## Summary
While profiling agent sessions that make a lot of `edit_file`
operations, I noticed the LSP `textDocument/didChange` handler firing
excessively. Looking into this, I found out that the streaming edit
pipeline was applying each `CharOperation` from `StreamingDiff` as its
own `buffer.edit` transaction, and every transaction emits a
`BufferEvent::Edited` event. Each event can trigger several other
expensive events depending on whether the buffer is being rendered in an
editor or is registered with a language.
For example, there are `didChange` LSP events, the editor's on edit work
(matching brackets, bracket colorization, code actions, outline), and
more. A single `edit_file` could trigger hundreds of these at the higher
end in a single synchronous app update, which would block the foreground
thread for a bit and cause Zed to drop frames.
I fixed this by collecting all of a chunk's `CharOperation`s and
applying them in one `buffer.edit` call, so only a single
`BufferEvent::Edited` event gets emitted. This is safe because
operations are non overlapping by design of streaming diff (the edit
cursor only advances).
## Why this wasn't caught earlier
The cost only fully appears when a buffer is both registered with a
language server and rendered in an editor. Without that, most of the per
transaction observers never run, so the existing `edit_file_tool`
benchmark (which ran the tool against a bare buffer) didn't surface it.
I reworked the benchmark to open the edited buffer in an editor view,
register a fake language server with per edit diagnostics, and lay out a
frame, so it exercises the same cascade as the real editor. I also added
a larger fixture.
## Results
Measured with the `release-fast` profile on the reworked benchmark:
| Fixture | Initial file | Before | After | Improvement |
| --- | --- | --- | --- | --- |
| `tiny_function_rewrite` | 1.4 KB | 31.1 ms | 12.1 ms | −61% |
| `small_function_rewrite` | 3.0 KB | 42.4 ms | 19.3 ms | −55% |
| `medium_many_small_changes` | 4.6 KB | 309.2 ms | 151.5 ms | −51% |
| `medium_insertions` | 4.6 KB | 171.8 ms | 126.1 ms | −27% |
| `large_multi_edit` | 44 KB | 9,549 ms | 919 ms | −90% |
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the UI/UX checklist
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- Improved agent's edit file tool performance
## Summary
This started from #57636, after we saw ChatGPT subscription/Codex
requests stall over the past week. OpenCode v1.15.11 shipped related
resilience fixes for the same class of Codex subscription endpoint
issues, so this ports the relevant pieces into Zed's native ChatGPT
subscription provider.
When Zed asks ChatGPT/Codex for a response, sometimes the server
connection can get stuck before it even sends the first response
headers. Before this PR, Zed could wait indefinitely, which looks like
OpenCode/Zed “stalling.”
This PR makes Zed:
- Wait up to 10 seconds for the server to start responding.
- If nothing comes back in that window, treat it as a temporary
network/API failure.
- Let the existing retry logic try again instead of leaving the user
stuck.
- Send a stable session-id header so OpenAI’s Codex backend can
associate requests with the same Zed agent thread.
- Add tests to make sure:
- stuck-before-response requests time out,
- normal slow streaming responses are not cut off,
- ChatGPT subscription requests send the right session header,
- the agent retries this kind of failure.
intended user-facing result is: fewer “the assistant is just sitting
there forever” failures when using ChatGPT subscription models.
## Verification
- cargo test -p open_ai responses
- cargo test -p language_models openai_subscribed
- cargo test -p agent test_send_retry_on_http_send_error
- cargo check -p open_ai
- cargo check -p language_models
- cargo check -p agent
Release Notes:
- Fixed ChatGPT subscription requests stalling indefinitely before
response headers arrive.
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Closes #ISSUE
Release Notes:
- N/A or Added/Fixed/Improved ...
---------
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
Stacked on top of #57430.
When the `sandboxing` feature flag is on (macOS only), agent-run
terminal commands are launched under `/usr/bin/sandbox-exec` with a
per-command Seatbelt policy:
- **Reads:** any path on the filesystem.
- **Writes:** each project worktree plus a per-command `$TMPDIR`.
- **Network:** blocked.
The model can request relaxations on individual calls via three new
input flags on the `terminal` tool:
- `allow_network: true`
- `allow_fs_write: true`
- `unsandboxed: true`
Each one triggers a separate always-prompt user approval (bypassing any
`always_allow` rules, since escalation is a stronger trust boundary than
the baseline command approval). The flags are silently ignored when
sandboxing is off, so the model can't surreptitiously change runtime
behavior by setting them in the no-op case.
