Guide agent away from interactive privilege-escalation commands#324787
Guide agent away from interactive privilege-escalation commands#324787meganrogge wants to merge 4 commits into
Conversation
Add tool-description guidance instructing the agent to avoid commands that block on an interactive password/UAC prompt it cannot answer (sudo/su/doas without a non-interactive flag on POSIX; Start-Process -Verb RunAs / runas.exe on PowerShell). Instead, the model should tell the user to run the command themselves and stop rather than retrying with variations. This mirrors the Copilot CLI runtime's prompt guidance and avoids the wasted turns / hangs described in #324319, where sudo password prompts appear in a terminal the user cannot type into. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
📬 CODENOTIFYThe following users are being notified based on files changed in this PR: @anthonykim1Matched files:
|
There was a problem hiding this comment.
Pull request overview
This PR ports the Copilot CLI runtime's prompt-guidance approach for privilege escalation into the VS Code terminal tool. It augments the run_in_terminal tool descriptions with guidance steering the model away from commands that would block on an interactive elevation prompt (UAC/password) that cannot be answered from a chat-owned terminal, telling the model to instead ask the user to run the command themselves and stop rather than retrying. This is a string-only change to tool descriptions with no behavioral or runtime code touched.
Changes:
- Adds POSIX guidance (bash/zsh/fish via the shared
createGenericDescription) to avoidsudo/su/doaswithout a non-interactive flag (e.g.sudo -n). - Adds PowerShell guidance to avoid
Start-Process -Verb RunAs/runas.exe. - In both cases, instructs the model to defer to the user and not retry with variations, complementing existing sensitive-input handling.
Show a summary per file
| File | Description |
|---|---|
| src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts | Adds two best-practices lines (PowerShell and POSIX shells) to the terminal tool descriptions discouraging interactive privilege-escalation commands. |
Review details
- Files reviewed: 1/1 changed files
- Comments generated: 0
- Review effort level: Medium
|
/requires-eval-assessment terminalbench2 gpt-5.5,claude-opus-4.8,claude-opus-4.7 |
|
⏳ Queued vscode build for
|
Per PR feedback: in interactive mode the user can focus the terminal and type a sudo/UAC password directly (bypassing the model), which is a supported flow, so the "avoid privilege escalation" guidance should not appear there. Gate the elevation line on the auto-approve setting, where such prompts are cancelled because no human is available to answer them. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…efaults Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
🔄 First vscode build failed; retried failed stages: https://dev.azure.com/monacotools/Monaco/_build/results?buildId=454131 |
|
🚀 Queued eval-assessment publish build for
|
|
❌ Eval-assessment build did not succeed (result: |
Adds tool-description guidance so the agent avoids terminal commands that block on an interactive privilege-escalation prompt it cannot answer.
Context: #324319
The agent runs a
sudocommand that prompts for a password in a chat-owned terminal the user can't type into, wasting the prompt.How the Copilot CLI runtime handles this (for comparison)
github/copilot-agent-runtimeuses two layers:stdinclosed (api_shell_process.rs,.stdin(Stdio::null())), sosudoerrors out immediately ("a terminal is required to read the password") instead of hanging.src/runtime/src/prompts/cli_system.rstells the model privilege-escalation commands will block/fail and it should stop and inform the user rather than retrying.VS Code runs agent commands in a real, shared pty, so it deliberately can't adopt (1) without breaking the supported interactive flow where a present user focuses the terminal and types their password. VS Code already covers the runtime side differently: it detects sensitive prompts and cancels in auto/autopilot mode, and offers "focus terminal" interactively (
monitoring/outputMonitor.ts,runInTerminalTool.ts).What this PR changes
This ports layer 2 only — the prompt guidance — which VS Code was missing. It adds a line to the
run_in_terminaldescriptions instructing the model to avoid commands that block on an interactive elevation prompt, and to tell the user to run them instead of retrying with variations:sudo/su/doaswithout a non-interactive flag (e.g.sudo -n).Start-Process -Verb RunAs/runas.exe.This is complementary to the existing detect-and-cancel behavior: it reduces wasted turns by discouraging such commands up front and by discouraging retry loops (the pattern the CLI's
sudo-requiredbenchmark guards against). It matches the improvement suggested in the issue discussion ("add an instruction like don't use sudo commands").Scope / risk
runInTerminalTool.ts; no runtime/behavioral code touched.Fixes #324319