Split trailing prompt patterns into two categories:
- Complete prompts (user@host:~ $, PS C:\>, etc.) stop stripping
immediately — anything above is command output, not a wrapped prompt
- Fragment patterns (er$, ] $, [host:~/path...) allow continued
stripping to reassemble wrapped prompts
This prevents falsely stripping output lines that happen to end with
$ or # when a real complete prompt sits below them. Added adversarial
tests verifying correct behavior for output containing prompt-like
characters.
- Extend bracketed prompt patterns from isUnixAt to isUnix so prompts
like [W007DV9PF9-1:~/path] are recognized (CI macOS prompt format)
- Cap trailing prompt stripping at 2 non-empty lines to prevent
over-stripping legitimate output
- Add unit tests for bracketed prompt without @ format
Shell integration cannot be injected into /bin/sh, causing loss of
exit code detection. This matches the existing cmd.exe -> powershell
override pattern.
- setupRecreatingStartMarker returns IDisposable to stop marker recreation
before sending commands (prevents marker jumping on PSReadLine re-renders)
- noneExecuteStrategy waits for cursor to move past start line after sendText
before starting idle detection (prevents end marker at same line as start)
- findCommandEcho supports suffix matching for partial command echoes from
wrapped getOutput() results (shell integration ON with long commands)
- Suffix matching requires mid-word split to avoid false positives on output
that happens to be a suffix of the command (e.g. echo output)
- Integration tests: use ; separator on Windows, add && conversion test,
handle Windows exit code quirks with cmd /c
Add execPath to IRemoteAgentEnvironment so the server sends its actual
process.execPath to the client. The sandbox service now uses this instead
of hardcoding appRoot + '/node', which only works in production builds.
- Handle /usr/bin/bash (Linux) vs /bin/bash (macOS) in /tmp write test
- Handle 'Read-only file system' (Linux) vs 'Operation not permitted' (macOS)
- Add 'Read-only file system' to outputLooksSandboxBlocked heuristic
- Replace newlines with spaces (not empty) to handle terminal wrapping
- Extract outputLooksSandboxBlocked as exported function with unit tests
* Adopt new codicons version
* terminal: use terminal-secure codicon for sandboxed commands
Add per-invocation icon support to tool invocations via
`IPreparedToolInvocation.icon` and `IChatToolInvocation.icon`.
The terminal tool sets the icon to `terminal-secure` when sandbox
is active, or `terminal` otherwise. The thinking content part and
subagent content part use this icon when rendering, falling back
to the existing heuristic for tools without a registered icon.
Also removes the $(lock) theme icon prefix from sandbox invocation
messages since the icon now communicates the sandbox state.
* Fix unit test
* Review feedback
Add per-invocation icon support to tool invocations via
`IPreparedToolInvocation.icon` and `IChatToolInvocation.icon`.
The terminal tool sets the icon to `terminal-secure` when sandbox
is active, or `terminal` otherwise. The thinking content part and
subagent content part use this icon when rendering, falling back
to the existing heuristic for tools without a registered icon.
Also removes the $(lock) theme icon prefix from sandbox invocation
messages since the icon now communicates the sandbox state.
- Add bubblewrap and socat to Linux CI apt-get install
- Make sandbox test assertions platform-aware (macFileSystem vs linuxFileSystem)
- Make /etc/shells test accept both macOS and Linux first-line format
- Broaden wrapped prompt fragment regex to handle path chars (ts/testWorkspace$)
- Fix continuation pattern to match user@host:path wrapped lines
- Apply stripCommandEchoAndPrompt to getOutput() in BasicExecuteStrategy
(basic shell integration lacks reliable 133;C markers so getOutput()
can include command echo)
- Keep RichExecuteStrategy getOutput() unstripped (rich integration
has reliable markers)
* Re-register run_in_terminal tool when sandbox settings change
When the terminal sandbox setting is toggled at runtime, the
run_in_terminal tool's schema and description were not updated because
the tool data was only computed once at startup. This meant the model
never learned about requestUnsandboxedExecution when sandbox was
enabled after startup.
Fix by using a MutableDisposable to manage the tool registration and
re-registering whenever sandbox-related settings, network domains, or
trusted domains change.
Fixes#303714
* Fix race condition in run_in_terminal tool re-registration and add refresh tests
Guard _registerRunInTerminalTool against stale async resolutions using a monotonically increasing version counter. Export ChatAgentToolsContribution for testability. Add integration tests verifying tool data refreshes on config and trusted domain changes.
In CI, ^C cancellations leave stale prompt fragments before the actual
command echo line. The leading-strip loop now continues scanning past
unmatched lines until it finds the command echo, instead of breaking
on the first non-matching line.
Anchor prompt-detection regexes to specific prompt shapes instead of
broadly matching any line ending with $, #, %, or >. This prevents
stripping real command output like "100%", "<div>", or "item #".
Prevent sandbox-wrapped command lines from leaking as output when
commands produce no actual output. Adds stripCommandEchoAndPrompt()
to isolate real output from marker-based terminal buffer captures.
Also adds configurable idle poll interval and shell integration
timeout=0 support for faster test execution.
