created AGENTS.md

AGENTS.md

@@ -0,0 +1,74 @@
+# Codex instructions for this repository
+
+This repository contains:
+- Docker Compose infrastructure
+- Terraform configuration
+- Ansible configuration
+
+## General rules
+
+Prefer validation and linting over execution.
+Do not make assumptions about runtime access.
+Do not run destructive commands.
+Do not install repo changes unless explicitly requested.
+
+## Docker / Compose rules
+
+This environment does not have Docker daemon access.
+Do not use commands that require `/var/run/docker.sock`.
+
+Allowed:
+- `docker compose config`
+- `docker compose -f <file> config`
+- `./services-up.sh --profile all config`
+
+Not allowed:
+- `docker compose up`
+- `docker compose down`
+- `docker compose run`
+- `docker compose exec`
+- `docker build`
+- `docker pull`
+
+When validating Docker changes:
+1. Prefer `./services-up.sh --profile all config` if available.
+2. If that does not fit the task, use `docker compose -f ... config`.
+3. Only create temporary placeholder env files if validation requires them.
+4. Do not commit placeholder env files unless explicitly requested.
+
+## Terraform rules
+
+Allowed:
+- `terraform fmt -check -recursive`
+- `terraform init -backend=false -input=false`
+- `terraform validate`
+- `tflint`
+
+Do not apply infrastructure changes unless explicitly requested.
+Do not run:
+- `terraform apply`
+- `terraform destroy`
+
+## Ansible rules
+
+Allowed:
+- `ansible-lint`
+- `ansible-playbook --syntax-check <playbook>`
+
+Do not run playbooks against real hosts unless explicitly requested.
+
+## Shell / YAML rules
+
+Allowed:
+- `shellcheck`
+- `yamllint`
+- `yq`
+- `jq`
+
+## Expected workflow
+
+When making changes:
+1. Edit the smallest necessary set of files.
+2. Run the safest available validation commands.
+3. Report validation results clearly.
+4. If validation is blocked by missing secrets, env files, or remote/provider access, say so explicitly instead of guessing.