Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| d05b1f5113 | |||
| ba5a95e938 | |||
| f15f4c1577 | |||
| ba88471869 | |||
| 7b8947332a | |||
| 1fce9cfc7a | |||
| 57a9865c18 | |||
| 7b526c83c0 | |||
| 3f34f8e1c8 |
-501
@@ -1,501 +0,0 @@
|
||||
schema: "paperclip/v1"
|
||||
agents:
|
||||
barkley-trimsworth:
|
||||
role: "engineer"
|
||||
icon: "shield"
|
||||
capabilities: "Security engineer responsible for code security reviews in the SDLC pipeline (post-UAT gate) and scheduled penetration testing of production and demo environments. Board-authorized for offensive security analysis."
|
||||
adapter:
|
||||
config:
|
||||
timeoutSec: 3600
|
||||
type: "claude_k8s"
|
||||
runtime:
|
||||
heartbeat:
|
||||
intervalSec: 14400
|
||||
maxConcurrentRuns: 1
|
||||
inputs:
|
||||
env:
|
||||
AGENT_HOME:
|
||||
description: "Optional default for AGENT_HOME on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/fadbc601-1528-4368-9317-31b144ed1655/instructions"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_AUTH_TOKEN:
|
||||
description: "Provide ANTHROPIC_AUTH_TOKEN for agent barkley-trimsworth"
|
||||
kind: "secret"
|
||||
default: ""
|
||||
requirement: "optional"
|
||||
ANTHROPIC_BASE_URL:
|
||||
description: "Optional default for ANTHROPIC_BASE_URL on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "https://api.minimax.io/anthropic"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_HAIKU_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_HAIKU_MODEL on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_OPUS_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_OPUS_MODEL on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_SONNET_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_SONNET_MODEL on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_MODEL:
|
||||
description: "Optional default for ANTHROPIC_MODEL on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_SMALL_FAST_MODEL:
|
||||
description: "Optional default for ANTHROPIC_SMALL_FAST_MODEL on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
API_TIMEOUT_MS:
|
||||
description: "Optional default for API_TIMEOUT_MS on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "3000000"
|
||||
requirement: "optional"
|
||||
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS:
|
||||
description: "Optional default for CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "1"
|
||||
requirement: "optional"
|
||||
GH_CONFIG_DIR:
|
||||
description: "Optional default for GH_CONFIG_DIR on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "$AGENT_HOME/.config/gh"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_ID:
|
||||
description: "Optional default for GITHUB_APP_ID on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "3141748"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_INSTALLATION_ID:
|
||||
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "117793367"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_PEM_FILE:
|
||||
description: "Optional default for GITHUB_APP_PEM_FILE on agent barkley-trimsworth"
|
||||
kind: "plain"
|
||||
default: "/secrets/groombook/groombook-engineer.pem"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
flea-flicker:
|
||||
role: "engineer"
|
||||
icon: "code"
|
||||
capabilities: "Principal software engineer responsible for core platform architecture, implementation, and technical execution."
|
||||
adapter:
|
||||
config:
|
||||
timeoutSec: 3600
|
||||
type: "claude_k8s"
|
||||
runtime:
|
||||
heartbeat:
|
||||
enabled: true
|
||||
intervalSec: 14400
|
||||
maxConcurrentRuns: 1
|
||||
inputs:
|
||||
env:
|
||||
AGENT_HOME:
|
||||
description: "Optional default for AGENT_HOME on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/515a927a-66b6-449b-aa03-653b697b30f7/instructions"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_AUTH_TOKEN:
|
||||
description: "Provide ANTHROPIC_AUTH_TOKEN for agent flea-flicker"
|
||||
kind: "secret"
|
||||
default: ""
|
||||
requirement: "optional"
|
||||
ANTHROPIC_BASE_URL:
|
||||
description: "Optional default for ANTHROPIC_BASE_URL on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "https://api.minimax.io/anthropic"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_HAIKU_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_HAIKU_MODEL on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_OPUS_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_OPUS_MODEL on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_MODEL:
|
||||
description: "Optional default for ANTHROPIC_MODEL on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_SMALL_FAST_MODEL:
|
||||
description: "Optional default for ANTHROPIC_SMALL_FAST_MODEL on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHRPOIC_DEFAULT_SONNET_MODEL:
|
||||
description: "Optional default for ANTHRPOIC_DEFAULT_SONNET_MODEL on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
API_TIMEOUT_MS:
|
||||
description: "Optional default for API_TIMEOUT_MS on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "3000000"
|
||||
requirement: "optional"
|
||||
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS:
|
||||
description: "Optional default for CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "1"
|
||||
requirement: "optional"
|
||||
GH_CONFIG_DIR:
|
||||
description: "Optional default for GH_CONFIG_DIR on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "$AGENT_HOME/.config/gh"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_ID:
|
||||
description: "Optional default for GITHUB_APP_ID on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "3141748"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_INSTALLATION_ID:
|
||||
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "117793367"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_PEM_FILE:
|
||||
description: "Optional default for GITHUB_APP_PEM_FILE on agent flea-flicker"
|
||||
kind: "plain"
|
||||
default: "/secrets/groombook/groombook-engineer.pem"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
lint-roller:
|
||||
role: "qa"
|
||||
icon: "bug"
|
||||
capabilities: "Senior QA engineer responsible for test strategy, quality assurance, bug tracking, and release validation."
|
||||
adapter:
|
||||
config:
|
||||
timeoutSec: 3600
|
||||
type: "claude_k8s"
|
||||
runtime:
|
||||
heartbeat:
|
||||
enabled: true
|
||||
intervalSec: 14400
|
||||
maxConcurrentRuns: 1
|
||||
inputs:
|
||||
env:
|
||||
AGENT_HOME:
|
||||
description: "Optional default for AGENT_HOME on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/16fa774c-bbab-4647-9f8d-24807b83a24f/instructions"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_AUTH_TOKEN:
|
||||
description: "Provide ANTHROPIC_AUTH_TOKEN for agent lint-roller"
|
||||
kind: "secret"
|
||||
default: ""
|
||||
requirement: "optional"
|
||||
ANTHROPIC_BASE_URL:
|
||||
description: "Optional default for ANTHROPIC_BASE_URL on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "https://api.minimax.io/anthropic"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_HAIKU_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_HAIKU_MODEL on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_OPUS_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_OPUS_MODEL on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_SONNET_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_SONNET_MODEL on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_MODEL:
|
||||
description: "Optional default for ANTHROPIC_MODEL on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_SMALL_FAST_MODEL:
|
||||
description: "Optional default for ANTHROPIC_SMALL_FAST_MODEL on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
API_TIMEOUT_MS:
|
||||
description: "Optional default for API_TIMEOUT_MS on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "3000000"
|
||||
requirement: "optional"
|
||||
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS:
|
||||
description: "Optional default for CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "1"
|
||||
requirement: "optional"
|
||||
GH_CONFIG_DIR:
|
||||
description: "Optional default for GH_CONFIG_DIR on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "$AGENT_HOME/.config/gh"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_ID:
|
||||
description: "Optional default for GITHUB_APP_ID on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "3141835"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_INSTALLATION_ID:
|
||||
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "117794928"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_PEM_FILE:
|
||||
description: "Optional default for GITHUB_APP_PEM_FILE on agent lint-roller"
|
||||
kind: "plain"
|
||||
default: "/secrets/groombook/groombook-qa.pem"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
pawla-abdul:
|
||||
role: "cmo"
|
||||
icon: "target"
|
||||
capabilities: "Chief Marketing & Product Officer responsible for marketing strategy, market positioning, brand management, product strategy, feature intake and prioritization (PDLC gate), product research, and public-facing content. Primary reviewer of all feature requests — returns Accept, Backlog, or Deny decisions to the CEO before any engineering work begins."
|
||||
adapter:
|
||||
config:
|
||||
model: "claude-haiku-4-5-20251001"
|
||||
type: "claude_k8s"
|
||||
runtime:
|
||||
heartbeat:
|
||||
intervalSec: 14400
|
||||
inputs:
|
||||
env:
|
||||
AGENT_HOME:
|
||||
description: "Optional default for AGENT_HOME on agent pawla-abdul"
|
||||
kind: "plain"
|
||||
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/7332abb9-4f85-4f87-ba13-aa7e0d5a2963/instructions"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
GH_CONFIG_DIR:
|
||||
description: "Optional default for GH_CONFIG_DIR on agent pawla-abdul"
|
||||
kind: "plain"
|
||||
default: "$AGENT_HOME/.config/gh"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_ID:
|
||||
description: "Optional default for GITHUB_APP_ID on agent pawla-abdul"
|
||||
kind: "plain"
|
||||
default: "3141748"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_INSTALLATION_ID:
|
||||
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent pawla-abdul"
|
||||
kind: "plain"
|
||||
default: "117793367"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_PEM_FILE:
|
||||
description: "Optional default for GITHUB_APP_PEM_FILE on agent pawla-abdul"
|
||||
kind: "plain"
|
||||
default: "/secrets/groombook/groombook-engineer.pem"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
MINIMAX_API_BASE_URL:
|
||||
description: "Optional default for MINIMAX_API_BASE_URL on agent pawla-abdul"
|
||||
kind: "plain"
|
||||
default: "https://api.minimax.io"
|
||||
requirement: "optional"
|
||||
MINIMAX_API_KEY:
|
||||
description: "Optional default for MINIMAX_API_KEY on agent pawla-abdul"
|
||||
kind: "secret"
|
||||
default: ""
|
||||
requirement: "optional"
|
||||
scrubs-mcbarkley:
|
||||
role: "ceo"
|
||||
icon: "crown"
|
||||
capabilities: "CEO responsible for company strategy, product roadmap, organizational coordination, hiring, and final production merge authority. Owns the PDLC gate: routes feature requests through CMPO review, approves or denies work, and is the sole agent authorized to merge to production."
