Fix: Enable write_file in Plan Mode via workspace policy

2026-04-02 17:31:05 -07:00 · 2026-02-18 05:27:04 +00:00
parent c1dfcd9a2d
commit 12ee556f3b
11 changed files with 300 additions and 17728 deletions
--- a/packages/cli/src/config/config.ts
+++ b/packages/cli/src/config/config.ts
@@ -713,9 +713,46 @@ export async function loadCliConfig(
    effectiveSettings,
    approvalMode,
    workspacePoliciesDir,
+    cwd,
  );
  policyEngineConfig.nonInteractive = !interactive;

+  // FIX: Ensure tools allowed by high-priority policy are NOT excluded from the registry.
+  // This allows users to re-enable tools like write_file in Plan Mode via policy.
+  // We ALSO need to remove the conflicting 'Settings (Tools Excluded)' rule from policyEngineConfig,
+  // otherwise PolicyEngine will still consider it excluded.
+  const policyAllowedTools = new Set<string>();
+  if (policyEngineConfig.rules) {
+    for (const rule of policyEngineConfig.rules) {
+      // Logic mirrors promptProvider.ts: Priority > 1.1 means user/admin tier (or high priority default)
+      if (
+        (rule.priority ?? 0) > 1.1 &&
+        (rule.decision === 'allow' || rule.decision === 'ask_user') &&
+        rule.toolName
+      ) {
+        policyAllowedTools.add(rule.toolName);
+      }
+    }
+
+    // Filter out conflicting Settings Exclude rules
+    policyEngineConfig.rules = policyEngineConfig.rules.filter((rule) => {
+      if (
+        rule.source === 'Settings (Tools Excluded)' &&
+        rule.toolName &&
+        policyAllowedTools.has(rule.toolName)
+      ) {
+        return false;
+      }
+      return true;
+    });
+  }
+
+  // If a tool is explicitly allowed by a high-priority policy, remove it from the exclusion list
+  // so it gets registered in ToolRegistry.
+  const finalExcludeTools = excludeTools.filter(
+    (t) => !policyAllowedTools.has(t),
+  );
+
  const defaultModel = PREVIEW_GEMINI_MODEL_AUTO;
  const specifiedModel =
    argv.model || process.env['GEMINI_MODEL'] || settings.model?.name;
@@ -776,8 +813,12 @@ export async function loadCliConfig(
    coreTools: settings.tools?.core || undefined,
    allowedTools: allowedTools.length > 0 ? allowedTools : undefined,
    policyEngineConfig,
+<<<<<<< HEAD
    policyUpdateConfirmationRequest,
    excludeTools,
+=======
+    excludeTools: finalExcludeTools,
+>>>>>>> 45fcd9869 (Fix: Enable write_file in Plan Mode via workspace policy)
    toolDiscoveryCommand: settings.tools?.discoveryCommand,
    toolCallCommand: settings.tools?.callCommand,
    mcpServerCommand,
--- a/packages/cli/src/config/policy.ts
+++ b/packages/cli/src/config/policy.ts
@@ -24,6 +24,7 @@ export async function createPolicyEngineConfig(
  settings: Settings,
  approvalMode: ApprovalMode,
  workspacePoliciesDir?: string,
+  workspaceDir?: string,
 ): Promise<PolicyEngineConfig> {
  // Explicitly construct PolicySettings from Settings to ensure type safety
  // and avoid accidental leakage of other settings properties.
@@ -35,7 +36,12 @@ export async function createPolicyEngineConfig(
    workspacePoliciesDir,
  };

-  return createCorePolicyEngineConfig(policySettings, approvalMode);
+  return createCorePolicyEngineConfig(
+    policySettings,
+    approvalMode,
+    undefined,
+    workspaceDir,
+  );
 }

 export function createPolicyUpdater(