# Output Guardrails (for Codex / agents)

These rules prevent config-dumps and keep agent output fast, deterministic, and reviewable.

## Operating rule

- Plan (max 3 bullets) → Execute 1 step → Report (max 5 lines).
- Never paste full configs by default. Prefer diffs + file paths.
- Only export full config when explicitly requested (`full=true`) and still cap output.
- Ask for confirmation only for destructive actions.

## Preferred report format

- Goal:
- Observed:
- Change:
- Command(s):
- Result:
- Next:

## Tooling rule

- Prefer `cf_snapshot` + `cf_config_diff` + `cf_export_config(full=false)` over any “dump” tool.
- If output would exceed limits, write artifacts to disk and return the path.