allow arbitrary bash by default

Author: dsyme

docs/ci-doctor.md

@@ -12,7 +12,7 @@ gh aw add ci-doctor -r githubnext/agentics --pr
 
 This creates a pull request to add the workflow to your repository. After merging the PR, the workflow will automatically trigger when monitored CI workflows fail. You cannot start this workflow manually as it responds to workflow failure events.
 
-**Checklist**
+**Mandatory Checklist**
 
 * [ ] If in a fork, enable GitHub Actions and Issues in the fork settings
 

docs/daily-accessibility-review.md

@@ -16,7 +16,9 @@ This creates an issue in your repository recording accessibility problems found.
 gh aw run daily-accessibility-review
 ```
 
-**Checklist**
+**Mandatory Checklist**
+
+* [ ] I understand that, by default, the agentic portion of this workflow will generate and run bash commands in the confine of the GitHub Actions VM, with network access.
 
 * [ ] If in a fork, enable GitHub Actions and Issues in the fork settings
 
@@ -57,7 +59,3 @@ After editing run `gh aw compile` to update the workflow and commit all changes
 - By default this workflow will trigger for at most 48 hours, after which it will stop triggering. 
 - This allows you to experiment with the workflow for a limited time before deciding whether to keep it active.
 
-## YOLO
-
-- If you're sufficiently isolated (e.g. operating in a fresh fork of an open source project, with Actions and Issues enabled ), you can enable all Bash commands by using `Bash: [":*"]` in the workflow file and then running `gh aw compile` to update the workflow. This may be useful for time-limited experiments.
-

docs/daily-dependency-updates.md

@@ -18,11 +18,11 @@ gh aw run daily-dependency-updates
 
 ❗IMPORTANT: GitHub Actions runs will **not** trigger on commits pushed by this workflow and will **not** tell you that CI has not been run unless you have enabled a specific custom check for this condition. **You must open/close the PR or hit "Update branch" if offered to trigger CI.Yes it's painful and yes it's just something you need to be aware of.
 
-**Checklist**
+**Mandatory Checklist**
 
 * [ ] I have read the notes on coding tasks in the [main README](../README.md) and understand the implications.
 
-* [ ] I am a repository admin or have sufficient permissions, and am happy for this workflow to push new branches to the repository.
+* [ ] I am a repository admin or have sufficient permissions, and am happy for the safe-outputs portion of this workflow to push new branches to the repository.
 
 * [ ] I have enabled "Allow GitHub Actions to create and approve pull requests" in the repository settings under "Actions > General"
 

docs/daily-perf-improver.md

@@ -24,11 +24,13 @@ gh aw run daily-perf-improver --repeat 180
 
 ❗IMPORTANT: GitHub Actions runs will **not** trigger on commits pushed by this workflow and will **not** tell you that CI has not been run unless you have enabled a specific custom check for this condition. **You must open/close the PR or hit "Update branch" if offered to trigger CI.Yes it's painful and yes it's just something you need to be aware of.
 
-**Checklist**
+**Mandatory Checklist**
+
+* [ ] I understand that, by default, the agentic portion of this workflow will generate and run bash commands in the confine of the GitHub Actions VM, with network access.
 
 * [ ] I have read the notes on coding tasks in the [main README](../README.md) and understand the implications.
 
-* [ ] I am a repository admin or have sufficient permissions, and am happy for this workflow to push new branches to the repository.
+* [ ] I am a repository admin or have sufficient permissions, and am happy for the safe-outputs portion of this workflow to push new branches to the repository.
 
 * [ ] I have enabled "Allow GitHub Actions to create and approve pull requests" in the repository settings under "Actions > General"
 
@@ -88,15 +90,3 @@ After editing run `gh aw compile` to update the workflow and commit all changes
 - By default this workflow will trigger for at most 48 hours, after which it will stop triggering. 
 - This allows you to experiment with the workflow for a limited time before deciding whether to keep it active.
 
-## YOLO
-
-If you're sufficiently isolated (e.g. operating in a fresh fork of an open source project, with Actions and Issues enabled ), you can enable all Bash commands. This is not recommended for production use, but may be useful for time-limited experiments in isolated forks.
-
-`.github/workflows/agentics/build-tools.md`:
-
-```yaml
----
-tools:
-  bash: ["*"] # YOLO mode - all bash commands allowed or list specific tools
----
-```

docs/daily-plan.md

@@ -16,7 +16,7 @@ This creates a pull request to add the workflow to your repository. After mergin
 gh aw run daily-plan
 ```
 
