[loop-cycle-1] feat: tool allowlist for autonomous operation (#69)

Add config/allowlist.yaml — YAML-driven gate that auto-approves bounded
tool calls when no human is present.

When Timmy runs with --autonomous or stdin is not a terminal, tool calls
are checked against allowlist: matched → auto-approved, else → rejected.

Changes:
  - config/allowlist.yaml: shell prefixes, deny patterns, path rules
  - tool_safety.py: is_allowlisted() checks tools against YAML rules
  - cli.py: --autonomous flag, _is_interactive() detection
  - 44 new allowlist tests, 8 updated CLI tests

Closes #69

src/timmy/tool_safety.py

@@ -5,13 +5,19 @@ Classifies tools into tiers based on their potential impact:
   Requires user confirmation before execution.
 - SAFE: Read-only or purely computational. Executes without confirmation.
 
-Also provides shared helpers for extracting hallucinated tool calls from
-model output and formatting them for human review. Used by both the
-Discord vendor and the dashboard chat route.
+Also provides:
+- Allowlist checker: reads config/allowlist.yaml to auto-approve bounded
+  tool calls when no human is present (autonomous mode).
+- Shared helpers for extracting hallucinated tool calls from model output
+  and formatting them for human review.
 """
 
 import json
+import logging
 import re
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
 
 # ---------------------------------------------------------------------------
 # Tool classification
@@ -71,6 +77,133 @@ def requires_confirmation(tool_name: str) -> bool:
     return True
 
 
+# ---------------------------------------------------------------------------
+# Allowlist — autonomous tool approval
+# ---------------------------------------------------------------------------
+
+_ALLOWLIST_PATHS = [
+    Path(__file__).resolve().parent.parent.parent / "config" / "allowlist.yaml",
+    Path.home() / "Timmy-Time-dashboard" / "config" / "allowlist.yaml",
+]
+
+_allowlist_cache: dict | None = None
+
+
+def _load_allowlist() -> dict:
+    """Load and cache allowlist.yaml. Returns {} if not found."""
+    global _allowlist_cache
+    if _allowlist_cache is not None:
+        return _allowlist_cache
+
+    try:
+        import yaml
+    except ImportError:
+        logger.debug("PyYAML not installed — allowlist disabled")
+        _allowlist_cache = {}
+        return _allowlist_cache
+
+    for path in _ALLOWLIST_PATHS:
+        if path.is_file():
+            try:
+                with open(path) as f:
+                    _allowlist_cache = yaml.safe_load(f) or {}
+                logger.info("Loaded tool allowlist from %s", path)
+                return _allowlist_cache
+            except Exception as exc:
+                logger.warning("Failed to load allowlist %s: %s", path, exc)
+
+    _allowlist_cache = {}
+    return _allowlist_cache
+
+
+def reload_allowlist() -> None:
+    """Force a reload of the allowlist config (e.g., after editing YAML)."""
+    global _allowlist_cache
+    _allowlist_cache = None
+    _load_allowlist()
+
+
+def is_allowlisted(tool_name: str, tool_args: dict | None = None) -> bool:
+    """Check if a specific tool call is allowlisted for autonomous execution.
+
+    Returns True only when the tool call matches an explicit allowlist rule.
+    Returns False for anything not covered — safe-by-default.
+    """
+    allowlist = _load_allowlist()
+    if not allowlist:
+        return False
+
+    rule = allowlist.get(tool_name)
+    if rule is None:
+        return False
+
+    tool_args = tool_args or {}
+
+    # Simple auto-approve flag
+    if rule.get("auto_approve") is True:
+        return True
+
+    # Shell: prefix + deny pattern matching
+    if tool_name == "shell":
+        return _check_shell_allowlist(rule, tool_args)
+
+    # write_file: path prefix check
+    if tool_name == "write_file":
+        return _check_write_file_allowlist(rule, tool_args)
+
+    return False
+
+
+def _check_shell_allowlist(rule: dict, tool_args: dict) -> bool:
+    """Check if a shell command matches the allowlist."""
+    # Extract the command string — Agno ShellTools uses "args" (list or str)
+    cmd = tool_args.get("command") or tool_args.get("args", "")
+    if isinstance(cmd, list):
+        cmd = " ".join(cmd)
+    cmd = cmd.strip()
+
+    if not cmd:
+        return False
+
+    # Check deny patterns first — these always block
+    deny_patterns = rule.get("deny_patterns", [])
+    for pattern in deny_patterns:
+        if pattern in cmd:
+            logger.warning("Shell command blocked by deny pattern %r: %s", pattern, cmd[:100])
+            return False
+
+    # Check allow prefixes
+    allow_prefixes = rule.get("allow_prefixes", [])
+    for prefix in allow_prefixes:
+        if cmd.startswith(prefix):
+            logger.info("Shell command auto-approved by prefix %r: %s", prefix, cmd[:100])
+            return True
+
+    return False
+
+
+def _check_write_file_allowlist(rule: dict, tool_args: dict) -> bool:
+    """Check if a write_file target is within allowed paths."""
+    path_str = tool_args.get("file_name") or tool_args.get("path", "")
+    if not path_str:
+        return False
+
+    # Resolve ~ to home
+    if path_str.startswith("~"):
+        path_str = str(Path(path_str).expanduser())
+
+    allowed_prefixes = rule.get("allowed_path_prefixes", [])
+    for prefix in allowed_prefixes:
+        # Resolve ~ in the prefix too
+        if prefix.startswith("~"):
+            prefix = str(Path(prefix).expanduser())
+        if path_str.startswith(prefix):
+            logger.info("write_file auto-approved for path: %s", path_str)
+            return True
+
+    return False
+
+
 # ---------------------------------------------------------------------------
 # Tool call extraction from model output
 # ---------------------------------------------------------------------------