Skip to content

Add sandbox unsandboxed auto-approval setting#315410

Merged
dileepyavan merged 4 commits into
microsoft:mainfrom
dileepyavan:DileepY/313210
May 11, 2026
Merged

Add sandbox unsandboxed auto-approval setting#315410
dileepyavan merged 4 commits into
microsoft:mainfrom
dileepyavan:DileepY/313210

Conversation

@dileepyavan
Copy link
Copy Markdown
Member

@dileepyavan dileepyavan commented May 9, 2026
edited
Loading

fixes #313210

Summary

Adds a dedicated setting for auto-approving agent terminal commands that run outside the sandbox and wires the sandbox settings together across command preparation, sandbox wrapping, automatic retry, and tests.

This change makes the terminal sandbox approval behavior explicit for three related controls:

chat.agent.sandbox.allowUnsandboxedCommands

  • Setting ID: AgentSandboxSettingId.AgentSandboxAllowUnsandboxedCommands
  • Default: true
  • What it does: Controls whether agent mode terminal commands may run outside the sandbox after user confirmation when the model explicitly requests unsandboxed execution or when sandbox restrictions would otherwise block the command, such as blocked network domains.
  • When enabled: Explicit unsandboxed execution requests and blocked-domain fallback commands can be rewritten to run outside the sandbox, subject to confirmation unless another setting auto-approves them.
  • When disabled: Explicit unsandboxed execution requests are ignored and commands remain sandboxed. Blocked-domain commands also stay sandboxed and do not trigger the unsandboxed fallback confirmation flow.

chat.agent.sandbox.autoApproveUnsandboxedCommands

  • Setting ID: AgentSandboxSettingId.AgentSandboxAutoApproveUnsandboxedCommands
  • Default: false
  • What it does: Controls whether agent terminal commands that run outside the sandbox are auto-approved.
  • Activation requirements: This only applies when sandboxing is enabled and chat.agent.sandbox.allowUnsandboxedCommands is also enabled.
  • When enabled: Explicit unsandboxed execution requests, blocked-domain unsandboxed fallbacks, and automatic unsandboxed retries can proceed without showing the user confirmation/elicitation prompt.
  • When disabled: Commands that leave the sandbox continue to use the existing confirmation flow.

chat.agent.sandbox.allowAutoApprove

  • Setting ID: AgentSandboxSettingId.AgentSandboxAllowAutoApprove
  • Default: true
  • What it does: Controls whether agent terminal commands that stay inside the sandbox are auto-approved.
  • When enabled: Sandbox-wrapped terminal commands can bypass the normal terminal approval prompt because they remain constrained by the sandbox.
  • When disabled: Sandbox-wrapped commands fall back to the existing terminal approval flow and normal terminal auto-approval rules.

Implementation details

  • Adds the new AgentSandboxAutoApproveUnsandboxedCommands setting ID and contributes its configuration schema and policy metadata.
  • Exports the new setting through terminal contrib setting exports.
  • Gates explicit unsandboxed execution and blocked-domain unsandboxed fallback on chat.agent.sandbox.allowUnsandboxedCommands.
  • Adds auto-approval behavior for commands leaving the sandbox when chat.agent.sandbox.autoApproveUnsandboxedCommands is enabled.
  • Applies the unsandboxed auto-approval setting to automatic retry outside the sandbox so retry elicitations can be skipped when configured.
  • Keeps sandboxed-command auto-approval controlled separately by chat.agent.sandbox.allowAutoApprove.

Tests

  • Added/updated terminal tool coverage for:
    • not retrying outside the sandbox when unsandboxed commands are disabled
    • auto-retrying without elicitation when unsandboxed command auto-approval is enabled
    • ignoring explicit unsandboxed execution requests when unsandboxed commands are disabled
    • auto-approving explicit unsandboxed execution requests when unsandboxed auto-approval is enabled
    • auto-approving blocked-domain unsandboxed fallback when unsandboxed auto-approval is enabled
    • auto-approving sandboxed commands when sandbox auto-approval is enabled
    • using the existing approval flow when sandbox auto-approval is disabled
  • Added sandbox service coverage for keeping explicit unsandbox requests and blocked-domain commands sandboxed when unsandboxed commands are disabled.