|
||||
adapter:
|
||||
config:
|
||||
dangerouslySkipPermissions: true
|
||||
maxTurnsPerRun: 300
|
||||
model: "claude-sonnet-4-6"
|
||||
type: "claude_local"
|
||||
runtime:
|
||||
heartbeat:
|
||||
intervalSec: 28800
|
||||
maxConcurrentRuns: 1
|
||||
permissions:
|
||||
canCreateAgents: true
|
||||
inputs:
|
||||
env:
|
||||
AGENT_HOME:
|
||||
description: "Optional default for AGENT_HOME on agent scrubs-mcbarkley"
|
||||
kind: "plain"
|
||||
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/1471aa94-e2b4-46b7-8fe7-084865d662fe/instructions"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
GH_CONFIG_DIR:
|
||||
description: "Optional default for GH_CONFIG_DIR on agent scrubs-mcbarkley"
|
||||
kind: "plain"
|
||||
default: "$AGENT_HOME/.config/gh"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_ID:
|
||||
description: "Optional default for GITHUB_APP_ID on agent scrubs-mcbarkley"
|
||||
kind: "plain"
|
||||
default: "3141498"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_INSTALLATION_ID:
|
||||
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent scrubs-mcbarkley"
|
||||
kind: "plain"
|
||||
default: "117787139"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_PEM_FILE:
|
||||
description: "Optional default for GITHUB_APP_PEM_FILE on agent scrubs-mcbarkley"
|
||||
kind: "plain"
|
||||
default: "/secrets/groombook/groombook-ceo.pem"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
shedward-scissorhands:
|
||||
role: "qa"
|
||||
icon: "microscope"
|
||||
capabilities: "User acceptance testing via Playwright MCP. Performs exhaustive pre-production browser evaluation — navigates every page, clicks every interactive element, walks all critical user flows, and blocks releases when defects are found."
|
||||
adapter:
|
||||
config:
|
||||
graceSec: 15
|
||||
timeoutSec: 3600
|
||||
type: "claude_k8s"
|
||||
runtime:
|
||||
heartbeat:
|
||||
enabled: true
|
||||
intervalSec: 14400
|
||||
maxConcurrentRuns: 1
|
||||
inputs:
|
||||
env:
|
||||
AGENT_HOME:
|
||||
description: "Optional default for AGENT_HOME on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/22f13aec-6df2-4d24-be70-66e0abad7e12/instructions"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_AUTH_TOKEN:
|
||||
description: "Provide ANTHROPIC_AUTH_TOKEN for agent shedward-scissorhands"
|
||||
kind: "secret"
|
||||
default: ""
|
||||
requirement: "optional"
|
||||
ANTHROPIC_BASE_URL:
|
||||
description: "Optional default for ANTHROPIC_BASE_URL on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "https://api.minimax.io/anthropic"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_HAIKU_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_HAIKU_MODEL on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_OPUS_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_OPUS_MODEL on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_DEFAULT_SONNET_MODEL:
|
||||
description: "Optional default for ANTHROPIC_DEFAULT_SONNET_MODEL on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHROPIC_MODEL:
|
||||
description: "Optional default for ANTHROPIC_MODEL on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
ANTHRPOIC_SMALL_FAST_MODEL:
|
||||
description: "Optional default for ANTHRPOIC_SMALL_FAST_MODEL on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "MiniMax-M2.7"
|
||||
requirement: "optional"
|
||||
API_TIMEOUT_MS:
|
||||
description: "Optional default for API_TIMEOUT_MS on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "3000000"
|
||||
requirement: "optional"
|
||||
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS:
|
||||
description: "Optional default for CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "1"
|
||||
requirement: "optional"
|
||||
GH_CONFIG_DIR:
|
||||
description: "Optional default for GH_CONFIG_DIR on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "$AGENT_HOME/.config/gh"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_ID:
|
||||
description: "Optional default for GITHUB_APP_ID on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "3141835"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_INSTALLATION_ID:
|
||||
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "117794928"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_PEM_FILE:
|
||||
description: "Optional default for GITHUB_APP_PEM_FILE on agent shedward-scissorhands"
|
||||
kind: "plain"
|
||||
default: "/secrets/groombook/groombook-qa.pem"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
the-dogfather:
|
||||
role: "cto"
|
||||
icon: "cpu"
|
||||
capabilities: "Owns technical roadmap, architecture, engineering hiring, and execution. First engineering leader for a pet grooming platform."
|
||||
adapter:
|
||||
config:
|
||||
effort: "high"
|
||||
graceSec: 15
|
||||
model: "claude-opus-4-6"
|
||||
timeoutSec: 0
|
||||
type: "claude_k8s"
|
||||
runtime:
|
||||
heartbeat:
|
||||
intervalSec: 14400
|
||||
maxConcurrentRuns: 1
|
||||
inputs:
|
||||
env:
|
||||
AGENT_HOME:
|
||||
description: "Optional default for AGENT_HOME on agent the-dogfather"
|
||||
kind: "plain"
|
||||
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/2a556501-95e0-4e52-9cf1-e2034678285d/instructions"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
GH_CONFIG_DIR:
|
||||
description: "Optional default for GH_CONFIG_DIR on agent the-dogfather"
|
||||
kind: "plain"
|
||||
default: "$AGENT_HOME/.config/gh"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_ID:
|
||||
description: "Optional default for GITHUB_APP_ID on agent the-dogfather"
|
||||
kind: "plain"
|
||||
default: "3141591"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_INSTALLATION_ID:
|
||||
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent the-dogfather"
|
||||
kind: "plain"
|
||||
default: "117788845"
|
||||
requirement: "optional"
|
||||
GITHUB_APP_PEM_FILE:
|
||||
description: "Optional default for GITHUB_APP_PEM_FILE on agent the-dogfather"
|
||||
kind: "plain"
|
||||
default: "/secrets/groombook/groombook-cto.pem"
|
||||
portability: "system_dependent"
|
||||
requirement: "optional"
|
||||
company:
|
||||
brandColor: "#96d35f"
|
||||
logoPath: "images/company-logo.png"
|
||||
sidebar:
|
||||
agents:
|
||||
- "scrubs-mcbarkley"
|
||||
- "pawla-abdul"
|
||||
- "the-dogfather"
|
||||
- "barkley-trimsworth"
|
||||
- "flea-flicker"
|
||||
- "lint-roller"
|
||||
- "shedward-scissorhands"
|
||||
@@ -1,39 +0,0 @@
|
||||
# CLAUDE.md
|
||||
|
||||
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
|
||||
|
||||
## What This Repo Is
|
||||
|
||||
This is the **GitHub org-level configuration repository** (`groombook/.github`) for GroomBook — an open-source, self-hostable pet grooming business management platform. It contains:
|
||||
|
||||
- `profile/` — GitHub organization profile README and logo
|
||||
- `company/` — Paperclip AI company configuration export (agent definitions, skills, projects)
|
||||
|
||||
There is no application code, build system, or test suite here. This repo is purely configuration and documentation.
|
||||
|
||||
## Related Repositories
|
||||
|
||||
| Repo | Purpose |
|
||||
|------|---------|
|
||||
| `groombook/groombook` | Primary application (TypeScript, Node.js, React, PostgreSQL) |
|
||||
| `groombook/agents` | Canonical agent definitions — prompts, personas, heartbeats, adapter configs |
|
||||
| `groombook/infra` | Kubernetes manifests for Flux GitOps deployment |
|
||||
|
||||
## Company Directory (`company/`)
|
||||
|
||||
This is an export from [Paperclip](https://paperclip.ing) and contains a snapshot of the agent company configuration:
|
||||
|
||||
- `.paperclip.yaml` — Full agent configuration (adapters, heartbeats, env vars, permissions)
|
||||
- `agents/` — Per-agent directories with prompt files (AGENTS.md, SOUL.md, HEARTBEAT.md, etc.)
|
||||
- `skills/` — Shared skill definitions sourced from external repos (cpfarhood, fluxcd, paperclipai)
|
||||
- `projects/` — Project definitions (groombook-app, groombook-infra, groombook-org, groombook-site, onboarding)
|
||||
- `COMPANY.md` — Company metadata frontmatter
|
||||
|
||||
The canonical source for agent configurations is the `groombook/agents` repo. The `company/` directory here is a synced export — do not treat it as the source of truth for agent prompts or configs.
|
||||
|
||||
## Key Policies
|
||||
|
||||
- **Container images**: `ghcr.io` only — no Docker Hub, no mirrors
|
||||
- **Dependency updates**: Mend Renovate only — never use Dependabot
|
||||
- **Versioning**: CalVer format `YYYY.MDD.PATCH` (e.g., `2026.318.0`), not SemVer
|
||||
- **All PRs**: Include `cc @cpfarhood` at the bottom of the PR body
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
name: "GroomBook"
|
||||
description: "An open source business management solution for pet groomers."
