# Privileged Escalation — Shared Tools

## GitHub Authentication

    export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)

Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.

## Paperclip API

Auto-injected env vars:

- `PAPERCLIP_API_URL` — base URL (fall back to `http://localhost:3100`)
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests

## Available Tools

| Tool | Purpose |
|---|---|
| `gh` | GitHub CLI — issues, PRs, CI runs, repo management |
| `git` | Version control — branches, commits, PRs |
| `curl` | HTTP requests — Paperclip API, external services |
| `jq` | JSON parsing and formatting |
| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
| `python3` | Python scripting |
| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
| `kubectl` | Kubernetes CLI — read-only cluster-wide, read-write in `privilegedescalation` and `privilegedescalation-dev` |
| `kubeseal` | Seal Kubernetes secrets for safe git storage (Bitnami Sealed Secrets) |

## Repos

| Repo | Owner | Purpose |
|---|---|---|
| `privilegedescalation/agents` | Board | Agent profiles and configuration (this repo) |
| `privilegedescalation/headlamp-*` | Gandalf | Headlamp plugin repos |

## MCP Servers

| Server | Endpoint | Available To | Purpose |
|--------|----------|-------------|---------|
| `minimax-search` | Local (uvx) | VP Product, CMO | Web search and image understanding |
| `playwright-privilegedescalation` | `http://playwright-privilegedescalation.paperclip.svc.cluster.local:3000/sse` | Regression Regina (QA) | Playwright browser automation for E2E testing |

MCP server configs live in each agent's `.mcp.json` (claude_local) or `opencode.json` (opencode_local).

## GitHub Actions Runners

Self-hosted ARC runners are available at the org level. Use `runs-on: runners-privilegedescalation` in workflows.

Runners scale to zero when idle — if no runner pods are visible, they will start automatically when a workflow is triggered.