### Verify WSLC Functionality with Hello World Example

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-getting-started.md

Execute the included hello world configuration for WSLC to verify that the setup is working correctly. This command requires the --experimental flag.

```powershell
cd
. src/target/x86_64-pc-windows-msvc/release/wxc-exec.exe --experimental --debug examples/wslc_hello_world.json
```

--------------------------------

### Setup WSLc SDK Installation Script

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-support-plan.md

A PowerShell script (`scripts/setup-wslc.ps1`) to automate the setup of the WSLC SDK prerequisite. It verifies installation, pre-pulls images, and supports custom storage paths.

```PowerShell
wxc-exec.exe --setup-wslc
```

--------------------------------

### Install Rust Toolchain

Source: https://github.com/microsoft/mxc/blob/main/docs/macos-support/seatbelt-backend.md

Installs the Rust programming language toolchain, including the `rustup` installer and environment setup.

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"
```

--------------------------------

### One-time Setup: Install WSLC SDK MSI

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-support-plan.md

Execute this command to install the Windows Subsystem for Linux (WSL) Container SDK MSI package.

```powershell
msiexec /i wsl.2.8.1.0.x64.msi
```

--------------------------------

### Install and Build SDK

Source: https://github.com/microsoft/mxc/blob/main/README.md

Installs the necessary dependencies and builds the SDK. This is a prerequisite for using the SDK.

```bash
npm install && npm run build
```

--------------------------------

### Start Sandbox

Source: https://github.com/microsoft/mxc/blob/main/docs/state-aware-lifecycle/mxc-state-aware-sandbox-api-overview.md

Starts a previously provisioned sandbox.
It takes the sandbox ID and optional configuration, returning a Promise that resolves with the StartResult.

```APIDOC
## startSandbox

### Description
Starts a previously provisioned sandbox. This function requires the sandbox ID and accepts optional configuration and spawn options, returning a Promise that resolves with the StartResult.

### Method
`startSandbox(sandboxId: SandboxId, config?: StartConfigFor, options?: SandboxSpawnOptions): Promise>`

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
- **sandboxId** (SandboxId) - Required - The ID of the sandbox to start.
- **config** (StartConfigFor) - Optional - Configuration specific to the start phase for the given backend.
- **options** (SandboxSpawnOptions) - Optional - Options for spawning the sandbox.
```

--------------------------------

### Programmatic SDK Usage Example

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-support-plan.md

Illustrates how to programmatically spawn a sandbox environment using the SDK, with experimental features enabled.

```javascript
spawnSandbox("python3 app.py", policy, { experimental: true })
```

--------------------------------

### Local Fuzzing Setup and Execution (Windows)

Source: https://github.com/microsoft/mxc/blob/main/docs/fuzzing.md

Installs nightly Rust, cargo-fuzz, and configures the PATH for the MSVC ASAN runtime. Runs a fuzz target for a specified duration using a local seed corpus.

```powershell
# One-time setup
rustup toolchain install nightly --profile minimal
cargo +nightly install cargo-fuzz

# Put the MSVC ASAN runtime DLL on PATH for this shell
# (backtick is the PowerShell line continuation; backslashes are escaped in the -Match regex)
$asanDir = (Get-ChildItem 'C:\Program Files\Microsoft Visual Studio' -Recurse `
    -Filter 'clang_rt.asan_dynamic-x86_64.dll' -ErrorAction SilentlyContinue `
    | Where-Object FullName -Match 'HostX64\\x64\\clang_rt' | Select-Object -First 1).Directory.FullName
$env:PATH = "$asanDir;$env:PATH"

# Run a target for 30 seconds (uses tests/configs/ as the seed corpus)
cd src\testing\fuzz
cargo +nightly fuzz run config_parser ..\..\tests\configs -- -max_total_time=30
```

--------------------------------

### Install Python 3 via Homebrew

Source: https://github.com/microsoft/mxc/blob/main/docs/macos-support/seatbelt-backend.md

Installs Python 3 using Homebrew, making `python3` available for use in example configurations.

