[loop-cycle-1] feat: tool allowlist for autonomous operation (#69)

Add config/allowlist.yaml — YAML-driven gate that auto-approves bounded
tool calls when no human is present.

When Timmy runs with --autonomous or stdin is not a terminal, tool calls
are checked against allowlist: matched → auto-approved, else → rejected.

Changes:
  - config/allowlist.yaml: shell prefixes, deny patterns, path rules
  - tool_safety.py: is_allowlisted() checks tools against YAML rules
  - cli.py: --autonomous flag, _is_interactive() detection
  - 44 new allowlist tests, 8 updated CLI tests

Closes #69

src/timmy/cli.py

@@ -1,11 +1,12 @@
 import logging
 import subprocess
+import sys
 
 import typer
 
 from timmy.agent import create_timmy
 from timmy.prompts import STATUS_PROMPT
-from timmy.tool_safety import format_action_description, get_impact_level
+from timmy.tool_safety import format_action_description, get_impact_level, is_allowlisted
 
 logger = logging.getLogger(__name__)
 
@@ -30,15 +31,26 @@ _MODEL_SIZE_OPTION = typer.Option(
 )
 
 
-def _handle_tool_confirmation(agent, run_output, session_id: str):
+def _is_interactive() -> bool:
+    """Return True if stdin is a real terminal (human present)."""
+    return hasattr(sys.stdin, "isatty") and sys.stdin.isatty()
+
+
+def _handle_tool_confirmation(agent, run_output, session_id: str, *, autonomous: bool = False):
     """Prompt user to approve/reject dangerous tool calls.
 
     When Agno pauses a run because a tool requires confirmation, this
     function displays the action, asks for approval via stdin, and
     resumes or rejects the run accordingly.
 
+    When autonomous=True (or stdin is not a terminal), tool calls are
+    checked against config/allowlist.yaml instead of prompting.
+    Allowlisted calls are auto-approved; everything else is auto-rejected.
+
     Returns the final RunOutput after all confirmations are resolved.
     """
+    interactive = _is_interactive() and not autonomous
+
     max_rounds = 10  # safety limit
     for _ in range(max_rounds):
         status = getattr(run_output, "status", None)
@@ -58,22 +70,34 @@ def _handle_tool_confirmation(agent, run_output, session_id: str):
             tool_name = getattr(te, "tool_name", "unknown")
             tool_args = getattr(te, "tool_args", {}) or {}
 
-            description = format_action_description(tool_name, tool_args)
-            impact = get_impact_level(tool_name)
+            if interactive:
+                # Human present — prompt for approval
+                description = format_action_description(tool_name, tool_args)
+                impact = get_impact_level(tool_name)
 
-            typer.echo()
-            typer.echo(typer.style("Tool confirmation required", bold=True))
-            typer.echo(f"  Impact: {impact.upper()}")
-            typer.echo(f"  {description}")
-            typer.echo()
+                typer.echo()
+                typer.echo(typer.style("Tool confirmation required", bold=True))
+                typer.echo(f"  Impact: {impact.upper()}")
+                typer.echo(f"  {description}")
+                typer.echo()
 
-            approved = typer.confirm("Allow this action?", default=False)
-            if approved:
-                req.confirm()
-                logger.info("CLI: approved %s", tool_name)
+                approved = typer.confirm("Allow this action?", default=False)
+                if approved:
+                    req.confirm()
+                    logger.info("CLI: approved %s", tool_name)
+                else:
+                    req.reject(note="User rejected from CLI")
+                    logger.info("CLI: rejected %s", tool_name)
             else:
-                req.reject(note="User rejected from CLI")
-                logger.info("CLI: rejected %s", tool_name)
+                # Autonomous mode — check allowlist
+                if is_allowlisted(tool_name, tool_args):
+                    req.confirm()
+                    logger.info("AUTO-APPROVED (allowlist): %s", tool_name)
+                else:
+                    req.reject(note="Auto-rejected: not in allowlist")
+                    logger.info(
+                        "AUTO-REJECTED (not allowlisted): %s %s", tool_name, str(tool_args)[:100]
+                    )
 
         # Resume the run so the agent sees the confirmation result
         try:
@@ -133,11 +157,21 @@ def chat(
         "--session-id",
         help="Use a specific session ID for this conversation",
     ),
+    autonomous: bool = typer.Option(
+        False,
+        "--autonomous",
+        "-a",
+        help="Autonomous mode: auto-approve allowlisted tools, reject the rest (no stdin prompts)",
+    ),
 ):
     """Send a message to Timmy.
 
     Conversation history persists across invocations. Use --new to start fresh,
     or --session-id to use a specific session.
+
+    Use --autonomous for non-interactive contexts (scripts, dev loops). Tool
+    calls are checked against config/allowlist.yaml — allowlisted operations
+    execute automatically, everything else is safely rejected.
     """
     import uuid
 
@@ -153,7 +187,7 @@ def chat(
     run_output = timmy.run(message, stream=False, session_id=session_id)
 
     # Handle paused runs — dangerous tools need user approval
-    run_output = _handle_tool_confirmation(timmy, run_output, session_id)
+    run_output = _handle_tool_confirmation(timmy, run_output, session_id, autonomous=autonomous)
 
     # Print the final response
     content = run_output.content if hasattr(run_output, "content") else str(run_output)