一键导入
jj-protected-workspaces
Use when working on a project within /home/user/workspace/code or code-agent.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when working on a project within /home/user/workspace/code or code-agent.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | jj-protected-workspaces |
| description | Use when working on a project within /home/user/workspace/code or code-agent. |
This environment separates canonical project repositories from agent working copies:
/home/user/workspace/code/<repo> contains canonical project repositories.
Treat these as read-only source-of-truth projects./home/user/workspace/code-agent/<workspace> contains writable agent workspaces.
Make file edits and run normal development commands from here.When a task names a repository, prefer the matching workspace under
code-agent/. If you are in code/, do not edit files there directly; create
or switch to the corresponding code-agent/ workspace.
Only a narrow set of jj mutations is currently allowed. Use these exact
argument forms; the allowlist is strict about argument order and shape.
From /home/user/workspace/code/<repo>:
jj workspace add ../../code-agent/<workspace> --name agent-<workspace>
From /home/user/workspace/code-agent/<workspace>:
jj workspace update-stale
jj commit -m "message" [<fileset>...]
jj desc [<revset>] -m "description"
jj describe [<revset>] -m "description"
jj new [<revset>]
jj squash [--from <revset>] [--to <revset>] [<fileset>...]
jj edit <revset>
jj abandon [<revset>...]
Do not use other mutating jj commands.
The immutable-heads configuration is the protection boundary. An agent cannot
rewrite ancestry of default@, bookmarked changes, or remote-bookmarked
changes, but non-immutable unbookmarked revisions are considered mutable
working area and may be changed by allowed revset-based commands.
Read-only inspection commands are permitted and should be used as needed:
jj status
jj log
jj show
jj diff
Use these commands to inspect history, review diffs, and verify the working copy before committing.
Propose or modify Rego sandbox command policies for mcp-run (PROPOSAL_DIR ~/proposed-sandbox-commands; runtime POLICY_DIR /opt/config/nw_sandbox). Use when asked to draft new .rego files, update existing policy logic, or review command allowlists with safe argument constraints and network/data-exfiltration safeguards.
Manage npm package dependencies in this environment. Use when adding or updating npm packages, editing package.json/package-lock.json, or when network access must be constrained to `run-in-nw-sandbox -- npm install --no-scripts [--save | --save-dev] -- package-spec ...` followed by `npm rebuild` outside the sandbox.
How to use run-in-nw-sandbox to run commands with network access from inside the agent
How to use uv, pip and Python to download and install dependencies in this environment. If there's an error installing python dependencies, you need this!