refactor(security): unify elevated mode handling across surfaces
This commit is contained in:
William Valentin
+19
-102
@@ -26,7 +26,7 @@ import { matchReactionPrompt } from '../automation/reactions.js';
|
||||
import { loadSkillRegistryCatalog } from '../skills/index.js';
|
||||
import type { SkillInstaller, SkillRegistry, SkillRegistryEntry, SkillRegistrySource } from '../skills/index.js';
|
||||
import { auditLogger } from '../audit/index.js';
|
||||
import { randomUUID } from 'crypto';
|
||||
import { getElevationStatusMessage, setElevationFromInput } from '../security/elevation.js';
|
||||
import { dirname, resolve } from 'path';
|
||||
|
||||
function buildProviderConfigMap(config: Config): Partial<Record<ModelProvider, ModelConfig>> {
|
||||
@@ -813,115 +813,32 @@ export function createMessageRouter(deps: {
|
||||
},
|
||||
|
||||
getElevation: () => {
|
||||
const untilRaw = session.getConfig('elevation.until_ms');
|
||||
const reason = session.getConfig('elevation.reason') ?? '';
|
||||
const id = session.getConfig('elevation.id') ?? '';
|
||||
if (!untilRaw || !id) {
|
||||
return 'Elevated mode: off';
|
||||
}
|
||||
const untilMs = Number.parseInt(untilRaw, 10);
|
||||
if (!Number.isFinite(untilMs)) {
|
||||
return 'Elevated mode: off';
|
||||
}
|
||||
const now = Date.now();
|
||||
if (untilMs <= now) {
|
||||
session.deleteConfig('elevation.until_ms');
|
||||
session.deleteConfig('elevation.reason');
|
||||
session.deleteConfig('elevation.id');
|
||||
auditLogger?.securityElevationExpired({
|
||||
session_id: session.id,
|
||||
return getElevationStatusMessage({
|
||||
get: (key) => session.getConfig(key),
|
||||
set: (key, value) => session.setConfig(key, value),
|
||||
delete: (key) => session.deleteConfig(key),
|
||||
}, {
|
||||
showExpiredSuffix: true,
|
||||
auditContext: {
|
||||
sessionId: session.id,
|
||||
channel: msg.channel,
|
||||
sender: msg.senderId,
|
||||
elevation_id: id,
|
||||
until_ms: untilMs,
|
||||
reason: reason || undefined,
|
||||
});
|
||||
return 'Elevated mode: off (expired)';
|
||||
}
|
||||
const remainingMs = untilMs - now;
|
||||
const remainingSec = Math.ceil(remainingMs / 1000);
|
||||
return `Elevated mode: on (${remainingSec}s remaining)${reason ? ` — ${reason}` : ''}`;
|
||||
},
|
||||
});
|
||||
},
|
||||
|
||||
setElevation: (input: string) => {
|
||||
const raw = input.trim();
|
||||
const parts = raw.split(/\s+/);
|
||||
const hasYes = parts.includes('--yes') || parts.includes('--confirm');
|
||||
const filtered = parts.filter(p => p !== '--yes' && p !== '--confirm');
|
||||
|
||||
if (filtered.length === 0) {
|
||||
return 'Usage: /elevate <duration> <reason...> --yes | /elevate off --yes';
|
||||
}
|
||||
|
||||
if (filtered[0] === 'off') {
|
||||
if (!hasYes) {
|
||||
return 'Refusing to disable elevation without explicit confirmation. Use: /elevate off --yes';
|
||||
}
|
||||
const existingId = session.getConfig('elevation.id') ?? randomUUID();
|
||||
const existingUntil = session.getConfig('elevation.until_ms');
|
||||
const existingReason = session.getConfig('elevation.reason') ?? '';
|
||||
session.deleteConfig('elevation.until_ms');
|
||||
session.deleteConfig('elevation.reason');
|
||||
session.deleteConfig('elevation.id');
|
||||
auditLogger?.securityElevationDisabled({
|
||||
session_id: session.id,
|
||||
return setElevationFromInput({
|
||||
get: (key) => session.getConfig(key),
|
||||
set: (key, value) => session.setConfig(key, value),
|
||||
delete: (key) => session.deleteConfig(key),
|
||||
}, input, {
|
||||
auditContext: {
|
||||
sessionId: session.id,
|
||||
channel: msg.channel,
|
||||
sender: msg.senderId,
|
||||
elevation_id: existingId,
|
||||
until_ms: existingUntil ? Number.parseInt(existingUntil, 10) : undefined,
|
||||
reason: existingReason || undefined,
|
||||
});
|
||||
return 'Elevated mode: off';
|
||||
}
|
||||
|
||||
if (!hasYes) {
|
||||
return 'Refusing to enable elevation without explicit confirmation. Use: /elevate <duration> <reason...> --yes';
|
||||
}
|
||||
|
||||
const dur = filtered[0];
|
||||
const reason = filtered.slice(1).join(' ').trim();
|
||||
const ttlMs = (() => {
|
||||
const m = dur.match(/^(\d+)([smhd])$/i);
|
||||
if (!m) {
|
||||
return null;
|
||||
}
|
||||
const n = Number.parseInt(m[1], 10);
|
||||
if (!Number.isFinite(n) || n <= 0) {
|
||||
return null;
|
||||
}
|
||||
const unit = m[2].toLowerCase();
|
||||
if (unit === 's') {return n * 1000;}
|
||||
if (unit === 'm') {return n * 60_000;}
|
||||
if (unit === 'h') {return n * 3_600_000;}
|
||||
if (unit === 'd') {return n * 86_400_000;}
|
||||
return null;
|
||||
})();
|
||||
|
||||
if (!ttlMs) {
|
||||
return 'Invalid duration. Use one of: 30s, 10m, 1h, 1d';
|
||||
}
|
||||
|
||||
const untilMs = Date.now() + ttlMs;
|
||||
const id = randomUUID();
|
||||
session.setConfig('elevation.until_ms', String(untilMs));
|
||||
session.setConfig('elevation.id', id);
|
||||
if (reason) {
|
||||
session.setConfig('elevation.reason', reason);
|
||||
} else {
|
||||
session.deleteConfig('elevation.reason');
|
||||
}
|
||||
|
||||
auditLogger?.securityElevationEnabled({
|
||||
session_id: session.id,
|
||||
channel: msg.channel,
|
||||
sender: msg.senderId,
|
||||
elevation_id: id,
|
||||
until_ms: untilMs,
|
||||
ttl_ms: ttlMs,
|
||||
reason: reason || undefined,
|
||||
},
|
||||
});
|
||||
|
||||
return `Elevated mode: on until ${new Date(untilMs).toISOString()}`;
|
||||
},
|
||||
|
||||
getQueue: () => {
|
||||
|
||||
Reference in New Issue
Block a user