feat(safety): gate sensitive tools behind elevation and immutable denylist

2026-02-17 23:51:04 -08:00
parent 9345a864f4
commit 540f6780e6
10 changed files with 279 additions and 3 deletions
@@ -593,6 +593,21 @@ hooks:
    - notify
 ```
 For unrestricted deployments, pair hooks with agent-level sensitive gating:
 ```yaml
 agents:
  # deny_without_elevation | confirm_without_elevation
  sensitive_mode: deny_without_elevation
  immutable_denylist:
    - tool: shell.exec
      args_pattern: "git push origin main"
      reason: "direct main pushes are blocked"
    - tool: shell.exec
      args_pattern: "git reset --hard"
      reason: "destructive hard reset is blocked"
 ```
 ## Browser Automation Tools
 Flynn ships these browser tools:
@@ -5077,6 +5077,25 @@
      ],
      "test_status": "pnpm test:run src/session/manager.test.ts src/gateway/handlers/handlers.test.ts + pnpm typecheck passing"
    },
    "sensitive-tool-gating-with-elevation": {
      "status": "completed",
      "date": "2026-02-18",
      "updated": "2026-02-18",
      "summary": "Implemented fail-closed sensitive tool gating for unrestricted deployments by adding `agents.sensitive_mode` and `agents.immutable_denylist`, enforcing immutable deny rules in `ToolExecutor`, requiring `/elevate` before host execution of sensitive tools in deny mode, and preserving explicit per-call confirmation during elevation. Added schema and executor regression coverage and documented operator configuration.",
      "files_modified": [
        "src/config/schema.ts",
        "src/config/schema.test.ts",
        "src/tools/policy.ts",
        "src/tools/executor.ts",
        "src/tools/executor.test.ts",
        "src/daemon/tools.ts",
        "src/daemon/routing.ts",
        "src/gateway/session-bridge.ts",
        "README.md",
        "docs/plans/state.json"
      ],
      "test_status": "pnpm test:run src/tools/executor.test.ts src/config/schema.test.ts + pnpm typecheck passing"
    },
    "native-agent-model-timeout-hardening": {
      "status": "completed",
      "date": "2026-02-18",
@@ -5091,7 +5110,7 @@
    }
  },
  "overall_progress": {
-    "total_test_count": 1889,
+    "total_test_count": 1895,
    "all_tests_passing": true,
    "p0_completion": "3/3 (100%)",
    "p1_completion": "4/4 (100%)",
@@ -1395,6 +1395,13 @@ describe('configSchema — agents truthfulness/autonomy', () => {
    const result = configSchema.parse(minimalConfig);
    expect(result.agents.truthfulness_mode).toBe('standard');
    expect(result.agents.autonomy_level).toBe('standard');
    expect(result.agents.sensitive_mode).toBe('deny_without_elevation');
    expect(result.agents.immutable_denylist).toEqual(
      expect.arrayContaining([
        expect.objectContaining({ tool: 'shell.exec', args_pattern: 'git push origin main' }),
        expect.objectContaining({ tool: 'shell.exec', args_pattern: 'git reset --hard' }),
      ]),
    );
  });
  it('accepts explicit truthfulness and autonomy modes', () => {
@@ -1403,11 +1410,19 @@ describe('configSchema — agents truthfulness/autonomy', () => {
      agents: {
        truthfulness_mode: 'strict',
        autonomy_level: 'conservative',
        sensitive_mode: 'confirm_without_elevation',
        immutable_denylist: [
          { tool: 'shell.exec', args_pattern: 'rm -rf /', reason: 'too destructive' },
        ],
      },
    });
    expect(result.agents.truthfulness_mode).toBe('strict');
    expect(result.agents.autonomy_level).toBe('conservative');
    expect(result.agents.sensitive_mode).toBe('confirm_without_elevation');
    expect(result.agents.immutable_denylist).toEqual([
