# Codex instructions for this repository

This repository contains:

- Docker Compose infrastructure
- Terraform configuration
- Ansible configuration

## General rules

Prefer validation and linting over execution.
Do not make assumptions about runtime access.
Do not run destructive commands.
Do not install repo changes unless explicitly requested.

## Docker / Compose rules

This environment does not have Docker daemon access.
Do not use commands that require `/var/run/docker.sock`.

Allowed:

- `docker compose config`
- `docker compose -f config`
- `./services-up.sh --profile all config`

Not allowed:

- `docker compose up`
- `docker compose down`
- `docker compose run`
- `docker compose exec`
- `docker build`
- `docker pull`

When validating Docker changes:

1. Prefer `./services-up.sh --profile all config` if available.
2. If that does not fit the task, use `docker compose -f ... config`.
3. Only create temporary placeholder env files if validation requires them.
4. Do not commit placeholder env files unless explicitly requested.

## Terraform rules

Allowed:

- `terraform fmt -check -recursive`
- `terraform init -backend=false -input=false`
- `terraform validate`
- `tflint`

Do not apply infrastructure changes unless explicitly requested.

Do not run:

- `terraform apply`
- `terraform destroy`

If `terraform init` fails because access to `registry.terraform.io` is forbidden, do not summarize the error vaguely. Report the exact stderr.

Continue with:

- `terraform fmt -check -recursive`
- static review of changed `.tf` files

Only run `terraform validate` when provider installation is available locally or registry access succeeds.

## Ansible rules

Allowed:

- `ansible-lint`
- `ansible-playbook --syntax-check`

Do not run playbooks against real hosts unless explicitly requested.

## Shell / YAML rules

Allowed:

- `shellcheck`
- `yamllint`
- `yq`
- `jq`

## Expected workflow

When making changes:

1. Edit the smallest necessary set of files.
2. Run the safest available validation commands.
3. Report validation results clearly.
4. If validation is blocked by missing secrets, env files, or remote/provider access, say so explicitly instead of guessing.
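The Docker and Terraform validation steps above, encoded as a read-only runner. This is an added example, not a script from this repository; it assumes it is run from the repo root and that only the tool names listed in these rules are available. Each check prints PASS or FAIL, stderr is reproduced verbatim rather than summarised, and `terraform validate` is skipped when `terraform init` fails because `registry.terraform.io` refuses access.

```shell
#!/usr/bin/env bash
# Added example: read-only validation runner (not part of the repository).
set -u
LAST_STDERR=''

# Run one check. Prints PASS/FAIL and, on failure, the exact stderr.
# Stdout of the checked command is discarded (e.g. the rendered compose config).
run_check() {
    local label="$1" errfile rc; shift
    errfile="$(mktemp)"
    "$@" 2>"$errfile" >/dev/null; rc=$?
    LAST_STDERR="$(cat "$errfile")"; rm -f "$errfile"
    if [ "$rc" -eq 0 ]; then
        printf 'PASS  %s\n' "$label"
    else
        printf 'FAIL  %s (exit %d)\n--- exact stderr ---\n%s\n' "$label" "$rc" "$LAST_STDERR"
    fi
    return "$rc"
}

# True when terraform init stderr indicates registry.terraform.io refused access.
# The pattern (hostname plus "forbidden"/403) is an assumption, not a documented format.
registry_blocked() {
    printf '%s' "$1" | grep -q 'registry.terraform.io' &&
        printf '%s' "$1" | grep -Eiq 'forbidden|403'
}

# Compose: prefer the repo wrapper, fall back to plain config rendering (no daemon needed).
validate_compose() {
    if [ -x ./services-up.sh ]; then
        run_check 'services-up.sh config' ./services-up.sh --profile all config
    elif [ -f docker-compose.yml ] || [ -f compose.yaml ]; then
        run_check 'docker compose config' docker compose config
    else
        echo 'SKIP  compose (no compose file found)'
    fi
}

# Terraform: fmt always; validate only when init succeeded; never apply/destroy.
validate_terraform() {
    command -v terraform >/dev/null || { echo 'SKIP  terraform (not installed)'; return 0; }
    run_check 'terraform fmt -check' terraform fmt -check -recursive || true
    if run_check 'terraform init' terraform init -backend=false -input=false; then
        run_check 'terraform validate' terraform validate
    else
        registry_blocked "$LAST_STDERR" && echo 'NOTE  registry.terraform.io access forbidden'
        echo 'SKIP  terraform validate; fall back to static review of changed .tf files'
    fi
}

validate_compose
validate_terraform
```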