privilegedescalation/org
Archived
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: privilegedescalation/org:docs/2026-03-13-status-report
Branches Tags
privilegedescalation/org:main privilegedescalation/org:fix/remove-plugin-release-workflow privilegedescalation/org:pri-1741-delete-shared-workflows privilegedescalation/org:ceo/restore-plugin-release-workflow privilegedescalation/org:ceo/merge-pr-67-plugin-release privilegedescalation/org:gandalf/restore-github-release-workflow privilegedescalation/org:fix/pri-1630-runner-labels privilegedescalation/org:gandalf/add-uat-skill privilegedescalation/org:nancy/sdlc-two-pipeline-routing privilegedescalation/org:master privilegedescalation/org:onboard-kubectl-karen privilegedescalation/org:chore/add-funding-yml privilegedescalation/org:cmo/kubecon-eu-2026-live-coverage privilegedescalation/org:docs/kubecon-prep-2026-03-14 privilegedescalation/org:docs/2026-03-13-status-report privilegedescalation/org:social/2026-03-12-industry-commentary privilegedescalation/org:social/kubecon-eu-2026
..
compare: privilegedescalation/org:df583bc183230ed9753dae916c6e16df90dab153
Branches Tags
privilegedescalation/org:main privilegedescalation/org:fix/remove-plugin-release-workflow privilegedescalation/org:pri-1741-delete-shared-workflows privilegedescalation/org:ceo/restore-plugin-release-workflow privilegedescalation/org:ceo/merge-pr-67-plugin-release privilegedescalation/org:gandalf/restore-github-release-workflow privilegedescalation/org:fix/pri-1630-runner-labels privilegedescalation/org:gandalf/add-uat-skill privilegedescalation/org:nancy/sdlc-two-pipeline-routing privilegedescalation/org:master privilegedescalation/org:onboard-kubectl-karen privilegedescalation/org:chore/add-funding-yml privilegedescalation/org:cmo/kubecon-eu-2026-live-coverage privilegedescalation/org:docs/kubecon-prep-2026-03-14 privilegedescalation/org:docs/2026-03-13-status-report privilegedescalation/org:social/2026-03-12-industry-commentary privilegedescalation/org:social/kubecon-eu-2026

14 Commits
docs/2026-03-13-status-report .. df583bc183

Author SHA1 Message Date
Chris Farhood df583bc183 Delete profile/README.md 2026-05-19 20:55:59 +00:00
Chris Farhood 07d9440966 Delete images/org-chart.png 2026-05-19 20:55:43 +00:00
Chris Farhood 94c881184e Delete directory 'agents' 2026-05-19 20:55:28 +00:00
Chris Farhood 18f4ef2126 feat(sdlc): add delegation model tier policy 
Set modelProfile cheap only for mechanical, bounded tasks. Leave unset
(judgment/reasoning/QA) for standard tier. When in doubt, leave unset.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-04 22:36:55 -04:00
Chris Farhood d7e9c627a8 fix(coding-standards): align versioning with CalVer org policy 
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-04 22:01:14 -04:00
Chris Farhood 93e70e6d66 feat(skills): align with cross-org review 
- safety: drop tools section (moved to sdlc), add explicit kubectl-prod
  ban, add no-tofu-direct rule, drop the merge-gate cross-reference into
  a separate bullet
- sdlc: add Phase 0 product-analysis intake (CMPO Pawla as gate); add
  scheduled penetration testing program (Barkley owns); standardize
  authentication to Better-Auth + Google + Apple + Authentik; add
  canonical tools section (moved from safety) including ghcr.io/groombook
  registry standard; reorganize PR review sections to match the cross-org
  pattern (named SDLC pipeline phases)
 2026-05-03 19:50:22 -04:00
Chris Farhood d496a67eae chore: remove vendored mirrors of external skill repos 
These were stale snapshots of skills owned by other orgs (better-auth,
fluxcd, greptileai, paperclipai, etc.) — Paperclip imports those
directly from their source repos at runtime. groombook/org should
contain only GroomBook-authored skills.
 2026-05-03 10:04:48 -04:00
Chris Farhood 4b32e84c03 feat(skills): add sdlc, safety, and coding-standards org skills 
Mirrors the privilegedescalation/org pattern: extract company-wide
policy that was previously inlined in each agent's AGENTS.md into three
shared skills. Agents will reference these via one-line invocation
reminders in their Wake additions section.
 2026-05-03 09:53:45 -04:00
Scrubs McBarkley c5e210f653 chore: sync company backup — 2026-04-16 
Export all agent configs, skills, and company metadata from the
Paperclip control plane to match current GroomBook org state.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-16 14:19:26 +00:00
groombook-ceo[bot] a945a825f2 Restore agent GITHUB.md files to GitHub instructions 
Restore agent GITHUB.md files to GitHub instructions
 2026-04-15 21:20:54 +00:00
Scrubs McBarkley 86a2422129 Restore agent GITHUB.md files to GitHub instructions 
Roll back Forgejo references and restore proper GitHub-based
instructions for all agents. Board has already restored CEO file.
Updated agents: the-dogfather, flea-flicker, lint-roller, pawla-abdul.

- Replace Forgejo auth (FGJ_TOKEN/fgj CLI) with GitHub App token skill
- Fix PR merge policy to reflect correct 3-environment SDLC
- Add proper github-app-token skill invocation instructions
- Standardize cc @cpfarhood visibility pattern across all agents

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 21:20:26 +00:00
groombook-ceo[bot] cc81906d3b Merge pull request #1 from groombook/backup/2026-04-13 
Merging company backup sync for 2026-04-13.
 2026-04-13 04:02:44 +00:00
Scrubs McBarkley 6bfd1b6c30 chore: sync company backup 2026-04-13 
Export full company configuration including agents, skills, and memory
files as of 2026-04-13. Adds missing agents (barkley-trimsworth,
daisy-clippington, shedward-scissorhands) and updates existing agent
instructions and skill definitions.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-13 04:02:21 +00:00
Chris Farhood 6a422fe293 moving company export to different repo 2026-04-07 06:40:44 -04:00
19 changed files with 954 additions and 654 deletions
Expand all files Collapse all files
.paperclip.yaml
+501
View File
@@ -0,0 +1,501 @@
schema: "paperclip/v1"
agents:
barkley-trimsworth:
role: "engineer"
icon: "shield"
capabilities: "Security engineer responsible for code security reviews in the SDLC pipeline (post-UAT gate) and scheduled penetration testing of production and demo environments. Board-authorized for offensive security analysis."
adapter:
config:
timeoutSec: 3600
type: "claude_k8s"
runtime:
heartbeat:
intervalSec: 14400
maxConcurrentRuns: 1
inputs:
env:
AGENT_HOME:
description: "Optional default for AGENT_HOME on agent barkley-trimsworth"
kind: "plain"
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/fadbc601-1528-4368-9317-31b144ed1655/instructions"
portability: "system_dependent"
requirement: "optional"
ANTHROPIC_AUTH_TOKEN:
description: "Provide ANTHROPIC_AUTH_TOKEN for agent barkley-trimsworth"
kind: "secret"
default: ""
requirement: "optional"
ANTHROPIC_BASE_URL:
description: "Optional default for ANTHROPIC_BASE_URL on agent barkley-trimsworth"
kind: "plain"
default: "https://api.minimax.io/anthropic"
requirement: "optional"
ANTHROPIC_DEFAULT_HAIKU_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_HAIKU_MODEL on agent barkley-trimsworth"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_DEFAULT_OPUS_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_OPUS_MODEL on agent barkley-trimsworth"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_DEFAULT_SONNET_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_SONNET_MODEL on agent barkley-trimsworth"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_MODEL:
description: "Optional default for ANTHROPIC_MODEL on agent barkley-trimsworth"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_SMALL_FAST_MODEL:
description: "Optional default for ANTHROPIC_SMALL_FAST_MODEL on agent barkley-trimsworth"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
API_TIMEOUT_MS:
description: "Optional default for API_TIMEOUT_MS on agent barkley-trimsworth"
kind: "plain"
default: "3000000"
requirement: "optional"
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS:
description: "Optional default for CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS on agent barkley-trimsworth"
kind: "plain"
default: "1"
requirement: "optional"
GH_CONFIG_DIR:
description: "Optional default for GH_CONFIG_DIR on agent barkley-trimsworth"
kind: "plain"
default: "$AGENT_HOME/.config/gh"
requirement: "optional"
GITHUB_APP_ID:
description: "Optional default for GITHUB_APP_ID on agent barkley-trimsworth"
kind: "plain"
default: "3141748"
requirement: "optional"
GITHUB_APP_INSTALLATION_ID:
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent barkley-trimsworth"
kind: "plain"
default: "117793367"
requirement: "optional"
GITHUB_APP_PEM_FILE:
description: "Optional default for GITHUB_APP_PEM_FILE on agent barkley-trimsworth"
kind: "plain"
default: "/secrets/groombook/groombook-engineer.pem"
portability: "system_dependent"
requirement: "optional"
flea-flicker:
role: "engineer"
icon: "code"
capabilities: "Principal software engineer responsible for core platform architecture, implementation, and technical execution."
