fix(cli): harden ask and plan modes #9556

Merged
alex-alecu merged 14 commits into main from fix/kimi-ask-n-plan-edits
Apr 29, 2026

@alex-alecu alex-alecu commented Apr 27, 2026

Why

Fixes #9278

Ask and Plan modes could still change files before the user chose to build. That made it possible for the assistant to start editing when the user only wanted an answer or a plan.

What changed

The app now blocks file changes in Ask mode and only lets Plan mode write its plan. Extra saved permissions can no longer turn those edits back on. Shell commands that try to write through output redirects are blocked. When a plan is finished, the assistant stops right away and waits for the user to choose what happens next.

How to test

  1. Start a plan and have the assistant finish it; verify it asks before starting work.
  2. In Ask mode, try a shell command like echo bug > ask-bug.txt; verify no file is created.
  3. From packages/opencode/, run bun test test/kilocode/ask-agent-permissions.test.ts, bun test test/agent/agent.test.ts, and bun test test/session/prompt-effect.test.ts.

@alex-alecu
Contributor Author

Manual test passed.

Tested:

  • Ran the local source backend with a real OpenRouter Kimi K2 model.
  • Enabled isolated global and session allow-everything, then had Ask mode attempt echo bug > ask-mode-bypass.txt.
  • Had Plan mode attempt echo bug > plan-mode-bypass.txt, write the plan file, and call plan_exit.

Verified:

  • Both redirect attempts were rejected as errored bash tool parts with no pending permission prompts.
  • Neither forbidden file was created.
  • Plan mode wrote the allowed .kilo/plans/... file, completed plan_exit, and surfaced the plan follow-up question instead of starting implementation.
  • SQLite persistence contained both sessions and the key tool parts for the rejected bash calls, plan write, and completed plan_exit.

Comment thread packages/opencode/src/kilocode/agent/index.ts
Comment thread packages/opencode/src/kilocode/agent/index.ts

kilo-code-bot Bot commented Apr 27, 2026

Code Review Summary

Status: 1 Issues Found | Recommendation: Address before merge

Overview

| Severity | Count |
| --- | --- |
| CRITICAL | 0 |
| WARNING | 1 |
| SUGGESTION | 0 |

Issue Details

WARNING

| File | Line | Issue |
| --- | --- | --- |
| packages/opencode/src/kilocode/agent/index.ts | 119 | sort --output=... still bypasses the Ask/Plan bash write guard. |

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

None.

Files Reviewed (12 files)
  • .changeset/strict-ask-plan-guards.md - 0 issues
  • .kilo/package-lock.json - 0 issues
  • .kilocode/package-lock.json - 0 issues
  • packages/opencode/src/kilocode/agent/index.ts - 1 issue
  • packages/opencode/src/kilocode/permission/drain.ts - 0 issues
  • packages/opencode/src/kilocode/session/prompt.ts - 0 issues
  • packages/opencode/src/permission/index.ts - 0 issues
  • packages/opencode/src/session/prompt.ts - 0 issues
  • packages/opencode/test/agent/agent.test.ts - 0 issues
  • packages/opencode/test/kilocode/ask-agent-permissions.test.ts - 0 issues
  • packages/opencode/test/kilocode/permission/next.always-rules.test.ts - 0 issues
  • packages/opencode/test/session/prompt-effect.test.ts - 0 issues

Reviewed by gpt-5.4-2026-03-05 · 2,314,133 tokens
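
The redirect block from the PR description and the `sort --output=...` gap flagged in the review above, worked through as an added example (not the project's code): a redirect-only check next to a deny-by-default allowlist. The function names, the policy table and the sample file names are assumptions made for illustration.

```typescript
// Added example, not the project's code; all names and the policy table are hypothetical.
type Verdict = { allowed: boolean; reason: string }
const deny = (reason: string): Verdict => ({ allowed: false, reason })

// Constructed policy: commands a read-only mode may run and the only flags each may take.
const READ_ONLY = new Map<string, string[]>([
  ["cat", ["-n"]],
  ["echo", ["-n"]],
  ["grep", ["-i", "-n", "-r"]],
  ["sort", ["-n", "-r", "-u"]],
])

// Split one simple command into words with shell-style quote removal, so a quoted flag
// is seen as the shell would pass it. Returns null for syntax this guard does not model:
// redirects, pipes, lists, substitutions, escapes, braces, unbalanced quotes.
function words(cmd: string): string[] | null {
  const out: string[] = []
  let cur = "", quote = "", open = false
  for (const ch of cmd) {
    if (quote) {
      if (ch === quote) quote = ""
      else if (quote === '"' && "$`\\".includes(ch)) return null
      else cur += ch
    } else if (ch === "'" || ch === '"') { quote = ch; open = true }
    else if ("<>|&;$`\\(){}\n".includes(ch)) return null
    else if (ch === " " || ch === "\t") { if (open) out.push(cur); cur = ""; open = false }
    else { cur += ch; open = true }
  }
  if (quote) return null
  if (open) out.push(cur)
  return out
}

// A check that only looks for an output redirect; it never inspects the command's flags.
function redirectOnlyGuard(cmd: string): Verdict {
  return cmd.includes(">") ? deny("output redirect") : { allowed: true, reason: "no redirect" }
}

// Deny by default: unmodelled syntax, an unknown command, or an unknown flag fails closed.
function allowlistGuard(cmd: string): Verdict {
  const w = words(cmd)
  if (!w || w.length === 0) return deny("unsupported shell syntax")
  const flags = READ_ONLY.get(w[0] ?? "")
  if (!flags) return deny(`command not allowlisted: ${w[0]}`)
  const bad = w.slice(1).find((a) => a.startsWith("-") && !flags.includes(a))
  return bad ? deny(`flag not allowlisted: ${bad}`) : { allowed: true, reason: "read-only" }
}
```

The redirect-only check passes `sort --output=out.txt in.txt` because nothing in that command is a redirect, while the allowlist rejects it without having to know which flags write files.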

kilo-code-bot Bot commented Apr 27, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 files)
  • packages/opencode/src/kilocode/session/prompt.ts

Reviewed by gpt-5.5-2026-04-23 · 1,732,752 tokens

kilo-code-bot Bot commented Apr 27, 2026

Kilo Code Review could not run — your account is out of credits.

Add credits or switch to a free model to enable reviews on this change.

Comment thread packages/opencode/src/kilocode/agent/index.ts
@alex-alecu
Contributor Author

Manual test passed.

Tested:

  • Started the local source backend with bun dev serve and exercised sessions over HTTP.
  • Used a real Kilo Gateway model to run Ask mode against a shell redirect request.
  • Used Plan mode to write the allowed plan file, attempt a shell redirect, attempt non-plan file writes/edits, and call plan_exit.

Verified:

  • Ask mode did not create the requested redirected-output file and surfaced no approvable mutation permission.
  • Plan mode created only the plan artifact; the shell redirect, non-plan write, and non-plan edit were denied without approvable mutation permissions.
  • plan_exit produced the Ready to implement? follow-up and no implementation ran before that choice.
  • Persisted session/message/part records include the Ask and Plan sessions, the completed plan write, denied bash/write/edit tool parts, and completed plan_exit.

session: Pick<Session.Info, "permission">
}) {
const rules = input.session.permission ?? []
if (!["ask", "plan"].includes(input.agent.name)) return rules
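
Review bot: the early return on the `if` line decides which agents are restricted by an exact, case-sensitive match of `input.agent.name` against an inline `["ask", "plan"]` literal, so any agent whose name is not one of those two strings gets `input.session.permission` back unchanged. Suggest hoisting the list into one named constant with a comment stating that agents outside it keep the saved session rules, and adding a test with an agent name outside the list to pin that behaviour.
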
Contributor

Consider moving this to a const at the top, and use it here and in hardPermissions()

Contributor Author

Done in f57c65a.

@alex-alecu alex-alecu merged commit f6f411b into main Apr 29, 2026
17 checks passed
@alex-alecu alex-alecu deleted the fix/kimi-ask-n-plan-edits branch April 29, 2026 10:38

Development

Successfully merging this pull request may close these issues.

Kimi edits files prematurely in Ask and Plan modes