# DevTrail - Gemini CLI Configuration
> **Read and follow the rules in [DEVTRAIL.md](DEVTRAIL.md).**
> That file contains all DevTrail documentation governance rules for this project.
<!-- devtrail:end -->
---
## Autonomous Rules (minimum viable — works without DEVTRAIL.md)
### Identity
- Always identify yourself as `gemini-cli-v{version}` in the `agent:` field
- Declare confidence: `high | medium | low`
### Review Requirements
- ETH, ADR, SEC, MCARD, DPIA → always `review_required: true`
- `risk_level: high | critical` → always `review_required: true`
### Prohibited
- Never document credentials, tokens, API keys, or PII in document content
### Pre-commit Checklist
Before committing, check:
- [ ] Changed auth/PII/security code? → Create AILOG (`risk_level: high`) + ETH draft
- [ ] Complex code change? → Run `devtrail analyze <changed-files> --output json`; if `above_threshold > 0` create AILOG (fallback if CLI unavailable: >20 lines)
- [ ] Chose between 2+ alternatives? → Create AIDEC
- [ ] Changed public API or DB schema? → Create AILOG + consider ADR
- [ ] Changed ML model/prompts? → Create AILOG + human review
- [ ] Changed OTel instrumentation? → Create AILOG + tag `observabilidad`
### Regulatory Frontmatter Snippet
When creating documents for AI-related changes, include applicable fields:
```yaml
iso_42001_clause: [] # 4 | 5 | 6 | 7 | 8 | 9 | 10
```
### NIST AI 600-1 Risk Categories (quick reference)
1. CBRN Information — 2. Confabulation — 3. Dangerous Content — 4. Data Privacy — 5. Environmental — 6. Harmful Bias — 7. Human-AI Config — 8. Information Integrity — 9. Information Security — 10. Intellectual Property — 11. Obscene Content — 12. Value Chain
### Observability Rule
Do not capture PII, tokens, or secrets in OTel attributes or logs. Record instrumentation pipeline changes (new spans, changed attributes, Collector configuration) in AILOG with tag `observabilidad`.
---
*DevTrail | [Strange Days Tech](https://strangedays.tech) — Because every change tells a story.*