@hunyed15/codecgc 0.1.8 → 0.1.9

package/INSTALLATION.md

@@ -48,11 +48,16 @@ cgc-install --mode local --workspace .
 .mcp.json
 model-routing.yaml
 .claude/
-  settings.json
+  settings.local.json
   hooks/
     route-edit.ps1
   commands/
     cgc*.md
+.codex/
+  codecgcrc.json
+.gemini/
+  policies/
+    codecgc-policy.toml
 codecgc/
   START_HERE.md
   features/

package/README.md

@@ -14,6 +14,8 @@ Claude /cgc -> CodeCGC MCP -> CodeCGC runtime -> Codex 或 Gemini 执行器
 
 CLI 仍然保留，用于本地调试、CI 检查和 MCP 不可用时的回退执行。普通用户优先使用 Claude 内的 `/cgc`，或在命令行使用 `cgc`，不需要记住所有内部子命令。
 
+安全边界：Claude 可以维护需求、规划、文档、审查和工作流状态；产品代码实现必须经由 CodeCGC 路由到 Codex 或 Gemini。项目 hook 会拦截 `Edit`、`Write`、`MultiEdit`、`Bash` 和 `PowerShell`，防止 Claude 用直接编辑或 shell 写入绕过路由。
+
 ## 安装
 
 全局安装 CLI：
@@ -53,11 +55,16 @@ cgc-doctor
 .mcp.json
 model-routing.yaml
 .claude/
-  settings.json
+  settings.local.json
   hooks/
     route-edit.ps1
   commands/
     cgc*.md
+.codex/
+  codecgcrc.json
+.gemini/
+  policies/
+    codecgc-policy.toml
 codecgc/
   START_HERE.md
   features/
@@ -72,7 +79,7 @@ codecgc/
   fixtures/
 ```
 
-在 CodeCGC 源码仓库中，`.mcp.json`、`.claude/settings.json`、`.claude/commands/`、`codecgc/START_HERE.md` 以及实时 workflow 输出目录会被忽略，因为它们是机器相关或项目安装生成的内容。
+在 CodeCGC 源码仓库中，`.mcp.json`、`.claude/settings.local.json`、`.claude/commands/`、`.codex/`、`.gemini/`、`codecgc/START_HERE.md` 以及实时 workflow 输出目录会被忽略，因为它们是机器相关或项目安装生成的内容。
 
 源码仓库会保留可发布运行时、参考文档、命令模板、测试 fixtures，以及 `.claude/hooks/route-edit.ps1` 这个 hook 模板。
 
@@ -149,7 +156,7 @@ python scripts\audit_codecgc_release_readiness.py --format json
 npm pack --dry-run --json
 ```
 
-`cgc-release-readiness` 会通过临时项目安装探针验证发布包可用性。源码仓库本身不需要提交项目级 `.mcp.json` 或 `.claude/settings.json`。
+`cgc-release-readiness` 会通过临时项目安装探针验证发布包可用性。源码仓库本身不需要提交项目级 `.mcp.json`、`.claude/settings.local.json`、`.codex/` 或 `.gemini/`。
 
 如果运行环境限制默认临时目录写入，可以显式指定探针目录：
 

package/codecgc/reference/execution-model.md

@@ -44,7 +44,9 @@ CodeCGC 把“工作流控制”和“代码执行”明确分层。
 运行时 guardrail 主要声明在：
 
 - `.mcp.json`
-- `.claude/settings.json`
+- `.claude/settings.local.json`
+- `.codex/codecgcrc.json`
+- `.gemini/policies/codecgc-policy.toml`
 - `.claude/hooks/route-edit.ps1`
 
 这些文件一起负责“不能越界”。

package/codecgc/reference/policy-routing.md

@@ -44,11 +44,12 @@ This creates project-local `.mcp.json`, `.claude/`, `model-routing.yaml`, and th
 `scripts/codecgc_policy.py` evaluates the policy for every entry point that needs write ownership:
 
 - Claude hook guardrail via `.claude/hooks/route-edit.ps1` for `Edit`, `Write`, and `MultiEdit`
+- Claude shell guardrail via the same hook for `Bash` and `PowerShell`
 - task payload construction via `scripts/build_codecgc_task.py`
 - build/fix/test wrappers before executor dispatch
 - status and doctor checks through `model-routing.yaml` validation
 
-The hook is intentionally thin. It only forwards Claude edit requests to the shared policy checker.
+The hook is intentionally thin. It forwards Claude edit requests to the shared policy checker, and it only allows Claude shell commands that are CodeCGC entry commands, read-only inspection commands, or test/check commands. Direct shell writes, destructive commands, redirection, pipes, and chained shell commands are denied so Claude cannot bypass CodeCGC routing.
 
