feat(policy): allow 'modes' in user and admin policies (#15977)

packages/core/src/policy/toml-loader.test.ts

@@ -172,7 +172,7 @@ allow_redirection = true
       expect(result.errors).toHaveLength(0);
     });
 
-    it('should return error if modes property is used for Tier 2 and Tier 3 policies', async () => {
+    it('should support modes property for Tier 2 and Tier 3 policies', async () => {
       await fs.writeFile(
         path.join(tempDir, 'tier2.toml'),
         `
@@ -187,13 +187,10 @@ modes = ["autoEdit"]
       const getPolicyTier = (_dir: string) => 2; // Tier 2
       const result = await loadPoliciesFromToml([tempDir], getPolicyTier);
 
-      // It still transforms the rule, but it should also report an error
       expect(result.rules).toHaveLength(1);
       expect(result.rules[0].toolName).toBe('tier2-tool');
-      expect(result.rules[0].modes).toBeUndefined(); // Should be restricted
-      expect(result.errors).toHaveLength(1);
-      expect(result.errors[0].errorType).toBe('rule_validation');
-      expect(result.errors[0].message).toContain('Restricted property "modes"');
+      expect(result.rules[0].modes).toEqual(['autoEdit']);
+      expect(result.errors).toHaveLength(0);
     });
 
     it('should handle TOML parse errors', async () => {

packages/core/src/policy/toml-loader.ts

@@ -293,7 +293,6 @@ export async function loadPoliciesFromToml(
 
         // Validate shell command convenience syntax
         const tomlRules = validationResult.data.rule ?? [];
-        const tomlCheckers = validationResult.data.safety_checker ?? [];
 
         for (let i = 0; i < tomlRules.length; i++) {
           const rule = tomlRules[i];
@@ -310,36 +309,6 @@ export async function loadPoliciesFromToml(
             });
             // Continue to next rule, don't skip the entire file
           }
-
-          if (tier > 1 && rule.modes && rule.modes.length > 0) {
-            errors.push({
-              filePath,
-              fileName: file,
-              tier: tierName,
-              ruleIndex: i,
-              errorType: 'rule_validation',
-              message: 'Restricted property "modes"',
-              details: `Rule #${i + 1}: The "modes" property is currently reserved for Tier 1 (system) policies and cannot be used in ${tierName} policies.`,
-              suggestion: 'Remove the "modes" property from this rule.',
-            });
-          }
-        }
-
-        for (let i = 0; i < tomlCheckers.length; i++) {
-          const checker = tomlCheckers[i];
-          if (tier > 1 && checker.modes && checker.modes.length > 0) {
-            errors.push({
-              filePath,
-              fileName: file,
-              tier: tierName,
-              ruleIndex: i,
-              errorType: 'rule_validation',
-              message: 'Restricted property "modes" in safety checker',
-              details: `Safety Checker #${i + 1}: The "modes" property is currently reserved for Tier 1 (system) policies and cannot be used in ${tierName} policies.`,
-              suggestion:
-                'Remove the "modes" property from this safety checker.',
-            });
-          }
         }
 
         // Transform rules
@@ -375,7 +344,7 @@ export async function loadPoliciesFromToml(
                   toolName: effectiveToolName,
                   decision: rule.decision,
                   priority: transformPriority(rule.priority, tier),
-                  modes: tier === 1 ? rule.modes : undefined,
+                  modes: rule.modes,
                   allowRedirection: rule.allow_redirection,
                 };
 
@@ -440,7 +409,7 @@ export async function loadPoliciesFromToml(
                   toolName: effectiveToolName,
                   priority: checker.priority,
                   checker: checker.checker as SafetyCheckerConfig,
-                  modes: tier === 1 ? checker.modes : undefined,
+                  modes: checker.modes,
                 };
 
                 if (argsPattern) {