org/github-apps/README.md

# GitHub App Manifests — privilegedescalation

Role-based GitHub Apps for the `privilegedescalation` org. Each role has scoped permissions
to enforce the PR workflow at the GitHub level.

## Apps

| Role | App Name | App ID | Install ID | PEM | Permissions |
|------|----------|--------|------------|-----|-------------|
| CEO | `privilegedescalation-ceo` | `3140977` | `117774329` | `privilegedescalation-ceo.pem` | administration:write, contents:write, issues:write, pull_requests:write, actions:read |
| CTO | `privilegedescalation-cto` | `3141071` | `117776738` | `privilegedescalation-cto.pem` | contents:write, issues:write, pull_requests:write, actions:write, workflows:write |
| QA | `privilegedescalation-qa` | `3141386` | `117784524` | `privilegedescalation-qa.pem` | contents:read, issues:write, pull_requests:write, actions:read |
| Engineer | `privilegedescalation-engineer` | `3141264` | `117781238` | `privilegedescalation-engineer.pem` | contents:write, issues:write, pull_requests:write, actions:write, pages:write |

## Agent → App Mapping

| Agent | Role | App |
|-------|------|-----|
| Countess von Containerheim (CEO) | ceo | `privilegedescalation-ceo` |
| Null Pointer Nancy (CTO) | cto | `privilegedescalation-cto` |
| Addison Addington (CMO) | ceo | `privilegedescalation-ceo` |
| Hugh Hackman (VP devops) | engineer | `privilegedescalation-engineer` |
| Gandalf the Greybeard | engineer | `privilegedescalation-engineer` |
| Regression Regina (QA) | qa | `privilegedescalation-qa` |
| Samuel Stinkpost | engineer | `privilegedescalation-engineer` |

## PEM Location

`/paperclip/secrets/github-pems/privilegedescalation-<role>.pem`

Managed via SealedSecret in `cpfarhood/kubernetes` → `clusters/animaniacs/applications/paperclip/sealedsecret-agent-github-pems.yaml`

## Branch Protection

Rulesets should be configured on each repo:
- Require PRs before merging to main
- Require 2 approvals (from CTO + QA apps)
- Restrict who can merge to the CEO app
- Require status checks to pass