* fix: remove escapeMarkdownSyntaxTokens from terminal command labels
Fixes#303844
The command text in ChatTerminalThinkingCollapsibleWrapper was being
escaped with escapeMarkdownSyntaxTokens(), which adds backslashes before
chars like - * # etc. This is unnecessary because the text is always
rendered inside markdown code spans or via .textContent, both of which
treat content as literal.
Also adds a component fixture for the terminal collapsible wrapper to
enable visual regression testing of command label rendering.
* fix: use DOM nodes instead of MarkdownString for sandbox command labels
Addresses review feedback: commands containing backticks (common in
PowerShell) would break the inline-code markdown spans. Now both
sandbox and non-sandbox paths use text nodes + <code> elements with
.textContent, which is always safe for arbitrary command text.
Also adds fixture cases for backtick-containing commands to catch
this class of issue.
* fix: remove colons from fixture names to fix CI artifact paths
* add screenshot baselines for terminal collapsible fixtures
* fix: exclude sandbox analyzer when sandbox rewriting is disabled
When `ConfirmTerminalCommandTool` (used by CLI for
`vscode_get_terminal_confirmation`) disables sandbox command rewriting
via `_enableCommandLineSandboxRewriting = false`, the
`CommandLineSandboxAnalyzer` was still active and returning
`forceAutoApproval: true`. This caused the confirmation to be skipped
even though the command would not actually be sandboxed.
Guard `CommandLineSandboxAnalyzer` with the same
`_enableCommandLineSandboxRewriting` check that already guards
`CommandLineSandboxRewriter`.
Fixesmicrosoft/vscode-internalbacklog#7187
* update doc comment for _enableCommandLineSandboxRewriting
* clarify test name per review feedback
* fix: strip command echo and prompt from terminal output (#303531)
Prevent sandbox-wrapped command lines from leaking as output when
commands produce no actual output. Adds stripCommandEchoAndPrompt()
to isolate real output from marker-based terminal buffer captures.
Also adds configurable idle poll interval and shell integration
timeout=0 support for faster test execution.
* Fix compilation errors
* fix: tighten trailing prompt stripping to avoid dropping legitimate output
Anchor prompt-detection regexes to specific prompt shapes instead of
broadly matching any line ending with $, #, %, or >. This prevents
stripping real command output like "100%", "<div>", or "item #".
* Review feedback
* fix: skip stale prompt fragments before command echo in stripping
In CI, ^C cancellations leave stale prompt fragments before the actual
command echo line. The leading-strip loop now continues scanning past
unmatched lines until it finds the command echo, instead of breaking
on the first non-matching line.
* fix: handle macOS CI prompt format and add stripping to rich strategy
- Add trailing prompt patterns for hostname:path user$ (no @ sign)
- Handle wrapped prompt fragments like "er$" at line boundaries
- Add stripCommandEchoAndPrompt to RichExecuteStrategy marker fallback
- Context-aware wrapped prompt continuation detection
* fix: Linux CI sandbox prereqs, platform-aware tests, broader prompt stripping
- Add bubblewrap and socat to Linux CI apt-get install
- Make sandbox test assertions platform-aware (macFileSystem vs linuxFileSystem)
- Make /etc/shells test accept both macOS and Linux first-line format
- Broaden wrapped prompt fragment regex to handle path chars (ts/testWorkspace$)
- Fix continuation pattern to match user@host:path wrapped lines
- Apply stripCommandEchoAndPrompt to getOutput() in BasicExecuteStrategy
(basic shell integration lacks reliable 133;C markers so getOutput()
can include command echo)
- Keep RichExecuteStrategy getOutput() unstripped (rich integration
has reliable markers)
* fix: detect sandbox failures heuristically when exit code is unavailable
* Relax some tests when shell integration is off
* refactor: extract findCommandEcho and use prompt evidence to narrow trailing prompt regex matching
* Cover case where the command is duplicated in `stripCommandEchoAndPrompt`
* Fix sandbox tests for Linux: handle different shell path and error message
- Handle /usr/bin/bash (Linux) vs /bin/bash (macOS) in /tmp write test
- Handle 'Read-only file system' (Linux) vs 'Operation not permitted' (macOS)
- Add 'Read-only file system' to outputLooksSandboxBlocked heuristic
- Replace newlines with spaces (not empty) to handle terminal wrapping
- Extract outputLooksSandboxBlocked as exported function with unit tests
* Fix slash history test
* Fix sandbox execPath resolution for remote environments
Add execPath to IRemoteAgentEnvironment so the server sends its actual
process.execPath to the client. The sandbox service now uses this instead
of hardcoding appRoot + '/node', which only works in production builds.