adapter:
config:
timeoutSec: 3600
type: "claude_k8s"
runtime:
heartbeat:
enabled: true
intervalSec: 14400
maxConcurrentRuns: 1
inputs:
env:
AGENT_HOME:
description: "Optional default for AGENT_HOME on agent flea-flicker"
kind: "plain"
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/515a927a-66b6-449b-aa03-653b697b30f7/instructions"
portability: "system_dependent"
requirement: "optional"
ANTHROPIC_AUTH_TOKEN:
description: "Provide ANTHROPIC_AUTH_TOKEN for agent flea-flicker"
kind: "secret"
default: ""
requirement: "optional"
ANTHROPIC_BASE_URL:
description: "Optional default for ANTHROPIC_BASE_URL on agent flea-flicker"
kind: "plain"
default: "https://api.minimax.io/anthropic"
requirement: "optional"
ANTHROPIC_DEFAULT_HAIKU_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_HAIKU_MODEL on agent flea-flicker"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_DEFAULT_OPUS_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_OPUS_MODEL on agent flea-flicker"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_MODEL:
description: "Optional default for ANTHROPIC_MODEL on agent flea-flicker"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_SMALL_FAST_MODEL:
description: "Optional default for ANTHROPIC_SMALL_FAST_MODEL on agent flea-flicker"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHRPOIC_DEFAULT_SONNET_MODEL:
description: "Optional default for ANTHRPOIC_DEFAULT_SONNET_MODEL on agent flea-flicker"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
API_TIMEOUT_MS:
description: "Optional default for API_TIMEOUT_MS on agent flea-flicker"
kind: "plain"
default: "3000000"
requirement: "optional"
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS:
description: "Optional default for CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS on agent flea-flicker"
kind: "plain"
default: "1"
requirement: "optional"
GH_CONFIG_DIR:
description: "Optional default for GH_CONFIG_DIR on agent flea-flicker"
kind: "plain"
default: "$AGENT_HOME/.config/gh"
requirement: "optional"
GITHUB_APP_ID:
description: "Optional default for GITHUB_APP_ID on agent flea-flicker"
kind: "plain"
default: "3141748"
requirement: "optional"
GITHUB_APP_INSTALLATION_ID:
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent flea-flicker"
kind: "plain"
default: "117793367"
requirement: "optional"
GITHUB_APP_PEM_FILE:
description: "Optional default for GITHUB_APP_PEM_FILE on agent flea-flicker"
kind: "plain"
default: "/secrets/groombook/groombook-engineer.pem"
portability: "system_dependent"
requirement: "optional"
lint-roller:
role: "qa"
icon: "bug"
capabilities: "Senior QA engineer responsible for test strategy, quality assurance, bug tracking, and release validation."
adapter:
config:
timeoutSec: 3600
type: "claude_k8s"
runtime:
heartbeat:
enabled: true
intervalSec: 14400
maxConcurrentRuns: 1
inputs:
env:
AGENT_HOME:
description: "Optional default for AGENT_HOME on agent lint-roller"
kind: "plain"
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/16fa774c-bbab-4647-9f8d-24807b83a24f/instructions"
portability: "system_dependent"
requirement: "optional"
ANTHROPIC_AUTH_TOKEN:
description: "Provide ANTHROPIC_AUTH_TOKEN for agent lint-roller"
kind: "secret"
default: ""
requirement: "optional"
ANTHROPIC_BASE_URL:
description: "Optional default for ANTHROPIC_BASE_URL on agent lint-roller"
kind: "plain"
default: "https://api.minimax.io/anthropic"
requirement: "optional"
ANTHROPIC_DEFAULT_HAIKU_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_HAIKU_MODEL on agent lint-roller"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_DEFAULT_OPUS_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_OPUS_MODEL on agent lint-roller"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_DEFAULT_SONNET_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_SONNET_MODEL on agent lint-roller"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_MODEL:
description: "Optional default for ANTHROPIC_MODEL on agent lint-roller"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_SMALL_FAST_MODEL:
description: "Optional default for ANTHROPIC_SMALL_FAST_MODEL on agent lint-roller"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
API_TIMEOUT_MS:
description: "Optional default for API_TIMEOUT_MS on agent lint-roller"
kind: "plain"
default: "3000000"
requirement: "optional"
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS:
description: "Optional default for CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS on agent lint-roller"
kind: "plain"
default: "1"
requirement: "optional"
GH_CONFIG_DIR:
description: "Optional default for GH_CONFIG_DIR on agent lint-roller"
kind: "plain"
default: "$AGENT_HOME/.config/gh"
requirement: "optional"
GITHUB_APP_ID:
description: "Optional default for GITHUB_APP_ID on agent lint-roller"
kind: "plain"
default: "3141835"
requirement: "optional"
GITHUB_APP_INSTALLATION_ID:
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent lint-roller"
kind: "plain"
default: "117794928"
requirement: "optional"
GITHUB_APP_PEM_FILE:
description: "Optional default for GITHUB_APP_PEM_FILE on agent lint-roller"
kind: "plain"
default: "/secrets/groombook/groombook-qa.pem"
portability: "system_dependent"
requirement: "optional"
pawla-abdul:
role: "cmo"
icon: "target"
capabilities: "Chief Marketing & Product Officer responsible for marketing strategy, market positioning, brand management, product strategy, feature intake and prioritization (PDLC gate), product research, and public-facing content. Primary reviewer of all feature requests — returns Accept, Backlog, or Deny decisions to the CEO before any engineering work begins."
adapter:
config:
model: "claude-haiku-4-5-20251001"
type: "claude_k8s"
runtime:
heartbeat:
intervalSec: 14400
inputs:
env:
AGENT_HOME:
description: "Optional default for AGENT_HOME on agent pawla-abdul"
kind: "plain"
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/7332abb9-4f85-4f87-ba13-aa7e0d5a2963/instructions"
portability: "system_dependent"
requirement: "optional"
GH_CONFIG_DIR:
description: "Optional default for GH_CONFIG_DIR on agent pawla-abdul"
kind: "plain"
default: "$AGENT_HOME/.config/gh"
requirement: "optional"
GITHUB_APP_ID:
description: "Optional default for GITHUB_APP_ID on agent pawla-abdul"
kind: "plain"
default: "3141748"
requirement: "optional"
GITHUB_APP_INSTALLATION_ID:
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent pawla-abdul"
kind: "plain"
default: "117793367"
requirement: "optional"
GITHUB_APP_PEM_FILE:
description: "Optional default for GITHUB_APP_PEM_FILE on agent pawla-abdul"
kind: "plain"
default: "/secrets/groombook/groombook-engineer.pem"
portability: "system_dependent"
requirement: "optional"
MINIMAX_API_BASE_URL:
description: "Optional default for MINIMAX_API_BASE_URL on agent pawla-abdul"
kind: "plain"
default: "https://api.minimax.io"
requirement: "optional"
MINIMAX_API_KEY:
description: "Optional default for MINIMAX_API_KEY on agent pawla-abdul"
kind: "secret"
default: ""
requirement: "optional"
scrubs-mcbarkley:
role: "ceo"
icon: "crown"
capabilities: "CEO responsible for company strategy, product roadmap, organizational coordination, hiring, and final production merge authority. Owns the PDLC gate: routes feature requests through CMPO review, approves or denies work, and is the sole agent authorized to merge to production."
adapter:
config:
dangerouslySkipPermissions: true
maxTurnsPerRun: 300
model: "claude-sonnet-4-6"
type: "claude_local"
runtime:
heartbeat:
intervalSec: 28800
maxConcurrentRuns: 1
permissions:
canCreateAgents: true
inputs:
env:
AGENT_HOME:
description: "Optional default for AGENT_HOME on agent scrubs-mcbarkley"
kind: "plain"
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/1471aa94-e2b4-46b7-8fe7-084865d662fe/instructions"
portability: "system_dependent"
requirement: "optional"
GH_CONFIG_DIR:
description: "Optional default for GH_CONFIG_DIR on agent scrubs-mcbarkley"
kind: "plain"
default: "$AGENT_HOME/.config/gh"
requirement: "optional"
GITHUB_APP_ID:
description: "Optional default for GITHUB_APP_ID on agent scrubs-mcbarkley"
kind: "plain"
default: "3141498"
requirement: "optional"
GITHUB_APP_INSTALLATION_ID:
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent scrubs-mcbarkley"
kind: "plain"
default: "117787139"
requirement: "optional"
GITHUB_APP_PEM_FILE:
description: "Optional default for GITHUB_APP_PEM_FILE on agent scrubs-mcbarkley"
kind: "plain"
default: "/secrets/groombook/groombook-ceo.pem"
portability: "system_dependent"
requirement: "optional"
shedward-scissorhands:
role: "qa"
icon: "microscope"
capabilities: "User acceptance testing via Playwright MCP. Performs exhaustive pre-production browser evaluation — navigates every page, clicks every interactive element, walks all critical user flows, and blocks releases when defects are found."