|
||||
schema: "agentcompanies/v1"
|
||||
slug: "groombook"
|
||||
---
|
||||
|
||||
@@ -1,62 +1,3 @@
|
||||
# GroomBook
|
||||
# Privileged Escalation
|
||||
|
||||
> An open source business management solution for pet groomers.
|
||||
|
||||

|
||||
|
||||
## What's Inside
|
||||
|
||||
> This is an [Agent Company](https://agentcompanies.io) package from [Paperclip](https://paperclip.ing)
|
||||
|
||||
| Content | Count |
|
||||
|---------|-------|
|
||||
| Agents | 7 |
|
||||
| Skills | 20 |
|
||||
|
||||
### Agents
|
||||
|
||||
| Agent | Role | Reports To |
|
||||
|-------|------|------------|
|
||||
| Barkley Trimsworth | Engineer | the-dogfather |
|
||||
| Flea Flicker | Engineer | the-dogfather |
|
||||
| Lint Roller | qa | the-dogfather |
|
||||
| Pawla Abdul | CMO | scrubs-mcbarkley |
|
||||
| Scrubs McBarkley | CEO | — |
|
||||
| Shedward Scissorhands | qa | the-dogfather |
|
||||
| The Dogfather | CTO | scrubs-mcbarkley |
|
||||
|
||||
### Skills
|
||||
|
||||
| Skill | Description | Source |
|
||||
|-------|-------------|--------|
|
||||
| better-auth-best-practices | Configure Better Auth server and client, set up database adapters, manage sessions, add plugins, and handle environment variables. Use when users mention Better Auth, betterauth, auth.ts, or need to set up TypeScript authentication with email/password, OAuth, or plugin configuration. | [github](https://github.com/better-auth/skills) |
|
||||
| better-auth-security-best-practices | Configure rate limiting, manage auth secrets, set up CSRF protection, define trusted origins, secure sessions and cookies, encrypt OAuth tokens, track IP addresses, and implement audit logging for Better Auth. Use when users need to secure their auth setup, prevent brute force attacks, or harden a Better Auth deployment. | [github](https://github.com/better-auth/skills) |
|
||||
| create-auth-skill | Scaffold and implement authentication in TypeScript/JavaScript apps using Better Auth. Detect frameworks, configure database adapters, set up route handlers, add OAuth providers, and create auth UI pages. Use when users want to add login, sign-up, or authentication to a new or existing project with Better Auth. | [github](https://github.com/better-auth/skills) |
|
||||
| email-and-password-best-practices | Configure email verification, implement password reset flows, set password policies, and customise hashing algorithms for Better Auth email/password authentication. Use when users need to set up login, sign-in, sign-up, credential authentication, or password security with Better Auth. | [github](https://github.com/better-auth/skills) |
|
||||
| organization-best-practices | Configure multi-tenant organizations, manage members and invitations, define custom roles and permissions, set up teams, and implement RBAC using Better Auth's organization plugin. Use when users need org setup, team management, member roles, access control, or the Better Auth organization plugin. | [github](https://github.com/better-auth/skills) |
|
||||
| two-factor-authentication-best-practices | Configure TOTP authenticator apps, send OTP codes via email/SMS, manage backup codes, handle trusted devices, and implement 2FA sign-in flows using Better Auth's twoFactor plugin. Use when users need MFA, multi-factor authentication, authenticator setup, or login security with Better Auth. | [github](https://github.com/better-auth/skills) |
|
||||
| github-app-token | Generate a GitHub installation access token from a GitHub App PEM key, App ID, and Installation ID, write it to a per-agent file, then authenticate the gh CLI with it. | [github](https://github.com/farhoodliquor/skills) |
|
||||
| minimax-image-generation | — | [github](https://github.com/farhoodliquor/skills) |
|
||||
| shannon | Autonomous AI pentester for web apps and APIs. Run white-box security assessments with Shannon — analyzes source code, identifies attack vectors, and executes real exploits to prove vulnerabilities. Triggered by 'shannon', 'pentest', 'security audit', 'vuln scan'. | [github](https://github.com/farhoodliquor/skills) |
|
||||
| commit-assisted-by | > | [github](https://github.com/fluxcd/agent-skills) |
|
||||
| flux-controller-patch-releases | > | [github](https://github.com/fluxcd/agent-skills) |
|
||||
| gitops-cluster-debug | > | [github](https://github.com/fluxcd/agent-skills) |
|
||||
| gitops-knowledge | > | [github](https://github.com/fluxcd/agent-skills) |
|
||||
| gitops-repo-audit | > | [github](https://github.com/fluxcd/agent-skills) |
|
||||
| check-pr | > | [github](https://github.com/greptileai/skills) |
|
||||
| greploop | > | [github](https://github.com/greptileai/skills) |
|
||||
| paperclip-create-agent | > | [github](https://github.com/paperclipai/paperclip/tree/master/skills/paperclip-create-agent) |
|
||||
| paperclip-create-plugin | > | [github](https://github.com/paperclipai/paperclip/tree/master/skills/paperclip-create-plugin) |
|
||||
| paperclip | > | [github](https://github.com/paperclipai/paperclip/tree/master/skills/paperclip) |
|
||||
| para-memory-files | > | [github](https://github.com/paperclipai/paperclip/tree/master/skills/para-memory-files) |
|
||||
|
||||
## Getting Started
|
||||
|
||||
```bash
|
||||
pnpm paperclipai company import this-github-url-or-folder
|
||||
```
|
||||
|
||||
See [Paperclip](https://paperclip.ing) for more information.
|
||||
|
||||
---
|
||||
Exported from [Paperclip](https://paperclip.ing) on 2026-04-16
|
||||
Org-level content, social media queue, and community responses.
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
---
|
||||
title: "Six Headlamp Plugins Nobody Asked For"
|
||||
date: 2026-03-07
|
||||
author: Privileged Escalation
|
||||
type: blog
|
||||
status: draft
|
||||
---
|
||||
|
||||
# Six Headlamp Plugins Nobody Asked For
|
||||
|
||||
There's a particular kind of optimism that only exists in open source. It's the belief that if you build something genuinely useful, put it on GitHub, list it on Artifact Hub, write actual documentation, and then wait — someone will eventually find it.
|
||||
|
||||
We're currently in the "wait" phase.
|
||||
|
||||
## What We Actually Built
|
||||
|
||||
Privileged Escalation makes [Headlamp](https://headlamp.dev/) plugins. If you don't know what Headlamp is: it's a CNCF-listed Kubernetes dashboard that was designed to be extended. If you don't know what Kubernetes is, this blog post is going to be a rough ride.
|
||||
|
||||
We have six plugins. Each one takes something you'd normally do with `kubectl`, a terminal, and quiet desperation, and puts it in a web UI that your teammates might actually use.
|
||||
|
||||
**[headlamp-polaris-plugin](https://github.com/privilegedescalation/headlamp-polaris-plugin)** — Surfaces Fairwinds Polaris audit results directly in Headlamp. Cluster score in the app bar, per-namespace breakdowns, exemption management from the UI instead of annotation YAML editing. Recently hit v0.6.0 with dark mode support, because apparently that's what it takes to be taken seriously in 2026.
|
||||
|
||||
**[headlamp-tns-csi-plugin](https://github.com/privilegedescalation/headlamp-tns-csi-plugin)** — TrueNAS CSI driver visibility and storage benchmarking via kbench. If you've ever wondered whether your NFS share is actually performing the way iX Systems promised, this is the plugin that tells you the uncomfortable truth.
|
||||
|
||||
**[headlamp-rook-plugin](https://github.com/privilegedescalation/headlamp-rook-plugin)** — Rook-Ceph cluster health, pool status, and CSI driver monitoring. For people who chose distributed storage and now live with the consequences.
|
||||
|
||||
**[headlamp-sealed-secrets-plugin](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin)** — Bitnami Sealed Secrets management with client-side RSA-OAEP and AES-256-GCM encryption. Your plaintext never leaves the browser. We're fairly proud of this one, which is why it hurts that it has zero stars.
|
||||
|
||||
**[headlamp-intel-gpu-plugin](https://github.com/privilegedescalation/headlamp-intel-gpu-plugin)** — Intel GPU device visibility and resource monitoring. For the subset of people running Intel GPUs in Kubernetes, which is a smaller group than Intel's marketing department would like.
|
||||
|
||||
**[headlamp-kube-vip-plugin](https://github.com/privilegedescalation/headlamp-kube-vip-plugin)** — kube-vip virtual IP and load balancer visibility. Because sometimes you just need to know if the VIP is actually where it's supposed to be.
|
||||
|
||||
## Why Headlamp Plugins
|
||||
|
||||
The Kubernetes dashboard space is... let's call it "stratified." There are expensive commercial options that do everything. There are free options that do almost nothing. And then there's Headlamp, which does a reasonable amount and lets you extend it.
|
||||
|
||||
We chose the extension path. Every plugin installs through Headlamp's native plugin system — no separate deployments, no new URLs to bookmark, no "please also install this sidecar that needs its own RBAC." You add a plugin and it appears in the sidebar. That's it.
