@theia/workspace 1.68.0-next.34 → 1.68.0-next.48

package/src/browser/workspace-commands.ts

@@ -148,6 +148,11 @@ export namespace WorkspaceCommands {
         id: 'navigator.copyRelativeFilePath',
         label: 'Copy Relative Path'
     });
+    export const MANAGE_WORKSPACE_TRUST = Command.toDefaultLocalizedCommand({
+        id: 'workspace:manageTrust',
+        category: WORKSPACE_CATEGORY,
+        label: 'Manage Workspace Trust'
+    });
 }
 
 @injectable()

package/src/browser/workspace-frontend-contribution.ts

@@ -19,13 +19,15 @@ import { CommandContribution, CommandRegistry, MenuContribution, MenuModelRegist
 import { isOSX, environment } from '@theia/core';
 import {
     open, OpenerService, CommonMenus, KeybindingRegistry, KeybindingContribution,
-    FrontendApplicationContribution, SHELL_TABBAR_CONTEXT_COPY, OnWillStopAction, Navigatable, SaveableSource, Widget
+    FrontendApplicationContribution, SHELL_TABBAR_CONTEXT_COPY, OnWillStopAction, Navigatable, SaveableSource, Widget,
+    QuickInputService, QuickPickItem
 } from '@theia/core/lib/browser';
 import { FileDialogService, OpenFileDialogProps, FileDialogTreeFilters } from '@theia/filesystem/lib/browser';
 import { ContextKeyService } from '@theia/core/lib/browser/context-key-service';
 import { WorkspaceService } from './workspace-service';
 import { WorkspaceFileService, THEIA_EXT, VSCODE_EXT } from '../common';
 import { WorkspaceCommands } from './workspace-commands';
+import { WorkspaceTrustService } from './workspace-trust-service';
 import { QuickOpenWorkspace } from './quick-open-workspace';
 import URI from '@theia/core/lib/common/uri';
 import { FileService } from '@theia/filesystem/lib/browser/file-service';
@@ -74,6 +76,10 @@ export class WorkspaceFrontendContribution implements CommandContribution, Keybi
     @inject(PreferenceConfigurations) protected readonly preferenceConfigurations: PreferenceConfigurations;
     @inject(FilesystemSaveableService) protected readonly saveService: FilesystemSaveableService;
     @inject(WorkspaceFileService) protected readonly workspaceFileService: WorkspaceFileService;
+    @inject(QuickInputService)
+    protected readonly quickInputService: QuickInputService;
+    @inject(WorkspaceTrustService)
+    protected readonly workspaceTrustService: WorkspaceTrustService;
 
     configure(): void {
         const workspaceExtensions = this.workspaceFileService.getWorkspaceFileExtensions();
@@ -165,7 +171,9 @@ export class WorkspaceFrontendContribution implements CommandContribution, Keybi
                     open(this.openerService, this.workspaceService.workspace.resource);
                 }
             }
-
+        });
+        commands.registerCommand(WorkspaceCommands.MANAGE_WORKSPACE_TRUST, {
+            execute: () => this.manageWorkspaceTrust()
         });
     }
 
@@ -495,6 +503,39 @@ export class WorkspaceFrontendContribution implements CommandContribution, Keybi
         return this.workspaceService.workspace?.resource;
     }
 
+    protected async manageWorkspaceTrust(): Promise<void> {
+        const currentTrust = await this.workspaceTrustService.getWorkspaceTrust();
+        const trust = nls.localizeByDefault('Trust');
+        const dontTrust = nls.localizeByDefault("Don't Trust");
+        const currentSuffix = `(${nls.localizeByDefault('Current')})`;
+
+        const items: QuickPickItem[] = [
+            {
+                label: trust,
+                description: currentTrust ? currentSuffix : undefined
+            },
+            {
+                label: dontTrust,
+                description: !currentTrust ? currentSuffix : undefined
+            }
+        ];
+
+        const selected = await this.quickInputService.showQuickPick(items, {
+            title: nls.localizeByDefault('Manage Workspace Trust'),
+            placeholder: nls.localize('theia/workspace/manageTrustPlaceholder', 'Select trust state for this workspace')
+        });
+
+        if (selected) {
+            const newTrust = selected.label === trust;
+            if (newTrust !== currentTrust) {
+                this.workspaceTrustService.setWorkspaceTrust(newTrust);
+                if (newTrust) {
+                    await this.workspaceTrustService.addToTrustedFolders();
+                }
+            }
+        }
+    }
+
     onWillStop(): OnWillStopAction<boolean> | undefined {
         const { workspace } = this.workspaceService;
         if (workspace && this.workspaceService.isUntitledWorkspace(workspace.resource)) {