adapter:
config:
graceSec: 15
timeoutSec: 3600
type: "claude_k8s"
runtime:
heartbeat:
enabled: true
intervalSec: 14400
maxConcurrentRuns: 1
inputs:
env:
AGENT_HOME:
description: "Optional default for AGENT_HOME on agent shedward-scissorhands"
kind: "plain"
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/22f13aec-6df2-4d24-be70-66e0abad7e12/instructions"
portability: "system_dependent"
requirement: "optional"
ANTHROPIC_AUTH_TOKEN:
description: "Provide ANTHROPIC_AUTH_TOKEN for agent shedward-scissorhands"
kind: "secret"
default: ""
requirement: "optional"
ANTHROPIC_BASE_URL:
description: "Optional default for ANTHROPIC_BASE_URL on agent shedward-scissorhands"
kind: "plain"
default: "https://api.minimax.io/anthropic"
requirement: "optional"
ANTHROPIC_DEFAULT_HAIKU_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_HAIKU_MODEL on agent shedward-scissorhands"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_DEFAULT_OPUS_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_OPUS_MODEL on agent shedward-scissorhands"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_DEFAULT_SONNET_MODEL:
description: "Optional default for ANTHROPIC_DEFAULT_SONNET_MODEL on agent shedward-scissorhands"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHROPIC_MODEL:
description: "Optional default for ANTHROPIC_MODEL on agent shedward-scissorhands"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
ANTHRPOIC_SMALL_FAST_MODEL:
description: "Optional default for ANTHRPOIC_SMALL_FAST_MODEL on agent shedward-scissorhands"
kind: "plain"
default: "MiniMax-M2.7"
requirement: "optional"
API_TIMEOUT_MS:
description: "Optional default for API_TIMEOUT_MS on agent shedward-scissorhands"
kind: "plain"
default: "3000000"
requirement: "optional"
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS:
description: "Optional default for CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS on agent shedward-scissorhands"
kind: "plain"
default: "1"
requirement: "optional"
GH_CONFIG_DIR:
description: "Optional default for GH_CONFIG_DIR on agent shedward-scissorhands"
kind: "plain"
default: "$AGENT_HOME/.config/gh"
requirement: "optional"
GITHUB_APP_ID:
description: "Optional default for GITHUB_APP_ID on agent shedward-scissorhands"
kind: "plain"
default: "3141835"
requirement: "optional"
GITHUB_APP_INSTALLATION_ID:
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent shedward-scissorhands"
kind: "plain"
default: "117794928"
requirement: "optional"
GITHUB_APP_PEM_FILE:
description: "Optional default for GITHUB_APP_PEM_FILE on agent shedward-scissorhands"
kind: "plain"
default: "/secrets/groombook/groombook-qa.pem"
portability: "system_dependent"
requirement: "optional"
the-dogfather:
role: "cto"
icon: "cpu"
capabilities: "Owns technical roadmap, architecture, engineering hiring, and execution. First engineering leader for a pet grooming platform."
adapter:
config:
effort: "high"
graceSec: 15
model: "claude-opus-4-6"
timeoutSec: 0
type: "claude_k8s"
runtime:
heartbeat:
intervalSec: 14400
maxConcurrentRuns: 1
inputs:
env:
AGENT_HOME:
description: "Optional default for AGENT_HOME on agent the-dogfather"
kind: "plain"
default: "/paperclip/instances/default/companies/d50d9792-5817-4ff5-9771-c3267ba12990/agents/2a556501-95e0-4e52-9cf1-e2034678285d/instructions"
portability: "system_dependent"
requirement: "optional"
GH_CONFIG_DIR:
description: "Optional default for GH_CONFIG_DIR on agent the-dogfather"
kind: "plain"
default: "$AGENT_HOME/.config/gh"
requirement: "optional"
GITHUB_APP_ID:
description: "Optional default for GITHUB_APP_ID on agent the-dogfather"
kind: "plain"
default: "3141591"
requirement: "optional"
GITHUB_APP_INSTALLATION_ID:
description: "Optional default for GITHUB_APP_INSTALLATION_ID on agent the-dogfather"
kind: "plain"
default: "117788845"
requirement: "optional"
GITHUB_APP_PEM_FILE:
description: "Optional default for GITHUB_APP_PEM_FILE on agent the-dogfather"
kind: "plain"
default: "/secrets/groombook/groombook-cto.pem"
portability: "system_dependent"
requirement: "optional"
company:
brandColor: "#96d35f"
logoPath: "images/company-logo.png"
sidebar:
agents:
- "scrubs-mcbarkley"
- "pawla-abdul"
- "the-dogfather"
- "barkley-trimsworth"
- "flea-flicker"
- "lint-roller"
- "shedward-scissorhands"
CLAUDE.md
+39
View File
@@ -0,0 +1,39 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## What This Repo Is
This is the **GitHub org-level configuration repository** (`groombook/.github`) for GroomBook — an open-source, self-hostable pet grooming business management platform. It contains:
- `profile/` — GitHub organization profile README and logo
- `company/` — Paperclip AI company configuration export (agent definitions, skills, projects)
There is no application code, build system, or test suite here. This repo is purely configuration and documentation.
## Related Repositories
| Repo | Purpose |
|------|---------|
| `groombook/groombook` | Primary application (TypeScript, Node.js, React, PostgreSQL) |
| `groombook/agents` | Canonical agent definitions — prompts, personas, heartbeats, adapter configs |
| `groombook/infra` | Kubernetes manifests for Flux GitOps deployment |
## Company Directory (`company/`)
This is an export from [Paperclip](https://paperclip.ing) and contains a snapshot of the agent company configuration:
- `.paperclip.yaml` — Full agent configuration (adapters, heartbeats, env vars, permissions)
- `agents/` — Per-agent directories with prompt files (AGENTS.md, SOUL.md, HEARTBEAT.md, etc.)
- `skills/` — Shared skill definitions sourced from external repos (cpfarhood, fluxcd, paperclipai)
- `projects/` — Project definitions (groombook-app, groombook-infra, groombook-org, groombook-site, onboarding)
- `COMPANY.md` — Company metadata frontmatter
The canonical source for agent configurations is the `groombook/agents` repo. The `company/` directory here is a synced export — do not treat it as the source of truth for agent prompts or configs.
## Key Policies
- **Container images**: `ghcr.io` only — no Docker Hub, no mirrors
- **Dependency updates**: Mend Renovate only — never use Dependabot
- **Versioning**: CalVer format `YYYY.MDD.PATCH` (e.g., `2026.318.0`), not SemVer
- **All PRs**: Include `cc @cpfarhood` at the bottom of the PR body
COMPANY.md
+7
View File
@@ -0,0 +1,7 @@
---
name: "GroomBook"
description: "An open source business management solution for pet groomers."
schema: "agentcompanies/v1"
slug: "groombook"
---
DEPLOYMENT_CHECKLIST.md
-277
View File
@@ -1,277 +0,0 @@
# KubeCon Campaign & Content Rollout Checklist
## March 13-27, 2026
**Status**: Awaiting GitHub auth resolution
**Ready**: 8 feature branches with 12+ social posts, 3 blog posts
**Target**: Launch March 14, continuous deployment through March 27
---
## ⚠️ BLOCKING ISSUE
**GitHub authentication not configured**
- `get-github-token.sh` requires `GITHUB_APP_ID_HUGH` environment variable
- No `gh` CLI available for fallback
- **Resolution**: Set env var OR provide GH_TOKEN OR delegate to authenticated machine
**Once Resolved**: Follow checklist below in order.
---
## PHASE 1: Git Operations (30 mins)
**Responsible**: DevOps/Engineering
**Trigger**: GitHub auth is available
- [ ] Set `GITHUB_APP_ID_HUGH` env var OR configure GH_TOKEN
- [ ] From `/paperclip/privilegedescalation/marketing/samuel/org-repo`:
```bash
git push origin social/2026-03-12-industry-commentary
git push origin social/2026-03-10-why-we-built-these
git push origin social/march-9-puretensor-batch
git push origin social/2026-03-11-slow-burn-curiosity
git push origin social/kubecon-eu-2026
git push origin content/2026-03-11-technical-changelog
git push origin docs/2026-03-13-status-report
```
- [ ] Verify all 8 branches appear in origin: `git branch -a | grep origin`
---
## PHASE 2: PR Creation (1 hour)
**Responsible**: CMO or Samuel (once auth fixed)
**Action**: Create PRs in this specific order (dependencies matter)
| # | PR Title | Branch | Depends On | Timing |
|---|----------|--------|-----------|--------|
| #14 | [social] batch: Why We Built These — problem-solution narrative | `social/2026-03-10-why-we-built-these` | — | March 17 launch |
| #15 | [social] batch: slow-burn curiosity — dashboard discovery angle | `social/2026-03-11-slow-burn-curiosity` | #14 merged | March 20 launch |
| #16 | [social] batch: March 9 releases + PureTensor community moment | `social/march-9-puretensor-batch` | #14 merged | March 19 launch |
| #17 | [content] changelog: March 9 releases technical deep-dive | `content/2026-03-11-technical-changelog` | — | Anytime |
| #18 | [docs] status report: content inventory & deployment plan | `docs/2026-03-13-status-report` | — | CMO review only |
| #20 | [social] batch: Industry commentary — ops culture hot takes | `social/2026-03-12-industry-commentary` | — | March 14 launch |
| — | KubeCon posts already exist | `social/kubecon-eu-2026` | ready to merge | March 21 launch |
**PR Creation Steps**:
```bash
# PR #14
gh pr create --title "[social] batch: Why We Built These — problem-solution narrative" \
--body "Explains the pain point each of our 6 plugins solves. Serves as context for KubeCon campaign. Ready for immediate posting."
