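# Core Agent — Codex Rules
# Controls which commands can run outside the sandbox.
#
# Each pattern is matched token by token against the start of the command's
# argv; a nested list is a set of alternatives for that position. Flags spelled
# differently, reordered, or preceded by other options (e.g. `git -C dir ...`)
# do not match a rule. Such commands presumably fall through to Codex's default
# sandbox/approval handling — confirm — so the "forbidden" rules below are a
# guard rail, not a complete denylist.

# Go toolchain — allowed without prompting.
# NOTE(review): these subcommands are not purely read/build operations.
# `go test` runs the repository's test code, `go get` and `go mod` can fetch
# modules over the network and rewrite go.mod/go.sum, and `go build`/`go vet`
# accept flags that run external tools (-toolexec, -vettool). `go run` is
# excluded below for executing code, yet `go test` does the same. Consider
# moving `test`, `get` and `mod` to "prompt" if this agent works on
# untrusted checkouts.
prefix_rule(
    pattern = ["go", ["build", "test", "vet", "fmt", "mod", "get", "work"]],
    decision = "allow",
    justification = "Go development tools are safe read/build operations",
    match = [["go", "build", "./..."], ["go", "test", "./pkg/agentic"]],
    not_match = [["go", "run", "main.go"]],
)

# Core agent binary
prefix_rule(
    pattern = ["core-agent", ["mcp", "--version"]],
    decision = "allow",
    justification = "Core agent MCP server and version check",
)

# Git operations allowed without prompting.
# NOTE(review): the rule matches on the subcommand only, so it also allows the
# mutating forms of `branch`, `tag` and `remote` (create, delete, rename,
# set-url), and `fetch`/`ls-remote` contact the network even though `curl`
# needs approval below. If only inspection is intended, narrow the list to
# status/log/diff/rev-parse and put the rest behind "prompt".
prefix_rule(
    pattern = ["git", ["status", "log", "diff", "branch", "tag", "remote", "fetch", "rev-parse", "ls-remote"]],
    decision = "allow",
    justification = "Read-only git operations are safe",
)

# Git write — prompt for approval
prefix_rule(
    pattern = ["git", ["add", "commit", "merge", "rebase", "stash"]],
    decision = "prompt",
    justification = "Git write operations need human approval",
)

# Git push — forbidden (use PR workflow)
prefix_rule(
    pattern = ["git", "push"],
    decision = "forbidden",
    justification = "Never push directly — use PR workflow via agentic_create_pr",
)

# Git destructive — forbidden.
# `git reset` has no --force option; the form that discards work is --hard.
# The original `--force` token is kept so anything matched before still is.
prefix_rule(
    pattern = ["git", "reset", ["--hard", "--force"]],
    decision = "forbidden",
    justification = "Destructive git operations are never allowed",
    match = [["git", "reset", "--hard", "HEAD~1"]],
    not_match = [["git", "reset", "--soft", "HEAD~1"]],
)

# `git clean` is normally invoked with the short flag, alone or fused with
# -d/-x/-X, so the long spelling by itself misses the usual invocations.
prefix_rule(
    pattern = ["git", "clean", [
        "--force", "-f",
        "-fd", "-df", "-fx", "-xf", "-fX", "-Xf",
        "-fdx", "-fxd", "-dfx", "-dxf", "-xfd", "-xdf",
    ]],
    decision = "forbidden",
    justification = "Destructive git operations are never allowed",
    match = [["git", "clean", "-fd"], ["git", "clean", "--force"]],
    not_match = [["git", "clean", "-n"]],
)

# Curl — prompt (network access)
prefix_rule(
    pattern = ["curl"],
    decision = "prompt",
    justification = "Network requests need approval",
)

# SSH — forbidden
prefix_rule(
    pattern = ["ssh"],
    decision = "forbidden",
    justification = "Direct SSH is forbidden — use Ansible via deployment skills",
)

# rm -rf — forbidden.
# A single "-rf" token does not cover the equivalent spellings (-fr, -Rf,
# separate -r -f, long options), so those are listed explicitly. Flags fused
# with extra letters (e.g. -rfv) or placed after a path are still not matched.
prefix_rule(
    pattern = ["rm", ["-rf", "-fr", "-Rf", "-fR"]],
    decision = "forbidden",
    justification = "Recursive force delete is never allowed",
    match = [["rm", "-rf", "build"], ["rm", "-fr", "build"]],
    not_match = [["rm", "build.log"]],
)

prefix_rule(
    pattern = ["rm", ["-r", "-R", "--recursive"], ["-f", "--force"]],
    decision = "forbidden",
    justification = "Recursive force delete is never allowed",
)

prefix_rule(
    pattern = ["rm", ["-f", "--force"], ["-r", "-R", "--recursive"]],
    decision = "forbidden",
    justification = "Recursive force delete is never allowed",
)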