```bash
brew install python
```

--------------------------------

### NanVix MicroVM Configuration Example

Source: https://github.com/microsoft/mxc/blob/main/docs/nanvix-microvm/nanvix-integration-plan.md

Example JSON configuration for running a process within a NanVix microVM. Specifies the command line and timeout for the process.

```json
{
  "process": {
    "commandLine": "import sys\nprint(f'Python {sys.version} on {sys.platform}')",
    "timeout": 30000
  },
  "containment": "microvm"
}
```

--------------------------------

### WSLC Configuration Example

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-support-plan.md

Illustrates the updated JSON configuration format for WSLC, specifying the containment type, command line, and timeout settings.

```json
{
  "containment": "wslc",
  "process": {
    "commandLine": "...",
    "timeout": "..."
  }
}
```

--------------------------------

### Install Xcode Command Line Tools

Source: https://github.com/microsoft/mxc/blob/main/docs/macos-support/seatbelt-backend.md

Installs the necessary tools for building native binaries on macOS.

```bash
xcode-select --install
```

--------------------------------

### WSL Container Configuration Example

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-support-plan.md

An example JSON configuration for setting up a WSL container, specifying the image, CPU count, memory, and filesystem settings. This configuration is used when the 'containment' field is set to 'wslc'.

```json
{
  "containment": "wslc",
  "process": {
    "commandLine": "python3 -c \"print('hello')\"",
    "timeout": 60000
  },
  "wslc": {
    "image": "python:3.12",
    "cpuCount": 2,
    "memoryMb": 4096
  },
  "filesystem": {
    "readwritePaths": ["C:\\workspace"]
  },
  "network": {
    "defaultPolicy": "block"
  }
}
```

--------------------------------

### Full Lifecycle Example: IsolationSession

Source: https://github.com/microsoft/mxc/blob/main/docs/state-aware-lifecycle/mxc-state-aware-sandbox-api.md

Demonstrates the complete lifecycle of an IsolationSession sandbox, from provisioning to deprovisioning. Includes examples of buffered and streaming command execution.

```typescript
import {
  provisionSandbox,
  startSandbox,
  execInSandbox,
  execInSandboxAsync,
  stopSandbox,
  deprovisionSandbox,
  getAvailableToolsPolicy,
  IsolationSessionProvisionConfig,
  SandboxSpawnOptions,
} from '@microsoft/mxc-sdk';

const tools = getAvailableToolsPolicy();

const provisionConfig: IsolationSessionProvisionConfig = {
  filesystem: {
    readwritePaths: ['C:\\workspace', ...tools.readwritePaths],
    readonlyPaths: tools.readonlyPaths,
  },
  network: { defaultPolicy: 'allow', allowedHosts: ['api.anthropic.com'] },
};

// IsolationSession is experimental, so every call carries `experimental: true`.
const opts: SandboxSpawnOptions = { experimental: true };

// Provision — cross-cutting fields apply at this phase per the IS honor matrix (§10.3).
const { sandboxId } = await provisionSandbox('isolation_session', provisionConfig, opts);

// Start — backend-specific config picks the session size.
await startSandbox(sandboxId, { configurationId: 'small' }, opts);

// Exec — buffered convenience for short workloads.
const result = await execInSandboxAsync(
  sandboxId,
  { process: { commandLine: 'echo hello', timeout: 5000 } },
  opts,
);
console.log(result.stdout); // "hello\n"

// Exec — streaming for long-running workloads. Returns IPty.
const session = execInSandbox(
  sandboxId,
  { process: { commandLine: 'C:\\workspace\\agent.exe --watch' } },
  opts,
);
session.onData((chunk) => process.stdout.write(chunk));
session.onExit(({ exitCode }) => console.log(`agent exit: ${exitCode}`));

// Stop and deprovision when done. Stop and deprovision Configs carry only `version?`,
// so callers typically pass `{}` (or omit when no options are needed).
await stopSandbox(sandboxId, {}, opts);
await deprovisionSandbox(sandboxId, {}, opts);
```

--------------------------------

### Full MXC Configuration Schema Example

Source: https://github.com/microsoft/mxc/blob/main/docs/schema.md

This is a comprehensive example of the MXC configuration JSON, illustrating all available settings for version, container ID, containment, lifecycle, process, filesystem, fallback, network, processContainer, LXC, and experimental features.