|
||||
|
||||
This matters because the alternative is what most teams actually do: they `kubectl` their way through everything, pipe JSON through `jq`, and call it observability. It works. It's also miserable if you're trying to onboard anyone who doesn't have muscle memory for `kubectl get pods -n rook-ceph -o jsonpath='{.items[*].status.phase}'`.
|
||||
|
||||
## The Honest Part
|
||||
|
||||
We launched all six plugins in the same week. Combined star count across all repos: zero. Combined fork count: one, and we're not entirely sure it was intentional.
|
||||
|
||||
Our CI is sometimes in a state that could charitably be described as "aspirational." We filed a bug against ourselves about E2E tests that have never passed because we haven't set up the test infrastructure yet. We committed LICENSE badges to READMEs before we committed the actual LICENSE files.
|
||||
|
||||
This is normal. This is what early open source looks like before the narrative gets cleaned up. We'd rather be honest about it than pretend we emerged fully formed with 200 stars and a contributor covenant.
|
||||
|
||||
## What's Next
|
||||
|
||||
We're working on getting every plugin listed on Artifact Hub with proper metadata, fixing the CI pipelines that are currently failing for reasons ranging from "missing secrets" to "format check disagreements," and writing the kind of documentation that makes people confident enough to actually install something.
|
||||
|
||||
If you run Headlamp and any of these plugins sound useful, try one. If something breaks, file an issue. If it works and you like it, a star would be nice. We're not above admitting that.
|
||||
|
||||
All plugins are Apache-2.0 licensed. All repos are at [github.com/privilegedescalation](https://github.com/privilegedescalation).
|
||||
@@ -0,0 +1,142 @@
|
||||
# Changelog: March 9 Release Roundup
|
||||
|
||||
**Posted**: March 11, 2026 | **Applies to**: Headlamp Plugins (all versions)
|
||||
|
||||
Five days after the March 4 release cycle, four more plugins shipped point releases. This post covers what changed, why it matters, and what broke along the way (spoiler: not much).
|
||||
|
||||
---
|
||||
|
||||
## The Releases
|
||||
|
||||
### Rook v0.2.7
|
||||
|
||||
**What changed**:
|
||||
- Improved OSD status visibility across distributed Ceph clusters
|
||||
- Better handling of pool rebalancing edge cases
|
||||
- Fixed a rendering bug when a cluster had >32 OSDs
|
||||
- Updated Ceph API compatibility to 0.94.x range
|
||||
|
||||
**Why it matters**:
|
||||
If you're running Ceph at any real scale, you've hit the "how many OSDs are rebalancing right now?" question. The dashboard now shows OSD-level state transitions in the UI, so you're not digging through `ceph status` output looking for the one node that's resynchronizing. The >32 OSD fix addresses the fact that someone actually had 48 OSDs and reported it in the issue.
|
||||
|
||||
**Backwards compatibility**: ✅ Full. Existing deployments see UI improvements immediately, no config changes needed.
|
||||
|
||||
---
|
||||
|
||||
### Sealed Secrets v0.2.23
|
||||
|
||||
**What changed**:
|
||||
- Updated to sealed-secrets upstream v0.27.0
|
||||
- Improved secret rotation workflow UX (showing cleartext preview warning)
|
||||
- Fixed a bug where the secret values list didn't sort properly by age
|
||||
- Added copy-to-clipboard for encrypted values (for debugging)
|
||||
|
||||
**Why it matters**:
|
||||
The main win is the upstream sync. Sealed Secrets v0.27.0 fixed a subtle bug where RSA key rotation could leave orphaned secrets. The UX improvements matter because operators rotating secrets now see a clear warning before they preview plaintext — "this is temporary for debugging," not "let me read passwords." The copy-to-clipboard thing is tiny, but debugging encrypted values at scale is annoying enough that people asked for it.
|
||||
|
||||
**Backwards compatibility**: ✅ Full. Keys from v0.2.22 work unchanged.
|
||||
|
||||
---
|
||||
|
||||
### Intel GPU v0.4.2
|
||||
|
||||
**What changed**:
|
||||
- Fixed node-level GPU memory tracking (was under-reporting available VRAM on some driver versions)
|
||||
- Added per-workload GPU utilization chart (alpha, feedback welcome)
|
||||
- Improved support for mixed-generation GPU clusters (Xe + Arc)
|
||||
- Better error messages when Intel GPU drivers are misconfigured
|
||||
|
||||
**Why it matters**:
|
||||
The memory tracking fix is the critical one. If your scheduler wasn't placing workloads on GPU nodes, there's a decent chance your available VRAM metric was wrong and workloads were failing silently. The per-workload chart is alpha because we're still figuring out what's useful here (people want different things: power draw vs. FLOP utilization vs. memory pressure). The error messaging helps catch GPU driver issues at the dashboard level instead of as Kubernetes scheduler logs you won't read.
|
||||
|
||||
**Backwards compatibility**: ✅ Full. Existing dashboards update silently. The new chart is opt-in via the plugin settings.
|
||||
|
||||
---
|
||||
|
||||
### TrueNAS CSI v0.2.6
|
||||
|
||||
**What changed**:
|
||||
- Fixed a race condition in the storage pool detail view under high-frequency metric updates
|
||||
- Added historical IOPS trend (last 7 days, if your monitoring retention supports it)
|
||||
- Improved error handling when the CSI driver's API is temporarily unavailable
|
||||
- Updated deployment docs for TrueNAS SCALE 24.04
|
||||
|
||||
**Why it matters**:
|
||||
The race condition was rare but nasty—under sustained I/O load, the pool view would flicker or show stale metrics. This is now fixed. The 7-day trend is useful for "is my throughput degrading" analysis without requiring external tools. The API timeout handling means if your TrueNAS box restarts, the dashboard degrades gracefully instead of erroring.
|
||||
|
||||
**Backwards compatibility**: ✅ Full. Config unchanged, UX improvements automatic.
|
||||
|
||||
---
|
||||
|
||||
## What Wasn't Shipped
|
||||
|
||||
A few things were on the table but didn't make March 9:
|
||||
|
||||
- **Kube-vip v0.2.0** (major refactor) — held for more testing, targeting early April
|
||||
- **Polaris v0.7.0** (policy templates) — still in review, no timeline yet
|
||||
- **Multi-cluster federation** (experimental feature) — code is there, docs aren't, holding until docs are done right
|
||||
|
||||
These things will ship when they're done, not before.
|
||||
|
||||
---
|
||||
|
||||
## Breaking Changes
|
||||
|
||||
None. All four plugins maintain backwards compatibility.
|
||||
|
||||
---
|
||||
|
||||
## How to Upgrade
|
||||
|
||||
For each plugin, in your Headlamp installation:
|
||||
|
||||
```bash
|
||||
# 1. Check your current version
|
||||
helm list -n headlamp | grep plugin-name
|
||||
|
||||
# 2. Update the plugin
|
||||
helm upgrade plugin-name headlamp/plugin-name \
|
||||
--repo https://artifacthub.io/packages/helm \
|
||||
--namespace headlamp
|
||||
|
||||
# 3. Verify
|
||||
kubectl rollout status deployment/headlamp-plugin-name -n headlamp
|
||||
```
|
||||
|
||||
If you're not using Helm, download the latest manifest from each plugin's GitHub release page.
|
||||
|
||||
---
|
||||
|
||||
## Known Issues
|
||||
|
||||
**TrueNAS CSI**: If your CSI driver is on an older API version (pre-24.02), some metrics may not appear. This is logged as a warning. Upgrade the driver if you need the features.
|
||||
|
||||
**Intel GPU**: Multi-node GPU scheduling still requires manual node labeling. A future release will handle label discovery automatically.
|
||||
|
||||
**Rook**: The OSD visualization can take 30 seconds to update on first load in very large clusters (>64 OSDs). We know. We're working on it.
|
||||
|
||||
---
|
||||
|
||||
## What's Next
|
||||
|
||||
- April 9: Kube-vip v0.2.0 (major refactor)
|
||||
- Ongoing: Polaris v0.7.0 (no date yet, serious scope)
|
||||
- Ongoing: Community feedback on Intel GPU utilization charts (please file issues if the metrics aren't useful)
|
||||
|
||||
---
|
||||
|
||||
## Feedback
|
||||
|
||||
Found a bug? File an issue in the relevant repo:
|
||||
- [github.com/privilegedescalation/headlamp-rook-plugin](https://github.com/privilegedescalation/headlamp-rook-plugin)
|
||||
- [github.com/privilegedescalation/headlamp-sealed-secrets-plugin](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin)
|
||||
- [github.com/privilegedescalation/headlamp-intel-gpu-plugin](https://github.com/privilegedescalation/headlamp-intel-gpu-plugin)
|
||||
- [github.com/privilegedescalation/headlamp-tns-csi-plugin](https://github.com/privilegedescalation/headlamp-tns-csi-plugin)
|
||||
|
||||
---
|
||||
|
||||
## Credits
|
||||
|
||||
Thanks to everyone who reported issues between March 4 and March 9. You're the reason these releases matter.
|
||||
|
||||
Special shout-out to @puretensor for running these plugins in production and telling us what actually breaks.
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 51 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 63 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 1.2 MiB |
@@ -1,6 +0,0 @@
|
||||
---
|
||||
name: "GroomBook App"
|
||||
description: "This git repository is the primary GroomBook Application source code and associated build artifacts."
|
||||
---
|
||||
|
||||
This git repository is the primary GroomBook Application source code and associated build artifacts.
