bone-agent 1.3.0

package/src/utils/safe_commands.py

@@ -0,0 +1,243 @@
+"""Structured command safety system for auto-approval.
+
+Replaces the flat ALLOWED_COMMANDS whitelist with a command+subcommand
+granularity system that distinguishes read-only operations from mutations.
+
+Design principles:
+- No args = not safe (for commands with subcommand variants)
+- Gate anything that has potential to be unsafe
+- Deny-by-default: commands not in the dict require approval
+- Compound flags use longest-prefix matching
+"""
+
+import os
+import shlex
+from utils.validation import CHAINING_OPERATORS
+
+
+# ---------------------------------------------------------------------------
+# SAFE_COMMAND_RULES
+# ---------------------------------------------------------------------------
+# Maps command names to their safety profile:
+#   None  → always safe (inherently read-only, e.g., ps, pwd)
+#   set() → only safe for listed subcommands/flags
+#
+# Platform normalization strips .exe suffix and lowercases before lookup.
+
+SAFE_COMMAND_RULES: dict[str, frozenset | None] = {
+    # --- Always safe (truly read-only, no mutating subcommands) ---
+    "pwd": None,
+    "which": None,
+    "whereis": None,
+    "uname": None,
+    "hostname": None,
+    "uptime": None,
+    "date": None,
+    "cal": None,
+    "whoami": None,
+    "id": None,
+    "env": frozenset({"--version", "--help"}),
+    "printenv": frozenset({"--version", "--help"}),
+    "lscpu": None,
+    "lsblk": None,
+    "file": None,
+    "stat": None,
+    "md5sum": None,
+    "sha256sum": None,
+    "free": None,
+    "df": None,
+    "du": None,
+    "dmesg": None,
+    "ltrace": None,
+    "ps": None,
+    "pgrep": None,
+    "pidof": None,
+    "lsof": None,
+    "ping": None,
+    "nslookup": None,
+    "dig": None,
+    "ss": None,
+    "ifconfig": None,
+    "netstat": None,
+    "journalctl": None,
+    "apt-cache": None,
+    "apt-show": None,
+    "dpkg-query": None,
+
+    # --- Subcommand-gated (safe only for specific read-only operations) ---
+    "git": frozenset({
+        "status", "log", "diff", "show", "branch",
+        "remote", "tag",
+        "rev-parse", "shortlog", "describe", "symbolic-ref",
+        "reflog", "name-rev", "blame", "annotate",
+        "for-each-ref", "ls-files", "ls-tree", "ls-remote",
+    }),
+    "pip": frozenset({"show", "list", "--version", "check", "debug", "index", "inspect"}),
+    "pip3": frozenset({"show", "list", "--version", "check", "debug", "index", "inspect"}),
+    "npm": frozenset({"list", "ls", "view", "version", "outdated", "pack", "info", "doctor", "audit"}),
+    "node": frozenset({"--version"}),
+    "python": frozenset({"--version"}),
+    "python3": frozenset({"--version"}),
+    "pacman": frozenset({
+        "-Q", "-Qi", "-Ql", "-Qo", "-Qs", "-Qt",
+        "-F", "-Si", "-Ss", "-Fl", "-G",
+    }),
+    "dpkg": frozenset({"-l", "-s", "-S", "-L", "-p", "--verify", "--audit"}),
+    "rpm": frozenset({"-q", "-qa", "-qi", "-ql", "-qf", "--queryformat"}),
+    "dnf": frozenset({"list", "info", "search", "check-update", "repoquery"}),
+    "yum": frozenset({"list", "info", "search", "check-update"}),
+    "systemctl": frozenset({
+        "status", "list-units", "list-unit-files", "show",
+        "is-active", "is-enabled", "cat", "list-timers",
+        "list-sockets", "list-jobs",
+    }),
+    "service": frozenset({"--status-all"}),  # "service <name> status" handled by _is_safe_service_command
+    "ip": frozenset({"addr", "address", "link", "route", "neigh", "maddr", "rule", "netns"}),
+
+    # --- Windows equivalents ---
+    "where": None,
+    "systeminfo": None,
+    "Get-Process": None,
+    "Get-Service": None,
+    "Get-ChildItem": None,
+    "Get-Content": None,
+    "Get-Location": None,
+    "Test-Connection": None,
+    "Get-NetIPAddress": None,
+}
+
+
+# Sub-subcommand deny lists for commands where the first arg passes safety
+# but later args can be mutating. Checked AFTER first-arg matching.
