# Policy Examples

Agent Spine hook policy starts with `.codex/policy.json`.

Reusable JSON examples live under `examples/policies/`:

- `examples/policies/node-typescript.policy.json`
- `examples/policies/monorepo-infra.policy.json`
- `examples/policies/rust-python.policy.json`

## Default Secret Policy

```json
{
  "sensitive_basenames": [".env", "credentials.json", "id_rsa"],
  "sensitive_suffixes": [".env", ".key", ".pem"],
  "sensitive_dir_parts": ["secrets"]
}
```

## Cloud Repository

Use this shape when the repository contains deployment and cloud configuration:

```json
{
  "sensitive_basenames": [
    ".env",
    "credentials.json",
    "service-account.json",
    "terraform.tfvars"
  ],
  "sensitive_suffixes": [".env", ".key", ".pem", ".p12", ".pfx", ".tfvars"],
  "sensitive_dir_parts": ["secrets", "credentials", "private"]
}
```

## Product Monorepo

Use this shape when multiple apps share local config directories:

```json
{
  "sensitive_basenames": [".env", ".env.local", "id_rsa"],
  "sensitive_suffixes": [".env", ".key", ".pem"],
  "sensitive_dir_parts": ["secrets", "apps-secrets", "deploy-secrets"]
}
```

## Safe Exclusion Globs

The pre-tool policy allows explicit exclusion globs such as:

```bash
rg --files -g '!secrets/**' -g '!.env'
```

Excluding secret paths from a file listing is allowed; direct reads of paths that match the policy remain blocked.
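As an added illustration (not Agent Spine's own code), the matcher below applies the three `sensitive_*` keys of the policy shapes above to a requested read path. The semantics are assumed, since this page does not define them: exact basename match, basename suffix match, and any path component named in `sensitive_dir_parts`, after normalising the path so that `config/../secrets/x` is not treated differently from `secrets/x`.

```python
import posixpath

# Constructed copies of two policy shapes from this page.
DEFAULT_POLICY = {
    "sensitive_basenames": [".env", "credentials.json", "id_rsa"],
    "sensitive_suffixes": [".env", ".key", ".pem"],
    "sensitive_dir_parts": ["secrets"],
}
MONOREPO_POLICY = {
    "sensitive_basenames": [".env", ".env.local", "id_rsa"],
    "sensitive_suffixes": [".env", ".key", ".pem"],
    "sensitive_dir_parts": ["secrets", "apps-secrets", "deploy-secrets"],
}


def is_sensitive_path(path: str, policy: dict = DEFAULT_POLICY) -> bool:
    """Assumed semantics (hypothetical, not Agent Spine's documented rules):
    normalise the path first so '..' segments cannot hide a protected
    directory, then flag on any of: exact basename match, basename suffix
    match, or a component listed in sensitive_dir_parts (checked
    conservatively against every component, not only parent directories)."""
    parts = [p for p in posixpath.normpath(path).split("/") if p not in ("", ".")]
    if not parts:
        return False
    name = parts[-1]
    if name in policy.get("sensitive_basenames", []):
        return True
    if any(name.endswith(sfx) for sfx in policy.get("sensitive_suffixes", [])):
        return True
    dir_parts = set(policy.get("sensitive_dir_parts", []))
    return any(part in dir_parts for part in parts)


def blocked_reads(paths, policy: dict = DEFAULT_POLICY) -> list:
    """Return the subset of requested read paths the policy would block."""
    return [p for p in paths if is_sensitive_path(p, policy)]


if __name__ == "__main__":
    # Constructed sample of read requests an agent might issue.
    requested = ["src/main.py", "app/config/.env", "certs/server.pem",
                 "config/../secrets/notes.txt", "apps/web/.env.local"]
    print(blocked_reads(requested))
    print(blocked_reads(requested, MONOREPO_POLICY))
```

Note that `.env.local` only matches once it is listed as a basename, which is why the monorepo shape adds it explicitly.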

## Node And TypeScript

```json
{
  "sensitive_basenames": [".env", ".env.local", ".npmrc"],
  "sensitive_suffixes": [".env", ".key", ".pem"],
  "sensitive_dir_parts": ["secrets", "deploy-secrets"],
  "dangerous_commands": {
    "block_recursive_rm": true,
    "block_force_push": true,
    "block_recursive_chmod": true,
    "max_nested_shell_depth": 4
  }
}
```

## Python

```json
{
  "sensitive_basenames": [".env", ".env.local", "credentials.json"],
  "sensitive_suffixes": [".env", ".key", ".pem", ".p12"],
  "sensitive_dir_parts": ["secrets", "credentials"],
  "dangerous_commands": {
    "block_recursive_rm": true,
    "block_force_push": true,
    "block_recursive_chmod": true,
    "max_nested_shell_depth": 4
  }
}
```

## Rust Services

```json
{
  "sensitive_basenames": [".env", ".env.local", "kubeconfig"],
  "sensitive_suffixes": [".env", ".key", ".pem", ".toml.local"],
  "sensitive_dir_parts": ["secrets", "private"],
  "dangerous_commands": {
    "block_recursive_rm": true,
    "block_force_push": true,
    "block_recursive_chmod": true,
    "max_nested_shell_depth": 4
  }
}
```

## Infrastructure

```json
{
  "sensitive_basenames": [".env", "terraform.tfvars", "kubeconfig"],
  "sensitive_suffixes": [".tfvars", ".key", ".pem", ".p12", ".pfx"],
  "sensitive_dir_parts": ["secrets", "credentials", "private"],
  "dangerous_commands": {
    "block_recursive_rm": true,
    "block_force_push": true,
    "block_recursive_chmod": true,
    "max_nested_shell_depth": 4
  }
}
```