```json
{
  "version": "0.4.0-alpha",            // Schema version (semver). Current stable: "0.4.0-alpha". Also accepts "0.5.0-alpha".
  "containerId": "my-container",       // Externally assigned container ID
  "containment": "processcontainer",   // Backend (see table below)
  "lifecycle": {
    "destroyOnExit": true,             // Destroy container after execution
    "preservePolicy": false            // Retain container policies after exit if applicable
  },
  "process": {
    "commandLine": "python app.py",    // Required: command to execute
    "cwd": "C:\\workspace",            // Working directory
    "env": ["MY_VAR=value"],           // Environment variables as KEY=VALUE
    "timeout": 30000                   // Timeout in ms (0 = no timeout)
  },
  "filesystem": {
    "readwritePaths": ["C:\\temp"],    // Read-write access
    "readonlyPaths": ["C:\\data"],     // Read-only access
    "deniedPaths": ["C:\\Windows"]
  },
  "fallback": {
    "allowDaclMutation": true          // Allow Tier 3 DACL fallback (default true)
  },
  "network": {
    "defaultPolicy": "block",          // "allow" or "block"
    "enforcementMode": "firewall",     // "capabilities", "firewall", or "both"
    "proxy": { "localhost": 8080 }     // Loopback proxy port (processcontainer; bubblewrap)
  },
  "processContainer": {
    "leastPrivilege": false,
    "capabilities": ["internetClient"]
  },
  "lxc": {
    "distribution": "alpine",
    "release": "3.19"
  },
  "experimental": {
    "wslc": {
      "image": "alpine:latest",
      "imageTarPath": "C:\\images\\alpine.tar",
      "cpuCount": 4,
      "memoryMb": 2048,
      "gpu": false,
      "storagePath": "C:\\wslc-storage"
    },
    "seatbelt": {
      "profileOverride": null,
      "guiAccess": false,
      "launchMethod": "exec",
      "nestedPty": true,
      "keychainAccess": false
    }
  }
}
```

--------------------------------

### Prepare Null Device Log Record Example

Source: https://github.com/microsoft/mxc/blob/main/docs/host-prep.md

An example of a JSON-Lines log record generated by prepare-null-device, detailing the operation's outcome.

```json
{"ts":"2025-01-01T12:00:00Z","op":"prepare-null-device","want_sacl":true,"result":"applied","drift":"dacl-differs"}
```

--------------------------------

### Bubblewrap Filesystem Policy Example

Source: https://github.com/microsoft/mxc/blob/main/docs/bwrap-support/bubblewrap-backend.md

Configures read-write, read-only, and denied paths for a Bubblewrap sandbox. This example mounts /data read-only, /workspace read-write, and denies access to /secrets.

```json
{
  "version": "0.6.0-alpha",
  "containment": "bubblewrap",
  "process": {
    "commandLine": "cat /data/input.txt && echo result > /workspace/output.txt"
  },
  "filesystem": {
    "readonlyPaths": ["/data"],
    "readwritePaths": ["/workspace"],
    "deniedPaths": ["/secrets"]
  }
}
```

--------------------------------

### Basic Hello World Script

Source: https://github.com/microsoft/mxc/blob/main/docs/examples.md

A simple example to print 'Hello from MXC!' and the Python version. This is useful for verifying basic script execution.

