From dc4c5b976b4c0d5d12b794ae0dedc23ec40446f7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 4 May 2026 22:15:41 +0000
Subject: [PATCH 1/3] Initial plan
From 82222fd2c808af6b58ac826d450c72645e69342b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 4 May 2026 22:19:49 +0000
Subject: [PATCH 2/3] Forbid routing terminal secret prompts through vscode_askQuestions
Agent-Logs-Url: https://github.com/microsoft/vscode/sessions/9f66acd2-1929-46f2-9e20-013a5fe79bc4
Co-authored-by: meganrogge <29464607+meganrogge@users.noreply.github.com>
---
 .../chatAgentTools/browser/tools/runInTerminalTool.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts b/src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts
index 7cb1c9feabb0f..6e424f3a4d207 100644
--- a/src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts
+++ b/src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts
@@ -146,6 +146,7 @@ function createPowerShellModelDescription(shell: string, isSandboxEnabled: boole '', 'Interactive Input Handling:', '- When a terminal command is waiting for interactive input, do NOT suggest alternatives or ask the user whether to proceed. Instead, use the vscode_askQuestions tool to collect the needed values from the user, then send them.', + '- NEVER use vscode_askQuestions to request sensitive input such as passwords, passphrases, API keys, tokens, or other secrets — answers to that tool are sent through the model. If the prompt requires a secret, tell the user to type it directly into the terminal and stop; do not call vscode_askQuestions or send_to_terminal for that prompt.', `- Send exactly one answer per prompt using ${TerminalToolId.SendToTerminal}. Never send multiple answers in a single send.`, `- After each send, call ${TerminalToolId.GetTerminalOutput} to read the next prompt before sending the next answer.`, '- Continue one prompt at a time until the command finishes.', @@ -228,6 +229,7 @@ Best Practices: Interactive Input Handling: - When a terminal command is waiting for interactive input, do NOT suggest alternatives or ask the user whether to proceed. Instead, use the vscode_askQuestions tool to collect the needed values from the user, then send them. +- NEVER use vscode_askQuestions to request sensitive input such as passwords, passphrases, API keys, tokens, or other secrets — answers to that tool are sent through the model. If the prompt requires a secret, tell the user to type it directly into the terminal and stop; do not call vscode_askQuestions or send_to_terminal for that prompt. - Send exactly one answer per prompt using ${TerminalToolId.SendToTerminal}. Never send multiple answers in a single send. - After each send, call ${TerminalToolId.GetTerminalOutput} to read the next prompt before sending the next answer. - Continue one prompt at a time until the command finishes.`); 
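Review bot: The bullet directly above the added line still tells the model, without qualification, to "use the vscode_askQuestions tool to collect the needed values", so for a password prompt the description now carries two conflicting instructions. Scope the earlier bullet so the rule does not depend on the model weighing NEVER against it, for example by opening it with `'- When a terminal command is waiting for non-secret interactive input, ...'`; the same pair of bullets appears in the second description at @@ -228. The guard is also an instruction to the model only: nothing visible in this hunk refuses a vscode_askQuestions call for a secret prompt in code. If the tool layer can recognise password-style prompts (the doc comment at @@ -1777 suggests auto-approve mode already distinguishes them, though that code is not shown), rejecting the call there would hold even when the model ignores the text. createPowerShellModelDescription starts and ends outside the hunk.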
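Review bot: The bullet added at @@ -228 names the tool as the literal `send_to_terminal`, while the neighbouring bullets in the same template literal interpolate `${TerminalToolId.SendToTerminal}`. PATCH 3/3 replaces the literal only in the PowerShell array at @@ -146, so this copy stays hard-coded after the series. If the tool id is ever renamed, the prohibition here would name a tool the model does not have, and the secret-handling rule would quietly weaken for non-PowerShell shells. Change the tail of the bullet to `do not call vscode_askQuestions or ${TerminalToolId.SendToTerminal} for that prompt.` The function that builds this template is not visible in the hunk.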
@@ -1777,7 +1779,11 @@ export class RunInTerminalTool extends Disposable implements IToolImpl {
 * 2. In auto-approve mode, leads with `send_to_terminal` for non-secret
 * prompts to minimize round-trips, with a `get_terminal_output` fallback.
 * 3. In default mode, leads with `get_terminal_output` as the safe
- * recovery action and offers `vscode_askQuestions` only for real prompts.
+ * recovery action and offers `vscode_askQuestions` only for real
+ * non-secret prompts. Secret prompts (passwords, passphrases,
+ * tokens) must never be routed through `vscode_askQuestions`
+ * because answers to that tool are sent through the model — the
+ * user is told to type those values directly into the terminal.
 * `kill_terminal` is only advertised on the timeout branch — suggesting it
 * in the general case leads the model to terminate valid interactive
 * sessions (e.g. `npm init`) instead of driving them.
@@ -1794,7 +1800,7 @@ export class RunInTerminalTool extends Disposable implements IToolImpl {
 lines.push(` 2. If the command may still be producing output or the shell prompt has not returned, call ${TerminalToolId.GetTerminalOutput} with id="${termId}" to continue polling.`);
 } else {
 lines.push(` 1. If the command may still be producing output or the shell prompt has not returned, call ${TerminalToolId.GetTerminalOutput} with id="${termId}" to continue polling. This is the default and safest action when unsure.`);
- lines.push(` 2. Only if the output clearly ends with a real input prompt (password:, Continue? (y/n), etc. — a normal shell prompt like \`$\` or \`#\` does NOT count), call the vscode_askQuestions tool to ask the user, then send each answer using ${TerminalToolId.SendToTerminal} with id="${termId}" (which returns the next few lines of output). Repeat one prompt at a time.`);
+ lines.push(` 2. Only if the output clearly ends with a real non-secret input prompt (Continue? (y/n), Enter selection, etc. — a normal shell prompt like \`$\` or \`#\` does NOT count), call the vscode_askQuestions tool to ask the user, then send each answer using ${TerminalToolId.SendToTerminal} with id="${termId}" (which returns the next few lines of output). Repeat one prompt at a time. NEVER route secret prompts (passwords, passphrases, tokens, API keys, etc.) through vscode_askQuestions — answers to that tool are sent through the model. For secret prompts, tell the user to type the value directly into the terminal and stop.`);
 }
 if (mentionTimeout) {
 lines.push(` 3. A timeout does not mean the command failed — call ${TerminalToolId.GetTerminalOutput} with id="${termId}" to continue polling. Only call ${TerminalToolId.KillTerminal} if the command is genuinely hung and you need to retry with a different approach.`);
From 20905dc1c63b932b72262b84aeb157aa355793c7 Mon Sep 17 00:00:00 2001
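Review bot: The rewritten step 2 forbids routing secret prompts through vscode_askQuestions but does not forbid `${TerminalToolId.SendToTerminal}` for them, unlike the description bullets added in the same patch. This steering text therefore leaves room for the model to send a secret it picked up elsewhere in the conversation. End the sentence the same way as the descriptions: `For secret prompts, tell the user to type the value directly into the terminal and stop; do not call vscode_askQuestions or ${TerminalToolId.SendToTerminal} for that prompt.` The auto-approve branch above `} else {` is only partly visible, so whether it carries equivalent wording cannot be checked from this hunk; the enclosing method starts and ends outside it.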
From: Megan Rogge
Date: Mon, 4 May 2026 18:26:32 -0400
Subject: [PATCH 3/3] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../chatAgentTools/browser/tools/runInTerminalTool.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts b/src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts
index 6e424f3a4d207..90884a4b7ce2d 100644
--- a/src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts
+++ b/src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts
@@ -146,7 +146,7 @@ function createPowerShellModelDescription(shell: string, isSandboxEnabled: boole
 '',
 'Interactive Input Handling:',
 '- When a terminal command is waiting for interactive input, do NOT suggest alternatives or ask the user whether to proceed. Instead, use the vscode_askQuestions tool to collect the needed values from the user, then send them.',
- '- NEVER use vscode_askQuestions to request sensitive input such as passwords, passphrases, API keys, tokens, or other secrets — answers to that tool are sent through the model. If the prompt requires a secret, tell the user to type it directly into the terminal and stop; do not call vscode_askQuestions or send_to_terminal for that prompt.',
+ `- NEVER use vscode_askQuestions to request sensitive input such as passwords, passphrases, API keys, tokens, or other secrets — answers to that tool are sent through the model. If the prompt requires a secret, tell the user to type it directly into the terminal and stop; do not call vscode_askQuestions or ${TerminalToolId.SendToTerminal} for that prompt.`,
 `- Send exactly one answer per prompt using ${TerminalToolId.SendToTerminal}. Never send multiple answers in a single send.`,
 `- After each send, call ${TerminalToolId.GetTerminalOutput} to read the next prompt before sending the next answer.`,
 '- Continue one prompt at a time until the command finishes.',