The per-command tempdir is provisioned regardless of sandbox state so
the model can't infer whether the sandbox is in effect by looking at
`$TMPDIR`.
The Seatbelt config file's lifetime is tied to the `Terminal` entity via
an opaque RAII handle (`SandboxConfigHandle = Box<dyn Any + Send>`), so
cancellation paths drop it automatically.
### Notes for review
- The writable scope passed to the sandbox is the project's worktree
paths plus the per-command tempdir, **not** the resolved `cd` working
directory — `cd` is model-controlled, and using it as the writable scope
would let the model widen its own write permissions outside the project.
- The new tool flags are always present in the JSON schema (with
`#[serde(default)]`), even when the sandbox prompt section isn't
rendered. The system prompt only documents them when the section is
present, so the model shouldn't try to use them when it's not — but the
schema doesn't actively reject them, just ignores them.
- I opted not to add an end-to-end test for the escalation prompt path:
the existing `FakeThreadEnvironment` ignores the new params and toggling
the feature flag in tests is more wiring than felt worth it for a first
cut. The pure-function pieces (`sandbox_approval_title`, schema,
deserialization) are covered, and the sandbox crate itself has
end-to-end tests that actually invoke `sandbox-exec`.
Release Notes:
- N/A
---------
Co-authored-by: MartinYe1234 <52641447+MartinYe1234@users.noreply.github.com>
Stacked on top of #57429.
Adds a new `sandboxing` feature flag (off for staff by default) and a
single source-of-truth helper `sandboxing_enabled(cx) = cfg!(target_os =
"macos") && cx.has_flag::<SandboxingFeatureFlag>()`. When the helper
returns true, the agent's system prompt gains a new `## Terminal
sandbox` section that:
- Lists each worktree's absolute path as a writable directory.
- Describes the per-command `$TMPDIR` scratch directory.
- States that outbound network access is blocked.
- Documents the three per-command flags (`allow_network`,
`allow_fs_write`, `unsandboxed`) the model can request to relax the
sandbox.
- Tells the model the section is stable for the duration of the
conversation.
When the flag is off, the section is omitted entirely — no mention of
sandboxing at all.
No behavior change to terminal execution yet; that's the next PR in the
stack.
Three new tests cover: section omitted when `sandboxing: false`, section
rendered with all worktrees + flag docs when `sandboxing: true`, and the
zero-worktrees case.
Release Notes:
- N/A
---------
Co-authored-by: MartinYe1234 <52641447+MartinYe1234@users.noreply.github.com>
Co-authored-by: Martin Ye <martin@zed.dev>
Follow-up to #57772.
While comparing the `edit_file_tool_streaming/medium_insertions`
benchmark in Criterion and xctrace, I noticed the DP scoring loop was
spending most of its time on inlined `Matrix::get`/`Matrix::set` access
in `StreamingDiff::push_new`.
This changes the loop to split the previous and current score columns
once per DP column and then index those column slices directly. This
keeps the scoring algorithm the same, but hoists the column offset
calculation out of the inner loop and gives the compiler clearer
aliasing information between the immutable previous column and mutable
current column.
In xctrace, the hottest DP scoring line dropped from 10,407 samples
before to 9,409 samples after on
`edit_file_tool_streaming/medium_insertions`, and total
`StreamingDiff::push_new` leaf samples dropped from 10,800 to 9,822.
This is consistently faster in the end-to-end `edit_file_tool`
benchmark, and gives a small speed-up for the targeted workload without
changing the scoring algorithm.
### Results
Benchmarked with `release-fast` against a clean baseline using
Criterion’s `before_slice` baseline.
#### `streaming_diff_push_new`
| Fixture | Before median | After median | Change |
| --- | ---: | ---: | ---: |
| `tiny_function_rewrite` | `7.6317 ms` | `6.4951 ms` | 10.8% faster |
| `small_function_rewrite` | `45.961 ms` | `44.839 ms` | No significant
change |
| `medium_many_small_changes` | `99.694 ms` | `104.83 ms` | 5.2% slower
|
| `medium_insertions` | `95.909 ms` | `83.093 ms` | 13.5% faster |
#### `edit_file_tool_streaming`
| Fixture | Before median | After median | Change |
| --- | ---: | ---: | ---: |
| `tiny_function_rewrite` | `1.1110 ms` | `1.0617 ms` | 7.1% faster |
| `small_function_rewrite` | `2.4554 ms` | `2.2751 ms` | 7.1% faster |
| `medium_many_small_changes` | `87.272 ms` | `77.065 ms` | 11.5% faster
|
| `medium_insertions` | `92.469 ms` | `87.478 ms` | 5.9% faster |
The lower-level `streaming_diff_push_new` benchmark is mixed, but the
end-to-end `edit_file_tool_streaming` workload improves across all
fixtures.
