hanh.tonguyen/paperclip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1a5eaba622d9d7f83dd26fbfac6b7fa45ae0a74b
paperclip/doc/plans/2026-02-19-ceo-agent-creation-and-hiring.md
Dotta 9c7d9ded1e docs: organize plans into doc/plans with date prefixes 
Move plans from doc/plan/ into doc/plans/ and add YYYY-MM-DD date
prefixes to all undated plan files based on document headers or
earliest git commit dates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 09:11:56 -05:00

390 lines
11 KiB
Markdown
Raw Blame History

# CEO Agent Creation and Hiring Governance Plan (V1.1)
Status: Proposed
Date: 2026-02-19
Owner: Product + Server + UI + Skills
## 1. Goal
Enable a CEO agent to create new agents directly, with lightweight but explicit governance:
- Company-level toggle: new hires require board approval (default ON).
- Agent-level permission: `can_create_agents` (default ON for CEO, OFF for everyone else).
- Clear hire workflow with draft/limbo state until approval.
- Config reflection so hiring agents can inspect available adapter configuration and compare existing agent configs (including self).
- Approval collaboration flow with comments, revision requests, and audit trail.
## 2. Current State (Repo Reality)
- Agent creation is board-only at `POST /api/companies/:companyId/agents` (`server/src/routes/agents.ts`).
- Approvals support `pending/approved/rejected/cancelled` and `hire_agent` + `approve_ceo_strategy` (`packages/shared/src/constants.ts`, `server/src/services/approvals.ts`).
- `hire_agent` approval currently creates the agent only on approval; there is no pre-created limbo agent.
- There is no agent permissions system today.
- There is no company setting for "new hires require board approval".
- Approvals have no comment thread or revision-request state.
- Inbox and Approvals UIs support approve/reject only; no approval detail route exists in app routes.
- Agent adapter configuration is free-form JSON; no runtime reflection endpoint exists for machine-readable or text discovery.
## 3. Product Decisions
## 3.1 Company setting
Add company setting:
- `requireBoardApprovalForNewAgents: boolean`
- Default: `true`
- Editable only in company advanced settings (not onboarding/company creation flow UI)
## 3.2 Agent permissions
Introduce lightweight permission model with one explicit permission now:
- `can_create_agents: boolean`
Defaults:
- CEO: `true`
- Everyone else: `false`
Authority:
- Board can edit permissions for any agent.
- CEO can edit permissions for agents in same company.
No broader RBAC system in this phase.
## 3.3 Limbo state for hires
Introduce dedicated non-operational status:
- `pending_approval`
Meaning:
- Agent record exists in org tree and can be reviewed.
- Agent cannot run, receive assignments, create keys, or be resumed to active states until approved.
## 4. Data Model Changes
## 4.1 `companies`
Add column:
- `require_board_approval_for_new_agents` boolean not null default `true`
Sync required:
- `packages/db/src/schema/companies.ts`
- `packages/shared/src/types/company.ts`
- `packages/shared/src/validators/company.ts`
- UI company API type usage and company advanced settings form
## 4.2 `agents`
Add columns:
- `permissions` jsonb not null default `{}`
- status value expansion to include `pending_approval`
Sync required:
- `packages/db/src/schema/agents.ts`
- `packages/shared/src/constants.ts` (`AGENT_STATUSES`)
- `packages/shared/src/types/agent.ts`
- `packages/shared/src/validators/agent.ts`
- status badges, filters, and lifecycle controls in UI
## 4.3 `approvals`
Keep approval as central governance record; extend workflow support:
- add status `revision_requested`
- ensure payload for hire approvals contains:
- `agentId`
- `requestedByAgentId`
- `requestedConfigurationSnapshot`
## 4.4 New `approval_comments` table
Add discussion thread for approvals:
- `id`, `company_id`, `approval_id`, `author_agent_id`, `author_user_id`, `body`, timestamps
Purpose:
- review comments
- revision requests
- rationale for approve/reject
- permanent audit trail
## 5. API and AuthZ Plan
## 5.1 Permission helpers
Add server-side authz helpers:
- `assertCanCreateAgents(req, companyId)`
- `assertCanManageAgentPermissions(req, companyId)`
Rules:
- Board always passes.
- Agent passes `can_create_agents` check if self permission true and same company.
- Permission management by CEO or board.
## 5.2 Hire creation flow
Add route:
- `POST /api/companies/:companyId/agent-hires`
Behavior:
- Requires `can_create_agents` (or board).
- Creates agent row first.
- If company setting requires approval:
- create agent with `status=pending_approval`
- create `approvals(type=hire_agent,status=pending,payload.agentId=...)`
- return both agent + approval
- If setting disabled:
- create agent as `idle`
- no approval record required
Board may continue using direct create route, but this route becomes canonical for CEO/agent-led hiring.