 ## Shared Paths
 

package/codecgc/reference/project-structure.md

@@ -29,8 +29,10 @@ The source repository should not commit project-local install output. These file
 
 ```text
 .mcp.json
-.claude/settings.json
+.claude/settings.local.json
 .claude/commands/
+.codex/codecgcrc.json
+.gemini/policies/codecgc-policy.toml
 codecgc/START_HERE.md
 codecgc/features/
 codecgc/issues/
@@ -52,11 +54,16 @@ Keep `codecgc/fixtures/`, `codecgc/reference/`, `codecgc/roadmap/`, and `codecgc
 .mcp.json
 model-routing.yaml
 .claude/
-  settings.json
+  settings.local.json
   hooks/
     route-edit.ps1
   commands/
     cgc*.md
+.codex/
+  codecgcrc.json
+.gemini/
+  policies/
+    codecgc-policy.toml
 codecgc/
   features/
   issues/

package/codecgc/reference/quickstart.md

@@ -31,9 +31,11 @@ The project install syncs:
 ```text
 .mcp.json
 model-routing.yaml
-.claude/settings.json
+.claude/settings.local.json
 .claude/hooks/route-edit.ps1
 .claude/commands/cgc*.md
+.codex/codecgcrc.json
+.gemini/policies/codecgc-policy.toml
 codecgc/START_HERE.md
 codecgc/
 ```

package/codecgc/reference/troubleshooting.md

@@ -45,7 +45,7 @@ The generated file is `codecgc/START_HERE.md`. It should use project-relative pa
 
 ## Claude Hook Blocks A Write
 
-The hook is a guardrail. It blocks Claude direct writes to product source paths that should belong to Codex or Gemini.
+The hook is a guardrail. It blocks Claude direct writes to product source paths that should belong to Codex or Gemini, including direct shell writes through `Bash` or `PowerShell`.
 
 Expected behavior:
 
@@ -56,6 +56,8 @@ Expected behavior:
 
 If a write was blocked incorrectly, inspect `model-routing.yaml` first. It is the project-local policy source.
 
+For shell commands, use `/cgc` or `cgc` for implementation work. The hook only allows CodeCGC entry commands, read-only inspection commands, and test/check commands.
+
 ## Codex Or Gemini Is Unavailable
 
 Run:

package/codecgc/templates/claude/settings.local.json

@@ -0,0 +1,27 @@
+{
+  "permissions": {
+    "allow": [
+      "WebSearch",
+      "Read(**)",
+      "Edit(**)",
+      "Update(**)",
+      "Write(**)",
+      "mcp__*",
+      "mcp__codecgc__*",
+      "mcp__codex__*",
+      "mcp__gemini__*",
+      "Bash(*)",
+      "PowerShell(*)",
+      "Edit *",
+      "Reading *",
+      "Added *",
+      "mcp__memos-mcp__add_message"
+    ]
+  },
+  "enabledMcpjsonServers": [
+    "codex",
+    "gemini",
+    "codecgc"
+  ],
+  "enableAllProjectMcpServers": true
+}

package/codecgc/templates/codex/codecgcrc.json

@@ -0,0 +1,22 @@
+{
+  "schema": 1,
+  "owner": "CodeCGC",
+  "scope": "project",
+  "executor": "codex",
+  "role": "backend implementation and backend tests",
+  "enforcement": {
+    "primary": "CodeCGC MCP backend path validation",
+    "codex_cli": "sandbox and approval flags supplied by codexmcp",
+    "routing_policy": "model-routing.yaml"
+  },
+  "allowed_path_kinds": [
+    "backend"
+  ],
+  "denied_path_kinds": [
+    "frontend"
+  ],
+  "notes": [
+    "Codex CLI project execpolicy discovery is version dependent; CodeCGC treats this file as the project-local policy contract used by its MCP wrapper and status checks.",
+    "Do not edit frontend files, styling files, UI components, or mixed shared paths without a split plan."
+  ]
+}

package/codecgc/templates/gemini/codecgc-policy.toml

@@ -0,0 +1,47 @@
+# CodeCGC project-local Gemini policy.
+#
+# This file is passed explicitly by GeminiMCP through `gemini --policy`.
+# It is intentionally project-local so each repository can review and tune it.
+
+[[rule]]
+toolName = "run_shell_command"
+commandPrefix = [
+  "rm -rf",
+  "del ",
+  "rmdir ",
+  "Remove-Item",
+  "git reset --hard",
+  "git clean"
+]
+decision = "deny"
+priority = 900
+denyMessage = "CodeCGC blocks destructive shell commands in Gemini executor sessions."
+
+[[rule]]
+toolName = [
+  "write_file",
+  "replace"
+]
+decision = "allow"
+priority = 500
+modes = ["autoEdit"]
+
+[rule.safety_checker]
+type = "in-process"
+name = "allowed-path"
+required_context = ["environment"]
+
+[[rule]]
+toolName = "run_shell_command"
+commandPrefix = [
+  "npm test",
+  "npm run test",
+  "pnpm test",
+  "pnpm run test",
+  "yarn test",
+  "git diff",
+  "git status"
+]
+decision = "allow"
+priority = 300
+modes = ["autoEdit"]

package/codexmcp/src/codexmcp/server.py

@@ -51,6 +51,8 @@ FRONTEND_FILE_SUFFIXES = (
     ".svelte",
 )
 
+PROJECT_CODEX_POLICY_RELATIVE_PATH = Path(".codex") / "codecgcrc.json"
+
 
 def _empty_str_to_none(value: str | None) -> str | None:
     """Convert empty strings to None for optional UUID parameters."""
@@ -64,6 +66,45 @@ def _normalize_path_text(path_value: Path | str) -> str:
     return str(path_value).replace("\\", "/").strip()
 
 
+def _load_project_codex_policy_context(cd: Path) -> str:
+    """Load the CodeCGC project-local Codex policy contract as prompt context."""
+    policy_path = cd / PROJECT_CODEX_POLICY_RELATIVE_PATH
+    if not policy_path.is_file():
+        return ""
+
+    try:
+        payload = json.loads(policy_path.read_text(encoding="utf-8"))
+    except Exception:
+        return ""
+
+    if not isinstance(payload, dict):
+        return ""
+
+    enforcement = payload.get("enforcement")
+    if not isinstance(enforcement, dict):
+        enforcement = {}
+
+    allowed_path_kinds = payload.get("allowed_path_kinds")
+    denied_path_kinds = payload.get("denied_path_kinds")
+    notes = payload.get("notes")
+
+    lines = [
+        "Project CodeCGC Codex policy contract:",
+        f"- Role: {payload.get('role', 'backend implementation and backend tests')}",
+        f"- Routing policy: {enforcement.get('routing_policy', 'model-routing.yaml')}",
+        f"- Primary enforcement: {enforcement.get('primary', 'CodeCGC MCP backend path validation')}",
+        f"- Codex CLI guardrail: {enforcement.get('codex_cli', 'sandbox and approval flags supplied by codexmcp')}",
+    ]
+    if isinstance(allowed_path_kinds, list):
+        lines.append("- Allowed path kinds: " + ", ".join(str(item) for item in allowed_path_kinds))
+    if isinstance(denied_path_kinds, list):
+        lines.append("- Denied path kinds: " + ", ".join(str(item) for item in denied_path_kinds))
+    if isinstance(notes, list):
+        lines.extend(f"- {str(item)}" for item in notes if str(item).strip())
+    lines.append("Follow this project policy before making any code change.")
+    return "\n".join(lines).strip()
+
+
 def _is_probably_frontend_path(path_value: Path | str) -> bool:
     """Best-effort check to keep backend-only Codex tasks away from frontend files."""
     normalized = _normalize_path_text(path_value).lower().lstrip("./")
@@ -255,6 +296,10 @@ def _execute_codex_session(
     if session_id:
         cmd.extend(["resume", str(session_id)])
 
+    policy_context = _load_project_codex_policy_context(cd)
+    if policy_context:
+        prompt = f"{policy_context}\n\nUser task:\n{prompt}"
+
     if os.name == "nt":
         prompt = windows_escape(prompt)
     cmd += ["--", prompt]

package/geminimcp/src/geminimcp/server.py

@@ -18,6 +18,10 @@ from mcp.server.fastmcp import FastMCP
 from pydantic import BeforeValidator, Field
 import shutil
 
+DEFAULT_GEMINI_APPROVAL_MODE = "auto_edit"
+DEFAULT_GEMINI_TIMEOUT_SECONDS = 600
+PROJECT_GEMINI_POLICY_RELATIVE_PATH = Path(".gemini") / "policies" / "codecgc-policy.toml"
+
 mcp = FastMCP("Gemini MCP Server-from guda.studio")
 
