Skip to content

fix(harness): auto-inject ALLOW rules for plan mode tools#1960

Open
Buktal wants to merge 6 commits into
agentscope-ai:mainfrom
Buktal:fix/plan-mode-permission-coordination
Open

fix(harness): auto-inject ALLOW rules for plan mode tools#1960
Buktal wants to merge 6 commits into
agentscope-ai:mainfrom
Buktal:fix/plan-mode-permission-coordination

Conversation

@Buktal

@Buktal Buktal commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

AgentScope-Java Version

2.0.0-SNAPSHOT

Description

Problem:
Issue #1910 reported that PlanModeMiddleware whitelist and PermissionEngine were not coordinated. When enablePlanMode(true) is called, plan_enter, plan_write, and todo_write are in PlanModeMiddleware.ALWAYS_ALLOWED (execution-layer whitelist), but PermissionEngine still prompts ASK in DEFAULT mode because it has no awareness of plan mode context.

Root Cause:

  • PlanModeMiddleware controls onActing phase (execution gate)
  • PermissionEngine controls onReasoning phase (permission prompt)
  • They operate independently with no coordination

Solution:
When HarnessAgent.Builder.enablePlanMode(true) is called, automatically inject unconditional ALLOW rules for plan_enter, plan_write, and todo_write into PermissionContextState. plan_exit is deliberately excluded to preserve HITL (Human-in-the-Loop) confirmation semantics.

Changes:

  1. Add permissionContext mirror field in HarnessAgent.Builder (default: empty context)
  2. Modify permissionContext() setter to store locally instead of forwarding to inner immediately
  3. In build(): when planModeEnabled = true, merge user context + plan mode allow rules, then call inner.permissionContext() once
  4. When planModeEnabled = false, directly forward user context to inner (behavior unchanged)
  5. Add 6 tests verifying auto-injection behavior

Testing:

  • 6 new tests in HarnessAgentPlanModePermissionTest:
    • plan_enter / plan_write / todo_write get ALLOW rules ✅
    • plan_exit has no ALLOW rule (preserves ASK) ✅
    • User-configured rules are preserved ✅
    • No injection when plan mode disabled ✅
  • All 590 existing tests pass (Failures: 0)

Backward Compatibility:

  • planModeEnabled = false (default): behavior unchanged
  • User-configured permission rules are preserved and merged
  • User ASK rules take precedence over auto-injected ALLOW rules (PermissionEngine evaluation order)

Fixes #1910

Checklist

  • Code has been formatted with mvn spotless:apply
  • All tests are passing (590 tests, 0 failures)
  • Javadoc comments are complete
  • Documentation updated (inline comments explain the coordination)
  • Code is ready for review

When HarnessAgent.Builder.enablePlanMode(true) is called, plan_enter,
plan_write, and todo_write now get unconditional ALLOW rules injected
into PermissionContextState so PermissionEngine does not prompt ASK
under DEFAULT mode.

plan_exit deliberately excluded to preserve HITL confirmation.

Changes:
- Add permissionContext mirror field in HarnessAgent.Builder
- Modify permissionContext() setter to store locally instead of
  forwarding to inner immediately
- In build(): merge user context + plan mode allow rules, then set
  inner.permissionContext() once
- Add 6 tests verifying auto-injection behavior

Fixes agentscope-ai#1910
@Buktal Buktal requested a review from a team June 29, 2026 09:33
@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Buktal and others added 3 commits July 6, 2026 22:22
When a persisted session is loaded from AgentStateStore, the
PermissionEngine is rebuilt from the stored permissionContext which
may lack builder-time allow rules (e.g. plan-control tools injected
by HarnessAgent). This causes plan_enter/plan_write/todo_write to
fall back to ASK in DEFAULT mode on resumed sessions.

Fix: inject initialPermissionContext allow rules into the
PermissionEngine after construction, with dedup to avoid doubling
rules already present in persisted state.
@Buktal Buktal requested a review from jujn July 7, 2026 03:11
@AgentScopeJavaBot AgentScopeJavaBot added bug Something isn't working area/core/agent Agent runtime, pipeline, hooks, plan labels Jul 11, 2026

@AgentScopeJavaBot AgentScopeJavaBot left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Review

Auto-injects ALLOW rules for plan mode tools. Two concerns: (1) ensureInitialAllowRules only handles ALLOW, missing DENY/ASK; (2) only 3 of 9 ALWAYS_ALLOWED tools get PermissionEngine rules.

if (permCtx != null) {
asb.permissionContext(permCtx);
}
return asb.build();

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[minor] ensureInitialAllowRules only handles ALLOW rules. DENY/ASK rules from initial context are also lost on session restore. Consider extending or documenting scope.

PermissionContextState.Builder pb =
PermissionContextState.builder().mode(base.getMode());
base.getWorkingDirectories().forEach(pb::addWorkingDirectory);
base.getAllowRules()

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[minor] Only 3 of 9 PlanModeMiddleware.ALWAYS_ALLOWED tools get PermissionEngine ALLOW rules. Keep in sync or share constant.

Buktal added 2 commits July 13, 2026 10:24
…n-mode allow list

- Move rule re-insertion into PermissionEngine.ensureRulesFrom, covering
  allow/deny/ask symmetrically so DENY/ASK rules from the builder-time
  context survive session restore (previous version only handled ALLOW).
- Extract the plan-mode auto-allow subset as PLAN_CONTROL_AUTO_ALLOW_TOOLS
  in HarnessAgent with Javadoc documenting the deliberate divergence from
  PlanModeMiddleware.ALWAYS_ALLOWED: plan_exit stays HITL, and the
  subagent/task tools remain ASK-gated in DEFAULT mode.
- Tests: PermissionEngineTest.EnsureRulesFrom (allow/deny/ask, idempotence,
  null-safety) and HarnessAgentPlanModePermissionTest additions covering
  user deny/ask preservation and the end-to-end PermissionEngine decision
  for plan_write (ALLOW) vs plan_exit (ASK).
@Buktal Buktal requested a review from AgentScopeJavaBot July 13, 2026 03:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/core/agent Agent runtime, pipeline, hooks, plan bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]:Plan Mode 的“白名单机制”和“权限确认机制”没有联动

3 participants