      { tool: 'shell.exec', args_pattern: 'rm -rf /', reason: 'too destructive' },
    ]);
  });
  it('rejects invalid truthfulness_mode', () => {
@@ -1427,6 +1442,15 @@ describe('configSchema — agents truthfulness/autonomy', () => {
      },
    })).toThrow();
  });
  it('rejects invalid sensitive_mode', () => {
    expect(() => configSchema.parse({
      ...minimalConfig,
      agents: {
        sensitive_mode: 'allow_everything',
      },
    })).toThrow();
  });
 });
 describe('configSchema — skills registry source', () => {
@@ -436,6 +436,12 @@ const automationSchema = z.object({
 const truthfulnessModeSchema = z.enum(['strict', 'standard', 'relaxed']);
 const autonomyLevelSchema = z.enum(['conservative', 'standard', 'autonomous']);
 const sensitiveModeSchema = z.enum(['deny_without_elevation', 'confirm_without_elevation']);
 const immutableDenyRuleSchema = z.object({
  tool: z.string().min(1),
  args_pattern: z.string().min(1).optional(),
  reason: z.string().min(1).optional(),
 });
 const agentsSchema = z.object({
  primary_tier: z.enum(['fast', 'default', 'complex', 'local']).default('default'),
@@ -460,6 +466,26 @@ const agentsSchema = z.object({
  truthfulness_mode: truthfulnessModeSchema.default('standard'),
  /** Autonomy level for tool execution: conservative | standard | autonomous. */
  autonomy_level: autonomyLevelSchema.default('standard'),
  /** Sensitive host-action behavior for high-impact tools. */
  sensitive_mode: sensitiveModeSchema.default('deny_without_elevation'),
  /** Immutable denylist enforced even during elevated mode. */
  immutable_denylist: z.array(immutableDenyRuleSchema).default([
    {
      tool: 'shell.exec',
      args_pattern: 'git push origin main',
      reason: 'direct push to main is blocked by immutable policy',
    },
    {
      tool: 'shell.exec',
      args_pattern: 'git reset --hard',
      reason: 'destructive hard reset is blocked by immutable policy',
    },
    {
      tool: 'shell.exec',
      args_pattern: 'git clean -fd',
      reason: 'destructive clean is blocked by immutable policy',
    },
  ]),
 }).default({});
 const embeddingProviderSchema = z.enum(['openai', 'gemini', 'ollama', 'llamacpp', 'voyage']);
@@ -950,3 +976,5 @@ export type AuditConfig = z.infer<typeof auditSchema>;
 export type AuditLevel = z.infer<typeof auditLevelSchema>;
 export type TruthfulnessMode = z.infer<typeof truthfulnessModeSchema>;
 export type AutonomyLevel = z.infer<typeof autonomyLevelSchema>;
 export type SensitiveMode = z.infer<typeof sensitiveModeSchema>;
 export type ImmutableDenyRule = z.infer<typeof immutableDenyRuleSchema>;
@@ -273,6 +273,12 @@ export function createMessageRouter(deps: {
        sender: senderId,
        tier: effectiveTier,
        autonomyLevel: deps.config.agents.autonomy_level ?? 'standard',
        sensitiveMode: deps.config.agents.sensitive_mode,
        immutableDenylist: deps.config.agents.immutable_denylist.map((rule) => ({
          tool: rule.tool,
          argsPattern: rule.args_pattern,
          reason: rule.reason,
        })),
        skillName: activeSkillName,
        skillPermissions: activeSkill?.manifest.permissions,
        allowedSecretScopes: activeSkill?.manifest.permissions?.secrets,
@@ -91,7 +91,14 @@ export function initTools(deps: ToolsDeps): ToolsResult {
    console.log('Browser tools disabled (set browser.enabled=true to register browser.* tools)');
  }
-  const toolExecutor = new ToolExecutor(toolRegistry, hookEngine);
+  const toolExecutor = new ToolExecutor(toolRegistry, hookEngine, {
    sensitiveMode: config.agents.sensitive_mode,
    immutableDenylist: config.agents.immutable_denylist.map((rule) => ({
      tool: rule.tool,
