ansible/fireclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add dangerous command blocking and cron agent scheduling

Browse Source 
Dangerous command approval: run_command skill now checks commands
against 9 regex patterns (rm -rf /, dd, mkfs, fork bombs, shutdown,
device writes, etc.) and blocks execution with a clear message.
Defense-in-depth layer on top of VM isolation.

Cron agents: templates support schedule (5-field cron) and
schedule_timeout (seconds, default 300) fields. Overseer checks
every 60s, spawns {name}-cron agents on match, auto-destroys after
timeout. Inline cron parser supports *, ranges, lists, and steps.
No npm dependencies added.
This commit is contained in:
ansible
2026-04-08 19:26:23 +00:00
parent c827d341ab
commit abc91bc149
5 changed files with 116 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ROADMAP.md
View File

@@ -56,12 +56,12 @@ Priority order by gain/complexity ratio.
- [ ] **Context compression** — when conversation history exceeds threshold, LLM-summarize middle turns. Protect head (system prompt) and tail (recent messages). Keeps agents coherent in long conversations.
- [ ] **Skill learning** — after complex multi-tool tasks, agent creates a new SKILL.md + run.py in workspace/skills. Next boot, new skill is available. Self-improving agents.
- [ ] **Scheduled/cron agents** — template gets a `schedule` field. Overseer spawns agent on schedule, agent does its task, reports to #agents, self-destructs.
- [x] **Scheduled/cron agents** — templates support `schedule` (5-field cron) and `schedule_timeout` fields. Overseer checks every 60s, spawns and auto-destroys.
- [ ] **!logs command** — tail agent interaction history from workspace.
### Lower priority (good ideas, higher complexity or less immediate need)
- [ ] **Dangerous command approval** — pattern-based detection (rm -rf, git reset, etc.) with allowlist. Agent asks for confirmation before destructive commands.
- [x] **Dangerous command approval** — pattern-based detection (rm -rf, dd, mkfs, fork bombs, shutdown, etc.) blocks execution in run_command skill.
- [ ] **Parallel tool execution** — detect independent tool calls, run concurrently. Needs safety heuristics (read-only, non-overlapping paths).
- [ ] **Cost tracking** — Ollama returns token counts. Log per-interaction: duration, model, tokens, skill used.
- [ ] **Execution recording** — full audit trail of all tool calls and results.

4
TODO.md
View File

@@ -30,8 +30,8 @@
### Bigger items
- [ ] Skill learning — agents create new skills from experience
- [ ] Cron agents — scheduled agent spawns
- [ ] Dangerous command approval — pattern detection + allowlist
- [x] Cron agents — scheduled agent spawns (5-field cron in templates, auto-destroy timeout)
- [x] Dangerous command approval — pattern detection blocks rm -rf /, dd, mkfs, fork bombs, etc.
- [ ] Parallel tool execution — concurrent independent tool calls
## Polish

26
skills/run_command/run.py
View File

@@ -2,10 +2,36 @@
import subprocess
import sys
import json
import re
DANGEROUS_PATTERNS = [
(re.compile(r'\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?-[a-zA-Z]*r[a-zA-Z]*\s+(/|~|\.)(\s|$)'), "recursive delete of critical path"),
(re.compile(r'\brm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)?-[a-zA-Z]*f[a-zA-Z]*\s+(/|~|\.)(\s|$)'), "recursive delete of critical path"),
(re.compile(r'\bdd\s+if='), "raw disk write (dd)"),
(re.compile(r'\bmkfs\b'), "filesystem format"),
(re.compile(r':\(\)\s*\{[^}]*:\s*\|\s*:'), "fork bomb"),
(re.compile(r'>\s*/dev/[sh]d[a-z]'), "device write"),
(re.compile(r'\bchmod\s+(-[a-zA-Z]*R[a-zA-Z]*\s+)?777\s+/(\s|$)'), "recursive chmod 777 on /"),
(re.compile(r'\b(shutdown|reboot|halt|poweroff)\b'), "system shutdown/reboot"),
(re.compile(r'\bkill\s+-9\s+(-1|1)\b'), "kill init or all processes"),
]
def check_dangerous(cmd):
for pattern, desc in DANGEROUS_PATTERNS:
if pattern.search(cmd):
return desc
return None
args = json.loads(sys.stdin.read())
command = args.get("command", "")
blocked = check_dangerous(command)
if blocked:
print(f'[blocked: command matches dangerous pattern "{blocked}". This command was not executed.]')
sys.exit(0)
try:
result = subprocess.run(
["bash", "-c", command],

