Security and conformance
The conformance posture is authoritative, not scaffold: okami.policy.yaml defines the real rules and CI runs okami policy check as a gate. Philosophy: subscription-…
Go / No-Go (approval)
The agent can edit any file on request; sensitive actions (identity, .env, rm -rf, git push, sudo, publish) stop and ask for approval. classify() gives a category + risk. The prompt offers 4 options: allow once · allow session · always allow (persists) · deny. Fail-closed with no response.
| mode | behavior |
|---|---|
| manual | always asks for approval (default) |
| smart | auto-approves low risk, asks for the rest |
| off | no prompts |
| yolo | session bypass (-y / --yolo) |
The policy
okami.policy.yaml is the project's real posture (no secrets — just rules). CI runs it as a gate:
| rule | posture |
|---|---|
| approvals.mode_allow | manual, smart — yolo/off fail |
| providers.allow | only lmstudio, codex, claude, minimax, mimo |
| secrets.forbid_literal_in_yaml | a literal secret in YAML fails |
| channels.forbid_open_ingress | allow_all fails → use allow_chats |
| gateway.require_token | HTTP API requires OKAMI_API_TOKEN |
| mcp.max_trust | third-party MCP goes through go/no-go |
okami policy check # evaluate config+workspace (CI gate)
okami policy check --strict # PRODUCTION/GA posture (hostile environment)
okami doctor --lint # posture lint (pass/warn/fail)Secrets and shell
run_shell and shell_ok run with sanitized_env(): keys, tokens and secrets are stripped from the environment. So neither prompt injection nor generated code can exfiltrate a credential via the shell.
Sandbox and production
Docker by default for real isolation; sandbox: { backend: docker }. For public deploy, run okami policy check --strict: exposed without Docker FAILS (it doesn't degrade). In dev the posture is friendly so it won't break your machine.

