Initial commit

.codex/security.md

@@ -0,0 +1,39 @@
+# Security rules
+
+These rules are always active.
+
+Codex MUST NOT:
+
+- commit secrets, tokens, passwords, private keys, API keys, or real credentials;
+- disable authentication, authorization, TLS verification, CSRF protection, input validation, or security checks unless explicitly requested and documented in an ADR;
+- introduce privileged containers unless explicitly justified in an ADR;
+- use `latest` container tags;
+- add unnecessary open ports;
+- log credentials, tokens, session IDs, cookies, authorization headers, or sensitive payloads;
+- weaken file permissions without justification;
+- introduce dependencies without explaining why they are needed;
+- ignore security-sensitive errors;
+- store secrets in plain YAML, JSON, TOML, dotenv, shell scripts, Dockerfiles, or documentation.
+
+Codex MUST:
+
+- prefer least privilege for users, containers, services, and filesystem permissions;
+- prefer reproducible builds;
+- treat CI/CD, Docker, Ansible, deployment, reverse proxy, and authentication files as security-sensitive;
+- document security-relevant assumptions;
+- flag unclear security requirements before implementing risky behavior;
+- update `docs/security.md` when security behavior changes.
+
+## Security-sensitive changes
+
+The following changes require explicit attention and may require an ADR:
+
+- authentication or authorization changes;
+- network exposure changes;
+- TLS/certificate behavior changes;
+- Docker privilege, capabilities, users, volumes, or network changes;
+- Ansible privilege escalation changes;
+- logging changes involving user data or sensitive data;
+- dependency additions;
+- deployment topology changes;
+- backup, restore, retention, or data deletion behavior changes.