* Fix terminal output capture: prevent premature idle detection and handle partial command echoes
- setupRecreatingStartMarker returns IDisposable to stop marker recreation
before sending commands (prevents marker jumping on PSReadLine re-renders)
- noneExecuteStrategy waits for cursor to move past start line after sendText
before starting idle detection (prevents end marker at same line as start)
- findCommandEcho supports suffix matching for partial command echoes from
wrapped getOutput() results (shell integration ON with long commands)
- Suffix matching requires mid-word split to avoid false positives on output
that happens to be a suffix of the command (e.g. echo output)
- Integration tests: use ; separator on Windows, add && conversion test,
handle Windows exit code quirks with cmd /c
* Fix mock in unit test
* Address PR feedback: logging, performance, timeout, and docs
- Strip sensitive data from debug logs (log metadata only)
- Use array join instead of O(n^2) string concat in stripNewLinesAndBuildMapping
- Add 5s timeout to cursor-move wait to prevent indefinite hangs
- Align shellIntegrationTimeout descriptions (0 = skip the wait)
* Install bubblewrap and socat in Linux CI pipelines
These are required for terminal sandbox integration tests.
* Force /bin/bash over /bin/sh for copilot terminal profile
Shell integration cannot be injected into /bin/sh, causing loss of
exit code detection. This matches the existing cmd.exe -> powershell
override pattern.
* Fix bracketed prompt without @ and cap trailing prompt stripping at 2 lines
- Extend bracketed prompt patterns from isUnixAt to isUnix so prompts
like [W007DV9PF9-1:~/path] are recognized (CI macOS prompt format)
- Cap trailing prompt stripping at 2 non-empty lines to prevent
over-stripping legitimate output
- Add unit tests for bracketed prompt without @ format
* Distinguish complete vs fragment prompts to prevent false stripping
Split trailing prompt patterns into two categories:
- Complete prompts (user@host:~ $, PS C:\>, etc.) stop stripping
immediately — anything above is command output, not a wrapped prompt
- Fragment patterns (er$, ] $, [host:~/path...) allow continued
stripping to reassemble wrapped prompts
This prevents falsely stripping output lines that happen to end with
$ or # when a real complete prompt sits below them. Added adversarial
tests verifying correct behavior for output containing prompt-like
characters.
* Attempt to cover up the `run_in_terminal` tool not being registered quickly
Split trailing prompt patterns into two categories:
- Complete prompts (user@host:~ $, PS C:\>, etc.) stop stripping
immediately — anything above is command output, not a wrapped prompt
- Fragment patterns (er$, ] $, [host:~/path...) allow continued
stripping to reassemble wrapped prompts
This prevents falsely stripping output lines that happen to end with
$ or # when a real complete prompt sits below them. Added adversarial
tests verifying correct behavior for output containing prompt-like
characters.
- Extend bracketed prompt patterns from isUnixAt to isUnix so prompts
like [W007DV9PF9-1:~/path] are recognized (CI macOS prompt format)
- Cap trailing prompt stripping at 2 non-empty lines to prevent
over-stripping legitimate output
- Add unit tests for bracketed prompt without @ format
Shell integration cannot be injected into /bin/sh, causing loss of
exit code detection. This matches the existing cmd.exe -> powershell
override pattern.
