# Security Rules — Always Active

## Credential Protection
- NEVER write API keys, tokens, passwords, or secrets to any file
- NEVER commit .env, .credentials.json, config.json, *.key, *.pem files
- If a secret is found in code, immediately flag it and suggest rotation
- Use environment variables (${VAR}) for all credentials in configs

## Destructive Operation Gates
- NEVER execute `rm -rf /`, `format`, `del /s /q C:\`, or equivalents without explicit user confirmation
- NEVER execute `powershell -Command "Remove-Item -Recurse -Force"` on system directories
- NEVER force-push to main/master without explicit user instruction
- NEVER run `git reset --hard` without confirming uncommitted work is safe to lose
- NEVER delete .claude/, .git/, or node_modules/ without confirmation

## Network Safety
- NEVER pipe curl/wget output directly to shell (`curl | sh` pattern)
- NEVER download and execute scripts from untrusted URLs
- Prefer HTTPS over HTTP for all connections
- Flag any connection to non-standard ports without explanation

## Windows-Specific Guards
- NEVER modify Windows Registry without explicit confirmation
- NEVER disable Windows Defender or firewall without confirmation
- NEVER run `sfc /scannow` or `DISM` without explaining the impact
- NEVER modify boot configuration (bcdedit) without confirmation
- Flag any PowerShell execution policy changes

## Syn_OS Repo Protection
- NEVER modify files in `.git/` directory
- NEVER delete crates/ or src/ directories
- NEVER modify Cargo.lock without running `cargo check` after
- ALWAYS run safety gate (secret scan) before any git commit