Phase 3a: decouple ProcessContainer backend selection from schema version #580

Open
MGudgin wants to merge 2 commits into main from user/gudge/versioning_phase3a_decouple_backend

@MGudgin MGudgin commented Jun 26, 2026

Member

Stacked PR. Base is user/gudge/versioning_phase2_5_state_aware_conformance (Phase 2.5), not main. Review/merge 2.5 first; this branch will be retargeted to main once 2.5 lands.

Summary

Phase 3a of the versioning remediation. It decouples the Windows ProcessContainer AppContainer-vs-BaseContainer choice from the config's schema version, making backend selection purely host-capability driven: BaseContainer is preferred when the OS supports it, AppContainer is the downlevel fallback. The schema version no longer changes runtime backend selection, and --experimental no longer influences the AC/BC choice (it still gates the other experimental backends/features). This is the foundation for Phase 3b (raising the schema floor and retiring 0.4.0/0.5.0).

Details

  • Executor binary (src/core/wxc/src/main.rs): route ProcessContainer unconditionally through dispatch_with_fallback (already capability-driven, prefer_bc=true); delete the version/experimental gate and the else plain-AppContainer arm.
  • SDK streaming (src/core/mxc-sdk/src/dispatch.rs): select the backend with a direct fallback_detector::is_base_container_usable() probe — the same probe the dispatcher's Tier 1 selection uses, so the binary and streaming paths agree. Semantic shift (intentional): streaming on a non-BaseContainer host now gracefully uses AppContainer instead of fail-closing.
  • Delete is_base_container_version + BASE_CONTAINER_MIN_VERSION and their unit tests (src/core/wxc_common/src/config_parser.rs).
  • Reword now-stale hints/comments that told users to use schema 0.4.0-alpha to fall back to AppContainer (base_container_runner.rs, launch_diagnostics.rs, appcontainer_runner.rs, models.rs ContainmentBackend doc, mxc-sdk policy.rs).
  • Reframe the mxc-sdk sandbox.rs integration tests that used the policy version to select the tier as backend-agnostic ProcessContainer regression guards.

Behavior note: this only changes configs that previously took the plain-AppContainer path (schema < 0.5 without --experimental); every config that already satisfied experimental || version >= 0.5 already routed through the capability-driven dispatcher and is unaffected. Those legacy configs are retired in Phase 3b.

Tests

  • cargo test -p wxc_common -p mxc-sdk (357 + mxc-sdk pass).
  • cargo clippy --workspace --all-targets -- -D warnings; cargo fmt --all -- --check.
  • check-schema-codegen.js and check-sdk-types-codegen.js both green (no wire change).
Gudge and others added 2 commits June 26, 2026 11:31
This PR adds a compile-time conformance oracle for the SDK's state-aware
lifecycle types, extending the one-shot wire-conformance coverage to the
lifecycle surface so a change to the state-aware wire model that the SDK forgets
to mirror fails CI instead of drifting silently.

Details:
- Add sdk/tests/unit/wire-conformance-state-aware.test.ts: type-level assertions
  that the public state-aware types in sdk/src/state-aware-types.ts conform to
  the generated wire defs - the Phase and IsolationConfigurationId enums, the
  Entra user bundle (IsolationUser), and the per-phase IsolationSessionPhase
  field set - checked in both directions (public->wire and wire->public) so a new
  field on either side is caught. The per-phase wire surface is DERIVED from the
  real public phase configs (the union of their keys minus the lifted
  version/filesystem/process fields) rather than restated, so a newly exposed
  public phase field cannot bypass the oracle. The per-phase configs are asserted
  to reuse the one-shot public leaf types (ProcessConfig / FilesystemConfig).
- Extract the shared assertion helpers into sdk/tests/unit/conformance-helpers.ts
  and reuse them from both the one-shot and state-aware tests. OnlyInPublic strips
  the wire-side index signature so public-only key checks are non-vacuous against
  open generated objects (which carry `[k: string]: unknown`); this also makes the
  one-shot oracle's open-object key checks meaningful.
- Wire the new test into the SDK unit-test run list and document both conformance
  surfaces in docs/schema-codegen.md.

Tests:
- cd sdk && npm test -> 185 (incl. both conformance oracles).
- Negative probes confirm teeth on every drift surface: a widened sizing enum, a
  Phase change, a new wire or public user-bundle field, and a new wire or public
  per-phase field each make the corresponding assertion fail to compile.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Generated-with: claude-opus-4.8
…sion

This PR decouples the Windows ProcessContainer AppContainer-vs-BaseContainer
choice from the config's schema version, making it purely host-capability
driven: BaseContainer is preferred when the OS supports it, AppContainer is the
downlevel fallback. The schema `version` field no longer changes runtime backend
selection, and `--experimental` no longer influences the AC/BC choice (it still
gates other experimental backends/features). This is the foundation for Phase 3b
(raising the schema floor and retiring 0.4.0/0.5.0).

Details:
- Executor binary (wxc/src/main.rs): route ProcessContainer unconditionally
  through `dispatch_with_fallback` (already capability-driven, prefer_bc=true);
  delete the version/experimental gate and the `else` plain-AppContainer arm.
- SDK streaming (mxc-sdk/src/dispatch.rs): select the backend with a direct
  `fallback_detector::is_base_container_usable()` probe (the same probe the
  dispatcher's Tier 1 selection uses) instead of the version/experimental gate.
  This is a deliberate semantic shift: streaming on a non-BaseContainer host now
  gracefully uses AppContainer instead of fail-closing.
- Delete `is_base_container_version` + `BASE_CONTAINER_MIN_VERSION` and their
  unit tests (wxc_common/src/config_parser.rs).
- Reword now-stale hints/comments that told users to use schema '0.4.0-alpha' to
  fall back to AppContainer (base_container_runner.rs, launch_diagnostics.rs,
  appcontainer_runner.rs, models.rs ContainmentBackend doc, mxc-sdk policy.rs).
- Reframe the mxc-sdk sandbox.rs integration tests that used the policy version
  to select the tier as backend-agnostic ProcessContainer regression guards.

Behavior note: this only changes configs that previously took the plain-
AppContainer path (schema < 0.5 without --experimental); every config that
already satisfied `experimental || version >= 0.5` already routed through the
capability-driven dispatcher and is unaffected. Those legacy configs are retired
in Phase 3b.

Tests:
- cargo test -p wxc_common -p mxc-sdk (357 + mxc-sdk pass).
- cargo clippy --workspace --all-targets -- -D warnings; cargo fmt --all -- --check.
- check-schema-codegen.js and check-sdk-types-codegen.js both green (no wire change).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Generated-with: claude-opus-4.8
@MGudgin MGudgin requested a review from a team as a code owner June 26, 2026 19:46
Base automatically changed from user/gudge/versioning_phase2_5_state_aware_conformance to main June 30, 2026 18:28
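
The backend-selection change described in this PR, modeled as an added Rust example (not code from the PR or the project) so the affected config/host combinations can be enumerated. All type and function names are hypothetical, the schema version is reduced to a (major, minor) pair, and the pre-change streaming result for configs that did not pass the gate is assumed to be AppContainer.

```rust
// Added illustration, not the project's code; every name below is hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Backend { BaseContainer, AppContainer }

#[derive(Debug, Clone, Copy, PartialEq)]
enum Outcome { Run(Backend), FailClosed }

#[derive(Debug, Clone, Copy)]
struct Config { version: (u32, u32), experimental: bool }

// The gate the PR deletes: `experimental || version >= 0.5`.
fn old_gate(cfg: Config) -> bool {
    cfg.experimental || cfg.version >= (0, 5)
}

// Capability-driven choice: prefer BaseContainer, fall back to AppContainer.
fn by_capability(bc_usable: bool) -> Backend {
    if bc_usable { Backend::BaseContainer } else { Backend::AppContainer }
}

// Executor binary before: gated configs used the dispatcher, the rest plain AppContainer.
fn binary_before(cfg: Config, bc_usable: bool) -> Outcome {
    Outcome::Run(if old_gate(cfg) { by_capability(bc_usable) } else { Backend::AppContainer })
}

// Streaming before (assumed model): gated configs failed closed without BaseContainer.
fn streaming_before(cfg: Config, bc_usable: bool) -> Outcome {
    match (old_gate(cfg), bc_usable) {
        (true, true) => Outcome::Run(Backend::BaseContainer),
        (true, false) => Outcome::FailClosed,
        (false, _) => Outcome::Run(Backend::AppContainer),
    }
}

// After: both paths ignore the config and consult only the host probe result.
fn after(_cfg: Config, bc_usable: bool) -> Outcome {
    Outcome::Run(by_capability(bc_usable))
}

fn main() {
    // Constructed sample configs: legacy, legacy with --experimental, and 0.5.
    let configs = [(0, 4, false), (0, 4, true), (0, 5, false)];
    for (major, minor, experimental) in configs {
        let cfg = Config { version: (major, minor), experimental };
        for bc in [true, false] {
            println!("{:?} bc_usable={}: binary {:?} -> {:?}, streaming {:?} -> {:?}", cfg, bc,
                binary_before(cfg, bc), after(cfg, bc), streaming_before(cfg, bc), after(cfg, bc));
        }
    }
}
```

Under this model only two cells differ: a legacy config on a BaseContainer-capable host moves from AppContainer to BaseContainer, and a gated streaming config on a host without BaseContainer moves from fail-closed to AppContainer.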