      argsPattern: rule.args_pattern,
      reason: rule.reason,
    })),
  });
  // Initialize tool policy from config
  const toolPolicy = new ToolPolicy(config.tools);
@@ -293,6 +293,12 @@ export class SessionBridge {
          agent: primaryTier,
          provider: config?.models.default.provider,
          autonomyLevel: config?.agents.autonomy_level ?? 'standard',
          sensitiveMode: config?.agents.sensitive_mode ?? 'deny_without_elevation',
          immutableDenylist: (config?.agents.immutable_denylist ?? []).map((rule) => ({
            tool: rule.tool,
            argsPattern: rule.args_pattern,
            reason: rule.reason,
          })),
        },
      });
@@ -348,6 +348,7 @@ describe('ToolExecutor', () => {
    const result = await executor.execute('shell.exec', { command: 'rm -rf /' }, {
      untrustedContent: true,
      executionEnvironment: 'host',
      sensitiveMode: 'confirm_without_elevation',
    });
    expect(result.success).toBe(false);
    expect(result.error).toContain('blocked');
@@ -388,6 +389,7 @@ describe('ToolExecutor', () => {
      skillPermissions: { execution_environment: 'sandbox' },
      executionEnvironment: 'host',
      autonomyLevel: 'autonomous',
      sensitiveMode: 'confirm_without_elevation',
    });
    expect(denied.success).toBe(false);
    expect(denied.error).toContain('execution_environment=host');
@@ -399,6 +401,7 @@ describe('ToolExecutor', () => {
      elevatedHostUntilMs: Date.now() + 60_000,
      elevatedHostId: 'e1',
      autonomyLevel: 'autonomous',
      sensitiveMode: 'confirm_without_elevation',
    });
    const pending = hooks.getPendingConfirmations();
    expect(pending).toHaveLength(1);
@@ -435,4 +438,74 @@ describe('ToolExecutor', () => {
    expect(result.success).toBe(true);
    expect(result.output).toContain('sandbox-out');
  });
  it('denies sensitive host tools without elevation in deny_without_elevation mode', async () => {
    const registry = new ToolRegistry();
    registry.register({
      name: 'shell.exec',
      description: 'shell',
      inputSchema: { type: 'object', properties: {} },
      execute: async () => ({ success: true, output: 'ok' }),
    });
    const hooks = new HookEngine({ confirm: [], log: [], silent: [] });
    const executor = new ToolExecutor(registry, hooks, { sensitiveMode: 'deny_without_elevation' });
    const result = await executor.execute('shell.exec', { command: 'echo hi' }, {
      executionEnvironment: 'host',
      autonomyLevel: 'autonomous',
    });
    expect(result.success).toBe(false);
    expect(result.error).toContain('requires /elevate');
  });
  it('allows sensitive host tools after elevation and requires confirmation', async () => {
    const registry = new ToolRegistry();
    registry.register({
      name: 'shell.exec',
      description: 'shell',
      inputSchema: { type: 'object', properties: {} },
      execute: async () => ({ success: true, output: 'ok' }),
    });
    const hooks = new HookEngine({ confirm: [], log: [], silent: [] });
    const executor = new ToolExecutor(registry, hooks, { sensitiveMode: 'deny_without_elevation' });
    const pendingResult = executor.execute('shell.exec', { command: 'echo hi' }, {
      executionEnvironment: 'host',
      autonomyLevel: 'autonomous',
      elevatedHostUntilMs: Date.now() + 60_000,
      elevatedHostId: 'elev-1',
    });
    const pending = hooks.getPendingConfirmations();
    expect(pending).toHaveLength(1);
    hooks.resolveConfirmation(pending[0].id, { approved: true });
    const result = await pendingResult;
    expect(result.success).toBe(true);
  });
  it('enforces immutable denylist even during elevation', async () => {