+# If any token appears in the deny list, the command is rejected.
+_IP_MUTATING_VERBS = frozenset({
+    "set", "add", "delete", "replace", "flush", "change",
+})
+
+# Commands that need deep token scanning mapped to their deny sets.
+_DEEP_SCAN_RULES: dict[str, frozenset] = {
+    "ip": _IP_MUTATING_VERBS,
+}
+
+
+def _tokenize(command: str) -> list[str]:
+    """Tokenize a command string using platform-appropriate splitting."""
+    use_posix = os.name != "nt"
+    try:
+        return shlex.split(command, posix=use_posix)
+    except ValueError:
+        return command.split()
+
+
+def _normalize_command_name(name: str) -> str:
+    """Normalize a command name for lookup.
+
+    Strips .exe suffix and lowercases. Does NOT normalize PowerShell
+    cmdlet casing (case-insensitive lookup handles that).
+    """
+    if name.lower().endswith(".exe"):
+        name = name[:-4]
+    return name.lower()
+
+
+def _matches_safe_subcommand(arg: str, safe_set: frozenset) -> bool:
+    """Check if an argument matches any entry in the safe subcommand set.
+
+    Uses longest-prefix matching for flag-style arguments:
+    e.g., if '-Qi' is safe, then '-Qil' also matches.
+    For word-style subcommands (e.g., git 'status'), exact match only.
+
+    Comparison is case-insensitive.
+    """
+    arg_lower = arg.lower()
+
+    # Build lowercase version of safe_set for case-insensitive comparison
+    safe_lower = {s.lower() for s in safe_set}
+
+    # Exact match
+    if arg_lower in safe_lower:
+        return True
+
+    # Longest-prefix match for flags (arguments starting with -)
+    if arg_lower.startswith("-"):
+        # Try progressively shorter prefixes
+        for length in range(len(arg_lower) - 1, 1, -1):
+            prefix = arg_lower[:length]
+            if prefix in safe_lower:
+                return True
+
+    return False
+
+
+def is_safe_command(command: str) -> bool:
+    """Check if a command should be auto-approved (safe, read-only).
+
+    A command is auto-approved when:
+    1. It contains no chaining/redirection operators
+    2. The command name is in SAFE_COMMAND_RULES
+    3. If gated (has a set of safe subcommands), the first argument
+       matches an entry in the set
+    4. If always-safe (None), it's approved with or without args
+
+    Args:
+        command: Command string to validate
+
+    Returns:
+        bool: True if the command is safe to auto-approve
+    """
+    command = command.strip()
+    if not command:
+        return False
+
+    # Strip "powershell " prefix if present (legacy support for Windows users)
+    if command.lower().startswith("powershell "):
+        command = command[len("powershell "):].strip()
+
+    # Reject any command containing chaining/redirection operators
+    if CHAINING_OPERATORS.search(command):
+        return False
+
+    # Tokenize and get command name
+    tokens = _tokenize(command)
+    if not tokens:
+        return False
+
+    cmd_name = _normalize_command_name(tokens[0])
+
+    # Look up in rules (deny-by-default)
+    if cmd_name not in SAFE_COMMAND_RULES:
+        # Unknown command — require approval
+        return False
+
+    rule = SAFE_COMMAND_RULES[cmd_name]
+    if rule is None:
+        # Always-safe command (e.g., ps, pwd)
+        return True
+
+    if not rule:
+        # Empty frozenset — no safe subcommands defined, deny
+        return False
+
+    # Gated command — need at least one subcommand arg
+    if len(tokens) < 2:
+        return False
+
+    # Check first argument against safe subcommand set
+    first_arg = tokens[1]
+
+    # Special case: "service <name> status" — the safe subcommand is the LAST arg
+    if cmd_name == "service" and len(tokens) >= 3 and tokens[-1].lower() == "status":
+        return True
+
+    if not _matches_safe_subcommand(first_arg, rule):
+        return False
+
+    # Deep scan: for commands with known mutating sub-subcommands,
+    # reject if any remaining token matches the deny list.
