Overview
Implement Phase 1 of the MXC (Microsoft Execution Containers) sandbox integration to add contained local code execution capability to entrabot, pairing identity+attribution with OS-enforced containment.
Design Documents
- docs/architecture/DESIGN-mxc-sandbox.md (merged in PR #15: "docs: MXC execution-container integration design (Phase 1 plan)")
- docs/platform-learnings/mxc-windows-sandbox.md (merged in PR #14: "docs: MXC (Microsoft Execution Containers) platform research")
Phase 1 Scope (Build Now)
Process-level containment via MXC on macOS (Seatbelt) and Windows (processcontainer/AppContainer), driven from Python using the native MXC binary + JSON policy.
Implementation Tasks
- sandbox/base.py — SandboxRunner protocol, dataclasses, error taxonomy
- sandbox/policy.py — Policy builder with positive-allowlist clamping (backend-aware, fail-closed)
- sandbox/binary.py — Binary resolution with SHA256 verification
- sandbox/mac.py + windows.py — Platform-specific runners
- mcp_server.py — run_code tool (opt-in via ENTRABOT_ENABLE_RUN_CODE=1)
- scripts/setup_sandbox.sh + .ps1 — Binary provisioning with self-signing
- sandbox/session.py — Phase 2 stub for future Entra-bound session isolation
- tests/sandbox/ suite + opt-in adversarial integration tests
- sandbox/linux.py — Optional, lower priority
Security Model (Hardened)
✅ Disabled by default (ENTRABOT_ENABLE_RUN_CODE=1 required)
✅ Positive-allowlist-only (no deniedPaths reliance; Windows doesn't support it)
✅ Backend-aware fail-closed (refuses policies with unenforceable primitives)
✅ Binary verification (SHA256 check before exec; untrusted → refuse to run)
✅ No secrets in sandbox (keychainAccess=false hardcoded, not overridable)
✅ Audit-first (fail-closed if audit fails)
✅ Structured argv, no shell (no shell-metachar escapes)
✅ Operator-set ceiling, LLM can only narrow (Learning #54)
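The clamping and verification rules listed above, as an added Python sketch that is not entrabot's or MXC's code: the allowedPaths, deniedPaths and keychainAccess keys mirror the policy terms this issue names, while OPERATOR_CEILING, the ENFORCEABLE table and the backend names are assumptions.

```python
import hashlib
import posixpath


class PolicyError(ValueError):
    """Raised when a requested policy cannot be enforced or exceeds the ceiling."""


# Hypothetical operator ceiling: the widest set of paths any run may touch.
OPERATOR_CEILING = ("/workspace", "/tmp/entrabot")

# Hypothetical table of primitives each backend can enforce; Windows has no
# deny-list primitive, which is why the policy builder is allowlist-only.
ENFORCEABLE = {
    "mac": {"allowedPaths", "deniedPaths", "keychainAccess"},
    "windows": {"allowedPaths", "keychainAccess"},
}


def clamp_policy(requested: dict, backend: str) -> dict:
    """Narrow an LLM-requested policy to the operator ceiling, fail-closed."""
    enforceable = ENFORCEABLE.get(backend)
    if enforceable is None:
        raise PolicyError(f"unknown backend {backend!r}")
    unenforceable = set(requested) - enforceable
    if unenforceable:
        raise PolicyError(f"{backend} cannot enforce {sorted(unenforceable)}")
    if "deniedPaths" in requested:  # never rely on a deny-list, even on macOS
        raise PolicyError("deniedPaths is not relied upon; use the allowlist")
    if requested.get("keychainAccess"):  # secrets never enter the sandbox
        raise PolicyError("keychainAccess is hardcoded to false")
    allowed = []
    for raw in requested.get("allowedPaths", []):
        path = posixpath.normpath(raw)  # resolve ".." before the ceiling check
        if not any(path == c or path.startswith(c + "/") for c in OPERATOR_CEILING):
            raise PolicyError(f"{path} is outside the operator ceiling")
        allowed.append(path)
    return {"allowedPaths": allowed, "keychainAccess": False}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_binary(path: str, expected_sha256: str) -> bool:
    """True only if the on-disk MXC binary matches the pinned digest; else refuse to exec."""
    with open(path, "rb") as f:
        return sha256_hex(f.read()) == expected_sha256.lower()
```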
Phase 2 (Stub Now, Build Later)
Entra-bound session isolation + Intune governance. Platform surfaces not GA yet (Windows Insider-only, Entra/Intune binding APIs unreleased). Ship seams:
- Backend.SESSION enum value
- session.py stub with Phase-2 requirements docstring
- identity_binding() hook
Success Criteria
- pytest -v && ruff check .
- run_code tool not registered when env flag unset
References
- Build 2026 announcement: Windows Developer Blog, "Windows platform security for AI agents" (2026-06-02)
- MXC OSS repo: github.com/microsoft/mxc
- Schema: 0.6.0-alpha
- Supersedes: TODOS.md "AppContainer sandbox production implementation" item