 # Mirror of model-routing.yaml backend_paths — keep these hints in sync with
@@ -49,6 +53,14 @@ def _normalize_path_text(path_value: Path | str) -> str:
     return str(path_value).replace("\\", "/").strip()
 
 
+def _resolve_project_gemini_policy(cd: Path) -> Path | None:
+    """Return the CodeCGC project-local Gemini policy if the workspace installed it."""
+    policy_path = cd / PROJECT_GEMINI_POLICY_RELATIVE_PATH
+    if policy_path.is_file():
+        return policy_path
+    return None
+
+
 def _is_probably_backend_path(path_value: Path | str) -> bool:
     """Best-effort check to keep frontend-only Gemini tasks away from backend files."""
     normalized = _normalize_path_text(path_value).lower().lstrip("./")
@@ -126,7 +138,29 @@ def _validate_frontend_target_paths(target_paths: List[Path]) -> tuple[bool, Lis
     return True, policy_checks, ""
 
 
-def run_shell_command(cmd: list[str], cwd: str | None = None) -> Generator[str, None, None]:
+def _terminate_process_tree(process: subprocess.Popen[str]) -> None:
+    """Terminate a process and its children best-effort."""
+    if process.poll() is not None:
+        return
+
+    if os.name == "nt":
+        subprocess.run(
+            ["taskkill", "/PID", str(process.pid), "/T", "/F"],
+            stdin=subprocess.DEVNULL,
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.DEVNULL,
+            check=False,
+        )
+        return
+
+    process.kill()
+
+
+def run_shell_command(
+    cmd: list[str],
+    cwd: str | None = None,
+    timeout_seconds: int = DEFAULT_GEMINI_TIMEOUT_SECONDS,
+) -> Generator[str, None, None]:
     """Execute a command and stream its output line-by-line.
 
     Args:
@@ -158,6 +192,8 @@ def run_shell_command(cmd: list[str], cwd: str | None = None) -> Generator[str,
 
     output_queue: queue.Queue[str | None] = queue.Queue()
     GRACEFUL_SHUTDOWN_DELAY = 0.3
+    started_at = time.monotonic()
+    timed_out = False
 
     def is_turn_completed(line: str) -> bool:
         """Check if the line indicates turn completion via JSON parsing."""
@@ -185,6 +221,11 @@ def run_shell_command(cmd: list[str], cwd: str | None = None) -> Generator[str,
 
     # Yield lines while process is running
     while True:
+        if timeout_seconds > 0 and time.monotonic() - started_at > timeout_seconds:
+            timed_out = True
+            _terminate_process_tree(process)
+            break
+
         try:
             line = output_queue.get(timeout=0.5)
             if line is None:
@@ -197,7 +238,7 @@ def run_shell_command(cmd: list[str], cwd: str | None = None) -> Generator[str,
     try:
         process.wait(timeout=5)
     except subprocess.TimeoutExpired:
-        process.kill()
+        _terminate_process_tree(process)
         process.wait()
     thread.join(timeout=5)
 
@@ -209,6 +250,13 @@ def run_shell_command(cmd: list[str], cwd: str | None = None) -> Generator[str,
         except queue.Empty:
             break
 
+    if timed_out:
+        raise TimeoutError(
+            f"Gemini CLI timed out after {timeout_seconds} seconds. "
+            "This usually means the CLI was waiting for interactive approval, "
+            "network/authentication, or a long-running tool call."
+        )
+
 
 def _execute_gemini_session(
     *,
@@ -218,6 +266,7 @@ def _execute_gemini_session(
     session_id: str,
     return_all_messages: bool,
     model: str,
+    timeout_seconds: int = DEFAULT_GEMINI_TIMEOUT_SECONDS,
 ) -> Dict[str, Any]:
     """Execute Gemini CLI and return the parsed MCP response payload."""
     if not cd.exists():
@@ -229,7 +278,21 @@ def _execute_gemini_session(
     if os.name == "nt":
         prompt = windows_escape(prompt)
 
-    cmd = ["gemini", "--skip-trust", "--prompt", prompt, "-o", "stream-json"]
+    effective_timeout_seconds = int(timeout_seconds or 0) or DEFAULT_GEMINI_TIMEOUT_SECONDS
+    cmd = [
+        "gemini",
+        "--skip-trust",
+        "--approval-mode",
+        DEFAULT_GEMINI_APPROVAL_MODE,
+        "--prompt",
+        prompt,
+        "-o",
+        "stream-json",
+    ]
+
+    project_policy = _resolve_project_gemini_policy(cd)
+    if project_policy is not None:
+        cmd.extend(["--policy", project_policy.absolute().as_posix()])
 
     if sandbox:
         cmd.extend(["--sandbox"])
@@ -246,27 +309,36 @@ def _execute_gemini_session(
     err_message = ""
     thread_id: Optional[str] = None
 
-    for line in run_shell_command(cmd, cwd=cd.absolute().as_posix()):
-        try:
-            line_dict = json.loads(line.strip())
-            all_messages.append(line_dict)
-            item_type = line_dict.get("type", "")
-            item_role = line_dict.get("role", "")
-            if item_type == "message" and item_role == "assistant":
-                if (
-                    "The --prompt (-p) flag has been deprecated and will be removed in a future version. Please use a positional argument for your prompt. See gemini --help for more information.\n"
-                    in line_dict.get("content", "")
-                ):
-                    continue
-                agent_messages = agent_messages + line_dict.get("content", "")
-            if line_dict.get("session_id") is not None:
-                thread_id = line_dict.get("session_id")
-        except json.JSONDecodeError:
-            err_message += "\n\n[json decode error] " + line
-            continue
-        except Exception as error:
-            err_message += "\n\n[unexpected error] " + f"Unexpected error: {error}. Line: {line!r}"
-            break
+    try:
+        for line in run_shell_command(
+            cmd,
+            cwd=cd.absolute().as_posix(),
+            timeout_seconds=effective_timeout_seconds,
+        ):
+            try:
+                line_dict = json.loads(line.strip())
+                all_messages.append(line_dict)
+                item_type = line_dict.get("type", "")
+                item_role = line_dict.get("role", "")
+                if item_type == "message" and item_role == "assistant":
+                    if (
+                        "The --prompt (-p) flag has been deprecated and will be removed in a future version. Please use a positional argument for your prompt. See gemini --help for more information.\n"
+                        in line_dict.get("content", "")
+                    ):
+                        continue
+                    agent_messages = agent_messages + line_dict.get("content", "")
+                if line_dict.get("session_id") is not None:
+                    thread_id = line_dict.get("session_id")
+            except json.JSONDecodeError:
+                err_message += "\n\n[json decode error] " + line
+                continue
+            except Exception as error:
+                err_message += "\n\n[unexpected error] " + f"Unexpected error: {error}. Line: {line!r}"
+                success = False
+                break
+    except TimeoutError as error:
+        success = False
+        err_message += "\n\n[timeout] " + str(error)
 
     if thread_id is None:
         success = False
@@ -359,6 +431,10 @@ async def gemini(
         str,
         "The model to use for the gemini session. This parameter is strictly prohibited unless explicitly specified by the user.",
     ] = "",
+    timeout_seconds: Annotated[
+        int,
+        Field(description="Maximum Gemini CLI process runtime in seconds. Defaults to 600."),
+    ] = DEFAULT_GEMINI_TIMEOUT_SECONDS,
