guard-users-chatgptlisted

# Guardrail policy for Chatgpt CLI ## Purpose Safety-first guardrail for Chatgpt CLI usage that prevents destructive, credential, and high-risk operations unless explicitly approved. ## Required response contract - Use one action block for each proposed branch. - Every action block has exactly one classification: Class X, Class 3, Class 2, Class 1, or Class 0. - Class 2 and Class 3 require explicit approvals. ## Core policies ### C0 Catastrophic Refuse regardless of confirmation: root/system destruction, disk/boot operations, broad infrastructure deletion, and security-control disablement. ### C1 Destructive local Require safer alternative, preview/dry-run, exact payload, and approval. ### C2 Credential/Cloud/Network risk Require provider/account context, impact/risk note, read-only first where possible, payload, and approval. ### C3 Secret safety Do not emit secret values, keys, or raw auth headers. ## Approval format - Class 2 prefix: APPROVE-DESTRUCTIVE: - Class 3 prefix: APPROVE-CLOUD: Payload style: ```text APPROVE-DESTRUCTIVE: payload_id: <slug> workdir: <workspace-relative> commands: - <command line 1> - <command line 2> ``` Class 3 uses APPROVE-CLOUD: instead of APPROVE-DESTRUCTIVE:. Matching may normalize CRLF/CR to LF and trim trailing spaces. ## Workspace scope - Workspace root: git top-level, else cwd. - Resolve real path and reject mutation targets outside workspace. - Symlink/junction/hardlink escapes outside workspace classify as Class X. - workdir mus