microsoft
diff --git a/‎.github/skills/vscode-dev-workbench/SKILL.md‎
Lines changed: 16 additions & 4 deletions b/‎.github/skills/vscode-dev-workbench/SKILL.md‎
Lines changed: 16 additions & 4 deletions
diff --git a/‎build/.moduleignore‎
Lines changed: 8 additions & 0 deletions b/‎build/.moduleignore‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎build/azure-pipelines/darwin/app-entitlements.plist‎
Lines changed: 4 additions & 0 deletions b/‎build/azure-pipelines/darwin/app-entitlements.plist‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎build/azure-pipelines/darwin/steps/product-build-darwin-compile.yml‎
Lines changed: 10 additions & 0 deletions b/‎build/azure-pipelines/darwin/steps/product-build-darwin-compile.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎build/darwin/sign.ts‎
Lines changed: 95 additions & 7 deletions b/‎build/darwin/sign.ts‎
Lines changed: 95 additions & 7 deletions
diff --git a/‎cli/Cargo.lock‎
Lines changed: 4 additions & 4 deletions b/‎cli/Cargo.lock‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎extensions/copilot/package.json‎
Lines changed: 43 additions & 2 deletions b/‎extensions/copilot/package.json‎
Lines changed: 43 additions & 2 deletions
diff --git a/‎extensions/copilot/package.nls.json‎
Lines changed: 4 additions & 0 deletions b/‎extensions/copilot/package.nls.json‎
Lines changed: 4 additions & 0 deletions
@@ -21,12 +21,20 @@ If your paths differ, check `server/` in `vscode-dev` for the source root resolu
 
 ## Start the dev server
 
+**Critical:** Run `npm run dev` from the **`vscode-dev`** folder, NOT from `vscode`. The `vscode` repo has no `dev` script and will fail with `npm error Missing script: "dev"`. Terminal tools that simplify/strip leading `cd` into separate commands will silently keep the cwd of a previous terminal — always use an absolute `pushd` or verify with `pwd` before `npm run dev`.
+
 ```bash
-cd vscode-dev
-npm run dev   # runs watch + nodemon; serves https://127.0.0.1:3000
+cd /path/to/vscode-dev     # NOT /path/to/vscode
+npm run dev                # runs watch + nodemon; serves https://127.0.0.1:3000
 ```
 
-On first start you may see one crash like `Cannot find module './indexes'` — it's the watcher racing the first build. nodemon restarts automatically once `out/` finishes compiling.
+If you're driving this through an agent/terminal tool, prefer:
+
+```bash
+pushd /absolute/path/to/vscode-dev >/dev/null && pwd && npm run dev
+```
+
+On first start you may see one crash like `Cannot find module './indexes'` — it's the watcher racing the first build. nodemon restarts automatically once `out/` finishes compiling. The server is ready when `curl -sk -o /dev/null -w "%{http_code}" https://127.0.0.1:3000/` returns `200`.
 
 ## URLs
 
@@ -97,15 +105,19 @@ For a true mobile viewport, drive a standalone Playwright script with `devices['
 
 ## Testing the Agents window against a local mock agent host
 
+If the scenario touches the Agents window (`/agents` route), you almost always need the mock agent host running. Without it, the Agents window will sit on the sign-in / tunnel-discovery screen and block any real interaction. Start it **in addition to** the dev server — it's a second terminal, not a replacement.
+
 `vscode-dev` supports a `?mock-agent-host=ws://…` URL parameter that short-circuits tunnel discovery and wires the Agents window to a raw WebSocket. Pair it with the mock agent host binary from `microsoft/vscode`:
 
 ```bash
-cd vscode
+cd /path/to/vscode
 node out/vs/platform/agentHost/node/agentHostServerMain.js \
   --enable-mock-agent --quiet --without-connection-token --port 8765
 # Listens on ws://localhost:8765
 ```
 
+Prerequisite: `out/` in the `vscode` repo must be populated by the `VS Code - Build` task (or `npm run watch`). If `out/vs/platform/agentHost/node/agentHostServerMain.js` is missing, start that task first.
+
 `--enable-mock-agent` registers the `ScriptedMockAgent` from `src/vs/platform/agentHost/test/node/mockAgent.ts` with one pre-existing session. Seed additional sessions via the `VSCODE_AGENT_HOST_MOCK_SEED_SESSIONS` env var, using a comma-separated list of session URIs (for example, `VSCODE_AGENT_HOST_MOCK_SEED_SESSIONS=mock://pre-1,mock://pre-2`). Scripted prompts include `hello`, `use-tool`, `error`, `permission`, `write-file`, `run-safe-command`, `slow`, `client-tool`, `subagent`, etc. (see `mockAgent.ts` for the full list).
 
