org/github-apps/README.md
Chris Farhood f3f3806f60 Add role-based GitHub App manifests
Four roles with scoped permissions enforcing PR workflow at GitHub level:
- CEO: merge authority, org admin
- CTO: PR review/approval, full engineering + workflows
- QA: PR review/approval, read-only contents, CI monitoring
- Engineer: push branches, open PRs, CI execution

Apps are org-scoped. PEM naming: <org>-<role>.pem
Branch protection rulesets to be configured after app creation.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-20 07:30:28 -04:00


# GitHub App Manifests
Role-based GitHub Apps for the `privilegedescalation` org. Each role has scoped permissions
to enforce the PR workflow at the GitHub level.
## Roles
| App | Purpose | Merge | Approve | Push |
|-----|---------|-------|---------|------|
| `privilegedescalation-ceo` | PR merging, org admin | yes | no | yes |
| `privilegedescalation-cto` | PR review/approval, engineering oversight | no | yes | yes |
| `privilegedescalation-qa` | PR review/approval, bug filing, CI monitoring | no | yes | read-only |
| `privilegedescalation-engineer` | Code push, PR creation, CI execution | no | no | yes |
## Setup
1. Go to `https://github.com/organizations/privilegedescalation/settings/apps/new`
2. Paste the JSON from the corresponding manifest file
3. Save the private key PEM
4. Add the PEM to the `agent-github-pems` sealed secret in `cpfarhood/kubernetes`
5. Install the app on the `privilegedescalation` org (all repos)
6. Update agent CONFIG.md files with the new App ID and PEM path
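Before pasting a manifest into the GitHub form (step 2), it is worth checking that the JSON does not request more than the role is supposed to hold, since the app's permissions are what GitHub actually enforces. The following is an added example, not code from this repository: the permission keys are real GitHub App permission names, but the per-role ceilings are an assumption derived from the roles table above, and the sample manifest is constructed for the demonstration.

```python
"""Least-privilege check for role-based GitHub App manifests.

Added example, not code from the page's repository. The permission keys
(`contents`, `pull_requests`, ...) are GitHub App permission names; the
role ceilings below are an assumption derived from the README's roles
table, and the sample manifest is constructed for this demonstration.
"""
import json

# GitHub App permission levels, lowest to highest. Anything else is
# treated as exceeding every ceiling so a typo cannot slip through.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Assumed per-role ceilings: the highest level each role may hold on each
# permission. A permission not listed for a role is capped at "none".
ROLE_CEILINGS = {
    "ceo": {"metadata": "read", "contents": "write", "pull_requests": "write",
            "administration": "write", "members": "write"},
    "cto": {"metadata": "read", "contents": "write", "pull_requests": "write",
            "workflows": "write", "actions": "write", "checks": "read"},
    "qa": {"metadata": "read", "contents": "read", "pull_requests": "write",
           "issues": "write", "checks": "read", "actions": "read"},
    "engineer": {"metadata": "read", "contents": "write", "pull_requests": "write",
                 "actions": "write", "checks": "read"},
}


def excess_permissions(role, manifest):
    """Return (permission, requested, ceiling) tuples for every entry in the
    manifest's `default_permissions` that exceeds the role's ceiling."""
    ceilings = ROLE_CEILINGS[role]
    found = []
    for perm, level in manifest.get("default_permissions", {}).items():
        cap = ceilings.get(perm, "none")
        if LEVELS.get(level, 99) > LEVELS[cap]:
            found.append((perm, level, cap))
    return sorted(found)


def check_manifest(role, manifest_json):
    """Parse a manifest JSON string and return human-readable violations;
    an empty list means the manifest fits the role."""
    manifest = json.loads(manifest_json)
    return [f"{role}: {perm} is {level}, ceiling is {cap}"
            for perm, level, cap in excess_permissions(role, manifest)]


# Constructed sample: a QA manifest that mistakenly asks for write on
# contents, although QA is read-only on contents per the roles table.
QA_MANIFEST = json.dumps({
    "name": "privilegedescalation-qa",
    "url": "https://example.invalid",  # placeholder, not a real URL
    "public": False,
    "default_permissions": {
        "metadata": "read",
        "contents": "write",
        "pull_requests": "write",
        "checks": "read",
    },
})

if __name__ == "__main__":
    for line in check_manifest("qa", QA_MANIFEST) or ["qa manifest OK"]:
        print(line)
```

Run it against each manifest file with the matching role name; a non-empty result means the manifest grants something the role table does not allow, and it should be trimmed before the app is created rather than after the PEM is already in circulation.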
## Branch Protection
After apps are created, set up branch protection rulesets on each repo:
- Require PRs before merging to main
- Require 2 approvals (from CTO + QA apps)
- Restrict who can merge to the CEO app
- Require status checks to pass
## PEM Naming Convention
`/paperclip/secrets/github-pems/privilegedescalation-<role>.pem`
Example: `privilegedescalation-ceo.pem`, `privilegedescalation-cto.pem`, `privilegedescalation-qa.pem`, `privilegedescalation-engineer.pem`