2026-01-04 05:21:12 +00:00
---
summary: "Elevated bash mode and /elevated directives"
read_when:
- Adjusting elevated mode defaults, allowlists, or slash command behavior
---
# Elevated Mode (/elevated directives)
## What it does
- Elevated mode allows the bash tool to run with elevated privileges when the feature is available and the sender is approved.
2026-01-08 23:17:02 +01:00
- **Optional for sandboxed agents**: elevated only changes behavior when the agent is running in a sandbox. If the agent already runs unsandboxed, elevated is effectively a no-op.
2026-01-04 05:21:12 +00:00
- Directive forms: `/elevated on` , `/elevated off` , `/elev on` , `/elev off` .
- Only `on|off` are accepted; anything else returns a hint and does not change state.
2026-01-08 22:57:08 +01:00
## What it controls (and what it doesn’
2026-01-09 12:44:23 +00:00
- **Global availability gate**: `tools.elevated` is global (not per-agent). If disabled or sender not allowlisted, elevated is unavailable everywhere.
2026-01-08 22:57:08 +01:00
- **Per-session state**: `/elevated on|off` sets the elevated level for the current session key.
- **Inline directive**: `/elevated on` inside a message applies to that message only.
2026-01-09 02:52:44 +01:00
- **Groups**: In group chats, elevated directives are only honored when the agent is mentioned. Command-only messages that bypass mention requirements are treated as mentioned.
2026-01-08 22:57:08 +01:00
- **Host execution**: elevated runs `bash` on the host (bypasses sandbox).
2026-01-08 23:17:02 +01:00
- **Unsandboxed agents**: when there is no sandbox to bypass, elevated does not change where `bash` runs.
2026-01-08 22:57:08 +01:00
- **Tool policy still applies**: if `bash` is denied by tool policy, elevated cannot be used.
2026-01-08 23:18:09 +01:00
Note:
- Sandbox on: `/elevated on` runs that `bash` command on the host.
- Sandbox off: `/elevated on` does not change execution (already on host).
2026-01-08 23:17:02 +01:00
## When elevated matters
- Only impacts `bash` when the agent is running sandboxed (it drops the sandbox for that command).
- For unsandboxed agents, elevated does not change execution; it only affects gating, logging, and status.
2026-01-04 05:21:12 +00:00
## Resolution order
1. Inline directive on the message (applies only to that message).
2. Session override (set by sending a directive-only message).
2026-01-09 12:44:23 +00:00
3. Global default (`agents.defaults.elevatedDefault` in config).
2026-01-04 05:21:12 +00:00
## Setting a session default
- Send a message that is **only** the directive (whitespace allowed), e.g. `/elevated on` .
- Confirmation reply is sent (`Elevated mode enabled.` / `Elevated mode disabled.` ).
- If elevated access is disabled or the sender is not on the approved allowlist, the directive replies `elevated is not available right now.` and does not change session state.
2026-01-08 03:22:14 +01:00
- Send `/elevated` (or `/elevated:` ) with no argument to see the current elevated level.
2026-01-04 05:21:12 +00:00
## Availability + allowlists
2026-01-09 12:44:23 +00:00
- Feature gate: `tools.elevated.enabled` (default can be off via config even if the code supports it).
- Sender allowlist: `tools.elevated.allowFrom` with per-provider allowlists (e.g. `discord` , `whatsapp` ).
2026-01-04 05:21:12 +00:00
- Both must pass; otherwise elevated is treated as unavailable.
2026-01-09 12:44:23 +00:00
- Discord fallback: if `tools.elevated.allowFrom.discord` is omitted, the `discord.dm.allowFrom` list is used as a fallback. Set `tools.elevated.allowFrom.discord` (even `[]` ) to override.
2026-01-04 05:21:12 +00:00
## Logging + status
- Elevated bash calls are logged at info level.
- Session status includes elevated mode (e.g. `elevated=on` ).
