260224:1606 20260224:1600 V1.8.0

2026-02-24 16:06:15 +07:00
parent 97cc41f489
commit 158179d4a5
255 changed files with 5339 additions and 2094 deletions
--- a/.agent/rules/01-code-execution.md
+++ b/.agent/rules/01-code-execution.md
@@ -1,15 +1,38 @@
 ---
 trigger: always_on
 description: Control which shell commands the agent may run automatically.
-allowAuto: ["pnpm test:watch", "pnpm test:debug", "pnpm test:e2e", "git status"]
-denyAuto: ["rm -rf", "Remove-Item", "git push --force", "curl | bash"]
+allowAuto:
+  - 'pnpm test:watch'
+  - 'pnpm test:debug'
+  - 'pnpm test:e2e'
+  - 'git status'
+  - 'git log --oneline'
+  - 'git diff'
+  - 'git branch'
+  - 'tsc --noEmit'
+denyAuto:
+  - 'rm -rf'
+  - 'Remove-Item'
+  - 'git push --force'
+  - 'git reset --hard'
+  - 'git clean -fd'
+  - 'curl | bash'
+  - 'docker compose down'
+  - 'DROP TABLE'
+  - 'TRUNCATE'
+  - 'DELETE FROM'
 alwaysReview: true
-scopes: ["backend/src/**", "backend/test/**", "frontend/app/**"]
+scopes:
+  - 'backend/src/**'
+  - 'backend/test/**'
+  - 'frontend/app/**'
 ---

 # Execution Rules

 - Only auto-execute commands that are explicitly listed in `allowAuto`.
- Commands in denyAuto must always be blocked, even if manually requested.
- All shell operations that create, modify, or delete files in `backend/src/` or `backend/test/` or `frontend/app/` require human review.
- Alert if environment variables related to DB connection or secrets would be displayed or logged.
+- Commands in `denyAuto` must always be blocked, even if manually requested.
+- All shell operations that create, modify, or delete files in `backend/src/`, `backend/test/`, or `frontend/app/` require human review.
+- Alert before running any SQL that modifies data (INSERT/UPDATE/DELETE/DROP/TRUNCATE).
+- Alert if environment variables related to DB connection or secrets (DATABASE_URL, JWT_SECRET, passwords) would be displayed or logged.
+- Never auto-execute commands that expose sensitive credentials via MCP tools or shell output.