feat(safety): gate sensitive tools behind elevation and immutable denylist

docs/plans/state.json

@@ -5077,6 +5077,25 @@
       ],
       "test_status": "pnpm test:run src/session/manager.test.ts src/gateway/handlers/handlers.test.ts + pnpm typecheck passing"
     },
+    "sensitive-tool-gating-with-elevation": {
+      "status": "completed",
+      "date": "2026-02-18",
+      "updated": "2026-02-18",
+      "summary": "Implemented fail-closed sensitive tool gating for unrestricted deployments by adding `agents.sensitive_mode` and `agents.immutable_denylist`, enforcing immutable deny rules in `ToolExecutor`, requiring `/elevate` before host execution of sensitive tools in deny mode, and preserving explicit per-call confirmation during elevation. Added schema and executor regression coverage and documented operator configuration.",
+      "files_modified": [
+        "src/config/schema.ts",
+        "src/config/schema.test.ts",
+        "src/tools/policy.ts",
+        "src/tools/executor.ts",
+        "src/tools/executor.test.ts",
+        "src/daemon/tools.ts",
+        "src/daemon/routing.ts",
+        "src/gateway/session-bridge.ts",
+        "README.md",
+        "docs/plans/state.json"
+      ],
+      "test_status": "pnpm test:run src/tools/executor.test.ts src/config/schema.test.ts + pnpm typecheck passing"
+    },
     "native-agent-model-timeout-hardening": {
       "status": "completed",
       "date": "2026-02-18",
@@ -5091,7 +5110,7 @@
     }
   },
   "overall_progress": {
-    "total_test_count": 1889,
+    "total_test_count": 1895,
     "all_tests_passing": true,
     "p0_completion": "3/3 (100%)",
     "p1_completion": "4/4 (100%)",