privilegedescalation/org
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
52446ea77cd8fb4c956f71ffa4e40766136fab37
org/TOOLS.md
T
Chris Farhood 2fd9f0691d Add dev namespace access and kubectl to POLICIES.md and TOOLS.md 
Each org now has a -dev namespace where agents can freely use kubectl
for testing and iteration. Production namespaces remain Flux-only.

Access model:
- Cluster-wide: read-only
- Production namespace: read-write (Flux-managed, no manual kubectl)
- Dev namespace: read-write (agents may use kubectl freely)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-21 11:05:32 -04:00

51 lines
2.0 KiB
Markdown
Raw Blame History

# Privileged Escalation — Shared Tools
## GitHub Authentication
export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh)
Run this at the start of every heartbeat. Sets `GH_TOKEN` for `gh` and `git`.
## Paperclip API
Auto-injected env vars:
- `PAPERCLIP_API_URL` — base URL (fall back to `http://localhost:3100`)
- `PAPERCLIP_API_KEY` — short-lived JWT for this run
- `PAPERCLIP_RUN_ID` — include on all mutating requests
## Available Tools
| Tool | Purpose |
|---|---|
| `gh` | GitHub CLI — issues, PRs, CI runs, repo management |
| `git` | Version control — branches, commits, PRs |
| `curl` | HTTP requests — Paperclip API, external services |
| `jq` | JSON parsing and formatting |
| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
| `python3` | Python scripting |
| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
| `kubectl` | Kubernetes CLI — read-only cluster-wide, read-write in `privilegedescalation` and `privilegedescalation-dev` |
## Repos
| Repo | Owner | Purpose |
|---|---|---|
| `privilegedescalation/agents` | Board | Agent profiles and configuration (this repo) |
| `privilegedescalation/headlamp-*` | Gandalf | Headlamp plugin repos |
## MCP Servers
| Server | Endpoint | Available To | Purpose |
|--------|----------|-------------|---------|
| `minimax-search` | Local (uvx) | VP Product, CMO | Web search and image understanding |
| `playwright-privilegedescalation` | `http://playwright-privilegedescalation.paperclip.svc.cluster.local:3000/sse` | Regression Regina (QA) | Playwright browser automation for E2E testing |
MCP server configs live in each agent's `.mcp.json` (claude_local) or `opencode.json` (opencode_local).
## GitHub Actions Runners
Self-hosted ARC runners are available at the org level. Use `runs-on: runners-privilegedescalation` in workflows.
Runners scale to zero when idle — if no runner pods are visible, they will start automatically when a workflow is triggered.
Reference in New Issue View Git Blame Copy Permalink