more strict rules on reading .env

AGENTS.md

@@ -1,5 +1,23 @@
 # Agent Guidelines for Docker Infrastructure Monorepo
 
+## CRITICAL: Forbidden Files
+
+**NEVER read, access, or attempt to open the following files under ANY circumstances:**
+
+- `.env` and ALL variants (`.env.local`, `.env.development`, `.env.production`, `.env.*`)
+- `.secrets/` directories at any level
+- Any file in a `secrets/` directory at any level
+- Credential files: `credentials.json`, `credentials.yml`, `credentials.yaml`
+- Key files: `*.pem`, `*.key`, `*.p12`, `*.pfx`, `id_rsa`, `id_ecdsa`, `id_ed25519`
+- Files named `token`, `tokens`, `.token`, `.tokens`, `password`, `passwords`
+
+**What to do instead:**
+- Use `.env.example` files to understand required environment variables
+- Ask the user to provide values explicitly if needed
+- Use placeholder values when demonstrating code
+
+This is a hard rule. No exceptions. No "just checking". If you need env info, read the `.env.example` file or ask the user.
+
 ## Repository Structure
 
 This is a Docker Compose monorepo for personal infrastructure hosting. The main focus is Docker services, with local tools in `local/`.
@@ -115,8 +133,7 @@ For full OpenClaw guidelines, see `local/openclaw/AGENTS.md`.
 
 ## Security Best Practices
 
-- **NEVER read, access, or attempt to open `.env` files or `.secrets/` directories** - These contain sensitive data
-- `.env` and `.secrets/` directories are gitignored everywhere
+- See **CRITICAL: Forbidden Files** section above — this is the highest priority rule in this repo
 - Never commit credentials, API keys, or certificates
 - Use Cloudflare Tunnel for external access (no port forwarding)
 - Placeholders in documentation (e.g., `user@example.com`)