 Then open:
 
@@ -159,6 +159,14 @@ vsda/**
 @vscode/policy-watcher/index.d.ts
 !@vscode/policy-watcher/build/Release/vscode-policy-watcher.node
 
+@vscode/macos-keychain/build/**
+@vscode/macos-keychain/src/**
+@vscode/macos-keychain/test/**
+@vscode/macos-keychain/binding.gyp
+@vscode/macos-keychain/README.md
+@vscode/macos-keychain/index.d.ts
+!@vscode/macos-keychain/build/Release/keychainNative.node
+
 @vscode/windows-ca-certs/**/*
 !@vscode/windows-ca-certs/package.json
 !@vscode/windows-ca-certs/**/*.node
 
@@ -10,5 +10,9 @@
     <true/>
     <key>com.apple.security.automation.apple-events</key>
     <true/>
+    <key>keychain-access-groups</key>
+    <array>
+        <string>$(TeamIdentifierPrefix)com.microsoft.vscode.shared-secrets</string>
+    </array>
 </dict>
 </plist>
@@ -332,6 +332,16 @@ steps:
         BUILD_SOURCESDIRECTORY: $(Build.SourcesDirectory)
       displayName: ✍️ Codesign & Notarize
 
+    # Re-sign the app without the provisioning profile for tests.
+    # This strips the keychain-access-groups entitlement which requires a
+    # provisioning profile and is not needed for running tests. The codesign
+    # step reads from the archives packaged above which have the full entitlements.
+    - script: |
+        set -e
+        export CODESIGN_IDENTITY=$(security find-identity -v -p codesigning $(agent.tempdirectory)/buildagent.keychain | grep -oEi "([0-9A-F]{40})" | head -n 1)
+        DEBUG=electron-osx-sign* node build/darwin/sign.ts --skip-provisioning-profile $(agent.builddirectory)
+      displayName: Set Hardened Entitlements (for tests)
+
   - ${{ if or(eq(parameters.VSCODE_RUN_ELECTRON_TESTS, true), eq(parameters.VSCODE_RUN_BROWSER_TESTS, true), eq(parameters.VSCODE_RUN_REMOTE_TESTS, true)) }}:
     - template: product-build-darwin-test.yml@self
       parameters:
 
