Stacked on top of #57429.
Adds a new `sandboxing` feature flag (off for staff by default) and a
single source-of-truth helper `sandboxing_enabled(cx) = cfg!(target_os =
"macos") && cx.has_flag::<SandboxingFeatureFlag>()`. When the helper
returns true, the agent's system prompt gains a new `## Terminal
sandbox` section that:
- Lists each worktree's absolute path as a writable directory.
- Describes the per-command `$TMPDIR` scratch directory.
- States that outbound network access is blocked.
- Documents the three per-command flags (`allow_network`,
`allow_fs_write`, `unsandboxed`) the model can request to relax the
sandbox.
- Tells the model the section is stable for the duration of the
conversation.
When the flag is off, the section is omitted entirely — no mention of
sandboxing at all.
No behavior change to terminal execution yet; that's the next PR in the
stack.
Three new tests cover: section omitted when `sandboxing: false`, section
rendered with all worktrees + flag docs when `sandboxing: true`, and the
zero-worktrees case.
Release Notes:
- N/A
---------
Co-authored-by: MartinYe1234 <52641447+MartinYe1234@users.noreply.github.com>
Co-authored-by: Martin Ye <martin@zed.dev>
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- N/A
Watches a user-global `AGENTS.md` file alongside `settings.json` (at
`~/.config/zed/AGENTS.md` on macOS/Linux, `%APPDATA%\Zed\AGENTS.md` on
Windows) and includes its trimmed contents in the native agent's system
prompt.
This matches the pattern used by Codex (`CODEX_HOME/AGENTS.md`,
defaulting to `~/.codex/AGENTS.md`) and OpenCode
(`~/.config/opencode/AGENTS.md`): personal instructions live next to
other app config and apply across every project the user opens.
## Behavior
- Native Zed agent only. Not passed to ACP / external agents.
- Reads the local config dir, so SSH-remoted projects still get the
local user's personal `AGENTS.md` (project rules continue to come from
the remote workspace).
- Missing, empty, or whitespace-only files are silently treated as no
`AGENTS.md`.
- Read errors surface through the same notification UI as settings
errors, with a stable notification ID that's dismissed once the file
becomes readable again.
- The file is read in full, matching how existing project rules / repo
`AGENTS.md` files are loaded today.
## System prompt rendering
In the system prompt, the user-global `AGENTS.md` appears as `###
Personal AGENTS.md` immediately before `### Project Rules`, so the model
sees personal defaults first and project guidance later (project rules
take precedence on conflicts).
## Tests
- `user_agents_md` watcher: initial load, empty/whitespace ignored,
reacts to file edits.
- `SystemPromptTemplate`: renders personal `AGENTS.md` before project
rules; omits the section when no user `AGENTS.md` is present.
Closes AI-231
Release Notes:
- Added support for a global `AGENTS.md` file alongside `settings.json`
that is automatically included in the agent's instructions for every
project.
Treat `.agents/skills/` (project-local) and `~/.agents/skills/` (global)
as **sensitive paths**, on par with `.zed/` and the global config
directory. The agent's built-in editing tools (`edit_file`,
`write_file`, `create_directory`, `delete_path`, `move_path`,
`copy_path`) now require explicit user authorization before modifying
anything inside those paths, because the contents of skill files control
agent behavior.
This protection is worth landing on its own, ahead of Zed adding its own
skills support: other agents (e.g. Claude Code) already write skill
files into these locations, so a Zed installation may already have
skills on disk that should not be silently editable by the agent.
Also tightens the **pre-existing `.zed/` check** to compare path
components case-insensitively. macOS and Windows use case-insensitive
filesystems by default, so without this fix a malicious settings author
could bypass the local-settings classifier with `.ZED/settings.json`
(the canonicalized inode would match, but the path-component comparison
would miss it). The new `.agents/skills/` check has the same hazard and
now shares a single `component_matches_ignore_ascii_case` helper with
the `.zed/` check.
Introduces the `agent_skills` crate, scoped for now to just the path
constants and helpers (`global_skills_dir`,
`project_skills_relative_path`, `SKILL_FILE_NAME`) so the
tool-permission machinery can recognize the agent skills tree without
depending on a skill discovery / parsing / loading layer. Those will
land in follow-up PRs.
Closes AI-217
Release Notes:
- Agent: Require user confirmation before letting tools modify files
inside `.agents/skills/` (per-project) or `~/.agents/skills/` (global),
so skills installed by any agent are protected from unsolicited edits
---------
Co-authored-by: MartinYe1234 <52641447+MartinYe1234@users.noreply.github.com>
Co-authored-by: Martin Ye <martinye022@gmail.com>
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- N/A
## Context
Adds a tool to utilize the UI we already expose to ACP agents. Behind a
feature flag for now.
## How to Review
Mostly a tool to hook up to all of the plan plumbing we already have in
acp thread.
## Self-Review Checklist
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Release Notes:
- N/A
Adds an optional `timeout_ms` parameter to the terminal tool that allows
bounding the runtime of shell commands. When the timeout expires, the
running terminal task is killed and the tool returns with the partial
output captured so far.
## Summary
This PR adds the ability for the agent to specify a maximum runtime when
invoking the terminal tool. This helps prevent indefinite hangs when
running commands that might wait for network, user prompts, or long
builds/tests.
## Changes
- Add `timeout_ms` field to `TerminalToolInput` schema
- Extend `TerminalHandle` trait with `kill()` method
- Implement `kill()` for `AcpTerminalHandle` and `EvalTerminalHandle`
- Race terminal exit against timeout, killing on expiry
- Update system prompt to recommend using timeouts for long-running
commands
- Add test for timeout behavior
- Update `.rules` to document GPUI executor timers for tests
## Testing
- Added `test_terminal_tool_timeout_kills_handle` which verifies that
when a timeout is specified and expires, the terminal handle is killed
and the tool returns with partial output.
- All existing agent tests pass.
Release Notes:
- agent: Added optional `timeout_ms` parameter to the terminal tool,
allowing the agent to bound command runtime and prevent indefinite hangs
Closes#41478
Release Notes:
- Fixed#41478
<img width="459" height="916" alt="Screenshot 2025-10-29 at 1 31 26 PM"
src="https://github.com/user-attachments/assets/1d5b9fdf-9800-44e4-bdd5-f0964f93625f"
/>
> caused by using haiku 4.5 from the anthropic provider and then
swapping to sonnet 3.7 through zed, doing this does mess with prompt
caching but a model swap already invalidates that so it shouldn't have
any cost impact on end users