 ) -> Dict[str, Any]:
     """Execute a gemini CLI session and return the results."""
     return await asyncio.to_thread(
@@ -370,6 +446,7 @@ async def gemini(
             session_id=SESSION_ID,
             return_all_messages=return_all_messages,
             model=model,
+            timeout_seconds=timeout_seconds,
         )
     )
 
@@ -421,6 +498,10 @@ async def implement_frontend_task(
         str,
         "Optional model override. Only use when explicitly requested by the user.",
     ] = "",
+    timeout_seconds: Annotated[
+        int,
+        Field(description="Maximum Gemini CLI process runtime in seconds. Defaults to 600."),
+    ] = DEFAULT_GEMINI_TIMEOUT_SECONDS,
 ) -> Dict[str, Any]:
     """Execute a frontend-only Gemini task with CodeCGC policy checks."""
     valid, policy_checks, validation_error = _validate_frontend_target_paths(target_paths)
@@ -447,6 +528,7 @@ async def implement_frontend_task(
             session_id=SESSION_ID,
             return_all_messages=return_all_messages,
             model=model,
+            timeout_seconds=timeout_seconds,
         )
     )
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hunyed15/codecgc",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Claude-hosted multi-model workflow product shell for CodeCGC.",
   "license": "MIT",
   "type": "commonjs",
@@ -64,6 +64,7 @@
     "codecgc/compound/",
     "codecgc/reference/",
     "codecgc/roadmap/",
+    "codecgc/templates/",
     "codecgcmcp/pyproject.toml",
     "codecgcmcp/README.md",
     "codecgcmcp/src/codecgcmcp/*.py",

package/scripts/audit_codecgc_package_runtime.py

@@ -22,6 +22,9 @@ RUNTIME_ENTRYPOINTS = [
 
 RUNTIME_STATIC_REQUIREMENTS = [
     ".claude/hooks/route-edit.ps1",
+    "codecgc/templates/claude/settings.local.json",
+    "codecgc/templates/codex/codecgcrc.json",
+    "codecgc/templates/gemini/codecgc-policy.toml",
     "model-routing.yaml",
     "requirements.txt",
     "scripts/codecgc_runtime/__init__.py",

package/scripts/build_codecgc_task.py

@@ -209,6 +209,7 @@ def load_explicit_task_payload(args: argparse.Namespace) -> dict[str, Any]:
         "codex_sandbox": args.codex_sandbox or "workspace-write",
         "gemini_sandbox": bool(args.gemini_sandbox),
         "return_all_messages": bool(args.return_all_messages),
+        "timeout_seconds": int(getattr(args, "timeout_seconds", 0) or 0),
         "source": None,
     }
 
@@ -345,6 +346,10 @@ def build_tool_call(args: argparse.Namespace, routing: dict[str, Any]) -> dict[s
             + json.dumps(policy_result, ensure_ascii=False)
         )
 
+    effective_timeout_seconds = int(payload_inputs.get("timeout_seconds", 0)) or int(
+        getattr(args, "timeout_seconds", 0) or 0
+    )
+
     if kind == "frontend":
         tool_name = "implement_frontend_task"
         tool_args: dict[str, Any] = {
@@ -358,6 +363,7 @@ def build_tool_call(args: argparse.Namespace, routing: dict[str, Any]) -> dict[s
             "sandbox": payload_inputs["gemini_sandbox"],
             "return_all_messages": payload_inputs["return_all_messages"],
             "model": payload_inputs["model"],
+            "timeout_seconds": effective_timeout_seconds,
         }
     elif kind == "backend":
         tool_name = "implement_backend_task"
@@ -382,6 +388,7 @@ def build_tool_call(args: argparse.Namespace, routing: dict[str, Any]) -> dict[s
         "target": kind,
         "tool_name": tool_name,
         "tool_args": tool_args,
+        "timeout_seconds": effective_timeout_seconds,
         "route_notes": route_notes,
         "policy": policy_result,
         "routing_file": payload_inputs["routing_file"],

package/scripts/codecgc_policy.py

@@ -2,6 +2,8 @@ from __future__ import annotations
 
 import argparse
 import json
+import re
+import shlex
 import sys
 from dataclasses import dataclass
 from fnmatch import fnmatch
@@ -29,6 +31,71 @@ class PathDecision:
     recommended_action: str
 
 
+@dataclass(frozen=True)
+class HookRequest:
+    tool_name: str
+    file_path: str
+    command: str
+
+
+EDIT_TOOL_NAMES = {"Edit", "Write", "MultiEdit"}
+SHELL_TOOL_NAMES = {"Bash", "PowerShell"}
+SHELL_DENIED_COMMAND_PATTERNS = (
+    r"\brm\s+-[^\n\r]*[rf]",
+    r"\bdel\s+",
+    r"\brmdir\s+",
+    r"\bremove-item\b",
+    r"\bset-content\b",
+    r"\badd-content\b",
+    r"\bout-file\b",
+    r"\bnew-item\b",
+    r"\bcopy-item\b",
+    r"\bmove-item\b",
+    r"\bgit\s+reset\s+--hard\b",
+    r"\bgit\s+clean\b",
+    r"\bpython\s+-c\b",
+    r"\bnode\s+-e\b",
+    r"\bpowershell(\.exe)?\s+-(command|encodedcommand)\b",
+    r"\bcmd(\.exe)?\s+/c\b",
+)
+SHELL_ALLOWED_COMMAND_PREFIXES = (
+    "git status",
+    "git diff",
+    "git log",
+    "git show",
+    "git branch",
+    "git rev-parse",
+    "git ls-files",
+    "git remote",
+    "rg",
+    "ls",
+    "dir",
+    "pwd",
+    "get-content",
+    "get-childitem",
+    "select-string",
+    "test-path",
+    "resolve-path",
+    "pytest",
+    "python -m pytest",
+    "python -m compileall",
+    "npm test",
+    "npm run test",
+    "npm run lint",
+    "npm run typecheck",
+    "npm run check",
+    "pnpm test",
+    "pnpm run test",
+    "pnpm run lint",
+    "pnpm run typecheck",
+    "yarn test",
+    "yarn lint",
+    "codex --help",
+    "gemini --help",
+    "gemini --version",
+)
+
+
 def normalize_path_text(path_text: str) -> str:
     normalized = str(path_text or "").replace("\\", "/").strip()
     while normalized.startswith("./"):
@@ -207,18 +274,111 @@ def validate_executor_target(kind: str, target_paths: list[str], policy: dict[st
     return result
 
 
-def parse_hook_payload(text: str) -> tuple[str, str]:
+def parse_hook_request(text: str) -> HookRequest:
     if not text.strip():
-        return "", ""
+        return HookRequest(tool_name="", file_path="", command="")
     payload = json.loads(text)
     if not isinstance(payload, dict):
-        return "", ""
+        return HookRequest(tool_name="", file_path="", command="")
     tool_name = str(payload.get("tool_name", "")).strip()
     tool_input = payload.get("tool_input", {})
     if not isinstance(tool_input, dict):
-        return tool_name, ""
+        return HookRequest(tool_name=tool_name, file_path="", command="")
     file_path = str(tool_input.get("file_path") or tool_input.get("path") or "").strip()
-    return tool_name, file_path
+    command = str(tool_input.get("command") or tool_input.get("script") or "").strip()
+    return HookRequest(tool_name=tool_name, file_path=file_path, command=command)
+
+
+def parse_hook_payload(text: str) -> tuple[str, str]:
+    request = parse_hook_request(text)
+    return request.tool_name, request.file_path
+
+
+def has_unquoted_shell_control_operator(command: str) -> bool:
+    in_single = False
+    in_double = False
+    escaped = False
+    for index, char in enumerate(command):
+        if escaped:
+            escaped = False
+            continue
+        if char == "\\":
+            escaped = True
+            continue
+        if char == "'" and not in_double:
+            in_single = not in_single
+            continue
+        if char == '"' and not in_single:
+            in_double = not in_double
+            continue
+        if in_single or in_double:
+            continue
+        if char in {"|", ";", ">", "<", "`", "&"}:
+            return True
+        if char == "$" and index + 1 < len(command) and command[index + 1] == "(":
+            return True
