Skip to content

Test: Windows agent terminal sandboxing #323515

Description

@dileepyavan

Refs #323224

Complexity: 4

Create Issue


Context

Windows agent terminal sandboxing uses the MXC runtime (wxc-exec.exe) . This test plan item validates that agent shell commands on Windows are wrapped through MXC when sandboxing is enabled, that workspace/temp filesystem access behaves as expected, configured filesystem rules are honored, and explicit unsandboxed execution does not happen silently.

Setup

  • Use a Windows machine preferebly a VM as this needs windows insider version. More details here.
  • Open a workspace folder.
  • Enable agent terminal sandboxing:
    • chat.agent.sandbox.enabled: on
  • For Agent Host testing, use the Agent Host/custom terminal tool path if available.

Create issue

Test Steps

1. Verify a sandboxed shell command runs

  1. Open Chat or the Agents Window.
  2. Start a local Agent Host or Copilot agent session.
  3. Ask the agent to run a simple shell command, for example:
    • echo WINDOWS_SANDBOX_TEST
    • pwd
    • dir
  4. Verify the command completes successfully.

Expected:

  • The command output is returned to chat.
  • The command is reported/logged as sandboxed.
  • On Windows, the wrapped command/config path uses MXC / wxc-exec.exe, not the POSIX sandbox-runtime.

2. Verify workspace write access

  1. Ask the agent to create a temporary file in the workspace, for example:
    • echo hello > .sandbox-windows-test.txt
  2. Ask the agent to read the file back.
  3. Ask the agent to delete it.

Expected:

  • Writing inside the workspace succeeds.
  • Reading the file succeeds.
  • Cleanup succeeds.
  • The sandbox config exposes the workspace as writable.

3. Verify filesystem restrictions outside the workspace

  1. Ask the agent to read or write a path outside the allowed workspace/temp locations, for example under the user profile.
  2. If a custom sandbox filesystem setting is configured, include a specific denied/read-only path using the setting chat.agent.sandbox.fileSystem.windows

Expected:

  • Disallowed writes are blocked or fail.
  • Allowed read-only paths can be read but not modified.
  • The agent reports failures clearly and does not silently rerun the command unsandboxed.

4. Verify unsandboxed execution confirmation

  1. Ask the agent to run a command with explicit unsandboxed execution, or use a path that requires escaping the sandbox.
  2. Test with unsandboxed commands allowed and disabled if possible.

Expected:

  • If unsandboxed commands are allowed, VS Code asks for confirmation before running outside the sandbox.
  • If unsandboxed commands are disabled, the command does not run unsandboxed and the failure is surfaced.

5. Verify shell/environment behavior

  1. Run commands in PowerShell that depend on normal Windows environment setup, for example:
    • $env:PATH
    • $env:USERPROFILE
    • Get-Location
  2. Optionally test with a non-default PowerShell path if available.

Expected:

  • The shell launches with the expected environment.
  • The working directory is the workspace.
  • Basic PowerShell commands work inside the sandbox.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions