Add role-based GitHub App manifests

Four roles with scoped permissions enforcing PR workflow at GitHub level:
- CEO: merge authority, org admin
- CTO: PR review/approval, full engineering + workflows
- QA: PR review/approval, read-only contents, CI monitoring
- Engineer: push branches, open PRs, CI execution

Apps are org-scoped. PEM naming: <org>-<role>.pem
Branch protection rulesets to be configured after app creation.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

github-apps/README.md

@@ -0,0 +1,36 @@
+# GitHub App Manifests
+
+Role-based GitHub Apps for the `privilegedescalation` org. Each role has scoped permissions
+to enforce the PR workflow at the GitHub level.
+
+## Roles
+
+| App | Purpose | Merge | Approve | Push |
+|-----|---------|-------|---------|------|
+| `privilegedescalation-ceo` | PR merging, org admin | yes | no | yes |
+| `privilegedescalation-cto` | PR review/approval, engineering oversight | no | yes | yes |
+| `privilegedescalation-qa` | PR review/approval, bug filing, CI monitoring | no | yes | read-only |
+| `privilegedescalation-engineer` | Code push, PR creation, CI execution | no | no | yes |
+
+## Setup
+
+1. Go to `https://github.com/organizations/privilegedescalation/settings/apps/new`
+2. Paste the JSON from the corresponding manifest file
+3. Save the private key PEM
+4. Add the PEM to the `agent-github-pems` sealed secret in `cpfarhood/kubernetes`
+5. Install the app on the `privilegedescalation` org (all repos)
+6. Update agent CONFIG.md files with the new App ID and PEM path
+
+## Branch Protection
+
+After apps are created, set up branch protection rulesets on each repo:
+- Require PRs before merging to main
+- Require 2 approvals (from CTO + QA apps)
+- Restrict who can merge to the CEO app
+- Require status checks to pass
+
+## PEM Naming Convention
+
+`/paperclip/secrets/github-pems/privilegedescalation-<role>.pem`
+
+Example: `privilegedescalation-ceo.pem`, `privilegedescalation-cto.pem`, `privilegedescalation-qa.pem`, `privilegedescalation-engineer.pem`

github-apps/ceo.json

@@ -0,0 +1,19 @@
+{
+  "name": "privilegedescalation-ceo",
+  "url": "https://github.com/privilegedescalation",
+  "hook_attributes": {
+    "url": "https://example.com/placeholder"
+  },
+  "redirect_url": "https://github.com/privilegedescalation",
+  "public": false,
+  "default_permissions": {
+    "administration": "write",
+    "contents": "write",
+    "issues": "write",
+    "pull_requests": "write",
+    "actions": "read",
+    "metadata": "read"
+  },
+  "default_events": [],
+  "description": "CEO agent \u2014 PR merging, org administration"
+}

github-apps/cto.json

@@ -0,0 +1,19 @@
+{
+  "name": "privilegedescalation-cto",
+  "url": "https://github.com/privilegedescalation",
+  "hook_attributes": {
+    "url": "https://example.com/placeholder"
+  },
+  "redirect_url": "https://github.com/privilegedescalation",
+  "public": false,
+  "default_permissions": {
+    "contents": "write",
+    "issues": "write",
+    "pull_requests": "write",
+    "actions": "write",
+    "workflows": "write",
+    "metadata": "read"
+  },
+  "default_events": [],
+  "description": "CTO agent \u2014 PR review/approval, full engineering oversight"
+}

github-apps/engineer.json

@@ -0,0 +1,19 @@
+{
+  "name": "privilegedescalation-engineer",
+  "url": "https://github.com/privilegedescalation",
+  "hook_attributes": {
+    "url": "https://example.com/placeholder"
+  },
+  "redirect_url": "https://github.com/privilegedescalation",
+  "public": false,
+  "default_permissions": {
+    "contents": "write",
+    "issues": "write",
+    "pull_requests": "write",
+    "actions": "write",
+    "pages": "write",
+    "metadata": "read"
+  },
+  "default_events": [],
+  "description": "Engineer agent \u2014 code push, PR creation, CI execution"
+}

github-apps/qa.json

@@ -0,0 +1,18 @@
+{
+  "name": "privilegedescalation-qa",
+  "url": "https://github.com/privilegedescalation",
+  "hook_attributes": {
+    "url": "https://example.com/placeholder"
+  },
+  "redirect_url": "https://github.com/privilegedescalation",
+  "public": false,
+  "default_permissions": {
+    "contents": "read",
+    "issues": "write",
+    "pull_requests": "write",
+    "actions": "read",
+    "metadata": "read"
+  },
+  "default_events": [],
+  "description": "QA agent \u2014 PR review/approval, bug filing, CI monitoring"
+}