## 5.3 Approval workflow endpoints
Add/extend:
- `GET /api/approvals/:id`
- `POST /api/approvals/:id/request-revision`
- `POST /api/approvals/:id/resubmit`
- `GET /api/approvals/:id/comments`
- `POST /api/approvals/:id/comments`
Update existing approve/reject semantics:
- approve of hire transitions linked agent `pending_approval -> idle`
- reject keeps linked agent in non-active state (`pending_approval` or `terminated`/purged later)
## 5.4 Agent permission management endpoints
Add:
- `PATCH /api/agents/:id/permissions`
Supports initial key only:
- `{ "canCreateAgents": boolean }`
## 5.5 Read config endpoints (protected)
Add permission-gated config-read endpoints:
- `GET /api/companies/:companyId/agent-configurations`
- `GET /api/agents/:id/configuration`
Access:
- board
- CEO
- any agent with `can_create_agents`
Security:
- redact obvious secret values from adapter config (`env`, API keys, tokens, JWT-looking values)
- include redaction marker in response
## 5.6 Reflection endpoints for adapter configuration
Add plain-text reflection routes:
- `GET /llms/agent-configuration.txt`
- `GET /llms/agent-configuration/:adapterType.txt`
Index file includes:
- installed adapter list for this Paperclip instance
- per-adapter doc URLs
- brief "how to hire" API sequence links
Per-adapter file includes:
- required/optional config keys
- defaults
- field descriptions
- safety notes
- example payloads
Auth:
- same gate as config-read endpoints (board/CEO/`can_create_agents`).
## 6. Adapter Protocol Extension
Extend `ServerAdapterModule` contract to expose config docs:
- `agentConfigurationDoc` (string) or `getAgentConfigurationDoc()`
Implement in:
- `packages/adapters/claude-local`
- `packages/adapters/codex-local`
- `server/src/adapters/registry.ts`
This is required so reflection is generated from installed adapters, not hardcoded.
## 7. UI Plan
## 7.1 Company advanced settings
In Companies UI, add advanced settings panel/modal with:
- toggle: "Require board approval for new agent hires" (default on)
Not shown in onboarding flow.
## 7.2 Agent permissions UI
In Agent Detail (board/CEO context):
- permissions section
- toggle for "Can create new agents"
## 7.3 Hire UX
Add "Hire Agent" flow (for CEO/authorized agents):
- choose role/name/title/reportsTo
- compose initial prompt/capabilities
- inspect adapter reflection docs
- inspect existing related agent configurations
- submit hire
State messaging:
- if approval required: show "Pending board approval"
- if not required: show active-ready state
## 7.4 Approvals UX
Add approval detail page and expand inbox integration:
- `/approvals/:approvalId`
- threaded comments
- revision request action
- approve/reject with decision note
- activity timeline (created, revisions, decisions)
## 7.5 Disapproved agent cleanup
Provide board-only destructive action in approval detail:
- "Delete disapproved agent"
- explicit confirmation dialog
- preserves approval + comment history (audit)
## 8. New Skill: `paperclip-create-agent`
Create new skill directory:
- `skills/paperclip-create-agent/SKILL.md`
- `skills/paperclip-create-agent/references/api-reference.md`
Skill responsibilities:
- Discover available adapter configuration via `/llms/agent-configuration*.txt`
- Read existing agent configurations (including self and related roles)
- Propose best-fit config for current environment
- Draft high-quality initial prompt for new agent
- Set manager/reporting line
- Execute hire API flow
- Handle revision loop with board comments
Also update `skills/paperclip/SKILL.md` to reference this skill for hiring workflows.
## 9. Enforcement and Invariants
New/updated invariants:
- `pending_approval` agents cannot:
- be invoked/woken
- be assigned issues
- create or use API keys
- transition to active lifecycle states except through hire approval
- approval transitions:
- `pending -> revision_requested | approved | rejected | cancelled`
- `revision_requested -> pending | rejected | cancelled`
- every mutation writes `activity_log` records.
## 10. Implementation Phases
## Phase 1: Contracts and migration
- DB schema updates (`companies`, `agents`, approvals status expansion, `approval_comments`)
- shared constants/types/validators updates
- migration generation and typecheck
## Phase 2: Server authz + hire flow
- permission resolver and authz guards
- `agent-hires` route
- limbo status enforcement in heartbeat/issue/key flows
- approval revision/comment endpoints
## Phase 3: Reflection and config-read APIs
- adapter protocol docs support
- `/llms/agent-configuration*.txt` routes
- protected config-read endpoints with redaction
## Phase 4: UI and skilling
- company advanced setting UI
- permission controls
- approval detail + comments/revision flow in inbox/approvals
- disapproved agent delete flow
- `paperclip-create-agent` skill + docs updates
## 11. Test Plan
Server tests:
- permission gate tests for hire/config-read/permission-update endpoints
- hire creation behavior with company setting on/off
- approval transitions including revision cycle
- pending_approval enforcement across wakeup/invoke/assignment/keys
- config redaction tests
UI tests:
- advanced setting toggle persistence
- approval detail comment/revision interactions
- hire flow states (pending vs immediate)
Repo verification before merge:
- `pnpm -r typecheck`
- `pnpm test:run`
- `pnpm build`
## 12. Risks and Mitigations
- Risk: leaking secrets through agent config reads.
- Mitigation: strict redaction pass + allowlist/denylist tests.
- Risk: status explosion complexity.
- Mitigation: single added status (`pending_approval`) with explicit transition guards.
- Risk: approval flow regressions.
- Mitigation: centralize transition logic in approval service and back it with tests.
## 13. Open Decisions (Default Recommendation)
1. Should board direct-create bypass approval setting?
Recommendation: yes, board is explicit governance override.
2. Should non-authorized agents still see basic agent metadata?
Recommendation: yes (name/role/status), but configuration fields stay restricted.
3. On rejection, should limbo agent remain `pending_approval` or move to `terminated`?
Recommendation: move to `terminated` on final reject; keep optional hard delete action for cleanup.
Reference in New Issue View Git Blame Copy Permalink