// operate · 01

Security and conformance

The conformance posture is authoritative, not scaffold: okami.policy.yaml defines the real rules and CI runs okami policy check as a gate. Philosophy: subscription-…

Go / No-Go (approval)

The agent can edit any file on request; sensitive actions (identity, .env, rm -rf, git push, sudo, publish) stop and ask for approval. classify() gives a category + risk. The prompt offers 4 options: allow once · allow session · always allow (persists) · deny. Fail-closed with no response.

modebehavior
manualalways asks for approval (default)
smartauto-approves low risk, asks for the rest
offno prompts
yolosession bypass (-y / --yolo)

The policy

okami.policy.yaml is the project's real posture (no secrets — just rules). CI runs it as a gate:

ruleposture
approvals.mode_allowmanual, smart — yolo/off fail
providers.allowonly lmstudio, codex, claude, minimax, mimo
secrets.forbid_literal_in_yamla literal secret in YAML fails
channels.forbid_open_ingressallow_all fails → use allow_chats
gateway.require_tokenHTTP API requires OKAMI_API_TOKEN
mcp.max_trustthird-party MCP goes through go/no-go
okami policy check          # evaluate config+workspace (CI gate)
okami policy check --strict # PRODUCTION/GA posture (hostile environment)
okami doctor --lint         # posture lint (pass/warn/fail)

Secrets and shell

run_shell and shell_ok run with sanitized_env(): keys, tokens and secrets are stripped from the environment. So neither prompt injection nor generated code can exfiltrate a credential via the shell.

Sandbox and production

Docker by default for real isolation; sandbox: { backend: docker }. For public deploy, run okami policy check --strict: exposed without Docker FAILS (it doesn't degrade). In dev the posture is friendly so it won't break your machine.

Open this page in the interactive docs