```json
{
  "script": "python -c \"import sys; print('Hello from MXC!'); print(f'Python version: {sys.version}');\"",
  "processContainer": {
    "name": "CLI-HelloWorld"
  }
}
```

--------------------------------

### Start Backend Dispatch (Rust)

Source: https://github.com/microsoft/mxc/blob/main/docs/state-aware-lifecycle/mxc-state-aware-sandbox-api.md

Rust code showing the backend's handling of the start request, including deserializing experimental configuration.

```rust
// Dispatcher deserializes `experimental.isolation_session.start` into
// IsolationSessionStartConfig { configuration_id: Small }, then calls:
backend.start(
    "iso:reg-abc:prov-123",
    &request,
    Some(IsolationSessionStartConfig { configuration_id: Small }),
)
// returns Ok(StartResult { metadata: None })
```

--------------------------------

### Install LXC on Fedora/RHEL

Source: https://github.com/microsoft/mxc/blob/main/docs/lxc-support/lxc-backend.md

Installs LXC and development libraries on Fedora/RHEL-based systems.

```bash
sudo dnf install lxc lxc-devel
```

--------------------------------

### Install Bubblewrap on Fedora/RHEL

Source: https://github.com/microsoft/mxc/blob/main/docs/bwrap-support/bubblewrap-backend.md

Installs the bubblewrap package on Fedora or RHEL systems.

```bash
sudo dnf install bubblewrap
```

--------------------------------

### Install LXC on Arch Linux

Source: https://github.com/microsoft/mxc/blob/main/docs/lxc-support/lxc-backend.md

Installs LXC on Arch Linux systems.

```bash
sudo pacman -S lxc
```

--------------------------------

### NanVix CLI Debug Output Example

Source: https://github.com/microsoft/mxc/blob/main/docs/nanvix-microvm/nanvix-integration-plan.md

Example output from the wxc-exec command with the --debug flag, showing script details, NanVix configuration, and execution results.

```text
$ wxc-exec.exe --debug microvm_config.json
Script code length: 58
Working directory:
Script timeout: 30000
Container name: CLI
NanVix: nanvixd="C:\\nanvix\\bin\\nanvixd.exe"
NanVix: bin_dir="C:\\nanvix\\bin"
NanVix: ramfs="C:\\nanvix\\bin\\nanvix_rootfs.img"
NanVix: python="C:\\nanvix\\bin\\python3.initrd"
NanVix: process exited with code 0
Exit code: 0
Python 3.12.3 (tags/0715636-nanvix-03bba66:0715636) on nanvix
```

--------------------------------

### Bubblewrap Process Settings Example

Source: https://github.com/microsoft/mxc/blob/main/docs/bwrap-support/bubblewrap-backend.md

Configures the command line, working directory, environment variables, and timeout for a process within a Bubblewrap sandbox.

```json
{
  "process": {
    "commandLine": "python3 script.py",
    "cwd": "/workspace",
    "env": ["PATH=/usr/bin", "HOME=/tmp"],
    "timeout": 30000
  }
}
```

--------------------------------

### JSON Configuration Example

Source: https://github.com/microsoft/mxc/blob/main/docs/nanvix-microvm/nanvix-integration-plan.md

Example of the JSON configuration format used for Nanvix execution. Specifies the command line and timeout for the process, and the containment type.

```json
{
  "process": {
    "commandLine": "print('Hello from NanVix!')",
    "timeout": 30000
  },
  "containment": "microvm"
}
```

--------------------------------

### Installing Python with Winget

Source: https://github.com/microsoft/mxc/blob/main/tests/playground/src/renderer/index.html

Install Python using the winget package manager. This version works out of the box with MXC.

```powershell
winget install Python.Python.3.14
```

--------------------------------

### Start Diagnostic Console and Run

Source: https://github.com/microsoft/mxc/blob/main/docs/diagnostics.md

Starts the diagnostic console and then enables diagnostics before running the MXC execution environment. Requires admin privileges for ETW.

