Tracking issue for porting the MXC (Microsoft eXecution Container) sandbox from macOS to Windows. The macOS Phase 1 (Seatbelt) implementation landed in #86; this tracks bringing the same containment to Windows using the Windows MXC preview.
Why
entrabot owns agent identity + attribution for cloud actions; MXC is the OS-enforced containment boundary around the agent's local code execution. Windows is MXC's primary platform (processcontainer is a default, non-experimental backend there), and it's the only place the session-isolation + Entra-binding story (Phase 2) can actually be validated.
What's already built (cross-platform, from #86)
- src/entrabot/sandbox/base.py — SandboxRunner protocol, SandboxPolicy, error taxonomy
- src/entrabot/sandbox/policy.py — build_policy() (MXC 0.6.0-alpha JSON), clamp_to_ceiling() (operator ceiling, see #54: "Learning tools: Non-atomic cursor write can regress to bootstrap path — PR #17/18 fix lost on crash")
- src/entrabot/sandbox/binary.py — binary resolve + SHA256 pin verification
- src/entrabot/sandbox/__init__.py — get_sandbox_runner() platform dispatch
- src/entrabot/sandbox/mac.py — SeatbeltRunner (the proven reference impl)
- run_code / write_local_file MCP tools
Done = checklist
- src/entrabot/sandbox/windows.py — ProcessContainerRunner implementing the SandboxRunner protocol (run / get_capabilities / identity_binding), mirroring mac.py. Backend process → processcontainer (AppContainer → BaseContainer). Invoke wxc-exec.exe via file or --config-base64 (NOT the macOS stdin patch). get_capabilities() must report network host-filtering as unenforced on Windows so the fail-closed logic refuses policies it can't honor.
- Wire into get_sandbox_runner() — src/entrabot/sandbox/__init__.py lines 29–31 currently raise SandboxUnavailableError("Windows ProcessContainer runner not yet implemented"). Replace with the real runner.
- Pin the real win32-x86_64 / win32-amd64 SHA256 (see blocker issue) — resolve_and_verify() fails closed on the current all-zero placeholders.
- Fix the operator-ceiling path-separator bug (see blocker issue) — run_code shreds Windows drive-letter paths.
- Add scripts/setup_sandbox.ps1 (idempotent, non-fatal) — locate/install wxc-exec, set MXC_BIN_DIR.
- Validate the demo matrix on Windows: write-to-Documents BLOCKED, read-from-Documents ALLOWED, write-to-temp ALLOWED, driven by ENTRABOT_SANDBOX_READWRITE_PATHS.
- Full suite green on Windows: pytest -v --tb=short && ruff check . (TDD — failing test first, per AGENTS.md).
- docs/platform-learnings note on what the Windows preview actually exposed for processcontainer, isolation_session, and Entra binding (announced vs reachable).
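The first checklist item above requires the Windows runner to report network host-filtering as unenforced so that fail-closed logic refuses a policy it cannot honor. As an added example (not code from the entrabot project), the block below sketches that shape: a capabilities record, a runner that reports honestly, and a gate that refuses rather than silently running under weaker containment. The class, field and function names (SandboxCapabilities, required_capabilities, unenforceable, run_fail_closed, FullEnforcementRunner) are assumptions modelled on the issue text, not the project's real SandboxRunner API.

```python
"""Added example (not entrabot's code): fail-closed capability check.

All names here are assumptions modelled on the issue's description of
get_capabilities(); they are not the project's real API.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Protocol


class PolicyUnenforceableError(Exception):
    """Raised when the runner cannot enforce every constraint the policy asks for."""


@dataclass(frozen=True)
class SandboxCapabilities:
    backend: str
    filesystem_allowlist: bool      # read/write path allowlist enforced by the OS
    network_host_filtering: bool    # per-host egress filtering enforced by the OS


@dataclass(frozen=True)
class SandboxPolicy:
    readwrite_paths: tuple[str, ...] = ()
    # Empty means no host filtering is requested; non-empty asks for per-host egress control.
    allowed_hosts: tuple[str, ...] = ()


class SandboxRunner(Protocol):
    def get_capabilities(self) -> SandboxCapabilities: ...


class ProcessContainerRunner:
    """Hypothetical Windows runner that reports what it cannot enforce."""

    def get_capabilities(self) -> SandboxCapabilities:
        return SandboxCapabilities(
            backend="processcontainer",
            filesystem_allowlist=True,
            network_host_filtering=False,  # unenforced on Windows, per the issue
        )


class FullEnforcementRunner:
    """Constructed for contrast only; not a claim about any real backend."""

    def get_capabilities(self) -> SandboxCapabilities:
        return SandboxCapabilities(
            backend="constructed-full", filesystem_allowlist=True, network_host_filtering=True
        )


def required_capabilities(policy: SandboxPolicy) -> dict[str, bool]:
    """Which enforcement dimensions this policy relies on."""
    return {
        "filesystem_allowlist": bool(policy.readwrite_paths),
        "network_host_filtering": bool(policy.allowed_hosts),
    }


def unenforceable(runner: SandboxRunner, policy: SandboxPolicy) -> list[str]:
    """Capability names the policy needs but the runner does not enforce (empty = OK)."""
    caps = runner.get_capabilities()
    return [
        name
        for name, needed in required_capabilities(policy).items()
        if needed and not getattr(caps, name)
    ]


def run_fail_closed(runner: SandboxRunner, policy: SandboxPolicy, argv: list[str]) -> dict:
    """Refuse to run rather than silently execute under weaker containment."""
    missing = unenforceable(runner, policy)
    backend = runner.get_capabilities().backend
    if missing:
        raise PolicyUnenforceableError(f"{backend} cannot enforce {missing}; refusing to run")
    # A real runner would invoke the sandbox binary here; this example only echoes.
    return {"backend": backend, "argv": list(argv)}


if __name__ == "__main__":
    policy = SandboxPolicy(allowed_hosts=("api.example.invalid",))  # constructed host
    print(unenforceable(ProcessContainerRunner(), policy))  # ['network_host_filtering']
    print(unenforceable(FullEnforcementRunner(), policy))   # []
```

The point of the gate is that a policy with a non-empty host allowlist is refused on the Windows runner instead of being accepted with the network dimension quietly unenforced; the same policy passes on a runner that reports both dimensions as enforced.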
Phase 2 (don't build yet, just scout)
src/entrabot/sandbox/session.py is a stub; identity_binding() raises NotImplementedError. If the preview exposes session isolation + Entra binding, that's the path to attributing container activity to the entrabot Agent User — capture what's reachable.
Constraints: positive-allowlist only; pin schema 0.6.0-alpha, validate with --dry-run; MXC is 0.x (schema churn) and not a trusted boundary yet — defense-in-depth only, never relax an existing gate.
Read first
- docs/platform-learnings/mxc-windows-sandbox.md (backend table §2, policy schema §3, integration surfaces §4, gaps §7)
- docs/decisions/007-mxc-sandbox-integration.md (ADR)
- docs/guides/mxc-sandbox.md, scripts/demo_sandbox.py
- docs/runbooks/hard-won-learnings.md
Related: #86 (macOS Phase 1).
Blockers (must land first)
- split(":") shreds Windows drive-letter paths
- wxc-exec.exe SHA256 (placeholder zeros fail closed)
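Both blockers (and the matching checklist items on the SHA256 pin and the operator-ceiling path separator) come down to two small pieces of logic. As an added example (not code from the entrabot project), the block below shows the `split(":")` defect next to a separator-aware fix with a ceiling clamp that handles drive-letter paths, and a pin check that treats the all-zero placeholder as "unset" so verification fails closed. The function names (split_path_list, clamp_paths_to_ceiling, pin_status, verify_pinned_binary), the pin table and the stand-in binary bytes are assumptions constructed for the demo, not the project's real binary.py or policy.py API, and the digests are not real wxc-exec digests.

```python
"""Added example (not entrabot's code): the two blockers, side by side.

Assumptions (not the project's real API): the operator ceiling arrives as a
path list such as ENTRABOT_SANDBOX_READWRITE_PATHS, and binary pins live in a
dict keyed by platform tag. The pin table is constructed for this demo.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from pathlib import PureWindowsPath

# --- Blocker 1: path-list separator -------------------------------------------


def split_path_list_buggy(raw: str) -> list[str]:
    """The bug: a hard-coded ':' shreds 'C:\\...' into a drive letter plus remainder."""
    return [p for p in raw.split(":") if p]


def split_path_list(raw: str, sep: str | None = None) -> list[str]:
    """Fixed: split on the platform list separator (';' on Windows, ':' elsewhere).

    `sep` is overridable so the Windows behaviour can be exercised on any host.
    """
    sep = os.pathsep if sep is None else sep
    return [p for p in raw.split(sep) if p]


def clamp_paths_to_ceiling(requested: list[str], ceiling: list[str]) -> list[str]:
    """Keep only requested paths that sit at or under an operator-ceiling entry.

    PureWindowsPath is used so drive letters and case-insensitive comparison
    behave the same regardless of the host running this example.
    """
    roots = [PureWindowsPath(c) for c in ceiling]
    return [
        path
        for path in requested
        if any(PureWindowsPath(path) == r or PureWindowsPath(path).is_relative_to(r) for r in roots)
    ]


# --- Blocker 2: placeholder SHA256 pins ---------------------------------------

PLACEHOLDER_SHA256 = "0" * 64

# Constructed stand-in bytes and pins; these are NOT real wxc-exec digests.
FAKE_DARWIN_BINARY = b"constructed stand-in for a verified binary"
PINNED_SHA256 = {
    "darwin-arm64": hashlib.sha256(FAKE_DARWIN_BINARY).hexdigest(),
    "win32-x86_64": PLACEHOLDER_SHA256,  # still a placeholder, as the issue reports
}


class PinError(Exception):
    """Raised when a binary cannot be verified against a trustworthy pin."""


def pin_status(platform_tag: str, data: bytes, pins: dict[str, str] = PINNED_SHA256) -> str:
    """Classify without raising: 'ok', 'unknown-platform', 'placeholder' or 'mismatch'."""
    pin = pins.get(platform_tag)
    if pin is None:
        return "unknown-platform"
    # The all-zero value, or anything that is not 64 hex chars, counts as unset.
    if pin == PLACEHOLDER_SHA256 or len(pin) != 64 or set(pin) - set("0123456789abcdef"):
        return "placeholder"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, pin) else "mismatch"


def verify_pinned_binary(platform_tag: str, data: bytes, pins: dict[str, str] = PINNED_SHA256) -> str:
    """Fail closed: only an exact match against a real pin returns the digest."""
    status = pin_status(platform_tag, data, pins)
    if status != "ok":
        raise PinError(f"{platform_tag}: {status}")
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    raw = r"C:\Users\alice\Documents;C:\Temp"  # constructed operator ceiling
    print("buggy:", split_path_list_buggy(raw))
    print("fixed:", split_path_list(raw, sep=";"))
    print(clamp_paths_to_ceiling([r"C:\Temp\job1", r"C:\Users\alice\Documents"], [r"C:\Temp"]))
    print(pin_status("win32-x86_64", b"any bytes"))  # placeholder
```

On a POSIX host `split_path_list` defaults to ':' via os.pathsep, so the fix does not change macOS behaviour; only the Windows case, where os.pathsep is ';', stops splitting inside drive letters. The pin check keeps the fail-closed property the issue relies on: a platform whose pin is still zeros is refused outright rather than compared against.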