refactor(security): unify elevated mode handling across surfaces
This commit is contained in:
William Valentin
@@ -38,10 +38,10 @@ A gap item is considered implemented when:
|
||||
|
||||
- QMD backend (experimental) — completed on 2026-02-16
|
||||
|
||||
### Security (MISSING)
|
||||
### Security
|
||||
|
||||
- Skill/plugin code safety scanner (static analysis)
|
||||
- Elevated mode (explicit host-exec escape hatch)
|
||||
- Skill/plugin code safety scanner (static analysis) — completed on 2026-02-16
|
||||
- Elevated mode (explicit host-exec escape hatch) — completed on 2026-02-16, hardening pass completed on 2026-02-19 (shared elevation module + parity refactor)
|
||||
|
||||
### Skills Ecosystem (MISSING)
|
||||
|
||||
@@ -246,6 +246,8 @@ Optional second insertion:
|
||||
|
||||
## Milestone 4 (P2): Elevated Mode (Break Glass)
|
||||
|
||||
Status: completed (2026-02-16), hardened and unified on 2026-02-19.
|
||||
|
||||
### Scope
|
||||
|
||||
Add a user-visible, auditable, time-bounded mechanism to permit host execution of high-risk tools.
|
||||
@@ -265,6 +267,7 @@ Constraints:
|
||||
### Tests
|
||||
|
||||
- Unit tests for TTL expiry and denial without elevation.
|
||||
- Cross-surface parity tests for command behavior (`daemon`/`gateway`/`tui`) and shared helper tests (`src/security/elevation.test.ts`).
|
||||
|
||||
---
|
||||
|
||||
@@ -329,9 +332,6 @@ These are substantial UX/ecosystem projects or highly platform-specific; defer u
|
||||
|
||||
## Suggested Next Execution Order
|
||||
|
||||
1) Credential System v2 (API + OAuth/token)
|
||||
2) Vercel AI Gateway provider
|
||||
3) Skill safety scanner
|
||||
4) Elevated mode
|
||||
5) Matrix adapter
|
||||
6) Deployment targets
|
||||
1) Auth profile rotation/stickiness before provider fallback
|
||||
2) Queue/run-control polish (interrupt preemption telemetry + UX)
|
||||
3) Daily memory continuity tuning (if continuity quality is still lacking)
|
||||
|
||||
@@ -5756,6 +5756,25 @@
|
||||
"docs/plans/state.json"
|
||||
],
|
||||
"test_status": "pnpm test:run src/frontends/tui/minimal.test.ts passing"
|
||||
},
|
||||
"elevation-hardening-unification": {
|
||||
"status": "completed",
|
||||
"date": "2026-02-19",
|
||||
"updated": "2026-02-19",
|
||||
"summary": "Unified elevated mode behavior into a shared `src/security/elevation.ts` module and refactored daemon, gateway, native agent, and TUI surfaces to use it. This removes duplicated TTL/expiry parsing and keeps `/elevate` semantics/auditing consistent across execution paths.",
|
||||
"files_modified": [
|
||||
"src/security/elevation.ts",
|
||||
"src/security/elevation.test.ts",
|
||||
"src/daemon/routing.ts",
|
||||
"src/gateway/handlers/agent.ts",
|
||||
"src/backends/native/agent.ts",
|
||||
"src/frontends/tui/minimal.ts",
|
||||
"src/frontends/tui/components/App.tsx",
|
||||
"docs/security/SAFE_PERSONAL_AGENT.md",
|
||||
"docs/plans/2026-02-15-openclaw-gap-roadmap.md",
|
||||
"docs/plans/state.json"
|
||||
],
|
||||
"test_status": "pnpm test:run src/security/elevation.test.ts src/gateway/handlers/agent.test.ts src/frontends/tui/minimal.test.ts src/backends/native/agent.test.ts src/daemon/routing.test.ts src/commands/builtin/index.test.ts + pnpm typecheck passing"
|
||||
}
|
||||
},
|
||||
"overall_progress": {
|
||||
|
||||
Reference in New Issue
Block a user