refactor(core): replace manual syncPlanModeTools with declarative policy rules (#20596)

packages/core/src/policy/policies/plan.toml

@@ -5,20 +5,21 @@
 #
 # Priority bands (tiers):
 # - Default policies (TOML): 1 + priority/1000 (e.g., priority 100 → 1.100)
-# - Workspace policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
-# - User policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
-# - Admin policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
+# - Extension policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
+# - Workspace policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
+# - User policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
+# - Admin policies (TOML): 5 + priority/1000 (e.g., priority 100 → 5.100)
 #
-# This ensures Admin > User > Workspace > Default hierarchy is always preserved,
+# This ensures Admin > User > Workspace > Extension > Default hierarchy is always preserved,
 # while allowing user-specified priorities to work within each tier.
 #
-# Settings-based and dynamic rules (all in user tier 3.x):
-#   3.95: Tools that the user has selected as "Always Allow" in the interactive UI
-#   3.9:  MCP servers excluded list (security: persistent server blocks)
-#   3.4:  Command line flag --exclude-tools (explicit temporary blocks)
-#   3.3:  Command line flag --allowed-tools (explicit temporary allows)
-#   3.2:  MCP servers with trust=true (persistent trusted servers)
-#   3.1:  MCP servers allowed list (persistent general server allows)
+# Settings-based and dynamic rules (all in user tier 4.x):
+#   4.95: Tools that the user has selected as "Always Allow" in the interactive UI
+#   4.9:  MCP servers excluded list (security: persistent server blocks)
+#   4.4:  Command line flag --exclude-tools (explicit temporary blocks)
+#   4.3:  Command line flag --allowed-tools (explicit temporary allows)
+#   4.2:  MCP servers with trust=true (persistent trusted servers)
+#   4.1:  MCP servers allowed list (persistent general server allows)
 #
 # TOML policy priorities (before transformation):
 #   10: Write tools default to ASK_USER (becomes 1.010 in default tier)
@@ -26,6 +27,33 @@
 #   70: Plan mode explicit ALLOW override (becomes 1.070 in default tier)
 #   999: YOLO mode allow-all (becomes 1.999 in default tier)
 
+# Mode Transitions (into/out of Plan Mode)
+
+[[rule]]
+toolName = "enter_plan_mode"
+decision = "ask_user"
+priority = 50
+
+[[rule]]
+toolName = "enter_plan_mode"
+decision = "deny"
+priority = 70
+modes = ["plan"]
+deny_message = "You are already in Plan Mode."
+
+[[rule]]
+toolName = "exit_plan_mode"
+decision = "ask_user"
+priority = 70
+modes = ["plan"]
+
+[[rule]]
+toolName = "exit_plan_mode"
+decision = "deny"
+priority = 50
+deny_message = "You are not currently in Plan Mode. Use enter_plan_mode first to design a plan."
+
+
 # Catch-All: Deny everything by default in Plan mode.
 
 [[rule]]
@@ -50,7 +78,7 @@ priority = 70
 modes = ["plan"]
 
 [[rule]]
-toolName = ["ask_user", "exit_plan_mode", "save_memory"]
+toolName = ["ask_user", "save_memory"]
 decision = "ask_user"
 priority = 70
 modes = ["plan"]

packages/core/src/policy/policies/read-only.toml

@@ -5,20 +5,21 @@
 #
 # Priority bands (tiers):
 # - Default policies (TOML): 1 + priority/1000 (e.g., priority 100 → 1.100)
-# - Workspace policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
-# - User policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
-# - Admin policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
+# - Extension policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
+# - Workspace policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
+# - User policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
+# - Admin policies (TOML): 5 + priority/1000 (e.g., priority 100 → 5.100)
 #
-# This ensures Admin > User > Workspace > Default hierarchy is always preserved,
+# This ensures Admin > User > Workspace > Extension > Default hierarchy is always preserved,
 # while allowing user-specified priorities to work within each tier.
 #
-# Settings-based and dynamic rules (all in user tier 3.x):
-#   3.95: Tools that the user has selected as "Always Allow" in the interactive UI
-#   3.9:  MCP servers excluded list (security: persistent server blocks)
-#   3.4:  Command line flag --exclude-tools (explicit temporary blocks)
-#   3.3:  Command line flag --allowed-tools (explicit temporary allows)
-#   3.2:  MCP servers with trust=true (persistent trusted servers)
-#   3.1:  MCP servers allowed list (persistent general server allows)
+# Settings-based and dynamic rules (all in user tier 4.x):
+#   4.95: Tools that the user has selected as "Always Allow" in the interactive UI
+#   4.9:  MCP servers excluded list (security: persistent server blocks)
+#   4.4:  Command line flag --exclude-tools (explicit temporary blocks)
+#   4.3:  Command line flag --allowed-tools (explicit temporary allows)
+#   4.2:  MCP servers with trust=true (persistent trusted servers)
+#   4.1:  MCP servers allowed list (persistent general server allows)
 #
 # TOML policy priorities (before transformation):
 #   10: Write tools default to ASK_USER (becomes 1.010 in default tier)