    const registry = new ToolRegistry();
    registry.register({
      name: 'shell.exec',
      description: 'shell',
      inputSchema: { type: 'object', properties: {} },
      execute: async () => ({ success: true, output: 'ok' }),
    });
    const hooks = new HookEngine({ confirm: [], log: [], silent: [] });
    const executor = new ToolExecutor(registry, hooks, {
      sensitiveMode: 'deny_without_elevation',
      immutableDenylist: [
        { tool: 'shell.exec', argsPattern: 'git reset --hard', reason: 'blocked by policy' },
      ],
    });
    const result = await executor.execute('shell.exec', { command: 'git reset --hard HEAD~1' }, {
      executionEnvironment: 'host',
      elevatedHostUntilMs: Date.now() + 60_000,
      elevatedHostId: 'elev-2',
      autonomyLevel: 'autonomous',
    });
    expect(result.success).toBe(false);
    expect(result.error).toContain('blocked by policy');
  });
 });
@@ -1,7 +1,7 @@
 import type { ToolResult } from './types.js';
 import type { ToolRegistry } from './registry.js';
 import type { HookEngine } from '../hooks/engine.js';
-import type { ToolPolicyContext } from './policy.js';
+import type { ImmutableDenyRule, SensitiveMode, ToolPolicyContext } from './policy.js';
 import { resolveAutonomy } from '../hooks/autonomy.js';
 import { auditLogger } from '../audit/index.js';
 import { randomUUID } from 'crypto';
@@ -13,6 +13,8 @@ import { createSandboxedProcessStartTool, createSandboxedShellTool } from '../sa
 export interface ToolExecutorConfig {
  defaultTimeoutMs?: number;
  maxOutputBytes?: number;
  sensitiveMode?: SensitiveMode;
  immutableDenylist?: ImmutableDenyRule[];
 }
 export interface ToolExecutionObserverEvent {
@@ -27,6 +29,8 @@ export class ToolExecutor {
  private hooks: HookEngine;
  private defaultTimeoutMs: number;
  private maxOutputBytes: number;
  private sensitiveMode: SensitiveMode;
  private immutableDenylist: ImmutableDenyRule[];
  private sandboxManager?: SandboxManager;
  private executionObserver?: (event: ToolExecutionObserverEvent) => void;
@@ -35,6 +39,8 @@ export class ToolExecutor {
    this.hooks = hooks;
    this.defaultTimeoutMs = config?.defaultTimeoutMs ?? 30_000;
    this.maxOutputBytes = config?.maxOutputBytes ?? 51_200;
    this.sensitiveMode = config?.sensitiveMode ?? 'deny_without_elevation';
    this.immutableDenylist = config?.immutableDenylist ?? [];
  }
  setSandboxManager(manager?: SandboxManager): void {
@@ -79,6 +85,21 @@ export class ToolExecutor {
    const argsRedaction = redactForAudit(args);
    const immutableDenyReason = this.evaluateImmutableDenylist(tool.name, args, context);
    if (immutableDenyReason) {
      auditLogger?.toolDenied({
        tool_name: tool.name,
        reason: immutableDenyReason,
        denial_type: 'policy',
        execution_id: executionId,
        execution_environment: executionEnvironment,
        skill_name: skillName,
        redactions_applied: argsRedaction.redactions,
        session_id: context?.sessionId,
      });
      return { success: false, output: '', error: `Tool '${tool.name}' denied: ${immutableDenyReason}` };
    }
    // Secret scope enforcement
    const requiredScopes = tool.requiredSecretScopes ?? [];
    const allowedScopes = this.resolveAllowedSecretScopes(context);
@@ -132,6 +153,22 @@ export class ToolExecutor {
      return { success: false, output: '', error: `Tool '${tool.name}' blocked: ${guard}` };
    }
    if (this.shouldDenyWithoutElevation(tool.name, executionEnvironment, context)) {
      const mode = context?.sensitiveMode ?? this.sensitiveMode;