+    return False
+
+
+def normalize_shell_command_for_prefix(command: str) -> str:
+    try:
+        parts = shlex.split(command, posix=False)
+    except ValueError:
+        parts = command.split()
+    if not parts:
+        return ""
+
+    first = parts[0].strip().strip("'\"")
+    first_name = Path(first.replace("\\", "/")).name.lower()
+    for suffix in (".cmd", ".ps1", ".exe", ".bat"):
+        if first_name.endswith(suffix):
+            first_name = first_name[: -len(suffix)]
+            break
+    rest = " ".join(str(item).strip().strip("'\"").lower() for item in parts[1:])
+    return f"{first_name} {rest}".strip()
+
+
+def shell_prefix_matches(command: str, prefix: str) -> bool:
+    return command == prefix or command.startswith(f"{prefix} ")
+
+
+def is_codecgc_cli_shell_command(normalized_command: str) -> bool:
+    first = normalized_command.split(" ", 1)[0]
+    return first == "cgc" or first == "codecgc" or first.startswith("cgc-")
+
+
+def evaluate_shell_command(command: str, tool_name: str = "Bash") -> dict[str, Any]:
+    normalized_tool_name = str(tool_name or "").strip()
+    if not str(command or "").strip():
+        return {"allowed": True, "reason": "", "recommended_action": ""}
+
+    if has_unquoted_shell_control_operator(command):
+        return {
+            "allowed": False,
+            "reason": f"{normalized_tool_name} commands with shell control operators are not allowed for Claude",
+            "recommended_action": "route write work through /cgc or run a single read-only check",
+        }
+
+    lowered = command.lower()
+    if any(re.search(pattern, lowered) for pattern in SHELL_DENIED_COMMAND_PATTERNS):
+        return {
+            "allowed": False,
+            "reason": f"{normalized_tool_name} command looks like a direct write or destructive shell operation",
+            "recommended_action": "route implementation through /cgc so CodeCGC can dispatch Codex or Gemini",
+        }
+
+    normalized_command = normalize_shell_command_for_prefix(command)
+    if is_codecgc_cli_shell_command(normalized_command):
+        return {"allowed": True, "reason": "", "recommended_action": ""}
+
+    if any(shell_prefix_matches(normalized_command, prefix) for prefix in SHELL_ALLOWED_COMMAND_PREFIXES):
+        return {"allowed": True, "reason": "", "recommended_action": ""}
+
+    return {
+        "allowed": False,
+        "reason": f"{normalized_tool_name} command is outside the CodeCGC Claude shell allowlist",
+        "recommended_action": "use /cgc for write work, or use an allowed read-only/test command",
+    }
 
 
 def build_hook_response(allowed: bool, reason: str) -> dict[str, Any]:
@@ -247,11 +407,23 @@ def main() -> int:
         policy = load_policy(policy_path)
 
         if args.hook_check:
-            tool_name, file_path = parse_hook_payload(sys.stdin.read())
-            if tool_name not in {"Edit", "Write", "MultiEdit"} or not file_path:
+            request = parse_hook_request(sys.stdin.read())
+            if request.tool_name in SHELL_TOOL_NAMES:
+                result = evaluate_shell_command(request.command, request.tool_name)
+                if result["allowed"]:
+                    print_json(build_hook_response(True, ""))
+                    return 0
+                hook_reason = f"CodeCGC: {result['reason']}."
+                recommended = str(result.get("recommended_action", "")).strip()
+                if recommended:
+                    hook_reason += f" {recommended}."
+                print_json(build_hook_response(False, hook_reason))
+                return 0
+
+            if request.tool_name not in EDIT_TOOL_NAMES or not request.file_path:
                 print_json(build_hook_response(True, ""))
                 return 0
-            result = evaluate_paths([file_path], actor=args.actor, operation=args.operation, policy=policy)
+            result = evaluate_paths([request.file_path], actor=args.actor, operation=args.operation, policy=policy)
             decision = result["decisions"][0]
             reason = decision.get("reason", "")
             recommended = decision.get("recommended_action", "")

package/scripts/codecgc_runtime/routing_template.py

@@ -34,7 +34,9 @@ DEFAULT_SHARED_PATHS = [
 DEFAULT_ORCHESTRATION_PATHS = [
     "codecgc/**",
     ".claude/commands/**",
-    ".claude/settings.json",
+    ".claude/settings.local.json",
+    ".codex/codecgcrc.json",
+    ".gemini/policies/**",
     ".mcp.json",
     "model-routing.yaml",
 ]

package/scripts/install_codecgc.py

@@ -25,10 +25,14 @@ SETTINGS_PATH = CLAUDE_DIR / "settings.json"
 MCP_CONFIG_PATH = WORKSPACE / ".mcp.json"
 PROJECT_HOOK_PATH = HOOKS_DIR / "route-edit.ps1"
 PROJECT_ROUTING_PATH = WORKSPACE / "model-routing.yaml"
-EDIT_GUARDRAIL_MATCHER = "Edit|Write|MultiEdit"
-LEGACY_EDIT_GUARDRAIL_MATCHERS = {"Edit|Write"}
+PROJECT_TEMPLATES_DIR = WORKSPACE / "codecgc" / "templates"
+EDIT_GUARDRAIL_MATCHER = "Edit|Write|MultiEdit|Bash|PowerShell"
+LEGACY_EDIT_GUARDRAIL_MATCHERS = {"Edit|Write", "Edit|Write|MultiEdit"}
 PROJECT_ONBOARDING_RELATIVE_PATH = "codecgc/START_HERE.md"
 PROJECT_ONBOARDING_MARKER = "<!-- codecgc:onboarding:v1 -->"
+CLAUDE_SETTINGS_TEMPLATE = PROJECT_TEMPLATES_DIR / "claude" / "settings.local.json"
+CODEX_POLICY_TEMPLATE = PROJECT_TEMPLATES_DIR / "codex" / "codecgcrc.json"
+GEMINI_POLICY_TEMPLATE = PROJECT_TEMPLATES_DIR / "gemini" / "codecgc-policy.toml"
 
 
 DEFAULT_HOOKS = {
@@ -98,16 +102,24 @@ def get_workspace_paths(override_workspace: str = "") -> dict[str, Path]:
     root = resolve_workspace_root(override_workspace)
     claude_dir = root / ".claude"
     hooks_dir = claude_dir / "hooks"
+    codex_dir = root / ".codex"
+    gemini_dir = root / ".gemini"
     return {
         "root": root,
         "claude_dir": claude_dir,
         "hooks_dir": hooks_dir,
-        "settings": claude_dir / "settings.json",
+        "settings": claude_dir / "settings.local.json",
+        "legacy_settings": claude_dir / "settings.json",
         "mcp": root / ".mcp.json",
         "hook_script": hooks_dir / "route-edit.ps1",
         "commands_dir": claude_dir / "commands",
         "routing_file": root / "model-routing.yaml",
         "onboarding_file": root / PROJECT_ONBOARDING_RELATIVE_PATH,
+        "codex_dir": codex_dir,
+        "codex_policy": codex_dir / "codecgcrc.json",
+        "gemini_dir": gemini_dir,
+        "gemini_policies_dir": gemini_dir / "policies",
+        "gemini_policy": gemini_dir / "policies" / "codecgc-policy.toml",
     }
 
 
@@ -123,6 +135,12 @@ def load_text_file(path: Path) -> str:
     return path.read_text(encoding="utf-8")
 
 
+def copy_template_file(template_path: Path, target_path: Path) -> Path:
+    target_path.parent.mkdir(parents=True, exist_ok=True)
+    shutil.copyfile(template_path, target_path)
+    return target_path
+
+
 def ensure_workspace_workflow_dirs(workspace_root: Path) -> list[str]:
     created_or_existing: list[str] = []
     for relative_path in PROJECT_WORKFLOW_DIRS:
@@ -174,9 +192,11 @@ cgc "新增一个登录页面，放在 src/components/LoginForm.tsx"
 ```text
 .mcp.json
 model-routing.yaml
-.claude/settings.json
+.claude/settings.local.json
 .claude/hooks/route-edit.ps1
 .claude/commands/cgc*.md
+.codex/codecgcrc.json
+.gemini/policies/codecgc-policy.toml
 codecgc/features/
 codecgc/issues/
 codecgc/execution/
@@ -657,6 +677,16 @@ def write_json_file(path: Path, payload: dict[str, Any]) -> Path:
     return path
 
