mirror of
https://github.com/microsoft/vscode.git
synced 2026-05-25 09:50:51 +01:00
f67b297601
* Implement account policy gate for AI features

- Introduced AccountPolicyGateContribution to manage account policy state and notifications.
- Added support for "Require Approved Account" policy, restricting AI features based on account approval.
- Enhanced AccountPolicyService to handle gate state and reasons for unsatisfaction.
- Updated configuration for chat features to include policy definitions.
- Added tests to validate gate behavior under various account scenarios.

* Refactor account policy gate logic to focus on approved organizations and update related descriptions

* Add Account Policy Gate service and integrate with existing policy services

* Add account policy gate information to PolicyDiagnosticsAction

* Fix CI: layer violation, ESLint, i18n entry, policyData export

- Move ChatAccountPolicyGateActiveContext to services/policies/common to avoid services-layer import from contrib (chatContextKeys re-exports).
- Replace 'in' operator in test helper with explicit undefined check.
- Add vs/workbench/services/policies entry to i18n.resources.json.
- Append ChatDisableAIFeatures and ChatApprovedAccountOrganizations to build/lib/policies/policyData.jsonc.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add account policy settings for approved organizations and AI feature control

* Switch ChatApprovedAccountOrganizations to type:'array'

Use the platform's array-typed policy contract instead of a custom comma-separated string format. Mirrors PolicyConfiguration's existing normalisation: PolicyValue is always string|number|boolean, so array policies arrive at the policy service as JSON-stringified arrays.
- chat.contribution.ts: type:'string' -> type:'array', items:string
- accountPolicyService: simpler parser (JSON.parse + Array.isArray)
- tests: pass arrays via JSON.stringify in setupGate helper

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Don't restrict policies during policyNotResolved boot window

When the user IS signed into an approved org but account-side policy data hasn't loaded yet (policyNotResolved), skip applying restricted values. Policies with `value` callbacks naturally return undefined when policyData is null, so no account-level overrides slip through.

This eliminates:
- Transient 'Unable to write chat.disableAIFeatures' error on boot
- Flash of the gate notification that auto-dismisses seconds later
- Brief UI hide/show cycle as ChatDisableAIFeatures toggles

For stable restricted reasons (noAccount, wrongProvider, orgNotApproved) restrictions still apply immediately.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add Contact Administrator and Learn More links to gate notification

Replace the 'Don't Show Again' button with:
- 'Contact Your Administrator': informational guidance
- 'Learn More': opens enterprise docs overview page

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Show approved organizations in gate notification

Add approved org list to IAccountPolicyGateInfo so the notification can display which organizations the admin requires. Shown as a suffix like 'Approved organizations: github, microsoft.' when the list is concrete (not the wildcard '*').

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Move 'contact your administrator' from button to message text

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix: check org membership before policyData resolution

Move the org-membership check before the policyData null check in computeGateInfo.
This ensures users NOT in an approved org are restricted immediately (orgNotApproved), even while policy data is loading. The policyNotResolved reason now only applies to users who ARE in an approved org, making it safe to skip restrictions for that transient state without leaving a security gap.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Directly set chatSetupHidden context key when gate is restricted

entitlement pipeline to force chat.disableAIFeatures=true (which has timing issues in the multiplex policy service), directly toggle the chatSetupHidden context key from the gate contribution. This is the same key that drives sentiment.hidden across the entire chat UI.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Use IChatEntitlementService.setForceHidden to hide chat when gate restricted

Add setForceHidden(hidden) API to IChatEntitlementService so the gate contribution can cleanly force the hidden state without fighting with the entitlement context's own update cycle. The gate contribution calls setForceHidden(true) when restricted and setForceHidden(false) when satisfied/inactive.

Inside ChatEntitlementContext, _forceHidden is checked in withConfiguration alongside the existing chat.disableAIFeatures setting; either one forces hidden: true on the state.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix setForceHidden fallback when no ChatEntitlementContext

In Code OSS Dev (and any build without productService.defaultChatAgent), ChatEntitlementContext is never created, so setForceHidden was a no-op. Fall back to directly setting the chatSetupHidden context key when the context is unavailable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add trace logging to AccountPolicyGateContribution

Logs state, reason, and isRestricted on every gate apply so we can diagnose why setForceHidden might not be taking effect.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Gate chat view on accountPolicyGateActive context key

The chat view's `when` clause had an OR with panelParticipantRegistered that bypassed the hidden state once the Copilot extension registered. Wrap the entire condition with accountPolicyGateActive.negate() so the chat view is hidden whenever the gate is restricted, regardless of extension registration state.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Re-show notification on account swap, include account name and org list

- Track dismissal by reason+account combo so swapping to a different account (while still blocked) triggers a fresh notification.
- Show the current account name in the orgNotApproved message so the user knows which account is being evaluated.
- Format approved org list as bulleted lines for readability.
- Vary message text by reason (noAccount vs orgNotApproved).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Generalize sessions blocked overlay for account policy gate

The sessions (Agents) app now shows a full-screen blocking overlay when the account policy gate restricts access, reusing the same pattern as the existing 'agent disabled' overlay.
- SessionsPolicyBlockedOverlay now accepts ISessionsBlockedOverlayOptions with a reason enum (AgentDisabled | AccountPolicyGate) and optional account name / approved organizations
- AccountPolicyGate variant shows 'Sign-In Required' title, approved org list, contact admin text, and Sign In + Open VS Code buttons
- SessionsPolicyBlockedContribution listens to both ChatConfiguration and IAccountPolicyGateService, prioritizing agent-disabled over gate
- Added CSS for org list and footer sections
- Updated component fixture with new variants for screenshot testing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix notification formatting: use inline comma-separated org list

Notifications render as plain inline text, so the bullet-point and newline formatting was collapsing into a single unreadable line. Switch to a parenthesized comma-separated list instead.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix sessions overlay: remove workbench notification, handle gate natively

The workbench-layer AccountPolicyGateContribution (which shows a notification toast) was imported in sessions.common.main.ts, causing a notification to appear instead of the full-screen blocking overlay.

- Remove accountPolicyGate.contribution.js import from sessions
- SessionsPolicyBlockedContribution now handles context key, setForceHidden, and telemetry directly (same as the workbench contribution, but with an overlay instead of a notification)
- Overlay properly recreates on account changes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Defer notification until account service has settled

On startup, computeGateInfo fires with reason=noAccount before the default account service has loaded the persisted session. This caused the notification to show 'Sign in...' even when the user was already signed in but the account just hadn't loaded yet.
Fix: set context key + setForceHidden immediately (fail-closed), but defer the notification until the first onDidChangeGateInfo event, which fires after the account service has had time to resolve. A 5-second fallback timer ensures the notification still appears if the gate never transitions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix gate stuck on noAccount: re-evaluate after account init barrier

DefaultAccountService.setDefaultAccountProvider sets currentDefaultAccount via provider.refresh() but does NOT fire onDidChangeDefaultAccount for the initial load. This caused computeGateInfo() to permanently stay on noAccount even though the user was signed in.

Fix: await getDefaultAccount() (which waits for the init barrier) then re-evaluate the gate. This ensures the gate transitions from noAccount to the correct state once the persisted session loads.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add 'Sign into an approved GitHub account' to notification messages

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Regenerate policyData.jsonc to match array type for ChatApprovedAccountOrganizations

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Remove ChatDisableAIFeatures policy registration

This policy was dead code; enforcement is handled by setForceHidden and the accountPolicyGateActive context key, not the policy pipeline. Regenerated policyData.jsonc.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address code review: fix duplicate IPC, remove unused import

- Remove duplicate updatePolicyDefinitions call on managed policy service. AccountPolicyService now uses a read-only reference (managedPolicyReader) for getPolicyValue/onDidChange only. MultiplexPolicyService handles pushing definitions to all child services.
  (Reviews #1 & #4)
- Remove unused Emitter import and void workaround in test file (Review #2)
- Removed the fail-closed try/catch that was guarding the now-removed updatePolicyDefinitions call (Review #3: the duplicate call that could fail-open is gone entirely)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Remove JSDoc from currentDefaultAccount interface addition

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Revert sessions overlay changes, will revisit approach

Reverts all changes to the sessions (Agents) policyBlocked overlay, CSS, fixture, and contribution. Re-adds the workbench-layer accountPolicyGate.contribution import so sessions still gets the notification + context key + telemetry.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Restore sessions overlay with loading state for transient restrictions

Bring back the generalized sessions overlay with three states:
- AgentDisabled: existing 'Agents Disabled' message (unchanged)
- Loading: just the logo + animated progress bar for transient states (noAccount before account loads, policyNotResolved) blocks the UI without showing an incorrect message
- AccountPolicyGate: 'Sign-In Required' with sign-in button, org list, and contact admin footer for stable restrictions (orgNotApproved, wrongProvider)

The loading state uses the same progress bar animation as the welcome/walkthrough overlay. This avoids the flash of 'Agents Disabled' that appeared during the fail-closed transient window when the user IS actually in an approved org.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Don't show overlay for noAccount/wrongProvider, let welcome screen handle sign-in

When the user hasn't signed in yet (noAccount) or is signed into the wrong provider (wrongProvider), the sessions welcome/walkthrough screen already handles the sign-in flow. Showing our 'Agents Disabled' or loading overlay on top would block the user from signing in.
Only show the overlay for:
- orgNotApproved: user signed in but wrong org (stable restriction)
- policyNotResolved: loading bar while waiting for policy data

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Remove 'Open VS Code' button from account policy gate overlay

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix: don't show 'Agents Disabled' when gate is forcing restrictedValue

When the account policy gate is active, it forces chat.agent.enabled to false via restrictedValue. The overlay was checking that config first and incorrectly showing 'Agents Disabled'. Now we skip the agent-disabled check when the gate is active, since the value is being artificially restricted by our own gate, not by an admin explicitly disabling agents.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Defer all stable gate-blocked states to welcome screen

When the account policy gate is unsatisfied for any user-actionable reason (noAccount, wrongProvider, orgNotApproved), don't show the policy-blocked overlay. Instead, defer to the sessions welcome/walkthrough screen so the user can sign in or switch accounts via the standard sign-in flow.

The Loading overlay is still shown during the transient PolicyNotResolved state to prevent flashing the welcome screen while data is in flight.

Removes the now-dead AccountPolicyGate overlay variant and its supporting code (organizations list, footer styles, fixtures).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Show AccountPolicyGate overlay for orgNotApproved only

When the user is definitively signed into a non-approved org, show the custom Sign-In Required overlay with org list and switch-account button. noAccount/wrongProvider still defer to the welcome screen. PolicyNotResolved still shows the loading bar.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix boot-race test to match managed policy reader pattern

The test was relying on AccountPolicyService calling updatePolicyDefinitions on the managed service, but that no longer happens (the MultiplexPolicyService handles it). Updated the test to explicitly seed the managed service and Restricted after seeding.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback

- Fix setForceHidden signature in test mocks to match interface
- Include approvedOrganizations in gateInfoChanged detection
- Replace raw setTimeout with disposableTimeout for proper cleanup
- Fix AgentDisabled overlay: suppress only when gate forces the value, not when gate is merely active (handles Satisfied+AgentDisabled case)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Polish ChatApprovedAccountOrganizations policy description

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Trim self-explanatory comments

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
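
The evaluation order this commit message describes (org membership decided before the policyData check, with restrictions skipped only for policyNotResolved), as an added TypeScript sketch that is not code from the VS Code repository. The type names, `parseApprovedOrgs`, `computeGate`, the `applyRestrictions` field, the `github` provider id, and the handling of `'*'` and of malformed values are assumptions; only the four reason names come from the message.

```typescript
// Added sketch: everything except the reason names quoted in the commit message is hypothetical.
type GateReason = 'noAccount' | 'wrongProvider' | 'orgNotApproved' | 'policyNotResolved';

interface GateInfo {
	state: 'inactive' | 'satisfied' | 'restricted';
	reason?: GateReason;
	applyRestrictions: boolean; // whether restricted values are enforced right now
}

interface Account {
	provider: string;
	organizations: string[];
	policyData: object | null; // null while account-side policy data is still loading
}

// Array policies arrive as JSON-stringified arrays (PolicyValue is string | number | boolean).
function parseApprovedOrgs(raw: string | number | boolean | undefined): string[] {
	if (typeof raw !== 'string') { return []; }
	try {
		const parsed: unknown = JSON.parse(raw);
		return Array.isArray(parsed) ? parsed.filter((v): v is string => typeof v === 'string') : [];
	} catch (_e) {
		return []; // assumption of this sketch: a malformed value is treated as unset
	}
}

function computeGate(rawPolicy: string | undefined, account: Account | undefined, provider = 'github'): GateInfo {
	const approved = parseApprovedOrgs(rawPolicy);
	if (approved.length === 0) { return { state: 'inactive', applyRestrictions: false }; }
	const restricted = (reason: GateReason, applyRestrictions = true): GateInfo =>
		({ state: 'restricted', reason, applyRestrictions });

	if (!account) { return restricted('noAccount'); }
	if (account.provider !== provider) { return restricted('wrongProvider'); }

	// Org membership is decided BEFORE looking at policyData, so a user outside the
	// approved orgs is restricted immediately, even while policy data is loading.
	const inApprovedOrg = approved.indexOf('*') !== -1 // assumption: '*' accepts any org
		|| account.organizations.some(org => approved.indexOf(org) !== -1);
	if (!inApprovedOrg) { return restricted('orgNotApproved'); }

	// Only an approved-org user can reach this transient state, so skipping enforcement is safe.
	if (account.policyData === null) { return restricted('policyNotResolved', false); }
	return { state: 'satisfied', applyRestrictions: false };
}
```

The commit message does not say how a malformed policy value is handled; a deployment that treats it as unset, as this sketch does, leaves the gate inactive for that case.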