policy: no build artifacts in repos

Build artifacts and code-derived data (compiled output, bundled JS,
minified CSS, generated code) must not be committed if they can be
generated during the build process. Go protobuf-generated files are
an exception since go get does not execute build steps.

prompts/REPO_POLICIES.md

@@ -1,6 +1,6 @@
 ---
 title: Repository Policies
-last_modified: 2026-02-22
+last_modified: 2026-03-10
 ---
 
 This document covers repository structure, tooling, and workflow standards. Code
@@ -92,6 +92,14 @@ style conventions are in separate documents:
 - Never commit secrets. `.env` files, credentials, API keys, and private keys
   must be in `.gitignore`. No exceptions.
 
+- Build artifacts and code-derived data (compiled output, bundled JS, minified
+  CSS, generated code) must NOT be committed to the repository if they can be
+  generated during the build process. The Dockerfile or build system should
+  produce these artifacts at build time. Notable exception: Go
+  protobuf-generated files (`.pb.go`) may be committed because Go module
+  consumers use `go get` which downloads source code but does not execute build
+  steps.
+
 - `.gitignore` should be comprehensive from the start: OS files (`.DS_Store`),
   editor files (`.swp`, `*~`), language build artifacts, and `node_modules/`.
   Fetch the standard `.gitignore` from