# Workspace Trust in OpenVSCode Server

### Overview

OpenVSCode Server, like Visual Studio Code, provides a secure editing environment by introducing the concept of **Workspace Trust**. This mechanism protects developers from unintentionally executing unsafe code when opening a folder that contains files authored by unknown or untrusted sources.

When you open a folder, OpenVSCode Server prompts you to indicate whether you trust the authors of the files in that folder. Your choice determines whether the workspace runs in **Trusted Mode** (all features enabled) or **Restricted Mode** (limited, safe execution).

***

### Why Workspace Trust Matters

Modern code editors provide advanced features that may automatically execute or interpret files in your workspace. Examples include:

* **Tasks and Build Scripts** – e.g., `tasks.json` running shell commands.
* **Debug Configurations** – e.g., `launch.json` triggering executables.
* **Extensions** – some extensions can execute workspace-specific code.
* **Settings and Code Snippets** – workspace-level configuration can alter execution environments.

If these features run on untrusted code, they could compromise the host system, leak credentials, or introduce malicious behavior. Workspace Trust keeps them disabled until you explicitly trust the folder.

***

### Trust States

There are two main trust states:

#### 1. Trusted Mode

* All editor features are enabled.
* Workspace-specific settings, extensions, tasks, and debugging configurations are active.
* Intended for codebases you authored, or repositories you trust.

#### 2. Restricted Mode

* Editor enters a **locked-down state**.
* The following are **disabled or limited**:
  * Execution of workspace tasks and launch configurations.
  * Automatic activation of workspace-reliant extensions.
  * Certain APIs that extensions may call.
  * Access to workspace-level settings that could affect security.
* Safe for exploring third-party or unknown codebases.

You can always upgrade a workspace from **Restricted** to **Trusted** after verifying the files.

***

### Trust Prompt Explained

When you open a new folder, OpenVSCode Server displays a trust dialog with options:

* **Yes, I trust the authors**\
  Enables trusted mode for the current folder.
* **No, I don’t trust the authors**\
  Opens the workspace in restricted mode.
* **Trust the authors of all files in the parent folder**\
  Extends trust to the parent directory (and all subdirectories). Useful for project structures under a common root like `~/Projects/`.

#### Example:

If you open:

```
~/RakeshTigadi/cold-call-sentiment-analysis
```

and select **Trust the authors of all files in the parent folder**, then the entire `~/RakeshTigadi/` tree is trusted, including every other folder under it.

***

### Security Model and Enforcement

The trust system in OpenVSCode Server is built on three principles:

1. **Least Privilege by Default**\
   Unknown code is opened in restricted mode unless explicitly trusted.
2. **Granular Control**\
   Trust can be applied at the folder or parent-folder level.
3. **Transparency**\
   The editor clearly indicates when restricted mode is active and lists which features are unavailable.

Restricted mode enforcement includes:

* Blocking execution of code in `tasks.json` and `launch.json`.
* Preventing execution of workspace `npm`/`yarn`/`pip` scripts via VS Code tasks.
* Disabling extension APIs that rely on workspace execution.
* Not loading workspace settings that could alter environment behavior.

***

### Managing Trust Settings

You can manage trust at any time:

* **Status Bar Indicator**\
  Restricted Mode is shown in the status bar. Click to manage trust.
* **Command Palette** (`Ctrl+Shift+P` / `Cmd+Shift+P`)\
  Run: `Workspaces: Manage Workspace Trust`.
* **Settings File**\
  Trust decisions are stored in user configuration and can be reset if needed.

***

### Best Practices

* **Trust only code you control**: Personal or organizational repositories.
* **Review before trusting**: For open-source code, inspect scripts and configs.
* **Default to Restricted**: When uncertain, start in restricted mode.
* **Use Parent Folder Trust**: For monorepos or structured org folders.
* **Audit Extensions**: Only enable extensions you trust, as they can execute code.
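
A pre-trust review helper for the "Review before trusting" practice, added here as an example (it is not part of OpenVSCode Server or VS Code): it lists the tasks, launch configurations, executable-related workspace settings and `package.json` scripts that become usable once a folder is trusted, and reports config files it cannot parse instead of skipping them. The function names, the settings-key heuristic and the sample folder are assumptions constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path
# Strings are matched first so "//" or "," inside a string value is preserved.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def load_jsonc(path):
    """Parse JSON with comments and trailing commas, as VS Code accepts."""
    keep_strings = lambda m: m.group(0) if m.group(0)[0] == '"' else ""
    return json.loads(_JSONC.sub(keep_strings, Path(path).read_text(encoding="utf-8")))

def audit(folder):
    """List (file, detail) items worth reading before trusting `folder`."""
    root, findings = Path(folder), []
    def load(rel):
        if not (root / rel).is_file():
            return {}
        try:
            data = load_jsonc(root / rel)
        except (OSError, ValueError):  # present but unreadable: never skip silently
            findings.append((rel, "could not parse, review by hand"))
            return {}
        return data if isinstance(data, dict) else {}
    for t in load(".vscode/tasks.json").get("tasks", []):
        auto = t.get("runOptions", {}).get("runOn") == "folderOpen"
        kind = "auto-run on folder open" if auto else "task"
        findings.append((".vscode/tasks.json", f"{kind}: {t.get('command')}"))
    for c in load(".vscode/launch.json").get("configurations", []):
        findings.append((".vscode/launch.json", f"launch: {c.get('program')}"))
    for key, value in load(".vscode/settings.json").items():
        # Heuristic (assumption): keys that name a binary, shell or environment.
        if re.search(r"path|exec|shell|env", key, re.I):
            findings.append((".vscode/settings.json", f"setting {key} = {value}"))
    for name, cmd in load("package.json").get("scripts", {}).items():
        findings.append(("package.json", f"script {name}: {cmd}"))
    return findings

def sample_workspace():
    """Constructed sample folder (not from the page) to exercise audit()."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode/tasks.json").write_text(
        '{ // constructed\n"tasks": [{"command": "./setup.sh", "runOptions": {"runOn": "folderOpen"}},]}')
    (root / ".vscode/settings.json").write_text('{"git.path": "./tools/git", "editor.tabSize": 2}')
    (root / ".vscode/launch.json").write_text("{ not json")
    (root / "package.json").write_text('{"scripts": {"postinstall": "node build.js"}}')
    return root

if __name__ == "__main__":
    print(*audit(sample_workspace()), sep="\n")
```

Run it against a folder while the workspace is still in Restricted Mode; an empty result means none of these four files define anything to review, not that the rest of the code is safe.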

***

### Example Scenarios

1. **Personal Project**\
   You open your own repository → Safe to trust authors.
2. **Organizational Repo**\
   You open a company-managed Git repo → Trust if policies validate it.
3. **Open-Source Contribution**\
   You open a random GitHub project → Start in restricted mode, review code, then trust if needed.
4. **Shared Workspace**\
   You open a folder downloaded via email/zip → Use restricted mode until you verify contents.

***

### References

* [Visual Studio Code: Workspace Trust](https://code.visualstudio.com/docs/editing/workspaces/workspace-trust)
* [OpenVSCode Server Documentation](https://github.com/gitpod-io/openvscode-server)

***

### FAQ

**Q. Can I still edit files in Restricted Mode?**\
Yes. You can view, edit, and save files normally. Only execution-related features are disabled.

**Q. Will extensions work in Restricted Mode?**\
Only extensions that don’t require workspace execution will run. Others will remain disabled until trust is granted.

**Q. Can I change my decision later?**\
Yes, you can always manage trust from the status bar or Command Palette.

**Q. Is trusting a folder permanent?**\
Trust is remembered until you explicitly revoke it or reset trust settings.

