Terminal sandbox bypasses approval rules; cannot enforce command restrictions #314996

@gevalo1

Summary

When chat.agent.sandbox.enabled is enabled, terminal commands can execute without any approval prompt, even when:

  • chat.tools.terminal.autoApprove contains explicit deny rules

This makes it impossible to enforce “always require approval” or “never run” semantics for specific commands. Even when running in a sandbox, I still want to have some control over when (or not at all) the agent can run certain commands.


Repro steps

Use the following settings:

    {
        "chat.agent.sandbox.enabled": true,
        "chat.tools.terminal.enableAutoApprove": true,
        "chat.tools.terminal.autoApprove": {
            "/.*/": false,
            "terraform": false
        }
    }

Then let the agent execute some Terraform commands.
Without sandbox, it would ask for approval; with sandbox it does not need to ask for approval. Assuming auth/... is already set up, this could have serious consequences if the agent wants to test changes by running Terraform automatically.


Actual behavior

  • Commands execute without any approval prompt
  • Logs show that rules are evaluated, e.g.:
    • Command 'terraform state list' is denied by deny list rule: terraform
  • Despite this, the command still runs without confirmation

Expected behavior

Users should be able to enforce that certain commands are never executed without explicit approval, regardless of sandbox mode.

At minimum, rules with value false should guarantee that a command is not executed silently.


Problem

Currently there is no way to express:

“Even in sandbox mode, these commands must not run without approval (or must not run at all).”

The autoApprove setting behaves like a policy system, but in sandbox mode it's ignored.

This makes it difficult to combine:

  • sandboxing (for isolation)
  • explicit safety constraints (for control)

Suggested improvements

1) Decouple sandbox from approval rules

Provide a setting to enforce approval rules even in sandbox mode, for example:

    "chat.agent.sandbox.enforceApprovalRules": true

This would allow:

  • sandbox + silent execution (current behavior)
  • sandbox + enforced approval (opt-in)

2) Add explicit “deny” semantics (no execution)

Introduce a way to mark commands as never executable, not just “require approval”, for example:

    "chat.tools.terminal.blockedCommands": [
        "terraform",
        "kubectl",
        "..."
    ]

Or something that's more granular and with regex support.

This would:

  • prevent execution entirely (even with sandbox)
  • provide stronger guarantees than the current autoApprove: false behavior
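To make the semantics of the two suggestions concrete, here is an added example (not VS Code's code and not part of the original issue) that models the decision an approval layer would make for one command: run silently, ask the user, or block. It assumes a simplified reading of chat.tools.terminal.autoApprove (boolean values only; "/regex/" keys match the whole command line, plain keys match the command name; deny rules take precedence over allow rules), and it treats enforceApprovalRules and blockedCommands as the hypothetical settings proposed above, not as real settings. The first configuration in reproduce() models the behaviour reported in this issue; the other three show what the proposals would change.

```typescript
// Added example, not VS Code's implementation. Models the run / ask / block
// decision for one terminal command under the settings discussed in the issue.
// Assumptions: autoApprove keys are "/regex/" (matched against the whole command
// line) or a command name (matched against the first word); deny (false) rules
// win over allow (true) rules; enforceApprovalRules and blockedCommands are the
// hypothetical settings proposed in the issue, not real VS Code settings.

type AutoApproveRules = Record<string, boolean>;

interface TerminalPolicy {
  sandboxEnabled: boolean;        // chat.agent.sandbox.enabled
  autoApprove: AutoApproveRules;  // chat.tools.terminal.autoApprove (boolean form only)
  enforceApprovalRules?: boolean; // hypothetical chat.agent.sandbox.enforceApprovalRules
  blockedCommands?: string[];     // hypothetical chat.tools.terminal.blockedCommands
}

type Decision = 'run' | 'ask' | 'block';

interface Verdict {
  decision: Decision;
  reason: string;
}

function isRegexKey(key: string): boolean {
  return key.length >= 2 && key.startsWith('/') && key.endsWith('/');
}

function commandName(commandLine: string): string {
  return commandLine.trim().split(/\s+/)[0];
}

/** Does one rule key (regex or command name) match this command line? */
function ruleMatches(key: string, commandLine: string): boolean {
  if (isRegexKey(key)) {
    return new RegExp(key.slice(1, -1)).test(commandLine);
  }
  return commandName(commandLine) === key;
}

/** Evaluate autoApprove alone: deny wins over allow; a command-name rule is
 *  preferred over a regex rule when naming the deciding rule. */
function evaluateAutoApprove(rules: AutoApproveRules, commandLine: string): { approved: boolean; rule?: string } {
  const matching = Object.entries(rules).filter(([key]) => ruleMatches(key, commandLine));
  const denies = matching.filter(([, allow]) => allow === false);
  if (denies.length > 0) {
    const [key] = denies.find(([k]) => !isRegexKey(k)) ?? denies[0];
    return { approved: false, rule: key };
  }
  const allow = matching.find(([, a]) => a === true);
  return allow ? { approved: true, rule: allow[0] } : { approved: false };
}

/** Full decision for one command under a policy. */
function decide(policy: TerminalPolicy, commandLine: string): Verdict {
  // 1. A blocked command never runs, sandbox or not (proposal 2).
  const blocked = (policy.blockedCommands ?? []).find(b => ruleMatches(b, commandLine));
  if (blocked !== undefined) {
    return { decision: 'block', reason: `blocked by blockedCommands entry: ${blocked}` };
  }
  // 2. Reported behaviour: the sandbox skips the prompt unless enforcement is opted in (proposal 1).
  if (policy.sandboxEnabled && !policy.enforceApprovalRules) {
    return { decision: 'run', reason: 'sandbox enabled; approval rules bypassed' };
  }
  // 3. Otherwise the autoApprove rules decide between running and asking.
  const result = evaluateAutoApprove(policy.autoApprove, commandLine);
  if (result.approved) {
    return { decision: 'run', reason: `auto-approved by rule: ${result.rule}` };
  }
  return {
    decision: 'ask',
    reason: result.rule ? `denied by deny list rule: ${result.rule}` : 'no matching rule',
  };
}

// The repro settings from the issue, reproduced here as a constructed input.
const issueAutoApprove: AutoApproveRules = { '/.*/': false, terraform: false };
const command = 'terraform state list';

interface Reproduction {
  sandboxOnly: Verdict;      // reported behaviour: runs silently
  noSandbox: Verdict;        // without sandbox: asks, deny rule "terraform"
  sandboxEnforced: Verdict;  // proposal 1: sandbox but rules still enforced
  sandboxBlocked: Verdict;   // proposal 2: never executes
}

/** Four configurations side by side for the same command. */
function reproduce(): Reproduction {
  return {
    sandboxOnly: decide({ sandboxEnabled: true, autoApprove: issueAutoApprove }, command),
    noSandbox: decide({ sandboxEnabled: false, autoApprove: issueAutoApprove }, command),
    sandboxEnforced: decide({ sandboxEnabled: true, autoApprove: issueAutoApprove, enforceApprovalRules: true }, command),
    sandboxBlocked: decide({ sandboxEnabled: true, autoApprove: issueAutoApprove, blockedCommands: ['terraform'] }, command),
  };
}

for (const [name, verdict] of Object.entries(reproduce())) {
  console.log(`${name.padEnd(16)} -> ${verdict.decision.padEnd(5)} (${verdict.reason})`);
}
```

The point of the model is the ordering in decide(): a block list is checked before the sandbox shortcut, and the sandbox shortcut only applies when enforcement is not opted in, so a rule with value false can never be silently overridden by isolation alone.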

Workarounds

  • Disable sandbox → approval rules behave as expected, but not ideal
