Agent Identity & GitHub User Plan
1. GitHub Per-Agent Accounts: Free Tier Analysis
Recommendation: Each agent should have its own GitHub user account.
Public Repos
| Constraint | Impact |
|---|---|
| Collaborators | Unlimited on free org plans — no cost per agent |
| API rate limits | 5,000 req/hr per authenticated user — separate accounts = isolated limits |
| Actions minutes | 2,000 min/month pooled at org level (shared, not per-user) |
| Packages storage | 500 MB shared at org level |
| GitHub ToS | Machine/bot accounts are allowed if clearly labeled |
Verdict: No meaningful limits. Separate accounts are actually beneficial for rate-limit isolation and clear audit trails.
Private Repos
| Constraint | Impact |
|---|---|
| Collaborators (Free org) | Unlimited — GitHub removed the 3-collaborator limit on free private repos in Jan 2024 |
| Collaborators (Teams plan, $4/user/month) | Each agent account = an additional paid seat |
| Collaborators (Enterprise, $21/user/month) | Each agent account = an additional paid seat |
| Visibility | Each agent must be explicitly invited to private repos or added as an org member |
| Actions minutes (private repos) | Consume from the same org pool; macOS runners cost 10x, Windows 2x |
| Secrets & environments | Each agent can be scoped to specific environments and secrets via org/repo settings |
| Fine-grained PATs | Recommended — scope each agent’s token to only the repos they need |
| Branch protection | Agent accounts interact with branch protection rules like any user — can be required reviewers, can be excluded from force-push, etc. |
Verdict for private repos: On GitHub Free org plans, there is no per-seat cost, so agent accounts are free for both public and private repos. On Teams/Enterprise plans, each agent account adds a seat ($4/user/month on Teams, $21/user/month on Enterprise). If seat cost is a concern on paid plans, an alternative is a single shared bot account with fine-grained PATs per agent, which sacrifices individual audit trails.
Decision: Individual Accounts (Confirmed)
CascadeGuard is on GitHub Free — no seat cost for either public or private repos. Plan of record:
- Create individual GitHub accounts per agent — zero cost, full rate-limit isolation, clear audit trails.
- Use fine-grained personal access tokens (not classic PATs) scoped to the specific repos each agent needs. This limits blast radius if a token leaks.
- Add each agent as an org collaborator (or invite to specific private repos) so they have push access.
- Note: The workspace-root repo lives under craigedmunds (personal), not the cascadeguard org. Agent accounts will need explicit collaborator invites for private repos under the personal namespace.
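A preflight check for the plan of record above, as an added example that is not part of the original plan or of any CascadeGuard tooling: it flags classic PATs, tokens or accounts shared between agents, and tokens that reach repos the agent does not need. The inventory layout, the repo names and the token strings are hypothetical; the only GitHub facts relied on are the token prefixes (`github_pat_` for fine-grained PATs, `ghp_` for classic PATs).

```python
import hashlib

# Constructed inventory for illustration; token strings are fake placeholders and
# repo names are hypothetical. "needed" = repos the role requires,
# "granted" = repos the agent's token can actually reach.
AGENTS = {
    "cto": {"username": "priya-cascadeguard",
            "token": "github_pat_EXAMPLE_priya",
            "needed": {"cascadeguard/api"},
            "granted": {"cascadeguard/api"}},
    "devsecops": {"username": "jordan-cascadeguard",
                  "token": "ghp_EXAMPLE_classic",
                  "needed": {"cascadeguard/infra"},
                  "granted": {"cascadeguard/infra"}},
    "platform": {"username": "kai-cascadeguard",
                 "token": "github_pat_EXAMPLE_priya",
                 "needed": {"cascadeguard/infra"},
                 "granted": {"cascadeguard/infra", "craigedmunds/workspace-root"}},
}

def fingerprint(token):
    """Short SHA-256 fingerprint so comparisons never echo the secret itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def audit(agents):
    """Return (agent_key, finding) tuples for every deviation from the plan."""
    findings, token_owner, account_owner = [], {}, {}
    for key in sorted(agents):
        a = agents[key]
        # Token type: fine-grained PATs only, per the plan of record.
        if a["token"].startswith("ghp_"):
            findings.append((key, "classic-pat"))
        elif not a["token"].startswith("github_pat_"):
            findings.append((key, "unknown-token-type"))
        # A shared token or account removes the per-agent audit trail.
        fp = fingerprint(a["token"])
        if fp in token_owner:
            findings.append((key, "token-shared-with:" + token_owner[fp]))
        token_owner.setdefault(fp, key)
        if a["username"] in account_owner:
            findings.append((key, "account-shared-with:" + account_owner[a["username"]]))
        account_owner.setdefault(a["username"], key)
        # Every repo beyond what the role needs widens the blast radius of a leak.
        for repo in sorted(a["granted"] - a["needed"]):
            findings.append((key, "over-scoped:" + repo))
    return findings

if __name__ == "__main__":
    for agent, finding in audit(AGENTS):
        print(f"{agent}: {finding}")
```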
2. Agent Identity Structure
Each agent gets an identity file at /workspace/.ai/agents/cascadeguard/<agent-urlKey>/identity.yaml:
```yaml
name: "<full name>"
nickname: "<casual name>"
role: "<official role>"
agent_url_key: "<paperclip agent urlKey>"
personality:
  traits: ["detail-oriented", "pragmatic", ...]
  communication_style: "<description>"
  interests: ["distributed systems", "rock climbing", ...]
  quirks: ["always references RFC numbers", ...]
github:
  username: "<github-username>"
  display_name: "<GitHub display name>"
  commit_style: "<how they write commit messages>"
  pr_style: "<how they write PR descriptions>"
  review_style: "<how they approach code reviews>"
```
3. Current Agent Identities
| Agent | Name | Nickname | GitHub Username | Personality Vibe |
|---|---|---|---|---|
| CEO | Marcus Chen | Marc | marcus-cascadeguard | Visionary, decisive, warm strategist |
| CTO | Priya Raghavan | Priya | priya-cascadeguard | Systems thinker, pragmatic perfectionist |
| Full-Stack Engineer | Tomás Rivera | Tom | tomas-cascadeguard | Creative, user-empathy driven, fast iterator |
| Lead Platform Engineer | Kai Nakamura | Kai | kai-cascadeguard | Methodical, reliability-obsessed, docs-first |
| Product Owner | Sana Okafor | Sana | sana-cascadeguard | Organized, user-advocate, diplomatically persistent |
| DevSecOps Engineer | Jordan Asante | J | jordan-cascadeguard | Vigilant, analytical, teach-by-showing |
Full identity files are in .ai/agents/cascadeguard/<agent-urlKey>/identity.yaml.
4. Identity Creation Skill for Hiring
Create a Paperclip skill agent-identity-creator that:
- Triggers during agent hiring flow
- Generates a personality profile based on the agent’s role, capabilities, and team dynamics
- Writes the identity.yaml to the correct path
- Optionally outputs GitHub machine user setup instructions
5. Implementation Steps
- Step 1: Create /workspace/.ai/agents/cascadeguard/ directory structure
- Step 2: Design and write identity profiles for all 6 current agents
- Step 3: Write this plan covering both public and private repo implications
- Step 4: Create an AGENTS-IDENTITY.md guide documenting the identity schema
- Step 5: Create the agent-identity-creator Paperclip skill
- Step 6: Document GitHub machine user setup process (account creation, PAT scoping, org invitation)
- Step 7: Update agent instructions to reference identity files for communication style
6. Resolved & Remaining Questions
Resolved
- Plan type: GitHub Free — no seat costs. ✅
- Repo ownership: workspace-root is under craigedmunds personal account, CascadeGuard repos under cascadeguard org.
Still Open
- Should we create actual GitHub accounts now, or just define identities and create accounts when needed?
- How distinct should personalities be? (Subtle professional differences vs. very distinct characters?)
- Do we want a shared email pattern (e.g., agent-cto@cascadeguard.com) or use GitHub’s noreply addresses?