From 45cd51d3bffa69293acd5b642925df74ae57dbc0 Mon Sep 17 00:00:00 2001
From: Keith Schaab <keithsc@google.com>
Date: Mon, 6 Apr 2026 23:50:33 +0000
Subject: [PATCH] fix(policy): revert allowOverrides in plan mode to fix
 sandbox tests

---
 .../src/policy/policies/sandbox-default.toml  |  2 +-
 .../src/policy/sandboxPolicyManager.test.ts   | 37 +++++++++++++++++++
 .../core/src/policy/sandboxPolicyManager.ts   |  2 +-
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/packages/core/src/policy/policies/sandbox-default.toml b/packages/core/src/policy/policies/sandbox-default.toml
index 796902f0b4..994b775f11 100644
--- a/packages/core/src/policy/policies/sandbox-default.toml
+++ b/packages/core/src/policy/policies/sandbox-default.toml
@@ -2,7 +2,7 @@
 network = false
 readonly = true
 approvedTools = []
-allowOverrides = false
+allowOverrides = true
 
 [modes.default]
 network = false
diff --git a/packages/core/src/policy/sandboxPolicyManager.test.ts b/packages/core/src/policy/sandboxPolicyManager.test.ts
index 034ab68735..f10a3a2802 100644
--- a/packages/core/src/policy/sandboxPolicyManager.test.ts
+++ b/packages/core/src/policy/sandboxPolicyManager.test.ts
@@ -69,4 +69,41 @@ describe('SandboxPolicyManager', () => {
     const perms = manager.getCommandPermissions('npm');
     expect(perms.fileSystem?.read).toContain('/node_modules');
   });
+
+  describe('getModeConfig', () => {
+    it('should return default config for plan mode', () => {
+      const manager = new SandboxPolicyManager(configPath);
+      const config = manager.getModeConfig('plan');
+      expect(config.readonly).toBe(true);
+      expect(config.network).toBe(false);
+      // Regression test: allowOverrides must be true to support integration tests
+      // that use the sandbox manager manually with specific permissions.
+      expect(config.allowOverrides).toBe(true);
+    });
+
+    it('should return default config for default mode', () => {
+      const manager = new SandboxPolicyManager(configPath);
+      const config = manager.getModeConfig('default');
+      expect(config.readonly).toBe(false);
+      expect(config.network).toBe(false);
+      expect(config.allowOverrides).toBe(true);
+    });
+
+    it('should return default config for autoEdit mode', () => {
+      const manager = new SandboxPolicyManager(configPath);
+      const config = manager.getModeConfig('autoEdit');
+      expect(config.readonly).toBe(false);
+      expect(config.network).toBe(false);
+      expect(config.allowOverrides).toBe(true);
+    });
+
+    it('should return yolo config', () => {
+      const manager = new SandboxPolicyManager(configPath);
+      const config = manager.getModeConfig('yolo');
+      expect(config.readonly).toBe(false);
+      expect(config.network).toBe(true);
+      expect(config.allowOverrides).toBe(true);
+      expect(config.yolo).toBe(true);
+    });
+  });
 });
diff --git a/packages/core/src/policy/sandboxPolicyManager.ts b/packages/core/src/policy/sandboxPolicyManager.ts
index 8b3d9a5744..84b627eb92 100644
--- a/packages/core/src/policy/sandboxPolicyManager.ts
+++ b/packages/core/src/policy/sandboxPolicyManager.ts
@@ -64,7 +64,7 @@ export class SandboxPolicyManager {
                 network: false,
                 readonly: true,
                 approvedTools: [],
-                allowOverrides: false,
+                allowOverrides: true,
               },
               default: {
                 network: false,