-**Checklist**
+**Mandatory Checklist**
 
 * [ ] If in a fork, enable GitHub Actions and Issues in the fork settings
 

docs/daily-qa.md

@@ -16,7 +16,9 @@ This creates a pull request to add the workflow to your repository. After mergin
 gh aw run daily-qa
 ```
 
-**Checklist**
+**Mandatory Checklist**
+
+* [ ] I understand that, by default, the agentic portion of this workflow will generate and run bash commands in the confine of the GitHub Actions VM, with network access.
 
 * [ ] If in a fork, enable GitHub Actions and Issues in the fork settings
 
@@ -57,8 +59,3 @@ After editing run `gh aw compile` to update the workflow and commit all changes
 
 - By default this workflow will trigger for at most 48 hours, after which it will stop triggering. 
 - This allows you to experiment with the workflow for a limited time before deciding whether to keep it active.
-
-## YOLO
-
-- If you're sufficiently isolated (e.g. operating in a fresh fork of an open source project, with Actions and Issues enabled ), you can enable all Bash commands by using `Bash: [":*"]` in the workflow file and then running `gh aw compile` to update the workflow. This may be useful for time-limited experiments.
-

docs/daily-team-status.md

@@ -16,7 +16,7 @@ This creates a pull request to add the workflow to your repository. After mergin
 gh aw run daily-team-status
 ```
 
-**Checklist**
+**Mandatory Checklist**
 
 * [ ] If in a fork, enable GitHub Actions and Issues in the fork settings
 

docs/daily-test-improver.md

@@ -18,11 +18,13 @@ gh aw run daily-test-improver
 
 ❗IMPORTANT: GitHub Actions runs will **not** trigger on commits pushed by this workflow and will **not** tell you that CI has not been run unless you have enabled a specific custom check for this condition. **You must open/close the PR or hit "Update branch" if offered to trigger CI.Yes it's painful and yes it's just something you need to be aware of.
 
-**Checklist**
+**Mandatory Checklist**
+
+* [ ] I understand that, by default, the agentic portion of this workflow will generate and run bash commands in the confine of the GitHub Actions VM, with network access.
 
 * [ ] I have read the notes on coding tasks in the [main README](../README.md) and understand the implications.
 
-* [ ] I am a repository admin or have sufficient permissions, and am happy for this workflow to push new branches to the repository.
+* [ ] I am a repository admin or have sufficient permissions, and am happy for the safe-outputs portion of this workflow to push new branches to the repository.
 
 * [ ] I have enabled "Allow GitHub Actions to create and approve pull requests" in the repository settings under "Actions > General"
 
@@ -75,8 +77,3 @@ After editing run `gh aw compile` to update the workflow and commit all changes
 
 - By default this workflow will trigger for at most 48 hours, after which it will stop triggering. 
 - This allows you to experiment with the workflow for a limited time before deciding whether to keep it active.
-
-## YOLO
-
-- If you're sufficiently isolated (e.g. operating in a fresh fork of an open source project, with Actions and Issues enabled ), you can enable all Bash commands by using `Bash: [":*"]` in the workflow file and then running `gh aw compile` to update the workflow. This may be useful for time-limited experiments.
-

docs/issue-triage.md

@@ -12,7 +12,7 @@ gh aw add issue-triage -r githubnext/agentics --pr
 
 This creates a pull request to add the workflow to your repository. You can't start a run of this workflow directly as it is triggered in the context of an issue.
 
-**Checklist**
+**Mandatory Checklist**
 
 * [ ] If in a fork, enable GitHub Actions and Issues in the fork settings
 

docs/pr-fix.md

@@ -32,11 +32,13 @@ To trigger the workflow on a specific pull request, add a comment with the comma
 
 IMPORTANT: GitHub Actions runs will **not** trigger on commits pushed by this workflow and will **not** tell you that CI has not been run unless you have enabled a specific custom check for this condition. **You must open/close the PR or hit "Update branch" if offered to trigger CI.Yes it's painful and yes it's just something you need to be aware of.
 
-**Checklist**
+**Mandatory Checklist**
 
 * [ ] I have read the notes on coding tasks in the [main README](../README.md) and understand the implications.
 
-* [ ] I am a repository admin or have sufficient permissions, and am happy for this workflow to push new branches to the repository.
+* [ ] I understand that, by default, the agentic portion of this workflow will generate and run bash commands in the confine of the GitHub Actions VM, with network access.
+
+* [ ] I am a repository admin or have sufficient permissions, and am happy for the safe-outputs portion of this workflow to push new branches to the repository.
 
 * [ ] I have enabled "Allow GitHub Actions to create and approve pull requests" in the repository settings under "Actions > General"