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
name: "GroomBook Infra"
|
||||
description: "This repository is the infrastructure associated with the development and production/demo instances of GroomBook. It is a target gitrepository of a 2 step Flux GitOps process that is triggered from an external kubernetes cluster management repository."
|
||||
---
|
||||
|
||||
This repository is the infrastructure associated with the development and production/demo instances of GroomBook. It is a target gitrepository of a 2 step Flux GitOps process that is triggered from an external kubernetes cluster management repository.
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
name: "GroomBook Org"
|
||||
description: "This repository houses the organization level GitHub Pages as well as shared GitHub Actions."
|
||||
---
|
||||
|
||||
This repository houses the organization level GitHub Pages as well as shared GitHub Actions.
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
name: "GroomBook Site"
|
||||
description: "This repository houses the primary GitHub Pages based site for the GroomBook Platform."
|
||||
---
|
||||
|
||||
This repository houses the primary GitHub Pages based site for the GroomBook Platform.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
name: "Onboarding"
|
||||
---
|
||||
|
||||
@@ -1,62 +0,0 @@
|
||||
---
|
||||
name: coding-standards
|
||||
description: >
|
||||
Engineering quality bar for GroomBook code: priority ordering of correctness
|
||||
vs. clarity vs. maintainability vs. performance vs. elegance, PR and test
|
||||
requirements, no-hardcoded-values rules, branch discipline, and the no-self-
|
||||
merge contract.
|
||||
---
|
||||
|
||||
# Coding Standards
|
||||
|
||||
These rules apply to any GroomBook agent that writes, reviews, or merges code.
|
||||
|
||||
## Priority ordering
|
||||
|
||||
When making technical decisions, prioritize in this order:
|
||||
|
||||
1. **Correctness** — does it work? Does it handle edge cases? Have you proven it, not assumed it?
|
||||
2. **Clarity** — will another engineer understand this without context in 6 months?
|
||||
3. **Maintainability** — will it be safe to change?
|
||||
4. **Performance** — fast enough for the use case? Profile before optimizing.
|
||||
5. **Elegance** — nice if free; never trade any of the above for it.
|
||||
|
||||
## Pull request discipline
|
||||
|
||||
* All changes go through a PR. **Never push directly to `dev`, `uat`, or `main`.**
|
||||
* No agent merges their own PR.
|
||||
* Always include `cc @cpfarhood` at the bottom of the PR body for visibility (not as a reviewer).
|
||||
|
||||
## Test requirements
|
||||
|
||||
* **Every PR must include tests** for new code paths. No exceptions for "small" changes.
|
||||
* Run unit tests, type check, and lint locally (or rely on CI) **before** requesting review.
|
||||
* A PR without passing tests does not get approval.
|
||||
* New code paths require coverage. No coverage = no approval.
|
||||
|
||||
## Code review tone
|
||||
|
||||
Hold a high bar. PRs with obvious mistakes, missing tests, hardcoded values, or policy violations get firm, specific review comments citing what's wrong and what the fix is. Cite the file and line. Suggest the fix when you know it. Don't sugarcoat — but be professional and constructive. "This looks wrong" is not a review comment.
|
||||
|
||||
## Hardcoded values
|
||||
|
||||
* **Colors** use CSS variables / theme tokens. Never raw hex in components.
|
||||
* **Strings** use constants or i18n. No magic strings.
|
||||
* **Numbers** that aren't trivially obvious go in named constants.
|
||||
* **No magic numbers** in business logic.
|
||||
|
||||
## Secrets in code
|
||||
|
||||
Secrets never touch source. See the `safety` skill for the SealedSecrets workflow. If your implementation requires a Kubernetes secret you cannot create, file an issue for the agent who owns the SealedSecrets workflow rather than committing a plaintext value.
|
||||
|
||||
## Releases and versioning
|
||||
|
||||
All releases use CalVer (`YYYY.MMDD.PATCH`, e.g. `2026.0504.0`). No SemVer, no custom schemes.
|
||||
|
||||
## Container images
|
||||
|
||||
Push to `ghcr.io` only. Never Docker Hub for first-party images.
|
||||
|
||||
## When uncertain
|
||||
|
||||
If a code-quality call isn't covered above and you can't decide cleanly, escalate to the CTO via comment rather than guessing.
|
||||
@@ -1,31 +0,0 @@
|
||||
---
|
||||
name: safety
|
||||
description: >
|
||||
Non-negotiable safety rules for all GroomBook agents. Covers secret handling,
|
||||
destructive-action gating, the SealedSecrets workflow, kubectl scope limits,
|
||||
and the escalation protocol when an action's safety is uncertain.
|
||||
---
|
||||
|
||||
# Safety
|
||||
|
||||
The following rules apply to every GroomBook agent without exception.
|
||||
|
||||
## Non-negotiable rules
|
||||
|
||||
* **Never exfiltrate secrets or private data.** This includes API keys, tokens, PEM files, database credentials, kubeconfig contents, and any value sourced from a secret reference in your adapter config. Never log, comment, or return these values in any output — including PR descriptions, issue comments, and chat responses.
|
||||
|
||||
* **Seek board approval before destructive actions.** "Destructive" means: deleting resources, dropping tables, wiping namespaces, force-pushing branches, resetting git history, removing secrets, or any operation that cannot be undone without restoring from backup. Use `request_board_approval` and set the source issue to `blocked` until approved.
|
||||
|
||||
* **Never commit plaintext secrets.** Kubernetes secrets go through Bitnami Sealed Secrets (`kubeseal`). Application credentials go in environment variables injected at runtime — never hardcoded in source.
|
||||
|
||||
* **Never `kubectl apply` against production (`groombook`).** The production namespace is Flux-managed. Manifest changes go through a PR to `groombook/infra` and are reconciled by Flux. The `groombook-dev` and `groombook-uat` namespaces permit direct kubectl use for iteration; secrets at every environment still follow the SealedSecrets pattern.
|
||||
|
||||
* **Never `kubectl create secret` in production.** All secrets — at every environment — go through SealedSecrets, encrypted with `kubeseal`, committed as `SealedSecret` resources to `groombook/infra`.
|
||||
|
||||
* **Never bypass the merge gate.** No self-merging PRs. No pushing directly to `dev`, `uat`, or `main`. Every change goes through a PR with the reviews required by the `sdlc` skill.
|
||||
|
||||
* **Never run `tofu` directly.** Terraform / OpenTofu goes through the Flux OpenTofu Controller via a PR to `groombook/infra`.
|
||||
|
||||
## If you are unsure
|
||||
|
||||
If you are unsure whether an action is safe, **stop**. Post a comment on the Paperclip issue explaining what you are about to do and why you are uncertain, set the issue to `blocked`, and escalate to your manager. Do not guess.
|
||||
@@ -1,225 +0,0 @@
|
||||
---
|
||||
name: sdlc
|
||||
description: >
|
||||
Software development lifecycle for GroomBook. Covers GitHub authentication,
|
||||
branch strategy across Dev/UAT/Prod, the four-phase SDLC pipeline with
|
||||
product analysis intake, PR review and merge policy, the handoff protocol,
|
||||
status semantics, infrastructure layout, the canonical tools list, the
|
||||
GitHub-origin issue board-approval gate, the cc-cpfarhood visibility rule,
|
||||
the scheduled penetration testing program, and delegation model tier policy.
|
||||
---
|
||||
|
||||
# Software Development Lifecycle
|
||||
|
||||
## GitHub authentication
|
||||
|
||||
**Invoke the `github-app-token` skill** before any GitHub operation. It generates a short-lived installation token and sets `GH_TOKEN`. **Never** run `gh auth login` — it hangs headless agents. Token expires after ~1 hour; re-invoke to regenerate.
|
||||
|
||||
GitHub is the **primary source of truth**. Every Paperclip issue should have a corresponding GitHub issue (create one if missing). Both stay open until the work is completed, reviewed, approved, merged, and QA-verified.
|
||||
|
||||
## GitHub-origin issue policy — board approval required
|
||||
|
||||
If a task originated from GitHub (`originKind: "github"`), **do not begin work**. Immediately create a board approval:
|
||||
|
||||
```
|
||||
POST /api/companies/{companyId}/approvals
|
||||
{
|
||||
"type": "request_board_approval",
|
||||
"requestedByAgentId": "{your-agent-id}",
|
||||
"issueIds": ["{issueId}"],
|
||||
"payload": {
|
||||
"title": "Board approval required: GitHub issue",
|
||||
"summary": "Summarize what the GitHub issue requests.",
|
||||
"recommendedAction": "Approve to begin work.",
|
||||
"risks": ["Work begins without board review if approved."]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Set the issue to `blocked` with a comment linking to the approval. Only proceed once `PAPERCLIP_APPROVAL_ID` is set and `PAPERCLIP_APPROVAL_STATUS` indicates approval.
|
||||
|
||||
## Branch strategy
|
||||
|
||||
Three long-lived branches map to the three deployment environments:
|
||||
|
||||
| Branch | Environment | Who merges |
|
||||
|--------|-------------|-----------|
|
||||
| `dev` | Dev | CTO (after QA approval) |
|
||||
| `uat` | UAT | CTO (promotes `dev` → `uat`) |
|
||||
| `main` | Production | CEO (promotes `uat` → `main`) |
|
||||
|
||||
**Engineers always target `dev`** — never `uat` or `main` directly. Feature branches: `<agent-name>/<short-description>`.
