Repository-level AI Policy File (AI-POLICY.txt) for Client Compliance

[denniscoorn-paqt]

We work with multiple clients who have different contractual requirements about AI code generation. Some clients explicitly prohibit AI coding agents due to NDAs, regulatory compliance, or IP concerns. Others actively encourage it.

Currently, there's no way to signal these restrictions at the repository level before a coding agent starts operating. This creates risk:

• Developers accidentally use Codex in repos where clients contractually prohibit AI
• No audit trail when violations occur
• All-or-nothing approach: either block AI system-wide or allow it everywhere

This is different from .codexignore (which controls which files are read) or custom instructions (which guide the LLM behavior). We need a pre-execution check that happens before any LLM interaction.

Proposed Solution

Introduce an AI-POLICY.txt file (similar to robots.txt) that Codex CLI checks during initialization:

# AI-POLICY.txt
Coding-agent: *
Disallow: /

Reason: NDA with client prohibits AI code generation
Contact: [email protected]

Behavior

1. Developer runs codex in a repository
2. Before any API calls, CLI checks for AI-POLICY.txt
3. If Disallow: / is present, show warning:

   ⚠️  AI Policy Restriction Detected
   
   This repository prohibits coding agent usage.
   Reason: NDA with client prohibits AI code generation
   Contact: [email protected]
   
   Proceed anyway? (y/N)
   

4. Log the decision for audit purposes

Why This Approach?

• Repository-scoped: Different repos can have different policies (critical for agencies/consultancies)
• Pre-execution: Check happens before LLM is involved
• Soft enforcement: Like robots.txt - a gentleman's agreement with audit trail
• Human-readable: Legal teams and clients can verify the policy
• Version-controlled: Policy visible to all team members

Use Cases

• Development agencies: Managing 15+ client projects with varying AI usage policies
• Enterprise teams: Regulatory compliance in healthcare, finance, government sectors
• Gradual AI adoption: Some projects allow AI, others don't - need per-repo control

Downsides Of Existing Solutions?

Solution	Why It Doesn't Work
Custom instructions	LLM already running; no "stop and think" moment
.codexignore	Controls file access, not usage authorization
System-wide config	Too broad - affects all repos, not individual projects

Bottom line: A simple, clear signal that says "this specific repository has contractual restrictions on AI usage" before any code is generated would be a very useful feature to have.

Thoughts? Would this be useful for others managing multi-client or compliance-sensitive projects?

[aapiskukko]

I think this would be a very useful feature. Without a pre-check like this, many companies will probably hesitate to adopt the tool.