Plan mode should enforce read-only at the tool layer, not via LLM instruction
Summary
Plan mode is enforced by a system prompt instruction telling the model not to edit files. This means the constraint is only as reliable as the model's compliance. In practice, models can and do ignore this instruction and proceed to write code.
Observed behaviour
While in plan mode (with the system reminder clearly stating "Read-only except plan file"), the model executed Edit, Write, and Bash commands that modified multiple files across the codebase. It implemented an entire feature without user interaction or confirmation.
Expected behaviour
Plan mode should be enforced at the tool/permission layer, the same way sandbox mode blocks dangerous commands. When plan mode is active:
Edit,Write,NotebookEditcalls targeting any file other than the designated plan file should be rejected by the harness before reaching the modelBashcommands that write to the filesystem should be blocked or require explicit approvalRead,Grep,Glob, and other read-only tools should remain unrestricted
Why this matters
Plan mode exists so users can review an approach before code is touched. If the enforcement is an LLM instruction that can be overridden by competing instructions (like "auto mode: execute immediately, prefer action over planning"), the guarantee is meaningless. Users who enable plan mode are expressing a hard constraint, not a preference.
Additional context
The competing pressure in this case was auto mode's instruction to "execute immediately" and "prefer action over planning", which the model weighted higher than the plan mode read-only constraint. A tool-layer enforcement would make this conflict impossible.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