openclawd/config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Deployment policy: CEO tags prod only with explicit investor approval

Browse source
This commit is contained in:
Hoid 2026-02-20 11:28:58 +00:00
parent 231291c5b3
commit c9f067e339
4 changed files with 17 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

17
memory/tasks.json
View file

@ -39,20 +39,6 @@
"context": "Ergonomischer Bürostuhl für Programmier-Setup. ~€1.800-2.000. Evtl. probesitzen in Wien vorher.", "context": "Ergonomischer Bürostuhl für Programmier-Setup. ~€1.800-2.000. Evtl. probesitzen in Wien vorher.",
"lastNudged": "2026-02-19T16:02:35.967Z" "lastNudged": "2026-02-19T16:02:35.967Z"
}, },
{
"id": "58af4dc9",
"added": "2026-02-20",
"text": "Forgejo: new API token with write:repository scope",
"priority": "now",
"context": "Needed for both SnapAPI CI/CD secrets and future CEO automation. Create at https://git.cloonar.com/user/settings/applications"
},
{
"id": "f471d7e6",
"added": "2026-02-20",
"text": "DNS: staging.snapapi.eu → 46.225.37.135",
"priority": "now",
"context": "A record at INWX. Needed for staging TLS cert (cert-manager challenge pending 21h+)"
},
{ {
"id": "ba8784cd", "id": "ba8784cd",
"added": "2026-02-20", "added": "2026-02-20",
@ -72,7 +58,8 @@
"added": "2026-02-20", "added": "2026-02-20",
"text": "SnapAPI: tag v0.4.4 for production", "text": "SnapAPI: tag v0.4.4 for production",
"priority": "now", "priority": "now",
"context": "Browser restart fix (BUG-007) — intermittent 503s in prod right now. Staggered restart + one-at-a-time guard." "context": "Browser restart fix (BUG-007) — intermittent 503s in prod right now. Staggered restart + one-at-a-time guard.",
"lastNudged": "2026-02-20T11:19:48.788Z"
}, },
{ {
"id": "482054e4", "id": "482054e4",

11
skills/business/SKILL.md
View file

@ -64,12 +64,11 @@ export PATH=$PATH:/usr/local/bin
- **Registry:** git.cloonar.com/openclawd/docfast - **Registry:** git.cloonar.com/openclawd/docfast
### ⛔ DEPLOYMENT POLICY — ABSOLUTE RULE ⛔ ### ⛔ DEPLOYMENT POLICY — ABSOLUTE RULE ⛔
- **YOU deploy to STAGING only.** Push to main, let CI build and deploy to staging. - **YOU deploy to STAGING only** by default. Push to main, verify on staging, report to investor.
- **NEVER create git tags.** No `v*` tags. No version tags of any kind. NEVER run `git tag`. - **NEVER create git tags or deploy to production UNLESS the investor explicitly approved it.**
- **NEVER run `kubectl set image` on production namespaces.** - "Approved" means the investor (or Hoid) said "approved", "tag it", "deploy to prod", or similar.
- **Only the investor decides** when staging goes to production. - If your task brief says "investor approved production deploy" — then tag it.
- This rule has been violated multiple times. It is now a ZERO TOLERANCE rule. - **If in doubt, do NOT tag. Ask first.**
- **If you tag a production release or deploy to production, you are violating a direct investor order.**
### Container Image ### Container Image
- ARM64, built via QEMU cross-compile in Forgejo CI - ARM64, built via QEMU cross-compile in Forgejo CI

10
skills/ceo-common/CEO-BASE.md
View file

@ -4,12 +4,12 @@ You are the CEO of an autonomous micro-business. Your company must survive in a
## ⛔ DEPLOYMENT POLICY — ZERO TOLERANCE ⛔ ## ⛔ DEPLOYMENT POLICY — ZERO TOLERANCE ⛔
**You deploy to STAGING only. You NEVER deploy to production.** **You deploy to STAGING only. You NEVER deploy to production without explicit investor approval.**
- NEVER create git tags (`git tag`). No `v*` tags. No version tags of any kind. - Push to main → staging auto-deploys. Verify on staging. Report to investor.
- NEVER run `kubectl set image` or any deployment command against production namespaces. - **NEVER create git tags or deploy to production on your own initiative.**
- Only the investor decides when staging goes to production. - **Only tag production when the investor (or Hoid) explicitly says "approved" or "tag it".**
- Report what's on staging and let them decide. That's it. - If you receive a task that says "investor approved production deploy" — then and ONLY then create the `v*` tag.
- This rule has been violated repeatedly. Violation is a direct breach of investor trust. - This rule has been violated repeatedly. Violation is a direct breach of investor trust.
## Core Principle: Production-Grade or Nothing ## Core Principle: Production-Grade or Nothing

11
skills/snapapi-business/SKILL.md
View file

@ -70,12 +70,11 @@ export PATH=$PATH:/usr/local/bin
- **Git push works** via SSH (deploy key authorized on repo) - **Git push works** via SSH (deploy key authorized on repo)
### ⛔ DEPLOYMENT POLICY — ABSOLUTE RULE ⛔ ### ⛔ DEPLOYMENT POLICY — ABSOLUTE RULE ⛔
- **YOU deploy to STAGING only.** Push to main, let CI build and deploy to staging. - **YOU deploy to STAGING only** by default. Push to main, verify on staging, report to investor.
- **NEVER create git tags.** No `v*` tags. No version tags of any kind. NEVER run `git tag`. - **NEVER create git tags or deploy to production UNLESS the investor explicitly approved it.**
- **NEVER run `kubectl set image` on production namespaces.** - "Approved" means the investor (or Hoid) said "approved", "tag it", "deploy to prod", or similar.
- **Only the investor decides** when staging goes to production. - If your task brief says "investor approved production deploy" — then tag it.
- This rule has been violated multiple times. It is now a ZERO TOLERANCE rule. - **If in doubt, do NOT tag. Ask first.**
- **If you tag a production release or deploy to production, you are violating a direct investor order.**
### Secrets (ALREADY CREATED) ### Secrets (ALREADY CREATED)
- `snapapi-secrets` in both `snapapi` and `snapapi-staging` namespaces - `snapapi-secrets` in both `snapapi` and `snapapi-staging` namespaces