# PR #15
gh pr create --title "[social] batch: slow-burn curiosity — dashboard discovery angle" \
--body "Evergreen posts that seed curiosity without answering. Timing: March 20-22 (pre-KubeCon momentum)."
# PR #16
gh pr create --title "[social] batch: March 9 releases + PureTensor community moment" \
--body "Celebrates our first organic star (PureTensor lab running Ceph). Ties releases to real adoption."
# PR #17
gh pr create --title "[content] changelog: March 9 releases technical deep-dive" \
--body "Technical post for users who want release details. Versioning, breaking changes, upgrade path."
# PR #20
gh pr create --title "[social] batch: Industry commentary — ops culture hot takes" \
--body "Establishes voice as operators who understand reality vs aspirations. Posts 1-3 ship immediately. Posts 4-5 risky/discuss. Posts 6-7 evergreen."
```
---
## PHASE 3: Content Review (30 mins - 1 hour)
**Responsible**: CMO
**Action**: Review PRs and approve for merge
**What to look for**:
- ✅ Voice consistency (irreverent but credible, no corporate language)
- ✅ Technical accuracy (verified against release notes)
- ✅ Platform formatting (Twitter length, LinkedIn tone, Reddit conversational)
- ✅ No legal/trademark issues
- ✅ Timing makes sense for KubeCon strategy
**Merge order**:
1. #14 (Why We Built These) — provides context for later posts
2. #20 (Industry Commentary) — establishes credibility early
3. #16 (Releases + PureTensor) — community moment, timely
4. #15 (Slow-Burn Curiosity) — builds momentum into KubeCon
5. KubeCon branch — ready when conference approaches
---
## PHASE 4: Scheduling Setup (1-2 hours)
**Responsible**: Operations/Social Media Manager
**Action**: Import posts into scheduling tool
**Tool Integration** (choose one):
- [ ] Buffer
- [ ] Hootsuite
- [ ] Twitter/X native scheduler
- [ ] Manual posting (not recommended for volume)
- [ ] Other: ___________
**Content to Import**:
**THIS WEEK (March 14-19)**
```
March 14 (Thu): Industry Commentary Post 1 — Observability Theater
March 15 (Fri): Industry Commentary Post 2 — 3-Line PR Bottleneck
March 16 (Sat): Industry Commentary Post 3 — README as Docs
March 17 (Sun): Why We Built These — Post 1 (Rook-Ceph)
March 18 (Mon): Why We Built These — Post 2 (Sealed Secrets)
March 19 (Tue): Why We Built These — Post 3 (Polaris)
+ March 9 Releases Post 1 (Rook release news)
March 20 (Wed): Why We Built These — Post 4 (Intel GPU)
+ Slow-Burn Post 1 (Dashboard discovery)
```
**KUBECON WEEK (March 21-27)**
```
March 21 (Thu): Why We Built These — Post 5 (TrueNAS CSI)
+ KubeCon Teaser Post
March 23 (Sat): KubeCon Day 1 — Rook-Ceph deep-dive
March 24 (Sun): KubeCon Day 2 — Intel GPU hot take
March 25 (Mon): KubeCon Day 3 — Sealed Secrets UX+Security
March 26 (Tue): KubeCon Day 4 — Ecosystem Thread (MARQUEE POST)
March 27 (Wed): KubeCon Recap + CTA (star the repos)
```
**Reddit Post**:
- [ ] Schedule `r/kubernetes` post for March 23 (KubeCon Day 1)
- [ ] Title: "We built 6 Headlamp plugins for Kubernetes — storage, security, GPU monitoring. All open source."
- [ ] Note: Cannot schedule Reddit posts; requires manual posting or thread bot
- [ ] Backup: Post manually at 9am PT on March 23
---
## PHASE 5: Launch Monitoring (March 14+)
**Responsible**: CMO / Samuel
**Action**: Monitor initial posts for engagement/issues
**March 14 Soft Launch**:
- [ ] Post Industry Commentary Post #1 (Observability Theater)
- [ ] Monitor for:
- Reply volume (engagement signal)
- Negative sentiment (adjust tone if needed)
- Link clicks (traffic to plugins)
- Retweets/shares (reach)
- [ ] If strong engagement: Consider bumping post frequency
- [ ] If low engagement: Debug (wrong platform? wrong time? wrong audience?)
- [ ] Document learnings in slack/comment thread
**March 21-27 KubeCon Monitoring**:
- [ ] Monitor #KubeCon hashtag for:
- Mentions of our plugins
- People asking about dashboard tools
- Competitors posting (Lens, Rancher, etc.)
- [ ] If someone mentions a pain point we solve:
- Consider quick reply with relevant plugin link
- CC Samuel for potential follow-up content
- [ ] Log all interactions for post-KubeCon report
---
## PHASE 6: Post-KubeCon Reflection (March 28+)
**Responsible**: CMO / Samuel
**Action**: Measure impact and plan next steps
**Metrics to Track**:
- [ ] Social media followers gained (Twitter, LinkedIn, Bluesky, Mastodon)
- [ ] GitHub stars added across 6 plugins
- [ ] Repository fork growth
- [ ] Website traffic (from social links)
- [ ] Mentions in r/kubernetes, r/DevOps, etc.
- [ ] Plugin adoption signals (issues filed, PRs submitted)
- [ ] Community commentary (screenshots, appreciation posts)
**Content Opportunities Emerging**:
- [ ] Did anyone deploy the plugins? (spotlight post candidate)
- [ ] Did anyone fork/modify? (community contribution moment)
- [ ] Are there feature requests? (product insight)
- [ ] Did any Kubernetes influencers mention us? (follow-up engagement)
**Prepare for Next Cycle**:
- [ ] Samuel drafts "KubeCon Reflection" blog post (what we learned)
- [ ] Next social batch topic: based on questions received during KubeCon
- [ ] Engineering: Review plugin issues/PRs for triage
---
## Risk Mitigation
**If GitHub Auth Remains Blocked Beyond March 15**:
- [ ] Delegate push/PR creation to authenticated machine
- [ ] Samuel continues drafting on local branches
- [ ] CMO manually manages PR sequence
**If KubeCon News Breaks Before March 21** (e.g., keynote announcement):
- [ ] Samuel drafts reactive/tie-in post immediately
- [ ] CMO approves and posts within 2 hours
- [ ] Works even if PR system is still blocked (emergency posting)
**If Post Engagement is Low**:
- [ ] Check posting time (might be hitting time zone wrong)
- [ ] Verify posts went live (scheduler didn't fail)
- [ ] Ask: wrong audience? wrong platform? wrong message?
- [ ] Adjust March 18+ strategy based on March 14-17 learnings
**If Mentions Are Negative**:
- [ ] Don't delete/argue
- [ ] Log the feedback
- [ ] Samuel drafts thoughtful reply (can be shared in DM or comment)
- [ ] Review whether tone was misinterpreted
---
## Success Criteria
**Minimum**:
- All 27+ posts published on schedule
- No duplicate posts
- No broken links to repos
- At least one plugin gains a new star during KubeCon week
**Ideal**:
- 500+ new Twitter followers during KubeCon week
- 10+ new stars across plugins
- At least one blog post shared by Kubernetes influencer
- At least 3 GitHub issues opened with plugin feature requests
- r/kubernetes post gets 50+ upvotes
**Excellent**:
- One plugin hits 10+ stars
- Headlamp team notices and retweets campaign
- One plugin featured in a third-party blog post or newsletter
- Real adoption reported (teams running the plugins)
---
## Communication Channels
**If Issues Arise**:
- Slack: #social-media (Samuel)
- GitHub: Comments on relevant PR
- Emergency: Direct message CMO
**Status Updates**:
- Daily: Samuel posts progress in #social-media
- End of week: Engagement summary to CMO
- Post-KubeCon: Full metrics report
---
## Files to Reference
- `/paperclip/privilegedescalation/marketing/samuel/org-repo/STATUS_REPORT_2026-03-13.md` — Full content inventory
- `/paperclip/privilegedescalation/marketing/samuel/org-repo/social/` — All drafted posts
- `/paperclip/privilegedescalation/marketing/samuel/org-repo/content/` — Blog posts
---
**Last Updated**: March 13, 2026
**Status**: Ready to execute upon GitHub auth resolution
**Owner**: Samuel (drafted), CMO (execution)
README.md
+61 -2
View File
@@ -1,3 +1,62 @@
# Privileged Escalation
# GroomBook
Org-level content, social media queue, and community responses.
> An open source business management solution for pet groomers.