+    deny_set = _DEEP_SCAN_RULES.get(cmd_name)
+    if deny_set and len(tokens) > 2:
+        for tok in tokens[2:]:
+            if tok.lower() in deny_set:
+                return False
+
+    return True

package/src/utils/settings.py

@@ -0,0 +1,174 @@
+"""Centralized configuration for bone-agent."""
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Set
+
+# Load config from llm.config
+# Note: src/ is added to sys.path in main.py, so we can import directly
+from llm.config import _CONFIG
+
+# Styles and themes
+from pygments.styles.monokai import MonokaiStyle
+
+
+class MonokaiDarkBGStyle(MonokaiStyle):
+    """Monokai style with dark background for code highlighting."""
+    background_color = "#141414"
+
+
+_HEADING_RE = re.compile(r'^(#{1,6})\s+(.+)$', re.MULTILINE)
+
+
+def left_align_headings(text: str) -> str:
+    """Strip markdown heading markers to avoid Rich's centering."""
+    return _HEADING_RE.sub(lambda m: m.group(2), text)
+
+
+@dataclass
+class ServerSettings:
+    """Local llama-server configuration."""
+    ngl_layers: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("ngl_layers", 30))
+    ctx_size: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("ctx_size", 8192))
+    n_predict: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("n_predict", 8192))
+    rope_scale: float = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("rope_scale", 1.0))
+    health_check_timeout_sec: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("health_check_timeout_sec", 120))
+    health_check_interval_sec: float = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("health_check_interval_sec", 1.0))
+
+
+@dataclass
+class ToolSettings:
+    """Tool execution limits and defaults."""
+    max_tool_calls: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_tool_calls", 100))
+    command_timeout_sec: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("command_timeout_sec", 30))
+    enable_parallel_execution: bool = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("enable_parallel_execution", True))
+    max_parallel_workers: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_parallel_workers", 10))
+    max_command_output_lines: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_command_output_lines", 100))
+    max_shell_output_lines: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_shell_output_lines", 200))
+    max_file_preview_lines: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_file_preview_lines", 200))
+    disabled_tools: list = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("disabled_tools", []))
+
+@dataclass
+class FileSettings:
+    """File scanning and reading limits."""
+    max_file_bytes: int = field(default_factory=lambda: _CONFIG.get("FILE_SETTINGS", {}).get("max_file_bytes", 200_000))
+    max_total_bytes: int = field(default_factory=lambda: _CONFIG.get("FILE_SETTINGS", {}).get("max_total_bytes", 1_500_000))
+    exclude_dirs: Set[str] = None
+
+    def __post_init__(self):
+        if self.exclude_dirs is None:
+            config_exclude = _CONFIG.get("FILE_SETTINGS", {}).get("exclude_dirs")
+            if config_exclude:
+                self.exclude_dirs = set(config_exclude)
+            else:
+                self.exclude_dirs = {".git", ".venv", "llama.cpp", "bin", "__pycache__"}
+
+
+@dataclass
+class ToolCompactionSettings:
+    """Per-message tool result compaction settings."""
