Add dangerous command blocking and cron agent scheduling

Dangerous command approval: run_command skill now checks commands
against 9 regex patterns (rm -rf /, dd, mkfs, fork bombs, shutdown,
device writes, etc.) and blocks execution with a clear message.
Defense-in-depth layer on top of VM isolation.

Cron agents: templates support schedule (5-field cron) and
schedule_timeout (seconds, default 300) fields. Overseer checks
every 60s, spawns {name}-cron agents on match, auto-destroys after
timeout. Inline cron parser supports *, ranges, lists, and steps.
No npm dependencies added.

ROADMAP.md

@@ -56,12 +56,12 @@ Priority order by gain/complexity ratio.
 
 - [ ] **Context compression** — when conversation history exceeds threshold, LLM-summarize middle turns. Protect head (system prompt) and tail (recent messages). Keeps agents coherent in long conversations.
 - [ ] **Skill learning** — after complex multi-tool tasks, agent creates a new SKILL.md + run.py in workspace/skills. Next boot, new skill is available. Self-improving agents.
-- [ ] **Scheduled/cron agents** — template gets a `schedule` field. Overseer spawns agent on schedule, agent does its task, reports to #agents, self-destructs.
+- [x] **Scheduled/cron agents** — templates support `schedule` (5-field cron) and `schedule_timeout` fields. Overseer checks every 60s, spawns and auto-destroys.
 - [ ] **!logs command** — tail agent interaction history from workspace.
 
 ### Lower priority (good ideas, higher complexity or less immediate need)
 
-- [ ] **Dangerous command approval** — pattern-based detection (rm -rf, git reset, etc.) with allowlist. Agent asks for confirmation before destructive commands.
+- [x] **Dangerous command approval** — pattern-based detection (rm -rf, dd, mkfs, fork bombs, shutdown, etc.) blocks execution in run_command skill.
 - [ ] **Parallel tool execution** — detect independent tool calls, run concurrently. Needs safety heuristics (read-only, non-overlapping paths).
 - [ ] **Cost tracking** — Ollama returns token counts. Log per-interaction: duration, model, tokens, skill used.
 - [ ] **Execution recording** — full audit trail of all tool calls and results.

TODO.md

@@ -30,8 +30,8 @@
 
 ### Bigger items
 - [ ] Skill learning — agents create new skills from experience
-- [ ] Cron agents — scheduled agent spawns
+- [x] Cron agents — scheduled agent spawns (5-field cron in templates, auto-destroy timeout)
-- [ ] Dangerous command approval — pattern detection + allowlist
+- [x] Dangerous command approval — pattern detection blocks rm -rf /, dd, mkfs, fork bombs, etc.
 - [ ] Parallel tool execution — concurrent independent tool calls
 
 ## Polish

skills/run_command/run.py

@@ -2,10 +2,36 @@
 import subprocess
 import sys
 import json
+import re
+
+DANGEROUS_PATTERNS = [
+    (re.compile(r'\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?-[a-zA-Z]*r[a-zA-Z]*\s+(/|~|\.)(\s|$)'), "recursive delete of critical path"),
+    (re.compile(r'\brm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)?-[a-zA-Z]*f[a-zA-Z]*\s+(/|~|\.)(\s|$)'), "recursive delete of critical path"),
+    (re.compile(r'\bdd\s+if='), "raw disk write (dd)"),
+    (re.compile(r'\bmkfs\b'), "filesystem format"),
+    (re.compile(r':\(\)\s*\{[^}]*:\s*\|\s*:'), "fork bomb"),
+    (re.compile(r'>\s*/dev/[sh]d[a-z]'), "device write"),
+    (re.compile(r'\bchmod\s+(-[a-zA-Z]*R[a-zA-Z]*\s+)?777\s+/(\s|$)'), "recursive chmod 777 on /"),
+    (re.compile(r'\b(shutdown|reboot|halt|poweroff)\b'), "system shutdown/reboot"),
+    (re.compile(r'\bkill\s+-9\s+(-1|1)\b'), "kill init or all processes"),
+]
+
+
+def check_dangerous(cmd):
+    for pattern, desc in DANGEROUS_PATTERNS:
+        if pattern.search(cmd):
+            return desc
+    return None
+
 
 args = json.loads(sys.stdin.read())
 command = args.get("command", "")
 