```powershell
# Terminal 1: start the diagnostic console (run as admin for ETW)
mxc-diagnostic-console.exe

# Terminal 2: enable diagnostics and run
$env:MXC_DIAG_CONSOLE = "1"
wxc-exec.exe --experimental my-config.json
```

--------------------------------

### Setup WSLC with a Specific Image

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-support-plan.md

Use this PowerShell command to pre-pull a container image using the setup script. This ensures the image is available locally before invoking the runner.

```powershell
.\scripts\setup-wslc.ps1 -Image alpine:latest
```

--------------------------------

### Simple Sandbox Creation

Source: https://github.com/microsoft/mxc/blob/main/docs/sandbox-policy/v1/policy.md

A basic example of spawning a sandbox with a given script and policy. This uses the default process containment.

```typescript
spawnSandbox(script, policy);
```

--------------------------------

### Example: Built-in Test Proxy with Allowlist

Source: https://github.com/microsoft/mxc/blob/main/docs/bwrap-support/bubblewrap-backend.md

This configuration uses the bundled linux-test-proxy for tests. It allows connections only to 'api.github.com'. Ensure 'builtinTestServer' is true for this mode.

```json
{
  "version": "0.6.0-alpha",
  "platform": "linux",
  "containment": "bubblewrap",
  "process": {
    "commandLine": "curl -fsSL https://api.github.com/zen && echo OK"
  },
  "network": {
    "defaultPolicy": "allow",
    "proxy": { "builtinTestServer": true },
    "allowedHosts": ["api.github.com"]
  }
}
```

--------------------------------

### Verify wxc-exec.exe Startup

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-getting-started.md

Check if the wxc-exec.exe binary starts without errors after building it with WSLC support.

```powershell
.\src\target\x86_64-pc-windows-msvc\release\wxc-exec.exe --help
```

--------------------------------

### MXC Config JSON Example

Source: https://github.com/microsoft/mxc/blob/main/docs/versioning.md

Illustrates the structure of an MXC configuration JSON, which includes the same version as the SandboxPolicy.

```json
{
  "version": "0.4.0-alpha",
  "process": { ... },
  "filesystem": { ... },
  "network": { ... }
}
```

--------------------------------

### MicroVM Hello World Configuration

Source: https://github.com/microsoft/mxc/blob/main/docs/nanvix-microvm/nanvix-integration-plan.md

An example JSON configuration file for setting up a MicroVM environment for a 'hello world' scenario. This file specifies the backend and containment strategy.

```json
{
  "backend": {
    "type": "nanvix",
    "config": {
      "containment": "microvm"
    }
  },
  "command": [
    "print('Hello from MicroVM!')"
  ],
  "timeout": 5000
}
```

--------------------------------

### State-Aware Call After Graduation

Source: https://github.com/microsoft/mxc/blob/main/docs/state-aware-lifecycle/mxc-state-aware-sandbox-api.md

Example of a state-aware 'start' call against IsolationSession after the backend's state-aware path has graduated. The 'experimental' block is removed.

```json
{
  "version": "0.7.0-alpha",
  "phase": "start",
  "sandboxId": "iso:reg-abc:prov-123",
  "isolation_session": {
    "start": { "configurationId": "small" }
  }
}
```

--------------------------------

### State-Aware Call Before Graduation

Source: https://github.com/microsoft/mxc/blob/main/docs/state-aware-lifecycle/mxc-state-aware-sandbox-api.md

Example of a state-aware 'start' call against IsolationSession before the backend's state-aware path has graduated. Note the 'experimental' block.

```json
{
  "version": "0.6.0-alpha",
  "phase": "start",
  "sandboxId": "iso:reg-abc:prov-123",
  "experimental": {
    "isolation_session": {
      "start": { "configurationId": "small" }
    }
  }
}
```

--------------------------------

### Running wxc-exec with Experimental Flag

Source: https://github.com/microsoft/mxc/blob/main/docs/versioning.md

Demonstrates how to execute wxc-exec or lxc-exec with a configuration file and enable experimental features using the --experimental flag.