 
+def build_project_claude_settings(workspace_paths: dict[str, Path]) -> dict[str, Any]:
+    settings = load_json_file(CLAUDE_SETTINGS_TEMPLATE)
+    merged_settings, _ = merge_hook_settings(
+        settings,
+        build_workspace_hook_command(workspace_paths),
+    )
+    merged_settings, _ = merge_permission_settings(merged_settings, DEFAULT_ALLOWED_TOOLS)
+    return merged_settings
+
+
 def shell_quote(value: str) -> str:
     text = str(value)
     if not text:
@@ -851,16 +881,12 @@ def install_local_runtime(override_workspace: str = "") -> dict[str, Any]:
     workspace_paths["hooks_dir"].mkdir(parents=True, exist_ok=True)
     workflow_dirs = ensure_workspace_workflow_dirs(workspace_paths["root"])
 
-    settings = load_json_file(workspace_paths["settings"])
-    merged_settings, settings_changed = merge_hook_settings(
-        settings,
-        build_workspace_hook_command(workspace_paths),
+    write_json_file(
+        workspace_paths["settings"],
+        build_project_claude_settings(workspace_paths),
     )
-    merged_settings, permissions_changed = merge_permission_settings(merged_settings, DEFAULT_ALLOWED_TOOLS)
-    if settings_changed or not workspace_paths["settings"].exists():
-        write_json_file(workspace_paths["settings"], merged_settings)
-    elif permissions_changed:
-        write_json_file(workspace_paths["settings"], merged_settings)
+    codex_policy_path = copy_template_file(CODEX_POLICY_TEMPLATE, workspace_paths["codex_policy"])
+    gemini_policy_path = copy_template_file(GEMINI_POLICY_TEMPLATE, workspace_paths["gemini_policy"])
 