package/src/browser/workspace-trust-service.spec.ts

@@ -0,0 +1,259 @@
+// *****************************************************************************
+// Copyright (C) 2026 EclipseSource GmbH.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// http://www.eclipse.org/legal/epl-2.0.
+//
+// This Source Code may also be made available under the following Secondary
+// Licenses when the conditions for such availability set forth in the Eclipse
+// Public License v. 2.0 are satisfied: GNU General Public License, version 2
+// with the GNU Classpath Exception which is available at
+// https://www.gnu.org/software/classpath/license.html.
+//
+// SPDX-License-Identifier: EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0
+// *****************************************************************************
+
+import { expect } from 'chai';
+import * as sinon from 'sinon';
+import { PreferenceChange, PreferenceScope } from '@theia/core/lib/common/preferences';
+import { WorkspaceTrustService } from './workspace-trust-service';
+import { WORKSPACE_TRUST_EMPTY_WINDOW, WORKSPACE_TRUST_TRUSTED_FOLDERS } from '../common/workspace-trust-preferences';
+
+class TestableWorkspaceTrustService extends WorkspaceTrustService {
+    public async testHandlePreferenceChange(change: PreferenceChange): Promise<void> {
+        return this.handlePreferenceChange(change);
+    }
+
+    public async testHandleWorkspaceChanged(): Promise<void> {
+        return this.handleWorkspaceChanged();
+    }
+
+    public setCurrentTrust(trust: boolean): void {
+        this.currentTrust = trust;
+    }
+
+    public getCurrentTrust(): boolean | undefined {
+        return this.currentTrust;
+    }
+
+    public override isWorkspaceTrustResolved(): boolean {
+        return super.isWorkspaceTrustResolved();
+    }
+}
+
+describe('WorkspaceTrustService', () => {
+    let service: TestableWorkspaceTrustService;
+
+    beforeEach(() => {
+        service = new TestableWorkspaceTrustService();
+    });
+
+    describe('handleWorkspaceChanged', () => {
+        let resolveWorkspaceTrustStub: sinon.SinonStub;
+        let getWorkspaceTrustStub: sinon.SinonStub;
+        let updateRestrictedModeIndicatorStub: sinon.SinonStub;
+
+        beforeEach(() => {
+            resolveWorkspaceTrustStub = sinon.stub(service as unknown as { resolveWorkspaceTrust: () => Promise<void> }, 'resolveWorkspaceTrust').resolves();
+            getWorkspaceTrustStub = sinon.stub(service, 'getWorkspaceTrust').resolves(true);
+            updateRestrictedModeIndicatorStub = sinon.stub(
+                service as unknown as { updateRestrictedModeIndicator: (trust: boolean) => void },
+                'updateRestrictedModeIndicator'
+            );
+        });
+
+        afterEach(() => {
+            sinon.restore();
+        });
+
+        it('should reset trust state when workspace changes', async () => {
+            service.setCurrentTrust(true);
+
+            await service.testHandleWorkspaceChanged();
+
+            expect(service.getCurrentTrust()).to.be.undefined;
+        });
+
+        it('should re-evaluate trust when workspace changes', async () => {
+            service.setCurrentTrust(true);
+
+            await service.testHandleWorkspaceChanged();
+
+            expect(resolveWorkspaceTrustStub.calledOnce).to.be.true;
+        });
+
+        it('should update restricted mode indicator after workspace change if not trusted', async () => {
+            getWorkspaceTrustStub.resolves(false);
+
+            await service.testHandleWorkspaceChanged();
+
+            expect(updateRestrictedModeIndicatorStub.calledOnceWith(false)).to.be.true;
+        });
+
+        it('should reset workspaceTrust deferred to unresolved state', async () => {
+            // First resolve the trust
+            service.setCurrentTrust(true);
+
+            await service.testHandleWorkspaceChanged();
+
+            // After workspace change, it should be reset and resolved again via resolveWorkspaceTrust
+            expect(resolveWorkspaceTrustStub.calledOnce).to.be.true;
+        });
+    });
+
+    describe('handlePreferenceChange', () => {
+        let isWorkspaceInTrustedFoldersStub: sinon.SinonStub;
+        let setWorkspaceTrustStub: sinon.SinonStub;
+        let workspaceTrustPrefStub: { [key: string]: unknown };
+        let workspaceServiceStub: { workspace: unknown };
+
+        beforeEach(() => {
+            isWorkspaceInTrustedFoldersStub = sinon.stub(service as unknown as { isWorkspaceInTrustedFolders: () => boolean }, 'isWorkspaceInTrustedFolders');
+            setWorkspaceTrustStub = sinon.stub(service, 'setWorkspaceTrust');
+            // Mock workspaceTrustPref - default emptyWindow to false so trusted folders logic runs
+            workspaceTrustPrefStub = { [WORKSPACE_TRUST_EMPTY_WINDOW]: false };
+            (service as unknown as { workspaceTrustPref: { [key: string]: unknown } }).workspaceTrustPref = workspaceTrustPrefStub;
+            // Mock workspaceService with a workspace (non-empty)
+            workspaceServiceStub = { workspace: { resource: { toString: () => 'file:///some/workspace' } } };
+            (service as unknown as { workspaceService: { workspace: unknown } }).workspaceService = workspaceServiceStub;
+        });
+
+        afterEach(() => {
