0be354a920
Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.
1.1 KiB
Scope — files denylist
You MUST NOT Edit or Write any file whose path matches a glob in your
task's scope.files-denylist list. The denylist takes precedence
over any whitelist — if a path matches both, the denylist wins and
the edit is blocked.
Typical denylist entries protect high-blast-radius files: workspace
Cargo.toml, Cargo.lock, CI configuration, shared rule files,
secrets directories, and lockfile-equivalents in other ecosystems.
Changing these demands a separate review and a different role.
Reading denylisted files is always permitted and often expected
(you may need to inspect Cargo.toml to understand a crate's
dependencies, for example). The restriction applies only to mutating
tools.
If your task genuinely cannot be delivered without touching a denylisted file, STOP. Do not try to work around the restriction. Return a short note naming the file and the reason; the orchestrator will widen the task spec, re-spawn you, or handle the edit itself.
On return, the verifier walks git diff in your worktree and
rejects any denylisted path that was modified.