      const reason = `sensitive tool requires /elevate before host execution (mode=${mode})`;
      auditLogger?.toolDenied({
        tool_name: tool.name,
        reason,
        denial_type: 'policy',
        execution_id: executionId,
        execution_environment: executionEnvironment,
        skill_name: skillName,
        redactions_applied: argsRedaction.redactions,
        session_id: context?.sessionId,
      });
      return { success: false, output: '', error: `Tool '${tool.name}' denied: ${reason}` };
    }
    // Policy check (defense in depth — tools should also be filtered at listing time)
    const policy = this.registry.getPolicy();
    if (policy) {
@@ -375,6 +412,51 @@ export class ToolExecutor {
    ].includes(toolName);
  }
  private isSensitiveTool(toolName: string): boolean {
    if (toolName === 'shell.exec' || toolName === 'process.start' || toolName === 'process.kill') {
      return true;
    }
    if (toolName.startsWith('browser.')) {
      return true;
    }
    return ['message.send', 'cron.create', 'cron.delete'].includes(toolName);
  }
  private shouldDenyWithoutElevation(toolName: string, executionEnvironment: 'host' | 'sandbox', context?: ToolPolicyContext): boolean {
    const mode = context?.sensitiveMode ?? this.sensitiveMode;
    if (mode !== 'deny_without_elevation') {
      return false;
    }
    if (executionEnvironment !== 'host') {
      return false;
    }
    if (!this.isSensitiveTool(toolName)) {
      return false;
    }
    return !this.isElevationActive(context);
  }
  private evaluateImmutableDenylist(toolName: string, args: unknown, context?: ToolPolicyContext): string | null {
    const rules = context?.immutableDenylist ?? this.immutableDenylist;
    if (!rules || rules.length === 0) {
      return null;
    }
    const serializedArgs = JSON.stringify(args ?? {}).toLowerCase();
    for (const rule of rules) {
      if (!matchesAnyPattern(toolName, [rule.tool])) {
        continue;
      }
      if (rule.argsPattern && !serializedArgs.includes(rule.argsPattern.toLowerCase())) {
        continue;
      }
      return rule.reason ?? `blocked by immutable denylist rule (${rule.tool}${rule.argsPattern ? ` / ${rule.argsPattern}` : ''})`;
    }
    return null;
  }
  private checkCapabilityConstraints(toolName: string, args: unknown, context: ToolPolicyContext | undefined, effectiveEnv: 'host' | 'sandbox'): string | null {
    const perms = context?.skillPermissions;
    if (!perms) {
@@ -150,6 +150,17 @@ function matchesAnyPattern(toolName: string, patterns: string[]): boolean {
 // ── Policy context ──────────────────────────────────────────────────
 /** Identifies the runtime context for tool policy resolution. */
 export type SensitiveMode = 'deny_without_elevation' | 'confirm_without_elevation';
 export interface ImmutableDenyRule {
  /** Tool name glob pattern (e.g. shell.exec, process.*). */
  tool: string;
  /** Optional case-insensitive substring matched against serialized args. */
  argsPattern?: string;
  /** Optional human-readable denial reason. */
  reason?: string;
 }
 export interface ToolPolicyContext {
  /** Model tier name (e.g. 'fast', 'default', 'complex', 'local'). */
  agent?: string;
@@ -186,6 +197,11 @@ export interface ToolPolicyContext {
  elevatedHostReason?: string;
  /** Correlation id for elevation window. */
  elevatedHostId?: string;
  /** Sensitive operation mode for host-executed sensitive tools. */
  sensitiveMode?: SensitiveMode;
  /** Immutable denylist enforced before hooks/autonomy checks. */
  immutableDenylist?: ImmutableDenyRule[];
 }
 function resolveSkillAllowedNames(allToolNames: string[], permissions?: SkillPermissions): Set<string> | null {