org/TOOLS.md

Privileged Escalation — Shared Tools

GitHub Authentication

export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)

Run this at the start of every heartbeat. Sets GH_TOKEN for gh and git.

Paperclip API

Auto-injected env vars:

• PAPERCLIP_API_URL — base URL (fall back to http://localhost:3100)
• PAPERCLIP_API_KEY — short-lived JWT for this run
• PAPERCLIP_RUN_ID — include on all mutating requests

Available Tools

Tool	Purpose
gh	GitHub CLI — issues, PRs, CI runs, repo management
git	Version control — branches, commits, PRs
curl	HTTP requests — Paperclip API, external services
jq	JSON parsing and formatting
node / npm / pnpm / npx	Node.js runtime and package management
python3	Python scripting
pnpm paperclipai	Paperclip CLI — issue/agent operations
kubectl	Kubernetes CLI — read-only cluster-wide, read-write in privilegedescalation and privilegedescalation-dev

Repos

Repo	Owner	Purpose
privilegedescalation/agents	Board	Agent profiles and configuration (this repo)
privilegedescalation/headlamp-*	Gandalf	Headlamp plugin repos

MCP Servers

Server	Endpoint	Available To	Purpose
minimax-search	Local (uvx)	VP Product, CMO	Web search and image understanding
playwright-privilegedescalation	http://playwright-privilegedescalation.paperclip.svc.cluster.local:3000/sse	Regression Regina (QA)	Playwright browser automation for E2E testing

MCP server configs live in each agent's .mcp.json (claude_local) or opencode.json (opencode_local).

GitHub Actions Runners

Self-hosted ARC runners are available at the org level. Use runs-on: runners-privilegedescalation in workflows.

Runners scale to zero when idle — if no runner pods are visible, they will start automatically when a workflow is triggered.