|
||||
|
||||
## Pull requests
|
||||
|
||||
All changes happen via pull request. Always include `cc @cpfarhood` at the bottom of the PR body for visibility — never as a reviewer.
|
||||
|
||||
```bash
|
||||
gh pr create --base dev --title "..." --body "... cc @cpfarhood"
|
||||
```
|
||||
|
||||
## PR review & merge policy
|
||||
|
||||
### Dev branch (`dev`)
|
||||
|
||||
- **QA** (Lint Roller) reviews the PR. Approve → hand to CTO. Fail → back to engineer directly with exact details.
|
||||
- **CTO** (The Dogfather) reviews. Approve → CTO merges the `dev` PR. Fail → back to engineer.
|
||||
|
||||
### UAT branch (`uat`)
|
||||
|
||||
- **CTO** opens and merges a `dev` → `uat` PR.
|
||||
|
||||
### Main branch (`main`)
|
||||
|
||||
- **CEO** (Scrubs McBarkley) reviews and merges the `uat` → `main` PR.
|
||||
|
||||
`@cpfarhood` is cc'd for visibility on all PRs — never as a reviewer.
|
||||
|
||||
## SDLC pipeline
|
||||
|
||||
### Phase 0 — Product analysis (feature intake)
|
||||
|
||||
* Feature requests arrive at the CEO via Paperclip or GitHub Issues.
|
||||
* CEO delegates to CMPO (Pawla Abdul) for review.
|
||||
* CMPO returns one of three decisions:
|
||||
* **Accepted** → CEO routes to CTO for work breakdown.
|
||||
* **Backlogged** → CEO handles prioritization.
|
||||
* **Denied** → CEO closes as unplanned.
|
||||
* CTO breaks accepted work into atomic tasks and assigns to Engineering.
|
||||
|
||||
### Phase 1 — Dev
|
||||
|
||||
1. **Engineer** (Flea Flicker) branches from `dev`, writes code. GitOps deploys to dev on demand.
|
||||
2. **Engineer** opens a PR against `dev`. CI must pass.
|
||||
3. **QA (Lint Roller)** reviews the PR. Fail → back to engineer.
|
||||
4. QA approves and hands off to CTO.
|
||||
5. **CTO (The Dogfather)** reviews the PR. Fail → back to engineer.
|
||||
6. **CTO** merges the dev PR.
|
||||
7. **CI** builds and deploys automatically to Dev (`https://dev.groombook.dev`).
|
||||
|
||||
### Phase 2 — UAT promotion
|
||||
|
||||
8. **CTO** opens and merges a PR from `dev` to `uat`.
|
||||
9. **CI** builds and deploys automatically to UAT (`https://uat.groombook.dev`).
|
||||
10. **CTO** creates a UAT regression task for **Shedward Scissorhands** immediately after promoting.
|
||||
|
||||
### Phase 3 — UAT testing & security
|
||||
|
||||
11. **UAT (Shedward Scissorhands)** runs full regression against UAT — every feature, no exceptions.
|
||||
12. UAT fail → CTO redistributes to engineer (return to Phase 1).
|
||||
13. UAT pass → **Security Engineer (Barkley Trimsworth)** performs a security code review of the changes.
|
||||
14. Security fail → CTO redistributes to engineer (return to Phase 1).
|
||||
|
||||
### Phase 4 — Production
|
||||
|
||||
15. Security pass → **CEO (Scrubs McBarkley)** reviews and merges the production PR (`uat → main`). Fail → back to CTO.
|
||||
16. **CI** deploys automatically to Production (`https://demo.groombook.dev`).
|
||||
|
||||
### Hierarchy rules
|
||||
|
||||
* CTO rejections at Dev go directly to the engineer (not back through QA).
|
||||
* UAT failures (Shedward) go to CTO — CTO cascades to engineer.
|
||||
* Security failures (Barkley) go to CTO — CTO cascades to engineer.
|
||||
* CEO rejections at Prod go to CTO.
|
||||
|
||||
> **Penetration testing.** Barkley performs scheduled penetration testing against Production (`demo.groombook.dev`) and Demo independently of the PR workflow. Board-authorized; not triggered per-PR. Findings get filed as Paperclip issues with severity (`CRITICAL` / `HIGH` / `MEDIUM` / `LOW`) and routed to CTO for engineer redistribution.
|
||||
|
||||
## Delegation model tier
|
||||
|
||||
When creating subtasks for other agents, set `modelProfile: "cheap"` only for:
|
||||
- Mechanical refactors or repetitive operations
|
||||
- Basic information lookups
|
||||
- Well-specified, bounded updates
|
||||
|
||||
Leave `modelProfile` unset for anything requiring judgment, reasoning, or QA review.
|
||||
|
||||
When in doubt, leave it unset.
|
||||
|
||||
## Handoff protocol — mandatory
|
||||
|
||||
Every handoff to another agent requires ALL THREE steps:
|
||||
|
||||
### 1. Explicit assignment
|
||||
|
||||
`PATCH /api/issues/{id}` with `assigneeAgentId: "<target-agent-uuid>"`. Mentioning is NOT a handoff — the agent won't wake without explicit assignment.
|
||||
|
||||
### 2. Status = `todo`
|
||||
|
||||
Every handoff sets `status: "todo"`. Never `in_review`, never `backlog` — both are invisible in inbox-lite and the receiver won't wake.
|
||||
|
||||
### 3. Release checkout
|
||||
|
||||
```
|
||||
POST /api/issues/{issueId}/release
|
||||
Headers: Authorization: Bearer $PAPERCLIP_API_KEY, X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID
|
||||
```
|
||||
|
||||
Without this release, the receiving agent cannot check out the issue.
|
||||
|
||||
**Saying you are reassigning a task is NOT the same as reassigning it.** Verify the PATCH succeeded (200) before posting a comment claiming the handoff is done.
|
||||
|
||||
## Infrastructure
|
||||
|
||||
* **Production / Demo:** namespace `groombook`, FQDN `demo.groombook.dev`
|
||||
* **UAT:** namespace `groombook-uat`, FQDN `uat.groombook.dev`
|
||||
* **Dev:** namespace `groombook-dev`, FQDN `dev.groombook.dev`
|
||||
* **Cluster:** Kubernetes — cluster-wide read; read/write on `groombook-dev` and `groombook-uat`; read-only on `groombook` (production).
|
||||
* **Gateways:** `istio-external` (publicly accessible) and `istio-internal` (internal only) in `gateway-system`.
|
||||
* **Container registry:** `ghcr.io/groombook/<service>` only.
|
||||
|
||||
## Authentication
|
||||
|
||||
* **Framework:** Better-Auth.
|
||||
* **Social login:** Google and Apple OAuth.
|
||||
* **SSO:** Authentik OIDC at `https://auth.farh.net` (credentials in `authentik-credentials` secret).
|
||||
* **Never build custom authentication.**
|
||||
|
||||
## Deployment — 2-stage Flux GitOps
|
||||
|
||||
**Stage 1 — CI (GitHub Actions, runs in each application repo):**
|
||||
- Triggered automatically on every merge to `main`
|
||||
- Builds and tags the Docker image
|
||||
- Pushes tagged images to `ghcr.io/groombook/<service>`
|
||||
|
||||
**Stage 2 — GitOps (Flux, managed externally):**
|
||||
- Flux watches `groombook/infra` as the **target** GitRepository — it is **not** a Flux bootstrap/cluster repo.
|
||||
- Reconciles Kustomize overlays: `apps/overlays/dev` → `groombook-dev`, `apps/overlays/uat` → `groombook-uat`, `apps/overlays/prod` → `groombook`.
|
||||
|
||||
**Policy — Flux Image Tag Automation is DENIED.** Do NOT use `ImageRepository`, `ImagePolicy`, or `ImageUpdateAutomation` Flux resources. Image tag updates must be made intentionally via a PR to `groombook/infra`.
|
||||
|
||||
**To deploy a change:**
|
||||
1. Merge code to `main` in the app repo — CI builds and pushes a new image automatically.
|
||||
2. Open a PR against `groombook/infra` to update the relevant overlay; merge after kustomize CI passes.
|
||||
3. Flux reconciles `groombook/infra` on merge and rolls out the updated pods.
|
||||
|
||||
**To force a rollout** (pick up new `:latest` on stuck pods):
|
||||
```bash
|
||||
kubectl rollout restart deployment/<name> -n <namespace>
|
||||
```
|
||||
|
||||
## Infrastructure as Code
|
||||
|
||||
Terraform / OpenTofu is deployed via the **Flux OpenTofu Controller** in a GitOps fashion. Submit configurations via a PR to `groombook/infra` — the tofu controller reconciles them on merge.
|
||||
|
||||
**Never run `tofu` directly.** Never `kubectl apply` against production. Production changes go through Flux only.
|
||||
|
||||
## Tools (canonical, not alternatives)
|
||||
|
||||
These are the only acceptable choices — alternatives are policy violations:
|
||||
|
||||
* **Secret management:** Bitnami Sealed Secrets Controller — no plain Kubernetes secrets.
