agentHost: respect workspace trust #322196
Draft
roblourens wants to merge 3 commits into
Prevent untrusted windows from communicating with the local Agent Host while still allowing the process to start. Require folder trust before creating or sending Agent Host sessions, including remote Agent Host workspaces, and prompt instead of silently trusting folders. (Written by Copilot) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR integrates VS Code’s workspace trust model into Agent Host flows, aiming to prevent untrusted workspaces from initiating or using Agent Host sessions/connections while still allowing the local Agent Host infrastructure to exist independently.
Changes:
- Introduces a shared `AgentHostWorkspaceTrust` helper and uses it to require/prompt trust before creating sessions and sending requests (editor + Agents window paths).
- Gates local Agent Host surfacing/registration and terminal integration based on workspace trust.
- Marks remote Agent Host workspaces as trust-required and updates/extends tests accordingly.
| File | Description |
|---|---|
| src/vs/workbench/contrib/chat/test/browser/agentSessions/agentHostTerminalContribution.test.ts | Stubs workspace trust service for terminal contribution tests. |
| src/vs/workbench/contrib/chat/test/browser/agentSessions/agentHostChatContribution.test.ts | Stubs trust management/request services for chat contribution tests. |
| src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostWorkspaceTrust.ts | New helper to check/prompt/require trust for Agent Host-backed URIs. |
| src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostTerminalContribution.ts | Disables Agent Host terminal integration when workspace is untrusted. |
| src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostSessionHandler.ts | Requires trust before creating new Agent Host sessions (when a working directory is present). |
| src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostChatContribution.ts | Clears/blocks local agent registrations when workspace trust is revoked; prevents activation while untrusted. |
| src/vs/sessions/contrib/workspace/browser/workspaceFolderManagement.ts | Prompts for trust instead of silently trusting folders for trust-required workspaces. |
| src/vs/sessions/contrib/providers/remoteAgentHost/test/browser/remoteAgentHostSessionsProvider.test.ts | Adds coverage ensuring remote sends prompt/require trust for the underlying folder. |
| src/vs/sessions/contrib/providers/remoteAgentHost/browser/remoteAgentHostSessionsProvider.ts | Marks remote Agent Host workspaces as requiresWorkspaceTrust: true. |
| src/vs/sessions/contrib/providers/agentHost/test/browser/localAgentHostSessionsProvider.test.ts | Adds tests for untrusted workspace behavior and trust-gated sends. |
| src/vs/sessions/contrib/providers/agentHost/browser/localAgentHostSessionsProvider.ts | Stops exposing/using the local Agent Host connection while untrusted; clears root-state-derived surfaces. |
| src/vs/sessions/contrib/providers/agentHost/browser/baseAgentHostSessionsProvider.ts | Introduces trust gating for new session backend start + requires trust before send for new sessions. |
| src/vs/sessions/contrib/chat/browser/newChatWidget.ts | Reuses the shared trust prompt message for folder trust requests. |
| src/vs/platform/agentHost/electron-browser/localAgentHostService.ts | Makes the renderer-side local Agent Host MessagePort connection conditional on workspace trust and refactors proxy forwarding accordingly. |
Copilot's findings
- Files reviewed: 14/14 changed files
- Comments generated: 4
Respond to Copilot review feedback by resyncing the local renderer connection when the agent host setting changes, reporting disabled and untrusted states distinctly, and dropping in-flight local connections if trust changes before connection publication. (Written by Copilot) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Resolve current main conflicts after upstream Agent Host session-list changes and keep the local Agent Host workspace-trust gating intact. (Written by Copilot) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
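The gating pattern the review and follow-up commits describe (no connection while untrusted, distinct disabled and untrusted states, and dropping an in-flight connection if trust changes before it is published) can be sketched as follows. This is an added example, not code from the pull request or from VS Code: `Port`, `GateState`, `TrustGatedConnection` and the simulated port opener are hypothetical names.

```typescript
// Added example: every name here is hypothetical, not a VS Code service.
type Port = { id: number; closed: boolean };
type GateState = 'disabled' | 'untrusted' | 'connecting' | 'connected';
class TrustGatedConnection {
  private trusted = false;
  private enabled = true;
  private wanted = false;
  private generation = 0; // bumped whenever the gate flips
  private published: Port | undefined;
  private openPort: (done: (p: Port) => void) => void;
  constructor(openPort: (done: (p: Port) => void) => void) { this.openPort = openPort; }
  get state(): GateState {
    if (!this.enabled || !this.trusted) { return this.enabled ? 'untrusted' : 'disabled'; }
    return this.published ? 'connected' : 'connecting';
  }
  setTrusted(v: boolean): void { this.trusted = v; this.resync(); }
  setEnabled(v: boolean): void { this.enabled = v; this.resync(); }
  private resync(): void {
    const want = this.enabled && this.trusted;
    if (want === this.wanted) { return; }
    this.wanted = want;
    const gen = ++this.generation; // invalidates any in-flight connect
    if (this.published) { this.published.closed = true; this.published = undefined; }
    if (!want) { return; }
    this.openPort(port => {
      // Re-check at publication time: trust or the setting may have changed.
      if (gen !== this.generation) { port.closed = true; return; }
      this.published = port;
    });
  }
  send(msg: string): string {
    if (!this.published) { throw new Error(`agent host unavailable: ${this.state}`); }
    return `port${this.published.id}:${msg}`;
  }
}
function demo(): string[] {
  const opens: Array<(p: Port) => void> = [];
  const ports: Port[] = [];
  const gate = new TrustGatedConnection(done => opens.push(done));
  const finishOpen = () => { ports.push({ id: ports.length + 1, closed: false }); opens.shift()!(ports[ports.length - 1]); };
  const log: string[] = [gate.state];
  gate.setTrusted(true); gate.setTrusted(false); finishOpen(); // revoked mid-connect: stale port is closed
  log.push(`${gate.state} stale-closed=${ports[0].closed}`);
  gate.setTrusted(true); finishOpen();
  log.push(`${gate.state} ${gate.send('ping')}`);
  gate.setEnabled(false); // setting off is reported distinctly from untrusted
  log.push(`${gate.state} closed=${ports[1].closed}`);
  return log;
}
```

The generation counter is what closes the check-then-publish window: a trust check made only before the asynchronous connect starts would still publish the stale port.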
Summary
Validation
(Written by Copilot)