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- N/A or Added/Fixed/Improved ...
Release Notes:
- agent: Fixed an issue where commit message generation would not
respect instructions from global `AGENTS.md`
---------
Co-authored-by: Richard Feldman <oss@rtfeldman.com>
Extends the same `~/.agents/skills` special case that
`create_directory`, `edit_file`, and `write_file` already use to the
path tools, so the agent can copy or move skills into and out of the
global skills folder and delete individual skills or skill resources
beneath it.
- `copy_path` now allows source and/or destination to be a descendant of
`~/.agents/skills`, going through `fs::copy_recursive` directly when one
side is outside the project.
- `move_path` now allows source and/or destination to be a descendant of
`~/.agents/skills`, going through `fs.rename` directly when one side is
outside the project. Moving the `~/.agents/skills` root itself is
rejected.
- `delete_path` now allows deleting any file or directory beneath
`~/.agents/skills`, going through `fs.remove_dir` / `fs.remove_file`
directly. Deleting the `~/.agents/skills` root itself is rejected.
- All three tools still always prompt for approval on agent-skill paths,
even when default tool permissions are set to allow.
- Added shared helpers in `tool_permissions.rs` for resolving global
skill descendants and rejecting operations on the skills root where
needed.
- Added tests covering copying and moving skills in both directions,
deleting a global skill directory/file, and rejecting deletion of the
skills root.
Release Notes:
- Agent can now copy or move skills into and out of `~/.agents/skills`
and delete individual skills, with an explicit confirmation prompt for
each operation
Summary
- Allow write_file and edit_file to create or modify files under
~/.agents/skills.
- Keep the global skills exception constrained to that directory and
preserve existing project-path behavior.
- Document global skill file editing support in the built-in
create-skill instructions.
Tests
- cargo fmt -p agent
- cargo test -p agent global_skill_file
- cargo test -p agent
test_create_directory_allows_global_skill_directory
Release Notes:
- Fixed agent file editing for global skills
---------
Co-authored-by: Richard Feldman <oss@rtfeldman.com>
Ensures that we show the error message of the `edit_file`/`write_file`
tools in the UI
Release Notes:
- agent: Fixed an issue where errors would not show up in the UI if an
edit tool call failed
For long threads we will spend more and more time cloning the messages
just to save them to the database, as we need a copy of everything to do
so asynchronously. Messages are really expensive to clone though and we
accumulate a lot of them really fast, so even for smaller threads we
start seeing pauses in the millisecond range. The fix to this is fairly
simple though, we never mutate the messages once pushed to the vec, so
just Arc them.
This PR also slightly changes `UserMessage` to be a bit faster to clone
as well.
Release Notes:
- Fixed a cause of stutters when interacting with the agent
Summary:
- Added a rename action for agent threads in the sidebar.
- Persisted renamed thread titles and kept open thread views in sync.
Release Notes:
- Improved agent threads by allowing them to be renamed directly from
the sidebar.
Format `read_file` tool output in `cat -n` style: each line is prefixed
with its line number right-aligned in a 6-character field, followed by a
single tab, followed by the line's original content (newlines preserved,
including CRLF). Numbering reflects the actual file lines, so a ranged
read starting at line 42 emits `42` for its first line, not `1`.
For large files, content returned by `get_buffer_content_or_outline` is
**not** prefixed:
- The symbol outline path already conveys structure via its `[L100-150]`
annotations.
- The truncated first-1KB fallback (used when a file exceeds
`AUTO_OUTLINE_SIZE` and has no parseable outline) is wrapped in a
synthetic `# First 1KB of …` header, so its lines don't correspond to
real file line numbers.
Both cases are reported via `BufferContent::is_synthetic` (renamed from
`is_outline`).
Also updates the `edit_file` tool's input doc to describe the prefix
format and tell the model to strip it before constructing `old_text` /
`new_text`, preserving the original indentation that appears after the
tab.
Updates how we render `read_file` tool call outputs in the UI
(screenshots included in comments below).
Also fixes an existing bug where `read_file` tool call outputs would not
re-render their content code block when an older thread was restored
(the tool's `replay` hook was missing).
