diff --git a/codex/LESSONS.md b/codex/LESSONS.md index 59d73b1..229ca28 100644 --- a/codex/LESSONS.md +++ b/codex/LESSONS.md @@ -25,6 +25,13 @@ Use this format: - Fix: manage `config.toml` and `rules/default.rules` together, and treat the rules file as the durable source of truth for allow/deny behavior - Prevention: when migrating or backing up Codex settings, always include the `rules/` directory rather than assuming approvals are embedded in `config.toml` +### 2026-03-24 - Prefix rules cannot safely express semantic allowlists +- Context: dotfiles task to expand Codex approvals for AWS CLI usage +- Symptom: request was to allow all non-destructive `aws` commands, but the rule engine only matched literal command-token prefixes +- Root cause: `prefix_rule(...)` does not understand higher-level semantics like “read-only” or broad verb classes across every AWS service +- Fix: add an explicit read-only allowlist for common AWS CLI commands instead of allowing `aws` broadly +- Prevention: when approval policy depends on command semantics rather than exact prefixes, prefer curated safe command families over broad program-level allow rules + ### 2026-03-15 - Quote extras specifiers in zsh pip installs - Context: prediction_markets_poc backend validation from a disposable venv - Symptom: `python -m pip install -e /path/to/backend[dev]` failed with `zsh: no matches found` diff --git a/codex/rules/default.rules b/codex/rules/default.rules index 79df761..0a572de 100644 --- a/codex/rules/default.rules +++ b/codex/rules/default.rules 
@@ -86,6 +86,141 @@ prefix_rule(pattern=["docker", "compose", "ps"], decision="allow", justification prefix_rule(pattern=["docker", "compose", "logs"], decision="allow", justification="Compose log inspection is safe.") prefix_rule(pattern=["docker", "compose", "config"], decision="allow", justification="Compose config rendering is safe.") +prefix_rule(pattern=["aws", "--version"], decision="allow", justification="AWS CLI version inspection is safe.") +prefix_rule(pattern=["aws", "help"], decision="allow", justification="AWS CLI help output is safe.") +prefix_rule(pattern=["aws", "configure", "list"], decision="allow", justification="AWS CLI config inspection is safe.") +prefix_rule(pattern=["aws", "configure", "get"], decision="allow", justification="AWS CLI config inspection is safe.") +prefix_rule(pattern=["aws", "configure", "list-profiles"], decision="allow", justification="AWS CLI profile inspection is safe.") +prefix_rule(pattern=["aws", "sts", "get-caller-identity"], decision="allow", justification="AWS identity inspection is safe.") +prefix_rule(pattern=["aws", "sts", "decode-authorization-message"], decision="allow", justification="AWS identity troubleshooting is safe.") +prefix_rule(pattern=["aws", "sso", "login"], decision="allow", justification="Refreshing AWS SSO credentials is a safe local auth action.") +prefix_rule(pattern=["aws", "sso", "list-accounts"], decision="allow", justification="AWS account discovery is safe.") +prefix_rule(pattern=["aws", "sso", "list-account-roles"], decision="allow", justification="AWS role discovery is safe.") +prefix_rule(pattern=["aws", "s3", "ls"], decision="allow", justification="S3 listing is safe.") +prefix_rule(pattern=["aws", "s3api", "list-buckets"], decision="allow", justification="S3 bucket listing is safe.") +prefix_rule(pattern=["aws", "s3api", "get-bucket-location"], decision="allow", justification="S3 bucket metadata inspection is safe.") +prefix_rule(pattern=["aws", "s3api", "get-bucket-versioning"], 
decision="allow", justification="S3 bucket metadata inspection is safe.") +prefix_rule(pattern=["aws", "s3api", "get-bucket-encryption"], decision="allow", justification="S3 bucket metadata inspection is safe.") +prefix_rule(pattern=["aws", "s3api", "get-public-access-block"], decision="allow", justification="S3 bucket metadata inspection is safe.") +prefix_rule(pattern=["aws", "s3api", "head-bucket"], decision="allow", justification="S3 bucket metadata inspection is safe.") +prefix_rule(pattern=["aws", "s3api", "head-object"], decision="allow", justification="S3 object metadata inspection is safe.") +prefix_rule(pattern=["aws", "s3api", "list-objects"], decision="allow", justification="S3 object listing is safe.") +prefix_rule(pattern=["aws", "s3api", "list-objects-v2"], decision="allow", justification="S3 object listing is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-instances"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-images"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-volumes"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-snapshots"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-subnets"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-vpcs"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-security-groups"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-route-tables"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-network-interfaces"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-addresses"], decision="allow", 
justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-internet-gateways"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ec2", "describe-nat-gateways"], decision="allow", justification="EC2 inspection is safe.") +prefix_rule(pattern=["aws", "ecs", "list-clusters"], decision="allow", justification="ECS inspection is safe.") +prefix_rule(pattern=["aws", "ecs", "describe-clusters"], decision="allow", justification="ECS inspection is safe.") +prefix_rule(pattern=["aws", "ecs", "list-services"], decision="allow", justification="ECS inspection is safe.") +prefix_rule(pattern=["aws", "ecs", "describe-services"], decision="allow", justification="ECS inspection is safe.") +prefix_rule(pattern=["aws", "ecs", "list-tasks"], decision="allow", justification="ECS inspection is safe.") +prefix_rule(pattern=["aws", "ecs", "describe-tasks"], decision="allow", justification="ECS inspection is safe.") +prefix_rule(pattern=["aws", "ecs", "describe-task-definition"], decision="allow", justification="ECS inspection is safe.") +prefix_rule(pattern=["aws", "eks", "list-clusters"], decision="allow", justification="EKS inspection is safe.") +prefix_rule(pattern=["aws", "eks", "describe-cluster"], decision="allow", justification="EKS inspection is safe.") +prefix_rule(pattern=["aws", "eks", "list-nodegroups"], decision="allow", justification="EKS inspection is safe.") +prefix_rule(pattern=["aws", "eks", "describe-nodegroup"], decision="allow", justification="EKS inspection is safe.") +prefix_rule(pattern=["aws", "lambda", "list-functions"], decision="allow", justification="Lambda inspection is safe.") +prefix_rule(pattern=["aws", "lambda", "get-function"], decision="allow", justification="Lambda inspection is safe.") +prefix_rule(pattern=["aws", "lambda", "get-function-configuration"], decision="allow", justification="Lambda inspection is safe.") +prefix_rule(pattern=["aws", "lambda", "list-event-source-mappings"], 
decision="allow", justification="Lambda inspection is safe.") +prefix_rule(pattern=["aws", "rds", "describe-db-instances"], decision="allow", justification="RDS inspection is safe.") +prefix_rule(pattern=["aws", "rds", "describe-db-clusters"], decision="allow", justification="RDS inspection is safe.") +prefix_rule(pattern=["aws", "rds", "describe-db-snapshots"], decision="allow", justification="RDS inspection is safe.") +prefix_rule(pattern=["aws", "rds", "describe-db-cluster-snapshots"], decision="allow", justification="RDS inspection is safe.") +prefix_rule(pattern=["aws", "cloudformation", "list-stacks"], decision="allow", justification="CloudFormation inspection is safe.") +prefix_rule(pattern=["aws", "cloudformation", "describe-stacks"], decision="allow", justification="CloudFormation inspection is safe.") +prefix_rule(pattern=["aws", "cloudformation", "list-stack-resources"], decision="allow", justification="CloudFormation inspection is safe.") +prefix_rule(pattern=["aws", "cloudformation", "get-template"], decision="allow", justification="CloudFormation inspection is safe.") +prefix_rule(pattern=["aws", "cloudformation", "validate-template"], decision="allow", justification="CloudFormation validation is safe.") +prefix_rule(pattern=["aws", "logs", "describe-log-groups"], decision="allow", justification="CloudWatch Logs inspection is safe.") +prefix_rule(pattern=["aws", "logs", "describe-log-streams"], decision="allow", justification="CloudWatch Logs inspection is safe.") +prefix_rule(pattern=["aws", "logs", "get-log-events"], decision="allow", justification="CloudWatch Logs inspection is safe.") +prefix_rule(pattern=["aws", "logs", "filter-log-events"], decision="allow", justification="CloudWatch Logs inspection is safe.") +prefix_rule(pattern=["aws", "logs", "tail"], decision="allow", justification="CloudWatch Logs inspection is safe.") +prefix_rule(pattern=["aws", "cloudwatch", "describe-alarms"], decision="allow", justification="CloudWatch inspection is 
safe.") +prefix_rule(pattern=["aws", "cloudwatch", "list-metrics"], decision="allow", justification="CloudWatch inspection is safe.") +prefix_rule(pattern=["aws", "cloudwatch", "get-metric-data"], decision="allow", justification="CloudWatch inspection is safe.") +prefix_rule(pattern=["aws", "cloudwatch", "get-metric-statistics"], decision="allow", justification="CloudWatch inspection is safe.") +prefix_rule(pattern=["aws", "dynamodb", "list-tables"], decision="allow", justification="DynamoDB inspection is safe.") +prefix_rule(pattern=["aws", "dynamodb", "describe-table"], decision="allow", justification="DynamoDB inspection is safe.") +prefix_rule(pattern=["aws", "dynamodb", "get-item"], decision="allow", justification="DynamoDB read queries are safe.") +prefix_rule(pattern=["aws", "dynamodb", "batch-get-item"], decision="allow", justification="DynamoDB read queries are safe.") +prefix_rule(pattern=["aws", "dynamodb", "query"], decision="allow", justification="DynamoDB read queries are safe.") +prefix_rule(pattern=["aws", "dynamodb", "scan"], decision="allow", justification="DynamoDB read queries are safe.") +prefix_rule(pattern=["aws", "sqs", "list-queues"], decision="allow", justification="SQS inspection is safe.") +prefix_rule(pattern=["aws", "sqs", "get-queue-attributes"], decision="allow", justification="SQS inspection is safe.") +prefix_rule(pattern=["aws", "sns", "list-topics"], decision="allow", justification="SNS inspection is safe.") +prefix_rule(pattern=["aws", "sns", "get-topic-attributes"], decision="allow", justification="SNS inspection is safe.") +prefix_rule(pattern=["aws", "sns", "list-subscriptions"], decision="allow", justification="SNS inspection is safe.") +prefix_rule(pattern=["aws", "sns", "list-subscriptions-by-topic"], decision="allow", justification="SNS inspection is safe.") +prefix_rule(pattern=["aws", "iam", "get-user"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "get-role"], 
decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "get-policy"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "get-policy-version"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "list-users"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "list-roles"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "list-policies"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "list-attached-role-policies"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "list-instance-profiles"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "iam", "list-account-aliases"], decision="allow", justification="IAM inspection is safe.") +prefix_rule(pattern=["aws", "kms", "list-keys"], decision="allow", justification="KMS inspection is safe.") +prefix_rule(pattern=["aws", "kms", "describe-key"], decision="allow", justification="KMS inspection is safe.") +prefix_rule(pattern=["aws", "kms", "list-aliases"], decision="allow", justification="KMS inspection is safe.") +prefix_rule(pattern=["aws", "kms", "get-key-policy"], decision="allow", justification="KMS inspection is safe.") +prefix_rule(pattern=["aws", "route53", "list-hosted-zones"], decision="allow", justification="Route53 inspection is safe.") +prefix_rule(pattern=["aws", "route53", "list-resource-record-sets"], decision="allow", justification="Route53 inspection is safe.") +prefix_rule(pattern=["aws", "route53", "get-health-check"], decision="allow", justification="Route53 inspection is safe.") +prefix_rule(pattern=["aws", "elbv2", "describe-load-balancers"], decision="allow", justification="ELB inspection is safe.") +prefix_rule(pattern=["aws", "elbv2", 
"describe-target-groups"], decision="allow", justification="ELB inspection is safe.") +prefix_rule(pattern=["aws", "elbv2", "describe-target-health"], decision="allow", justification="ELB inspection is safe.") +prefix_rule(pattern=["aws", "autoscaling", "describe-auto-scaling-groups"], decision="allow", justification="Auto Scaling inspection is safe.") +prefix_rule(pattern=["aws", "acm", "list-certificates"], decision="allow", justification="ACM inspection is safe.") +prefix_rule(pattern=["aws", "acm", "describe-certificate"], decision="allow", justification="ACM inspection is safe.") +prefix_rule(pattern=["aws", "apigateway", "get-rest-apis"], decision="allow", justification="API Gateway inspection is safe.") +prefix_rule(pattern=["aws", "apigateway", "get-stages"], decision="allow", justification="API Gateway inspection is safe.") +prefix_rule(pattern=["aws", "apigatewayv2", "get-apis"], decision="allow", justification="API Gateway inspection is safe.") +prefix_rule(pattern=["aws", "apigatewayv2", "get-stages"], decision="allow", justification="API Gateway inspection is safe.") +prefix_rule(pattern=["aws", "organizations", "list-accounts"], decision="allow", justification="Organizations inspection is safe.") +prefix_rule(pattern=["aws", "organizations", "describe-account"], decision="allow", justification="Organizations inspection is safe.") +prefix_rule(pattern=["aws", "organizations", "list-roots"], decision="allow", justification="Organizations inspection is safe.") +prefix_rule(pattern=["aws", "organizations", "list-organizational-units-for-parent"], decision="allow", justification="Organizations inspection is safe.") +prefix_rule(pattern=["aws", "organizations", "list-accounts-for-parent"], decision="allow", justification="Organizations inspection is safe.") +prefix_rule(pattern=["aws", "ecr", "describe-repositories"], decision="allow", justification="ECR inspection is safe.") +prefix_rule(pattern=["aws", "ecr", "list-images"], decision="allow", 
justification="ECR inspection is safe.") +prefix_rule(pattern=["aws", "ecr", "describe-images"], decision="allow", justification="ECR inspection is safe.") +prefix_rule(pattern=["aws", "elasticache", "describe-cache-clusters"], decision="allow", justification="ElastiCache inspection is safe.") +prefix_rule(pattern=["aws", "elasticache", "describe-replication-groups"], decision="allow", justification="ElastiCache inspection is safe.") +prefix_rule(pattern=["aws", "redshift", "describe-clusters"], decision="allow", justification="Redshift inspection is safe.") +prefix_rule(pattern=["aws", "ce", "get-cost-and-usage"], decision="allow", justification="Cost Explorer inspection is safe.") +prefix_rule(pattern=["aws", "ce", "get-dimension-values"], decision="allow", justification="Cost Explorer inspection is safe.") +prefix_rule(pattern=["aws", "cloudfront", "list-distributions"], decision="allow", justification="CloudFront inspection is safe.") +prefix_rule(pattern=["aws", "cloudfront", "get-distribution"], decision="allow", justification="CloudFront inspection is safe.") +prefix_rule(pattern=["aws", "cloudfront", "get-distribution-config"], decision="allow", justification="CloudFront inspection is safe.") +prefix_rule(pattern=["aws", "backup", "list-backup-vaults"], decision="allow", justification="AWS Backup inspection is safe.") +prefix_rule(pattern=["aws", "backup", "list-backup-plans"], decision="allow", justification="AWS Backup inspection is safe.") +prefix_rule(pattern=["aws", "backup", "list-recovery-points-by-backup-vault"], decision="allow", justification="AWS Backup inspection is safe.") +prefix_rule(pattern=["aws", "ssm", "describe-parameters"], decision="allow", justification="SSM inspection is safe.") +prefix_rule(pattern=["aws", "ssm", "get-parameter"], decision="allow", justification="SSM inspection is safe.") +prefix_rule(pattern=["aws", "ssm", "get-parameters"], decision="allow", justification="SSM inspection is safe.") +prefix_rule(pattern=["aws", 
"ssm", "get-parameters-by-path"], decision="allow", justification="SSM inspection is safe.") +prefix_rule(pattern=["aws", "ssm", "describe-instance-information"], decision="allow", justification="SSM inspection is safe.") +prefix_rule(pattern=["aws", "ssm", "list-documents"], decision="allow", justification="SSM inspection is safe.") +prefix_rule(pattern=["aws", "secretsmanager", "list-secrets"], decision="allow", justification="Secrets Manager metadata inspection is safe.") +prefix_rule(pattern=["aws", "secretsmanager", "describe-secret"], decision="allow", justification="Secrets Manager metadata inspection is safe.") +prefix_rule(pattern=["aws", "cloudtrail", "lookup-events"], decision="allow", justification="CloudTrail inspection is safe.") +prefix_rule(pattern=["aws", "cloudtrail", "describe-trails"], decision="allow", justification="CloudTrail inspection is safe.") +prefix_rule(pattern=["aws", "cloudtrail", "get-trail-status"], decision="allow", justification="CloudTrail inspection is safe.") + prefix_rule(pattern=["nix", "flake", "check"], decision="allow", justification="Flake validation is a safe default quality check.") prefix_rule(pattern=["nix", "flake", "show"], decision="allow", justification="Flake inspection is safe.") prefix_rule(pattern=["nix", "eval"], decision="allow", justification="Nix evaluation is safe.") diff --git a/nix/configuration.nix b/nix/configuration.nix index bcd387f..41bfda5 100644 --- a/nix/configuration.nix +++ b/nix/configuration.nix @@ -1,5 +1,12 @@ { pkgs, lib, ... }: +let + mkGreedyCask = name: { + inherit name; + greedy = true; + }; +in + { environment.shells = with pkgs; [ zsh ]; @@ -28,7 +35,7 @@ brews = [ "gemini-cli" ]; - casks = [ + casks = map mkGreedyCask [ "signal" "opera" "iterm2" @@ -41,10 +48,7 @@ "obsidian" "goland" "intellij-idea" - { - name = "docker-desktop"; - greedy = true; - } + "docker-desktop" "postman" "figma" "sf-symbols"
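Review bot: Several of the added `allow` rules approve commands that return secret material, so the "inspection is safe" justifications do not hold for them. `aws configure get` prints a stored `aws_secret_access_key` or session token when asked for that key (unlike `aws configure list`, which masks it). A prefix rule leaves every trailing argument unconstrained, so the three `aws ssm get-parameter*` rules also approve `--with-decryption` on SecureString values, which is inconsistent with the Secrets Manager rules being limited to metadata. `lambda get-function-configuration` and `ecs describe-task-definition` likewise return environment variables, and the `dynamodb` and `logs` read rules return stored data rather than metadata, all of which lands in the agent's context without a prompt. I would drop the `["aws", "configure", "get"]` rule and the `["aws", "ssm", "get-parameter"]`, `get-parameters` and `get-parameters-by-path` rules so those commands fall back to the normal approval path, and reword the remaining justifications to say read-only rather than safe, e.g. `justification="Read-only; output may include environment variables."`.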
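Review bot: `mkGreedyCask` in the first `nix/configuration.nix` hunk only handles a bare cask name. An entry written as an attribute set, the form the removed `docker-desktop` entry used, would end up nested under `name` and presumably be rejected by the option's type check. Accepting both shapes keeps the list extensible: `mkGreedyCask = cask: (if builtins.isString cask then { name = cask; } else cask) // { greedy = true; };`. A short comment above the binding would also help, for example `# greedy: upgrade every cask, including ones that self-update or are unversioned`, because this changes upgrade behaviour for all casks rather than just docker-desktop. The `casks` list and the rest of the module continue outside the hunks shown.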