Auto-approval & guardrails

Let agents keep moving with a rules engine, while a hard deny-list, audit trail and kill-switch keep you safe — at any autonomy level.

OFM can auto-answer repetitive confirmations so agents don’t stall — without giving up safety. You choose how much autonomy to grant; the guardrails hold regardless.

Autonomy levels

Set the level globally, or override it per project:

  • human — always ask. Nothing is auto-injected (beyond the hard deny-list below).
  • allowlist — the safe default. Only confirmations matching an explicit rule are auto-approved.
  • broad — auto-approve simple approvals by default (still subject to the deny-list).

The rules engine

A rule maps a confirmation pattern to allow or deny. Rules are evaluated by a strict pipeline (first match wins): kill-switch → hard deny-list → human level → user deny → allow rule → broad default → otherwise ask a human.

Rules can be scoped (global or per project), limited to a provider, and matched by exact action, action prefix, command regex, path glob, or choice kind.

Learning from the queue

Resolve a confirmation in the queue with “remember” and OFM creates a rule from it (conservative by default: project-scoped, provider-scoped, action-prefix). For bulk runs there is “remember for the whole campaign” — resolve a credit/permission prompt once and the other units auto-pass, which is essential at 200+ units.

Hard deny-list

A non-removable, compiled deny-list always wins — destructive commands (rm -rf, git push, git reset --hard, fork bombs, disk writes, piping the network into a shell, …). Depending on your setting, a hard-denied action is either auto-refused or surfaced to you with a red banner; it is never auto-approved.

Kill-switch (and pause engine)

Two independent switches:

  • Kill-switch — stops all auto-injection of confirmations. Agents keep running; you answer everything by hand.
  • Pause engine — (for Plan) stops scheduling new work; live sessions finish their current unit but nothing new is launched.

Honesty

The audit log explains every decision and lets you correct or disable a rule — but it does not undo effects an agent already produced on disk. Guardrails are about preventing and explaining, not time travel.

← Previous
Mission Control
Next →
Plan — overview