Read-only lockdown: remove write tools, update Nemo system prompt #20

Open
opened 2026-03-29 20:12:35 +00:00 by forgejo_admin · 1 comment

Type

Feature

Lineage

Standalone — safety scoping for V1 launch.

Repo

forgejo_admin/westside-ai-assistant

User Story

As Marcus (admin)
I want Nemo to only be able to look up information, not modify anything
So that I can trust the bot in the GroupMe group without worrying about accidental data changes

Context

V1 is read-only. All 7 write tools (update_player, assign_player_to_team, remove_player_from_team, toggle_player_visibility, create_team, checkin_player, bulk_assign_tryout_numbers) must be removed from the active tool set. The confirmation.py module stays in the codebase (dormant) for future write support. The system prompt must explicitly state Nemo is read-only and what it CAN do when Marcus asks "what can you do?"

File Targets

Files the agent should modify:

  • app/ai.py (or app/tool_registry.py if #18 merges first) — remove all write tool definitions from the active set. Keep handler code in repo for future use.
  • prompts/system.md (or inline SYSTEM_PROMPT if #18 hasn't merged) — update to: "You are Nemo, the Westside basketball program assistant. You help Marcus look up program information — player details, team rosters, payment status, and program stats. You CANNOT make changes to any data. If Marcus asks you to update, create, or delete anything, explain that you're read-only and suggest he use the web app at westsidekingsandqueens.tail5b443a.ts.net. When asked 'what can you do?', list your exact capabilities."

Files the agent should NOT touch:

  • app/confirmation.py — keep dormant, don't delete
  • app/basketball.py — keep all functions (reads AND writes), only the tool exposure changes

Acceptance Criteria

  • Only 7 read tools are exposed to the AI model (no write tools in tool definitions)
  • System prompt explicitly states read-only and lists capabilities
  • "What can you do?" produces a controlled, accurate capability list
  • Asking to "update player height" gets a polite refusal with web app link
  • basketball.py write functions remain in codebase (not deleted)
  • confirmation.py remains in codebase (not deleted)

Test Expectations

  • Unit test: tool definitions contain only read operations (7 tools)
  • Unit test: no tool named update_*, assign_*, remove_*, toggle_*, create_*, checkin_*, bulk_* in active set
  • Unit test: system prompt contains "read-only" or "cannot make changes"
  • Run command: pytest tests/ -v
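The checks the three unit tests above describe, as an added example that is not code from the westside-ai-assistant repo: the seven write tool names and the system prompt text are taken from this issue, while the read tool names (get_player, list_players, and so on) are constructed placeholders because the issue does not list the real ones.

```python
"""Added example, not code from the westside-ai-assistant repo: a read-only
tool registry plus the checks the ticket's unit tests describe. Write tool
names and the prompt come from the issue; read tool names are constructed."""

# Prefixes the ticket says must not appear in the active tool set.
WRITE_TOOL_PREFIXES = ("update_", "assign_", "remove_", "toggle_",
                       "create_", "checkin_", "bulk_")

# Write handlers stay in the codebase (dormant) but are never registered.
DORMANT_WRITE_TOOLS = (
    "update_player", "assign_player_to_team", "remove_player_from_team",
    "toggle_player_visibility", "create_team", "checkin_player",
    "bulk_assign_tryout_numbers")

# Constructed read tools: the issue does not list the real seven names.
ACTIVE_TOOLS = [{"name": n} for n in (
    "get_player", "list_players", "get_team_roster", "list_teams",
    "get_payment_status", "get_program_stats", "search_players")]

SYSTEM_PROMPT = (
    "You are Nemo, the Westside basketball program assistant. You help "
    "Marcus look up program information: player details, team rosters, "
    "payment status, and program stats. You CANNOT make changes to any "
    "data. If Marcus asks you to update, create, or delete anything, "
    "explain that you're read-only and suggest he use the web app at "
    "westsidekingsandqueens.tail5b443a.ts.net. When asked 'what can you "
    "do?', list your exact capabilities.")

def is_write_tool(name: str) -> bool:
    """True if the tool name carries one of the forbidden write prefixes."""
    return name.startswith(WRITE_TOOL_PREFIXES)

def validate_active_tools(tools, expected_count: int = 7) -> list:
    """Return the problems found; an empty list means the set is read-only."""
    problems = [f"write tool exposed: {t['name']}"
                for t in tools if is_write_tool(t["name"])]
    if len(tools) != expected_count:
        problems.append(f"expected {expected_count} tools, got {len(tools)}")
    return problems

def prompt_declares_read_only(prompt: str) -> bool:
    """The prompt must say read-only (or cannot make changes) and link the app."""
    text = prompt.lower()
    return (("read-only" in text or "cannot make changes" in text)
            and "westsidekingsandqueens.tail5b443a.ts.net" in text)
```

Wiring `validate_active_tools` into the tool-definition builder (rather than only into a test) makes an accidentally re-registered write handler fail at startup instead of at the next review.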

Constraints

  • This ticket can be done independently of #18 (restructure) — if #18 hasn't merged, modify ai.py inline. If #18 has merged, modify tool_registry.py and prompts/system.md.
  • Write tool handler code stays in the codebase — just not registered/exposed
  • System prompt must include the web app URL for write operations

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-westside-ai-assistant — parent project
  • story-westside-ai-assistant-read-ops — this IS the V1 story
  • story-westside-ai-assistant-safety — read-only is the safety model
Author
Owner

Scope Review: READY

Review note: review-685-2026-03-28

Scope is solid. All file targets verified against the live codebase. Template is complete (11/11 sections). 7 write tool names in the issue match the 7 write tools in app/ai.py exactly. Conditional logic for #18 dependency is correct (#18 is still open, so the ai.py inline path applies).

One pre-existing [SCOPE] item carried forward from prior reviews:

  • arch-A2 note does not exist in pal-e-docs (not a blocker for this ticket)
Reference
forgejo_admin/westside-ai-assistant#20