CRITICAL: Do NOT run ANY git command except read-only lookup commands (e.g. `git status`, `git diff`, `git log`, `git show`).
Ralph is the only actor that may commit, push, or perform staging operations. Accidental writes break the deterministic pipeline and cannot be auto-undone.
**Allowed:** `git status`, `git log`, `git diff`, `git show`, `git branch` (list only; no `-D`/`-d`), `git remote -v`, `git stash list` (never pop/apply/drop), `git rev-parse`, `git ls-files`, `git describe`.
**Forbidden:** `commit`, `add`, `push`, `merge`, `rebase`, `tag`, `reset`, `cherry-pick`, `revert`, `am`/`apply`, destructive `checkout`/`restore`, mutating `stash`, `clean`, `branch -D`/`-d`, `init` — and anything else that mutates repo state or history.
**MCP / tools:** Same prohibition — `mcp__git__git_commit`, `mcp__git__git_add`, `mcp__git__git_push`, `mcp__git__git_reset`, `mcp__git__git_checkout` (with `--`), `mcp__git__git_stash` (except list), `mcp__git__git_merge`, `mcp__git__git_init`, `mcp__git__git_create_branch`. Applies to CLI, MCP, libraries, subprocesses.
**Bypass (never):** Do not edit `.git/hooks/` (pre-commit, pre-push, pre-merge-commit) or `.git/ralph/` (including `.git/ralph/no_agent_commit`). Do not use `/usr/bin/git` or other absolute paths, `--no-verify`, PATH tricks, `chmod`, `rm`/`unlink` on hooks, `exec`/`env`/`command` to skip the wrapper, or `GIT_DIR`, `GIT_WORK_TREE`, `GIT_EXEC_PATH`. Hooks are **reinstalled** before every agent run. Unauthorized commits are detected via **HEAD OID** comparison. Bypass is **futile** — it wastes **execution budget** with no upside. Change files only; Ralph commits.
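
The allow and forbid lists above, expressed as a default-deny check over a git argument vector. This is an added example, not Ralph's own wrapper: the function name `git_readonly_allowed` is hypothetical, and rejecting every global option placed before the subcommand is an assumption made to keep the check strict.

```shell
# Added example: allowlist check for agent-issued git invocations.
# Subcommand-level check only; it does not vet per-command options.
# Returns 0 only for the read-only forms the policy lists.
git_readonly_allowed() {
    # Repo-redirecting environment variables are on the policy's bypass list.
    if [ -n "${GIT_DIR+x}${GIT_WORK_TREE+x}${GIT_EXEC_PATH+x}" ]; then
        return 1
    fi
    # Assumption: global options before the subcommand (-C, -c, --git-dir=)
    # are denied outright rather than parsed.
    case "${1:-}" in
        ''|-*) return 1 ;;
    esac
    sub=$1
    shift
    case "$sub" in
        status|log|diff|show|rev-parse|ls-files|describe)
            return 0 ;;
        branch)
            # List only: any argument outside these listing flags could
            # create, rename or delete a branch.
            for arg in "$@"; do
                case "$arg" in
                    -a|-r|-v|-vv|--all|--remotes|--list|--show-current) ;;
                    *) return 1 ;;
                esac
            done
            return 0 ;;
        remote)
            [ "$#" -eq 1 ] && [ "$1" = "-v" ] ;;
        stash)
            [ "${1:-}" = "list" ] ;;
        *)
            return 1 ;;   # default deny: commit, add, push, reset, ...
    esac
}

# Constructed sample invocations, one per line.
while read -r line; do
    # $line is left unquoted on purpose so it splits into arguments.
    if git_readonly_allowed $line; then verdict=ALLOW; else verdict=DENY; fi
    printf '%-5s git %s\n' "$verdict" "$line"
done <<'EOF'
status
branch -D feature
stash pop
remote -v
commit --no-verify -m x
EOF
```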