feat(security): add /elevate command and audit events

src/audit/logger.ts

@@ -23,6 +23,7 @@ import type {
   HeartbeatRecoverEvent,
   GmailPollEvent,
   GmailNewEmailEvent,
+  SecurityElevationEvent,
 } from './types.js';
 import { AuditRotator } from './rotation.js';
 
@@ -124,6 +125,21 @@ export class AuditLogger {
     });
   }
 
+  securityElevationEnabled(event: SecurityElevationEvent): void {
+    if (!this.shouldLog('tools', 'info')) {return;}
+    this.write({ level: 'info', event_type: 'security.elevation.enabled', event: event as unknown as Record<string, unknown> });
+  }
+
+  securityElevationDisabled(event: SecurityElevationEvent): void {
+    if (!this.shouldLog('tools', 'info')) {return;}
+    this.write({ level: 'info', event_type: 'security.elevation.disabled', event: event as unknown as Record<string, unknown> });
+  }
+
+  securityElevationExpired(event: SecurityElevationEvent): void {
+    if (!this.shouldLog('tools', 'info')) {return;}
+    this.write({ level: 'info', event_type: 'security.elevation.expired', event: event as unknown as Record<string, unknown> });
+  }
+
   // ── Session Events ───────────────────────────────────────────
 
   sessionCreate(event: SessionCreateEvent): void {

src/audit/types.ts

@@ -3,6 +3,8 @@ export type AuditLevel = 'debug' | 'info' | 'warn' | 'error';
 export type AuditEventType =
   // Tool execution
   | 'tool.start' | 'tool.success' | 'tool.error' | 'tool.denied' | 'tool.approval'
+  // Security
+  | 'security.elevation.enabled' | 'security.elevation.disabled' | 'security.elevation.expired'
   // Skills scan
   | 'skills.scan.pass' | 'skills.scan.fail'
   // Skills installer
@@ -134,6 +136,16 @@ export interface SkillsScanEvent {
   issue_codes: string[];
 }
 
+export interface SecurityElevationEvent {
+  session_id: string;
+  channel: string;
+  sender: string;
+  elevation_id: string;
+  until_ms?: number;
+  ttl_ms?: number;
+  reason?: string;
+}
+
 export interface SessionCreateEvent {
   session_id: string;
   frontend: string;