Add local coding rules

---

Build: not run | Tests: not run

---
Build: pass | Tests: pass — Tests  861 passed (861)

.agent/rules.yaml

@@ -0,0 +1,41 @@
+version: 1
+source: local
+rules:
+  - id: no-hardcoded-secrets
+    severity: error
+    description: Never commit API keys, tokens, or passwords.
+    applies_to:
+      - "src/**"
+      - "setup/**"
+      - "scripts/**"
+      - "docs/**"
+      - "README.md"
+    enforcement: deny
+    patterns:
+      - "API_KEY="
+      - "TOKEN="
+      - "SECRET="
+
+  - id: deterministic-tooling
+    severity: warning
+    description: Prefer explicit versions and repeatable steps.
+    applies_to:
+      - "scripts/**"
+      - "setup/**"
+      - "docs/**"
+    enforcement: warn
+
+  - id: readable-operations
+    severity: warning
+    description: Operational docs must be actionable and concise.
+    applies_to:
+      - "doc/**"
+      - "docs/**"
+    enforcement: warn
+
+  - id: minimal-coupling
+    severity: recommendation
+    description: Prefer small, composable modules over hidden global state.
+    applies_to:
+      - "src/**"
+    enforcement: note

doc/AGENTIC-HARNESS-SPEC.md

@@ -22,6 +22,7 @@ terminal-first harness that replaces the Paperclip dashboard direction.
 
 ## Config Files
 
+- `.agent/rules.yaml` — local coding rules (human policy in `doc/CODING-RULES.md`)
 - `.agent/harness/teams.yaml` — dispatcher team definitions
 - `.agent/harness/chains.yaml` — sequential pipelines
 - `.agent/harness/safety.yaml` — allow/ask/deny rules and path policies

doc/CODING-RULES.md

@@ -0,0 +1,42 @@
+# Coding Rules (Local Source of Truth)
+
+This repo uses a local ruleset instead of Qodo. The human-readable policy lives
+here, and the machine-readable policy lives in `.agent/rules.yaml`.
+
+## Goals
+
+- Keep rules visible in git history.
+- Avoid external dependencies for enforcement.
+- Support future automation without blocking humans today.
+
+## Rule Levels
+
+- **error**: must comply
+- **warning**: should comply
+- **recommendation**: consider when relevant
+
+## Scope
+
+Rules apply to code and docs in this repo unless a rule explicitly limits scope.
+
+## Core Rules
+
+1. **No hardcoded secrets** (error)
+   - Never commit API keys, tokens, or passwords.
+   - Use environment variables and documented config files.
+
+2. **Deterministic tooling** (warning)
+   - Prefer explicit versions and repeatable steps.
+   - Avoid hidden side effects in scripts.
+
+3. **Readable operations** (warning)
+   - Operational docs must be actionable and concise.
+   - Avoid ambiguous instructions.
+
+4. **Minimal coupling** (recommendation)
+   - Prefer small, composable modules over hidden global state.
+
+## Enforcement
+
+Automation should read `.agent/rules.yaml`. This document is the rationale and
+human-facing source of truth.