```bash
wxc-exec.exe config.json --experimental
lxc-exec config.json --experimental

# Flag order does not matter — these are equivalent:
wxc-exec.exe --experimental config.json
```

--------------------------------

### Create and Run a Sandbox

Source: https://github.com/microsoft/mxc/blob/main/sdk/README.md

This snippet demonstrates how to create a sandbox configuration from a policy, spawn a sandbox process, and capture its output. It checks for platform support, discovers host tools, and sets up filesystem and network policies.

```typescript
import {
  spawnSandboxFromConfig,
  createConfigFromPolicy,
  getAvailableToolsPolicy,
  getTemporaryFilesPolicy,
  getPlatformSupport,
} from '@microsoft/mxc-sdk';

if (!getPlatformSupport().isSupported) {
  throw new Error('MXC not available on this host');
}

// Discover host tools (python, node, etc.) and a writable temp dir.
const tools = getAvailableToolsPolicy(process.env);
const temp = getTemporaryFilesPolicy();

const config = createConfigFromPolicy({
  version: '0.5.0-alpha',
  filesystem: {
    readonlyPaths: tools.readonlyPaths,   // PATH, PYTHONPATH, JAVA_HOME, …
    readwritePaths: temp.readwritePaths,  // %TEMP% / $TMPDIR
  },
  network: { allowOutbound: false },
  timeoutMs: 30_000,
});

config.process!.commandLine = 'python -c "print(\'hello from sandbox\')"';

const child = spawnSandboxFromConfig(config, { usePty: false });
child.stdout!.on('data', (d) => process.stdout.write(d));
child.on('close', (code) => console.log('exit:', code));
```

--------------------------------

### Install Homebrew Package Manager

Source: https://github.com/microsoft/mxc/blob/main/docs/macos-support/seatbelt-backend.md

Installs Homebrew, a package manager for macOS, which is used to install other development tools.

```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```

--------------------------------

### Start Request Payload (JSON)

Source: https://github.com/microsoft/mxc/blob/main/docs/state-aware-lifecycle/mxc-state-aware-sandbox-api.md

The JSON payload for the start phase, including the sandbox ID and experimental configuration for starting the session.

```json
{
  "version": "0.6.0-alpha",
  "phase": "start",
  "sandboxId": "iso:reg-abc:prov-123",
  "experimental": {
    "isolation_session": {
      "start": { "configurationId": "small" }
    }
  }
}
```

--------------------------------

### Create Config with Abstract Intent

Source: https://github.com/microsoft/mxc/blob/main/sdk/README.md

Select a backend using an abstract intent like 'vm'. The SDK resolves this to a concrete backend suitable for the host. This example shows how to configure a sandbox for VM execution and set a command to run.

```typescript
const config = createConfigFromPolicy(policy, 'vm'); // → windows_sandbox on Windows
config.process!.commandLine = 'cmd /c whoami';
const pty = spawnSandboxFromConfig(config, { experimental: true });
```

--------------------------------

### Install Bubblewrap on Alpine

Source: https://github.com/microsoft/mxc/blob/main/docs/bwrap-support/bubblewrap-backend.md

Installs the bubblewrap package on Alpine Linux.

```bash
apk add bubblewrap
```

--------------------------------

### Install Bubblewrap on Debian/Ubuntu

Source: https://github.com/microsoft/mxc/blob/main/docs/bwrap-support/bubblewrap-backend.md

Installs the bubblewrap package on Debian or Ubuntu systems.

```bash
sudo apt install bubblewrap
```

--------------------------------

### Install LXC on Debian/Ubuntu

Source: https://github.com/microsoft/mxc/blob/main/docs/lxc-support/lxc-backend.md

Installs LXC and development libraries on Debian-based systems.

```bash
sudo apt install lxc lxc-utils liblxc-dev
```

--------------------------------

### Start IsolationSession (TypeScript)

Source: https://github.com/microsoft/mxc/blob/main/docs/state-aware-lifecycle/mxc-state-aware-sandbox-api.md