+    enable_per_message_compaction: bool = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("tool_compaction", {}).get("enable_per_message_compaction", True))
+    uncompacted_tail_tokens: int = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("tool_compaction", {}).get("uncompacted_tail_tokens", 40_000))
+    min_tool_blocks: int = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("tool_compaction", {}).get("min_tool_blocks", 5))
+    compact_failed_tools: bool = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("tool_compaction", {}).get("compact_failed_tools", True))
+
+
+@dataclass
+class SubAgentSettings:
+    """Sub-agent token limits and behavior configuration."""
+    soft_limit_tokens: int = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("soft_limit_tokens", 300_000))
+    hard_limit_tokens: int = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("hard_limit_tokens", 500_000))
+    enable_compaction: bool = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("enable_compaction", True))
+    compact_trigger_tokens: int = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("compact_trigger_tokens", 50_000))
+    allowed_tools: list = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("allowed_tools", ["rg", "read_file", "list_directory", "web_search"]))
+    dump_context_on_hard_limit: bool = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("dump_context_on_hard_limit", True))
+
+
+# Context compaction settings
+@dataclass
+class ContextSettings:
+    """Context compaction thresholds and defaults."""
+    compact_trigger_tokens: int = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("compact_trigger_tokens", 100_000))
+    max_context_window: int = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("max_context_window", 200_000))
+    log_conversations: bool = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("log_conversations", False))
+    conversations_dir: str = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("conversations_dir", "conversations"))
+    notify_auto_compaction: bool = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("notify_auto_compaction", True))
+    tool_compaction: ToolCompactionSettings = field(default_factory=ToolCompactionSettings)
+    hard_limit_tokens: int = field(init=False, repr=False)
+
+    def __post_init__(self):
+        _ctx = _CONFIG.get("CONTEXT_SETTINGS", {})
+        if "hard_limit_tokens" in _ctx:
+            self.hard_limit_tokens = _ctx["hard_limit_tokens"]
+        else:
+            self.hard_limit_tokens = int(self.max_context_window * 0.9)
+
+
+@dataclass
+class ObsidianSettings:
+    """Obsidian vault integration settings.
+
+    Supports runtime updates via update() method for /obsidian commands.
+    """
+    vault_path: str = field(default_factory=lambda: _CONFIG.get("OBSIDIAN_SETTINGS", {}).get("vault_path", ""))
+    enabled: bool = field(default_factory=lambda: _CONFIG.get("OBSIDIAN_SETTINGS", {}).get("enabled", False))
+    exclude_folders: str = field(default_factory=lambda: _CONFIG.get("OBSIDIAN_SETTINGS", {}).get("exclude_folders", ".obsidian,.trash,node_modules,.git,__pycache__"))
+    project_base: str = field(default_factory=lambda: _CONFIG.get("OBSIDIAN_SETTINGS", {}).get("project_base", "Dev"))
+
+    def update(self, **kwargs):
+        """Update settings fields at runtime.
+
+        Args:
+            **kwargs: Field names and values to update
+        """
+        from dataclasses import fields
+        valid_keys = {f.name for f in fields(self)}
+        for key, value in kwargs.items():
+            if key in valid_keys:
+                setattr(self, key, value)
+
+    def is_configured(self) -> bool:
+        """Check if Obsidian integration is configured in settings.
+
+        Returns:
+            True if enabled and vault_path is set (does NOT validate disk)
+        """
+        return self.enabled and bool(self.vault_path)
+
+    def is_active(self) -> bool:
+        """Check if Obsidian integration is fully operational.
+
+        Validates the vault path exists on disk and contains .obsidian/.
+
+        Returns:
+            True if enabled, vault_path is set, and vault is valid on disk
+        """
+        if not self.enabled or not self.vault_path:
+            return False
+        root = Path(self.vault_path).resolve()
+        if not root.is_dir():
+            return False
+        return (root / ".obsidian").is_dir()
+
+    @property
+    def exclude_folders_list(self) -> list:
+        """Return exclude_folders as a pre-parsed list of strings.
+
+        Avoids repeated str.split(",") on every rg call.