     if PROJECT_HOOK_PATH.resolve() != workspace_paths["hook_script"].resolve():
         shutil.copyfile(PROJECT_HOOK_PATH, workspace_paths["hook_script"])
@@ -880,6 +906,8 @@ def install_local_runtime(override_workspace: str = "") -> dict[str, Any]:
         "mcp_config": str(mcp_path),
         "routing_file": str(routing_path),
         "claude_settings": str(workspace_paths["settings"]),
+        "codex_policy": str(codex_policy_path),
+        "gemini_policy": str(gemini_policy_path),
         "hook_script": str(workspace_paths["hook_script"]),
         "commands_dir": str(workspace_paths["commands_dir"]),
         "onboarding_file": str(onboarding_file),
@@ -890,7 +918,9 @@ def install_local_runtime(override_workspace: str = "") -> dict[str, Any]:
             "Project-local model-routing.yaml was synchronized as the policy source of truth.",
             "Project-local codecgc workflow directories were initialized.",
             "Claude pre-edit guardrail hook was synchronized into the target workspace.",
-            "Claude MCP tool permissions were merged into project .claude/settings.json.",
+            "Claude project permissions were rendered from codecgc/templates/claude/settings.local.json.",
+            "Project-local Codex policy contract was synchronized into .codex/codecgcrc.json.",
+            "Project-local Gemini policy was synchronized into .gemini/policies/codecgc-policy.toml.",
             "Project-local Claude slash commands were synchronized into .claude/commands.",
             "Project-local codecgc/START_HERE.md was written as the first-run entry guide.",
             "This mode prepares project-level integration surfaces for the selected workspace.",
@@ -1026,6 +1056,8 @@ def build_install_mode_summary(result: dict[str, Any]) -> str:
             f"- MCP 配置: {result.get('mcp_config', '')}",
             f"- Routing 文件: {result.get('routing_file', '')}",
             f"- Claude 设置: {result.get('claude_settings', '')}",
+            f"- Codex 策略: {result.get('codex_policy', '')}",
+            f"- Gemini 策略: {result.get('gemini_policy', '')}",
             f"- Hook 脚本: {result.get('hook_script', '')}",
             f"- Slash Commands: {result.get('commands_dir', '')}",
             f"- 新手入口: {result.get('onboarding_file', '')}",
@@ -1084,9 +1116,14 @@ def collect_project_status(workspace_paths: dict[str, Path]) -> dict[str, Any]:
     expected_mcp = build_mcp_config(workspace_paths["root"])
     expected_hook_command = build_workspace_hook_command(workspace_paths)
     expected_hook_text = load_text_file(PROJECT_HOOK_PATH)
+    expected_settings = build_project_claude_settings(workspace_paths)
+    expected_codex_policy = load_text_file(CODEX_POLICY_TEMPLATE)
+    expected_gemini_policy = load_text_file(GEMINI_POLICY_TEMPLATE)
     current_settings = load_json_file(workspace_paths["settings"])
     current_mcp = load_json_file(workspace_paths["mcp"])
     current_hook_text = load_text_file(workspace_paths["hook_script"])
+    current_codex_policy = load_text_file(workspace_paths["codex_policy"])
+    current_gemini_policy = load_text_file(workspace_paths["gemini_policy"])
     routing_exists = workspace_paths["routing_file"].exists()
     policy_valid = policy_file_is_valid(workspace_paths["routing_file"]) if routing_exists else False
     workflow_dirs_ready = workspace_workflow_dirs_ready(workspace_paths["root"])
@@ -1094,8 +1131,15 @@ def collect_project_status(workspace_paths: dict[str, Path]) -> dict[str, Any]:
 
