From 2a5f79886362fc3fc32da5c5412a5c83efafadde Mon Sep 17 00:00:00 2001
From: ruomeng
Date: Thu, 9 Apr 2026 16:04:20 -0400
Subject: [PATCH] refactor(plan) Clean default plan toml (#25037)

---
 packages/core/src/policy/policies/plan.toml | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)

diff --git a/packages/core/src/policy/policies/plan.toml b/packages/core/src/policy/policies/plan.toml
index c468a79cb0..0cbe0a3e13 100644
--- a/packages/core/src/policy/policies/plan.toml
+++ b/packages/core/src/policy/policies/plan.toml
@@ -80,6 +80,9 @@ priority = 40
 modes = ["plan"]
 denyMessage = "You are in Plan Mode with access to read-only tools. Execution of scripts (including those from skills) is blocked."
 
+# Explicitly allowed tools in Plan Mode (interactive: ask user, non-interactive: deny)
+# Priority 50 overrides the catch-all (40) and also ensures we override default tier ALLOW rules (e.g. from read-only.toml).
+
 [[rule]]
 toolName = "*"
 mcpName = "*"
@@ -89,15 +92,6 @@ priority = 50
 modes = ["plan"]
 interactive = true
 
-[[rule]]
-toolName = "*"
-mcpName = "*"
-toolAnnotations = { readOnlyHint = true }
-decision = "deny"
-priority = 50
-modes = ["plan"]
-interactive = false
-
 # Allow specific subagents in Plan mode.
 # We use argsPattern to match the agent_name argument for invoke_agent.
 [[rule]]
@@ -115,13 +109,6 @@ priority = 50
 modes = ["plan"]
 interactive = true
 
-[[rule]]
-toolName = ["ask_user", "save_memory", "web_fetch", "activate_skill"]
-decision = "deny"
-priority = 50
-modes = ["plan"]
-interactive = false
-
 # Allow write_file and replace for .md files in the plans directory (cross-platform)
 # We split this into two rules to avoid ReDoS checker issues with nested optional segments.
 # This rule handles the case where there is a session ID in the plan file path
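Review bot: The comment added in the first hunk promises "non-interactive: deny" and credits priority 50 with overriding default-tier ALLOW rules, yet the two later hunks (-89,15 and -115,13) delete the only `interactive = false` deny rules at that priority, so a headless Plan Mode session now relies solely on the priority-40 catch-all. Whether that catch-all outranks the ALLOW rules in read-only.toml is not visible in this patch; if any of them resolves above 40, read-only-annotated MCP tools and `ask_user`, `save_memory`, `web_fetch`, `activate_skill` would be permitted without a prompt in non-interactive runs. I would confirm this with a non-interactive policy test for each removed tool name and state the dependency in the comment, e.g. `# Non-interactive sessions match none of the rules below and are denied by the priority-40 catch-all above.` The rule the new comment sits on continues outside the hunk, so its `decision` value could not be checked here.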