From 3ab4ff1d8f770a75da665b9502a4ff9d3b8d9519 Mon Sep 17 00:00:00 2001
From: Gio Della-Libera
Date: Tue, 2 Jun 2026 13:11:06 -0700
Subject: [PATCH] fix(policy): reject unsupported tools policy stubs
---
 extensions/policy/src/doctor/register.test.ts | 10 +++++++++
 extensions/policy/src/doctor/register.ts | 22 -------------------
 2 files changed, 10 insertions(+), 22 deletions(-)
diff --git a/extensions/policy/src/doctor/register.test.ts b/extensions/policy/src/doctor/register.test.ts
index d6085e8bc597..bc301dbed2bf 100644
--- a/extensions/policy/src/doctor/register.test.ts
+++ b/extensions/policy/src/doctor/register.test.ts
@@ -1005,6 +1005,16 @@ describe("registerPolicyDoctorChecks", () => {
 policy: { tools: { execPolicy: { allowHosts: ["sandbox"] } } },
 target: "oc://policy.jsonc/tools/execPolicy",
 },
+ {
+ label: "tools settings",
+ policy: { tools: { settings: {} } },
+ target: "oc://policy.jsonc/tools/settings",
+ },
+ {
+ label: "tools entries",
+ policy: { tools: { entries: [] } },
+ target: "oc://policy.jsonc/tools/entries",
+ },
 {
 label: "tools profile",
 policy: { tools: { profiles: { deny: ["full"] } } },
diff --git a/extensions/policy/src/doctor/register.ts b/extensions/policy/src/doctor/register.ts
index 4d2fbbccb56d..9082e2dd0fe0 100644
--- a/extensions/policy/src/doctor/register.ts
+++ b/extensions/policy/src/doctor/register.ts
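Review bot: The two rows added to the table in register.test.ts only exercise well-formed stubs (`settings: {}` and `entries: []`), so nothing pins how a malformed value is reported now that the dedicated shape checks in register.ts are removed. A row such as `policy: { tools: { settings: "x" } }` with the same `oc://policy.jsonc/tools/settings` target, plus one with a non-array `entries`, would confirm these keys are rejected whatever their value type; this assumes the unsupported-key check does not inspect the value, which is not visible here. The table and the assertion that consumes `label`/`policy`/`target` start outside this hunk, so the expected finding message cannot be checked from these lines.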
@@ -1667,26 +1667,6 @@ export function policyContainerShapeFindings(
 ];
 }
 if (isRecord(policy.tools)) {
- if (policy.tools.settings !== undefined && !isRecord(policy.tools.settings)) {
- return [
- policyShapeFinding(
- policyPath,
- `oc://${policyDocName}/tools/settings`,
- `${policyPath} tools.settings must be an object.`,
- `Fix ${policyPath} so tools.settings is an object.`,
- ),
- ];
- }
- if (policy.tools.entries !== undefined && !Array.isArray(policy.tools.entries)) {
- return [
- policyShapeFinding(
- policyPath,
- `oc://${policyDocName}/tools/entries`,
- `${policyPath} tools.entries must be an array.`,
- `Fix ${policyPath} so tools.entries is an array.`,
- ),
- ];
- }
 const postureFinding = toolPosturePolicyShapeFinding(policy.tools, {
 policyDocName,
 policyPath,
@@ -2568,12 +2548,10 @@ function toolPosturePolicyShapeFinding(
 "alsoAllow",
 "denyTools",
 "elevated",
- "entries",
 "exec",
 "fs",
 "profiles",
 "requireMetadata",
- "settings",
 ];
 const unsupportedTopLevel = unsupportedPolicyKey(tools, allowedTopLevel);
 if (unsupportedTopLevel !== undefined) {