5
src/agent-manager.ts
View File

@@ -45,7 +45,7 @@ export interface AgentInfo {
startedAt: string;
}
interface AgentTemplate {
export interface AgentTemplate {
name: string;
nick: string;
model: string;
@@ -62,6 +62,9 @@ interface AgentTemplate {
compress_keep?: number;
max_tool_rounds?: number;
max_response_lines?: number;
// Cron scheduling
schedule?: string; // 5-field cron expression, e.g. "0 8 * * *"
schedule_timeout?: number; // seconds before auto-destroy (default 300)
}
const AGENTS_FILE = join(CONFIG.baseDir, "agents.json");

82
src/overseer.ts
View File

@@ -7,7 +7,9 @@ import {
listTemplates,
reconcileAgents,
reloadAgent,
loadTemplate,
type AgentInfo,
type AgentTemplate,
} from "./agent-manager.js";
import { CONFIG } from "./config.js";
@@ -37,6 +39,37 @@ function formatAgentList(agents: AgentInfo[]): string[] {
);
}
function fieldMatches(field: string, value: number): boolean {
if (field === "*") return true;
return field.split(",").some((part) => {
if (part.includes("/")) {
const [range, stepStr] = part.split("/");
const step = parseInt(stepStr);
if (range === "*") return value % step === 0;
const [min, max] = range.split("-").map(Number);
return value >= min && value <= max && (value - min) % step === 0;
}
if (part.includes("-")) {
const [min, max] = part.split("-").map(Number);
return value >= min && value <= max;
}
return parseInt(part) === value;
});
}
function matchesCron(expr: string, date: Date): boolean {
const fields = expr.trim().split(/\s+/);
if (fields.length !== 5) return false;
const checks: [string, number][] = [
[fields[0], date.getMinutes()],
[fields[1], date.getHours()],
[fields[2], date.getDate()],
[fields[3], date.getMonth() + 1],
[fields[4], date.getDay()],
];
return checks.every(([field, value]) => fieldMatches(field, value));
}
export async function runOverseer(config: OverseerConfig) {
// Reconcile agent state on startup
log("Reconciling agent state...");
@@ -338,5 +371,54 @@ export async function runOverseer(config: OverseerConfig) {
setInterval(healthCheck, HEALTH_CHECK_INTERVAL);
// Cron agent scheduler — check every 60s
const CRON_CHECK_INTERVAL = 60_000;
const cronCheck = async () => {
const templates = listTemplates();
for (const tmplName of templates) {
try {
const template = loadTemplate(tmplName);
if (!template.schedule) continue;
const now = new Date();
if (!matchesCron(template.schedule, now)) continue;
const cronName = `${template.name}-cron`;
// Skip if already running
const running = listAgents();
if (running.some((a) => a.name === cronName)) continue;
log(`Cron trigger: spawning "${cronName}" from template "${tmplName}"`);
bot.say(config.channel, `Cron: spawning "${cronName}" from template "${tmplName}"`);
const info = await startAgent(tmplName, { name: cronName });
knownAgents.add(cronName);
// Schedule auto-destroy
const timeout = (template.schedule_timeout ?? 300) * 1000;
setTimeout(async () => {
try {
const current = listAgents();
if (current.some((a) => a.name === cronName)) {
log(`Cron timeout: destroying "${cronName}" after ${timeout / 1000}s`);
bot.say(config.channel, `Cron: destroying "${cronName}" (timeout ${timeout / 1000}s)`);
await stopAgent(cronName);
knownAgents.delete(cronName);
}
} catch (err) {
const msg = err instanceof Error ? err.message : String(err);
log(`Error destroying cron agent "${cronName}": ${msg}`);
}
}, timeout);
} catch (err) {
const msg = err instanceof Error ? err.message : String(err);
log(`Cron error for template "${tmplName}": ${msg}`);
}
}
};
setInterval(cronCheck, CRON_CHECK_INTERVAL);
log("Overseer started. Waiting for commands...");
}