@@ -18,15 +18,66 @@ function getElectronVersion(): string {
 	return target;
 }
 
-function getEntitlementsForFile(filePath: string): string {
+const mainProvisioningProfilePath = path.join(baseDir, 'darwin', 'main.provisionprofile');
+const agentsProvisioningProfilePath = path.join(baseDir, 'darwin', 'agents.provisionprofile');
+
+function hasProvisioningProfile(): boolean {
+	return fs.existsSync(mainProvisioningProfilePath);
+}
+
+function getEntitlementsForFile(filePath: string, tempDir: string, useProvisioningProfile: boolean, teamId?: string): string {
 	if (filePath.includes(' Helper (GPU).app')) {
 		return path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist');
 	} else if (filePath.includes(' Helper (Renderer).app')) {
 		return path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist');
 	} else if (filePath.includes(' Helper (Plugin).app')) {
 		return path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist');
 	}
-	return path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist');
+	const entitlementsPath = path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist');
+	if (!useProvisioningProfile) {
+		// Without a provisioning profile, keychain-access-groups entitlement
+		// will cause signing failures. Strip it from the entitlements plist.
+		return getStrippedEntitlements(entitlementsPath, tempDir);
+	}
+	if (teamId) {
+		return getExpandedEntitlements(entitlementsPath, tempDir, teamId);
+	}
+	return entitlementsPath;
+}
+
+let _strippedEntitlementsPath: string | undefined;
+
+/**
+ * Returns a path to a copy of the entitlements plist with the
+ * keychain-access-groups key removed.
+ */
+function getStrippedEntitlements(entitlementsPath: string, tempDir: string): string {
+	if (!_strippedEntitlementsPath) {
+		const content = fs.readFileSync(entitlementsPath, 'utf8');
+		const stripped = content.replace(
+			/\s*<key>keychain-access-groups<\/key>\s*<array>[\s\S]*?<\/array>/,
+			''
+		);
+		_strippedEntitlementsPath = path.join(tempDir, 'app-entitlements-stripped.plist');
+		fs.writeFileSync(_strippedEntitlementsPath, stripped);
+	}
+	return _strippedEntitlementsPath;
+}
+
+let expandedEntitlementsPath: string | undefined;
+
+/**
+ * Returns a path to a copy of the entitlements plist with
+ * $(TeamIdentifierPrefix) expanded to the actual team identifier.
+ */
+function getExpandedEntitlements(entitlementsPath: string, tempDir: string, teamId: string): string {
+	if (!expandedEntitlementsPath) {
+		const content = fs.readFileSync(entitlementsPath, 'utf8');
+		const expanded = content.replace(/\$\(TeamIdentifierPrefix\)/g, teamId + '.');
+		expandedEntitlementsPath = path.join(tempDir, 'app-entitlements.plist');
+		fs.writeFileSync(expandedEntitlementsPath, expanded);
+	}
+	return expandedEntitlementsPath;
 }
 
 async function retrySignOnKeychainError<T>(fn: () => Promise<T>, maxRetries: number = 3): Promise<T> {
@@ -58,7 +109,7 @@ async function retrySignOnKeychainError<T>(fn: () => Promise<T>, maxRetries: num
 	throw lastError;
 }
 
-async function main(buildDir?: string): Promise<void> {
+async function main(buildDir?: string, skipProvisioningProfile?: boolean): Promise<void> {
 	const tempDir = process.env['AGENT_TEMPDIRECTORY'];
 	const arch = process.env['VSCODE_ARCH'];
 	const identity = process.env['CODESIGN_IDENTITY'];
@@ -78,23 +129,51 @@ async function main(buildDir?: string): Promise<void> {
 		? path.resolve(appRoot, appName, 'Contents', 'Applications', `${product.embedded.nameLong}.app`, 'Contents', 'Info.plist')
 		: undefined;
 
+	const useProvisioningProfile = !skipProvisioningProfile && hasProvisioningProfile();
+	const resolvedProvisioningProfile = useProvisioningProfile ? mainProvisioningProfilePath : undefined;
+
+	let teamId: string | undefined;
+	if (resolvedProvisioningProfile) {
+		const profilePlist = await spawn('security', ['cms', '-D', '-i', resolvedProvisioningProfile]);
+		const teamIdMatch = /<key>TeamIdentifier<\/key>\s*<array>\s*<string>(.*?)<\/string>/s.exec(profilePlist);
+		if (teamIdMatch) {
+			teamId = teamIdMatch[1];
+			console.log(`Extracted TeamIdentifier from provisioning profile: ${teamId}`);
+		} else {
+			console.warn('Could not extract TeamIdentifier from provisioning profile; $(TeamIdentifierPrefix) will not be expanded');
+		}
+	}
+
+	// Embed the agents provisioning profile into the embedded app bundle
+	// before signing, since @electron/osx-sign only supports one top-level profile.
+	if (useProvisioningProfile && product.embedded && fs.existsSync(agentsProvisioningProfilePath)) {
+		const embeddedAppPath = path.join(appRoot, appName, 'Contents', 'Applications', `${product.embedded.nameLong}.app`);
+		if (fs.existsSync(embeddedAppPath)) {
+			const embeddedProfileDest = path.join(embeddedAppPath, 'Contents', 'embedded.provisionprofile');
+			fs.copyFileSync(agentsProvisioningProfilePath, embeddedProfileDest);
+			console.log(`Embedded agents provisioning profile into ${embeddedProfileDest}`);
+		}
+	}
+
 	const appOpts: SignOptions = {
 		app: path.join(appRoot, appName),
 		platform: 'darwin',
 		optionsForFile: (filePath) => ({
-			entitlements: getEntitlementsForFile(filePath),
+			entitlements: getEntitlementsForFile(filePath, tempDir, useProvisioningProfile, teamId),
 			hardenedRuntime: true,
 		}),
 		preAutoEntitlements: false,
-		preEmbedProvisioningProfile: false,
+		preEmbedProvisioningProfile: !!resolvedProvisioningProfile,
+		provisioningProfile: resolvedProvisioningProfile,
 		keychain: path.join(tempDir, 'buildagent.keychain'),
 		version: getElectronVersion(),
 		identity,
 	};
 
