
Permissive Learning Mode 2/6 filesystem extraction#585

Open
lilybarkley-msft wants to merge 1 commit into
user/lilybarkley/plm-pr1-audit-skeletonfrom
user/lilybarkley/plm-pr2-fs-extraction

Conversation

@lilybarkley-msft lilybarkley-msft commented Jun 27, 2026

📖 Description

PR 2 of 6 — stacked on PR1. Adds filesystem extraction to PLM.

  • EventID=14 (access-failure) decoder:
    • File-path normalization (NT-object / verbatim / DOS-device → DOS form)
    • Post-XPath filters: current-directory, drive-letter, self-access, invalid filename chars
    • Per-event accumulator that pushes LearningModeAccessEvent rows (file path + access mask)
  • ETW walker (for_each_event_xml / EvtQuery / EvtRender) with bounded peak memory
  • Shared ParseAccumulator + per-event dispatcher in event_parser
  • config.rs foundations: load/parse, filesystem.{readwritePaths,readonlyPaths} merge, deny_file_set
  • stop/log wired to the FS-extraction pipeline

Capability extraction, config-generation summaries, and UI policy land in PR3–PR5. requested_capabilities is exposed as an always-empty placeholder so call-sites stay stable across the split.

🔗 References

  • Base: PR1 (user/lilybarkley/plm-pr1-audit-skeleton)
  • Next: PR3 — config generation (Adjusted_<name>.json write + detection summaries)

🔍 Validation

  • cargo build -p plm --target x86_64-pc-windows-msvc — clean
  • cargo fmt --all -- --check — clean
  • cargo clippy -p plm --target x86_64-pc-windows-msvc --all-targets -- -D warnings — clean
  • cargo test -p plm --target x86_64-pc-windows-msvc — 37 passed (12 new over PR1; cover path-normalization, post-XPath filters, accumulator dispatch, ETW XML parsing).

✅ Checklist

📋 Issue Type

  • Bug fix
  • Feature
  • Task

GitHub Actions runs the PR validation build automatically. The ADO pipeline
(MXC-PR-Build) is the official build pipeline that signs the binaries; it
runs on merge to main and nightly, and Microsoft reviewers can trigger it
on a PR with /azp run. See docs/pull-requests.md.
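The path normalization, post-XPath filters and readwrite/readonly split listed in the description, as an added example that is not the PLM crate's own code; `normalize_to_dos`, `accept_path`, `merge_access_events` and `Reject` are assumed names, and `WRITE_MASK` is an assumed subset of the Win32 file access rights rather than the masks config.rs defines.

```rust
// Added illustration of the EventID=14 path pipeline: prefix normalization,
// post-XPath filters, then the readwrite/readonly split. Hypothetical helpers,
// not PLM code; WRITE_MASK is an assumed subset of Win32 file access rights.
use std::collections::BTreeSet;

const WRITE_MASK: u32 = 0x2 | 0x4 | 0x10 | 0x100 | 0x1_0000 | 0x4000_0000;

#[derive(Debug, PartialEq)]
pub enum Reject { RelativePath, NoDriveLetter, InvalidChar(char), SelfAccess }

/// Collapse NT-object (`\??\`), verbatim (`\\?\`) and DOS-device (`\\.\`)
/// spellings of the same file to one DOS-form path.
pub fn normalize_to_dos(path: &str) -> &str {
    for pre in ["\\??\\", "\\\\?\\", "\\\\.\\"] {
        if let Some(rest) = path.strip_prefix(pre) {
            return rest;
        }
    }
    path
}

/// Post-XPath filters: drop current-directory/relative paths, paths without
/// a drive letter, paths with forbidden characters, and the tool's own file.
pub fn accept_path(raw: &str, self_exe: &str) -> Result<String, Reject> {
    let dos = normalize_to_dos(raw);
    if dos == "." || dos.starts_with(".\\") || dos.starts_with("..\\") {
        return Err(Reject::RelativePath);
    }
    let b = dos.as_bytes();
    if !(b.len() >= 3 && b[0].is_ascii_alphabetic() && b[1] == b':' && b[2] == b'\\') {
        return Err(Reject::NoDriveLetter);
    }
    // `dos[2..]` is a valid slice: bytes 0 and 1 are ASCII.
    if let Some(c) = dos[2..].chars().find(|&c| "<>:\"|?*".contains(c) || (c as u32) < 0x20) {
        return Err(Reject::InvalidChar(c));
    }
    if dos.eq_ignore_ascii_case(self_exe) {
        return Err(Reject::SelfAccess);
    }
    Ok(dos.to_string())
}

/// Accumulate (path, access mask) rows into the two path sets that would be
/// merged into filesystem.readwritePaths / filesystem.readonlyPaths.
pub fn merge_access_events(events: &[(&str, u32)], self_exe: &str) -> (BTreeSet<String>, BTreeSet<String>) {
    let (mut rw, mut ro) = (BTreeSet::new(), BTreeSet::new());
    for &(raw, mask) in events {
        if let Ok(p) = accept_path(raw, self_exe) {
            if mask & WRITE_MASK != 0 { rw.insert(p); } else { ro.insert(p); }
        }
    }
    let ro = ro.difference(&rw).cloned().collect(); // seen with both masks: readwrite only
    (rw, ro)
}
```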

@lilybarkley-msft lilybarkley-msft requested a review from a team as a code owner June 27, 2026 01:38
@lilybarkley-msft lilybarkley-msft force-pushed the user/lilybarkley/plm-pr2-fs-extraction branch 2 times, most recently from 91fdb02 to 2d73df4 on July 2, 2026 01:20
Walks EventID=14 records from the captured .etl, decodes file paths
through normalization + post-XPath filters, and merges them into
filesystem.readwritePaths / filesystem.readonlyPaths on an
in-memory copy of the input config. The Adjusted_*.json writer arrives
in the next PR.

New modules:
- event_parser: EvtQuery/EvtRender walk + ParseAccumulator dispatch
- access_failure: EventID=14 decoder + path normalization
- access_event: LearningModeAccessEvent plain struct
- config: WRITE/READ masks, filesystem init, update_from_access_events

Wired stop.rs and log.rs to invoke the FS merge pipeline.

Capability ACE-blob extraction, EventID=27 UI relaxation, the
adjusted-config writer, and merge_capabilities arrive in subsequent
PRs.

37 tests pass; cargo fmt + clippy clean.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lilybarkley-msft lilybarkley-msft force-pushed the user/lilybarkley/plm-pr2-fs-extraction branch from 2d73df4 to ebc5420 on July 2, 2026 01:53