
Windows MXC sandbox: ProcessContainerRunner (Phase 1 port) #92

Description

@brandwe

Tracking issue for porting the MXC (Microsoft eXecution Container) sandbox from macOS to Windows. The macOS Phase 1 (Seatbelt) implementation landed in #86; this tracks bringing the same containment to Windows using the Windows MXC preview.

Why

entrabot owns agent identity + attribution for cloud actions; MXC is the OS-enforced containment boundary around the agent's local code execution. Windows is MXC's primary platform (processcontainer is a default, non-experimental backend there), and it's the only place the session-isolation + Entra-binding story (Phase 2) can actually be validated.

What's already built (cross-platform, from #86)

  • src/entrabot/sandbox/base.py — SandboxRunner protocol, SandboxPolicy, error taxonomy
  • src/entrabot/sandbox/policy.py — build_policy() (MXC 0.6.0-alpha JSON), clamp_to_ceiling() (operator ceiling, #54)
  • src/entrabot/sandbox/binary.py — binary resolve + SHA256 pin verification
  • src/entrabot/sandbox/__init__.py — get_sandbox_runner() platform dispatch
  • src/entrabot/sandbox/mac.py — SeatbeltRunner (the proven reference impl)
  • run_code / write_local_file MCP tools

Done = checklist

  • src/entrabot/sandbox/windows.py — ProcessContainerRunner implementing the SandboxRunner protocol (run / get_capabilities / identity_binding), mirroring mac.py. Backend: processcontainer (AppContainer→BaseContainer). Invoke wxc-exec.exe via file or --config-base64 (NOT the macOS stdin patch). get_capabilities() must report network host-filtering as unenforced on Windows so fail-closed logic refuses policies it can't honor.
  • Wire into get_sandbox_runner() — src/entrabot/sandbox/__init__.py lines 29–31 currently raise SandboxUnavailableError("Windows ProcessContainer runner not yet implemented"). Replace with the real runner.
  • Pin real win32-x86_64 / win32-amd64 SHA256 (see blocker issue) — resolve_and_verify() fails closed on the current all-zero placeholders.
  • Fix the operator-ceiling path-separator bug (see blocker issue) — run_code shreds Windows drive-letter paths.
  • Add scripts/setup_sandbox.ps1 (idempotent, non-fatal) — locate/install wxc-exec, set MXC_BIN_DIR.
  • Validate the demo matrix on Windows: write-to-Documents BLOCKED, read-from-Documents ALLOWED, write-to-temp ALLOWED, driven by ENTRABOT_SANDBOX_READWRITE_PATHS.
  • Full suite green on Windows: pytest -v --tb=short && ruff check . (TDD — failing test first, per AGENTS.md).
  • docs/platform-learnings note on what the Windows preview actually exposed for processcontainer, isolation_session, and Entra binding (announced vs reachable).
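As an added illustration (not entrabot's code), the two fail-closed behaviours the checklist above asks for: the capability gate that refuses a policy the Windows runner cannot enforce, and an ENTRABOT_SANDBOX_READWRITE_PATHS parser that does not shred drive-letter paths. The field names, the capability dict shape, the error class, and the assumption that the ceiling code split on a hard-coded ':' are mine.

```python
from __future__ import annotations

import os
from dataclasses import dataclass, field


class PolicyUnenforceableError(RuntimeError):
    """Assumed error type: the runner cannot honor the policy, so do not run at all."""


@dataclass
class SandboxPolicy:
    # Assumed field names; both are positive allowlists (empty = nothing granted).
    readwrite_paths: list[str] = field(default_factory=list)
    network_hosts: list[str] = field(default_factory=list)


def parse_readwrite_paths(raw: str, pathsep: str = os.pathsep) -> list[str]:
    """Split ENTRABOT_SANDBOX_READWRITE_PATHS on the platform list separator.

    A hard-coded ':' (assumed to be the operator-ceiling bug) turns
    'C:\\Users\\me\\Documents' into ['C', '\\Users\\me\\Documents'];
    os.pathsep is ';' on Windows and ':' elsewhere, so drive letters survive.
    """
    return [p for p in raw.split(pathsep) if p]


def refuse_unenforceable(policy: SandboxPolicy, capabilities: dict[str, bool]) -> None:
    """Fail closed: a policy that relies on a control the runner reports as
    unenforced is rejected outright rather than run with silently weaker limits."""
    if policy.network_hosts and not capabilities.get("network_host_filtering", False):
        raise PolicyUnenforceableError("policy restricts network hosts but runner does not filter hosts")
    if policy.readwrite_paths and not capabilities.get("filesystem_readwrite_paths", False):
        raise PolicyUnenforceableError("policy scopes writable paths but runner cannot enforce them")


def policy_is_runnable(policy: SandboxPolicy, capabilities: dict[str, bool]) -> bool:
    try:
        refuse_unenforceable(policy, capabilities)
    except PolicyUnenforceableError:
        return False
    return True


# Constructed sample of what a Windows ProcessContainer runner's get_capabilities()
# would report today, per the checklist: writable paths enforced, host filtering not.
WINDOWS_CAPS = {"filesystem_readwrite_paths": True, "network_host_filtering": False}
```

A policy with a host allowlist must be refused on Windows until the preview exposes host filtering; the readwrite-paths case only needs the separator fix.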

Phase 2 (don't build yet, just scout)

src/entrabot/sandbox/session.py is a stub; identity_binding() raises NotImplementedError. If the preview exposes session isolation + Entra binding, that's the path to attributing container activity to the entrabot Agent User — capture what's reachable.

Read first

Constraints: positive-allowlist only; pin schema 0.6.0-alpha, validate with --dry-run; MXC is 0.x (schema churn) and not a trusted boundary yet — defense-in-depth only, never relax an existing gate.

Related: #86 (macOS Phase 1).

Blockers (must land first)