+            sinon.restore();
+        });
+
+        it('should update trust to true when folder is added to trustedFolders', async () => {
+            service.setCurrentTrust(false);
+            isWorkspaceInTrustedFoldersStub.returns(true);
+
+            const change: PreferenceChange = {
+                preferenceName: WORKSPACE_TRUST_TRUSTED_FOLDERS,
+                scope: PreferenceScope.User,
+                domain: [],
+                newValue: ['/some/path'],
+                oldValue: [],
+                affects: () => true
+            };
+
+            await service.testHandlePreferenceChange(change);
+
+            expect(setWorkspaceTrustStub.calledOnceWith(true)).to.be.true;
+        });
+
+        it('should update trust to false when folder is removed from trustedFolders', async () => {
+            service.setCurrentTrust(true);
+            isWorkspaceInTrustedFoldersStub.returns(false);
+
+            const change: PreferenceChange = {
+                preferenceName: WORKSPACE_TRUST_TRUSTED_FOLDERS,
+                scope: PreferenceScope.User,
+                domain: [],
+                newValue: [],
+                oldValue: ['/some/path'],
+                affects: () => true
+            };
+
+            await service.testHandlePreferenceChange(change);
+
+            expect(setWorkspaceTrustStub.calledOnceWith(false)).to.be.true;
+        });
+
+        it('should not update trust when trustedFolders change does not affect current workspace', async () => {
+            service.setCurrentTrust(false);
+            isWorkspaceInTrustedFoldersStub.returns(false);
+
+            const change: PreferenceChange = {
+                preferenceName: WORKSPACE_TRUST_TRUSTED_FOLDERS,
+                scope: PreferenceScope.User,
+                domain: [],
+                newValue: ['/other/path'],
+                oldValue: [],
+                affects: () => true
+            };
+
+            await service.testHandlePreferenceChange(change);
+
+            expect(setWorkspaceTrustStub.called).to.be.false;
+        });
+
+        describe('emptyWindow setting changes', () => {
+            beforeEach(() => {
+                // Reset workspace to undefined for empty window tests
+                workspaceServiceStub.workspace = undefined;
+            });
+
+            it('should update trust to true when emptyWindow setting changes to true for empty window', async () => {
+                service.setCurrentTrust(false);
+                workspaceServiceStub.workspace = undefined;
+
+                const change: PreferenceChange = {
+                    preferenceName: WORKSPACE_TRUST_EMPTY_WINDOW,
+                    scope: PreferenceScope.User,
+                    domain: [],
+                    newValue: true,
+                    oldValue: false,
+                    affects: () => true
+                };
+
+                await service.testHandlePreferenceChange(change);
+
+                expect(setWorkspaceTrustStub.calledOnceWith(true)).to.be.true;
+            });
+
+            it('should update trust to false when emptyWindow setting changes to false for empty window', async () => {
+                service.setCurrentTrust(true);
+                workspaceServiceStub.workspace = undefined;
+
+                const change: PreferenceChange = {
+                    preferenceName: WORKSPACE_TRUST_EMPTY_WINDOW,
+                    scope: PreferenceScope.User,
+                    domain: [],
+                    newValue: false,
+                    oldValue: true,
+                    affects: () => true
+                };
+
+                await service.testHandlePreferenceChange(change);
+
+                expect(setWorkspaceTrustStub.calledOnceWith(false)).to.be.true;
+            });
+
+            it('should not update trust when emptyWindow setting changes but workspace is open', async () => {
+                service.setCurrentTrust(false);
+                workspaceServiceStub.workspace = { resource: { toString: () => 'file:///some/path' } };
+
+                const change: PreferenceChange = {
+                    preferenceName: WORKSPACE_TRUST_EMPTY_WINDOW,
+                    scope: PreferenceScope.User,
+                    domain: [],
+                    newValue: true,
+                    oldValue: false,
+                    affects: () => true
+                };
+
+                await service.testHandlePreferenceChange(change);
+
+                expect(setWorkspaceTrustStub.called).to.be.false;
+            });
+
+            it('should not update trust when emptyWindow setting changes but trust already matches', async () => {
+                service.setCurrentTrust(true);
+                workspaceServiceStub.workspace = undefined;
+
+                const change: PreferenceChange = {
+                    preferenceName: WORKSPACE_TRUST_EMPTY_WINDOW,
+                    scope: PreferenceScope.User,
+                    domain: [],
+                    newValue: true,
+                    oldValue: false,
+                    affects: () => true
+                };
+
+                await service.testHandlePreferenceChange(change);
+
+                expect(setWorkspaceTrustStub.called).to.be.false;
+            });
+        });
+    });
+});

