agentHost: auto-approve reads of Copilot SDK tool-output temp files #313837
Merged: roblourens merged 2 commits on May 2, 2026
The Copilot SDK spills oversized tool results to a file under os.tmpdir() (named like `copilot-tool-output-*.txt`) and asks the model to read it back in a follow-up turn. These reads were prompting for permission even though the file was just written by the SDK on our behalf.

Mirrors the existing session-state auto-approval pattern: only auto-approves `read` requests whose path lives directly in os.tmpdir() and whose basename matches the SDK's two known naming layouts.

(Written by Copilot)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR reduces permission prompts in the agent host by auto-approving read permission requests for Copilot SDK “spilled” large tool outputs stored as temp files under os.tmpdir(), aligning with the existing auto-approval behavior for internal session-state files.
Changes:
- Add temp-file pattern detection (`isCopilotSdkToolOutputTempFile`) for Copilot SDK tool-output spill files.
- Auto-approve `read` permission requests when the requested path matches the Copilot SDK temp-file pattern in `tmpDir`.
- Add unit tests covering positive/negative cases and ensuring `write` is not auto-approved.
| File | Description |
|---|---|
| `src/vs/platform/agentHost/node/copilot/copilotAgentSession.ts` | Adds temp-file detection + auto-approval path for read permission requests targeting Copilot SDK spill files in the OS temp directory. |
| `src/vs/platform/agentHost/test/node/copilotAgentSession.test.ts` | Adds tests for the new auto-approval behavior and its expected boundaries. |
Copilot's findings
Comments suppressed due to low confidence (1)
src/vs/platform/agentHost/node/copilot/copilotAgentSession.ts:627
- Auto-approving reads in the global OS temp directory based only on basename pattern can leak unrelated local data: any pre-existing file (or symlink) in tmpDir with a matching name would be read without user confirmation. Consider tightening this by validating the target is an actual regular file (not a symlink) and narrowing the match (e.g., enforce expected timestamp/id lengths), or preferably auto-approve only paths that were observed/recorded as SDK-created spill files for this session.
// Auto-approve reads of large-tool-output temp files written by the
// Copilot SDK itself. The SDK spills oversized tool results to
// `os.tmpdir()/copilot-tool-output-…txt` and then asks the model
// to read them back in a follow-up turn — no need to confirm.
if (request.kind === 'read' && typeof request.path === 'string') {
if (isCopilotSdkToolOutputTempFile(request.path, this._environmentService.tmpDir.fsPath)) {
this._logService.info(`[Copilot:${this.sessionId}] Auto-approving Copilot SDK tool-output temp file ${request.path}`);
return { kind: 'approve-once' };
}
}
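Review bot: the `approve-once` branch passes `request.path` to `isCopilotSdkToolOutputTempFile` exactly as received, and nothing visible in this block resolves the path or inspects what is on disk before approving. If the helper compares directory and basename lexically, the decision rests on the name alone; consider an `lstat` regular-file check before `return { kind: 'approve-once' };`, or approve only spill paths recorded for this session, and add a test for a matching-name symlink under `tmpDir`.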
- Files reviewed: 2/2 changed files
- Comments generated: 2
- Restrict the SDK tool-output regex to \d{10,} for the timestamp and
exactly 6 lowercase alphanumeric chars for the random id, matching
what the SDK actually emits and reducing the auto-approval surface.
- Drop the `export` from `isCopilotSdkToolOutputTempFile` since it has
no callers outside this module.
(Written by Copilot)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
dmitrivMS approved these changes on May 2, 2026
What

When a tool result is too large to fit inline, the Copilot SDK spills it to a temp file under `os.tmpdir()` (named like `copilot-tool-output-<…>.txt` or `<ts>-copilot-tool-output-<…>.txt`) and then asks the model to `read` that file back in a follow-up turn. Today the agent host prompts the user for permission on every one of those reads, even though the file was just written by the SDK on our behalf.

This change auto-approves those `read` permission requests, mirroring the existing session-state auto-approval pattern in `CopilotAgentSession`.

How

- `isCopilotSdkToolOutputTempFile(filePath, tmpDir)` in `copilotAgentSession.ts`:
  - `os.tmpdir()` (no nested subdirs)
  - `<timestamp>-copilot-tool-output-<6-char-id>.txt`
  - `copilot-tool-output-<timestamp>-<6-char-id>.txt`
- `handlePermissionRequest`, after the existing session-state branch, auto-approve when `request.kind === 'read'` and the path matches the helper.

How to repro the original prompt

Ask the agent something like:

The shell tool result spills to `os.tmpdir()/…copilot-tool-output-….txt`, and the follow-up `read` of that file is what was prompting before this change.

Tests

Added 4 unit tests in `copilotAgentSession.test.ts` covering:

- … `tmpDir` are not auto-approved
- … `tmpDir` are not auto-approved
- `write` to a tool-output path is not auto-approved

All 78 tests in the suite pass; `compile-check-ts-native` is clean.

Notes for reviewers

`extensions/copilot/src/extension/chatSessions/copilotcli/node/permissionHelpers.ts`) does not currently have parity for this. Out of scope for this PR — happy to follow up.

(Written by Copilot)
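A sketch of the boundaries this PR describes (file directly in the temp directory, the two basename layouts, `read` only), combined with the regular-file check suggested in the suppressed review finding. It is an added example, not the code merged in this PR; `spillReadVerdict`, `SPILL_NAME` and the sample file names are hypothetical.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

// Basename layouts named in the PR: <timestamp>-copilot-tool-output-<6-char-id>.txt and
// copilot-tool-output-<timestamp>-<6-char-id>.txt (timestamp \d{10,}, id 6 lowercase alphanumerics).
const SPILL_NAME =
  /^(?:\d{10,}-copilot-tool-output-[a-z0-9]{6}|copilot-tool-output-\d{10,}-[a-z0-9]{6})\.txt$/;

type Verdict = 'approve' | 'prompt';

// Hypothetical helper, not the PR's isCopilotSdkToolOutputTempFile.
function spillReadVerdict(kind: string, filePath: string, tmpDir: string): Verdict {
  if (kind !== 'read') { return 'prompt'; }                 // writes always prompt
  const resolved = path.resolve(filePath);                  // collapses ".." segments
  if (path.dirname(resolved) !== path.resolve(tmpDir)) { return 'prompt'; } // no nested dirs
  if (!SPILL_NAME.test(path.basename(resolved))) { return 'prompt'; }
  try {
    // lstat does not follow links, so a symlink with a matching name still prompts.
    return fs.lstatSync(resolved).isFile() ? 'approve' : 'prompt';
  } catch {
    return 'prompt';                                        // missing or unreadable entry
  }
}

// Constructed sample: builds a scratch directory that stands in for os.tmpdir().
function demo(): Record<string, Verdict> {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'spill-demo-'));
  const good = path.join(tmp, 'copilot-tool-output-1714600000000-ab12cd.txt');
  const alt = path.join(tmp, '1714600000000-copilot-tool-output-ab12cd.txt');
  const nested = path.join(tmp, 'nested', path.basename(good));
  const other = path.join(tmp, 'unrelated.txt');
  const link = path.join(tmp, 'copilot-tool-output-1714600000001-zz99zz.txt');
  fs.mkdirSync(path.join(tmp, 'nested'));
  for (const f of [good, alt, nested, other]) { fs.writeFileSync(f, 'sample'); }
  fs.symlinkSync(other, link);
  const results: Record<string, Verdict> = {
    layoutA: spillReadVerdict('read', good, tmp),
    layoutB: spillReadVerdict('read', alt, tmp),
    nested: spillReadVerdict('read', nested, tmp),
    symlink: spillReadVerdict('read', link, tmp),
    write: spillReadVerdict('write', good, tmp),
    shortId: spillReadVerdict('read', path.join(tmp, 'copilot-tool-output-1714600000000-abc.txt'), tmp),
  };
  fs.rmSync(tmp, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

The `lstat` check narrows the window but does not close it: the entry can still be replaced between approval and the read, which is why the review finding prefers approving only paths recorded as SDK-created for the session.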