chg: dev: update project docs

Add remote server access rules to ``AGENTS.md``. Update workflow
doc with clarification step and fix numbering.

AGENTS.md

@@ -52,19 +52,23 @@ migrations or service integrations, include coverage that exercises
 failure paths. For granular checks, `./vendor/bin/phpunit --filter
 FooTest` is acceptable, but always run the full suite before pushing.
 
-## Commit & Pull Request Guidelines
+## Pull Request Guidelines
-
-Commits in this repo mix Conventional Commit prefixes (`new:`, `fix:`,
-`chg:`); `fix: prevent null totals`. Keep messages in the imperative
-mood and reference ticket IDs when available.
 
 Pull requests must describe scope, list schema or configuration
-changes, and note any manual follow-up (cron, storage links,
+changes, and note any manual follow-up (cron, storage links, queues).
-queues).
 
 Attach screenshots or terminal logs when touching UI or console
 output, and ensure CI scripts (when available) pass.
 
+## Remote Server Access
+
+- **BLOCKING**: NEVER execute state-changing commands on remote
+  servers without explicit per-command user approval. Only READ
+  operations are allowed by default (logs, status, select queries,
+  configuration inspection). Write operations include but are not
+  limited to: `migrate`, `seed`, write queries, file modifications,
+  service restarts, deployments. No exceptions.
+
 ## Environment & Security Notes
 
 Copy `.env.example` to `.env` and run `php artisan key:generate`