
#21136: fix(security): harden agent autonomy controls

by novalis133 · open · 2026-02-19 18:11

Labels: gateway, docker, agents · size: M
## Summary

- **Rate guard + audit logging for `elevated=full` exec bypass** — Adds a fixed-window rate limiter (30 cmds/60s) and immutable stderr audit trail for every command run under `elevated=full` mode, mitigating abuse of the unrestricted exec path (CWE-250)
- **Restricted tool set for external untrusted content** — Adds `EXTERNAL_CONTENT_RESTRICTED_TOOLS` and `isToolRestrictedForExternalContent()` to `external-content.ts`, providing structural enforcement primitives beyond advisory text markers for prompt injection defense
- **Audit logging for plugin hook prompt/tool modifications** — Logs when `before_prompt_build` replaces the system prompt and when `before_tool_call` modifies tool parameters, making silent plugin mutations visible
- **Block auto-discovered plugins when allowlist is empty** — Non-bundled, non-operator-configured plugins from global/workspace directories are now blocked when `plugins.allow` is empty, preventing untrusted code from auto-loading with full main-process access
- **Defense-in-depth audit logging for dangerous ACP tool calls** — Server-side translator now logs when tools in `DANGEROUS_ACP_TOOLS` are invoked over ACP, complementing the existing client-side approval gate

## Test plan

- [x] All 17 `loader.test.ts` tests pass (including the 3 that initially failed due to over-aggressive blocking of operator-configured plugins)
- [x] Full test suite: 6419 passed, 8 failed (all 8 failures are pre-existing Windows symlink EPERM issues unrelated to these changes)
- [x] Build succeeds with no type errors
- [ ] Manual verification of audit log output for elevated exec and ACP dangerous tool invocations
- [ ] Verify non-bundled plugins in global/workspace dirs are blocked when `plugins.allow` is empty
- [ ] Verify operator-configured plugins (`plugins.load.paths`) still load normally

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<h3>Greptile Summary</h3>

This PR implements comprehensive security hardening for agent autonomy controls across five key areas. The changes add multiple layers of defense-in-depth protection against abuse of privileged operations.

**Key changes:**

- **Rate limiting for `elevated=full` exec**: Adds 30 commands/60s rate limit with immutable stderr audit logging for every elevated command execution
- **Plugin auto-load blocking**: Blocks auto-discovered plugins (global/workspace) when `plugins.allow` is empty, while correctly allowing operator-configured plugins via `plugins.load.paths`
- **External content tool restrictions**: Introduces `EXTERNAL_CONTENT_RESTRICTED_TOOLS` set and helper function to provide structural enforcement against prompt injection attacks
- **Plugin hook audit logging**: Logs when plugins modify system prompts or tool parameters via `before_prompt_build` and `before_tool_call` hooks
- **ACP dangerous tool logging**: Server-side audit trail when dangerous tools are invoked over the Agent Client Protocol

**Issues found:**

- The `elevated=full` rate limiter at `bash-tools.exec.ts:61-62` uses module-level mutable state with non-atomic increment operations, creating potential race conditions under concurrent load

<h3>Confidence Score: 4/5</h3>

- This PR is largely safe to merge with one notable concurrency issue in the rate limiter that should be addressed
- The PR implements multiple defense-in-depth security hardening measures (audit logging, rate limiting, plugin blocking). All implementations are sound except for the rate limiter, which uses non-atomic module-level state that could have race conditions under concurrent load. The plugin loader fix correctly distinguishes between operator-configured (`config`) and auto-discovered plugins. The audit logging additions are properly placed and immutable (stderr). The external content restrictions are well-designed structural primitives.
- Pay close attention to `src/agents/bash-tools.exec.ts` - the rate limiter implementation needs review for concurrency safety

<sub>Last reviewed commit: 75b5c5e</sub>
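The description above summarises a fixed-window rate guard (30 commands per 60 s) with a stderr audit trail for `elevated=full` exec, and the review flags the check-and-increment as a concurrency concern. The following is an added example written for this page, not code from the PR or the project: a small guard class (`ElevatedExecGuard`, a hypothetical name) that performs the window reset, the limit check and the counter increment in one synchronous step, so no `await` can sit between reading the counter and bumping it, and emits one JSON audit line per decision. The option names, the `demo()` driver and its sample commands are constructed for illustration.

```typescript
// Added example (not the project's code): fixed-window rate guard with a
// stderr audit trail, in the style of the PR's elevated=full exec controls.
// All names here (ElevatedExecGuard, RateGuardOptions, demo) are assumptions.

interface RateGuardOptions {
  maxCommands: number;              // commands allowed per window (PR: 30)
  windowMs: number;                 // window length in ms (PR: 60_000)
  now?: () => number;               // injectable clock, for deterministic tests
  audit?: (line: string) => void;   // audit sink; default writes to stderr
}

interface GuardDecision {
  allowed: boolean;
  count: number;        // commands counted in the current window, after this call
  windowStart: number;  // start of the window the decision was made in
}

class ElevatedExecGuard {
  private windowStart = 0;
  private count = 0;
  private readonly max: number;
  private readonly windowMs: number;
  private readonly now: () => number;
  private readonly audit: (line: string) => void;

  constructor(opts: RateGuardOptions) {
    this.max = opts.maxCommands;
    this.windowMs = opts.windowMs;
    this.now = opts.now ?? (() => Date.now());
    // console.error writes to stderr, which the PR treats as the immutable trail.
    this.audit = opts.audit ?? ((line) => console.error(line));
  }

  // Decide and record in one synchronous method: there is no await between
  // reading `count` and incrementing it, so on a single Node event loop two
  // callers cannot interleave inside this critical section.
  check(sessionId: string, command: string): GuardDecision {
    const t = this.now();
    if (t - this.windowStart >= this.windowMs) {
      // New fixed window: reset the counter.
      this.windowStart = t;
      this.count = 0;
    }
    const allowed = this.count < this.max;
    if (allowed) this.count += 1;
    // Every attempt is logged, denied ones included, so abuse is visible.
    this.audit(JSON.stringify({
      ts: t, session: sessionId, elevated: "full",
      allowed, count: this.count, limit: this.max, command,
    }));
    return { allowed, count: this.count, windowStart: this.windowStart };
  }
}

// Driver with a fake clock and an in-memory audit sink (constructed sample data).
function demo(): { allowedCount: number; deniedCount: number; afterReset: boolean; auditLines: number } {
  const lines: string[] = [];
  let clock = 1_000_000;
  const guard = new ElevatedExecGuard({
    maxCommands: 30, windowMs: 60_000,
    now: () => clock, audit: (l) => lines.push(l),
  });
  let allowedCount = 0;
  let deniedCount = 0;
  for (let i = 0; i < 35; i++) {           // 35 commands 100 ms apart: 30 pass, 5 denied
    const d = guard.check("sess-1", `echo ${i}`);
    if (d.allowed) allowedCount++; else deniedCount++;
    clock += 100;
  }
  clock += 60_000;                          // advance past the window: counter resets
  const afterReset = guard.check("sess-1", "uptime").allowed;
  return { allowedCount, deniedCount, afterReset, auditLines: lines.length };
}
```

The guard keeps its state on an instance rather than at module level, so a caller decides how many windows exist (one per process, per session, or per elevated sandbox) instead of sharing a single implicit counter; the audit sink is injected so tests can capture lines while production code writes to stderr.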