![Org Chart](images/org-chart.png)
## What's Inside
> This is an [Agent Company](https://agentcompanies.io) package from [Paperclip](https://paperclip.ing)
| Content | Count |
|---------|-------|
| Agents | 7 |
| Skills | 20 |
### Agents
| Agent | Role | Reports To |
|-------|------|------------|
| Barkley Trimsworth | Engineer | the-dogfather |
| Flea Flicker | Engineer | the-dogfather |
| Lint Roller | qa | the-dogfather |
| Pawla Abdul | CMO | scrubs-mcbarkley |
| Scrubs McBarkley | CEO | — |
| Shedward Scissorhands | qa | the-dogfather |
| The Dogfather | CTO | scrubs-mcbarkley |
### Skills
| Skill | Description | Source |
|-------|-------------|--------|
| better-auth-best-practices | Configure Better Auth server and client, set up database adapters, manage sessions, add plugins, and handle environment variables. Use when users mention Better Auth, betterauth, auth.ts, or need to set up TypeScript authentication with email/password, OAuth, or plugin configuration. | [github](https://github.com/better-auth/skills) |
| better-auth-security-best-practices | Configure rate limiting, manage auth secrets, set up CSRF protection, define trusted origins, secure sessions and cookies, encrypt OAuth tokens, track IP addresses, and implement audit logging for Better Auth. Use when users need to secure their auth setup, prevent brute force attacks, or harden a Better Auth deployment. | [github](https://github.com/better-auth/skills) |
| create-auth-skill | Scaffold and implement authentication in TypeScript/JavaScript apps using Better Auth. Detect frameworks, configure database adapters, set up route handlers, add OAuth providers, and create auth UI pages. Use when users want to add login, sign-up, or authentication to a new or existing project with Better Auth. | [github](https://github.com/better-auth/skills) |
| email-and-password-best-practices | Configure email verification, implement password reset flows, set password policies, and customise hashing algorithms for Better Auth email/password authentication. Use when users need to set up login, sign-in, sign-up, credential authentication, or password security with Better Auth. | [github](https://github.com/better-auth/skills) |
| organization-best-practices | Configure multi-tenant organizations, manage members and invitations, define custom roles and permissions, set up teams, and implement RBAC using Better Auth's organization plugin. Use when users need org setup, team management, member roles, access control, or the Better Auth organization plugin. | [github](https://github.com/better-auth/skills) |
| two-factor-authentication-best-practices | Configure TOTP authenticator apps, send OTP codes via email/SMS, manage backup codes, handle trusted devices, and implement 2FA sign-in flows using Better Auth's twoFactor plugin. Use when users need MFA, multi-factor authentication, authenticator setup, or login security with Better Auth. | [github](https://github.com/better-auth/skills) |
| github-app-token | Generate a GitHub installation access token from a GitHub App PEM key, App ID, and Installation ID, write it to a per-agent file, then authenticate the gh CLI with it. | [github](https://github.com/farhoodliquor/skills) |
| minimax-image-generation | — | [github](https://github.com/farhoodliquor/skills) |
| shannon | Autonomous AI pentester for web apps and APIs. Run white-box security assessments with Shannon — analyzes source code, identifies attack vectors, and executes real exploits to prove vulnerabilities. Triggered by 'shannon', 'pentest', 'security audit', 'vuln scan'. | [github](https://github.com/farhoodliquor/skills) |
| commit-assisted-by | > | [github](https://github.com/fluxcd/agent-skills) |
| flux-controller-patch-releases | > | [github](https://github.com/fluxcd/agent-skills) |
| gitops-cluster-debug | > | [github](https://github.com/fluxcd/agent-skills) |
| gitops-knowledge | > | [github](https://github.com/fluxcd/agent-skills) |
| gitops-repo-audit | > | [github](https://github.com/fluxcd/agent-skills) |
| check-pr | > | [github](https://github.com/greptileai/skills) |
| greploop | > | [github](https://github.com/greptileai/skills) |
| paperclip-create-agent | > | [github](https://github.com/paperclipai/paperclip/tree/master/skills/paperclip-create-agent) |
| paperclip-create-plugin | > | [github](https://github.com/paperclipai/paperclip/tree/master/skills/paperclip-create-plugin) |
| paperclip | > | [github](https://github.com/paperclipai/paperclip/tree/master/skills/paperclip) |
| para-memory-files | > | [github](https://github.com/paperclipai/paperclip/tree/master/skills/para-memory-files) |
## Getting Started
```bash
pnpm paperclipai company import this-github-url-or-folder
```
See [Paperclip](https://paperclip.ing) for more information.
---
Exported from [Paperclip](https://paperclip.ing) on 2026-04-16
STATUS_REPORT_2026-03-13.md
-235
View File
@@ -1,235 +0,0 @@
# Status Report — March 13, 2026
## Content Ready for Deployment | GitHub Auth Blocker
---
## Executive Summary
**Status**: All content is drafted and committed locally. Ready to deploy immediately once GitHub auth is resolved.
-**8 feature branches** with 12+ social posts, 3 blog posts, 1 tutorial
-**KubeCon campaign** (March 23-26) fully drafted and staged
-**Blocker**: GitHub authentication preventing PR submission and branch pushes
-**Timeline**: KubeCon starts March 23 (10 days). Content needs to flow starting March 19-20 to build momentum
---
## Content Inventory
### Ready to Post (Committed on Feature Branches)
| Batch | Type | Posts | Branch | Status |
|-------|------|-------|--------|--------|
| Industry Commentary | Social | 7 posts | `social/2026-03-12-industry-commentary` | ✅ Ready |
| Why We Built These | Social | 6 posts | `social/2026-03-10-why-we-built-these` | ✅ Ready |
| March 9 Releases + PureTensor | Social | 4 posts | `social/march-9-puretensor-batch` | ✅ Ready |
| Slow-Burn Curiosity | Social | 3 posts | `social/2026-03-11-slow-burn-curiosity` | ✅ Ready |
| KubeCon EU 2026 | Social | 6 posts + Reddit | `social/kubecon-eu-2026` | ✅ Ready |
| March 9 Releases Technical Changelog | Blog | 1 post | `content/2026-03-11-technical-changelog` | ✅ Ready |
| **Total** | | **27 posts** | — | — |
### Already on Main (Merged)
- ✅ First Social Batch (7 posts) — deployed
- ✅ Intro Blog Post — deployed
---
## Recommended Rollout Schedule
**GOAL**: Build momentum into KubeCon, establish voice before conference conversation heats up.
### Timeline
**This Week (March 13-19)**
1. **March 14**: Industry Commentary Batch (Posts 1-3)
- "Observability Theater", "3-Line PR Wait", "README as Docs"
- Establishes credibility + operator perspective
- No dependencies
2. **March 17**: Why We Built These Batch (6 posts, staggered)
- Pain point education for each plugin
- Essential context before KubeCon
- Set to post daily March 17-22
**Pre-KubeCon Build-Up (March 19-22)**
3. **March 19**: March 9 Releases + PureTensor (4 posts)
- Emphasize community adoption (Rook's first star)
- Timeliness + social proof
4. **March 20-22**: Slow-Burn Curiosity (3 posts, spaced)
- Questions without answers
- Drive curiosity as people travel to Amsterdam
**KubeCon Main Event (March 23-26)**
5. **March 21-27**: KubeCon Campaign
- Daily posts during conference
- March 21: Teaser
- March 23-25: Plugin deep-dives (Rook, GPU, Secrets)
- March 26: Ecosystem thread (marquee post)
- March 27: Recap + call-to-action
---
## Blocker: GitHub Authentication
### Issue
- `get-github-token.sh` requires `GITHUB_APP_ID_HUGH` environment variable (not set)
- No `gh` CLI available as fallback
- Cannot push to remote or create PRs
- **All 8 branches are locally committed but immobile**
### Impact
- Cannot create PRs
- Cannot push branches to origin
- Content cannot be staged for automated posting
- Manual coordination required once auth is resolved
### Resolution Path
**Option 1 (Recommended)**: Set `GITHUB_APP_ID_HUGH` environment variable
- Allows automated token generation
- Restores full git workflow
**Option 2**: Provide `GH_TOKEN` with write access to `privilegedescalation/org`
- Allows immediate git push/PR creation
- No environment setup required
**Option 3**: Provide GitHub CLI (`gh`) on this machine
- Fallback authentication method
- Works with existing user credentials
**Option 4**: Delegate to CMO or maintainer
- Push branches from authenticated machine
- Create PRs via GitHub UI
- Samuel continues drafting content locally
---
## Pre-Deployment Checks
All content has been reviewed for:
- ✅ Brand voice consistency (irreverent but credible)
- ✅ No corporate language or clichés
- ✅ Technical accuracy (verified against release notes)
- ✅ Platform-specific formatting (Twitter length, LinkedIn tone, etc.)
- ✅ Strategic intent documented (why each post exists)
- ✅ No legal/trademark violations
---
## Critical Path Dependencies
1. **Auth resolution** (immediate)
2. **Push 8 branches to origin** (1-2 hours)
3. **Create 5 PRs in order** (see rollout schedule above):
- PR #14: Why We Built These
- PR #15: Slow-Burn Curiosity
- PR #16: March 9 + PureTensor
- PR #17: Technical Changelog
- PR #20: Industry Commentary
4. **Import posts into scheduling tool** (buffer/Hootsuite/etc.)
5. **Set calendar for March 14 launch**
---
## What Samuel Can Do Locally (While Blocked on Auth)
1. ✅ Draft supplementary content:
- KubeCon day-of response templates (if unexpected narratives emerge)
- Post-KubeCon metrics/reflection post (template)
- Community response templates (FAQ for plugin questions)
2. ✅ Research emerging KubeCon narratives:
- Monitor Kubernetes news/blog for themes (storage, GPU, security trends)
- Prepare optional tie-in posts if news breaks that aligns with our narrative
3. ✅ Prepare CMO brief:
- High-level KubeCon strategy doc (target accounts, key hashtags, response protocols)
- Content-to-metric mapping (what each post is supposed to drive)
4. ✅ Monitor plugin repos for emergency content:
- If any plugin gets external attention/fork during March 13-27, draft celebratory post
- If issues or PRs spike, identify community moment to spotlight
---
## Questions for CMO
1. **Scheduling tool**: What platform are we using to schedule posts? (Buffer, Hootsuite, Twitter native scheduler, manual?)
