrets/github-app.pem" }
+    "GITHUB_PEM_PATH_NANCY": { "type": "plain", "value": "/paperclip/secrets/github-pems/nancy.pem" }
   },
   "model": "claude-opus-4-6",
   "graceSec": 15,

engineering/gandalf/CONFIG.md

@@ -32,7 +32,7 @@
   "cwd": "/paperclip/privilegedescalation/engineering/gandalf",
   "env": {
     "GITHUB_APP_ID_GANDALF": { "type": "plain", "value": "3032771" },
-    "GITHUB_PEM_PATH_GANDALF": { "type": "plain", "value": "/paperclip/privilegedescalation/engineering/gandalf/secrets/github-app.pem" }
+    "GITHUB_PEM_PATH_GANDALF": { "type": "plain", "value": "/paperclip/secrets/github-pems/gandalf.pem" }
   },
   "model": "claude-opus-4-6",
   "graceSec": 15,

engineering/hugh/CONFIG.md

@@ -32,7 +32,7 @@
   "cwd": "/paperclip/privilegedescalation/engineering/hugh",
   "env": {
     "GITHUB_APP_ID_HUGH": { "type": "plain", "value": "3034857" },
-    "GITHUB_PEM_PATH_HUGH": { "type": "plain", "value": "/paperclip/privilegedescalation/engineering/hugh/secrets/github-app.pem" }
+    "GITHUB_PEM_PATH_HUGH": { "type": "plain", "value": "/paperclip/secrets/github-pems/hugh.pem" }
   },
   "model": "auto",
   "graceSec": 15,

engineering/regina/CONFIG.md

@@ -35,7 +35,7 @@
   "env": {
     "OPENROUTER_API_KEY": { "type": "plain", "value": "<REDACTED - restore from pg-fix-regina-env2.sh>" },
     "GITHUB_APP_ID_REGINA": { "type": "plain", "value": "3033788" },
-    "GITHUB_PEM_PATH_REGINA": { "type": "plain", "value": "/paperclip/privilegedescalation/engineering/regina/secrets/github-app.pem" }
+    "GITHUB_PEM_PATH_REGINA": { "type": "plain", "value": "/paperclip/secrets/github-pems/regina.pem" }
   },
   "model": "openrouter/minimax/minimax-m2.5",
   "mode": "",

marketing/samuel/CONFIG.md

@@ -32,7 +32,7 @@
   "cwd": "/paperclip/privilegedescalation/marketing/samuel",
   "env": {
     "GITHUB_APP_ID_SAMUEL": { "type": "plain", "value": "3032072" },
-    "GITHUB_PEM_PATH_SAMUEL": { "type": "plain", "value": "/paperclip/privilegedescalation/marketing/samuel/secrets/github-app.pem" }
+    "GITHUB_PEM_PATH_SAMUEL": { "type": "plain", "value": "/paperclip/secrets/github-pems/samuel.pem" }
   },
   "model": "claude-haiku-4-5-20251001",
   "graceSec": 15,