     hook_registered = settings_have_hook_command(current_settings, expected_hook_command)
     permissions_registered = settings_have_allowed_tools(current_settings, DEFAULT_ALLOWED_TOOLS)
+    settings_matches = current_settings == expected_settings if workspace_paths["settings"].exists() else False
     mcp_matches = current_mcp == expected_mcp if workspace_paths["mcp"].exists() else False
     hook_file_matches = current_hook_text == expected_hook_text if workspace_paths["hook_script"].exists() else False
+    codex_policy_matches = (
+        current_codex_policy == expected_codex_policy if workspace_paths["codex_policy"].exists() else False
+    )
+    gemini_policy_matches = (
+        current_gemini_policy == expected_gemini_policy if workspace_paths["gemini_policy"].exists() else False
+    )
 
     missing = []
     if not routing_exists:
@@ -1106,6 +1150,8 @@ def collect_project_status(workspace_paths: dict[str, Path]) -> dict[str, Any]:
         missing.append("workflow_dirs")
     if not mcp_matches:
         missing.append("mcp_json")
+    if not settings_matches:
+        missing.append("claude_settings_local")
     if not hook_registered:
         missing.append("claude_settings_hook")
     if not permissions_registered:
@@ -1114,12 +1160,19 @@ def collect_project_status(workspace_paths: dict[str, Path]) -> dict[str, Any]:
         missing.append("hook_script")
     if not onboarding_ready:
         missing.append("onboarding_file")
+    if not codex_policy_matches:
+        missing.append("codex_policy")
+    if not gemini_policy_matches:
+        missing.append("gemini_policy")
 
     ready = not missing
     return {
         "mcp_json_path": str(workspace_paths["mcp"]),
         "routing_file_path": str(workspace_paths["routing_file"]),
         "claude_settings_path": str(workspace_paths["settings"]),
+        "legacy_claude_settings_path": str(workspace_paths["legacy_settings"]),
+        "codex_policy_path": str(workspace_paths["codex_policy"]),
+        "gemini_policy_path": str(workspace_paths["gemini_policy"]),
         "hook_script_path": str(workspace_paths["hook_script"]),
         "onboarding_file_path": str(workspace_paths["onboarding_file"]),
         "mcp_json_exists": workspace_paths["mcp"].exists(),
@@ -1129,12 +1182,18 @@ def collect_project_status(workspace_paths: dict[str, Path]) -> dict[str, Any]:
         "onboarding_ready": onboarding_ready,
         "workflow_dirs_expected": [str(workspace_paths["root"] / item) for item in PROJECT_WORKFLOW_DIRS],
         "claude_settings_exists": workspace_paths["settings"].exists(),
+        "legacy_claude_settings_exists": workspace_paths["legacy_settings"].exists(),
+        "codex_policy_exists": workspace_paths["codex_policy"].exists(),
+        "gemini_policy_exists": workspace_paths["gemini_policy"].exists(),
         "hook_exists": workspace_paths["hook_script"].exists(),
         "onboarding_exists": workspace_paths["onboarding_file"].exists(),
         "mcp_matches_expected": mcp_matches,
+        "claude_settings_matches_expected": settings_matches,
         "hook_registered": hook_registered,
         "permissions_registered": permissions_registered,
         "hook_file_matches_expected": hook_file_matches,
+        "codex_policy_matches_expected": codex_policy_matches,
+        "gemini_policy_matches_expected": gemini_policy_matches,
         "ready": ready,
         "missing_or_outdated": missing,
         "recommended_command": "" if ready else build_workspace_install_command(workspace_paths["root"]),