- Affects how we format the final content export
2. **Post frequency**: The schedule above assumes daily/near-daily posts March 14-26. Acceptable?
- Can adjust cadence if different platform strategy preferred
3. **Reddit strategy**: Should the KubeCon Reddit post be cross-posted to other communities? (r/DevOps, r/SRE, etc.)
- Have opt-in templates ready if yes
4. **KubeCon day-of monitoring**: Should Samuel monitor #KubeCon hashtag during March 23-26 for response opportunities?
- Ready to draft real-time replies to conference conversations if needed
---
## Next Steps
1. **Resolve GitHub auth** (CMO/Engineering)
- Provide env var, GH_TOKEN, or gh CLI
- Samuel will push 8 branches immediately upon auth
2. **Approve rollout schedule** (CMO)
- Confirm March 14 launch date
- Approve Industry Commentary batch for immediate posting
- Flag any timing adjustments needed
3. **Set up scheduling tool** (CMO/Operations)
- Import KubeCon campaign posts
- Configure automation for daily posts March 21-27
4. **Samuel continues research** (in parallel)
- Draft supplementary content (community responses, FAQ)
- Monitor for emerging KubeCon themes
- Ready to create tactical day-of posts if needed
---
## Content Quality Highlights
**Industry Commentary Batch**: Establishes voice as operators who understand the gap between aspirational documentation and actual practices. Posts 1-3 are safe/immediately postable. Posts 4-5 are edgier but worth discussing. Posts 6-7 are evergreen.
**Why We Built These Batch**: Pain-point education that builds context before KubeCon. Each post has specific use case + why we built it. Strong candidate for pre-conference posting to establish credibility.
**KubeCon Campaign**: Rides #KubeCon conversation without forcing. Mix of self-deprecation ("1 star"), technical depth, and community positioning. Marquee post (March 26 ecosystem thread) should drive meaningful traffic.
---
## Git Branch Reference
```
d05b1f5 [social] batch: Industry commentary on Kubernetes ops culture
ba5a95e [content] technical changelog: March 9 releases and updates
f15f4c1 [social] batch: slow-burn curiosity post - K8s maturity gap awareness
b00be78 [social] batch: Why We Built These — problem-solution narrative for 6 plugins
f55dc48 [social] batch: March 9 releases + PureTensor community moment
0e07503 Draft KubeCon EU 2026 social posts — 6 posts for March 21-27
```
---
## Appendix: Full Content Titles
**Social Batches**
- Industry Commentary: observability theater, maintainer bottleneck, README as docs, consolidation trap, observability checkboxes, dependency hell, platform team reality
- Why We Built These: 6 posts (one per plugin, pain point + solution)
- March 9 + PureTensor: releases news + community moment
- Slow-Burn Curiosity: "The Dashboard You Don't Know You Need" (3 platform variants)
- KubeCon: 6 posts (teaser, 3 plugin spotlights, ecosystem thread, recap) + Reddit post
**Blog Posts**
- March 9 Releases Technical Changelog: versioned feature list + upgrade guide
- (Already deployed) Intro Blog Post
---
**Status**: Ready to ship on authorization. All content is quality-checked and voice-consistent. Awaiting GitHub auth resolution and CMO schedule approval.
**Last Updated**: March 13, 2026 | Samuel
content/drafts/2026-03-07-six-headlamp-plugins-nobody-asked-for.md
-55
View File
@@ -1,55 +0,0 @@
---
title: "Six Headlamp Plugins Nobody Asked For"
date: 2026-03-07
author: Privileged Escalation
type: blog
status: draft
---
# Six Headlamp Plugins Nobody Asked For
There's a particular kind of optimism that only exists in open source. It's the belief that if you build something genuinely useful, put it on GitHub, list it on Artifact Hub, write actual documentation, and then wait — someone will eventually find it.
We're currently in the "wait" phase.
## What We Actually Built
Privileged Escalation makes [Headlamp](https://headlamp.dev/) plugins. If you don't know what Headlamp is: it's a CNCF-listed Kubernetes dashboard that was designed to be extended. If you don't know what Kubernetes is, this blog post is going to be a rough ride.
We have six plugins. Each one takes something you'd normally do with `kubectl`, a terminal, and quiet desperation, and puts it in a web UI that your teammates might actually use.
**[headlamp-polaris-plugin](https://github.com/privilegedescalation/headlamp-polaris-plugin)** — Surfaces Fairwinds Polaris audit results directly in Headlamp. Cluster score in the app bar, per-namespace breakdowns, exemption management from the UI instead of annotation YAML editing. Recently hit v0.6.0 with dark mode support, because apparently that's what it takes to be taken seriously in 2026.
**[headlamp-tns-csi-plugin](https://github.com/privilegedescalation/headlamp-tns-csi-plugin)** — TrueNAS CSI driver visibility and storage benchmarking via kbench. If you've ever wondered whether your NFS share is actually performing the way iX Systems promised, this is the plugin that tells you the uncomfortable truth.
**[headlamp-rook-plugin](https://github.com/privilegedescalation/headlamp-rook-plugin)** — Rook-Ceph cluster health, pool status, and CSI driver monitoring. For people who chose distributed storage and now live with the consequences.
**[headlamp-sealed-secrets-plugin](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin)** — Bitnami Sealed Secrets management with client-side RSA-OAEP and AES-256-GCM encryption. Your plaintext never leaves the browser. We're fairly proud of this one, which is why it hurts that it has zero stars.
**[headlamp-intel-gpu-plugin](https://github.com/privilegedescalation/headlamp-intel-gpu-plugin)** — Intel GPU device visibility and resource monitoring. For the subset of people running Intel GPUs in Kubernetes, which is a smaller group than Intel's marketing department would like.
**[headlamp-kube-vip-plugin](https://github.com/privilegedescalation/headlamp-kube-vip-plugin)** — kube-vip virtual IP and load balancer visibility. Because sometimes you just need to know if the VIP is actually where it's supposed to be.
## Why Headlamp Plugins
The Kubernetes dashboard space is... let's call it "stratified." There are expensive commercial options that do everything. There are free options that do almost nothing. And then there's Headlamp, which does a reasonable amount and lets you extend it.
We chose the extension path. Every plugin installs through Headlamp's native plugin system — no separate deployments, no new URLs to bookmark, no "please also install this sidecar that needs its own RBAC." You add a plugin and it appears in the sidebar. That's it.
This matters because the alternative is what most teams actually do: they `kubectl` their way through everything, pipe JSON through `jq`, and call it observability. It works. It's also miserable if you're trying to onboard anyone who doesn't have muscle memory for `kubectl get pods -n rook-ceph -o jsonpath='{.items[*].status.phase}'`.
## The Honest Part
We launched all six plugins in the same week. Combined star count across all repos: zero. Combined fork count: one, and we're not entirely sure it was intentional.
Our CI is sometimes in a state that could charitably be described as "aspirational." We filed a bug against ourselves about E2E tests that have never passed because we haven't set up the test infrastructure yet. We committed LICENSE badges to READMEs before we committed the actual LICENSE files.
This is normal. This is what early open source looks like before the narrative gets cleaned up. We'd rather be honest about it than pretend we emerged fully formed with 200 stars and a contributor covenant.
## What's Next
We're working on getting every plugin listed on Artifact Hub with proper metadata, fixing the CI pipelines that are currently failing for reasons ranging from "missing secrets" to "format check disagreements," and writing the kind of documentation that makes people confident enough to actually install something.
If you run Headlamp and any of these plugins sound useful, try one. If something breaks, file an issue. If it works and you like it, a star would be nice. We're not above admitting that.
All plugins are Apache-2.0 licensed. All repos are at [github.com/privilegedescalation](https://github.com/privilegedescalation).
images/company-logo.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 51 KiB

privilegedescalation-logo.jpg
BIN
View File
Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 63 KiB

profile/groombook-logo.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.2 MiB

projects/groombook-app/PROJECT.md
+6
View File
@@ -0,0 +1,6 @@
---
name: "GroomBook App"
description: "This git repository is the primary GroomBook Application source code and associated build artifacts."
---
This git repository is the primary GroomBook Application source code and associated build artifacts.
projects/groombook-infra/PROJECT.md
+6
View File
@@ -0,0 +1,6 @@
---
name: "GroomBook Infra"
description: "This repository is the infrastructure associated with the development and production/demo instances of GroomBook. It is a target gitrepository of a 2 step Flux GitOps process that is triggered from an external kubernetes cluster management repository."
---
This repository is the infrastructure associated with the development and production/demo instances of GroomBook. It is a target gitrepository of a 2 step Flux GitOps process that is triggered from an external kubernetes cluster management repository.
projects/groombook-org/PROJECT.md
+6
View File
@@ -0,0 +1,6 @@
---
name: "GroomBook Org"
description: "This repository houses the organization level GitHub Pages as well as shared GitHub Actions."
---
This repository houses the organization level GitHub Pages as well as shared GitHub Actions.
projects/groombook-site/PROJECT.md
+6
View File
@@ -0,0 +1,6 @@
---
name: "GroomBook Site"
description: "This repository houses the primary GitHub Pages based site for the GroomBook Platform."
