refactor(security): unify elevated mode handling across surfaces
This commit is contained in:
William Valentin
@@ -158,6 +158,26 @@ Behavior:
|
||||
|
||||
Note: today, only `shell.exec` and `process.start` are replaced with sandboxed implementations. Other high-risk tools are blocked-by-default in skill contexts unless host mode is explicitly allowed.
|
||||
|
||||
## Elevated Mode (Break Glass)
|
||||
|
||||
Flynn supports a time-bounded `/elevate` escape hatch for host execution of sensitive tools.
|
||||
|
||||
- Session keys: `elevation.until_ms`, `elevation.id`, `elevation.reason`
|
||||
- Command UX requires explicit confirmation (`--yes` / `--confirm`)
|
||||
- Expiry is automatic (TTL-based) and emits audit events
|
||||
|
||||
Implementation is centralized in `src/security/elevation.ts` and reused by:
|
||||
|
||||
- `src/daemon/routing.ts` (channel command fast path)
|
||||
- `src/gateway/handlers/agent.ts` (websocket/gateway command fast path)
|
||||
- `src/frontends/tui/minimal.ts` and `src/frontends/tui/components/App.tsx` (TUI command surfaces)
|
||||
- `src/backends/native/agent.ts` (per-tool-call elevation context resolution)
|
||||
|
||||
Tool enforcement remains in `src/tools/executor.ts`:
|
||||
|
||||
- host-sensitive tools are denied when elevation is required but inactive
|
||||
- elevated host high-risk calls still require explicit confirmation via hooks
|
||||
|
||||
## Prompt Injection Mitigation
|
||||
|
||||
Flynn uses a practical defense-in-depth approach:
|
||||
|
||||
Reference in New Issue
Block a user