refactor(security): unify elevated mode handling across surfaces

2026-02-19 11:41:53 -08:00
parent 7cb647cbb8
commit baa53f91d9
10 changed files with 467 additions and 403 deletions
@@ -5,10 +5,10 @@ import type { ToolRegistry } from '../../tools/registry.js';
 import type { ToolExecutor } from '../../tools/executor.js';
 import type { ToolResult } from '../../tools/types.js';
 import type { ToolPolicyContext } from '../../tools/policy.js';
-import { auditLogger } from '../../audit/index.js';
 import type { Attachment } from '../../channels/types.js';
 import type { OutboundAttachmentCollector } from './attachments.js';
 import { buildUserMessage } from '../../models/media.js';
+import { getElevationWindow } from '../../security/elevation.js';

 export interface ToolUseEvent {
  type: 'start' | 'end';
@@ -325,32 +325,21 @@ export class NativeAgent {
          let elevationId: string | undefined;

          if (this.session) {
-            const untilRaw = this.session.getConfig('elevation.until_ms');
-            const idRaw = this.session.getConfig('elevation.id');
-            const reasonRaw = this.session.getConfig('elevation.reason');
-            if (untilRaw && idRaw) {
-              const untilMs = Number.parseInt(untilRaw, 10);
-              if (Number.isFinite(untilMs)) {
-                const now = Date.now();
-                if (untilMs > now) {
-                  elevationUntilMs = untilMs;
-                  elevationId = idRaw;
-                  elevationReason = reasonRaw ?? undefined;
-                } else {
-                  // Auto-expire elevation.
-                  this.session.deleteConfig('elevation.until_ms');
-                  this.session.deleteConfig('elevation.reason');
-                  this.session.deleteConfig('elevation.id');
-                  auditLogger?.securityElevationExpired({
-                    session_id: this.session.id,
-                    channel: this._toolPolicyContext?.channel ?? 'unknown',
-                    sender: this._toolPolicyContext?.sender ?? 'unknown',
-                    elevation_id: idRaw,
-                    until_ms: untilMs,
-                    reason: reasonRaw ?? undefined,
-                  });
-                }
-              }
+            const elevation = getElevationWindow({
+              get: (key) => this.session!.getConfig(key),
+              set: (key, value) => this.session!.setConfig(key, value),
+              delete: (key) => this.session!.deleteConfig(key),
+            }, {
+              auditContext: {
+                sessionId: this.session.id,
+                channel: this._toolPolicyContext?.channel ?? 'unknown',
+                sender: this._toolPolicyContext?.sender ?? 'unknown',
+              },
+            });
+            if (elevation.window) {
+              elevationUntilMs = elevation.window.untilMs;
+              elevationId = elevation.window.id;
+              elevationReason = elevation.window.reason;
            }
          }