[Feature]: Temporary time-bound exec security escalation via /trust and /untrust

[keylimesoda]

Temporary time-bound exec security escalation via /trust and /untrust commands.

Problem to solve

Existing exec approval workflows (deny/allowlist/full) are binary and permanent per session. Users who want exec.security=full for a focused coding session must either:

1. Set it permanently with /exec security=full and remember to revert (most forget)
2. Leave approvals enabled and endure per-command confirmation friction that disrupts flow

This leads to a common anti-pattern: users disable exec approvals entirely, defeating the security model. There is no existing middle ground between "always approve" and "always allow."

Proposed solution

Add /trust [minutes] and /untrust slash commands:

• /trust [minutes] — temporarily sets exec.security=full for the current session (1-480 minutes, default 15)
• /untrust — revokes trust immediately
• Anti-stacking: refuses to extend while active (must /untrust first then /trust again)
• In-memory only: trust is lost on process restart (fail-closed by design)
• Single decision point in resolveExecOverrides for all surfaces (CLI, TUI, Discord, Telegram, Slack, WhatsApp, web)
• Uses existing rejectUnauthorizedCommand gate for authorization

This follows the same temporary escalation pattern used by sudo timeouts and OAuth token expiry — granting elevated access for a bounded window with automatic revocation.

Alternatives considered

1. Per-command approval with "approve all for N minutes" — requires deeper changes to the approval flow and UI across all surfaces
2. Config-level timeout on /exec security=full — would change existing /exec semantics and require migration
3. Allowlist-based auto-approval — doesn't address the "I want full access for this task" use case. There is some work to do someday to make Safebins environmental rather than filter-based someday.

Impact

• Affected: All users who interact with exec approvals across any surface
• Severity: Medium — current friction leads users to disable approvals entirely
• Frequency: Every coding session where exec is needed
• Consequence: Improved usable security surface — users can grant temporary full access instead of permanently disabling protections

Evidence/examples

• sudo: grants root for a configurable timeout window (default 5-15 minutes)
• AWS STS: temporary credentials with explicit TTL
• GitHub fine-grained PATs: time-bounded access tokens
• Mobile biometric unlock: trust device for N minutes after authentication

Additional information

[overclucker]

Self escalation is high risk. A CI/CD can handle escalation more safely.

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Issue #47695 is superseded by open PR #47696, which directly tracks the same /trust and /untrust temporary exec-security escalation feature. Current main does not implement the feature, so this is a tracker consolidation, not an implemented-on-main close.

What I checked:

• Superseding PR: Provided GitHub context shows open PR feat: add /trust and /untrust commands for temporary exec security elevation #47696 titled "feat: add /trust and /untrust commands for temporary exec security elevation". Its body says "Closes [Feature]: Temporary time-bound exec security escalation via /trust and /untrust #47695" and describes the same /trust [minutes], /untrust, in-memory expiry, anti-stacking, authorization gate, and test scope requested by this issue.
• Current exec command surface: Current main defines the built-in exec control as key exec with text alias /exec and arguments for host/security/ask/node; no /trust or /untrust command is present in this registry section. (src/auto-reply/commands-registry.shared.ts:808, d228463120a5)
• Current exec override resolution: Exec overrides currently resolve from inline directives, session entry, or agent defaults. There is no temporary trust-window source in the resolution chain on current main. (src/auto-reply/reply/get-reply-exec-overrides.ts:7, d228463120a5)
• Current docs: The slash-command docs list /exec host=<auto|sandbox|gateway|node> security=<deny|allowlist|full> ask=<off|on-miss|always> node=<id> as the supported exec-default control; /trust and /untrust are not documented there. Public docs: docs/tools/slash-commands.md. (docs/tools/slash-commands.md:102, d228463120a5)
• Related security discussion: The existing issue comment raises a security concern about self-escalation. That review belongs with the concrete implementation in PR feat: add /trust and /untrust commands for temporary exec security elevation #47696, while broader approval-fatigue/security-by-intent work is separately tracked in issue Security by Intent: Progressive Permission Pattern Generalization to Eliminate Privilege Escalation and Approval Fatigue #48532.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against d228463120a5.