 	// Only overwrite plist entries for x64 and arm64 builds,
 	// universal will get its copy from the x64 build.
-	if (arch !== 'universal') {
+	// Skip when re-signing (skipProvisioningProfile) since entries already exist.
+	if (arch !== 'universal' && !skipProvisioningProfile) {
 		await spawn('plutil', [
 			'-insert',
 			'NSAppleEventsUsageDescription',
@@ -171,10 +250,19 @@ async function main(buildDir?: string): Promise<void> {
 	}
 
 	await retrySignOnKeychainError(() => sign(appOpts));
+
+	// Dump entitlements from the signed binary for diagnostic purposes
+	const mainBinary = path.join(appRoot, appName, 'Contents', 'MacOS', product.nameShort);
+	console.log(`Dumping entitlements from signed binary: ${mainBinary}`);
+	const entitlementsDump = await spawn('codesign', ['--display', '--entitlements', '-', '--xml', mainBinary]);
+	console.log(`Signed entitlements:\n${entitlementsDump}`);
 }
 
 if (import.meta.main) {
-	main(process.argv[2]).catch(async err => {
+	const args = process.argv.slice(2);
+	const skipProvisioningProfile = args.includes('--skip-provisioning-profile');
+	const buildDir = args.filter(a => !a.startsWith('--'))[0];
+	main(buildDir, skipProvisioningProfile).catch(async err => {
 		console.error(err);
 		const tempDir = process.env['AGENT_TEMPDIRECTORY'];
 		if (tempDir) {
 
@@ -235,6 +235,27 @@
 					]
 				}
 			},
+			{
+				"name": "skill",
+				"toolReferenceName": "skill",
+				"displayName": "%copilot.tools.skill.name%",
+				"icon": "$(book)",
+				"userDescription": "%copilot.tools.skill.description%",
+				"modelDescription": "Invoke a skill to handle a user's request with specialized instructions and workflows.\n\nSkills are domain-specific capabilities discovered from SKILL.md files. When a user's task matches an available skill, call this tool to load and apply it. If the user types a slash command (e.g. \"/deploy\", \"/test\"), treat it as a skill invocation.\n\nUsage:\n- Pass the skill name only (no arguments).\n- Examples: skill: \"docx\", skill: \"deploy\", skill: \"fix-ci-failures\"\n\nRules:\n- Available skills appear in system-reminder messages earlier in the conversation.\n- BLOCKING: When a matching skill exists, you MUST call this tool before producing any other output about the task.\n- Never reference a skill without calling this tool.\n- Do not call this tool for a skill that is already active in the current turn (indicated by a <command-name> tag).\n- Do not use this tool for built-in commands such as /help or /clear.",
+				"when": "config.github.copilot.chat.skillTool.enabled",
+				"inputSchema": {
+					"type": "object",
+					"properties": {
+						"skill": {
+							"type": "string",
+							"description": "The skill name. E.g., \"commit\", \"review-pr\", or \"pdf\""
+						}
+					},
+					"required": [
+						"skill"
+					]
+				}
+			},
 			{
 				"name": "copilot_searchWorkspaceSymbols",
 				"toolReferenceName": "symbols",
@@ -1265,7 +1286,8 @@
 					"problems",
 					"readFile",
 					"viewImage",
-					"readNotebookCellOutput"
+					"readNotebookCellOutput",
+					"skill"
 				]
 			},
 			{
@@ -1294,6 +1316,7 @@
 					"resolveMemoryFileUri",
 					"runCommand",
 					"switchAgent",
+					"toolSearch",
 					"vscodeAPI"
 				]
 			},
@@ -3792,6 +3815,15 @@
 							"clear-both"
 						]
 					},
+					"github.copilot.chat.anthropic.cacheBreakpoints.lastTwoMessages": {
+						"type": "boolean",
+						"default": false,
+						"markdownDescription": "%github.copilot.config.anthropic.cacheBreakpoints.lastTwoMessages%",
+						"tags": [
+							"experimental",
+							"onExp"
+						]
+					},
 					"github.copilot.chat.responsesApiReasoningSummary": {
 						"type": "string",
 						"default": "detailed",
@@ -4411,6 +4443,15 @@
 							"experimental"
 						]
 					},
+					"github.copilot.chat.skillTool.enabled": {
+						"type": "boolean",
+						"default": false,
+						"markdownDescription": "%github.copilot.config.skill.enabled%",
+						"tags": [
+							"advanced",
+							"experimental"
+						]
+					},
 					"github.copilot.chat.executionSubagent.enabled": {
 						"type": "boolean",
 						"default": false,
@@ -4475,7 +4516,7 @@
 					},
 					"github.copilot.chat.agentHistorySummarizationInline": {
 						"type": "boolean",
-						"default": false,
+						"default": true,
 						"markdownDescription": "%github.copilot.config.agentHistorySummarizationInline%",
 						"tags": [
 							"advanced",
 
