
Apply reviewer feedback to Security section in agent mode docs #8710


Draft
wants to merge 6 commits into base: agent-security

Conversation

Copilot
Contributor

@Copilot Copilot AI commented Aug 5, 2025

This PR applies comprehensive reviewer feedback to improve the Security section of the agent mode documentation. The changes enhance clarity, structure, and completeness based on detailed review comments.

Key Improvements Made

Enhanced language and clarity:

  • More concise introductory text for better readability
  • Improved descriptions for autonomous file operations and context access risks
  • Clearer warnings about MCP server trust and arbitrary code execution

Expanded Workspace Trust explanation:

  • Added high-level introduction explaining what Workspace Trust is as VS Code's security feature
  • Added details about restricted mode being the default for untrusted workspaces
  • Included recommendation to review code before trusting workspaces
  • Clarified that AI capabilities are disabled in restricted mode

Better structure and formatting:

  • Changed "MCP security" heading to "MCP server trust" for clarity
  • Converted user best practices from paragraph format to bulleted list
  • Enhanced file change review description to mention diff editor capabilities
  • Added specific example for tool enablement (preventing code edits in planning mode)

Improved technical accuracy:

  • Updated secure credentials store description to be more specific about "sensitive tool input parameters"
  • Enhanced session isolation explanation with clearer language
  • Added proper link to dev containers documentation
  • Cleaned up corrupted text in Related resources section

User-focused improvements:

  • Restructured MCP trust section to emphasize security risks upfront
  • Provided more actionable guidance throughout the section
  • Maintained security-first approach while improving accessibility

These changes address all reviewer feedback while preserving the comprehensive security guidance and maintaining the security-first approach of the original implementation.

Fixes #8571



@Copilot Copilot AI changed the title [WIP] Add Security section to agent mode docs (Issue #8571) Add Security section to agent mode docs (Issue #8571) Aug 5, 2025
@Copilot Copilot AI requested a review from ntrogh August 5, 2025 12:20
Copilot finished work on behalf of ntrogh August 5, 2025 12:20
@ntrogh
Contributor

ntrogh commented Aug 11, 2025

@copilot I like the cross-references within the article.
For the Security section, here's an outline and talking points I suggest you use:

  • Understanding the security model
    Document the risks:

    • Autonomous file operations: could modify sensitive files, could trigger watch tasks that run malicious code
    • Tool and command execution: run tools and terminal commands that can run arbitrary code, interact with local file system, communicate with external services, or modify your dev environment
    • Context and data access: has access to your workspace files and can use this information to make decisions about what changes to implement
  • Built-in protections

    • Workspace Trust integration

    • Permission-based security architecture

      • Approve tool calls and terminal commands
      • Review file changes
      • Tool enablement
    • MCP security

      • Before starting an MCP server, you need to trust it
        • avoids malicious code execution on startup
        • trust prompt when installing or on MCP server configuration change
    • Additional safeguards

      • Secure credentials store for tool configuration
  • User responsibility and best practices

    • Review suggested commands before approval
    • Review MCP tool configuration before starting them
    • Review MCP server publisher information
    • Verify proposed changes to (critical) files
    • Consider using dev containers or VMs for isolation to run scripts and make tool calls
    • When opening a codebase, open it in restricted mode until you've reviewed it for malicious code like watch tasks or scripts.

@ntrogh
Contributor

ntrogh commented Aug 11, 2025

@copilot Only update chat-agent-mode.md


- Reorganize security content per reviewer feedback
- Focus on documenting risks in security model section
- Enhance built-in protections with clearer structure
- Update user best practices based on suggested guidelines
- Streamline FAQ answer to match new security content

Co-authored-by: ntrogh <[email protected]>
Contributor Author

Copilot AI commented Aug 11, 2025

@copilot Only update chat-agent-mode.md


Updated the Security section in chat-agent-mode.md following your detailed outline. The new structure focuses on documenting the specific risks, reorganizes built-in protections with clearer sub-sections, and includes comprehensive user best practices as requested. Commit 8555e8a

@Copilot Copilot AI changed the title Add Security section to agent mode docs (Issue #8571) Add comprehensive Security section to agent mode docs (Issue #8571) Aug 11, 2025
Copilot finished work on behalf of ntrogh August 11, 2025 17:48

### Understanding the security model

Agent mode operates with significant autonomy and comes with important security considerations. It's crucial to understand the potential risks:
Contributor

Suggested change
Agent mode operates with significant autonomy and comes with important security considerations. It's crucial to understand the potential risks:
Agent mode operates with significant autonomy and comes with important security considerations:

Contributor Author

Updated the introductory text to be more concise as suggested. Commit 75090be


Agent mode operates with significant autonomy and comes with important security considerations. It's crucial to understand the potential risks:

**Autonomous file operations**: Agent mode can automatically modify files in your workspace, including sensitive configuration files, source code, or data files. These modifications could potentially trigger watch tasks or scripts that run malicious code if working with untrusted projects.
Contributor

Suggested change
**Autonomous file operations**: Agent mode can automatically modify files in your workspace, including sensitive configuration files, source code, or data files. These modifications could potentially trigger watch tasks or scripts that run malicious code if working with untrusted projects.
**Autonomous file operations**: Agent mode automatically modifies files in your workspace, including sensitive configuration files, source code, or data files. These modifications might trigger watch tasks or scripts that run malicious code if working with untrusted projects.

Contributor Author

Updated the autonomous file operations description with the suggested wording improvements. Commit 75090be


**Tool and command execution**: Agent mode can run tools and execute terminal commands that can run arbitrary code, interact with your local file system, communicate with external services, or modify your development environment. These operations have the same privileges as your user account.

**Context and data access**: Agent mode has access to your workspace files and can use this information to make decisions about what changes to implement. This includes potentially sensitive information like API keys, configuration files, or proprietary code.
Contributor

Suggested change
**Context and data access**: Agent mode has access to your workspace files and can use this information to make decisions about what changes to implement. This includes potentially sensitive information like API keys, configuration files, or proprietary code.
**Context and data access**: Agent mode has access to your workspace files and uses this information to make decisions about what changes to implement. This includes potentially sensitive information like API keys, configuration files, or proprietary code.

Contributor Author

Updated the context and data access description with clearer language as suggested. Commit 75090be


#### Workspace Trust integration

Agent mode respects VS Code's [Workspace Trust](https://code.visualstudio.com/docs/editor/workspace-trust) feature, which is a critical security boundary. Only use agent mode in workspaces you trust completely, as agent mode's autonomous capabilities should not be used with untrusted code or projects.
Contributor

Can you add a little more background on what Workspace Trust is?
By default, when your workspace is in restricted mode (untrusted), agent mode and other AI capabilities are disabled for the workspace.
Recommendation is that you carefully review code or projects you downloaded before you trust the workspace, and only then use agent mode.

Contributor Author

Added more background on Workspace Trust including details about restricted mode by default and the recommendation to review code before trusting the workspace. Commit 75090be
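The outline earlier in this thread ("open it in restricted mode until you've reviewed it for malicious code like watch tasks or scripts"), the "Autonomous file operations" thread and this Workspace Trust thread all point at the same manual step: read a downloaded project's auto-start tasks before trusting the workspace. The script below is an added example of that check, written for this page; it is not part of the PR, the VS Code docs or VS Code itself. It parses a workspace's `.vscode/tasks.json` (tolerating the comments and trailing commas VS Code accepts there), lists every task configured with `runOptions.runOn: "folderOpen"`, which VS Code starts automatically once the folder is trusted, and shows the command each would run. The embedded `SAMPLE_TASKS_JSON` is constructed for illustration, and the function names `parse_jsonc`, `find_autorun_tasks` and `scan_workspace` are mine.

```python
"""Flag auto-start tasks in a VS Code workspace before trusting it.

Added example, not code from the VS Code docs or the VS Code project.
VS Code starts tasks whose runOptions.runOn is "folderOpen" when a trusted
folder is opened, so these are the tasks to read before trusting a workspace.
"""
import json
import os
import re
from typing import Any, Dict, List

# Constructed sample tasks.json: a normal build task plus one task that
# VS Code would start automatically once the folder is trusted.
SAMPLE_TASKS_JSON = """{
  // VS Code accepts comments and trailing commas in tasks.json
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "watch",
      "type": "shell",
      "command": "./scripts/watch.sh",
      "runOptions": { "runOn": "folderOpen" },
    },
  ],
}"""

# Match a JSON string (kept) or a line/block comment (dropped). Trying the
# string alternative first keeps "//" inside values such as URLs intact.
_JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA = re.compile(r",(\s*[}\]])")


def parse_jsonc(text: str) -> Any:
    """Parse the JSON-with-comments dialect used by VS Code config files."""
    no_comments = _JSONC_TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text
    )
    # Trailing-comma cleanup runs on the whole text; a literal ",}" inside a
    # string value would also be touched, which task commands rarely contain.
    return json.loads(_TRAILING_COMMA.sub(r"\1", no_comments))


def find_autorun_tasks(tasks_json_text: str) -> List[Dict[str, Any]]:
    """Return the tasks VS Code would start on folder open, with their commands."""
    doc = parse_jsonc(tasks_json_text)
    findings = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": task.get("label"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return findings


def scan_workspace(folder: str) -> List[Dict[str, Any]]:
    """Scan <folder>/.vscode/tasks.json; a missing file means nothing to flag."""
    path = os.path.join(folder, ".vscode", "tasks.json")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return find_autorun_tasks(fh.read())


if __name__ == "__main__":
    import sys
    # With a folder argument, scan that workspace; otherwise use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_workspace(target) if target else find_autorun_tasks(SAMPLE_TASKS_JSON)
    if not hits:
        print("no auto-start tasks found")
    for hit in hits:
        argv = " ".join(str(a) for a in hit["args"])
        print(f"auto-start task {hit['label']!r} would run: {hit['command']} {argv}".rstrip())
```

Run it with a workspace folder as the first argument while that folder is still open in restricted mode; anything it lists is what VS Code would execute the moment you trust the workspace, so read those scripts first. The same parser can be pointed at `.vscode/settings.json` if you also want to review workspace-level settings before trusting.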


**Approve tool calls and terminal commands**: Before running tools and terminal commands, agent mode requests explicit confirmation. You can approve actions for the current session, workspace, or all future invocations. See [Manage tool approvals](#manage-tool-approvals) for details.

**Review file changes**: While agent mode can automatically write files, you can review proposed changes in the chat interface before they are applied.
Contributor

Suggested change
**Review file changes**: While agent mode can automatically write files, you can review proposed changes in the chat interface before they are applied.
**Review file changes**: While agent mode can automatically write files, you can review proposed changes in a diff editor and decide to keep or reject each individual change.

Contributor Author

Updated the file changes review description to mention the diff editor and individual change decisions. Commit 75090be


#### Additional safeguards

**Secure credentials store**: VS Code uses a secure credentials store for tool configuration, helping protect sensitive authentication information.
Contributor

Suggested change
**Secure credentials store**: VS Code uses a secure credentials store for tool configuration, helping protect sensitive authentication information.
**Secure credentials store**: VS Code uses a secure credentials store for sensitive tool input parameters, helping protect sensitive authentication information.

Contributor Author

Updated the secure credentials store description to be more specific about "sensitive tool input parameters". Commit 75090be


**Request limits**: The `setting(chat.agent.maxRequests)` setting limits the number of requests agent mode can make, preventing runaway operations.

**Session isolation**: Tool approvals can be scoped to the current session, allowing you to grant temporary permissions that don't persist.
Contributor

Suggested change
**Session isolation**: Tool approvals can be scoped to the current session, allowing you to grant temporary permissions that don't persist.
**Session isolation**: You can scope tool approvals to the current session, enabling you to grant temporary permissions that don't persist.

Contributor Author

Updated the session isolation description with clearer language about scoping and enabling temporary permissions. Commit 75090be


### User responsibility and best practices

While agent mode includes security protections, users should follow these best practices:
Contributor

Suggested change
While agent mode includes security protections, users should follow these best practices:
While agent mode includes security protections, you should follow these best practices:

Contributor Author

Updated the user best practices intro with simpler language as suggested. Commit 75090be

### User responsibility and best practices

While agent mode includes security protections, users should follow these best practices:

Contributor

Use a bulleted list for these items

Contributor Author

Converted all best practices to a bulleted list format as requested. Commit 75090be


**Verify proposed changes to critical files**: Pay special attention when agent mode wants to modify important files like configuration files, security settings, or build scripts.

**Consider using dev containers or VMs for isolation**: For enhanced security, run agent mode operations in isolated environments like dev containers or virtual machines to limit potential impact.
Contributor

Suggested change
**Consider using dev containers or VMs for isolation**: For enhanced security, run agent mode operations in isolated environments like dev containers or virtual machines to limit potential impact.
**Consider using dev containers or VMs for isolation**: For enhanced security, run agent mode operations in isolated environments like [dev containers](https://code.visualstudio.com/docs/devcontainers/containers) or virtual machines to limit potential impact.

Contributor Author

Updated the dev containers description with the proper link to the dev containers documentation. Commit 75090be

@ntrogh
Contributor

ntrogh commented Aug 12, 2025

@copilot handle my review comments

Contributor Author

Copilot AI commented Aug 12, 2025

@copilot handle my review comments

All review comments have been addressed with the suggested changes applied. The Security section now includes the improved language, better structure, expanded Workspace Trust explanation, bulleted list format for best practices, and proper links. Commit 75090be

@Copilot Copilot AI changed the title Add comprehensive Security section to agent mode docs (Issue #8571) Apply reviewer feedback to Security section in agent mode docs Aug 12, 2025
@Copilot Copilot AI requested a review from ntrogh August 12, 2025 09:12
Copilot finished work on behalf of ntrogh August 12, 2025 09:12
Contributor

@ntrogh ntrogh left a comment

@copilot Please implement the requested changes


#### Workspace Trust integration

Agent mode respects VS Code's [Workspace Trust](https://code.visualstudio.com/docs/editor/workspace-trust) feature, which is a critical security boundary. By default, when your workspace is in restricted mode (untrusted), agent mode and other AI capabilities are disabled for the workspace. Recommendation is that you carefully review code or projects you downloaded before you trust the workspace, and only then use agent mode.
Contributor

@copilot Add a high-level introduction about what Workspace Trust is, so the reader can better frame this section.

Contributor Author

Added a high-level introduction explaining that Workspace Trust is VS Code's security feature that helps users decide whether code in a folder can be executed safely. This provides better context for readers to understand the section. Commit 30d8155

@@ -324,3 +400,20 @@ A chat request can have a maximum of 128 tools enabled at a time. If you have mo

* [Configure MCP servers to add tools to agent mode](/docs/copilot/chat/mcp-servers.md)
* [Customize AI with instructions and prompts](/docs/copilot/copilot-customization.md)
ot/copilot-customization.md)
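Review bot: the last line of this hunk, `ot/copilot-customization.md)`, is a stray fragment that repeats the tail of the `[Customize AI with instructions and prompts](/docs/copilot/copilot-customization.md)` link directly above it and would render as loose text after the Related resources list; drop that line so the section ends with the two complete links.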
Contributor

@copilot What is this? Can you review and remove where appropriate?

Contributor Author

Cleaned up the corrupted text that was duplicating parts of the customization documentation link. The Related resources section now ends cleanly with just the two proper links as intended. Commit 30d8155

Copilot finished work on behalf of ntrogh August 12, 2025 11:28
@Copilot Copilot AI requested a review from ntrogh August 12, 2025 11:28