|
||||
* **Database:** CloudNativePG Operator (Postgres) — no SQLite, MariaDB, or MySQL.
|
||||
* **Cache / pub-sub:** DragonflyDB Operator — no Redis.
|
||||
* **Authentication:** Better-Auth + Google + Apple + Authentik (see Authentication section). Never build custom auth.
|
||||
* **Dependency updates:** Mend Renovate. **Dependabot is not used and will not be used.**
|
||||
* **Container registry:** `ghcr.io/groombook/<service>` — no Docker Hub for first-party images.
|
||||
|
||||
If a task requires deviating from any of the above, treat it as a destructive action: stop, file an issue with rationale, request board approval.
|
||||
|
||||
## External communication
|
||||
|
||||
When communicating in any context visible outside the GroomBook agent team (external users, human reviewers, non-agent entities), include `cc @cpfarhood` for visibility — never as a reviewer.
|
||||
|
||||
## No self-merge
|
||||
|
||||
No agent merges their own PR. The merger is always the next role up the SDLC ladder (CTO for `dev` and `uat`, CEO for `main`).
|
||||
@@ -0,0 +1,85 @@
|
||||
# Social Media Batch - 2026-03-07
|
||||
|
||||
## Strategic Summary
|
||||
|
||||
First-ever social batch for Privileged Escalation. The org has 6 Headlamp plugins across storage, security, and infrastructure -- all freshly released, all at zero stars. The play here is name recognition and curiosity: make people encounter "Privileged Escalation" in their feed and wonder what it is before they click. Leading with the sealed-secrets plugin (client-side crypto angle) and the absurdity of launching 6 plugins to zero fanfare.
|
||||
|
||||
---
|
||||
|
||||
## 1. Ready to Post
|
||||
|
||||
### Post 1
|
||||
|
||||
**Platform**: Twitter/X
|
||||
**Post**:
|
||||
We shipped 6 Kubernetes Headlamp plugins and nobody noticed.
|
||||
|
||||
Storage benchmarking, Rook-Ceph visibility, Polaris auditing, Sealed Secrets with actual client-side encryption, Intel GPU monitoring, and kube-vip dashboards.
|
||||
|
||||
Zero stars across the board. We are crushing it.
|
||||
|
||||
github.com/privilegedescalation
|
||||
**CMO Note**: Self-deprecating launch acknowledgment. The honesty about zero stars is the hook -- it reads as human, not corporate. Links to the org for curious clicks.
|
||||
|
||||
---
|
||||
|
||||
### Post 2
|
||||
|
||||
**Platform**: Bluesky
|
||||
**Post**:
|
||||
the sealed secrets headlamp plugin does client-side RSA-OAEP + AES-256-GCM encryption so your plaintext never leaves the browser.
|
||||
|
||||
someone forked it last month. we have our first user. or our first person who accidentally clicked fork. either way, we are celebrating.
|
||||
**CMO Note**: Technical specificity makes it credible. The fork joke (sm-moshi, Feb 22) is real and plays well on Bluesky's irony-friendly audience. Seeds curiosity about what Headlamp plugins are.
|
||||
|
||||
---
|
||||
|
||||
### Post 3
|
||||
|
||||
**Platform**: Mastodon
|
||||
**Post**:
|
||||
Genuine question for the fediverse: if you have 6 open source projects and zero stars on any of them, are you a software company or just a guy with a lot of repos?
|
||||
|
||||
Asking for a friend. The friend is github.com/privilegedescalation.
|
||||
**CMO Note**: Mastodon audience appreciates self-aware humor. This is pure slow-burn -- raises the question of what Privileged Escalation is without explaining it. The link is there for anyone curious enough to click.
|
||||
|
||||
---
|
||||
|
||||
## 2. Risky but Worth Discussing
|
||||
|
||||
### Post 4
|
||||
|
||||
**Platform**: Twitter/X
|
||||
**Post**:
|
||||
Every Kubernetes UI either costs money or looks like it was designed during a mass layoff event.
|
||||
|
||||
We've been building Headlamp plugins that make the free one actually useful. Rook-Ceph dashboards, Polaris auditing, storage benchmarks -- the stuff you duct-tape together with kubectl and regret.
|
||||
|
||||
github.com/privilegedescalation
|
||||
**CMO Note**: Mildly spicy take on the K8s UI landscape. Does not name competitors directly but the implication is clear. Could rub Lens/Rancher people the wrong way. Worth discussing tone.
|
||||
|
||||
---
|
||||
|
||||
## 3. Backlog (Evergreen)
|
||||
|
||||
### Post 5
|
||||
|
||||
**Platform**: LinkedIn
|
||||
**Post**:
|
||||
We just audited our own GitHub repos and found that 4 out of 6 were missing LICENSE files.
|
||||
|
||||
They all had Apache-2.0 badges in the README. The actual license text? Not present. Technically, anyone using our code was operating on vibes and good faith.
|
||||
|
||||
Fixed now. But if your open source project has a license badge and no LICENSE file, maybe go check. We'll wait.
|
||||
**CMO Note**: Honest product personality at work. Admitting a real flaw (that we just fixed) builds trust and is genuinely useful advice. LinkedIn audience will share practical open source governance content.
|
||||
|
||||
---
|
||||
|
||||
### Post 6
|
||||
|
||||
**Platform**: Twitter/X
|
||||
**Post**:
|
||||
TIL "Privileged Escalation" as a GitHub org name gets flagged by approximately zero security scanners.
|
||||
|
||||
We checked.
|
||||
**CMO Note**: Pure name recognition play. The org name is inherently memorable and slightly provocative -- leaning into that. Short enough for easy engagement.
|
||||
@@ -0,0 +1,84 @@
|
||||
# Slow Burn Post - 2026-03-11
|
||||
|
||||
## Strategic Summary
|
||||
|
||||
Plant a question that makes people curious about Kubernetes observability and operational maturity without revealing the answer. The goal is to get people wondering "what's the right way to do this" before they know what Headlamp is. Works as a callback to the "Why We Built These" educational batch posted days earlier, reminding operators why those pain points matter.
|
||||
|
||||
---
|
||||
|
||||
## 1. Ready to Post
|
||||
|
||||
### Post: "The Dashboard You Don't Know You Need"
|
||||
|
||||
**Platform**: Twitter/X
|
||||
|
||||
**Post**:
|
||||
|
||||
Every mature Kubernetes environment has a moment: someone asks a question about the cluster, and everyone agrees it's a good question, and nobody knows how to answer it quickly.
|
||||
|
||||
Usually because the answer lives in four different CLI tools, three different dashboards, and someone's grep history.
|
||||
|
||||
**CMO Note**: This post plants the seed that there's a maturity gap: most K8s teams have experienced the "good question, no quick answer" moment. It doesn't pitch a solution; it just names the problem that serious operators have. Works well 1-2 weeks after the "Why We Built These" batch posts as a cooling period reminder. Tone is acknowledgment + dry acceptance, not mocking.
|
||||
|
||||
---
|
||||
|
||||
### Post: Bluesky Variant
|
||||
|
||||
**Platform**: Bluesky
|
||||
|
||||
**Post**:
|
||||
|
||||
You have a really good question about your cluster. Everyone agrees it's good. Nobody can answer it in under 2 minutes without splitting a terminal into four panes and running grep until they find it.
|
||||
|
||||
That's not a flaw in your question. That's a flaw in how K8s visibility tools are designed.
|
||||
|
||||
**CMO Note**: Slightly longer and more conversational for Bluesky's format. Same core message—empathy + problem naming—but with more room to breathe. This version gets slightly more pointed at the tooling itself.
|
||||
|
||||
---
|
||||
|
||||
### Post: Mastodon Variant
|
||||
|
||||
**Platform**: Mastodon
|
||||
|
||||
**Post**:
|
||||
|
||||
The hardest part of Kubernetes maturity isn't resource management or networking or pod placement. It's the moment when you realize you have observability *data* everywhere, but visibility nowhere — and combining them requires knowing which three tools to juggle.
|
||||
|
||||
There's a better way to design this.
|
||||
|
||||
**CMO Note**: Most technical framing, appeals to operators who think about K8s maturity as a journey. "Data vs. visibility" distinction is specific enough to resonate. Concluding line is subtle: suggests a different approach without naming the product.
|
||||
|
||||
---
|
||||
|
||||
## 2. Risky but Worth Discussing
|
||||
|
||||
None for this batch — slow-burn posts are inherently low-risk since they're empathy-first, not pitch-first.
|
||||
|
||||
---
|
||||
|
||||
## 3. Backlog (Evergreen)
|
||||
|
||||
This post works evergreen (true anytime after the "Why We Built" batch has gone out) and can be part of a longer narrative arc.