@@ -342,6 +342,7 @@
 	"copilot.toolSet.web.description": "Fetch information from the web",
 	"github.copilot.config.useMessagesApi": "Use the Messages API instead of the Chat Completions API when supported.",
 	"github.copilot.config.anthropic.contextEditing.mode": "Select the context editing mode for Anthropic models. Automatically manages conversation context as it grows, helping optimize costs and stay within context window limits.\n\n- `off`: Context editing is disabled.\n- `clear-thinking`: Clears thinking blocks while preserving tool uses.\n- `clear-tooluse`: Clears tool uses while preserving thinking blocks.\n- `clear-both`: Clears both thinking blocks and tool uses.\n\n**Note**: This is an experimental feature. Context editing may cause additional cache rewrites. Enable with caution.",
+	"github.copilot.config.anthropic.cacheBreakpoints.lastTwoMessages": "Use the 'last two messages' cache breakpoint strategy instead of heuristic-based placement for Anthropic Messages API.",
 	"github.copilot.config.useResponsesApi": "Use the Responses API instead of the Chat Completions API when supported. Enables reasoning and reasoning summaries.\n\n**Note**: This is an experimental feature that is not yet activated for all users.\n\n**Important**: URL API path resolution for custom OpenAI-compatible and Azure models is independent of this setting and fully determined by `url` property of `#github.copilot.chat.customOAIModels#` or `#github.copilot.chat.azureModels#` respectively.",
 	"github.copilot.config.responsesApiReasoningSummary": "Sets the reasoning summary style used for the Responses API. Requires `#github.copilot.chat.useResponsesApi#`.",
 	"github.copilot.config.responsesApiContextManagement.enabled": "Enables context management for the Responses API. Requires `#github.copilot.chat.useResponsesApi#`.",
@@ -490,6 +491,9 @@
 	"copilot.tools.runSubagent.description": "Runs a task within an isolated subagent context. Enables efficient organization of tasks and context window management.",
 	"copilot.tools.searchSubagent.name": "Search Subagent",
 	"copilot.tools.searchSubagent.description": "Launch an iterative search-focused subagent to find relevant code in your workspace.",
+	"copilot.tools.skill.name": "Skill",
+	"copilot.tools.skill.description": "Execute a skill by name. Skills provide specialized capabilities, domain knowledge, and refined workflows.",
+	"github.copilot.config.skill.enabled": "Enable the skill tool in Copilot Chat. When enabled, skills are invoked via a dedicated skill tool instead of readFile.",
 	"github.copilot.config.searchSubagent.enabled": "Enable the search subagent tool for iterative code exploration in the workspace.",
 	"github.copilot.config.searchSubagent.useAgenticProxy": "Use the agentic proxy for the search subagent tool.",
 	"github.copilot.config.searchSubagent.model": "Model to use for the search subagent. When useAgenticProxy is enabled, defaults to 'vscode-agentic-search-router-a'. Otherwise defaults to the main agent model.",