refactor(security): unify elevated mode handling across surfaces

docs/plans/2026-02-15-openclaw-gap-roadmap.md

@@ -38,10 +38,10 @@ A gap item is considered implemented when:
 
 - QMD backend (experimental) — completed on 2026-02-16
 
-### Security (MISSING)
+### Security
 
-- Skill/plugin code safety scanner (static analysis)
-- Elevated mode (explicit host-exec escape hatch)
+- Skill/plugin code safety scanner (static analysis) — completed on 2026-02-16
+- Elevated mode (explicit host-exec escape hatch) — completed on 2026-02-16, hardening pass completed on 2026-02-19 (shared elevation module + parity refactor)
 
 ### Skills Ecosystem (MISSING)
 
@@ -246,6 +246,8 @@ Optional second insertion:
 
 ## Milestone 4 (P2): Elevated Mode (Break Glass)
 
+Status: completed (2026-02-16), hardened and unified on 2026-02-19.
+
 ### Scope
 
 Add a user-visible, auditable, time-bounded mechanism to permit host execution of high-risk tools.
@@ -265,6 +267,7 @@ Constraints:
 ### Tests
 
 - Unit tests for TTL expiry and denial without elevation.
+- Cross-surface parity tests for command behavior (`daemon`/`gateway`/`tui`) and shared helper tests (`src/security/elevation.test.ts`).
 
 ---
 
@@ -329,9 +332,6 @@ These are substantial UX/ecosystem projects or highly platform-specific; defer u
 
 ## Suggested Next Execution Order
 
-1) Credential System v2 (API + OAuth/token)
-2) Vercel AI Gateway provider
-3) Skill safety scanner
-4) Elevated mode
-5) Matrix adapter
-6) Deployment targets
+1) Auth profile rotation/stickiness before provider fallback
+2) Queue/run-control polish (interrupt preemption telemetry + UX)
+3) Daily memory continuity tuning (if continuity quality is still lacking)

docs/plans/state.json

@@ -5756,6 +5756,25 @@
         "docs/plans/state.json"
       ],
       "test_status": "pnpm test:run src/frontends/tui/minimal.test.ts passing"
+    },
+    "elevation-hardening-unification": {
+      "status": "completed",
+      "date": "2026-02-19",
+      "updated": "2026-02-19",
+      "summary": "Unified elevated mode behavior into a shared `src/security/elevation.ts` module and refactored daemon, gateway, native agent, and TUI surfaces to use it. This removes duplicated TTL/expiry parsing and keeps `/elevate` semantics/auditing consistent across execution paths.",
+      "files_modified": [
+        "src/security/elevation.ts",
+        "src/security/elevation.test.ts",
+        "src/daemon/routing.ts",
+        "src/gateway/handlers/agent.ts",
+        "src/backends/native/agent.ts",
+        "src/frontends/tui/minimal.ts",
+        "src/frontends/tui/components/App.tsx",
+        "docs/security/SAFE_PERSONAL_AGENT.md",
+        "docs/plans/2026-02-15-openclaw-gap-roadmap.md",
+        "docs/plans/state.json"
+      ],
+      "test_status": "pnpm test:run src/security/elevation.test.ts src/gateway/handlers/agent.test.ts src/frontends/tui/minimal.test.ts src/backends/native/agent.test.ts src/daemon/routing.test.ts src/commands/builtin/index.test.ts + pnpm typecheck passing"
     }
   },
   "overall_progress": {

docs/security/SAFE_PERSONAL_AGENT.md

@@ -158,6 +158,26 @@ Behavior:
 
 Note: today, only `shell.exec` and `process.start` are replaced with sandboxed implementations. Other high-risk tools are blocked-by-default in skill contexts unless host mode is explicitly allowed.
 
+## Elevated Mode (Break Glass)
+
+Flynn supports a time-bounded `/elevate` escape hatch for host execution of sensitive tools.
+
+- Session keys: `elevation.until_ms`, `elevation.id`, `elevation.reason`
+- Command UX requires explicit confirmation (`--yes` / `--confirm`)
+- Expiry is automatic (TTL-based) and emits audit events
+
+Implementation is centralized in `src/security/elevation.ts` and reused by:
+
+- `src/daemon/routing.ts` (channel command fast path)
+- `src/gateway/handlers/agent.ts` (websocket/gateway command fast path)
+- `src/frontends/tui/minimal.ts` and `src/frontends/tui/components/App.tsx` (TUI command surfaces)
+- `src/backends/native/agent.ts` (per-tool-call elevation context resolution)
+
+Tool enforcement remains in `src/tools/executor.ts`:
+
+- host-sensitive tools are denied when elevation is required but inactive
+- elevated host high-risk calls still require explicit confirmation via hooks
+
 ## Prompt Injection Mitigation
 
 Flynn uses a practical defense-in-depth approach: