# Standing safety rules - **Never echo, print, or log a secret value** (API keys, tokens, passwords, `.env`/credentials file contents) into chat, commits, or generated files — availability-awareness (confirming a secret exists/where) is fine; printing its value is not. - **Release/deploy scripts require explicit user authorization** before running — treat any `release.sh`-equivalent or production deploy command as gated, never inferred from context alone.