Initiates the start phase for a provisioned IsolationSession with specified configuration.

```typescript
await startSandbox(
  sandboxId,
  { configurationId: 'small' },
  { experimental: true },
);
```

--------------------------------

### Start Response Payload (JSON)

Source: https://github.com/microsoft/mxc/blob/main/docs/state-aware-lifecycle/mxc-state-aware-sandbox-api.md

The JSON response from the executor after the start phase, indicating success.

```json
{ "result": {} }
```

--------------------------------

### Typical WSLC Lifecycle Commands

Source: https://github.com/microsoft/mxc/blob/main/docs/wsl/wsl-container-getting-started.md

This shows the two-step process for daily use: first pre-pulling an image into the SDK cache, then executing a configuration against that cached image.

```powershell
# (one-time per image) pre-pull into the SDK cache
. scripts/setup-wslc.ps1 -Image

# (any number of times) execute against the cached image
. src/target/x86_64-pc-windows-msvc/release/wxc-exec.exe `
    --experimental my-config.json
```

--------------------------------

### Windows Sandbox Configuration Example

Source: https://github.com/microsoft/mxc/blob/main/docs/windows-sandbox/windows-sandbox.md

This JSON configuration specifies parameters for running a command within the Windows Sandbox. It includes the command to execute, timeouts, and experimental settings for sandbox management.

```json
{
  "version": "0.5.0-alpha",
  "containment": "windows_sandbox",
  "process": {
    "commandLine": "python -S -B -c \"print('hello')\"",
    "timeout": 60000
  },
  "experimental": {
    "windows_sandbox": {
      "idleTimeoutMs": 300000,
      "daemonPipeName": "wxc-windows-sandbox"
    }
  }
}
```

--------------------------------

### Install Node.js via Homebrew

Source: https://github.com/microsoft/mxc/blob/main/docs/macos-support/seatbelt-backend.md

Installs Node.js using Homebrew, required for building and testing the TypeScript SDK layer.

```bash
brew install node
```

--------------------------------

### Version Negotiation Steps

Source: https://github.com/microsoft/mxc/blob/main/docs/versioning.md

Outlines the step-by-step process for version negotiation between the user's SandboxPolicy and the MXC system, including OS calls and version selection.

```text
1. User sends SandboxPolicy with version "0.4.0-alpha"
2. MXC validates: is "0.4.0-alpha" ≤ SUPPORTED_VERSION?
   Yes → continue
   No → error: "upgrade wxc-exec"
3. MXC calls: EnumerateSandboxSpecVersionInfo(HIGHEST_MAJOR)
   OS returns: [ { version: "1.4.5", isAvailable: true }, { version: "2.0.0", isAvailable: true } ]
4. MXC selects the best tech language version for the features in the policy
5. MXC translates policy → flat buffer targeting that tech language version
6. MXC calls: CreateProcessInSandbox(flatbuffer)
   OS returns: success or error with disposition
```

--------------------------------

### Installing PowerShell 7+ MSI package

Source: https://github.com/microsoft/mxc/blob/main/tests/playground/src/renderer/index.html

Install the PowerShell 7+ MSI package. MSIX and Microsoft Store versions are not supported.

```powershell
Install MSI package
```

--------------------------------

### Install MXC TypeScript SDK

Source: https://github.com/microsoft/mxc/blob/main/README.md

Installs the MXC TypeScript SDK package from npm. This is the first step to using the SDK in a Node.js project.

```bash
npm install @microsoft/mxc-sdk
```

--------------------------------

### Default-Deny Policy Example

Source: https://github.com/microsoft/mxc/blob/main/docs/sandbox-policy/v1/policy.md

Demonstrates how to create a fully locked-down sandbox by providing an empty policy. Future policy versions will default to denied permissions for new fields.

```typescript
spawnSandbox("script.sh", { version: "0.5.0-dev" });
```

