Commit Graph

16 Commits

Author SHA1 Message Date
Chris Farhood ef259dcbb2 policy updates 2026-03-22 17:32:33 -04:00
Chris Farhood ab55b94051 Add no-package-mirrors policy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 21:20:48 -04:00
Chris Farhood 66d78ef403 Add sealed secrets policy and kubeseal to tools
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 15:52:56 -04:00
Chris Farhood 75ff06be00 Recommend Flux for dev namespace, keep kubectl as fallback
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 15:20:23 -04:00
Chris Farhood d13e094d5e Add cc @cpfarhood to PR body policy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 12:06:54 -04:00
Chris Farhood e687d9abfc Clarify two-stage GitOps deployment pipeline in POLICIES.md
Agents were assuming the org infra repo is what Flux watches directly.
The actual flow is: org/infra → cpfarhood/kubernetes (Flux watches this).

New policy explains:
- Existing resources: commit to org infra repo, Flux picks it up
- New resources (namespaces, kustomizations, secrets): also need
  a cpfarhood/kubernetes change — escalate to the board
- Never assume committing to org infra repo is always sufficient

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-21 11:24:21 -04:00
Chris Farhood 08c912deb2 Add Headlamp namespace policy: prod in kube-system, dev in privilegedescalation-dev
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-21 11:05:58 -04:00
Chris Farhood 2fd9f0691d Add dev namespace access and kubectl to POLICIES.md and TOOLS.md
Each org now has a -dev namespace where agents can freely use kubectl
for testing and iteration. Production namespaces remain Flux-only.

Access model:
- Cluster-wide: read-only
- Production namespace: read-write (Flux-managed, no manual kubectl)
- Dev namespace: read-write (agents may use kubectl freely)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-21 11:05:32 -04:00
Chris Farhood c0298d3052 Add cluster infrastructure standards to POLICIES.md, consolidate MCP in TOOLS.md
POLICIES.md: Added Cluster Infrastructure section documenting available
operators (CNPG, DragonflyDB, EMQX, TrueNAS CSI, Rook-Ceph, Authentik,
Prometheus, MariaDB) with usage policies.

TOOLS.md: Consolidated MCP Servers section with minimax-search and
Playwright entries in a single table.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-21 10:56:32 -04:00
Chris Farhood d4b984b283 Tighten Kubernetes policy: kubectl is read-only, Flux is the only write path
- POLICIES.md: explicitly list kubectl as read-only, enumerate banned
  mutating commands (apply, delete, edit, patch, create)
- Groom Book TECH_STACK.md: fixed "read/write access" to "read-only"
  and removed language implying manual kubectl apply is acceptable

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-20 23:37:30 -04:00
Chris Farhood cd62d2f6ec Add Flux GitOps deployment policy to shared POLICIES.md
All infra changes go through the infra repo and Flux reconciliation.
No manual kubectl apply, no direct cluster modifications.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-20 21:40:36 -04:00
Chris Farhood 13c5b14522 Add Task Assignment section to shared POLICIES.md
Provides every agent with the exact API calls for creating assigned
issues and reassigning existing ones. Includes curl examples with
assigneeAgentId, parentId, and run ID headers.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-20 21:15:00 -04:00
Chris Farhood 8665e041ef Add versioning policy: CalVer for most orgs, SemVer for PRI (ArtifactHub)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-20 08:21:48 -04:00
Chris Farhood b477940f2a Issues stay open until deployed and validated, not just merged
Updated across all POLICIES.md and SOUL.md files in all orgs.
Merging is a step in the process, not the finish line.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-20 08:02:25 -04:00
Chris Farhood 33c076aaa0 Enforce PR workflow: QA + CTO approve, CEO merges, GitHub branch protection
POLICIES.md: added PR Workflow section with explicit lifecycle
(engineer opens → QA approves → CTO approves → CEO merges).
Updated issue tracking to reference dual approval before merge.
Added branch protection enforcement directive.

CEO: added merge step to heartbeat, merge authority in SOUL.md,
branch protection enforcement responsibility.

CTO: removed merge authority, review and approve only.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-20 07:18:52 -04:00
Chris Farhood 8a8fa24aac Consolidate shared policies and tools into root-level files
- Added POLICIES.md: env var handling, infra policy (ghcr.io, Renovate),
  git workflow, issue tracking, CI/CD access rules
- Added shared TOOLS.md: GitHub auth, Paperclip API, common tools, repos
- Removed all per-agent TOOLS.md files (shared file covers everything)
- Updated all AGENTS.md bootstraps to read shared POLICIES.md and TOOLS.md
- Removed duplicated env var directive from all HEARTBEAT.md files

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-18 20:19:10 -04:00