Closes AI-226
Release Notes:
- Improved how `read_file` tool output renders in the agent panel, with
a line-number gutter, and fixed it not re-rendering on restored threads
---------
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
## Summary
- Hide deleted skills immediately in Settings while deletion completes
- Refresh the skill index after creating a skill so Settings updates
without reopening
Closes AI-299
Release Notes:
- Fixed skill management so newly created and deleted skills update in
Settings immediately.
When `read_file` returns a file outline instead of full contents, the
result is now wrapped in a plain fenced code block rather than tagging
it with the file's path.
Previously, the outline was wrapped in a fenced block tagged with the
file path (e.g. `` ```crates/agent/src/tools/read_file_tool.rs ``).
Because the tag contains a slash, the markdown parser routed it through
`CodeBlockKind::FencedSrc`, resolved the file's language by path, and
ran the language's tree-sitter parser against the outline on every
paint. The outline is structural (e.g. `fn foo [L10-20]`), not actual
source for the file's language, so the parse was both expensive and
produced incorrect highlighting.
Because GPUI rebuilds the visible element tree on every window paint,
anything that triggers a repaint (cursor blink in the focused message
editor, animations, the turn timer, etc.) would re-run the tree-sitter
parse on the entire outline, throttling the frame rate while the tool
call was expanded.
This change adds an `is_outline_response` flag in `ReadFileTool::run`
and, when set, passes an empty tag to `MarkdownCodeBlock` so the
renderer sees `CodeBlockKind::Fenced` (no language). Plain monospace
formatting is preserved; the path tag is still used for the non-outline
(full file) case.
Adds two regression tests: one asserting the outline path uses an
untagged fenced block, and one asserting the full-file path keeps the
path tag (so the next person fixing this doesn't accidentally strip the
tag everywhere).
Also includes a small markdown-rendering follow-up:
`MarkdownElementBuilder::push_text` was recomputing the base text style
(cloning `base_text_style` and walking the style stack) twice per
highlighted token. For a code block with hundreds of highlight tokens,
that's hundreds of redundant `TextStyle` clones per paint. The style
stack does not change while runs are being attributed, so the style is
now computed once outside the loop and reused.
Closes AI-234
Release Notes:
- Improved scrolling smoothness in the agent panel when a `read_file`
tool call with a large file outline is expanded.
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- N/A
Currently, the `diagnostics` tool queries the current state of the
workspace. However, if the LSP is slow to update diagnostics, this can
lead to stale diagnostics being given to the agent.
This PR changes the `diagnostics` tool to attempt to pull fresh
diagnostics. If it fails, it informs the agent and falls back to the old
behaviour (not all LSPs support pull-based diagnostics).
Release Notes:
- N/A or Added/Fixed/Improved ...
Removes the `skills` feature flag now that Skills are ready to ship to
all users. Cleans up all `cx.has_flag::<SkillsFeatureFlag>()` gates
across the agent, agent_ui, prompt_store, and title_bar crates, drops
the now-unused `feature_flags` dependency from `prompt_store` and
`title_bar`, and removes the dead `update_flags(true, vec!["skills"])`
calls from the agent's skills tests.
Closes AI-269
Release Notes:
- Enabled Skills for all users.
---------
Co-authored-by: MartinYe1234 <52641447+MartinYe1234@users.noreply.github.com>
Co-authored-by: Martin Ye <martinye022@gmail.com>
Closes AI-267
This PR adds a skills subpage in the settings UI, where we display
global skills in the user tab and project skills in the corresponding
project tab. The approach taken here was the simplest one out of the
possible avenues we could've taken to implement this (which would
possibly require bigger refactors), given this is potentially the very
first page in the settings UI where we're displaying stuff that does not
correspond to data available in the `settings.json`.
Important to note that a major limitation of the global approach is that
it's dependent on the native agent having loaded the skill index,
meaning there's an edge case where, if you open the settings UI _before_
having opened the agent panel, you won't immediately see the available
skills. Something to discuss but that it felt like a viable option for a
first ship.
Release Notes:
- Agent: Added a skills section to the settings UI.
In the interactive MCP OAuth flow, the MCP client registers itself with
the authorization in one of three ways:
- Client ID Metadata Document aka CIMD (recommended default). This is
already implemented: https://zed.dev/oauth/client-metadata.json.
- Dynamic Client Registration (DCR). This is the traditional method.
Also already implemented in Zed.
