# Repository AI Workflow Policy

Use this as a baseline team policy for AI-assisted coding.

## Approved Use

- Tests.
- Documentation.
- Small feature work.
- Bug fixes with reproducible failures.
- Mechanical refactors.
- Local explanations of existing code.

## Restricted Use

Work in these areas requires senior review before starting:

- Authentication or authorization.
- Payment, billing, or financial logic.
- Database migrations.
- Security-sensitive infrastructure.
- Large rewrites.
- Customer data handling.
- Regulated systems.

## Task Brief Required

Every AI-assisted code task should include:

- Goal.
- Relevant files/modules.
- Expected behavior.
- Non-goals.
- Edge cases.
- Test command.
- Security/data constraints.
- Existing pattern to follow.

## Hard Rules

- Do not paste secrets into AI tools.
- Do not use personal AI accounts for private company repositories.
- Do not add dependencies without approval.
- Do not bypass tests, linting, typechecking, or review.
- Do not accept large rewrites without a human plan.
- Do not merge AI-generated changes without code review.

## Review Checklist

- Follows local architecture.
- Preserves public behavior unless intentionally changed.
- Does not weaken auth, validation, logging, accessibility, or error handling.
- Tests cover behavior and failure paths.
- No secret, credential, or private customer data exposure.
- PR description states what was AI-assisted and what was manually verified.
