feat(security): enforce elevated mode and sandbox execution

src/tools/executor.test.ts

@@ -262,4 +262,68 @@ describe('ToolExecutor', () => {
     expect(result.success).toBe(false);
     expect(result.error).toContain('refusing to pass');
   });
+
+  it('denies host high-risk tools for sandboxed skills unless elevation is active', async () => {
+    const registry = new ToolRegistry();
+    registry.register({
+      name: 'shell.exec',
+      description: 'shell',
+      inputSchema: { type: 'object', properties: {} },
+      execute: async () => ({ success: true, output: 'ok' }),
+    });
+    const hooks = new HookEngine({ confirm: [], log: [], silent: [] });
+    const executor = new ToolExecutor(registry, hooks);
+
+    const denied = await executor.execute('shell.exec', { command: 'echo hi' }, {
+      skillName: 'test-skill',
+      skillPermissions: { execution_environment: 'sandbox' },
+      executionEnvironment: 'host',
+      autonomyLevel: 'autonomous',
+    });
+    expect(denied.success).toBe(false);
+    expect(denied.error).toContain('execution_environment=host');
+
+    const allowedPromise = executor.execute('shell.exec', { command: 'echo hi' }, {
+      skillName: 'test-skill',
+      skillPermissions: { execution_environment: 'sandbox' },
+      executionEnvironment: 'host',
+      elevatedHostUntilMs: Date.now() + 60_000,
+      elevatedHostId: 'e1',
+      autonomyLevel: 'autonomous',
+    });
+    const pending = hooks.getPendingConfirmations();
+    expect(pending).toHaveLength(1);
+    hooks.resolveConfirmation(pending[0].id, { approved: true });
+
+    const allowed = await allowedPromise;
+    expect(allowed.success).toBe(true);
+  });
+
+  it('executes shell.exec in sandbox when executionEnvironment is sandbox', async () => {
+    const registry = new ToolRegistry();
+    registry.register({
+      name: 'shell.exec',
+      description: 'host shell',
+      inputSchema: { type: 'object', properties: {} },
+      execute: async () => { throw new Error('host should not run'); },
+    });
+    const hooks = new HookEngine({ confirm: [], log: [], silent: [] });
+    const executor = new ToolExecutor(registry, hooks);
+
+    const fakeSandbox = {
+      exec: async () => ({ stdout: 'sandbox-out', stderr: '' }),
+    } as any;
+    const fakeManager = {
+      getOrCreate: async () => fakeSandbox,
+    } as any;
+    executor.setSandboxManager(fakeManager);
+
+    const result = await executor.execute('shell.exec', { command: 'echo hi' }, {
+      executionEnvironment: 'sandbox',
+      sessionId: 's1',
+      autonomyLevel: 'autonomous',
+    });
+    expect(result.success).toBe(true);
+    expect(result.output).toContain('sandbox-out');
+  });
 });

src/tools/executor.ts

@@ -7,6 +7,8 @@ import { auditLogger } from '../audit/index.js';
 import { randomUUID } from 'crypto';
 import { matchesAnyPattern, patternToRegex } from './policy.js';
 import { redactForAudit, containsSecretLikeKeys } from '../audit/redact.js';
+import type { SandboxManager } from '../sandbox/index.js';
+import { createSandboxedProcessStartTool, createSandboxedShellTool } from '../sandbox/index.js';
 
 export interface ToolExecutorConfig {
   defaultTimeoutMs?: number;
@@ -18,6 +20,7 @@ export class ToolExecutor {
   private hooks: HookEngine;
   private defaultTimeoutMs: number;
   private maxOutputBytes: number;
+  private sandboxManager?: SandboxManager;
 
   constructor(registry: ToolRegistry, hooks: HookEngine, config?: ToolExecutorConfig) {
     this.registry = registry;
@@ -26,9 +29,26 @@ export class ToolExecutor {
     this.maxOutputBytes = config?.maxOutputBytes ?? 51_200;
   }
 