package/src/browser/workspace-trust-service.ts

@@ -15,20 +15,27 @@
 // *****************************************************************************
 
 import { ConfirmDialog, Dialog, StorageService } from '@theia/core/lib/browser';
-import { PreferenceChange, PreferenceScope, PreferenceService } from '@theia/core/lib/common/preferences';
+import { StatusBar, StatusBarAlignment } from '@theia/core/lib/browser/status-bar/status-bar';
+import { OS } from '@theia/core';
+import { DisposableCollection } from '@theia/core/lib/common/disposable';
+import { Emitter, Event } from '@theia/core/lib/common';
+import URI from '@theia/core/lib/common/uri';
+import { PreferenceChange, PreferenceSchemaService, PreferenceScope, PreferenceService } from '@theia/core/lib/common/preferences';
 import { MessageService } from '@theia/core/lib/common/message-service';
 import { nls } from '@theia/core/lib/common/nls';
 import { Deferred } from '@theia/core/lib/common/promise-util';
-import { inject, injectable, postConstruct } from '@theia/core/shared/inversify';
+import { inject, injectable, postConstruct, preDestroy } from '@theia/core/shared/inversify';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
 import {
-    WorkspaceTrustPreferences, WORKSPACE_TRUST_EMPTY_WINDOW, WORKSPACE_TRUST_ENABLED, WORKSPACE_TRUST_STARTUP_PROMPT, WorkspaceTrustPrompt
+    WorkspaceTrustPreferences, WORKSPACE_TRUST_EMPTY_WINDOW, WORKSPACE_TRUST_ENABLED, WORKSPACE_TRUST_STARTUP_PROMPT, WORKSPACE_TRUST_TRUSTED_FOLDERS, WorkspaceTrustPrompt
 } from '../common/workspace-trust-preferences';
 import { FrontendApplicationConfigProvider } from '@theia/core/lib/browser/frontend-application-config-provider';
 import { WorkspaceService } from './workspace-service';
+import { WorkspaceCommands } from './workspace-commands';
 import { ContextKeyService } from '@theia/core/lib/browser/context-key-service';
 
 const STORAGE_TRUSTED = 'trusted';
+export const WORKSPACE_TRUST_STATUS_BAR_ID = 'workspace-trust-status';
 
