Skip to content

Guide agent away from interactive privilege-escalation commands#324787

Open
meganrogge wants to merge 4 commits into
mainfrom
meganrogge/agent-avoid-interactive-sudo
Open

Guide agent away from interactive privilege-escalation commands#324787
meganrogge wants to merge 4 commits into
mainfrom
meganrogge/agent-avoid-interactive-sudo

Conversation

@meganrogge

@meganrogge meganrogge commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Adds tool-description guidance so the agent avoids terminal commands that block on an interactive privilege-escalation prompt it cannot answer.

Context: #324319

The agent runs a sudo command that prompts for a password in a chat-owned terminal the user can't type into, wasting the prompt.

How the Copilot CLI runtime handles this (for comparison)

github/copilot-agent-runtime uses two layers:

  1. Headless fail-fast (core mechanism): its shell tool spawns commands with no TTY and stdin closed (api_shell_process.rs, .stdin(Stdio::null())), so sudo errors out immediately ("a terminal is required to read the password") instead of hanging.
  2. Prompt guidance + loop caps: src/runtime/src/prompts/cli_system.rs tells the model privilege-escalation commands will block/fail and it should stop and inform the user rather than retrying.

VS Code runs agent commands in a real, shared pty, so it deliberately can't adopt (1) without breaking the supported interactive flow where a present user focuses the terminal and types their password. VS Code already covers the runtime side differently: it detects sensitive prompts and cancels in auto/autopilot mode, and offers "focus terminal" interactively (monitoring/outputMonitor.ts, runInTerminalTool.ts).

What this PR changes

This ports layer 2 only — the prompt guidance — which VS Code was missing. It adds a line to the run_in_terminal descriptions instructing the model to avoid commands that block on an interactive elevation prompt, and to tell the user to run them instead of retrying with variations:

  • POSIX (bash/zsh): avoid sudo/su/doas without a non-interactive flag (e.g. sudo -n).
  • PowerShell: avoid Start-Process -Verb RunAs / runas.exe.

This is complementary to the existing detect-and-cancel behavior: it reduces wasted turns by discouraging such commands up front and by discouraging retry loops (the pattern the CLI's sudo-required benchmark guards against). It matches the improvement suggested in the issue discussion ("add an instruction like don't use sudo commands").

Scope / risk

  • String-only change to two tool-description builders in runInTerminalTool.ts; no runtime/behavioral code touched.
  • Does not disable interactive sudo — a present user can still focus the terminal and enter a password as today.

Fixes #324319

Add tool-description guidance instructing the agent to avoid commands that
block on an interactive password/UAC prompt it cannot answer (sudo/su/doas
without a non-interactive flag on POSIX; Start-Process -Verb RunAs / runas.exe
on PowerShell). Instead, the model should tell the user to run the command
themselves and stop rather than retrying with variations.

This mirrors the Copilot CLI runtime's prompt guidance and avoids the wasted
turns / hangs described in #324319, where sudo password
prompts appear in a terminal the user cannot type into.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 7, 2026 16:00
@vs-code-engineering

Copy link
Copy Markdown
Contributor

📬 CODENOTIFY

The following users are being notified based on files changed in this PR:

@anthonykim1

Matched files:

  • src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts

@meganrogge meganrogge self-assigned this Jul 7, 2026
@meganrogge meganrogge added this to the 1.129.0 milestone Jul 7, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR ports the Copilot CLI runtime's prompt-guidance approach for privilege escalation into the VS Code terminal tool. It augments the run_in_terminal tool descriptions with guidance steering the model away from commands that would block on an interactive elevation prompt (UAC/password) that cannot be answered from a chat-owned terminal, telling the model to instead ask the user to run the command themselves and stop rather than retrying. This is a string-only change to tool descriptions with no behavioral or runtime code touched.

Changes:

  • Adds POSIX guidance (bash/zsh/fish via the shared createGenericDescription) to avoid sudo/su/doas without a non-interactive flag (e.g. sudo -n).
  • Adds PowerShell guidance to avoid Start-Process -Verb RunAs / runas.exe.
  • In both cases, instructs the model to defer to the user and not retry with variations, complementing existing sensitive-input handling.
Show a summary per file
File Description
src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts Adds two best-practices lines (PowerShell and POSIX shells) to the terminal tool descriptions discouraging interactive privilege-escalation commands.

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Medium

@meganrogge

Copy link
Copy Markdown
Collaborator Author

/requires-eval-assessment terminalbench2 gpt-5.5,claude-opus-4.8,claude-opus-4.7

@meganrogge meganrogge added the ~requires-eval-assessment Evals will be run and will generate a report upon completion label Jul 7, 2026
@vs-code-engineering

Copy link
Copy Markdown
Contributor

⏳ Queued vscode build for 9b5a05af7746c60d7eb95cbc33aa36b32504bb39 (step 1/2).

roblourens
roblourens previously approved these changes Jul 7, 2026
Per PR feedback: in interactive mode the user can focus the terminal and
type a sudo/UAC password directly (bypassing the model), which is a supported
flow, so the "avoid privilege escalation" guidance should not appear there.
Gate the elevation line on the auto-approve setting, where such prompts are
cancelled because no human is available to answer them.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
DonJayamanne
DonJayamanne previously approved these changes Jul 7, 2026
…efaults

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@meganrogge meganrogge enabled auto-merge (squash) July 7, 2026 17:38
@vs-code-engineering

Copy link
Copy Markdown
Contributor

🔄 First vscode build failed; retried failed stages: https://dev.azure.com/monacotools/Monaco/_build/results?buildId=454131

@vs-code-engineering

Copy link
Copy Markdown
Contributor

🚀 Queued eval-assessment publish build for 27d21de9432a2bde734aa885bc3ba71bf6005835 (step 2/2).

@vs-code-engineering

Copy link
Copy Markdown
Contributor

❌ Eval-assessment build did not succeed (result: failed).

@vs-code-engineering vs-code-engineering Bot removed the ~requires-eval-assessment Evals will be run and will generate a report upon completion label Jul 7, 2026
@meganrogge meganrogge disabled auto-merge July 7, 2026 19:30
@meganrogge meganrogge enabled auto-merge (squash) July 7, 2026 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

github copilot regularly prompts for passwords that can't be entered.

5 participants