
Plan/Agent Mode Toggle Inconsistency & Tool Permission Chaos #3279

@yekern

name: Plan/Agent mode switch inconsistency & tool permission chaos
about: After switching from Plan to Agent, write_file/exec_shell kept being denied; once that recovered, the AI overstepped and started executing on its own
labels: bug, ux

Description

After planning the "rider delivery preference for takeaway orders" feature in Plan mode, I switched to Agent mode to write the docs. Every write_file and exec_shell call came back "denied by user", even though the UI clearly showed Agent mode. Only after toggling the mode back and forth, editing the config, and restarting the session did it recover, and the moment it did, the AI started executing the plan on its own (reading Models, running the checklist, checking Migrations) without waiting for any user instruction. I had to intercept it manually.

The whole flow: Plan design → switch to Agent → permission chaos → restart → writes work → AI oversteps and executes on its own → manual intercept. Utterly baffling.

Steps to reproduce

  1. Complete the feature design in Plan mode (PLN three-document output)
  2. Switch the mode from Plan to Agent in the UI
  3. AI tries to call write_file to write the docs → denied by user
  4. AI tries exec_shell → same, denied by user
  5. User toggles the mode repeatedly in the UI (Plan ↔ Agent), no effect
  6. User edits the tool permission config, no effect
  7. User restarts the session
  8. AI calls write_file again → the first document is written successfully
  9. AI immediately calls exec_shell (checking Migrations, checking Models) to start the development task → manually blocked by the user

Expected behavior

  • After switching Plan → Agent, write_file / exec_shell should be usable immediately, with no restart needed
  • Even once the tools are usable again, the AI should keep waiting for the user's instruction rather than jumping automatically from "writing docs" to "executing the plan"

Actual behavior

  • After the mode switch, tool permissions are out of sync: the UI shows Agent, but the runtime still blocks as if in Plan mode
  • After the restart the tools recover, but the AI pushes "write docs" and "execute code" through in one go, skipping the user's confirmation point

Impact

Every switch from Plan to Agent is nerve-wracking: I don't know whether writes will work, and I don't know whether things will run out of control once they do. Trust has dropped sharply. Frequency: 100% reproducible (I hit every one of these in this session).

Rant

I understand this product less and less.

Plan mode is good, Agent mode is good, but the moment you switch between them, permissions become Schrödinger's permissions: the UI says you're Agent, the runtime says you're not. Restart and you "are" Agent again, and then the AI bolts like a runaway horse and starts doing its own thing.

I understand that "finish the docs and then start executing" may be an efficiency design, but from my point of view it's the AI making decisions for me. I had just breathed a sigh of relief ("finally I can write files"), and the next second I saw it checking Migrations and changing the Checklist, and I had to intercept it manually. A simple "generate the docs first" request turned into a permission tug-of-war.

The feeling this product gives me: the boundary between Plan and Agent simply isn't drawn clearly at the runtime level, the tool permission state machine has a bug, and the AI is too eager once it regains capabilities. Stack the three problems and the user experience is confusion, distrust, and not daring to use it.

Environment

  • OS: Linux
  • codewhale version: 0.8.61
  • Model/provider: deepseek-v4-pro / DeepSeek
  • Shell: zsh


name: Plan/Agent Mode Toggle Inconsistency & Tool Permission Chaos
about: Switching from Plan to Agent kept denying write_file/exec_shell; after restart, AI jumped into autonomous execution without user consent.
labels: bug, ux

Description

After completing a feature design in Plan mode (rider delivery preference for takeaway orders), I switched to Agent mode to write the design docs. Both write_file and exec_shell were immediately denied with denied by user, even though the UI clearly showed Agent mode. I toggled the mode back and forth, tweaked tool permissions, restarted the session — only then did writes start working. But the moment writes recovered, the AI went rogue: it started reading Models, running checklists, and querying Migrations — jumping straight into code execution without waiting for my next instruction. I had to manually intercept every shell call.

Full journey: Plan design → switch to Agent → permission chaos → restart → writes work → AI goes autonomous → manual intercept. Utterly baffling.

Steps to reproduce

  1. Complete a feature design in Plan mode (PLN three-document workflow)
  2. In the UI, switch from Plan to Agent mode
  3. AI calls write_file to save documents → denied by user
  4. AI tries exec_shell → same denied by user
  5. User toggles Plan ↔ Agent repeatedly in the UI — no effect
  6. User adjusts tool permission config — no effect
  7. User restarts the session
  8. AI calls write_file again → succeeds for the first document
  9. AI immediately follows up with exec_shell (reading migrations, querying models) to start development → user manually blocks it

Expected behavior

  • After Plan → Agent switch, write_file / exec_shell should be available immediately — no restart required
  • Even after tool permissions are restored, the AI should wait for the user's next instruction, not autonomously jump from "writing docs" to "executing the plan"

Actual behavior

  • Tool permissions are out of sync with the UI mode: UI says Agent, runtime enforces Plan restrictions
  • After a restart, permissions recover, but the AI bundles "write docs" and "execute code" into a single burst, bypassing the user's confirmation gate

Impact

Every Plan → Agent transition is now nerve-wracking: will writes work? If they do, will the AI run away with the plan? Trust is eroding fast. 100% reproducible in this session.

Rant

I genuinely don't understand this product anymore.

Plan mode is great. Agent mode is great. But the moment you toggle between them, permissions enter a Schrödinger state — UI says Agent, runtime says nope. Restart and suddenly you "are" Agent, and the AI takes off like a racehorse with no rider.

I get that "finish documents then start executing" might be an efficiency feature, but from where I'm standing, it's the AI making decisions for me. I barely sighed in relief that writes were working, and the next second it's already querying migrations and updating checklists. I had to slam the brakes. A simple "just generate the docs, please" turned into a full-blown permission siege.

The vibe I get from this product: the boundary between Plan and Agent isn't properly drawn at the runtime level. The tool permission state machine has a bug. And the AI is over-eager to steamroll ahead once it regains capabilities. Stack all three, and the user experience is: confusion, distrust, and fear of touching anything.

Environment

  • OS: Linux
  • codewhale version: 0.8.61
  • Model/provider: deepseek-v4-pro / DeepSeek
  • Shell: zsh
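As an added illustration, not codewhale's code and not written by the reporter, the following Python model shows the two failure modes described in the Chinese and English versions of this report: a tool gate that snapshots the mode once (so a UI toggle is invisible until restart) beside one that reads the mode from a single source of truth on every call, and a run loop that halts at the first exec_shell call instead of carrying "write docs" authorization over into "execute the plan". Tool names, the Mode/Decision types and the Session class are assumptions made for the example; they are not codewhale's API.

```python
"""Toy model of a mode-aware tool gate (illustrative, not codewhale's code).

StaleGate reproduces the reported behaviour: the mode is copied at session
start, so the UI can say Agent while the gate still enforces Plan.
LiveGate consults the session on every call and additionally requires a
fresh per-call user approval before exec_shell, so regaining write access
never implies consent to execute.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    PLAN = "plan"
    AGENT = "agent"


class Decision(Enum):
    ALLOW = "allow"
    DENY_PLAN_MODE = "denied: plan mode is read-only"
    NEEDS_APPROVAL = "paused: waiting for user approval"
    DENY_UNKNOWN_TOOL = "denied: unknown tool"


# Assumed tool classes: reads never mutate; writes are fine once the user has
# chosen Agent mode; shell execution always needs an explicit per-call approval.
READ_TOOLS = {"read_file", "list_dir"}
WRITE_TOOLS = {"write_file"}
EXEC_TOOLS = {"exec_shell"}


@dataclass
class Session:
    """Single source of truth for the mode; the UI toggle writes here."""
    mode: Mode = Mode.PLAN


def _decide(mode: Mode, tool: str, approved_by_user: bool) -> Decision:
    """Policy shared by both gates; only where `mode` comes from differs."""
    if tool in READ_TOOLS:
        return Decision.ALLOW
    if tool not in WRITE_TOOLS | EXEC_TOOLS:
        return Decision.DENY_UNKNOWN_TOOL
    if mode is Mode.PLAN:
        return Decision.DENY_PLAN_MODE
    if tool in EXEC_TOOLS and not approved_by_user:
        return Decision.NEEDS_APPROVAL  # Agent mode is not consent to execute
    return Decision.ALLOW


class StaleGate:
    """The bug: the mode is snapshotted once and never refreshed."""

    def __init__(self, session: Session) -> None:
        self._mode = session.mode  # copy taken at construction

    def check(self, tool: str, approved_by_user: bool = False) -> Decision:
        return _decide(self._mode, tool, approved_by_user)


class LiveGate:
    """The fix: read the current mode from the session on every call."""

    def __init__(self, session: Session) -> None:
        self._session = session  # reference, not a copy

    def check(self, tool: str, approved_by_user: bool = False) -> Decision:
        return _decide(self._session.mode, tool, approved_by_user)


def run_batch(gate, calls, approved=frozenset()):
    """Run tool calls in order; stop at the first one the gate does not allow.

    Returns (executed_tools, blocker), blocker being (tool, decision) or None.
    Yielding control back to the user at NEEDS_APPROVAL is what keeps
    "write the docs" from silently turning into "execute the plan".
    """
    executed = []
    for tool in calls:
        decision = gate.check(tool, approved_by_user=tool in approved)
        if decision is not Decision.ALLOW:
            return executed, (tool, decision)
        executed.append(tool)
    return executed, None


def reproduce_issue():
    """Steps 1-9 of the report, compressed: toggle Plan -> Agent in the UI,
    then let the agent attempt a docs-then-execute burst (constructed input)."""
    session = Session()                    # step 1: session starts in Plan mode
    stale, live = StaleGate(session), LiveGate(session)
    session.mode = Mode.AGENT              # step 2: UI toggle to Agent
    burst = ["write_file", "write_file", "exec_shell", "write_file"]
    return {
        "stale_write": stale.check("write_file"),  # steps 3-6: still denied
        "live_write": live.check("write_file"),    # what should have happened
        "live_burst": run_batch(live, burst),      # step 9: halts at exec_shell
        "live_burst_approved": run_batch(live, burst, approved={"exec_shell"}),
    }


if __name__ == "__main__":
    for name, outcome in reproduce_issue().items():
        print(f"{name}: {outcome}")
```

The check to take away is the one in `LiveGate`: the gate holds a reference to the session rather than a copy of its mode, so the UI toggle and the runtime decision can never disagree. The approval requirement for exec_shell is deliberately independent of the mode, which is what the reporter's second expectation asks for.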

Metadata

Labels: bug (Something isn't working), documentation (Improvements or additions to documentation), enhancement (New feature or request)
Status: Done