 @injectable()
 export class WorkspaceTrustService {
@@ -47,13 +54,26 @@ export class WorkspaceTrustService {
     @inject(WorkspaceTrustPreferences)
     protected readonly workspaceTrustPref: WorkspaceTrustPreferences;
 
+    @inject(PreferenceSchemaService)
+    protected readonly preferenceSchemaService: PreferenceSchemaService;
+
     @inject(WindowService)
     protected readonly windowService: WindowService;
 
     @inject(ContextKeyService)
     protected readonly contextKeyService: ContextKeyService;
 
+    @inject(StatusBar)
+    protected readonly statusBar: StatusBar;
+
     protected workspaceTrust = new Deferred<boolean>();
+    protected currentTrust: boolean | undefined;
+    protected pendingTrustDialog: Deferred<boolean> | undefined;
+
+    protected readonly onDidChangeWorkspaceTrustEmitter = new Emitter<boolean>();
+    readonly onDidChangeWorkspaceTrust: Event<boolean> = this.onDidChangeWorkspaceTrustEmitter.event;
+
+    protected readonly toDispose = new DisposableCollection(this.onDidChangeWorkspaceTrustEmitter);
 
     @postConstruct()
     protected init(): void {
@@ -62,8 +82,31 @@ export class WorkspaceTrustService {
 
     protected async doInit(): Promise<void> {
         await this.workspaceService.ready;
+        await this.workspaceTrustPref.ready;
+        await this.preferenceSchemaService.ready;
         await this.resolveWorkspaceTrust();
-        this.preferences.onPreferenceChanged(change => this.handlePreferenceChange(change));
+        this.toDispose.push(
+            this.preferences.onPreferenceChanged(change => this.handlePreferenceChange(change))
+        );
+        this.toDispose.push(
+            this.workspaceService.onWorkspaceChanged(() => this.handleWorkspaceChanged())
+        );
+
+        // Show status bar item if starting in restricted mode
+        const initialTrust = await this.getWorkspaceTrust();
+        this.updateRestrictedModeIndicator(initialTrust);
+
+        // React to trust changes
+        this.toDispose.push(
+            this.onDidChangeWorkspaceTrust(trust => {
+                this.updateRestrictedModeIndicator(trust);
+            })
+        );
+    }
+
+    @preDestroy()
+    protected onStop(): void {
+        this.toDispose.dispose();
     }
 
     getWorkspaceTrust(): Promise<boolean> {
@@ -76,18 +119,35 @@ export class WorkspaceTrustService {
             if (trust !== undefined) {
                 await this.storeWorkspaceTrust(trust);
                 this.contextKeyService.setContext('isWorkspaceTrusted', trust);
+                this.currentTrust = trust;
                 this.workspaceTrust.resolve(trust);
+                this.onDidChangeWorkspaceTrustEmitter.fire(trust);
+                if (trust && this.workspaceTrustPref[WORKSPACE_TRUST_ENABLED]) {
+                    await this.addToTrustedFolders();
+                }
             }
         }
     }
 
+    setWorkspaceTrust(trusted: boolean): void {
+        if (this.currentTrust === trusted) {
+            return;
+        }
+        this.currentTrust = trusted;
+        this.contextKeyService.setContext('isWorkspaceTrusted', trusted);
+        if (this.workspaceTrustPref[WORKSPACE_TRUST_STARTUP_PROMPT] === WorkspaceTrustPrompt.ONCE) {
+            this.storeWorkspaceTrust(trusted);
+        }
+        this.onDidChangeWorkspaceTrustEmitter.fire(trusted);
+    }
+
     protected isWorkspaceTrustResolved(): boolean {
         return this.workspaceTrust.state !== 'unresolved';
     }
 
     protected async calculateWorkspaceTrust(): Promise<boolean | undefined> {
-        if (!this.workspaceTrustPref[WORKSPACE_TRUST_ENABLED]) {
-            // in VS Code if workspace trust is disabled, we implicitly trust the workspace
+        const trustEnabled = this.workspaceTrustPref[WORKSPACE_TRUST_ENABLED];
+        if (!trustEnabled) {
             return true;
         }
 
