feat: Add SupraWall Secured Marketing Starter (Zero Hardcoded Secrets)

suprawall-secured-starter/.env.example

@@ -0,0 +1,3 @@
+# Your SupraWall temporary API key or production Master Key.
+# Get this by running: paperclipai plugin install suprawall-vault
+SUPRAWALL_API_KEY=sw_temp_xxx

suprawall-secured-starter/README.md

@@ -0,0 +1,66 @@
+# SupraWall Secured Marketing Company Template
+
+This is a production-ready [Paperclip](https://paperclipai.com) company template that uses the [SupraWall plugin](https://github.com/wiserautomation/suprawall-plugins-) to secure all external API keys and credentials.
+
+**Zero hardcoded credentials exist in this repository.**
+
+Instead of storing long-lived OpenAI, GitHub, or Stripe keys in a `.env` file where any agent can access them, this template delegates credential management to the SupraWall Vault engine.
+
+## How it works
+
+1. An agent starts a task.
+2. The agent asks SupraWall for permission to use a tool (e.g., "Twitter").
+3. SupraWall verifies the agent's role (e.g., `marketing`).
+4. SupraWall intercepts the HTTP request, injects the real Twitter API key at the network layer, and returns the response to the agent.
+5. The agent **never sees the raw API key**, preventing credential theft via prompt injection.
+
+## Quickstart
+
+### 1. Install the Plugin
+
+First, install the SupraWall Vault plugin:
+
+```bash
+paperclipai plugin install suprawall-vault
+```
+
+This will guide you through creating a free SupraWall dashboard account and will automatically generate your temporary API keys.
+
+### 2. Configure Environment
+
+Copy the example environment file:
+
+```bash
+cp .env.example .env
+```
+
+Add the `SUPRAWALL_API_KEY` you received during the plugin installation.
+
+### 3. Hire the Agents
+
+This template comes with four preconfigured agents. Hire them via the CLI:
+
+```bash
+paperclipai hire agents/ceo.json
+paperclipai hire agents/marketing.json
+paperclipai hire agents/engineering.json
+paperclipai hire agents/finance.json
+```
+
+## Built-in Role Policies
+
+The SupraWall engine automatically maps the following default permissions based on the agent's `role` property:
+
+| Agent Role | Granted Scopes |
+| :--- | :--- |
+| **ceo** | `read:all` |
+| **marketing** | `linkedin`, `twitter`, `google_ads` |
+| **engineering** | `github`, `supabase`, `vercel` |
+| **finance** | `stripe` |
+
+If a `marketing` agent tries to use the `stripe` tool, the SupraWall API will automatically block the request and log an audit event in your dashboard.
+
+## Learn More
+
+* [SupraWall Vault Documentation](https://docs.supra-wall.com/paperclip)
+* [Paperclip Documentation](https://github.com/paperclipai/paperclip)

suprawall-secured-starter/agents/ceo.json

@@ -0,0 +1,18 @@
+{
+  "name": "CEO Agent",
+  "role": "ceo",
+  "description": "Orchestrates company strategy and has read-only access to all dashboards.",
+  "adapter": {
+    "type": "http",
+    "url": "https://api.supra-wall.com/v1/agent/invoke",
+    "headers": {
+      "Authorization": "Bearer {{SUPRAWALL_API_KEY}}"
+    },
+    "body": {
+      "agentId": "{{agent.id}}",
+      "companyId": "{{company.id}}",
+      "role": "ceo",
+      "runId": "{{run.id}}"
+    }
+  }
+}

suprawall-secured-starter/agents/engineering.json

@@ -0,0 +1,18 @@
+{
+  "name": "Engineering Agent",
+  "role": "engineering",
+  "description": "Handles infrastructure and code deployment. Requires access to GitHub and Vercel.",
+  "adapter": {
+    "type": "http",
+    "url": "https://api.supra-wall.com/v1/agent/invoke",
+    "headers": {
+      "Authorization": "Bearer {{SUPRAWALL_API_KEY}}"
+    },
+    "body": {
+      "agentId": "{{agent.id}}",
+      "companyId": "{{company.id}}",
+      "role": "engineering",
+      "runId": "{{run.id}}"
+    }
+  }
+}

suprawall-secured-starter/agents/finance.json

@@ -0,0 +1,18 @@
+{
+  "name": "Finance Agent",
+  "role": "finance",
+  "description": "Handles billing and payments. Requires access to Stripe.",
+  "adapter": {
+    "type": "http",
+    "url": "https://api.supra-wall.com/v1/agent/invoke",
+    "headers": {
+      "Authorization": "Bearer {{SUPRAWALL_API_KEY}}"
+    },
+    "body": {
+      "agentId": "{{agent.id}}",
+      "companyId": "{{company.id}}",
+      "role": "finance",
+      "runId": "{{run.id}}"
+    }
+  }
+}

suprawall-secured-starter/agents/marketing.json

@@ -0,0 +1,18 @@
+{
+  "name": "Marketing Agent",
+  "role": "marketing",
+  "description": "Handles outbound campaigns. Requires access to social platforms and analytics.",
+  "adapter": {
+    "type": "http",
+    "url": "https://api.supra-wall.com/v1/agent/invoke",
+    "headers": {
+      "Authorization": "Bearer {{SUPRAWALL_API_KEY}}"
+    },
+    "body": {
+      "agentId": "{{agent.id}}",
+      "companyId": "{{company.id}}",
+      "role": "marketing",
+      "runId": "{{run.id}}"
+    }
+  }
+}

suprawall-secured-starter/company.json

@@ -0,0 +1,15 @@
+{
+  "name": "SupraWall Secured Marketing Company",
+  "description": "A production-grade agent company with zero hardcoded API keys. All credentials (LinkedIn, Twitter, Hubspot, Google Ads) are securely injected at runtime by the SupraWall Vault, ensuring total least-privilege security.",
+  "version": "1.0.0",
+  "author": "SupraWall Contributors",
+  "plugins": [
+    "suprawall-vault"
+  ],
+  "agents": [
+    "agents/ceo.json",
+    "agents/marketing.json",
+    "agents/finance.json",
+    "agents/engineering.json"
+  ]
+}