+blocked = check_dangerous(command)
+if blocked:
+    print(f'[blocked: command matches dangerous pattern "{blocked}". This command was not executed.]')
+    sys.exit(0)
+
 try:
     result = subprocess.run(
         ["bash", "-c", command],

src/agent-manager.ts

@@ -45,7 +45,7 @@ export interface AgentInfo {
   startedAt: string;
 }
 
-interface AgentTemplate {
+export interface AgentTemplate {
   name: string;
   nick: string;
   model: string;
@@ -62,6 +62,9 @@ interface AgentTemplate {
   compress_keep?: number;
   max_tool_rounds?: number;
   max_response_lines?: number;
+  // Cron scheduling
+  schedule?: string;          // 5-field cron expression, e.g. "0 8 * * *"
+  schedule_timeout?: number;  // seconds before auto-destroy (default 300)
 }
 
 const AGENTS_FILE = join(CONFIG.baseDir, "agents.json");

src/overseer.ts

@@ -7,7 +7,9 @@ import {
   listTemplates,
   reconcileAgents,
   reloadAgent,
+  loadTemplate,
   type AgentInfo,
+  type AgentTemplate,
 } from "./agent-manager.js";
 import { CONFIG } from "./config.js";
 
@@ -37,6 +39,37 @@ function formatAgentList(agents: AgentInfo[]): string[] {
   );
 }
 
+function fieldMatches(field: string, value: number): boolean {
+  if (field === "*") return true;
+  return field.split(",").some((part) => {
+    if (part.includes("/")) {
+      const [range, stepStr] = part.split("/");
+      const step = parseInt(stepStr);
+      if (range === "*") return value % step === 0;
+      const [min, max] = range.split("-").map(Number);
+      return value >= min && value <= max && (value - min) % step === 0;
+    }
+    if (part.includes("-")) {
+      const [min, max] = part.split("-").map(Number);
+      return value >= min && value <= max;
+    }
+    return parseInt(part) === value;
+  });
+}
+
+function matchesCron(expr: string, date: Date): boolean {
+  const fields = expr.trim().split(/\s+/);
+  if (fields.length !== 5) return false;
+  const checks: [string, number][] = [
+    [fields[0], date.getMinutes()],
+    [fields[1], date.getHours()],
+    [fields[2], date.getDate()],
+    [fields[3], date.getMonth() + 1],
+    [fields[4], date.getDay()],
+  ];
+  return checks.every(([field, value]) => fieldMatches(field, value));
+}
+
 export async function runOverseer(config: OverseerConfig) {
   // Reconcile agent state on startup
   log("Reconciling agent state...");
@@ -338,5 +371,54 @@ export async function runOverseer(config: OverseerConfig) {
 
   setInterval(healthCheck, HEALTH_CHECK_INTERVAL);
 
+  // Cron agent scheduler — check every 60s
+  const CRON_CHECK_INTERVAL = 60_000;
+  const cronCheck = async () => {
+    const templates = listTemplates();
+    for (const tmplName of templates) {
+      try {
+        const template = loadTemplate(tmplName);
+        if (!template.schedule) continue;
+
+        const now = new Date();
+        if (!matchesCron(template.schedule, now)) continue;
+
+        const cronName = `${template.name}-cron`;
+
+        // Skip if already running
+        const running = listAgents();
+        if (running.some((a) => a.name === cronName)) continue;
+
+        log(`Cron trigger: spawning "${cronName}" from template "${tmplName}"`);
+        bot.say(config.channel, `Cron: spawning "${cronName}" from template "${tmplName}"`);
+
+        const info = await startAgent(tmplName, { name: cronName });
+        knownAgents.add(cronName);
+
+        // Schedule auto-destroy
+        const timeout = (template.schedule_timeout ?? 300) * 1000;
+        setTimeout(async () => {
+          try {
+            const current = listAgents();
+            if (current.some((a) => a.name === cronName)) {
+              log(`Cron timeout: destroying "${cronName}" after ${timeout / 1000}s`);
+              bot.say(config.channel, `Cron: destroying "${cronName}" (timeout ${timeout / 1000}s)`);
+              await stopAgent(cronName);
+              knownAgents.delete(cronName);
+            }
+          } catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            log(`Error destroying cron agent "${cronName}": ${msg}`);
+          }
+        }, timeout);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        log(`Cron error for template "${tmplName}": ${msg}`);
+      }
+    }
+  };
+
+  setInterval(cronCheck, CRON_CHECK_INTERVAL);
+
   log("Overseer started. Waiting for commands...");
 }