[cherry-pick] [release/1.121] Allow sandbox writes to workspace storage#319486
Merged
Conversation
dileepyavan
added
the
release-cherry-pick
Contributor
📬 CODENOTIFYThe following users are being notified based on files changed in this PR: @anthonykim1Matched files:
|
Contributor
There was a problem hiding this comment.
Pull request overview
This cherry-pick updates terminal sandboxing so the workspace storage directory is treated as a writable root (in addition to being readable), aligning behavior with the intended TerminalSandboxEngine host-provided workspace/session storage location.
Changes:
- Add the workspace storage root to the sandbox filesystem write allow-list.
- Update Windows filesystem setting text to explicitly mention the workspace storage folder as an allowed write root.
- Extend the terminal sandbox service test to assert workspace storage is included in
allowWrite.
Show a summary per file
| File | Description |
|---|---|
| src/vs/workbench/contrib/terminalContrib/chatAgentTools/test/browser/terminalSandboxService.test.ts | Adds an assertion that workspace storage is included in allowWrite. |
| src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalChatAgentToolsConfiguration.ts | Updates Windows allowWrite setting description to mention workspace storage. |
| src/vs/platform/sandbox/common/terminalSandboxEngine.ts | Includes workspace storage path in computed write roots (and adjusts async flow accordingly). |
Copilot's findings
Comments suppressed due to low confidence (1)
src/vs/platform/sandbox/common/terminalSandboxEngine.ts:74
getWorkspaceStorageReadRootis now used to grant write access (and the JSDoc mentions allowWrite), so the method name is misleading. Consider renaming it (and related references likeonDidChangeRootsdocs) to something likegetWorkspaceStorageRoot/getWorkspaceStorageAccessRootto reflect its read+write semantics and avoid future confusion.
/** Path added to `allowRead` and `allowWrite` for the engine's workspace/session storage area. */
getWorkspaceStorageReadRoot(): Promise<URI | undefined>;
/** Roots that must be writable inside the sandbox (workspace folders / session cwds). */
getWriteRoots(): readonly URI[];
/** Fires when {@link getWriteRoots} or {@link getWorkspaceStorageReadRoot} change. */
readonly onDidChangeRoots: Event<void>;
- Files reviewed: 3/3 changed files
- Comments generated: 0
dmitrivMS
approved these changes
Jun 2, 2026
dileepyavan
added
the
~release-cherry-pick
vs-code-engineering
Bot
removed
the
~release-cherry-pick
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
TerminalSandboxEnginearchitectureValidation
terminalSandboxService.test.ts: 62 passed, 0 failed