packages/core/src/policy/policies/write.toml

@@ -5,20 +5,21 @@
 #
 # Priority bands (tiers):
 # - Default policies (TOML): 1 + priority/1000 (e.g., priority 100 → 1.100)
-# - Workspace policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
-# - User policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
-# - Admin policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
+# - Extension policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
+# - Workspace policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
+# - User policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
+# - Admin policies (TOML): 5 + priority/1000 (e.g., priority 100 → 5.100)
 #
-# This ensures Admin > User > Workspace > Default hierarchy is always preserved,
+# This ensures Admin > User > Workspace > Extension > Default hierarchy is always preserved,
 # while allowing user-specified priorities to work within each tier.
 #
-# Settings-based and dynamic rules (all in user tier 3.x):
-#   3.95: Tools that the user has selected as "Always Allow" in the interactive UI
-#   3.9:  MCP servers excluded list (security: persistent server blocks)
-#   3.4:  Command line flag --exclude-tools (explicit temporary blocks)
-#   3.3:  Command line flag --allowed-tools (explicit temporary allows)
-#   3.2:  MCP servers with trust=true (persistent trusted servers)
-#   3.1:  MCP servers allowed list (persistent general server allows)
+# Settings-based and dynamic rules (all in user tier 4.x):
+#   4.95: Tools that the user has selected as "Always Allow" in the interactive UI
+#   4.9:  MCP servers excluded list (security: persistent server blocks)
+#   4.4:  Command line flag --exclude-tools (explicit temporary blocks)
+#   4.3:  Command line flag --allowed-tools (explicit temporary allows)
+#   4.2:  MCP servers with trust=true (persistent trusted servers)
+#   4.1:  MCP servers allowed list (persistent general server allows)
 #
 # TOML policy priorities (before transformation):
 #   10: Write tools default to ASK_USER (becomes 1.010 in default tier)

packages/core/src/policy/policies/yolo.toml

@@ -5,20 +5,21 @@
 #
 # Priority bands (tiers):
 # - Default policies (TOML): 1 + priority/1000 (e.g., priority 100 → 1.100)
-# - Workspace policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
-# - User policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
-# - Admin policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
+# - Extension policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
+# - Workspace policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
+# - User policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
+# - Admin policies (TOML): 5 + priority/1000 (e.g., priority 100 → 5.100)
 #
-# This ensures Admin > User > Workspace > Default hierarchy is always preserved,
+# This ensures Admin > User > Workspace > Extension > Default hierarchy is always preserved,
 # while allowing user-specified priorities to work within each tier.
 #
-# Settings-based and dynamic rules (all in user tier 3.x):
-#   3.95: Tools that the user has selected as "Always Allow" in the interactive UI
-#   3.9:  MCP servers excluded list (security: persistent server blocks)
-#   3.4:  Command line flag --exclude-tools (explicit temporary blocks)
-#   3.3:  Command line flag --allowed-tools (explicit temporary allows)
-#   3.2:  MCP servers with trust=true (persistent trusted servers)
-#   3.1:  MCP servers allowed list (persistent general server allows)
+# Settings-based and dynamic rules (all in user tier 4.x):
+#   4.95: Tools that the user has selected as "Always Allow" in the interactive UI
+#   4.9:  MCP servers excluded list (security: persistent server blocks)
+#   4.4:  Command line flag --exclude-tools (explicit temporary blocks)
+#   4.3:  Command line flag --allowed-tools (explicit temporary allows)
+#   4.2:  MCP servers with trust=true (persistent trusted servers)
+#   4.1:  MCP servers allowed list (persistent general server allows)
 #
 # TOML policy priorities (before transformation):
 #   10: Write tools default to ASK_USER (becomes 1.010 in default tier)
@@ -36,6 +37,15 @@ decision = "ask_user"
 priority = 999
 modes = ["yolo"]
 
+# Plan mode transitions are blocked in YOLO mode to maintain state consistency
+# and because planning currently requires human interaction (plan approval),
+# which conflicts with YOLO's autonomous nature.
+[[rule]]
+toolName = ["enter_plan_mode", "exit_plan_mode"]
+decision = "deny"
+priority = 999
+modes = ["yolo"]
+
 # Allow everything else in YOLO mode
 [[rule]]
 decision = "allow"