Chapter 8: Paperclip production rollout

Updated: 2026-06-08 ยท POC completion summary and next-session handoff for production Paperclip adoption.

Decision: the Paperclip proof of concept is complete enough to move from evaluation into a staged production rollout. Paperclip should become the primary local control plane for PM and Dev orchestration; Codex remains the coding executor; GitHub remains the durable source of truth; Telegram/OpenClaw becomes the intake and notification layer, not an unrestricted command runner.

What changed since Chapter 7

Chapter 7 recommended proving the execution layer before using Paperclip. That work has now happened. The supervised runner and watchdog passed self-test, failure-injection, status, and alert-suppression checks. Paperclip was then installed locally under guardrails, launched Codex successfully, completed PM-only and docs-only pilots, and produced a useful first real-work analysis on the SafetyGraphics modernization queue.

The recommendation therefore changes from "delay Paperclip until the runner is proven" to "roll Paperclip forward as the production control plane, while preserving the runner contracts, GitHub audit trail, and Telegram safety boundaries that made the POC reliable."

Proof completed

AreaResultEvidence
Supervised runnerPassed.P009 delivered runner ledger scaffold, watchdog failure tests, PM audit/docs PR flow, and allowlisted Telegram/OpenClaw runner actions. Main self-test, status, and check commands passed from Telegram.
Paperclip source/security gatePassed with guardrails.P008 #33 concluded conditional go: no install until local disposable/loopback-only constraints were accepted, telemetry disabled, no credentials, no OpenClaw auth, and no auto-pairing.
Local Paperclip installPassed after unsandboxed retry.Initial embedded PostgreSQL bootstrap failed in the sandbox on shmget. Direct local install worked under guardrails on 127.0.0.1:3100.
PM-only pilotPassed.Paperclip task P008 #34 used a local Codex agent to audit loopback-only operation, absence of real credentials/OpenClaw auth, PM-only workflow suitability, and requirements before broader rollout.
Productionized local baselinePassed.Paperclip root is /Users/obot/.openclaw/paperclip; source commit 76c88e585513dd19bce916ad555a8fee42ff7ded; service local.obot.paperclip; health endpoint returns OK on http://127.0.0.1:3100/api/health; telemetry remains disabled.
Codex runtime baselinePassed.Paperclip-launched Codex used --sandbox workspace-write, scoped network proxy access to 127.0.0.1/localhost, and successfully reached the Paperclip loopback API from inside a run.
Docs-only Dev pilotPassed.CodexDocsDev created and merged docs-only PRs, then hardened its contract so successful runs post evidence and PATCH the Paperclip task to done without operator repair.
No-edit compliancePassed.A no-edit Paperclip/Codex task completed with no repository changes and a clean worktree.
Real-work pilotPartially passed.CodexSafetyDev produced useful P004 SafetyGraphics issue analysis after correction, but the first artifact landed as a PR when it should have been an issue comment. The PR was closed unmerged and the note was moved to the issue.

Current operating model

ComponentProduction roleBoundary
PaperclipLocal control plane for tasks, agents, state, run visibility, and eventually scheduling.Keep loopback-only initially. Do not expose publicly. Remote access, if needed, should be reviewed separately.
CodexPrimary PM/Dev executor launched by Paperclip.Use dedicated workdirs, explicit agent instructions, scoped network proxy, and repo-level task authority.
GitHubDurable source of truth for issues, PRs, comments, review gates, and public evidence.Merges remain human-gated. Analysis notes default to issue comments unless a repo artifact is explicitly requested.
Telegram/OpenClawHuman front door and notification channel.Map messages to allowlisted actions. Do not forward arbitrary chat text into command execution.
Supervised runner contractsFallback and safety pattern for liveness, status, and alerts.Keep the run-record/status/watchdog discipline even as Paperclip becomes the control plane.