|
||||
|
||||
Suggested follow-up posts (future):
|
||||
- "3 ways teams solve this today" — comparative without favoring ours
|
||||
- "Observation vs. visibility: what's the difference?" — educational explainer
|
||||
- "What does the right K8s dashboard look like?" — leading question that sets up product reveal
|
||||
|
||||
---
|
||||
|
||||
## Why This Works
|
||||
|
||||
1. **No product mention** — Pure empathy for the operator experience
|
||||
2. **Specific frustration** — Not "we make things better," but "this common moment sucks"
|
||||
3. **Opens door for follow-up** — The next post can be "here's one solution," but this one just raises the question
|
||||
4. **Sets up narrative arc** — "Why We Built These" explains pain points; this post reminds people why those pain points matter
|
||||
5. **Conversational tone** — Not a complaint, not a pitch, just "yeah, that moment is real"
|
||||
|
||||
---
|
||||
|
||||
## Timing Notes
|
||||
|
||||
- Post 1-2 weeks after "Why We Built These" batch (suggest March 18-25 timeframe)
|
||||
- Evergreen content that can be scheduled anytime
|
||||
- Ideal as part of the slow-burn curiosity campaign (PR #15) before the KubeCon push
|
||||
@@ -0,0 +1,170 @@
|
||||
# Social Media Batch — Industry Commentary on Kubernetes Operations Culture
|
||||
|
||||
## Strategic Summary
|
||||
|
||||
Hot takes on the absurdities, failures, and genuine problems in how teams actually operate Kubernetes. Not product pitches. Not tutorials. Just observations about the gap between "Kubernetes best practices" and "what we're doing at 2am when the cluster's on fire." These posts position Privileged Escalation as operators who understand the actual pain, not consultants selling the dream.
|
||||
|
||||
Timing: Evergreen content, works anytime. Some posts pair well with technical releases; others stand alone. This batch establishes credibility and voice before KubeCon campaign.
|
||||
|
||||
---
|
||||
|
||||
## 1. Ready to Post
|
||||
|
||||
### Post 1: The Observability Checklist Theater
|
||||
|
||||
**Platform**: Twitter/X
|
||||
|
||||
**Post**:
|
||||
"We have observability," she said, pointing to three separate dashboards, four different APIs, and a grep script she's afraid to touch.
|
||||
|
||||
Observability isn't having data. It's knowing what to do with it when you're 30 seconds into an incident.
|
||||
|
||||
Most Kubernetes deployments have the first part. Nobody has the second.
|
||||
|
||||
**CMO Note**: Identifies a real gap (data vs visibility vs actionability) without mocking the teams experiencing it. Dry acknowledgment of a universal pain point. Sets up future posts about "what good observability looks like." No product mention needed — the empathy does the work.
|
||||
|
||||
---
|
||||
|
||||
### Post 2: The 3-Line PR That Ate 6 Weeks
|
||||
|
||||
**Platform**: Bluesky
|
||||
|
||||
**Post**:
|
||||
Your platform team has a 3-line PR waiting for maintainer approval. It's been 42 days.
|
||||
|
||||
Not because the code is bad. Not because they're thinking about it. They're just... busy.
|
||||
|
||||
This is why every infrastructure team ends up maintaining their own forks of things. Not because they wanted to. Because the alternative was waiting forever.
|
||||
|
||||
**CMO Note**: Speaks directly to the maintainer bottleneck that creates fragmentation in the ecosystem. Bluesky audience (more irony-literate) appreciates the "42 days" specificity. The "own forks" insight is a callback to our sealed-secrets fork acknowledgment from earlier batches.
|
||||
|
||||
---
|
||||
|
||||
### Post 3: The README That Became the Docs
|
||||
|
||||
**Platform**: Mastodon
|
||||
|
||||
**Post**:
|
||||
Kubernetes documentation is a weird thing. The official docs are great. The best practices docs are aspirational. The actual documentation for how to run your thing is 40 lines in a README written by someone at 11pm because they're shipping in the morning.
|
||||
|
||||
Three years later, that README is the only source of truth. It hasn't been updated in two years. Someone just hired reads it and wonders why nothing matches.
|
||||
|
||||
This is fine.
|
||||
|
||||
**CMO Note**: Honest observation about documentation drift and pragmatism in ops. "This is fine" ending is dark humor that Mastodon audience gets. Not judgmental, just realistic. Positions us as people who understand that perfect documentation is a fantasy.
|
||||
|
||||
---
|
||||
|
||||
## 2. Risky but Worth Discussing
|
||||
|
||||
### Post 4: The Consolidation Trap (Skip for Safety)
|
||||
|
||||
**Platform**: Twitter/X
|
||||
|
||||
**Post**:
|
||||
Every infrastructure company eventually ships one tool that tries to do everything.
|
||||
|
||||
It is always bloated. It is always slow. It is always worse at specific things than the 6 single-purpose tools it replaced.
|
||||
|
||||
We had the opportunity to do this. We didn't. We're weird that way.
|
||||
|
||||
**CMO Note**: RISKY. This is a soft dig at competitors (Lens, Rancher, etc.) and might read as salty if not careful. However, it's grounded in our actual decision (6 plugins instead of one). Could land well with operators who are exhausted by consolidation fantasies. Recommend getting CMO sign-off before posting. If approved, schedule it after "Why We Built These" batch so context is fresh.
|
||||
|
||||
---
|
||||
|
||||
### Post 5: Observability Theater: The Security Checkbox
|
||||
|
||||
**Platform**: Bluesky
|
||||
|
||||
**Post**:
|
||||
"We have visibility into our supply chain."
|
||||
|
||||
Translation: We run a scanner once a quarter and it generates a report nobody reads.
|
||||
|
||||
"We monitor resource usage."
|
||||
|
||||
Translation: Prometheus metrics exist. We haven't looked at them in a year but they're technically there.
|
||||
|
||||
Real observability isn't a checkbox. It's a practice. It takes work. Most teams don't do it.
|
||||
|
||||
**CMO Note**: MILDLY RISKY. Could read as too critical of teams trying their best. However, it's honest about the gap between aspirational and actual practices. Strong with engineering leaders who are frustrated with their own observability theater. Recommend pairing with a constructive follow-up post about "what real visibility looks like."
|
||||
|
||||
---
|
||||
|
||||
## 3. Backlog (Evergreen, Lower Urgency)
|
||||
|
||||
### Post 6: The Dependency Management Hellscape
|
||||
|
||||
**Platform**: Twitter/X
|
||||
|
||||
**Post**:
|
||||
You have 1,247 transitive dependencies in your Kubernetes cluster.
|
||||
|
||||
You know what 14 of them do.
|
||||
|
||||
Nobody knows who maintains the other 1,233. Nobody knows what version of OpenSSL they actually use. If one of them breaks, you have a 2-week-long blame game ahead of you.
|
||||
|
||||
This is the cloud native era.
|
||||
|
||||
**CMO Note**: BACKLOG. Evergreen tech-industry grumbling. Node_modules meme energy. Good for reaching people who are deep in dependency hell and looking for commiseration. Can post anytime without losing relevance. Low risk, high relatability.
|
||||
|
||||
---
|
||||
|
||||
### Post 7: The Platform Team as Glorified Operators
|
||||
|
||||
**Platform**: LinkedIn
|
||||
|
||||
**Post**:
|
||||
The job listing said "Platform Engineer."
|
||||
|
||||
What they meant: "You will spend 60% of your time un-breaking things that broke automatically, 30% fighting with vendors, and 10% actually building the platform you were hired to build."
|
||||
|
||||
Platform engineering is good work. But we're not honest about what it is yet. It's operations wearing a different hat.
|
||||
|
||||
**CMO Note**: BACKLOG. Professional tone for LinkedIn. Speaks to platform engineering leaders who are exhausted. The honesty about role mismatch will resonate with your actual audience. Low controversy, high empathy. Works anytime. Could be paired with recruitment/community posts about "what good platform engineering support looks like."
|
||||
|
||||
---
|
||||
|
||||
## Post Selection Recommendation
|
||||
|
||||
**For This Week** (Pre-KubeCon): Posts 1, 2, 3
|
||||
- Establish credibility as operators who get it
|
||||
- Set tone before educational batches ("Why We Built These")
|
||||
- Build audience affinity
|
||||
|
||||
**For Next Week** (During KubeCon): Hold — focus on KubeCon campaign posts
|
||||
|
||||
**For Later** (March 28+): Posts 4, 5, 6, 7
|
||||
- Post 4 only if CMO approves and timing feels right
|
||||
- Posts 5, 6, 7 are genuinely evergreen — use as filler/buffer content
|
||||
|
||||
---
|
||||
|
||||
## Voice Check
|
||||
|
||||
✅ Dry observations, not punchlines
|
||||
✅ Mild grievances, not venting
|
||||
✅ Credibility through specificity ("42 days," "1,247 dependencies," "11pm")
|
||||
✅ Empathy for teams, not mockery
|
||||
✅ Operator perspective (not vendor, not consultant)
|
||||
✅ No corporate language, no "exciting to announce"
|
||||
✅ Each post stands alone; no threading needed
|
||||
|
||||
---
|
||||
|
||||
## Tags & Platform Consistency
|
||||
|
||||
- Twitter/X: Short, punchy, no threads
|
||||
- Bluesky: Slightly longer, conversation-friendly
|
||||
- LinkedIn: Professional tone, slightly longer form
|
||||
- Mastodon: More technical, darker humor accepted
|
||||
|
||||
All posts include implicit "this resonates because you've lived it" angle rather than "you should agree with us."
|
||||
|
||||
---
|
||||
|
||||
## Dependencies
|
||||
|
||||
- Posts 1-3: Self-contained, can post anytime
|
||||
- Post 4: Requires "Why We Built These" context (posted 1+ week prior)
|
||||
- Posts 5-7: Evergreen, zero dependencies
|
||||
Reference in New Issue
Block a user