@@ -95,11 +155,89 @@ export class WorkspaceTrustService {
             return true;
         }
 
+        if (this.isWorkspaceInTrustedFolders()) {
+            return true;
+        }
+
         if (this.workspaceTrustPref[WORKSPACE_TRUST_STARTUP_PROMPT] === WorkspaceTrustPrompt.NEVER) {
             return false;
         }
 
-        return this.loadWorkspaceTrust();
+        // For ONCE mode, check stored trust first
+        if (this.workspaceTrustPref[WORKSPACE_TRUST_STARTUP_PROMPT] === WorkspaceTrustPrompt.ONCE) {
+            const storedTrust = await this.loadWorkspaceTrust();
+            if (storedTrust !== undefined) {
+                return storedTrust;
+            }
+        }
+
+        // For ALWAYS mode or ONCE mode with no stored decision, show dialog
+        return this.showTrustPromptDialog();
+    }
+
+    protected async showTrustPromptDialog(): Promise<boolean> {
+        // If dialog is already open, wait for its result
+        if (this.pendingTrustDialog) {
+            return this.pendingTrustDialog.promise;
+        }
+
+        this.pendingTrustDialog = new Deferred<boolean>();
+        try {
+            const trust = nls.localizeByDefault('Yes, I trust the authors');
+            const dontTrust = nls.localizeByDefault("No, I don't trust the authors");
+            const folderPath = this.workspaceService.workspace?.resource?.path?.toString() ?? '';
+
+            const dialog = new ConfirmDialog({
+                title: nls.localizeByDefault('Do you trust the authors of the files in this folder?'),
+                msg: nls.localize('theia/workspace/trustDialogMessage',
+                    'If you trust the authors of this folder, code inside may be executed. Only trust folders that you trust the contents of.') +
+                    (folderPath ? `\n\n"${folderPath}"` : ''),
+                ok: trust,
+                cancel: dontTrust,
+            });
+
+            const result = await dialog.open();
+            const trusted = result === true;
+            this.pendingTrustDialog.resolve(trusted);
+            return trusted;
+        } catch (e) {
+            this.pendingTrustDialog.resolve(false);
+            throw e;
+        } finally {
+            this.pendingTrustDialog = undefined;
+        }
+    }
+
+    async addToTrustedFolders(): Promise<void> {
+        const workspaceUri = this.workspaceService.workspace?.resource;
+        if (!workspaceUri) {
+            return;
+        }
+        if (!this.isWorkspaceInTrustedFolders()) {
+            const currentFolders = this.workspaceTrustPref[WORKSPACE_TRUST_TRUSTED_FOLDERS] || [];
+            await this.preferences.set(
+                WORKSPACE_TRUST_TRUSTED_FOLDERS,
+                [...currentFolders, workspaceUri.toString()],
+                PreferenceScope.User
+            );
+        }
+    }
+
+    protected isWorkspaceInTrustedFolders(): boolean {
+        const workspaceUri = this.workspaceService.workspace?.resource;
+        if (!workspaceUri) {
+            return false;
+        }
+        const trustedFolders = this.workspaceTrustPref[WORKSPACE_TRUST_TRUSTED_FOLDERS] || [];
+        const caseSensitive = !OS.backend.isWindows;
+        return trustedFolders.some(folder => {
+            try {
+                const folderUri = new URI(folder).normalizePath();
+                return workspaceUri.normalizePath().isEqual(folderUri, caseSensitive);
+            } catch {
+                return false; // Invalid URI in preferences
+            }
+        });
     }
 
     protected async loadWorkspaceTrust(): Promise<boolean | undefined> {
@@ -115,6 +253,19 @@ export class WorkspaceTrustService {
     }
 
