config/allowlist.yaml

# ── Tool Allowlist — autonomous operation gate ─────────────────────────────
#
# When Timmy runs without a human present (non-interactive terminal, or
# --autonomous flag), tool calls matching these patterns execute without
# confirmation.  Anything NOT listed here is auto-rejected.
#
# This file is the ONLY gate for autonomous tool execution.
# GOLDEN_TIMMY in approvals.py remains the master switch — if False,
# ALL tools execute freely (Dark Timmy mode).  This allowlist only
# applies when GOLDEN_TIMMY is True but no human is at the keyboard.
#
# Edit with care.  This is sovereignty in action.
# ────────────────────────────────────────────────────────────────────────────

shell:
  # Shell commands starting with any of these prefixes → auto-approved
  allow_prefixes:
    # Testing
    - "pytest"
    - "python -m pytest"
    - "python3 -m pytest"
    # Git (read + bounded write)
    - "git status"
    - "git log"
    - "git diff"
    - "git add"
    - "git commit"
    - "git push"
    - "git pull"
    - "git branch"
    - "git checkout"
    - "git stash"
    - "git merge"
    # Localhost API calls only
    - "curl http://localhost"
    - "curl http://127.0.0.1"
    - "curl -s http://localhost"
    - "curl -s http://127.0.0.1"
    # Read-only inspection
    - "ls"
    - "cat "
    - "head "
    - "tail "
    - "find "
    - "grep "
    - "wc "
    - "echo "
    - "pwd"
    - "which "
    - "ollama list"
    - "ollama ps"

  # Commands containing ANY of these → always blocked, even if prefix matches
  deny_patterns:
    - "rm -rf /"
    - "sudo "
    - "> /dev/"
    - "| sh"
    - "| bash"
    - "| zsh"
    - "mkfs"
    - "dd if="
    - ":(){:|:&};:"

write_file:
  # Only allow writes to paths under these prefixes
  allowed_path_prefixes:
    - "~/Timmy-Time-dashboard/"
    - "/tmp/"

python:
  # Python execution auto-approved (sandboxed by Agno's PythonTools)
  auto_approve: true

plan_and_execute:
  # Multi-step plans auto-approved — individual tool calls are still gated
  auto_approve: true
[loop-cycle-1] feat: tool allowlist for autonomous operation (#69) Add config/allowlist.yaml — YAML-driven gate that auto-approves bounded tool calls when no human is present. When Timmy runs with --autonomous or stdin is not a terminal, tool calls are checked against allowlist: matched → auto-approved, else → rejected. Changes: - config/allowlist.yaml: shell prefixes, deny patterns, path rules - tool_safety.py: is_allowlisted() checks tools against YAML rules - cli.py: --autonomous flag, _is_interactive() detection - 44 new allowlist tests, 8 updated CLI tests Closes #69 2026-03-14 17:39:48 -04:00			`# ── Tool Allowlist — autonomous operation gate ─────────────────────────────`
			`#`
			`# When Timmy runs without a human present (non-interactive terminal, or`
			`# --autonomous flag), tool calls matching these patterns execute without`
			`# confirmation. Anything NOT listed here is auto-rejected.`
			`#`
			`# This file is the ONLY gate for autonomous tool execution.`
			`# GOLDEN_TIMMY in approvals.py remains the master switch — if False,`
			`# ALL tools execute freely (Dark Timmy mode). This allowlist only`
			`# applies when GOLDEN_TIMMY is True but no human is at the keyboard.`
			`#`
			`# Edit with care. This is sovereignty in action.`
			`# ────────────────────────────────────────────────────────────────────────────`

			`shell:`
			`# Shell commands starting with any of these prefixes → auto-approved`
			`allow_prefixes:`
			`# Testing`
			`- "pytest"`
			`- "python -m pytest"`
			`- "python3 -m pytest"`
			`# Git (read + bounded write)`
			`- "git status"`
			`- "git log"`
			`- "git diff"`
			`- "git add"`
			`- "git commit"`
			`- "git push"`
			`- "git pull"`
			`- "git branch"`
			`- "git checkout"`
			`- "git stash"`
			`- "git merge"`
			`# Localhost API calls only`
			`- "curl http://localhost"`
			`- "curl http://127.0.0.1"`
			`- "curl -s http://localhost"`
			`- "curl -s http://127.0.0.1"`
			`# Read-only inspection`
			`- "ls"`
			`- "cat "`
			`- "head "`
			`- "tail "`
			`- "find "`
			`- "grep "`
			`- "wc "`
			`- "echo "`
			`- "pwd"`
			`- "which "`
			`- "ollama list"`
			`- "ollama ps"`

			`# Commands containing ANY of these → always blocked, even if prefix matches`
			`deny_patterns:`
			`- "rm -rf /"`
			`- "sudo "`
			`- "> /dev/"`
			`- "\| sh"`
			`- "\| bash"`
			`- "\| zsh"`
			`- "mkfs"`
			`- "dd if="`
			`- ":(){:\|:&};:"`

			`write_file:`
			`# Only allow writes to paths under these prefixes`
			`allowed_path_prefixes:`
			`- "~/Timmy-Time-dashboard/"`
			`- "/tmp/"`

			`python:`
			`# Python execution auto-approved (sandboxed by Agno's PythonTools)`
			`auto_approve: true`

			`plan_and_execute:`
			`# Multi-step plans auto-approved — individual tool calls are still gated`
			`auto_approve: true`