+        """
+        return [f.strip() for f in self.exclude_folders.split(",") if f.strip()]
+
+
+# Global instances
+server_settings = ServerSettings()
+tool_settings = ToolSettings()
+file_settings = FileSettings()
+context_settings = ContextSettings()
+sub_agent_settings = SubAgentSettings()
+obsidian_settings = ObsidianSettings()
+
+# Tool execution constants
+MAX_TOOL_CALLS = tool_settings.max_tool_calls
+MAX_COMMAND_OUTPUT_LINES = tool_settings.max_command_output_lines
+MAX_SHELL_OUTPUT_LINES = tool_settings.max_shell_output_lines
+MAX_FILE_PREVIEW_LINES = tool_settings.max_file_preview_lines

package/src/utils/validation.py

@@ -0,0 +1,191 @@
+"""Command validation."""
+
+import os
+import re
+import shlex
+from urllib.parse import urlparse
+
+# Shell operators that indicate command chaining or redirection.
+# Shared between validation.py and shell.py — keep in one place to avoid drift.
+# Matches: &&, ||, ;, |, >, <, backticks, $(), ${}, newlines
+# NOTE: Alternations are sorted longest-first so that '&&' and '||' match
+# before '|' — reordering the raw list is safe because we sort at runtime.
+_RAW_CHAINING_PATTERNS = ["&&", "||", ";", "|", ">", "<", "`", "$(", "${", "\n", "\r"]
+CHAINING_OPERATORS = re.compile(
+    "|".join(re.escape(p) for p in sorted(_RAW_CHAINING_PATTERNS, key=len, reverse=True))
+)
+
+# Localhost patterns allowed over plain HTTP (no TLS needed for loopback)
+_LOCALHOST_HOSTS = frozenset({"localhost", "127.0.0.1", "::1", "0.0.0.0"})
+
+
+def validate_api_url(url: str) -> tuple[bool, str]:
+    """Validate an API base URL for security.
+
+    Enforces HTTPS for all non-localhost endpoints.
+    Rejects obviously malformed URLs.
+
+    Returns:
+        (is_valid, error_message)
+    """
+    try:
+        parsed = urlparse(url)
+    except Exception:
+        return False, f"Malformed URL: {url}"
+
+    if parsed.scheme not in ("http", "https"):
+        return False, f"Invalid URL scheme '{parsed.scheme}', expected http or https"
+
+    if parsed.scheme == "http" and parsed.hostname not in _LOCALHOST_HOSTS:
+        return False, (
+            f"Plain HTTP is not allowed for remote endpoints. "
+            f"Use HTTPS for {parsed.hostname or url}"
+        )
+
+    return True, ""
+
+
+# Commands that should be silently rejected in execute_command (redirect to native tools)
+# These are commands that have better native tool equivalents
+SILENT_COMMAND_BLOCKED = {
+    # Code search (use rg tool)
+    "rg", "rg.exe", "ripgrep",
+
+    # File reading (use read_file tool)
+    "cat", "get-content", "type",
+
+    # Directory listing (use list_directory tool)
+    "ls", "get-childitem", "dir",
+
+    # File creation (use create_file tool)
+    "touch", "new-item",
+
+    # File editing (use edit_file tool)
+    "set-content", "add-content", "echo", "tee",
+
+    # Additional shell commands that should use native tools
+    "grep", "find", "head", "tail", "sed", "awk", "sort", "uniq", "wc",
+}
+
+
+
+def check_for_silent_blocked_command(command):
+    """Check if command should be silently blocked (redirect to native tool).
+
+    Args:
+        command: Command string to validate
+
+    Returns:
+        tuple: (is_blocked, reprompt_message)
+               is_blocked is True if command should be silently blocked
+               reprompt_message contains guidance for the AI on what tool to use
+    """
+    command = command.strip()
+    if not command:
+        return False, None
+
+    # Strip "powershell " prefix if present
+    if command.lower().startswith("powershell "):
+        command = command[len("powershell "):].strip()
+
+    # For chained commands, only skip silent blocking if the FIRST command
+    # is not a blocked tool. e.g. "cd /var/log && tail -f" is allowed, but
+    # "cat file && echo done" is still redirected to read_file.
