core/agent
8
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity Actions
agent/.codex/rules/core-agent.rules
Snider 7873e0ebf7 feat: add Codex extension — agents, skills, rules, config 
Parallel to the Claude Code plugin (claude/), core-agent now supports
Codex with full feature parity:

- .codex/config.toml — model, profiles (review/quick/implement/lem),
  MCP server, local model providers (Ollama/LM Studio)
- .codex/agents/ — reviewer, migrator, fixer (AX-aware)
- .codex/rules/ — Starlark rules for sandbox control
- .agents/skills/ — 9 skills matching Claude plugin
- AGENTS.md — Codex project instructions (like CLAUDE.md)

Supports --oss mode for local models (LEM via Ollama).
Same binary, two entry points.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-22 06:20:59 +00:00

67 lines
1.9 KiB
Text
Raw Blame History

# Core Agent — Codex Rules
# Controls which commands can run outside the sandbox
# Go toolchain — always safe
prefix_rule(
pattern = ["go", ["build", "test", "vet", "fmt", "mod", "get", "work"]],
decision = "allow",
justification = "Go development tools are safe read/build operations",
match = [["go", "build", "./..."], ["go", "test", "./pkg/agentic"]],
not_match = [["go", "run", "main.go"]],
)
# Core agent binary
prefix_rule(
pattern = ["core-agent", ["mcp", "--version"]],
decision = "allow",
justification = "Core agent MCP server and version check",
)
# Git read operations
prefix_rule(
pattern = ["git", ["status", "log", "diff", "branch", "tag", "remote", "fetch", "rev-parse", "ls-remote"]],
decision = "allow",
justification = "Read-only git operations are safe",
)
# Git write — prompt for approval
prefix_rule(
pattern = ["git", ["add", "commit", "merge", "rebase", "stash"]],
decision = "prompt",
justification = "Git write operations need human approval",
)
# Git push — forbidden (use PR workflow)
prefix_rule(
pattern = ["git", "push"],
decision = "forbidden",
justification = "Never push directly — use PR workflow via agentic_create_pr",
)
# Git destructive — forbidden
prefix_rule(
pattern = ["git", ["reset", "clean"], "--force"],
decision = "forbidden",
justification = "Destructive git operations are never allowed",
)
# Curl — prompt (network access)
prefix_rule(
pattern = ["curl"],
decision = "prompt",
justification = "Network requests need approval",
)
# SSH — forbidden
prefix_rule(
pattern = ["ssh"],
decision = "forbidden",
justification = "Direct SSH is forbidden — use Ansible via deployment skills",
)
# rm -rf — forbidden
prefix_rule(
pattern = ["rm", "-rf"],
decision = "forbidden",
justification = "Recursive force delete is never allowed",
)
Reference in a new issue View git blame Copy permalink