Refs #323224
Complexity: 4
Create Issue
Context
Windows agent terminal sandboxing uses the MXC runtime (wxc-exec.exe) . This test plan item validates that agent shell commands on Windows are wrapped through MXC when sandboxing is enabled, that workspace/temp filesystem access behaves as expected, configured filesystem rules are honored, and explicit unsandboxed execution does not happen silently.
Setup
- Use a Windows machine preferebly a VM as this needs windows insider version. More details here.
- Open a workspace folder.
- Enable agent terminal sandboxing:
chat.agent.sandbox.enabled: on
- For Agent Host testing, use the Agent Host/custom terminal tool path if available.
Create issue
Test Steps
1. Verify a sandboxed shell command runs
- Open Chat or the Agents Window.
- Start a local Agent Host or Copilot agent session.
- Ask the agent to run a simple shell command, for example:
echo WINDOWS_SANDBOX_TEST
pwd
dir
- Verify the command completes successfully.
Expected:
- The command output is returned to chat.
- The command is reported/logged as sandboxed.
- On Windows, the wrapped command/config path uses MXC /
wxc-exec.exe, not the POSIX sandbox-runtime.
2. Verify workspace write access
- Ask the agent to create a temporary file in the workspace, for example:
echo hello > .sandbox-windows-test.txt
- Ask the agent to read the file back.
- Ask the agent to delete it.
Expected:
- Writing inside the workspace succeeds.
- Reading the file succeeds.
- Cleanup succeeds.
- The sandbox config exposes the workspace as writable.
3. Verify filesystem restrictions outside the workspace
- Ask the agent to read or write a path outside the allowed workspace/temp locations, for example under the user profile.
- If a custom sandbox filesystem setting is configured, include a specific denied/read-only path using the setting
chat.agent.sandbox.fileSystem.windows
Expected:
- Disallowed writes are blocked or fail.
- Allowed read-only paths can be read but not modified.
- The agent reports failures clearly and does not silently rerun the command unsandboxed.
4. Verify unsandboxed execution confirmation
- Ask the agent to run a command with explicit unsandboxed execution, or use a path that requires escaping the sandbox.
- Test with unsandboxed commands allowed and disabled if possible.
Expected:
- If unsandboxed commands are allowed, VS Code asks for confirmation before running outside the sandbox.
- If unsandboxed commands are disabled, the command does not run unsandboxed and the failure is surfaced.
5. Verify shell/environment behavior
- Run commands in PowerShell that depend on normal Windows environment setup, for example:
$env:PATH
$env:USERPROFILE
Get-Location
- Optionally test with a non-default PowerShell path if available.
Expected:
- The shell launches with the expected environment.
- The working directory is the workspace.
- Basic PowerShell commands work inside the sandbox.
Refs #323224
Complexity: 4
Create Issue
Context
Windows agent terminal sandboxing uses the MXC runtime (
wxc-exec.exe) . This test plan item validates that agent shell commands on Windows are wrapped through MXC when sandboxing is enabled, that workspace/temp filesystem access behaves as expected, configured filesystem rules are honored, and explicit unsandboxed execution does not happen silently.Setup
chat.agent.sandbox.enabled:onCreate issue
Test Steps
1. Verify a sandboxed shell command runs
echo WINDOWS_SANDBOX_TESTpwddirExpected:
wxc-exec.exe, not the POSIXsandbox-runtime.2. Verify workspace write access
echo hello > .sandbox-windows-test.txtExpected:
3. Verify filesystem restrictions outside the workspace
chat.agent.sandbox.fileSystem.windowsExpected:
4. Verify unsandboxed execution confirmation
Expected:
5. Verify shell/environment behavior
$env:PATH$env:USERPROFILEGet-LocationExpected: