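# ── Tool Allowlist — autonomous operation gate ─────────────────────────────
#
# When Timmy runs without a human present (non-interactive terminal, or
# --autonomous flag), tool calls matching these patterns execute without
# confirmation. Anything NOT listed here is auto-rejected.
#
# This file is the ONLY gate for autonomous tool execution.
# GOLDEN_TIMMY in approvals.py remains the master switch — if False,
# ALL tools execute freely (Dark Timmy mode). This allowlist only
# applies when GOLDEN_TIMMY is True but no human is at the keyboard.
#
# Edit with care. This is sovereignty in action.
# ────────────────────────────────────────────────────────────────────────────
#
# NOTE(review): as described above, GOLDEN_TIMMY = False bypasses this file
# entirely (fail-open). A change to that flag deserves the same review as a
# change to this allowlist.
#
# Layout: one top-level key per tool. `shell` is gated by string patterns,
# `write_file` by path prefixes, `python` and `plan_and_execute` by a single
# boolean. The matching logic lives in approvals.py and is not visible here;
# the notes below that depend on it are marked as assumptions.
---
shell:
  # Shell commands starting with any of these prefixes → auto-approved.
  #
  # NOTE(review): a prefix constrains only the start of the command line.
  # If approvals.py compares the raw string and the command is then run by a
  # shell (assumption — confirm), everything after the prefix is approved
  # along with it: arguments, redirections, and any chained or substituted
  # command. Matching on the parsed argv and executing without a shell would
  # make each entry mean what it says.
  allow_prefixes:
    # Testing
    # NOTE(review): pytest imports and runs conftest.py and test modules, so
    # these entries approve whatever Python is in the tree under test. If
    # that tree is reachable through write_file below, this is equivalent to
    # auto-approving arbitrary code.
    - "pytest"
    - "python -m pytest"
    - "python3 -m pytest"
    # Git (read + bounded write)
    # NOTE(review): the bound is not enforced by the prefix. "git push"
    # accepts any remote, ref and option, and several of these subcommands
    # run hooks from .git/hooks. Pin remote and branch in the matcher and
    # rely on server-side branch protection for the rest.
    - "git status"
    - "git log"
    - "git diff"
    - "git add"
    - "git commit"
    - "git push"
    - "git pull"
    - "git branch"
    - "git checkout"
    - "git stash"
    - "git merge"
    # Localhost API calls only
    # NOTE(review): each prefix ends in the middle of the URL, so it does not
    # pin the host: any URL whose text merely begins with these characters
    # matches. curl options after the URL are also unconstrained. Parse the
    # URL and compare scheme, host and port exactly.
    - "curl http://localhost"
    - "curl http://127.0.0.1"
    - "curl -s http://localhost"
    - "curl -s http://127.0.0.1"
    # Read-only inspection
    # NOTE(review): "ls" and "pwd" have no trailing space, so they match any
    # command name that begins with those letters. "find " and "echo " are
    # read-only only by convention (find has actions that modify files; echo
    # with a redirection writes one). "cat ", "head ", "tail " and "grep "
    # can read anything the agent's user can, including credentials, and the
    # output is returned to the model.
    - "ls"
    - "cat "
    - "head "
    - "tail "
    - "find "
    - "grep "
    - "wc "
    - "echo "
    - "pwd"
    - "which "
    - "ollama list"
    - "ollama ps"

  # Commands containing ANY of these → always blocked, even if prefix matches.
  #
  # NOTE(review): treat this list as a backstop, not as the control. A
  # substring denylist depends on exact spelling and spacing and cannot
  # enumerate every dangerous form. It currently has no entries for command
  # chaining or substitution (";", "&&", "||", "$(", backticks) or for file
  # redirection outside /dev/; add them if the matcher cannot be moved to
  # argv-based checks, accepting that some benign commands will be rejected.
  deny_patterns:
    - "rm -rf /"
    - "sudo "
    - "> /dev/"
    - "| sh"
    - "| bash"
    - "| zsh"
    - "mkfs"
    - "dd if="
    - ":(){:|:&};:"

write_file:
  # Only allow writes to paths under these prefixes.
  #
  # NOTE(review): a path prefix is only meaningful after the path has been
  # made absolute with "~" expanded and ".." and symlinks resolved — confirm
  # that approvals.py normalises before comparing. "/tmp/" is shared and
  # world-writable. The dashboard tree presumably holds the project's source,
  # tests and .git directory, and possibly this file and approvals.py, so an
  # autonomous write there can change code that later runs under the pytest
  # and git entries above, or the gate itself. Consider excluding those paths.
  allowed_path_prefixes:
    - "~/Timmy-Time-dashboard/"
    - "/tmp/"

python:
  # Python execution auto-approved (sandboxed by Agno's PythonTools).
  #
  # NOTE(review): verify what isolation PythonTools actually provides in this
  # deployment. If the code runs in the agent's own process or as the agent's
  # user, this setting sidesteps every shell and write_file restriction above.
  auto_approve: true

plan_and_execute:
  # Multi-step plans auto-approved — individual tool calls are still gated.
  auto_approve: true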