640 B
640 B
Script Policy
Scripts should be deterministic, non-destructive by default, and reviewable.
Minimum expectations:
- expose a command-line entrypoint or clear function boundary
- prefer
argparseand--helpfor operator-facing scripts - keep
python3 scripts/name.py --helpsafe, non-mutating, and fast enough for trust smoke checks - avoid hidden interactive prompts unless the command is explicitly interactive
- state network or filesystem side effects in nearby docs or trust metadata
- declare allowed network hosts in
security/network_policy.jsonbefore team distribution - emit structured JSON when used by
scripts/yao.py