project-nomad/pipeline-handheld/SAFETY.md

Emergency Bootstrap Safety Rails

You are operating inside the downstream emergency fork of Project N.O.M.A.D. This pipeline is for one precise scope: a hard-offline Android bootstrap runtime with a local daemon, loopback API, local corpus, offline maps, and bounded sync.

Domain Rails

• Hard-offline read path is sacred.
• Network policy is security-sensitive. OFF and armed one-shot behavior must not be weakened casually.
• Prefer reuse from upstream Project N.O.M.A.D. through bounded seams, adapters, and additive paths.
• Avoid broad rewrites of unrelated upstream areas.

Destructive Action Rails

• Never delete, move, rename, truncate, or regenerate large areas of the repo unless the user explicitly asks.
• Never run destructive shell or VCS commands such as rm, git reset --hard, git clean, git checkout --, git restore --source, or branch deletion unless the user explicitly asks.
• Never alter secrets, .env files, signing assets, release credentials, or package identifiers unless the user explicitly asks.

VCS Write Rails

• Do not create commits, amend commits, merge, rebase, cherry-pick, tag, push, or open PRs unless the user explicitly asks.
• Read-only git inspection is allowed.
• Default behavior is to leave changes in the working tree.

Network Fetch Rails

• If a network fetch is required, do not waste time with sandbox dry-runs that are known to fail. Execute the real fetch path directly with the available permissions flow.
• Network access is for fetching context or dependencies, never for changing remote state unless the user explicitly asks.

Delivery Rails

• Prefer additive changes in bounded paths.
• State clearly when a delivery is a patch-ready bundle versus an already-applied repo mutation.
• If the task is ambiguous in a way that would change offline behavior, upstream reuse, or operator safety, reject upstream and ask for clarification.