Agent Identity & GitHub User Plan
Issue: CAS-69 | Status: In Progress | Date: 2026-04-03
1. GitHub Per-Agent Accounts: Free Tier Analysis
Recommendation: Each agent should have its own GitHub user account.
Public Repos
| Constraint | Impact |
|---|---|
| Collaborators | Unlimited on free org plans — no cost per agent |
| API rate limits | 5,000 req/hr per authenticated user — separate accounts = isolated limits |
| Actions minutes | 2,000 min/month pooled at org level (shared, not per-user) |
| Packages storage | 500 MB shared at org level |
| GitHub ToS | Machine/bot accounts are allowed if clearly labeled |
Verdict: No meaningful limits. Separate accounts are actually beneficial for rate-limit isolation and clear audit trails.
Private Repos
| Constraint | Impact |
|---|---|
| Collaborators (Free org) | Unlimited — GitHub removed the 3-collaborator limit on free private repos in Jan 2024 |
| Collaborators (Teams plan, $4/user/month) | Each agent account = an additional paid seat |
| Collaborators (Enterprise, $21/user/month) | Each agent account = an additional paid seat |
| Visibility | Each agent must be explicitly invited to private repos or added as an org member |
| Actions minutes (private repos) | Consume from the same org pool; macOS runners cost 10x, Windows 2x |
| Secrets & environments | Each agent can be scoped to specific environments and secrets via org/repo settings |
| Fine-grained PATs | Recommended — scope each agent’s token to only the repos they need |
| Branch protection | Agent accounts interact with branch protection rules like any user — can be required reviewers, can be excluded from force-push, etc. |
Verdict for private repos: On GitHub Free org plans, there is no per-seat cost — agent accounts are free for both public and private repos. On Teams/Enterprise plans, each agent account adds a paid seat ($4 to $21 per user per month, depending on plan). If seat cost is a concern on paid plans, an alternative is a single shared bot account with one fine-grained PAT per agent, at the cost of individual audit trails.
Decision: Individual Accounts (Confirmed)
CascadeGuard is on GitHub Free — no seat cost for either public or private repos. Plan of record:
- Create individual GitHub accounts per agent — zero cost, full rate-limit isolation, clear audit trails.
- Use fine-grained personal access tokens (not classic PATs) scoped to the specific repos each agent needs. This limits blast radius if a token leaks.
- Add each agent as an org collaborator (or invite to specific private repos) so they have push access.
- Note: The workspace-root repo lives under craigedmunds (personal), not the cascadeguard org. Agent accounts will need explicit collaborator invites for private repos under the personal namespace.
Private Repo Considerations
- Token scope: Fine-grained PATs must list specific repos. For private repos, the agent’s PAT needs explicit repo access.
- Org membership vs outside collaborator: Adding agents as org members gives blanket repo access; adding as outside collaborators on specific repos is more restrictive (recommended).
- Secret management: Agent PATs stored as Kubernetes secrets, injected via adapter config. Never committed to repos.
- Audit trail: Each agent’s commits, PRs, and reviews appear under their own GitHub identity, making cross-repo audit straightforward for both public and private repos.
2. Agent Identity Structure
Each agent gets an identity file at /workspace/agents/cascadeguard/<agent-urlKey>.yaml:
```yaml
name: "<full name>"
pronouns: "<pronouns>"
role: "<official role>"
title: "<title>"
github_username: "<github-username>"
paperclip_key: "<paperclip agent urlKey>"
personality:
  summary: "<one-paragraph description>"
  traits: ["detail-oriented", "pragmatic", ...]
  interests: ["distributed systems", "rock climbing", ...]
communication_style:
  tone: "<description>"
  commit_messages: "<how they write commit messages>"
  pr_reviews: "<how they approach code reviews>"
  ticket_comments: "<how they write issue comments>"
  emoji_usage: "<frequency>"
avatar:
  description: "<visual description for avatar generation>"
```
3. Current Agent Identities
| Agent | Name | GitHub Username | Personality Vibe |
|---|---|---|---|
| CEO | Marcus Chen | cascadeguard-marcus | Visionary, decisive, warm strategist |
| CTO | Sable Okafor | cascadeguard-sable | Systems thinker, pragmatic perfectionist |
| Full-Stack Engineer | Tomás Rivera | cascadeguard-tomas | Creative, user-empathy driven, fast iterator |
| Lead Platform Engineer | Kai Nakamura | cascadeguard-kai | Methodical, reliability-obsessed, docs-first |
| Product Owner | Sana Okafor | cascadeguard-sana | Organized, user-advocate, diplomatically persistent |
| DevSecOps Engineer | Jordan Asante | cascadeguard-jordan | Vigilant, analytical, teach-by-showing |
Full identity files at agents/cascadeguard/<role>.yaml.
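An added example, not part of the original plan or CascadeGuard's code: a lint for the identity files from section 2 that also enforces the section 1 rule that agent PATs are never committed. It assumes `personality`, `communication_style` and `avatar` are top-level keys, that the `cascadeguard-` username prefix seen in the table is a convention, and that the file is already parsed into a mapping; `lint_identity` and its finding labels are hypothetical names.

```python
import re

# Keys from the identity schema in section 2; top-level nesting is assumed.
REQUIRED = {
    "name": (), "pronouns": (), "role": (), "title": (),
    "github_username": (), "paperclip_key": (),
    "personality": ("summary", "traits", "interests"),
    "communication_style": ("tone", "commit_messages", "pr_reviews",
                            "ticket_comments", "emoji_usage"),
    "avatar": ("description",),
}
# GitHub usernames: alphanumerics separated by single hyphens, 39 chars max.
USERNAME_RE = re.compile(r"^(?=.{1,39}$)[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*$")
# Prefixes of GitHub-issued tokens: ghp_/gho_/ghu_/ghs_/ghr_ and github_pat_.
TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})")


def lint_identity(doc, raw_text, seen, prefix="cascadeguard-"):
    """Lint one identity file. `doc` is the parsed mapping (for example from
    yaml.safe_load), `raw_text` the file as committed, `seen` a shared set."""
    findings = []
    for key, subkeys in REQUIRED.items():
        value = doc.get(key)
        if not value:
            findings.append(f"missing:{key}")
            continue
        for sub in subkeys:
            if not (isinstance(value, dict) and value.get(sub)):
                findings.append(f"missing:{key}.{sub}")
    user = str(doc.get("github_username") or "")
    if user:
        if not USERNAME_RE.match(user):
            findings.append("username:invalid")
        if not user.startswith(prefix):  # convention inferred from section 3
            findings.append("username:prefix")
        if user.lower() in seen:  # two agents must not share an account
            findings.append("username:duplicate")
        seen.add(user.lower())
    if TOKEN_RE.search(raw_text):  # PATs belong in Kubernetes secrets
        findings.append("secret:github-token")
    return findings


# Constructed sample (placeholder values) shaped like a parsed identity file.
SAMPLE = dict.fromkeys(["name", "pronouns", "role", "title", "paperclip_key"], "x")
SAMPLE.update(github_username="cascadeguard-jordan", avatar={"description": "x"},
              personality=dict(summary="x", traits=["x"], interests=["x"]),
              communication_style=dict.fromkeys(REQUIRED["communication_style"], "x"))
```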
4. Identity Creation Skill for Hiring
Create a Paperclip skill agent-identity-creator that:
- Triggers during agent hiring flow
- Generates a personality profile based on the agent’s role, capabilities, and team dynamics
- Writes the identity.yaml to the correct path
- Outputs GitHub machine user setup instructions
5. Implementation Steps
- Create identity directory structure
- Design and write identity profiles for all 6 current agents
- Write plan covering both public and private repo implications
- Create an AGENTS-IDENTITY.md guide documenting the identity schema
- Create the agent-identity-creator Paperclip skill
- Document GitHub machine user setup process (account creation, PAT scoping, org invitation)
- Update agent instructions to reference identity files for communication style
- Create actual GitHub accounts and configure PATs
6. Open Questions
- Should we create actual GitHub accounts now, or just define identities and create accounts when needed?
- How distinct should personalities be? (Subtle professional differences vs. very distinct characters?)
- Do we want a shared email pattern (e.g., agent-cto@cascadeguard.com) or use GitHub’s noreply addresses?