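# Forbid Codex from changing Git repository state in this project.
#
# Read-only Git inspection, such as `git status`, `git diff`, `git log`, and
# `git show`, is intentionally not matched by this policy.
#
# NOTE(review): this is a denylist over the leading argv tokens. Anything not
# listed here falls through to whatever the surrounding approval or sandbox
# policy decides, so treat these rules as a guard rail and keep filesystem
# level protection of `.git` as the actual enforcement.

# Rule 1: subcommands that write to the repository.
#
# Several of these also have read-only forms (`git branch`, `git tag`,
# `git stash list`, `git remote -v`, `git config --get`). A prefix rule cannot
# tell the forms apart, so the whole subcommand is forbidden.
prefix_rule(
    pattern = ["git", [
        "add",
        "am",
        "apply",
        "bisect",
        "branch",
        "checkout",
        "checkout-index",  # plumbing: writes index entries to the working tree
        "cherry-pick",
        "clean",
        "commit",
        "commit-tree",  # plumbing: creates commit objects
        "config",  # rewrites repository configuration
        "fetch",
        "filter-branch",  # rewrites history
        "gc",  # can drop unreachable commits
        "merge",
        "mv",
        "notes",
        "pack-refs",  # plumbing: rewrites ref storage
        "prune",  # deletes unreachable objects
        "pull",
        "push",
        "read-tree",  # plumbing: overwrites the index
        "rebase",
        "reflog",
        "remote",  # the justification names remotes; the original list omitted it
        "replace",
        "reset",
        "restore",
        "revert",
        "rm",
        "sparse-checkout",  # changes which paths are present in the working tree
        "stash",
        "submodule",
        "switch",
        "symbolic-ref",  # plumbing: repoints HEAD and other symbolic refs
        "tag",
        "update-index",
        "update-ref",
        "worktree",
    ]],
    decision = "forbidden",
    justification = "Git commands that change the index, refs, branches, remotes, commits, configuration, or working tree are reserved for the user.",
    match = [
        "git add .",
        "git commit -m test",
        "git pull --rebase",
        "git reset --hard HEAD",
        "git restore --staged AGENTS.md",
        "git remote remove origin",
        "git config user.name test",
    ],
    not_match = [
        "git diff -- AGENTS.md",
        "git log --oneline -5",
        "git show HEAD",
        "git status --short",
    ],
)

# Rule 2: global options placed between `git` and the subcommand.
#
# A global option moves the subcommand out of the second argv position, so
# rule 1 no longer sees it. Forbidding the option itself closes that gap and
# forces every Git call into the plain `git <subcommand>` shape.
#
# NOTE(review): the pattern lists `--git-dir=.git` and an absolute-path
# variant as separate entries, which suggests tokens are compared exactly.
# If so, other `--opt=<value>` spellings (a different `--git-dir=` path,
# `--namespace=`, `--exec-path=`, `--config-env=`, `--super-prefix=`) are
# presumably not covered and cannot be enumerated here. Confirm the matching
# semantics. The absolute paths also tie this file to a single checkout
# location.
prefix_rule(
    pattern = ["git", [
        "-C",
        "-c",
        "--bare",
        "--config-env",
        "--exec-path",
        "--git-dir",
        "--git-dir=.git",
        "--git-dir=/home/w0rp/ale/.git",
        "--namespace",
        "--no-optional-locks",
        "--no-pager",
        "--paginate",
        "-P",
        "--super-prefix",
        "--work-tree",
        "--work-tree=.",
        "--work-tree=/home/w0rp/ale",
        # Value-less global options that the original list did not cover.
        "-p",  # short form of --paginate
        "--glob-pathspecs",
        "--icase-pathspecs",
        "--literal-pathspecs",
        "--no-advice",
        "--no-lazy-fetch",
        "--no-replace-objects",
        "--noglob-pathspecs",
    ]],
    decision = "forbidden",
    justification = "Git global options can obscure or bypass repository state changes; run read-only Git commands from the repository root instead.",
    match = [
        "git -C /home/w0rp/ale status --short",
        "git --git-dir .git status",
        "git --git-dir=.git status",
        "git --no-pager add .",
        "git --work-tree . status",
        "git -p add .",
    ],
    not_match = [
        "git diff -- AGENTS.md",
        "git log --oneline -5",
        "git show HEAD",
        "git status --short",
    ],
)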