--------------------------------

### Build mxc-exec-mac for all architectures

Source: https://github.com/microsoft/mxc/blob/main/docs/macos-support/seatbelt-backend.md

Build the mxc-exec-mac binary for both Apple Silicon and Intel architectures for distribution.

```bash
./build-mac.sh --all
```

--------------------------------

### macOS Seatbelt Backend Configuration Example

Source: https://github.com/microsoft/mxc/blob/main/docs/macos-support/seatbelt-backend.md

This JSON configuration sets up the Seatbelt backend for MXC, specifying containment, process details, filesystem access, network policies, and experimental Seatbelt options.

```json
{
  "$schema": "./schemas/dev/mxc-config.schema.0.7.0-dev.json",
  "containment": "seatbelt",
  "process": {
    "commandLine": "echo hi from seatbelt",
    "timeout": 30000
  },
  "filesystem": {
    "readwritePaths": ["/tmp/output"],
    "readonlyPaths": ["/Users/me/project"],
    "deniedPaths": ["/Users/me/.ssh"]
  },
  "network": {
    "defaultPolicy": "block",
    "allowedHosts": ["api.github.com"]
  },
  "experimental": {
    "seatbelt": {
      "mode": "exec"
    }
  }
}
```

--------------------------------

### Run mxc-exec-mac with a config file

Source: https://github.com/microsoft/mxc/blob/main/docs/macos-support/seatbelt-backend.md

Execute the mxc-exec-mac binary with the experimental flag and a configuration file.

```bash
./mxc-exec-mac --experimental config.json
```

--------------------------------

### Test Configuration for Experimental Feature

Source: https://github.com/microsoft/mxc/blob/main/docs/authoring-a-new-feature.md

Create a JSON configuration file to test the new experimental feature. This example shows how to define `gpuIsolation` settings within the `experimental` block.

```json
{
  "version": "0.5.0-alpha",
  "containment": "processcontainer",
  "process": {
    "commandLine": "cmd.exe /c echo gpu isolation test"
  },
  "experimental": {
    "gpuIsolation": {
      "deviceIndex": 0,
      "memoryLimitMb": 1024,
      "allowCuda": true
    }
  }
}
```

--------------------------------

### SDK Usage for NanVix Sandbox

Source: https://github.com/microsoft/mxc/blob/main/docs/nanvix-microvm/nanvix-integration-plan.md

Example of spawning a sandbox asynchronously using the MXC SDK with NanVix containment. Demonstrates basic script execution and retrieving stdout and exit code.

```typescript
import { spawnSandboxAsync } from '@microsoft/mxc-sdk';

const result = await spawnSandboxAsync(
  "print('Hello from NanVix!')",
  {}, // no policy needed — NanVix is isolated by design
  { containment: 'microvm' }
);

console.log(result.stdout);   // "Hello from NanVix!"
console.log(result.exitCode); // 0
```

--------------------------------

### Bubblewrap Hello World Configuration

Source: https://github.com/microsoft/mxc/blob/main/docs/bwrap-support/bubblewrap-backend.md

A basic JSON configuration for the Bubblewrap backend to run a simple 'echo' command.

```json
{
  "version": "0.6.0-alpha",
  "containment": "bubblewrap",
  "process": {
    "commandLine": "echo 'Hello from Bubblewrap sandbox'"
  }
}
```

--------------------------------

### SandboxPolicy Example

Source: https://github.com/microsoft/mxc/blob/main/docs/versioning.md

Defines a SandboxPolicy object with a specified version and filesystem/network configurations.

```typescript
const policy: SandboxPolicy = {
  version: "0.4.0-alpha",
  filesystem: { ... },
  network: { ... },
  timeoutMs: 30000,
};
```

--------------------------------

### Build TypeScript SDK

Source: https://github.com/microsoft/mxc/blob/main/CONTRIBUTING.md

Installs dependencies and builds the TypeScript SDK for the MXC project.

```bash
# SDK (from sdk/)
npm install && npm run build
```