diff --git a/packages/core/src/agent/presets/plan.ts b/packages/core/src/agent/presets/plan.ts
index 78b8780..4c96525 100644
--- a/packages/core/src/agent/presets/plan.ts
+++ b/packages/core/src/agent/presets/plan.ts
@@ -16,29 +16,38 @@ export const planAgent: Omit<AgentInfo, 'name'> = {
   mode: 'primary',
   // prompt 留空，由 SystemPrompt.plan() + SystemPrompt.provider() 组合
   tools: {
-    disabled: [
-      // 文件写入操作
-      'write_file',
-      'edit_file',
-      'delete_file',
-      'move_file',
-      'copy_file',
-      'create_directory',
-      'multi_edit',
-      // 注意：bash 不再禁用，改用细粒度权限控制
-      // Git 写操作
-      'git_add',
-      'git_commit',
-      'git_push',
-      'git_pull',
-      'git_checkout',
-      'git_stash',
-      // checkpoint 操作（会修改状态）
-      'checkpoint_create',
-      'checkpoint_restore',
-      'undo',
-      // 工具发现（Plan 模式不应动态发现新工具）
-      'tool_search',
+    enabled: [
+      // 文件读取（只读）
+      'read_file',
+      'list_directory',
+      'search_files',
+      'grep_content',
+      'get_file_info',
+      // Git 只读
+      'git_status',
+      'git_diff',
+      'git_log',
+      'git_branch',
+      // Shell（配合 bash 权限规则）
+      'bash',
+      // Checkpoint 只读
+      'checkpoint_list',
+      'checkpoint_diff',
+      // Task 调用子代理
+      'task',
+      'agent_output',
+      // Web 搜索
+      'web_search',
+      'web_extract',
+      // Todo 管理
+      'todoread',
+      'todowrite',
+      // Plan 模式响应
+      'plan_mode_respond',
+      // 代码分析
+      'repo_map',
+      'skill',
+      'skill_search',
     ],
   },
   permission: {
@@ -51,53 +60,9 @@ export const planAgent: Omit<AgentInfo, 'name'> = {
     bash: {
       enabled: true,
       rules: [
-        // ============================================================
-        // 重要：deny 规则必须放在 allow 规则之前，确保优先匹配！
-        // ============================================================
+        // 只读操作 - 允许（其他命令默认 ask）
 
-        // ============ 危险命令 - 拒绝 ============
-        { pattern: 'rm *', action: 'deny' },
-        { pattern: 'rmdir *', action: 'deny' },
-        { pattern: 'mv *', action: 'deny' },
-        { pattern: 'cp *', action: 'deny' },
-        { pattern: 'mkdir *', action: 'deny' },
-        { pattern: 'touch *', action: 'deny' },
-        { pattern: 'chmod *', action: 'deny' },
-        { pattern: 'chown *', action: 'deny' },
-        { pattern: 'sudo *', action: 'deny' },
-        { pattern: 'su *', action: 'deny' },
-        { pattern: 'ln *', action: 'deny' },
-        { pattern: 'install *', action: 'deny' },
-        { pattern: 'truncate *', action: 'deny' },
-        { pattern: 'dd *', action: 'deny' },
-        { pattern: 'tee *', action: 'deny' },
-
-        // ============ 重定向操作 - 拒绝（必须在 cat/echo 等允许规则之前）============
-        { pattern: '* > *', action: 'deny' },
-        { pattern: '* >> *', action: 'deny' },
-        { pattern: '* << *', action: 'deny' }, // heredoc 重定向
-
-        // ============ Git 写操作 - 拒绝 ============
-        { pattern: 'git add *', action: 'deny' },
-        { pattern: 'git commit *', action: 'deny' },
-        { pattern: 'git push *', action: 'deny' },
-        { pattern: 'git pull *', action: 'deny' },
-        { pattern: 'git checkout *', action: 'deny' },
-        { pattern: 'git reset *', action: 'deny' },
-        { pattern: 'git rebase *', action: 'deny' },
-        { pattern: 'git merge *', action: 'deny' },
-        { pattern: 'git stash *', action: 'deny' },
-        { pattern: 'git clean *', action: 'deny' },
-
-        // ============ find 危险操作 - 拒绝 ============
-        { pattern: 'find * -delete*', action: 'deny' },
-        { pattern: 'find * -exec*', action: 'deny' },
-
-        // ============================================================
-        // 以下为只读操作的 allow 规则
-        // ============================================================
-
-        // ============ 文件查看 - 允许 ============
+        // ============ 文件查看 ============
         { pattern: 'ls', action: 'allow' },
         { pattern: 'ls *', action: 'allow' },
         { pattern: 'pwd', action: 'allow' },
@@ -107,14 +72,14 @@ export const planAgent: Omit<AgentInfo, 'name'> = {
         { pattern: 'less *', action: 'allow' },
         { pattern: 'more *', action: 'allow' },
 
-        // ============ 搜索 - 允许 ============
+        // ============ 搜索 ============
         { pattern: 'find *', action: 'allow' },
         { pattern: 'grep *', action: 'allow' },
         { pattern: 'rg *', action: 'allow' },
         { pattern: 'tree', action: 'allow' },
         { pattern: 'tree *', action: 'allow' },
 
-        // ============ 文件信息 - 允许 ============
+        // ============ 文件信息 ============
         { pattern: 'wc *', action: 'allow' },
         { pattern: 'stat *', action: 'allow' },
         { pattern: 'file *', action: 'allow' },
@@ -123,14 +88,14 @@ export const planAgent: Omit<AgentInfo, 'name'> = {
         { pattern: 'which *', action: 'allow' },
         { pattern: 'whereis *', action: 'allow' },
 
-        // ============ 文本处理（只读）- 允许 ============
+        // ============ 文本处理（只读） ============
         { pattern: 'sort *', action: 'allow' },
         { pattern: 'uniq *', action: 'allow' },
         { pattern: 'cut *', action: 'allow' },
         { pattern: 'awk *', action: 'allow' },
         { pattern: 'sed -n *', action: 'allow' }, // 只允许 -n (不修改)
 
-        // ============ Git 只读 - 允许 ============
+        // ============ Git 只读 ============
         { pattern: 'git status', action: 'allow' },
         { pattern: 'git status *', action: 'allow' },
         { pattern: 'git diff', action: 'allow' },