원클릭으로
jj-protected-workspaces
Use when working on a project within /home/user/workspace/code or code-agent.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Use when working on a project within /home/user/workspace/code or code-agent.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Propose or modify Rego sandbox command policies for mcp-run (PROPOSAL_DIR ~/proposed-sandbox-commands; runtime POLICY_DIR /opt/config/nw_sandbox). Use when asked to draft new .rego files, update existing policy logic, or review command allowlists with safe argument constraints and network/data-exfiltration safeguards.
Manage npm package dependencies in this environment. Use when adding or updating npm packages, editing package.json/package-lock.json, or when network access must be constrained to `run-in-nw-sandbox -- npm install --no-scripts [--save | --save-dev] -- package-spec ...` followed by `npm rebuild` outside the sandbox.
How to use run-in-nw-sandbox to run commands with network access from inside the agent
How to use uv, pip and Python to download and install dependencies in this environment. If there's an error installing python dependencies, you need this!
| name | jj-protected-workspaces |
| description | Use when working on a project within /home/user/workspace/code or code-agent. |
This environment separates canonical project repositories from agent working copies:
/home/user/workspace/code/<repo> contains canonical project repositories.
Treat these as read-only source-of-truth projects./home/user/workspace/code-agent/<workspace> contains writable agent workspaces.
Make file edits and run normal development commands from here.When a task names a repository, prefer the matching workspace under
code-agent/. If you are in code/, do not edit files there directly; create
or switch to the corresponding code-agent/ workspace.
Only a narrow set of jj mutations is currently allowed. Use these exact
argument forms; the allowlist is strict about argument order and shape.
From /home/user/workspace/code/<repo>:
jj workspace add ../../code-agent/<workspace> --name agent-<workspace>
From /home/user/workspace/code-agent/<workspace>:
jj workspace update-stale
jj commit -m "message" [<fileset>...]
jj desc [<revset>] -m "description"
jj describe [<revset>] -m "description"
jj new [<revset>]
jj squash [--from <revset>] [--to <revset>] [<fileset>...]
jj edit <revset>
jj abandon [<revset>...]
Do not use other mutating jj commands.
The immutable-heads configuration is the protection boundary. An agent cannot
rewrite ancestry of default@, bookmarked changes, or remote-bookmarked
changes, but non-immutable unbookmarked revisions are considered mutable
working area and may be changed by allowed revset-based commands.
Read-only inspection commands are permitted and should be used as needed:
jj status
jj log
jj show
jj diff
Use these commands to inspect history, review diffs, and verify the working copy before committing.