Universal rules for all developers and AI agents, across all projects. These are non-negotiable — they apply regardless of team, pipeline mode, or domain.
- Never delete repositories, services, or databases
- Never
rm -rfon broad paths (/,~,.,/Users, etc.) - Never
git push --force(use--force-with-leaseif necessary) - Never
git reset --hard,git clean -f,git branch -D main - Never
DROP DATABASE,DROP TABLE,TRUNCATE TABLE - Never pipe remote content to shell (
curl | bash) - Never
chmod 777,pkill -9,killall -9 - Never commit secrets (.env files, API keys, credentials)
- Stop and ask if a destructive action seems genuinely necessary
- Prefer
git worktreeover stash - If stashing:
git stash push -m "descriptive message" - Never drop a stash after failed pop
- Verify restoration after switching back
- Never report data loss without full verification.
- Dashboard counts != database counts (dashboards show filtered views).
- Express uncertainty: "Let me verify further before concluding."
Projects may add domain-specific safety rules (PHI handling, PCI compliance, etc.). See each project's safety documentation.
Domain overlays in this repo:
overlays/healthcare/safety-addendum.md— HIPAA, PHI, patient data