Add Codex repository guidance and validation
lint / shell-yaml-ansible (push) Failing after 17s

Mateusz Suski
2026-05-10 11:11:03 +00:00
parent 0d3905b8a1
commit a527022518
17 changed files with 935 additions and 23 deletions
+11 -4
@@ -38,6 +38,14 @@ The goal is to show operational judgment, not to ship a universal automation pro
- Disk-full read-only scripts can be run against local paths for basic behavior checks.
- Ansible YAML and role structure can be linted locally.
## Running Safely
- Start with the relevant README or runbook before executing a script.
- Prefer read-only discovery scripts before remediation scripts.
- Use dry-run mode unless a script explicitly documents safe local behavior.
- Only use `--execute` after reviewing inputs, affected systems, rollback options, and post-checks.
- For Ansible, start with `--check --diff` against a lab inventory.
## Lab-Safe Examples
- Veritas and GPFS scripts default to dry-run behavior where they plan destructive or platform-changing operations.
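Review bot: The third bullet under `## Running Safely` ("Use dry-run mode unless a script explicitly documents safe local behavior") does not say how dry-run is selected, while the next bullet names `--execute` and the Lab-Safe Examples context right below says the Veritas and GPFS scripts already default to dry-run. Suggest stating it as the default and `--execute` as the opt-in, so a reader does not go looking for a separate dry-run flag. The "unless a script explicitly documents safe local behavior" exception also reads as permission to skip dry-run; consider naming which scripts qualify or dropping the exception.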
@@ -59,12 +67,10 @@ Short version:
From the repository root:
```bash
find infra-run/scripts/bash -name '*.sh' -print0 | xargs -0 shellcheck -x -P infra-run/scripts/bash/disk-full -P infra-run/scripts/bash/gpfs -P infra-run/scripts/bash/veritas
yamllint .
cd infra-run/ansible && ansible-lint playbooks roles
./scripts/validate-repo.sh
```
If `ansible-lint` reports collection-related issues, install the collections listed in [ansible/collections/requirements.yml](./ansible/collections/requirements.yml) and rerun it. Treat lint as a starting point; platform testing still requires actual target systems.
Focused checks are available in `scripts/check-bash.sh`, `scripts/check-ansible.sh`, and `scripts/check-docs.sh`. If `ansible-lint` reports collection-related issues, install the collections listed in [ansible/collections/requirements.yml](./ansible/collections/requirements.yml) and rerun it. Treat lint as a starting point; platform testing still requires actual target systems.
## Supporting Notes
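Review bot: With the code block reduced to `./scripts/validate-repo.sh`, the paragraph after it still tells the reader what to do when `ansible-lint` reports collection issues, but nothing in this section now shows where `ansible-lint`, `shellcheck` or `yamllint` are invoked. Suggest one sentence listing what `validate-repo.sh` runs and which of `scripts/check-bash.sh`, `scripts/check-ansible.sh` and `scripts/check-docs.sh` covers each tool, so a failure can be traced to a specific check. The page also shows the `lint / shell-yaml-ansible` push check failing after 17s for this commit; confirm the documented command passes from the repository root before it becomes the single entry point.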
@@ -72,3 +78,4 @@ If `ansible-lint` reports collection-related issues, install the collections lis
- [TESTED.md](./TESTED.md) lists what was checked locally and what was not.
- [KNOWN_LIMITATIONS.md](./KNOWN_LIMITATIONS.md) documents technical limits and operational cautions.
- [ROADMAP.md](./ROADMAP.md) tracks planned additions without presenting them as completed work.
- [../AGENTS.md](../AGENTS.md) and [../docs/codex](../docs/codex/) document repository working rules and review expectations.
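Review bot: The last bullet puts two links in one entry and the second link's label (`../docs/codex`) does not match its target (`../docs/codex/`), whereas every other entry in this list is one file with its own description. Suggest splitting it into two bullets, one for `../AGENTS.md` (working rules) and one for `../docs/codex/` (review expectations), with the label and target written the same way.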
+2
@@ -34,3 +34,5 @@ flowchart TD
- Roles are selected baseline examples intended for portfolio and lab use, not a drop-in compliance certification.
- Defaults are sanitized and configurable through inventory or `--extra-vars`.
- Run platform-specific playbooks against appropriate test hosts before adapting them to managed environments.
- Prefer `--check --diff` for review runs before applying changes.
- Validate from the repository root with `./scripts/check-ansible.sh`.
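Review bot: The `--check --diff` bullet here drops the target that the top-level README gives for the same advice ("start with `--check --diff` against a lab inventory"). Since the preceding bullet already tells readers to run against appropriate test hosts, suggest keeping the two documents aligned by naming the lab inventory in this bullet as well, so the review run is not read as safe to point at a managed inventory.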
+1
@@ -21,3 +21,4 @@ flowchart TD
- The repository currently emphasizes Bash because it maps directly to day-to-day Linux operations.
- The structure leaves room for higher-level helpers without mixing concerns.
- Bash tooling should remain safe by default, readable, and validated with `../../scripts/check-bash.sh` from the repository root.
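Review bot: The path in the last bullet contradicts its own instruction: `../../scripts/check-bash.sh` is relative to this README's directory, but the sentence says to run it "from the repository root", where the other changed files use `./scripts/check-bash.sh`. Suggest using `./scripts/check-bash.sh` here too, or rewording to say the path is relative to this directory.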
+8
@@ -39,6 +39,14 @@ cd infra-run/scripts/bash/os-healthcheck
./network_troubleshoot.sh google.com
```
## Standards
- Scripts use Bash and should keep `#!/usr/bin/env bash` plus strict mode.
- Read-only checks should report missing tools without hiding the problem.
- Change-capable scripts must default to dry-run behavior and require explicit `--execute`.
- Output should use `OK`, `WARNING`, and `CRITICAL` where practical.
- Validate changed scripts with `./scripts/check-bash.sh` from the repository root.
## Exit Codes
`disk_check.sh`:
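Review bot: The first Standards bullet requires "strict mode" without defining it, so neither a contributor nor `./scripts/check-bash.sh` has a concrete line to check against. Suggest naming the exact `set` options expected (for example `set -euo pipefail`, if that is what the scripts use). It would also help to say how the `OK`, `WARNING` and `CRITICAL` labels relate to the `## Exit Codes` section that follows, since the two sit next to each other and the bullet only covers output text.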