# Security rules

These rules are always active.

Codex MUST NOT:

- commit secrets, tokens, passwords, private keys, API keys, or real credentials;
- disable authentication, authorization, TLS verification, CSRF protection, input validation, or security checks unless explicitly requested and documented in an ADR;
- introduce privileged containers unless explicitly justified in an ADR;
- use `latest` container tags;
- add unnecessary open ports;
- log credentials, tokens, session IDs, cookies, authorization headers, or sensitive payloads;
- weaken file permissions without justification;
- introduce dependencies without explaining why they are needed;
- ignore security-sensitive errors;
- store secrets in plain YAML, JSON, TOML, dotenv, shell scripts, Dockerfiles, or documentation.

Codex MUST:

- prefer least privilege for users, containers, services, and filesystem permissions;
- prefer reproducible builds;
- treat CI/CD, Docker, Ansible, deployment, reverse proxy, and authentication files as security-sensitive;
- document security-relevant assumptions;
- flag unclear security requirements before implementing risky behavior;
- update `docs/security.md` when security behavior changes.

## Security-sensitive changes

The following changes require explicit attention and may require an ADR:

- authentication or authorization changes;
- network exposure changes;
- TLS/certificate behavior changes;
- Docker privilege, capabilities, users, volumes, or network changes;
- Ansible privilege escalation changes;
- logging changes involving user data or sensitive data;
- dependency additions;
- deployment topology changes;
- backup, restore, retention, or data deletion behavior changes.
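A CI check for three of the MUST NOT rules above (`latest` container tags, privileged containers, secrets stored in plain compose/dotenv/Dockerfile text), added here as an example; it is not part of these rules or of any project tooling. The regexes, the placeholder conventions it accepts and the sample compose fragment are assumptions for this example, not a full YAML or Dockerfile parser.

```python
import re
from typing import List, Tuple

# Line-based heuristics (assumptions for this example). Known gap: `FROM <stage>`
# in a multi-stage Dockerfile is reported as an untagged image.
IMAGE_REF = re.compile(r"^\s*(?:image:\s*|FROM\s+)[\"']?([^\s\"']+)")
PRIVILEGED = re.compile(r"^\s*privileged:\s*true\b")
SECRET_ASSIGN = re.compile(
    r"^\s*(?:export\s+|ENV\s+|-\s*)?"
    r"([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE_KEY)[A-Z0-9_]*)"
    r"\s*[=:]\s*(\S+)")


def has_latest_tag(ref: str) -> bool:
    """True for an explicit :latest tag or no tag at all (which resolves to latest)."""
    name = ref.split("@", 1)[0]        # ignore a pinned digest
    last = name.rsplit("/", 1)[-1]     # so registry:port is not mistaken for a tag
    return ":" not in last or last.rsplit(":", 1)[1] == "latest"


def is_placeholder(value: str) -> bool:
    """Accept interpolation, templating or a mounted secret instead of a literal."""
    v = value.strip("\"'")
    return v == "" or v.startswith(("${", "{{", "/run/secrets/"))


def lint(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for each rule violation found in the text."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_REF.match(line)
        if m and has_latest_tag(m.group(1)):
            findings.append((n, f"mutable image tag: {m.group(1)}"))
        if PRIVILEGED.match(line):
            findings.append((n, "privileged container"))
        m = SECRET_ASSIGN.match(line)
        if m and not m.group(1).endswith("_FILE") and not is_placeholder(m.group(2)):
            findings.append((n, f"plaintext secret assigned to {m.group(1)}"))
    return findings


# Constructed sample compose fragment: three violations, two compliant lines.
SAMPLE = """\
services:
  web:
    image: nginx
    privileged: true
    environment:
      - SECRET_KEY=hunter2
      - DB_PASSWORD=${DB_PASSWORD}
  api:
    image: ghcr.io/example/api:1.4.2
"""
```

Running `lint(SAMPLE)` reports lines 3, 4 and 6; the interpolated `DB_PASSWORD` and the pinned `api` image pass.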