C-level and VP agents explicitly state they do not do IC work and name
who they delegate to. IC agents declare owned domains and tech skills.
Format: scope sentence + delegation boundary + domain tags.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
All agents now have explicit NEVER DO rule: only the board may approve
or merge PRs on the agents repo (agent configurations and prompts).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- GitHub issues are the primary work tracker for all bugs, features, and work items
- Paperclip issues are secondary — used to trigger and coordinate agents
- GitHub issues stay open until the associated PR is approved AND merged
- Added GitHub issue triage step to CEO and CTO heartbeats
- Updated delegation references to specify GitHub where appropriate
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Nancy will close without merging and reprimand any PR proposing alternatives.
All agents updated to understand this is non-negotiable.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Repo renamed from privilegedescalation/privilegedescalation to
privilegedescalation/agents. All filesystem paths in agent configs,
heartbeats, and tools updated to match the new on-disk location.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Each agent gets HOME set to their cwd so ~/.gitconfig and
~/.config/gh/ don't collide between concurrent heartbeats.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Strengthen decision rules to explicitly prohibit investigating,
debugging, or reading logs. Rename heartbeat steps from "do the work"
to "triage and delegate" with clear delegation targets per signal type.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add explicit POST /api/issues/{issueId}/checkout and PATCH status
update curl templates with X-Paperclip-Run-Id headers to all agent
heartbeats. Document Gemini workspace sandboxing in Hugh's TOOLS.md.
Also removed Regina's ghost instructionsFilePath from live DB.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Single script at repo root that auto-detects GITHUB_APP_ID_* and
GITHUB_PEM_PATH_* env vars, generates a JWT, and exchanges it for a
GitHub App installation token. Contains no secrets.
Updated all heartbeats to reference the absolute path.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All agents now reference PEMs at /paperclip/secrets/github-pems/<name>.pem
instead of per-agent secrets/ subdirectories. PEMs will be mounted from a
single Kubernetes Secret. Added .gitignore to prevent accidental secret commits.
Countess GitHub App ID set to 3097914.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Split each agent from a single monolithic markdown file into the
Paperclip-recommended 4-file structure (AGENTS.md, SOUL.md, HEARTBEAT.md,
TOOLS.md) plus CONFIG.md as operational backup.
Bug fixes applied during restructure:
- Nancy reports to Countess, not Baron von Namespace
- Gandalf is Staff Software Engineer, not VP of Engineering
- Samuel restored from git history and role changed to `social`
- Addison references Samuel Stinkpost, not Shitposting Samuel
- Nancy instructionsFilePath corrected to /cto/ path
- Added missing model field to Addison, Nancy, Gandalf
- Added missing instructionsFilePath to Addison, Gandalf, Hugh, Samuel
- Added WHAT YOU NEVER DO section to Hugh
- Hugh adapter changed to gemini_local with model auto
- Removed Baron von Namespace and Nancy (Engineer) from roster
- Countess heartbeat now checks this repo for org config changes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Chris Farhood