feat(safety): gate sensitive tools behind elevation and immutable denylist

src/tools/policy.ts

@@ -150,6 +150,17 @@ function matchesAnyPattern(toolName: string, patterns: string[]): boolean {
 // ── Policy context ──────────────────────────────────────────────────
 
 /** Identifies the runtime context for tool policy resolution. */
+export type SensitiveMode = 'deny_without_elevation' | 'confirm_without_elevation';
+
+export interface ImmutableDenyRule {
+  /** Tool name glob pattern (e.g. shell.exec, process.*). */
+  tool: string;
+  /** Optional case-insensitive substring matched against serialized args. */
+  argsPattern?: string;
+  /** Optional human-readable denial reason. */
+  reason?: string;
+}
+
 export interface ToolPolicyContext {
   /** Model tier name (e.g. 'fast', 'default', 'complex', 'local'). */
   agent?: string;
@@ -186,6 +197,11 @@ export interface ToolPolicyContext {
   elevatedHostReason?: string;
   /** Correlation id for elevation window. */
   elevatedHostId?: string;
+
+  /** Sensitive operation mode for host-executed sensitive tools. */
+  sensitiveMode?: SensitiveMode;
+  /** Immutable denylist enforced before hooks/autonomy checks. */
+  immutableDenylist?: ImmutableDenyRule[];
 }
 
 function resolveSkillAllowedNames(allToolNames: string[], permissions?: SkillPermissions): Set<string> | null {