- Pre-registration: the client is registered out of band, typically in
the IdP or SaaS provider's UI. You get a client id and maybe a client
secret, that have to be provided by the MCP client when it wants to
exchange an access token. This is what this pull request is about.
This PR has two main parts:
- Allow users to configure a client id and optional client secret for an
MCP server in their configuration, under a new `oauth` key, and take it
into account
- Make the MCP server state and the configuration modal aware of the
intermediate states (client secret missing) and error cases stemming
from client pre-registration.
The client secret can be stored either in the system keychain or in
plain text in the MCP server configuration. The UI tries to steer user
towards the more secure option: the keychain.
<img width="715" height="201" alt="Screenshot 2026-04-10 at 16 48 06"
src="https://github.com/user-attachments/assets/5e64103e-6746-4ef0-8bd9-533d492b6912"
/>
<img width="884" height="544" alt="Screenshot 2026-04-10 at 16 47 07"
src="https://github.com/user-attachments/assets/0e35bb3c-cbc4-4e8c-a713-66323597b2e2"
/>
<img width="785" height="558" alt="Screenshot 2026-04-10 at 16 47 23"
src="https://github.com/user-attachments/assets/03339187-1508-461a-87ae-a7c2647df9a5"
/>
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Closes
https://github.com/issues/assigned?issue=zed-industries%7Czed%7C52198
**Note for the reviewer: I know how busy the AI team is at the moment so
please treat this as low priority, we don't have signal that this is a
highly desired feature. It's a rather large PR, so I'm happy to pair
review / walk through it.**
Release Notes:
- Added support for OAuth client pre-registration (client id, client
secret) to the built-in MCP client.
This PR fixes a panic that could occur in the `edit_file` tool where
streaming in text could split in the middle of a multibyte character.
Closes FR-3 and [ZED-7ZX](https://zed-dev.sentry.io/issues/7480598098).
Release Notes:
- Fixed a panic that could occur when streaming in text with the
`edit_file` tool.
Closes AI-266
This PR adds a built-in skill called `create-skill`, which allows the
Zed agent to have access to a skill that teaches it how to properly
create skills for Zed. You can manually invoke it as well as just
letting the model auto-invoke it in case your prompt suggests creating a
new skill.
Release Notes:
- Agent: Added a built-in skill called `create-skill` to make the Zed
agent informed about how to do that.
---------
Co-authored-by: Richard Feldman <richard@zed.dev>
Still behind a flag until RFD progresses. But also fixes one area where
we would have called delete even if we didn't have support.
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- N/A
Closes AI-230
This PR makes skills, added as /-mentions, be rendered in the agent
panel as creases, like anything you'd @-mention. Naturally, clicking on
the crease button opens the corresponding skill file in a buffer.
It turned out to be quite a bit of plumbing to make this work,
particularly as I am also introducing an interface to display dividers
and headers in the completion menu. This was relevant to me to add
because it sets a good foundation to convert many agent panel-related
actions as slash commands.
Release Notes:
- N/A
---------
Co-authored-by: MartinYe1234 <52641447+MartinYe1234@users.noreply.github.com>
Watches a user-global `AGENTS.md` file alongside `settings.json` (at
`~/.config/zed/AGENTS.md` on macOS/Linux, `%APPDATA%\Zed\AGENTS.md` on
Windows) and includes its trimmed contents in the native agent's system
prompt.
This matches the pattern used by Codex (`CODEX_HOME/AGENTS.md`,
defaulting to `~/.codex/AGENTS.md`) and OpenCode
(`~/.config/opencode/AGENTS.md`): personal instructions live next to
other app config and apply across every project the user opens.
## Behavior
- Native Zed agent only. Not passed to ACP / external agents.
- Reads the local config dir, so SSH-remoted projects still get the
local user's personal `AGENTS.md` (project rules continue to come from
the remote workspace).
- Missing, empty, or whitespace-only files are silently treated as no
`AGENTS.md`.
- Read errors surface through the same notification UI as settings
errors, with a stable notification ID that's dismissed once the file
becomes readable again.
- The file is read in full, matching how existing project rules / repo
`AGENTS.md` files are loaded today.
## System prompt rendering
In the system prompt, the user-global `AGENTS.md` appears as `###
Personal AGENTS.md` immediately before `### Project Rules`, so the model
sees personal defaults first and project guidance later (project rules
take precedence on conflicts).
## Tests
- `user_agents_md` watcher: initial load, empty/whitespace ignored,
reacts to file edits.
- `SystemPromptTemplate`: renders personal `AGENTS.md` before project
rules; omits the section when no user `AGENTS.md` is present.
