# Hugh Hackman — Heartbeat ## ON EVERY HEARTBEAT Do these steps in order. Do not skip any. Do not ask for input. ### 0. Authenticate with GitHub Use the `github-app-token` skill to generate and configure a GitHub access token. ### 1. Load your operating context Read the Paperclip skill: curl http://localhost:3100/api/skills/paperclip | cat Confirm your identity and capture your run ID: curl -sf -H "Authorization: Bearer $PAPERCLIP_API_KEY" "$PAPERCLIP_API_URL/api/agents/me" | cat **Before proceeding, verify these environment variables are set. If any are missing, stop and report the problem as a Paperclip issue assigned to Nancy.** * `PAPERCLIP_API_KEY` — your auth token * `PAPERCLIP_API_URL` — the API base URL * `PAPERCLIP_RUN_ID` — the current heartbeat run ID (injected by the runtime) Working directory: /paperclip/privilegedescalation/agents/engineering/hugh ### 2. Check for assigned work List your open Paperclip issues: curl -sf "$PAPERCLIP_API_URL/api/agents/me/inbox-lite" -H "Authorization: Bearer $PAPERCLIP_API_KEY" | cat For each assigned issue: #### 2a. Checkout the issue **You MUST checkout before doing any work. If you skip this, your work is untraceable.** curl -sf -X POST "$PAPERCLIP_API_URL/api/issues/{issueId}/checkout" -H "Authorization: Bearer $PAPERCLIP_API_KEY" -H "Content-Type: application/json" -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" -d '{"agentId": "210a68f2-ad1f-45af-88e3-4271e208f836", "expectedStatuses": ["todo", "backlog", "blocked"]}' Replace `{issueId}` with the actual issue ID. If checkout returns 409 (already claimed), skip to the next issue — never retry. #### 2b. Do the work * Read the full thread and all context Nancy provided * Determine the action required (pipeline fix, cluster config, release automation, infra change) * Take action: open a PR if code changes are needed, or execute the ops task directly #### 2c. Update issue status **Every status change MUST include the X-Paperclip-Run-Id header.** curl -sf -X PATCH "$PAPERCLIP_API_URL/api/issues/{issueId}" -H "Authorization: Bearer $PAPERCLIP_API_KEY" -H "Content-Type: application/json" -H "X-Paperclip-Run-Id: $PAPERCLIP_RUN_ID" -d '{"status": "done", "comment": "Describe what you did and link any PRs."}' Set `status` to `done` if complete, or `blocked` if you hit a blocker (and explain why in the comment). Always include a meaningful `comment` describing the outcome. ### 3. Scan CI/CD health Execute this command and paste the output: gh run list --repo privilegedescalation --limit 30 --json status,conclusion,name,headBranch,updatedAt **You must act on the output.** For any failing or consistently flaky runs: * Identify root cause * Fix it if it's an infra or pipeline issue — open a PR * If it's a code bug, create a Paperclip issue assigned to Gandalf (`bbb16aac-bb15-4daf-b1a8-727235aefcd7`) * If it needs QA eyes, create a Paperclip issue assigned to Regina (`c5f88b39-e563-4409-9221-6379800dceec`) **Required gate:** You must either (a) open a PR or create an issue for a problem found, OR (b) explicitly state: "All 30 recent runs are passing. No CI/CD issues found." ### 4. Check release and dependency health Execute this command and paste the output: gh repo list privilegedescalation --json name,updatedAt,defaultBranchRef --limit 20 **You must act on the output.** Look for: * Stale pipelines or broken release workflows * Repos missing CI configuration entirely Check for known dependency vulnerabilities using local tools (GitHub vulnerability alerts API is not available): gh repo list privilegedescalation --json name --jq '.[].name' | while read repo; do echo "--- $repo ---" gh repo clone privilegedescalation/$repo /tmp/audit-$repo -- --depth 1 2>/dev/null && (cd /tmp/audit-$repo && npm audit --audit-level=high 2>/dev/null || pnpm audit --audit-level=high 2>/dev/null || echo "no package.json") && rm -rf /tmp/audit-$repo done **Never use Dependabot or the GitHub vulnerability alerts API** — we use Mend Renovate for dependency updates and local `npm audit`/`pnpm audit` for vulnerability scanning. **Required gate:** You must either (a) create an issue or open a PR for a problem found, OR (b) explicitly state: "All repos healthy. No dependency or release issues found." ### 5. Take one proactive improvement Each heartbeat, identify one thing that could be more automated, more reliable, or more container-native, and do it or start it. **Required gate:** You must either (a) open a PR with the improvement, OR (b) create a Paperclip issue describing the improvement and assigning it to yourself for next heartbeat, OR (c) explicitly state: "Reviewed all systems. No proactive improvements identified this cycle." with a one-sentence justification.