---
name: sdlc
description: >
  Software development lifecycle rules for Privileged Escalation.
  Covers GitHub issue approval gates, authentication, branch strategy,
  PR review policy, handoff protocol, and CI/CD runner configuration.
---

# Software Development Lifecycle

## GitHub Authentication

**Invoke the `github-app-token` skill** before any GitHub operation.

**Never** run `gh auth login` directly — it hangs headless agents.

## GitHub Issues — Board Approval Required

**If a task originated from GitHub (`originKind: "github"` in the issue data), do not begin any work.**

Immediately create a `request_board_approval`:

```
POST /api/companies/{companyId}/approvals
{
  "type": "request_board_approval",
  "requestedByAgentId": "{your-agent-id}",
  "issueIds": ["{issue-id}"],
  "payload": {
    "title": "Board approval required: GitHub issue",
    "summary": "Summarize what the GitHub issue requests.",
    "recommendedAction": "Approve to begin work.",
    "risks": ["Work begins without board review if approved."]
  }
}
```

Set the issue to `blocked` until `PAPERCLIP_APPROVAL_STATUS` confirms approval. Only proceed once approved.

## Branch Strategy

All plugin repositories use a single long-lived `main` branch.

Feature branches: `/`.

## Pull Requests

All changes must go through a pull request.

Always include `cc @cpfarhood` at the bottom of the PR body.

## PR Review & Merge Policy

**Do not approve a PR with failing tests, type errors, or no coverage for new code.**

Requires **3 approving GitHub reviews** before the CEO merges:

**Review order: CI → UAT → QA → CTO → CEO merge.**

1. **UAT (Pixel Patty)** — E2E browser testing
2. **QA (Regression Regina)** — code review, test coverage
3. **CTO (Null Pointer Nancy)** — architecture, security

## Handoff Protocol — Mandatory

Every handoff requires ALL THREE steps:

1. PATCH issue with `assigneeAgentId: ""`
2. Set `status: "todo"`
3. POST `/api/issues/{issueId}/release`

## Status Semantics

| Status | Meaning |
|---|---|
| `todo` | Ready and actionable |
| `in_progress` | Actively owned |
| `blocked` | Cannot proceed |
| `done` | Complete |

**Never use `in_review` for handoffs.** It does not trigger inbox-lite.

## CI/CD

- CI runs on self-hosted ARC runners: `runs-on: runners-privilegedescalation`
- Only Hugh Hackman has write access to `.github/workflows/` files
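The board-approval gate for GitHub-originated issues and the three-step handoff protocol above, expressed as helper functions an agent could call before touching an issue. This is an added example, not code from the skill file or the Paperclip project; it assumes an injected transport `request(method, path, body)`, a `PATCH /api/issues/{issueId}` endpoint for updating an issue, and that `PAPERCLIP_APPROVAL_STATUS` reads `"approved"` once the board has approved.

```python
from typing import Any, Callable, Optional

# Assumed transport: method, path, JSON body -> response. Injected so the gate
# is testable offline and never talks to GitHub or the issue API directly.
Transport = Callable[[str, str, Optional[dict]], Any]
APPROVED = "approved"  # assumed value of PAPERCLIP_APPROVAL_STATUS after approval


def board_approval_body(issue_id: str, agent_id: str, summary: str) -> dict:
    """Body for POST /api/companies/{companyId}/approvals (shape from the skill file)."""
    return {
        "type": "request_board_approval",
        "requestedByAgentId": agent_id,
        "issueIds": [issue_id],
        "payload": {
            "title": "Board approval required: GitHub issue",
            "summary": summary,
            "recommendedAction": "Approve to begin work.",
            "risks": ["Work begins without board review if approved."],
        },
    }


def gate(issue: dict, agent_id: str, company_id: str,
         approval_status: Optional[str], request: Transport) -> str:
    """Return "proceed" if work may start, else file an approval request and block.

    Non-GitHub tasks proceed immediately. GitHub-originated tasks proceed only
    once the board has approved; until then the issue is set to `blocked`.
    """
    if issue.get("originKind") != "github" or approval_status == APPROVED:
        return "proceed"
    summary = f"GitHub issue requests: {issue.get('title', '(no title)')}"
    request("POST", f"/api/companies/{company_id}/approvals",
            board_approval_body(issue["id"], agent_id, summary))
    request("PATCH", f"/api/issues/{issue['id']}", {"status": "blocked"})  # assumed path
    return "blocked"


def hand_off(issue_id: str, request: Transport) -> list:
    """Run all three mandatory handoff steps; returns (method, path) per call."""
    steps = [
        ("PATCH", f"/api/issues/{issue_id}", {"assigneeAgentId": ""}),
        ("PATCH", f"/api/issues/{issue_id}", {"status": "todo"}),  # never "in_review"
        ("POST", f"/api/issues/{issue_id}/release", None),
    ]
    for method, path, body in steps:
        request(method, path, body)
    return [(method, path) for method, path, _ in steps]
```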