feat(security): enforce elevated mode and sandbox execution

2026-02-15 17:02:05 -08:00
parent b574d170d1
commit ab89378fce
4 changed files with 152 additions and 8 deletions
@@ -5,6 +5,7 @@ import type { ToolRegistry } from '../../tools/registry.js';
 import type { ToolExecutor } from '../../tools/executor.js';
 import type { ToolResult } from '../../tools/types.js';
 import type { ToolPolicyContext } from '../../tools/policy.js';
+import { auditLogger } from '../../audit/index.js';
 import type { Attachment } from '../../channels/types.js';
 import type { OutboundAttachmentCollector } from './attachments.js';
 import { buildUserMessage, getMessageText } from '../../models/media.js';
@@ -266,8 +267,48 @@ export class NativeAgent {
          const internalName = this.toolRegistry!.getByApiName(tc.name)?.name ?? tc.name;
          this.onToolUse?.({ type: 'start', tool: internalName, args: tc.args });

+          let elevationUntilMs: number | undefined;
+          let elevationReason: string | undefined;
+          let elevationId: string | undefined;
+
+          if (this.session) {
+            const untilRaw = this.session.getConfig('elevation.until_ms');
+            const idRaw = this.session.getConfig('elevation.id');
+            const reasonRaw = this.session.getConfig('elevation.reason');
+            if (untilRaw && idRaw) {
+              const untilMs = Number.parseInt(untilRaw, 10);
+              if (Number.isFinite(untilMs)) {
+                const now = Date.now();
+                if (untilMs > now) {
+                  elevationUntilMs = untilMs;
+                  elevationId = idRaw;
+                  elevationReason = reasonRaw ?? undefined;
+                } else {
+                  // Auto-expire elevation.
+                  this.session.deleteConfig('elevation.until_ms');
+                  this.session.deleteConfig('elevation.reason');
+                  this.session.deleteConfig('elevation.id');
+                  auditLogger?.securityElevationExpired({
+                    session_id: this.session.id,
+                    channel: this._toolPolicyContext?.channel ?? 'unknown',
+                    sender: this._toolPolicyContext?.sender ?? 'unknown',
+                    elevation_id: idRaw,
+                    until_ms: untilMs,
+                    reason: reasonRaw ?? undefined,
+                  });
+                }
+              }
+            }
+          }
+
          const perCallContext: ToolPolicyContext | undefined = this._toolPolicyContext
-            ? { ...this._toolPolicyContext, untrustedContent: untrustedContentSeen }
+            ? {
+              ...this._toolPolicyContext,
+              untrustedContent: untrustedContentSeen,
+              elevatedHostUntilMs: elevationUntilMs,
+              elevatedHostReason: elevationReason,
+              elevatedHostId: elevationId,
+            }
            : undefined;

          const result = await this.toolExecutor!.execute(internalName, tc.args, perCallContext);