     protected async handlePreferenceChange(change: PreferenceChange): Promise<void> {
+        // Handle trustedFolders changes regardless of scope
+        if (change.preferenceName === WORKSPACE_TRUST_TRUSTED_FOLDERS) {
+            // For empty windows with emptyWindow setting enabled, trust should remain true
+            if (this.workspaceTrustPref[WORKSPACE_TRUST_EMPTY_WINDOW] && !this.workspaceService.workspace) {
+                return;
+            }
+            const isNowInTrustedFolders = this.isWorkspaceInTrustedFolders();
+            if (isNowInTrustedFolders !== this.currentTrust) {
+                this.setWorkspaceTrust(isNowInTrustedFolders);
+            }
+            return;
+        }
+
         if (change.scope === PreferenceScope.User) {
             if (change.preferenceName === WORKSPACE_TRUST_STARTUP_PROMPT && change.newValue !== WorkspaceTrustPrompt.ONCE) {
                 this.storage.setData(STORAGE_TRUSTED, undefined);
@@ -125,12 +276,34 @@ export class WorkspaceTrustService {
                 this.windowService.reload();
             }
 
-            if (change.preferenceName === WORKSPACE_TRUST_ENABLED || change.preferenceName === WORKSPACE_TRUST_EMPTY_WINDOW) {
+            if (change.preferenceName === WORKSPACE_TRUST_ENABLED) {
                 this.resolveWorkspaceTrust();
             }
+
+            // Handle emptyWindow setting change for empty windows
+            if (change.preferenceName === WORKSPACE_TRUST_EMPTY_WINDOW && !this.workspaceService.workspace) {
+                // For empty windows, directly update trust based on the new setting value
+                const shouldTrust = !!change.newValue;
+                if (this.currentTrust !== shouldTrust) {
+                    this.setWorkspaceTrust(shouldTrust);
+                }
+            }
         }
     }
 
+    protected async handleWorkspaceChanged(): Promise<void> {
+        // Reset trust state for the new workspace
+        this.workspaceTrust = new Deferred<boolean>();
+        this.currentTrust = undefined;
+
+        // Re-evaluate trust for the new workspace
+        await this.resolveWorkspaceTrust();
+
+        // Update status bar indicator
+        const trust = await this.getWorkspaceTrust();
+        this.updateRestrictedModeIndicator(trust);
+    }
+
     protected async confirmRestart(): Promise<boolean> {
         const shouldRestart = await new ConfirmDialog({
             title: nls.localizeByDefault('A setting has changed that requires a restart to take effect.'),
@@ -141,13 +314,33 @@ export class WorkspaceTrustService {
         return shouldRestart === true;
     }
 
+    protected updateRestrictedModeIndicator(trusted: boolean): void {
+        if (trusted) {
+            this.hideRestrictedModeStatusBarItem();
+        } else {
+            this.showRestrictedModeStatusBarItem();
+        }
+    }
+
+    protected showRestrictedModeStatusBarItem(): void {
+        this.statusBar.setElement(WORKSPACE_TRUST_STATUS_BAR_ID, {
+            text: '$(shield) ' + nls.localizeByDefault('Restricted Mode'),
+            alignment: StatusBarAlignment.LEFT,
+            priority: 5000,
+            tooltip: nls.localize('theia/workspace/restrictedModeTooltip',
+                'Running in Restricted Mode. Some features are disabled because this folder is not trusted. Click to manage trust settings.'),
+            command: WorkspaceCommands.MANAGE_WORKSPACE_TRUST.id
+        });
+    }
+
+    protected hideRestrictedModeStatusBarItem(): void {
+        this.statusBar.removeElement(WORKSPACE_TRUST_STATUS_BAR_ID);
+    }
+
     async requestWorkspaceTrust(): Promise<boolean | undefined> {
         if (!this.isWorkspaceTrustResolved()) {
-            const isTrusted = await this.messageService.info(nls.localize('theia/workspace/trustRequest',
-                'An extension requests workspace trust but the corresponding API is not yet fully supported. Do you want to trust this workspace?'),
-                Dialog.YES, Dialog.NO);
-            const trusted = isTrusted === Dialog.YES;
-            this.resolveWorkspaceTrust(trusted);
+            const trusted = await this.showTrustPromptDialog();
+            await this.resolveWorkspaceTrust(trusted);
         }
         return this.workspaceTrust.promise;
     }