agent/.codex/rules/core-agent.rules

# Core Agent — Codex Rules
# Controls which commands can run outside the sandbox

# Go toolchain — always safe
prefix_rule(
    pattern = ["go", ["build", "test", "vet", "fmt", "mod", "get", "work"]],
    decision = "allow",
    justification = "Go development tools are safe read/build operations",
    match = [["go", "build", "./..."], ["go", "test", "./pkg/agentic"]],
    not_match = [["go", "run", "main.go"]],
)

# Core agent binary
prefix_rule(
    pattern = ["core-agent", ["mcp", "--version"]],
    decision = "allow",
    justification = "Core agent MCP server and version check",
)

# Git read operations
prefix_rule(
    pattern = ["git", ["status", "log", "diff", "branch", "tag", "remote", "fetch", "rev-parse", "ls-remote"]],
    decision = "allow",
    justification = "Read-only git operations are safe",
)

# Git write — prompt for approval
prefix_rule(
    pattern = ["git", ["add", "commit", "merge", "rebase", "stash"]],
    decision = "prompt",
    justification = "Git write operations need human approval",
)

# Git push — forbidden (use PR workflow)
prefix_rule(
    pattern = ["git", "push"],
    decision = "forbidden",
    justification = "Never push directly — use PR workflow via agentic_create_pr",
)

# Git destructive — forbidden
prefix_rule(
    pattern = ["git", ["reset", "clean"], "--force"],
    decision = "forbidden",
    justification = "Destructive git operations are never allowed",
)

# Curl — prompt (network access)
prefix_rule(
    pattern = ["curl"],
    decision = "prompt",
    justification = "Network requests need approval",
)

# SSH — forbidden
prefix_rule(
    pattern = ["ssh"],
    decision = "forbidden",
    justification = "Direct SSH is forbidden — use Ansible via deployment skills",
)

# rm -rf — forbidden
prefix_rule(
    pattern = ["rm", "-rf"],
    decision = "forbidden",
    justification = "Recursive force delete is never allowed",
)
feat: add Codex extension — agents, skills, rules, config Parallel to the Claude Code plugin (claude/), core-agent now supports Codex with full feature parity: - .codex/config.toml — model, profiles (review/quick/implement/lem), MCP server, local model providers (Ollama/LM Studio) - .codex/agents/ — reviewer, migrator, fixer (AX-aware) - .codex/rules/ — Starlark rules for sandbox control - .agents/skills/ — 9 skills matching Claude plugin - AGENTS.md — Codex project instructions (like CLAUDE.md) Supports --oss mode for local models (LEM via Ollama). Same binary, two entry points. Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-22 06:20:59 +00:00			`# Core Agent — Codex Rules`
			`# Controls which commands can run outside the sandbox`

			`# Go toolchain — always safe`
			`prefix_rule(`
			`pattern = ["go", ["build", "test", "vet", "fmt", "mod", "get", "work"]],`
			`decision = "allow",`
			`justification = "Go development tools are safe read/build operations",`
			`match = [["go", "build", "./..."], ["go", "test", "./pkg/agentic"]],`
			`not_match = [["go", "run", "main.go"]],`
			`)`

			`# Core agent binary`
			`prefix_rule(`
			`pattern = ["core-agent", ["mcp", "--version"]],`
			`decision = "allow",`
			`justification = "Core agent MCP server and version check",`
			`)`

			`# Git read operations`
			`prefix_rule(`
			`pattern = ["git", ["status", "log", "diff", "branch", "tag", "remote", "fetch", "rev-parse", "ls-remote"]],`
			`decision = "allow",`
			`justification = "Read-only git operations are safe",`
			`)`

			`# Git write — prompt for approval`
			`prefix_rule(`
			`pattern = ["git", ["add", "commit", "merge", "rebase", "stash"]],`
			`decision = "prompt",`
			`justification = "Git write operations need human approval",`
			`)`

			`# Git push — forbidden (use PR workflow)`
			`prefix_rule(`
			`pattern = ["git", "push"],`
			`decision = "forbidden",`
			`justification = "Never push directly — use PR workflow via agentic_create_pr",`
			`)`

			`# Git destructive — forbidden`
			`prefix_rule(`
			`pattern = ["git", ["reset", "clean"], "--force"],`
			`decision = "forbidden",`
			`justification = "Destructive git operations are never allowed",`
			`)`

			`# Curl — prompt (network access)`
			`prefix_rule(`
			`pattern = ["curl"],`
			`decision = "prompt",`
			`justification = "Network requests need approval",`
			`)`

			`# SSH — forbidden`
			`prefix_rule(`
			`pattern = ["ssh"],`
			`decision = "forbidden",`
			`justification = "Direct SSH is forbidden — use Ansible via deployment skills",`
			`)`

			`# rm -rf — forbidden`
			`prefix_rule(`
			`pattern = ["rm", "-rf"],`
			`decision = "forbidden",`
			`justification = "Recursive force delete is never allowed",`
			`)`