Closes AI-231
Release Notes:
- Added support for a global `AGENTS.md` file alongside `settings.json`
that is automatically included in the agent's instructions for every
project.
The tool definition is very clearly contradicting the previous behavior.
Performance impact is unclear to me, we increase the work in a
potentially expensive loop, but it seems necessary to have both the
specified behavior from the tool definition, as well as the
heuristic/fallback for misbehaving models that seems to be intended.
Self-Review Checklist:
- [X] I've reviewed my own diff for quality, security, and reliability
- [X] Unsafe blocks (if any) have justifying comments
- [X] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [X] Tests cover the new/changed behavior
- [X] Performance impact has been considered and is acceptable
Closes#56225
Release Notes:
- Fixed tool paths preferring files in subdirectories named after the
project root
Treat `.agents/skills/` (project-local) and `~/.agents/skills/` (global)
as **sensitive paths**, on par with `.zed/` and the global config
directory. The agent's built-in editing tools (`edit_file`,
`write_file`, `create_directory`, `delete_path`, `move_path`,
`copy_path`) now require explicit user authorization before modifying
anything inside those paths, because the contents of skill files control
agent behavior.
This protection is worth landing on its own, ahead of Zed adding its own
skills support: other agents (e.g. Claude Code) already write skill
files into these locations, so a Zed installation may already have
skills on disk that should not be silently editable by the agent.
Also tightens the **pre-existing `.zed/` check** to compare path
components case-insensitively. macOS and Windows use case-insensitive
filesystems by default, so without this fix a malicious settings author
could bypass the local-settings classifier with `.ZED/settings.json`
(the canonicalized inode would match, but the path-component comparison
would miss it). The new `.agents/skills/` check has the same hazard and
now shares a single `component_matches_ignore_ascii_case` helper with
the `.zed/` check.
Introduces the `agent_skills` crate, scoped for now to just the path
constants and helpers (`global_skills_dir`,
`project_skills_relative_path`, `SKILL_FILE_NAME`) so the
tool-permission machinery can recognize the agent skills tree without
depending on a skill discovery / parsing / loading layer. Those will
land in follow-up PRs.
Closes AI-217
Release Notes:
- Agent: Require user confirmation before letting tools modify files
inside `.agents/skills/` (per-project) or `~/.agents/skills/` (global),
so skills installed by any agent are protected from unsolicited edits
---------
Co-authored-by: MartinYe1234 <52641447+MartinYe1234@users.noreply.github.com>
Co-authored-by: Martin Ye <martinye022@gmail.com>
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- N/A
At this point, this tool rarely gets called and the agent can likely
figure out how to call these itself.
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- Removed open tool from built-in Agent tools.
Streamline the instructions around communication, tool use, planning,
and project roots.
Remove the `now` tool and also clean up several tool descriptions.
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- N/A
---------
Co-authored-by: Bennet Bo Fenner <bennetbo@gmx.de>
Closes#52042
Release Notes:
- agent: Added setting `subagent_model` to specify which model is used
when subagent is spawned
---------
Co-authored-by: Ben Brandt <benjamin.j.brandt@gmail.com>
Before:
1. Agent tries to edit unsaved file
2. Tool call fails with error telling the agent to ask the user to save
or discard edits
3. User types save/restore
4. Agent uses save/restore tool
https://github.com/user-attachments/assets/c94dd361-e8e0-48ee-be31-da8afe594419
After:
1. Agent tries to edit unsaved file
2. User is prompted to save/restore file
3. User accepts/rejects or saves/discards file manually
https://github.com/user-attachments/assets/1d98a0c4-4420-4426-94f2-42355de230be
Release Notes:
- agent: Improved UX when agent tries to edit unsaved buffer
---------
Co-authored-by: Ben Brandt <benjamin.j.brandt@gmail.com>
This fixes a race condition where the thread would not get the LSP tools
at startup if the feature flag was not resolved yet.
We now always add the tools, but filter them out when we start a new
turn if the feature flag is not set.
Release Notes:
- N/A
Fixed an issue where the leak detector would sometimes cause panics when
running unit evals. Fixed this by matching the tear-down logic that we
use in the `gpui::test` macro
> thread 'tools::evals::edit_file::eval_from_pixels_constructor'
(14336149) panicked at crates/gpui/src/app/entity_map.rs:1116:9:
Exited with leaked handles:
Leaked handle for entity language::buffer::Buffer (EntityId(50v1)):
Release Notes:
- N/A