+  setSandboxManager(manager?: SandboxManager): void {
+    this.sandboxManager = manager;
+  }
+
+  private isElevationActive(context?: ToolPolicyContext): boolean {
+    const untilMs = context?.elevatedHostUntilMs;
+    return typeof untilMs === 'number' && Number.isFinite(untilMs) && untilMs > Date.now();
+  }
+
+  private resolveEffectiveExecutionEnvironment(toolName: string, context?: ToolPolicyContext): 'host' | 'sandbox' {
+    const base = context?.executionEnvironment ?? 'host';
+    if (this.isHighRiskTool(toolName) && this.isElevationActive(context)) {
+      return 'host';
+    }
+    return base;
+  }
+
   async execute(toolName: string, args: unknown, context?: ToolPolicyContext): Promise<ToolResult> {
     const executionId = randomUUID();
-    const executionEnvironment = context?.executionEnvironment;
+    const executionEnvironment = this.resolveEffectiveExecutionEnvironment(toolName, context);
     const skillName = context?.skillName;
 
     const tool = this.registry.getByApiName(toolName);
@@ -69,7 +89,7 @@ export class ToolExecutor {
     }
 
     // Capability enforcement: filesystem + network constraints
-    const capabilityViolation = this.checkCapabilityConstraints(tool.name, args, context);
+    const capabilityViolation = this.checkCapabilityConstraints(tool.name, args, context, executionEnvironment);
     if (capabilityViolation) {
       auditLogger?.toolDenied({
         tool_name: tool.name,
@@ -127,7 +147,12 @@ export class ToolExecutor {
     const baseAction = this.hooks.getAction(toolName);
     const autonomyLevel = context?.autonomyLevel ?? 'standard';
     const autonomyDecision = resolveAutonomy(toolName, baseAction, autonomyLevel);
-    const finalAction = autonomyDecision.action;
+    let finalAction = autonomyDecision.action;
+
+    // Elevated mode must always require explicit confirmation for host high-risk tool calls.
+    if (executionEnvironment === 'host' && this.isHighRiskTool(toolName) && this.isElevationActive(context)) {
+      finalAction = 'confirm';
+    }
 
     // Log autonomy override if applicable
     if (autonomyDecision.overridden) {
@@ -201,7 +226,19 @@ export class ToolExecutor {
 
     try {
       const result = await Promise.race([
-        tool.execute(args),
+        (async () => {
+          if (executionEnvironment === 'sandbox' && this.sandboxManager) {
+            const sandboxSessionId = context?.sessionId ?? `${context?.channel ?? 'unknown'}:${context?.sender ?? 'unknown'}`;
+            const sandbox = await this.sandboxManager.getOrCreate(sandboxSessionId);
+            if (toolName === 'shell.exec') {
+              return createSandboxedShellTool(sandbox).execute(args);
+            }
+            if (toolName === 'process.start') {
+              return createSandboxedProcessStartTool(sandbox).execute(args);
+            }
+          }
+          return tool.execute(args);
+        })(),
         new Promise<ToolResult>((_, reject) =>
           setTimeout(() => reject(new Error(`Tool '${toolName}' timed out after ${this.defaultTimeoutMs}ms`)), this.defaultTimeoutMs),
         ),
@@ -286,7 +323,7 @@ export class ToolExecutor {
     ].includes(toolName);
   }
 
-  private checkCapabilityConstraints(toolName: string, args: unknown, context?: ToolPolicyContext): string | null {
+  private checkCapabilityConstraints(toolName: string, args: unknown, context: ToolPolicyContext | undefined, effectiveEnv: 'host' | 'sandbox'): string | null {
     const perms = context?.skillPermissions;
     if (!perms) {
       if (context?.skillName && this.isHighRiskTool(toolName)) {
@@ -297,9 +334,8 @@ export class ToolExecutor {
 
     // Sandbox enforcement for high-risk tools unless explicitly allowed.
     if (this.isHighRiskTool(toolName)) {
-      const env = context?.executionEnvironment ?? 'host';
       const requested = perms.execution_environment ?? 'sandbox';
-      if (context?.skillName && env === 'host' && requested !== 'host') {
+      if (context?.skillName && effectiveEnv === 'host' && requested !== 'host' && !this.isElevationActive(context)) {
         return 'high-risk tool execution on host is not allowed for this skill (requires execution_environment=host)';
       }
     }