Target Paperclip org structure

Recommendation: start with a four-agent company: one COO orchestrator plus three focused direct reports. The Testing agent should be separate from Development from day one, even if its initial contract is basic, because it creates an independent acceptance gate before work is presented as ready.
AgentReports toPrimary responsibilityInitial authority
COOHuman board / JeremyOverall project movement. Receives Telegram/operator prompts, chooses the next workflow, coordinates PM/Dev/Test, monitors blocked work, and reports concise status back to the operator.May create/assign Paperclip tasks, request scheduled runs, ask agents for clarification, and summarize results. Does not merge PRs or broaden scope without approval.
PMCOOMaintains the queue. Reviews GitHub issues for clarity, compliance with the operating framework, acceptance criteria, sequencing, labels/status, and Paperclip/GitHub sync correctness.May update Paperclip tasks and GitHub issue comments/metadata under the Obot account. Should default to issue comments for analysis and ask COO for scope decisions.
DevelopmentCOOImplements approved work. Reads the GitHub/Paperclip task, asks the PM or COO for clarification when requirements are incomplete, writes code/docs, runs checks, and opens PRs.May create branches and PRs in approved Obot repositories. Does not merge. Does not invent new requirements when issue acceptance criteria are unclear.
TestingCOOIndependently verifies Development output against the issue requirements and the project documentation framework. Produces acceptance notes, missing-test findings, or requested changes.May inspect PRs, run available tests/checks, comment findings, and mark Paperclip verification tasks done/blocked. Does not modify implementation unless explicitly assigned a fix task.

This structure keeps the first production company small but real: the COO owns momentum, the PM owns issue quality and queue hygiene, Development owns implementation, and Testing owns acceptance evidence. Additional skills, tools, or specialist agents can be added later only when a repeated bottleneck is visible.

Daily operating loop

  1. The COO runs once per day on schedule and may also be prompted manually through Telegram/OpenClaw.
  2. The COO asks the PM to review the next candidate in the GitHub/Paperclip queue.
  3. The PM confirms the issue is ready, updates GitHub/Paperclip metadata or comments, and either recommends Dev start or returns a clarification/blocker to the COO.
  4. If the task is ready, the COO assigns Development a scoped Paperclip task linked to the GitHub issue.
  5. Development implements the issue, opens a PR, posts evidence, and requests Testing review.
  6. Testing verifies the PR against the issue requirements and posts an acceptance note or requested changes.
  7. The COO summarizes the outcome to Telegram after durable GitHub/Paperclip artifacts exist.

The first scheduled version should run PM-only/no-edit. After that passes reliably, allow the COO to start Dev tasks for explicitly ready issues. Merge remains human-gated.

Lessons from the POC

Rollout phases

Phase 0 โ€” Freeze and back up the POC baseline

Phase 1 โ€” Version the local operating contracts

Phase 2 โ€” Add GitHub integration carefully

Phase 3 โ€” Add Telegram/OpenClaw control

Phase 4 โ€” Turn on scheduled autonomy

Phase 5 โ€” Apply to representative project work

Production go/no-go gates

GatePass condition
Health and restartPaperclip starts cleanly, health endpoint is OK, and restart steps are documented.
Backup and recoveryConfiguration and task data can be backed up and restored or recreated without guesswork.
Loopback/security posturePaperclip remains loopback-only unless a separate remote-access design is approved.
Task dispositionAgents post evidence and mark tasks done/blocked/failed without operator repair.
No-edit complianceNo-edit verification tasks leave target repos clean.
Artifact placementAnalysis notes go to issue comments; PRs contain only intentional repo changes.
Org handoffCOO, PM, Development, and Testing roles exist with explicit handoff contracts and no direct Telegram-to-Dev bypass.
GitHub permissionsAny token/App is limited, documented, auditable, and merge-incapable.
Telegram safetyTelegram triggers only allowlisted Paperclip actions and never forwards arbitrary text as executable command input.

Known risks

Do not do

Next-session handoff

Starting point: assume the POC is complete and Paperclip is the selected production control plane. The next session should implement the rollout, not re-evaluate frameworks.
  1. Create a production Paperclip rollout issue/task that references this chapter as the operating plan.
  2. Back up the current Paperclip install, data, service configuration, and agent instructions.
  3. Move or copy agent instructions and task templates into a controlled local configuration location.
  4. Create the initial org: COO orchestrator with PM, Development, and Testing direct reports.
  5. Evaluate and configure GitHub Issues sync for selected Obot repositories using the sequestered Obot GitHub identity.
  6. Implement allowlisted Telegram/OpenClaw commands that address the COO for Paperclip health, status, queue review, approved task start, failure check, and latest-artifact summary.
  7. Add the first scheduled COO โ†’ PM queue review as read-only/no-edit.
  8. Run one scheduled representative P004/P005 analysis task and require the artifact to land as a GitHub issue comment unless a PR is explicitly requested.
  9. After the PM-only schedule passes, run one full COO โ†’ PM โ†’ Development โ†’ Testing pilot against a small ready issue, with merge held for human approval.

Decisions Jeremy still owns