Validation

  • npm run transpile-client

Copilot AI review requested due to automatic review settings May 9, 2026 00:30
@dileepyavan dileepyavan requested review from alexdima and chrmarti May 9, 2026 00:32
Copilot AI reviewed May 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds explicit configuration for whether agent terminal commands may leave the sandbox and whether sandboxed/unsandboxed commands can be auto-approved, wiring those settings through command preparation, sandbox wrapping, auto-retry behavior, and tests.

Changes:

  • Introduces new sandbox settings for allowing unsandboxed commands and for auto-approving sandboxed vs unsandboxed executions.
  • Updates run_in_terminal to respect the new settings across explicit unsandbox requests, blocked-domain fallbacks, and automatic unsandbox retries.
  • Expands unit tests for both the tool and the sandbox service to validate the new configuration combinations.
Show a summary per file
File Description
src/vs/workbench/contrib/terminalContrib/chatAgentTools/test/electron-browser/runInTerminalTool.test.ts Adds coverage for unsandbox gating and separate auto-approval behavior for sandboxed vs unsandboxed runs and retries.
src/vs/workbench/contrib/terminalContrib/chatAgentTools/test/browser/terminalSandboxService.test.ts Verifies sandbox wrapping stays enforced when unsandboxed commands are disabled (explicit requests and blocked-domain cases).
src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalSandboxService.ts Gates unsandboxed fallback behavior on the new “allow unsandboxed commands” setting.
src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalChatAgentToolsConfiguration.ts Contributes configuration schema + policy metadata for the new sandbox settings.
src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts Applies the new settings to auto-approval decisions and to automatic unsandbox retry elicitation.
src/vs/workbench/contrib/terminal/terminalContribExports.ts Exposes the new sandbox setting IDs via terminal contrib exports.
src/vs/platform/sandbox/common/settings.ts Defines new AgentSandboxSettingId values for the added settings.

Copilot's findings

  • Files reviewed: 7/7 changed files
  • Comments generated: 2

Comment thread src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts
Comment thread src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalSandboxService.ts Outdated
dileepyavan and others added 2 commits May 8, 2026 17:46
@dileepyavan
Potential fix for pull request finding
b4e1f68 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@dileepyavan
Update sandbox policy data
453b510
@austindyoung austindyoung mentioned this pull request May 9, 2026
Open
@dileepyavan dileepyavan requested a review from alexdima as a code owner May 11, 2026 05:28
@dileepyavan dileepyavan enabled auto-merge (squash) May 11, 2026 05:29
@dileepyavan dileepyavan merged commit 8ead54a into microsoft:main May 11, 2026
25 checks passed
@vs-code-engineering vs-code-engineering Bot added this to the 1.121.0 milestone May 11, 2026
@dileepyavan dileepyavan mentioned this pull request May 11, 2026
Merged
Copilot AI pushed a commit that referenced this pull request May 11, 2026
@dileepyavan
Add sandbox unsandboxed auto-approval setting (#315410)
9667880 
* Add sandbox unsandboxed auto-approval setting

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Update sandbox policy data

* Reject disabled unsandboxed terminal requests

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
(cherry picked from commit 8ead54a)

Co-authored-by: dileepyavan <52841896+dileepyavan@users.noreply.github.com>
dileepyavan added a commit that referenced this pull request May 11, 2026
@dileepyavan
[cherry-pick] Add sandbox unsandboxed auto-approval setting (#315410) (
f611483 
…#315848)

Add sandbox unsandboxed auto-approval setting (#315410)

* Add sandbox unsandboxed auto-approval setting

* Potential fix for pull request finding



* Update sandbox policy data

* Reject disabled unsandboxed terminal requests

---------


(cherry picked from commit 8ead54a)

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pwang347 pwang347 pwang347 approved these changes

@joshspicer joshspicer Awaiting requested review from joshspicer joshspicer is a code owner

@rebornix rebornix Awaiting requested review from rebornix rebornix is a code owner

@joaomoreno joaomoreno Awaiting requested review from joaomoreno joaomoreno is a code owner

@sandy081 sandy081 Awaiting requested review from sandy081 sandy081 is a code owner

@alexdima alexdima Awaiting requested review from alexdima alexdima is a code owner

Assignees

@dileepyavan dileepyavan

Labels

None yet

Projects

None yet

Milestone

1.121.0

Development

Successfully merging this pull request may close these issues.

Copilot easily breaking out of sandbox mode

3 participants

@dileepyavan @pwang347