- setupRecreatingStartMarker returns IDisposable to stop marker recreation
before sending commands (prevents marker jumping on PSReadLine re-renders)
- noneExecuteStrategy waits for cursor to move past start line after sendText
before starting idle detection (prevents end marker at same line as start)
- findCommandEcho supports suffix matching for partial command echoes from
wrapped getOutput() results (shell integration ON with long commands)
- Suffix matching requires mid-word split to avoid false positives on output
that happens to be a suffix of the command (e.g. echo output)
- Integration tests: use ; separator on Windows, add && conversion test,
handle Windows exit code quirks with cmd /c
Add execPath to IRemoteAgentEnvironment so the server sends its actual
process.execPath to the client. The sandbox service now uses this instead
of hardcoding appRoot + '/node', which only works in production builds.
- Handle /usr/bin/bash (Linux) vs /bin/bash (macOS) in /tmp write test
- Handle 'Read-only file system' (Linux) vs 'Operation not permitted' (macOS)
- Add 'Read-only file system' to outputLooksSandboxBlocked heuristic
- Replace newlines with spaces (not empty) to handle terminal wrapping
- Extract outputLooksSandboxBlocked as exported function with unit tests
* Adopt new codicons version
* terminal: use terminal-secure codicon for sandboxed commands
Add per-invocation icon support to tool invocations via
`IPreparedToolInvocation.icon` and `IChatToolInvocation.icon`.
The terminal tool sets the icon to `terminal-secure` when sandbox
is active, or `terminal` otherwise. The thinking content part and
subagent content part use this icon when rendering, falling back
to the existing heuristic for tools without a registered icon.
Also removes the $(lock) theme icon prefix from sandbox invocation
messages since the icon now communicates the sandbox state.
* Fix unit test
* Review feedback
Add per-invocation icon support to tool invocations via
`IPreparedToolInvocation.icon` and `IChatToolInvocation.icon`.
The terminal tool sets the icon to `terminal-secure` when sandbox
is active, or `terminal` otherwise. The thinking content part and
subagent content part use this icon when rendering, falling back
to the existing heuristic for tools without a registered icon.
Also removes the $(lock) theme icon prefix from sandbox invocation
messages since the icon now communicates the sandbox state.
- Add bubblewrap and socat to Linux CI apt-get install
- Make sandbox test assertions platform-aware (macFileSystem vs linuxFileSystem)
- Make /etc/shells test accept both macOS and Linux first-line format
- Broaden wrapped prompt fragment regex to handle path chars (ts/testWorkspace$)
- Fix continuation pattern to match user@host:path wrapped lines
- Apply stripCommandEchoAndPrompt to getOutput() in BasicExecuteStrategy
(basic shell integration lacks reliable 133;C markers so getOutput()
can include command echo)
- Keep RichExecuteStrategy getOutput() unstripped (rich integration
has reliable markers)
* Re-register run_in_terminal tool when sandbox settings change
When the terminal sandbox setting is toggled at runtime, the
run_in_terminal tool's schema and description were not updated because
the tool data was only computed once at startup. This meant the model
never learned about requestUnsandboxedExecution when sandbox was
enabled after startup.
Fix by using a MutableDisposable to manage the tool registration and
re-registering whenever sandbox-related settings, network domains, or
trusted domains change.
Fixes#303714
* Fix race condition in run_in_terminal tool re-registration and add refresh tests
Guard _registerRunInTerminalTool against stale async resolutions using a monotonically increasing version counter. Export ChatAgentToolsContribution for testability. Add integration tests verifying tool data refreshes on config and trusted domain changes.
In CI, ^C cancellations leave stale prompt fragments before the actual
command echo line. The leading-strip loop now continues scanning past
unmatched lines until it finds the command echo, instead of breaking
on the first non-matching line.
Anchor prompt-detection regexes to specific prompt shapes instead of
broadly matching any line ending with $, #, %, or >. This prevents
stripping real command output like "100%", "<div>", or "item #".
Prevent sandbox-wrapped command lines from leaking as output when
commands produce no actual output. Adds stripCommandEchoAndPrompt()
to isolate real output from marker-based terminal buffer captures.
Also adds configurable idle poll interval and shell integration
timeout=0 support for faster test execution.