+    if CHAINING_OPERATORS.search(command):
+        first_segment = CHAINING_OPERATORS.split(command, maxsplit=1)[0].strip()
+        first_tokens = _tokenize_segment(first_segment)
+        if first_tokens and first_tokens[0].lower() not in SILENT_COMMAND_BLOCKED:
+            return False, None
+        # else: fall through to blocked check below
+
+    # Tokenize and get command name
+    tokens = _tokenize_segment(command)
+    if not tokens:
+        return False, None
+
+    cmd_name = tokens[0].lower()
+
+    # Check if command is in the silent blocked list
+    if cmd_name in SILENT_COMMAND_BLOCKED:
+        tool_map = {
+            "rg": "rg tool", "rg.exe": "rg tool", "ripgrep": "rg tool",
+            "cat": "read_file tool", "get-content": "read_file tool", "type": "read_file tool",
+            "ls": "list_directory tool", "get-childitem": "list_directory tool", "dir": "list_directory tool",
+            "touch": "create_file tool", "new-item": "create_file tool",
+            "set-content": "edit_file tool", "add-content": "edit_file tool", "echo": "edit_file tool", "tee": "edit_file tool",
+            "grep": "rg tool for code search, or read_file tool for searching within a file",
+            "find": "list_directory tool with recursive=True for listing files, or rg tool for searching content",
+            "head": "read_file tool with start_line=1 and max_lines=N",
+            "tail": "read_file tool with start_line and max_lines parameters",
+            "sed": "edit_file tool for text replacements",
+            "awk": "read_file tool followed by post-processing, or use rg tool for pattern matching",
+            "sort": "read_file tool then process results",
+            "uniq": "read_file tool then process results",
+            "wc": "read_file tool shows line counts",
+        }
+        tool_suggestion = tool_map.get(cmd_name, "appropriate native tool")
+        reprompt_msg = (
+            f"Use the {tool_suggestion} instead of '{cmd_name}'. "
+            f"Native tools provide better integration with the system."
+        )
+        return True, reprompt_msg
+
+    return False, None
+
+
+
+def _tokenize_segment(segment):
+    use_posix = os.name != "nt"
+    try:
+        return shlex.split(segment, posix=use_posix)
+    except ValueError:
+        return segment.split()
+
+
+def check_command(command):
+    """Perform basic structural validation on a command.
+
+    Rejects empty commands and nested powershell invocations.
+    Approval and safety checks are handled upstream by the caller.
+
+    Args:
+        command: Command string to validate
+
+    Returns:
+        tuple: (is_valid, reason) - is_valid is True if the command
+               has a non-empty structure. reason is set on rejection.
+    """
+    command = command.strip()
+    if not command:
+        return False, "empty command"
+
+    # Strip "powershell " prefix if present (legacy support for Windows users)
+    if command.lower().startswith("powershell "):
+        command = command[len("powershell "):].strip()
+
+    # After stripping prefix, reject if it still starts with "powershell"
+    if command.lower().startswith("powershell"):
+        return False, "nested powershell invocation"
+
+    # Basic validation - ensure command has content
+    tokens = _tokenize_segment(command)
+    if not tokens:
+        return False, "empty command"
+
+    # Allow all other commands
+    return True, None
+
+
+def is_auto_approved_command(command):
+    """Check if a command should be auto-approved (safe, read-only commands).
+
+    Delegates to the structured safety system in utils.safe_commands.
+
+    Args:
+        command: Command string to validate
+
+    Returns:
+        bool: True if command is safe to auto-approve
+    """
+    from utils.safe_commands import is_safe_command
+    return is_safe_command(command)