From 61fd71dc293abe29adbdebd2781f1204cda87ab4 Mon Sep 17 00:00:00 2001
From: Adib234 <30782825+Adib234@users.noreply.github.com>
Date: Mon, 16 Mar 2026 20:34:30 -0400
Subject: [PATCH] fix(plan): allowlist get_internal_docs in Plan Mode (#22668)
---
 docs/cli/plan-mode.md | 3 ++-
 packages/cli/src/config/policy-engine.integration.test.ts | 6 ++++++
 packages/core/src/policy/policies/plan.toml | 3 ++-
 packages/core/src/policy/policies/read-only.toml | 2 +-
 packages/core/src/tools/tool-names.ts | 3 +++
 5 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/docs/cli/plan-mode.md b/docs/cli/plan-mode.md
index b46acaf966..379eb71030 100644
--- a/docs/cli/plan-mode.md
+++ b/docs/cli/plan-mode.md
@@ -120,7 +120,8 @@ These are the only allowed tools:
 [`list_directory`](../tools/file-system.md#1-list_directory-readfolder),
 [`glob`](../tools/file-system.md#4-glob-findfiles)
 - **Search:** [`grep_search`](../tools/file-system.md#5-grep_search-searchtext),
- [`google_web_search`](../tools/web-search.md)
+ [`google_web_search`](../tools/web-search.md),
+ [`get_internal_docs`](../tools/internal-docs.md)
 - **Research Subagents:**
 [`codebase_investigator`](../core/subagents.md#codebase-investigator),
 [`cli_help`](../core/subagents.md#cli-help-agent)
diff --git a/packages/cli/src/config/policy-engine.integration.test.ts b/packages/cli/src/config/policy-engine.integration.test.ts
index 71d5f49e59..847b47bbe3 100644
--- a/packages/cli/src/config/policy-engine.integration.test.ts
+++ b/packages/cli/src/config/policy-engine.integration.test.ts
@@ -346,6 +346,12 @@ describe('Policy Engine Integration Tests', () => {
 expect(
 (await engine.check({ name: 'list_directory' }, undefined)).decision,
 ).toBe(PolicyDecision.ALLOW);
+ expect(
+ (await engine.check({ name: 'get_internal_docs' }, undefined)).decision,
+ ).toBe(PolicyDecision.ALLOW);
+ expect(
+ (await engine.check({ name: 'cli_help' }, undefined)).decision,
+ ).toBe(PolicyDecision.ALLOW);
 
 // Other tools should be denied via catch all
 expect(
diff --git a/packages/core/src/policy/policies/plan.toml b/packages/core/src/policy/policies/plan.toml
index f7e59c5049..e0c70dc219 100644
--- a/packages/core/src/policy/policies/plan.toml
+++ b/packages/core/src/policy/policies/plan.toml
@@ -80,7 +80,8 @@ toolName = [
 "google_web_search",
 "activate_skill",
 "codebase_investigator",
- "cli_help"
+ "cli_help",
+ "get_internal_docs"
 ]
 decision = "allow"
 priority = 70
diff --git a/packages/core/src/policy/policies/read-only.toml b/packages/core/src/policy/policies/read-only.toml
index ad996864b2..8435e49d0b 100644
--- a/packages/core/src/policy/policies/read-only.toml
+++ b/packages/core/src/policy/policies/read-only.toml
@@ -53,6 +53,6 @@ decision = "allow"
 priority = 50
 
 [[rule]]
-toolName = ["codebase_investigator", "cli_help"]
+toolName = ["codebase_investigator", "cli_help", "get_internal_docs"]
 decision = "allow"
 priority = 50
\ No newline at end of file
diff --git a/packages/core/src/tools/tool-names.ts b/packages/core/src/tools/tool-names.ts
index 91b0574d9e..e818881662 100644
--- a/packages/core/src/tools/tool-names.ts
+++ b/packages/core/src/tools/tool-names.ts
@@ -266,6 +266,9 @@ export const PLAN_MODE_TOOLS = [
 WEB_SEARCH_TOOL_NAME,
 ASK_USER_TOOL_NAME,
 ACTIVATE_SKILL_TOOL_NAME,
+ GET_INTERNAL_DOCS_TOOL_NAME,
+ 'codebase_investigator',
+ 'cli_help',
 ] as const;
 
 /**
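Review bot: The added assertions cover `get_internal_docs` and `cli_help` but not `codebase_investigator`, which this commit also adds to `PLAN_MODE_TOOLS` in tool-names.ts; a matching check, `expect((await engine.check({ name: 'codebase_investigator' }, undefined)).decision).toBe(PolicyDecision.ALLOW);`, would keep the policy file and the code list pinned together. Each call passes only a tool name, so these checks pin the name-based allow and say nothing about how arguments are treated. The enclosing test case starts above the hunk and continues below it, so which approval mode it sets up is not visible here.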
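Review bot: `get_internal_docs` is allowed in this list by name alone, with no argument constraint, so if the tool accepts a path the only thing keeping its reads inside the bundled documentation is the tool's own path handling, which this patch does not show. It is worth confirming that the tool rejects absolute paths and `..` segments before it is auto-allowed, and recording that above the list with a comment such as `# get_internal_docs: read-only; path confinement is enforced by the tool itself`. The same applies to the one-line change in read-only.toml. The `[[rule]]` header for this list sits above the hunk.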
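Review bot: The commit subject and the docs change name only Plan Mode, yet this hunk also widens the read-only policy, and none of the added test assertions is visibly tied to that policy. A test that loads the read-only policy and checks that `get_internal_docs` resolves to ALLOW while a write tool is still denied would pin the intended scope. The commit description could also say that read-only.toml is affected, so the change is not missed when policies are audited.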
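Review bot: `'codebase_investigator'` and `'cli_help'` enter `PLAN_MODE_TOOLS` as bare string literals next to named constants, so the same two names are now spelled out independently here, in plan.toml and in read-only.toml, and a rename in one place would leave the code allowlist and the policy files disagreeing without any compile error. Referencing shared name constants for the two subagents, as is done for `GET_INTERNAL_DOCS_TOOL_NAME`, would close that gap; if none exist yet, a comment such as `// subagent names; keep in sync with policies/plan.toml` at least marks the coupling. The commit subject mentions only `get_internal_docs`, so the description could also state that the two subagents are being added to this list. The array opens above the hunk.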