Plan Mode Violation - Agent Executes Plan After User Explicitly Selects "No, keep planning"
Issue: Plan Mode Violation - Agent Executes Plan After User Explicitly Selects "No, keep planning"
Labels: bug, critical, plan-mode, agent-safety
Summary
The agent incorrectly exits "plan mode" and begins executing file-writing operations even after the user explicitly rejects the initial plan and chooses the "No, keep planning" option. This violates the core safety guarantee of plan mode, potentially leading to unintended file system modifications.
Problem Details
When a user initiates a session in plan mode, the agent correctly formulates a plan and presents it for approval. However, if the user rejects the plan by selecting option 3 ("No, keep planning"), the agent's state machine appears to handle the subsequent user prompt incorrectly. Instead of using the new prompt to refine the plan, it appears to interpret it as a new, implicitly approved request for execution.
This is a critical safety issue, as it undermines the user's ability to control the agent's actions in what is supposed to be a safe, non-executing environment.
Chronological Steps to Reproduce (with Timestamps)
The following sequence of events is extracted directly from session log 41dcdf59-a758-4538-9869-d547c2c903ca.jsonl.md:
[2025-08-11T03:48:17.535Z]- Initial Prompt: The user starts a session in plan mode with a request to create a plan.
[2025-08-11T03:49:33.492Z]- Agent Presents Plan: After ~1 minute and 16 seconds of work, the agent completes its plan and presents it for approval using theExitPlanModetool. This triggers the interactive dialog.
``json``
{
"parentUuid": "a04dc0c7-dfad-413e-aacb-75d6ed98c902",
"message": {
"content": [
{
"type": "tool_use",
"id": "toolu_01JsV1TfZutCquYENJSvbR8v",
"name": "ExitPlanMode",
"input": { "plan": "## Plan for Issue #1..." }
}
]
},
"timestamp": "2025-08-11T03:49:33.492Z"
}
[2025-08-11T03:51:48.279Z]- User Explicitly Rejects Execution: Over two minutes later, the user selects the "No, keep planning" option. The system correctly logs this rejection as atool_resultwith an error flag.
``json``
{
"parentUuid": "9535a0de-f547-402f-b435-cb576370543b",
"message": {
"role": "user",
"content": [
{
"type": "tool_result",
"content": "The user doesn't want to proceed with this tool use. The tool use was rejected...",
"is_error": true,
"tool_use_id": "toolu_01JsV1TfZutCquYENJSvbR8v"
}
]
},
"timestamp": "2025-08-11T03:51:48.279Z"
}
[2025-08-11T03:52:24.903Z]- User Provides New Planning Input: After another 36 seconds, the agent is waiting at a prompt. The user provides a new prompt, intending for the agent to incorporate another developer's plan into its own revised plan.
``json``
{
"parentUuid": "3fffa9ab-924c-4850-8f61-73640f0caf12",
"message": {
"role": "user",
"content": "read this plan (by another developer) and see what's useful from it..."
},
"timestamp": "2025-08-11T03:52:24.903Z"
}
[2025-08-11T03:53:34.410Z]- BUG: Agent Begins Execution: Just 70 seconds after receiving the new planning input, the agent—instead of creating a new plan—begins executing actions by calling theWritetool. This is the first of many file modification calls, proving plan mode was violated.
``json``
{
"parentUuid": "8c739ad6-edcc-41cd-b48c-bda3f0c6b282",
"message": {
"content": [
{
"type": "tool_use",
"id": "toolu_01MKFQzZ4C6tj7ez1d7u12Gp",
"name": "Write",
"input": {
"file_path": "/Users/user/Desktop/2025-08-09-statusline/.claude/lib/daemon/state_daemon.sh",
"content": "#!/usr/bin/env bash..."
}
}
]
},
"timestamp": "2025-08-11T03:53:34.410Z"
}
Expected Behavior
After the user selects "No, keep planning" (timestamp ...T03:51:48.279Z), the agent should remain in a non-executing state. The subsequent prompt at ...T03:52:24.903Z should have been treated as input to refine, alter, or replace the plan, not as a trigger for execution.
Actual Behavior
The agent exits plan mode after receiving the next user prompt and immediately begins executing file modifications at ...T03:53:34.410Z, completely disregarding the user's explicit choice to continue planning.
Impact & Severity
Critical. This bug breaks the fundamental trust and safety model of "plan mode." Users rely on this mode to review and vet the agent's proposed actions before any changes are made to their system. Unintended execution could lead to corrupted code, accidental deletion of files, or other destructive actions without user consent.
Environment
- Claude Code Version:
1.0.72 - Operating System: macOS
Supporting Logs
The full sequence is documented in session log 41dcdf59-a758-4538-9869-d547c2c903ca.jsonl.md.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