Branch protection on main requires three status checks:
- CI / lint (pull_request) [was already satisfied]
- CI / ci (pull_request) [new: validates JSON files]
- Promotion Gate / Promotion Gate (pull_request) [new: validates skills structure]
Adding the ci job and Promotion Gate workflow so all required checks
can pass on PRs, unblocking future merges to main.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- sdlc-diagram.md: remove double blank line (MD012)
- sdlc/SKILL.md: add 'text' lang to fenced code blocks (MD040, 2 instances)
- uat/SKILL.md: add trailing newline (MD047)
These pre-existing issues were present on main and caused CI to fail
on any incoming PR.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Move Generate GitHub App token before Create GitHub Release
- Use steps.app-token.outputs.token instead of secrets.GITHUB_TOKEN
secrets.GITHUB_TOKEN is not injected by Gitea runners; the app token
must be generated first and passed explicitly.
Original work by Gandalf (commit 64b4d59, branch gandalf/restore-github-release-workflow).
Rebased onto main by CEO to resolve Gitea HTTP 500 caused by unrelated history.
Ref: PRI-1703, PRI-1702
Co-Authored-By: Paperclip <noreply@paperclip.ing>
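The ordering rule in the commit above can be checked mechanically before merge. The script below is an added example and not part of the repository: it inspects a workflow file for the two conditions the commit describes, that the step minting the app token (assumed here to carry `id: app-token`) appears before the first read of `steps.app-token.outputs.token`, and that `secrets.GITHUB_TOKEN` is not referenced anywhere, since Gitea runners do not inject it. The sample workflows it writes are constructed for the demo; the actions named in them (actions/create-github-app-token, softprops/action-gh-release) are an assumption about what the release job uses, not something the commit states.

```shell
#!/bin/sh
# Added example, not code from the repository described in the commit log.
# Static check for the Gitea Actions ordering bug: the GitHub App token must be minted
# (a step with `id: app-token`, an assumed id) before any step reads
# `steps.app-token.outputs.token`, and `secrets.GITHUB_TOKEN` must not be relied on.

# first_line_with STRING FILE: line number of the first line containing STRING (empty if none).
first_line_with() {
  grep -n -F -- "$1" "$2" | head -n 1 | cut -d: -f1
}

# check_token_order FILE: print one line per problem found; return 1 if there were any.
check_token_order() {
  file=$1
  problems=0
  gen_line=$(first_line_with 'id: app-token' "$file")
  use_line=$(first_line_with 'steps.app-token.outputs.token' "$file")
  if [ -z "$gen_line" ]; then
    echo "$file: no step with 'id: app-token' mints the app token"
    problems=$((problems + 1))
  elif [ -n "$use_line" ] && [ "$use_line" -lt "$gen_line" ]; then
    echo "$file: app token consumed on line $use_line before it is generated on line $gen_line"
    problems=$((problems + 1))
  fi
  if grep -q -F 'secrets.GITHUB_TOKEN' "$file"; then
    echo "$file: references secrets.GITHUB_TOKEN, which Gitea runners do not inject"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Constructed sample workflows (not the repository's real files), written to a temp dir whose
# path is printed. fixed.yaml matches the commit's after-state; broken.yaml the before-state.
write_sample_workflows() {
  dir=$(mktemp -d)
  cat > "$dir/fixed.yaml" <<'EOF'
name: Release
on:
  push:
    tags: ['v*']
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          token: ${{ steps.app-token.outputs.token }}
EOF
  cat > "$dir/broken.yaml" <<'EOF'
name: Release
on:
  push:
    tags: ['v*']
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          token: ${{ steps.app-token.outputs.token }}
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
EOF
  echo "$dir"
}

# Stand-alone demo: the fixed file passes, the broken one reports two problems.
dir=$(write_sample_workflows)
for wf in "$dir/fixed.yaml" "$dir/broken.yaml"; do
  if check_token_order "$wf"; then echo "$wf: ok"; fi
done
```

The check is deliberately textual (grep over the YAML) rather than a full workflow parser, so it is cheap to run as a pull_request job; its blind spot is a step whose `id:` line is written after a `run:` block that already references the token, which a real YAML-aware lint would catch.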
Gitea picks up workflows from .gitea/. Adds yamllint, shellcheck,
and a skill-frontmatter validation step alongside the existing
markdownlint run, so PRs catch malformed YAML, shell scripts, and
missing skill metadata before merge.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
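The skill-frontmatter validation step the commit mentions could look like the following. This is an added example, not the repository's own lint step: it assumes a SKILL.md must open with a `---` line, close the frontmatter block with another `---`, and set non-empty `name:` and `description:` keys inside it. The commit does not say which keys count as "skill metadata", so the required keys are an assumption, and the sample skills tree the script writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the repository's own lint step.
# Validates the YAML frontmatter of skills/*/SKILL.md: line 1 must be '---', a later '---'
# must close the block, and the block must set non-empty `name:` and `description:` keys.
# The set of required keys is an assumption; the commit only says "missing skill metadata".

# validate_skill_frontmatter FILE: return 0 if valid, else print a reason to stderr and return 1.
validate_skill_frontmatter() {
  awk -v f="$1" '
    NR == 1 && $0 != "---" { print f ": line 1 is not a frontmatter opener" > "/dev/stderr"; bad = 1; exit }
    NR > 1 && $0 == "---" { closed = 1; exit }
    NR > 1 && $0 ~ /^name:[ \t]*[^ \t]/ { has_name = 1 }
    NR > 1 && $0 ~ /^description:[ \t]*[^ \t]/ { has_desc = 1 }
    END {
      if (bad) exit 1
      if (NR == 0) { print f ": empty file" > "/dev/stderr"; exit 1 }
      if (!closed) { print f ": frontmatter opened but never closed" > "/dev/stderr"; exit 1 }
      if (!has_name) { print f ": frontmatter lacks a non-empty name" > "/dev/stderr"; exit 1 }
      if (!has_desc) { print f ": frontmatter lacks a non-empty description" > "/dev/stderr"; exit 1 }
    }' "$1"
}

# validate_all_skills SKILLS_DIR: check every */SKILL.md, print the failure count, return 1 if any failed.
validate_all_skills() {
  failures=0
  for f in "$1"/*/SKILL.md; do
    [ -f "$f" ] || continue
    validate_skill_frontmatter "$f" || failures=$((failures + 1))
  done
  echo "$failures"
  [ "$failures" -eq 0 ]
}

# Constructed sample skills tree (not the real repository) in a temp dir; prints its path.
# Two valid skills, one with an empty description, one with no frontmatter at all.
write_sample_skills() {
  dir=$(mktemp -d)
  mkdir -p "$dir/sdlc" "$dir/uat" "$dir/broken" "$dir/no-frontmatter"
  printf '%s\n' --- 'name: sdlc' 'description: Development process rules.' --- '# SDLC' > "$dir/sdlc/SKILL.md"
  printf '%s\n' --- 'name: uat' 'description: UAT procedures for Headlamp plugins.' --- '# UAT' > "$dir/uat/SKILL.md"
  printf '%s\n' --- 'name: broken' 'description:' --- '# Broken' > "$dir/broken/SKILL.md"
  printf '%s\n' '# Just a heading, no frontmatter' > "$dir/no-frontmatter/SKILL.md"
  echo "$dir"
}

# Stand-alone demo: reports the two invalid skills on stderr and prints the count.
dir=$(write_sample_skills)
echo "skills with invalid frontmatter: $(validate_all_skills "$dir")"
```

Wired into the existing lint workflow as a `run:` step against `skills/`, the non-zero exit from `validate_all_skills` is what turns a missing `name:` or `description:` into a red check on the PR; each reason line goes to stderr so the count on stdout stays machine-readable.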
- Add skills/uat/SKILL.md with concrete testing procedures for all 7 Headlamp plugins
- Update SDLC skill to reference the new uat skill for detailed procedures
- Fix namespace reference: UAT runs in headlamp-uat namespace, not privilegedescalation
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Plugin existed on GitHub but was missing from the skill inventory, causing
it to be omitted from UAT gap analysis. Count updated from 6 to 7.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The previous commit used string IDs like "qa-review" for execution policy
stages, but the API requires UUIDs and rejects non-UUID values. Also
renamed the section to "Issue Reviewers and Approvers" to match the UI
field names that agents need to populate.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Added new section explaining how to configure executionPolicy for automated reviewer handoffs
- Documented Pipeline A execution policy with QA and UAT stages
- Documented Pipeline B execution policy with single QA stage
- Explained triggering handoffs via in_review status
- Referenced Paperclip API reference for full schema
Co-Authored-By: Paperclip <noreply@paperclip.ing>
These are Paperclip platform mechanics already covered by the
Paperclip skill. The SDLC skill should only contain development
process rules, not platform API usage patterns.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace the 5-stage pipeline (CI→UAT→QA→CTO→CEO) with a three-branch
promotion chain: dev (engineer self-merge) → uat (QA gates) → main
(UAT gates). Removes CTO review stage, CEO merge bottleneck, and SLA
timelines. Each gate owner has merge authority.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
SLA timelines are meaningless to agents operating in heartbeats.
Removed the 48-hour PR review SLA from SKILL.md and the SLA
gantt chart from sdlc-diagram.md.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Restore .github/workflows/ci.yaml that was deleted in April cleanup
- Add .markdownlint.yaml with relaxed rules for skill files
- Fix MD040 error in skills/sdlc/SKILL.md (add language to code block)
- Allows line lengths > 80, emphasis-as-headings, compact tables
Fixes CI failures on 'Merge POLICIES.md content into agent instruction bundles' commit.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Board directive (PRI-1245): agents suggesting or making model changes for
other agents due to quota exhaustion is explicitly forbidden. Quota issues
must be escalated to the board.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Enhanced the ci-health-check.sh script to:
- Add stale repo detection (repos with no updates in 30+ days)
- Add CI workflow configuration checks
- Add color-coded output for better readability
- Track multiple failure types (CI failures, stale repos, no CI)
- Provide clearer summary reporting
- Increase CRITICAL_THRESHOLD to 3 for better filtering
This enables proactive monitoring of both CI health and repository
maintenance status across all privilegedescalation repos.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
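A compact version of the classification the commit describes, as an added example and not the project's ci-health-check.sh: each repo is labelled stale (30 or more days without a push), no-ci, failing, or critical, with a colour-coded line per repo and a summary. CRITICAL_THRESHOLD=3 is read here as the number of recent failed CI runs at which a repo becomes critical; the commit does not define the threshold's exact meaning, so that is an assumption. The inventory is constructed inline with fixed epoch timestamps and a pinned "now" so the output is reproducible; a real run would fill it from the forge API.

```shell
#!/bin/sh
# Added example, not the project's ci-health-check.sh.
# Classifies repositories the way the commit describes: stale (no push for STALE_DAYS or more),
# no-ci, failing, or critical. Assumption: CRITICAL_THRESHOLD is the number of recent failed
# CI runs at which a repo is flagged critical; the commit does not define it precisely.

STALE_DAYS=30
CRITICAL_THRESHOLD=3

# classify_repo NOW_EPOCH LAST_PUSH_EPOCH HAS_CI(yes|no) RECENT_FAILURES: print space-separated labels.
classify_repo() {
  now=$1; pushed=$2; has_ci=$3; failures=$4
  age_days=$(( (now - pushed) / 86400 ))
  labels=""
  [ "$has_ci" = "no" ] && labels="$labels no-ci"
  [ "$age_days" -ge "$STALE_DAYS" ] && labels="$labels stale"
  if [ "$has_ci" = "yes" ]; then
    if [ "$failures" -ge "$CRITICAL_THRESHOLD" ]; then
      labels="$labels critical"
    elif [ "$failures" -gt 0 ]; then
      labels="$labels failing"
    fi
  fi
  [ -n "$labels" ] || labels=" ok"
  echo "${labels# }"
}

# paint LABELS: colour-code when stdout is a terminal, plain text otherwise (keeps CI logs clean).
paint() {
  if [ -t 1 ]; then
    case "$1" in
      *critical*) printf '\033[31m%s\033[0m' "$1" ;;
      ok)         printf '\033[32m%s\033[0m' "$1" ;;
      *)          printf '\033[33m%s\033[0m' "$1" ;;
    esac
  else
    printf '%s' "$1"
  fi
}

# health_report NOW_EPOCH < inventory: one line per repo plus a summary; return 1 if any repo is critical.
# Inventory lines: <repo> <last_push_epoch> <has_ci yes|no> <recent_failures>
health_report() {
  now=$1; total=0; critical=0; failing=0; stale=0; noci=0
  while read -r repo pushed has_ci failures; do
    [ -n "$repo" ] || continue
    total=$((total + 1))
    labels=$(classify_repo "$now" "$pushed" "$has_ci" "$failures")
    case " $labels " in *" critical "*) critical=$((critical + 1)) ;; esac
    case " $labels " in *" failing "*)  failing=$((failing + 1)) ;; esac
    case " $labels " in *" stale "*)    stale=$((stale + 1)) ;; esac
    case " $labels " in *" no-ci "*)    noci=$((noci + 1)) ;; esac
    printf '%-20s ' "$repo"; paint "$labels"; echo
  done
  echo "summary: total=$total critical=$critical failing=$failing stale=$stale no-ci=$noci"
  [ "$critical" -eq 0 ]
}

# Constructed inventory (not real repos); "now" is pinned to 1700000000 below so output is reproducible.
sample_inventory() {
  cat <<'EOF'
headlamp-plugin-a 1699568000 yes 0
headlamp-plugin-b 1695680000 yes 4
headlamp-plugin-c 1699999000 no  0
skills            1696000000 no  0
EOF
}

# Stand-alone demo: one repo is stale and critical, two have no CI, so the report exits non-zero.
sample_inventory | health_report 1700000000 || true
```

The non-zero exit from `health_report` is what makes the script usable as a gate rather than just a dashboard: a heartbeat job that runs it fails only when something crosses CRITICAL_THRESHOLD, while stale and no-ci repos are reported but do not block.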
- Skill files use dashes for unordered lists, but markdownlint expects asterisks
- Disable MD004 to allow both dash and asterisk styles
- Aligns with existing exceptions for MD013, MD036, and MD060
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Restore .github/workflows/ci.yaml that was deleted in April cleanup
- Add .markdownlint.yaml with relaxed rules for skill files
- Fix MD040 error in skills/sdlc/SKILL.md (add language to code block)
- Allows line lengths > 80, emphasis-as-headings, compact tables
Fixes CI failures on 'Merge POLICIES.md content into agent instruction bundles' commit.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Following PRI-737 investigation, add two rules to skills/safety/SKILL.md:
1. Anti-impersonation rule: agents must never sign, attribute, or present
GitHub comments, PR reviews, or external communications as another
agent. Every comment must accurately identify the authoring agent.
2. Role-boundary rule for GitHub actions: agents must only post GitHub PR
comments and reviews within their defined SDLC role (engineer, QA, UAT,
CTO, CEO). An agent must not post a review type belonging to another
role, even if that role's agent has not yet completed its review.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
SDLC skill (250 → ~127 lines):
- Remove Hugh-exclusive .github/workflows/ language; engineers share access
- Condense 48-hour SLA from 38 to 8 lines
- Replace verbose 5-stage pipeline description with compact diagrams
- Condense handoff protocol from 17 to 5 lines
- Remove status transition rules table (redundant with handoff protocol)
- Remove agent roster (agents have UUIDs in their own AGENTS.md)
- Remove work distribution section (redundant with agent instructions)
Coding-standards skill:
- Add SemVer, ArtifactHub distribution, ghcr.io registry rules
- Add Renovate/Dependabot, no-package-mirrors, npm-audit rules
- These were previously only in individual AGENTS.md files
Part of PRI-1094 — agent and process review.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Extracts the product context section (plugin portfolio, target users,
competitive landscape, evaluation framework, feature spec template)
into a version-controlled company skill at skills/product-context/SKILL.md.
Updates CLAUDE.md with skill documentation and loading order.
Part of PRI-1094 — agent and process review.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace dismissal-threat framing with operational consequences:
- 24h: public visibility + status flag
- 48h: merge queue block + escalation
- 72h+: blocks release if critical-path
- Exceptions: documented hand-off, not absolute prohibition
This makes the enforcement mechanism work for agents (visibility/process blocking)
rather than humans (dismissal threats), matching actual organizational incentives.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>