---
This repository houses the primary GitHub Pages based site for the GroomBook Platform.
projects/onboarding/PROJECT.md
+4
View File
@@ -0,0 +1,4 @@
---
name: "Onboarding"
---
skills/coding-standards/SKILL.md
+62
View File
@@ -0,0 +1,62 @@
---
name: coding-standards
description: >
Engineering quality bar for GroomBook code: priority ordering of correctness
vs. clarity vs. maintainability vs. performance vs. elegance, PR and test
requirements, no-hardcoded-values rules, branch discipline, and the no-self-
merge contract.
---
# Coding Standards
These rules apply to any GroomBook agent that writes, reviews, or merges code.
## Priority ordering
When making technical decisions, prioritize in this order:
1. **Correctness** — does it work? Does it handle edge cases? Have you proven it, not assumed it?
2. **Clarity** — will another engineer understand this without context in 6 months?
3. **Maintainability** — will it be safe to change?
4. **Performance** — fast enough for the use case? Profile before optimizing.
5. **Elegance** — nice if free; never trade any of the above for it.
## Pull request discipline
* All changes go through a PR. **Never push directly to `dev`, `uat`, or `main`.**
* No agent merges their own PR.
* Always include `cc @cpfarhood` at the bottom of the PR body for visibility (not as a reviewer).
## Test requirements
* **Every PR must include tests** for new code paths. No exceptions for "small" changes.
* Run unit tests, type check, and lint locally (or rely on CI) **before** requesting review.
* A PR without passing tests does not get approval.
* New code paths require coverage. No coverage = no approval.
## Code review tone
Hold a high bar. PRs with obvious mistakes, missing tests, hardcoded values, or policy violations get firm, specific review comments citing what's wrong and what the fix is. Cite the file and line. Suggest the fix when you know it. Don't sugarcoat — but be professional and constructive. "This looks wrong" is not a review comment.
## Hardcoded values
* **Colors** use CSS variables / theme tokens. Never raw hex in components.
* **Strings** use constants or i18n. No magic strings.
* **Numbers** that aren't trivially obvious go in named constants.
* **No magic numbers** in business logic.
## Secrets in code
Secrets never touch source. See the `safety` skill for the SealedSecrets workflow. If your implementation requires a Kubernetes secret you cannot create, file an issue for the agent who owns the SealedSecrets workflow rather than committing a plaintext value.
## Releases and versioning
All releases use CalVer (`YYYY.MMDD.PATCH`, e.g. `2026.0504.0`). No SemVer, no custom schemes.
## Container images
Push to `ghcr.io` only. Never Docker Hub for first-party images.
## When uncertain
If a code-quality call isn't covered above and you can't decide cleanly, escalate to the CTO via comment rather than guessing.
skills/safety/SKILL.md
+31
View File
@@ -0,0 +1,31 @@
---
name: safety
description: >
Non-negotiable safety rules for all GroomBook agents. Covers secret handling,
destructive-action gating, the SealedSecrets workflow, kubectl scope limits,
and the escalation protocol when an action's safety is uncertain.
---
# Safety
The following rules apply to every GroomBook agent without exception.
## Non-negotiable rules
* **Never exfiltrate secrets or private data.** This includes API keys, tokens, PEM files, database credentials, kubeconfig contents, and any value sourced from a secret reference in your adapter config. Never log, comment, or return these values in any output — including PR descriptions, issue comments, and chat responses.
* **Seek board approval before destructive actions.** "Destructive" means: deleting resources, dropping tables, wiping namespaces, force-pushing branches, resetting git history, removing secrets, or any operation that cannot be undone without restoring from backup. Use `request_board_approval` and set the source issue to `blocked` until approved.
* **Never commit plaintext secrets.** Kubernetes secrets go through Bitnami Sealed Secrets (`kubeseal`). Application credentials go in environment variables injected at runtime — never hardcoded in source.
* **Never `kubectl apply` against production (`groombook`).** The production namespace is Flux-managed. Manifest changes go through a PR to `groombook/infra` and are reconciled by Flux. The `groombook-dev` and `groombook-uat` namespaces permit direct kubectl use for iteration; secrets at every environment still follow the SealedSecrets pattern.
* **Never `kubectl create secret` in production.** All secrets — at every environment — go through SealedSecrets, encrypted with `kubeseal`, committed as `SealedSecret` resources to `groombook/infra`.
* **Never bypass the merge gate.** No self-merging PRs. No pushing directly to `dev`, `uat`, or `main`. Every change goes through a PR with the reviews required by the `sdlc` skill.
* **Never run `tofu` directly.** Terraform / OpenTofu goes through the Flux OpenTofu Controller via a PR to `groombook/infra`.
## If you are unsure
If you are unsure whether an action is safe, **stop**. Post a comment on the Paperclip issue explaining what you are about to do and why you are uncertain, set the issue to `blocked`, and escalate to your manager. Do not guess.
skills/sdlc/SKILL.md
+225
View File
@@ -0,0 +1,225 @@
---
name: sdlc
description: >
Software development lifecycle for GroomBook. Covers GitHub authentication,
branch strategy across Dev/UAT/Prod, the four-phase SDLC pipeline with
product analysis intake, PR review and merge policy, the handoff protocol,
status semantics, infrastructure layout, the canonical tools list, the
GitHub-origin issue board-approval gate, the cc-cpfarhood visibility rule,
the scheduled penetration testing program, and delegation model tier policy.
---
# Software Development Lifecycle
## GitHub authentication
**Invoke the `github-app-token` skill** before any GitHub operation. It generates a short-lived installation token and sets `GH_TOKEN`. **Never** run `gh auth login` — it hangs headless agents. Token expires after ~1 hour; re-invoke to regenerate.
GitHub is the **primary source of truth**. Every Paperclip issue should have a corresponding GitHub issue (create one if missing). Both stay open until the work is completed, reviewed, approved, merged, and QA-verified.
## GitHub-origin issue policy — board approval required
If a task originated from GitHub (`originKind: "github"`), **do not begin work**. Immediately create a board approval:
```
POST /api/companies/{companyId}/approvals
{
"type": "request_board_approval",
"requestedByAgentId": "{your-agent-id}",
"issueIds": ["{issueId}"],
"payload": {
"title": "Board approval required: GitHub issue",
"summary": "Summarize what the GitHub issue requests.",
"recommendedAction": "Approve to begin work.",
"risks": ["Work begins without board review if approved."]
}
}
```
Set the issue to `blocked` with a comment linking to the approval. Only proceed once `PAPERCLIP_APPROVAL_ID` is set and `PAPERCLIP_APPROVAL_STATUS` indicates approval.
## Branch strategy
Three long-lived branches map to the three deployment environments:
| Branch | Environment | Who merges |
|--------|-------------|-----------|
| `dev` | Dev | CTO (after QA approval) |
| `uat` | UAT | CTO (promotes `dev``uat`) |
| `main` | Production | CEO (promotes `uat``main`) |
**Engineers always target `dev`** — never `uat` or `main` directly. Feature branches: `<agent-name>/<short-description>`.
## Pull requests
All changes happen via pull request. Always include `cc @cpfarhood` at the bottom of the PR body for visibility — never as a reviewer.
```bash
gh pr create --base dev --title "..." --body "... cc @cpfarhood"
```
## PR review & merge policy
### Dev branch (`dev`)
- **QA** (Lint Roller) reviews the PR. Approve → hand to CTO. Fail → back to engineer directly with exact details.
- **CTO** (The Dogfather) reviews. Approve → CTO merges the `dev` PR. Fail → back to engineer.
### UAT branch (`uat`)
- **CTO** opens and merges a `dev``uat` PR.
### Main branch (`main`)
- **CEO** (Scrubs McBarkley) reviews and merges the `uat``main` PR.
`@cpfarhood` is cc'd for visibility on all PRs — never as a reviewer.
## SDLC pipeline
### Phase 0 — Product analysis (feature intake)
* Feature requests arrive at the CEO via Paperclip or GitHub Issues.
* CEO delegates to CMPO (Pawla Abdul) for review.
* CMPO returns one of three decisions:
* **Accepted** → CEO routes to CTO for work breakdown.
* **Backlogged** → CEO handles prioritization.
* **Denied** → CEO closes as unplanned.
* CTO breaks accepted work into atomic tasks and assigns to Engineering.
### Phase 1 — Dev
1. **Engineer** (Flea Flicker) branches from `dev`, writes code. GitOps deploys to dev on demand.
2. **Engineer** opens a PR against `dev`. CI must pass.
3. **QA (Lint Roller)** reviews the PR. Fail → back to engineer.
4. QA approves and hands off to CTO.
5. **CTO (The Dogfather)** reviews the PR. Fail → back to engineer.
6. **CTO** merges the dev PR.
7. **CI** builds and deploys automatically to Dev (`https://dev.groombook.dev`).
### Phase 2 — UAT promotion
8. **CTO** opens and merges a PR from `dev` to `uat`.
9. **CI** builds and deploys automatically to UAT (`https://uat.groombook.dev`).
10. **CTO** creates a UAT regression task for **Shedward Scissorhands** immediately after promoting.
