Auto-approve tee command and /tmp writes in terminal tool#288328
Draft
Co-authored-by: Tyriar <[email protected]>
Copilot (AI) changed the title from "[WIP] Consider auto approving file writes to /tmp" to "Auto-approve tee command and /tmp writes in terminal tool" (Jan 16, 2026)
sanchirico added a commit to sanchirico/vscode that referenced this pull request (Mar 1, 2026):
Adds `tee` to the auto-approve allowlist, a `TeeFileWriteParser` so the file
write analyzer detects `tee`'s file arguments (same pattern as `SedFileWriteParser`),
and allows writes to `/tmp` and `/private/tmp` in the analyzer.
On macOS `/tmp` is a symlink to `/private/tmp`. If the shell resolves
the symlink before the path reaches the analyzer, `startsWith('/tmp/')` misses
it. Checking both prefixes covers both cases.
I left out `/var/tmp`. I believe it's more for stuff that survives reboots and
microsoft#288327 only asks for `/tmp`.
Not sure if `/private/tmp` is in scope for microsoft#288327. Let me know if you'd rather drop it and keep only `/tmp`.
microsoft#288328 covers most of the same ground but doesn't handle `/private/tmp`.
Copilot also didn't touch the no workspace folders path to allow `/tmp` there,
so I left that out too. If the AI that filed the PR didn't think it was needed,
who am I to argue. It probably knows more than me. Let me know if you want it
added though.
For the pre-existing tests that used `/tmp/file.txt` as the "outside workspace - block" example, I updated the path to `/etc/file.txt` to preserve the original intent rather than flipping them to "allow" like microsoft#288328 does (which just makes them redundant with the new allow tests).
Tests added for `/tmp`, `/private/tmp`, and `tee` with various destinations.
Fixes microsoft#288327
sanchirico added a commit to sanchirico/vscode that referenced this pull request (Mar 1, 2026):
Feel free to reject if this is more than what's wanted for microsoft#288327, happy to take a different approach. I thought this would be a simple first PR, but adding `tee` means the file write analyzer needs to know which files `tee` targets (redirections are already caught by tree-sitter). So it also needed a `TeeFileWriteParser` and a shared tokenizer extraction.

Adds `tee` to the auto-approve allowlist, a `TeeFileWriteParser` so the file write analyzer detects `tee`'s file arguments (same pattern as `SedFileWriteParser`), and allows writes to `/tmp` and `/private/tmp` in the analyzer.

On macOS `/tmp` is a symlink to `/private/tmp`. If the shell resolves the symlink before the path reaches the analyzer, `startsWith('/tmp/')` misses it. Checking both prefixes covers both cases.

I left out `/var/tmp`. I believe it's more for stuff that survives reboots and microsoft#288327 only asks for `/tmp`.

Not sure if `/private/tmp` is in scope for microsoft#288327. Let me know if you'd rather drop it and keep only `/tmp`.

microsoft#288328 covers most of the same ground but doesn't handle `/private/tmp`. Copilot also didn't touch the no-workspace-folders path to allow `/tmp` there, so I added that too.

Also extracts the duplicate `_tokenizeCommand` from `SedFileWriteParser` into a shared `commandParserUtils.ts`.

For pre-existing tests that used `/tmp/file.txt` as the "outside workspace - block" example, I updated the path to `/etc/file.txt` to preserve the original intent rather than flipping them to "allow" like microsoft#288328 does (which just makes them redundant with the new allow tests).

Tests added for `/tmp`, `/private/tmp`, and `tee` with various destinations.

Fixes microsoft#288327
sanchirico added a commit to sanchirico/vscode that referenced this pull request (Mar 1, 2026):
I'm not 100% sure about this. I thought this would be a simple first PR, but adding `tee` means the file write analyzer needs to know which files `tee` targets. So it also needed a `TeeFileWriteParser` and shared tokenizer extraction?
This adds `tee` to the auto-approve allowlist, a `TeeFileWriteParser` so the file
write analyzer detects `tee`'s file arguments (same pattern as `SedFileWriteParser`),
and allows writes to `/tmp` and `/private/tmp` in the analyzer.
On macOS `/tmp` is a symlink to `/private/tmp`. If the shell resolves
the symlink before the path reaches the analyzer, `startsWith('/tmp/')` misses
it. Checking both prefixes covers both cases.
I left out `/var/tmp`. I believe it's more for stuff that survives reboots and
microsoft#288327 only asks for `/tmp`.
Not sure if `/private/tmp` is in scope for microsoft#288327. Let me know if you'd rather drop it and keep only `/tmp`.
microsoft#288328 covers most of the same ground but doesn't handle `/private/tmp`.
Copilot also didn't touch the no-workspace-folders path to allow `/tmp` there,
so I added that too.
Also extracts the duplicate `_tokenizeCommand` from `SedFileWriteParser` into a shared `commandParserUtils.ts`.
For pre-existing tests that used `/tmp/file.txt` as the "outside workspace - block" example, I updated the path to `/etc/file.txt` to preserve the original intent rather than flipping them to "allow" like microsoft#288328 does (which just makes them redundant with the new allow tests).
Tests added for `/tmp`, `/private/tmp`, and `tee` with various destinations.
Fixes microsoft#288327
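An added example, not VS Code's own code, sketching the pieces these commits describe: a small quote-aware tokenizer standing in for the shared `_tokenizeCommand`, a `tee` argument parser in the spirit of `TeeFileWriteParser`, and the two-prefix `/tmp` check. The names `tokenizeCommand`, `teeFileWrites`, `normalizePosix`, `isAllowedTmpWrite` and `teeAutoApproved` are assumptions, and it goes one step beyond the commits by collapsing `.` and `..` segments before the prefix test.

```typescript
// Hypothetical stand-in for the shared `_tokenizeCommand`: split on whitespace, honouring quotes.
export function tokenizeCommand(command: string): string[] {
  const tokens: string[] = [];
  let current = '';
  let quote: string | null = null;
  for (const ch of command.split('')) {
    if (quote !== null) {
      if (ch === quote) { quote = null; } else { current += ch; }
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (/\s/.test(ch)) {
      if (current !== '') { tokens.push(current); current = ''; }
    } else {
      current += ch;
    }
  }
  if (current !== '') { tokens.push(current); }
  return tokens;
}
// Files a `tee` invocation writes to, or null when the command is not `tee`. Flags are skipped; `--` ends options.
export function teeFileWrites(command: string): string[] | null {
  const tokens = tokenizeCommand(command);
  if (tokens[0] !== 'tee') { return null; }
  const files: string[] = [];
  let optionsDone = false;
  for (const tok of tokens.slice(1)) {
    if (!optionsDone && tok === '--') { optionsDone = true; continue; }
    if (!optionsDone && tok.length > 1 && tok.charAt(0) === '-') { continue; }
    files.push(tok);
  }
  return files;
}
// Collapse `.` and `..` so `/tmp/../etc/passwd` cannot pass a bare prefix check (assumed helper).
function normalizePosix(path: string): string {
  const out: string[] = [];
  for (const part of path.split('/')) {
    if (part === '..') { out.pop(); } else if (part !== '' && part !== '.') { out.push(part); }
  }
  return (path.charAt(0) === '/' ? '/' : '') + out.join('/');
}
// On macOS /tmp is a symlink to /private/tmp, so both prefixes are accepted.
// indexOf(...) === 0 is the same test as the startsWith('/tmp/') the commits mention.
export function isAllowedTmpWrite(path: string): boolean {
  const normalised = normalizePosix(path);
  return ['/tmp/', '/private/tmp/'].some(prefix => normalised.indexOf(prefix) === 0);
}
// Auto-approve `tee` only when every target is under /tmp; anything else keeps the normal approval flow.
export function teeAutoApproved(command: string): boolean {
  const files = teeFileWrites(command);
  return files !== null && files.every(isAllowedTmpWrite);
}
```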
Commands like `npm run test 2>&1 | tee /tmp/test_output.log` were blocked because `tee` wasn't auto-approved and `/tmp` writes were rejected.

Changes
- Auto-approve `tee` command (`terminalChatAgentToolsConfiguration.ts`)
- Allow `/tmp` writes on Unix-like systems (`commandLineFileWriteAnalyzer.ts`) to permit writes to `/tmp/`

Test coverage
- `/tmp` write allowance and subdirectories
- `tee` with various destinations
- `/tmp` to be blocked

Examples

Now auto-approved:

Still require approval: