agents: drop bw bundles, add bw verify to read-only allowlist

bw bundles is not a subcommand of the installed fork (the actual
list is apply/debug/diff/groups/hash/ipmi/items/lock/metadata/
nodes/plot/pw/repo/run/stats/test/verify/zen). bw verify is
read-only and was missing from the list.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CroneKorkN 2026-05-10 20:25:43 +02:00
parent 3ed0264be6
commit 422a275d97
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw

@ -16,8 +16,8 @@ Five rules; follow these and you won't break things:
1. **Read-only by default.** Never run `bw apply`, `bw run`, or
`bw lock` without explicit user request — even with `-i`. Stick
to `bw test`, `bw nodes`, `bw groups`, `bw bundles`,
`bw items`, `bw metadata`, `bw hash`, `bw debug`. See
to `bw test`, `bw nodes`, `bw groups`, `bw items`,
`bw metadata`, `bw hash`, `bw verify`, `bw debug`. See
[`docs/agents/commands.md`](docs/agents/commands.md) and the
fork's [safety envelope](https://github.com/CroneKorkN/bundlewrap/blob/main/AGENTS.md).
2. **Never echo decrypted secrets.** Don't print, paste, or log the
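
Review bot: Rule 1's "Stick to ..." list still leaves several subcommands unclassified. The commit message lists `diff`, `ipmi`, `plot`, `pw`, `repo`, `stats` and `zen` as existing in the installed fork, yet they appear in neither the never-run set (`bw apply`, `bw run`, `bw lock`) nor the allowed set. An agent reading the rule cannot tell whether they are permitted. Either classify each one or add a sentence stating that any subcommand not named in the allowed list requires an explicit user request. `bw pw` and `bw ipmi` deserve an explicit decision given that rule 2 concerns decrypted secrets. Since the stale `bw bundles` entry shows this list drifts from the installed CLI, it would also help to note in the rule where the authoritative subcommand list comes from, so the next mismatch is caught in review.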