### Phase 3 — UAT testing & security
11. **UAT (Shedward Scissorhands)** runs full regression against UAT — every feature, no exceptions.
12. UAT fail → CTO redistributes to engineer (return to Phase 1).
13. UAT pass → **Security Engineer (Barkley Trimsworth)** performs a security code review of the changes.
14. Security fail → CTO redistributes to engineer (return to Phase 1).
### Phase 4 — Production
15. Security pass → **CEO (Scrubs McBarkley)** reviews and merges the production PR (`uat → main`). Fail → back to CTO.
16. **CI** deploys automatically to Production (`https://demo.groombook.dev`).
### Hierarchy rules
* CTO rejections at Dev go directly to the engineer (not back through QA).
* UAT failures (Shedward) go to CTO — CTO cascades to engineer.
* Security failures (Barkley) go to CTO — CTO cascades to engineer.
* CEO rejections at Prod go to CTO.
> **Penetration testing.** Barkley performs scheduled penetration testing against Production (`demo.groombook.dev`) and Demo independently of the PR workflow. Board-authorized; not triggered per-PR. Findings get filed as Paperclip issues with severity (`CRITICAL` / `HIGH` / `MEDIUM` / `LOW`) and routed to CTO for engineer redistribution.
## Delegation model tier
When creating subtasks for other agents, set `modelProfile: "cheap"` only for:
- Mechanical refactors or repetitive operations
- Basic information lookups
- Well-specified, bounded updates
Leave `modelProfile` unset for anything requiring judgment, reasoning, or QA review.
When in doubt, leave it unset.
## Handoff protocol — mandatory
Every handoff to another agent requires ALL THREE steps:
### 1. Explicit assignment
`PATCH /api/issues/{id}` with `assigneeAgentId: "<target-agent-uuid>"`. Mentioning is NOT a handoff — the agent won't wake without explicit assignment.
### 2. Status = `todo`
Every handoff sets `status: "todo"`. Never `in_review`, never `backlog` — both are invisible in inbox-lite and the receiver won't wake.
### 3. Release checkout
```
POST /api/issues/{issueId}/release
Headers: Authorization: Bearer $PAPERCLIP_API_KEY, X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID
```
Without this release, the receiving agent cannot check out the issue.
**Saying you are reassigning a task is NOT the same as reassigning it.** Verify the PATCH succeeded (200) before posting a comment claiming the handoff is done.
## Infrastructure
* **Production / Demo:** namespace `groombook`, FQDN `demo.groombook.dev`
* **UAT:** namespace `groombook-uat`, FQDN `uat.groombook.dev`
* **Dev:** namespace `groombook-dev`, FQDN `dev.groombook.dev`
* **Cluster:** Kubernetes — cluster-wide read; read/write on `groombook-dev` and `groombook-uat`; read-only on `groombook` (production).
* **Gateways:** `istio-external` (publicly accessible) and `istio-internal` (internal only) in `gateway-system`.
* **Container registry:** `ghcr.io/groombook/<service>` only.
## Authentication
* **Framework:** Better-Auth.
* **Social login:** Google and Apple OAuth.
* **SSO:** Authentik OIDC at `https://auth.farh.net` (credentials in `authentik-credentials` secret).
* **Never build custom authentication.**
## Deployment — 2-stage Flux GitOps
**Stage 1 — CI (GitHub Actions, runs in each application repo):**
- Triggered automatically on every merge to `main`
- Builds and tags the Docker image
- Pushes tagged images to `ghcr.io/groombook/<service>`
**Stage 2 — GitOps (Flux, managed externally):**
- Flux watches `groombook/infra` as the **target** GitRepository — it is **not** a Flux bootstrap/cluster repo.
- Reconciles Kustomize overlays: `apps/overlays/dev``groombook-dev`, `apps/overlays/uat``groombook-uat`, `apps/overlays/prod``groombook`.
**Policy — Flux Image Tag Automation is DENIED.** Do NOT use `ImageRepository`, `ImagePolicy`, or `ImageUpdateAutomation` Flux resources. Image tag updates must be made intentionally via a PR to `groombook/infra`.
**To deploy a change:**
1. Merge code to `main` in the app repo — CI builds and pushes a new image automatically.
2. Open a PR against `groombook/infra` to update the relevant overlay; merge after kustomize CI passes.
3. Flux reconciles `groombook/infra` on merge and rolls out the updated pods.
**To force a rollout** (pick up new `:latest` on stuck pods):
```bash
kubectl rollout restart deployment/<name> -n <namespace>
```
## Infrastructure as Code
Terraform / OpenTofu is deployed via the **Flux OpenTofu Controller** in a GitOps fashion. Submit configurations via a PR to `groombook/infra` — the tofu controller reconciles them on merge.
**Never run `tofu` directly.** Never `kubectl apply` against production. Production changes go through Flux only.
## Tools (canonical, not alternatives)
These are the only acceptable choices — alternatives are policy violations:
* **Secret management:** Bitnami Sealed Secrets Controller — no plain Kubernetes secrets.
* **Database:** CloudNativePG Operator (Postgres) — no SQLite, MariaDB, or MySQL.
* **Cache / pub-sub:** DragonflyDB Operator — no Redis.
* **Authentication:** Better-Auth + Google + Apple + Authentik (see Authentication section). Never build custom auth.
* **Dependency updates:** Mend Renovate. **Dependabot is not used and will not be used.**
* **Container registry:** `ghcr.io/groombook/<service>` — no Docker Hub for first-party images.
If a task requires deviating from any of the above, treat it as a destructive action: stop, file an issue with rationale, request board approval.
## External communication
When communicating in any context visible outside the GroomBook agent team (external users, human reviewers, non-agent entities), include `cc @cpfarhood` for visibility — never as a reviewer.
## No self-merge
No agent merges their own PR. The merger is always the next role up the SDLC ladder (CTO for `dev` and `uat`, CEO for `main`).
social/queue/2026-03-07-first-batch.md
-85
View File
@@ -1,85 +0,0 @@
# Social Media Batch - 2026-03-07
## Strategic Summary
First-ever social batch for Privileged Escalation. The org has 6 Headlamp plugins across storage, security, and infrastructure -- all freshly released, all at zero stars. The play here is name recognition and curiosity: make people encounter "Privileged Escalation" in their feed and wonder what it is before they click. Leading with the sealed-secrets plugin (client-side crypto angle) and the absurdity of launching 6 plugins to zero fanfare.
---
## 1. Ready to Post
### Post 1
**Platform**: Twitter/X
**Post**:
We shipped 6 Kubernetes Headlamp plugins and nobody noticed.
Storage benchmarking, Rook-Ceph visibility, Polaris auditing, Sealed Secrets with actual client-side encryption, Intel GPU monitoring, and kube-vip dashboards.
Zero stars across the board. We are crushing it.
github.com/privilegedescalation
**CMO Note**: Self-deprecating launch acknowledgment. The honesty about zero stars is the hook -- it reads as human, not corporate. Links to the org for curious clicks.
---
### Post 2
**Platform**: Bluesky
**Post**:
the sealed secrets headlamp plugin does client-side RSA-OAEP + AES-256-GCM encryption so your plaintext never leaves the browser.
someone forked it last month. we have our first user. or our first person who accidentally clicked fork. either way, we are celebrating.
**CMO Note**: Technical specificity makes it credible. The fork joke (sm-moshi, Feb 22) is real and plays well on Bluesky's irony-friendly audience. Seeds curiosity about what Headlamp plugins are.
---
### Post 3
**Platform**: Mastodon
**Post**:
Genuine question for the fediverse: if you have 6 open source projects and zero stars on any of them, are you a software company or just a guy with a lot of repos?
Asking for a friend. The friend is github.com/privilegedescalation.
**CMO Note**: Mastodon audience appreciates self-aware humor. This is pure slow-burn -- raises the question of what Privileged Escalation is without explaining it. The link is there for anyone curious enough to click.
---
## 2. Risky but Worth Discussing
### Post 4
**Platform**: Twitter/X
**Post**:
Every Kubernetes UI either costs money or looks like it was designed during a mass layoff event.
We've been building Headlamp plugins that make the free one actually useful. Rook-Ceph dashboards, Polaris auditing, storage benchmarks -- the stuff you duct-tape together with kubectl and regret.
github.com/privilegedescalation
**CMO Note**: Mildly spicy take on the K8s UI landscape. Does not name competitors directly but the implication is clear. Could rub Lens/Rancher people the wrong way. Worth discussing tone.
---
## 3. Backlog (Evergreen)
### Post 5
**Platform**: LinkedIn
**Post**:
We just audited our own GitHub repos and found that 4 out of 6 were missing LICENSE files.
They all had Apache-2.0 badges in the README. The actual license text? Not present. Technically, anyone using our code was operating on vibes and good faith.
Fixed now. But if your open source project has a license badge and no LICENSE file, maybe go check. We'll wait.
**CMO Note**: Honest product personality at work. Admitting a real flaw (that we just fixed) builds trust and is genuinely useful advice. LinkedIn audience will share practical open source governance content.
---
### Post 6
**Platform**: Twitter/X
**Post**:
TIL "Privileged Escalation" as a GitHub org name gets flagged by approximately zero security scanners.
We checked.
**CMO Note**: Pure name recognition play. The org name is inherently memorable and slightly provocative -- leaning into that. Short enough for easy engagement.