Skip to content

Migrate isolation_session backend + SDK to the IsolationSession Preview API#592

Open
adpa-ms wants to merge 5 commits into
feature/isolation-session-internalfrom
user/adibpa/copilot-preview-migration
Open

Migrate isolation_session backend + SDK to the IsolationSession Preview API#592
adpa-ms wants to merge 5 commits into
feature/isolation-session-internalfrom
user/adibpa/copilot-preview-migration

Conversation

@adpa-ms

@adpa-ms adpa-ms commented Jun 30, 2026

Copy link
Copy Markdown

📖 Description

Migrates the experimental isolation_session backend (Rust backend + TypeScript SDK) from the in-development Windows.AI.IsolationSession WinRT surface to the frozen Windows.AI.IsolationSession.Preview namespace, reshaping every consumer to the reduced, stable API. This is a breaking change to the backend's experimental surface (it is gated behind --experimental).

Applied symmetrically across bindings → backend → domain → wire → schema → SDK → tests → docs:

  • Host-folder sharing (ShareFolderBatchAsync + the protected-paths filter) is removed. Filesystem policy (readwritePaths/readonlyPaths/deniedPaths) is now rejected at every phase with policy_validation on both the one-shot and state-aware paths — the folder-sharing sink is gone entirely, eliminating the subtree-inheritance hazard.
  • Sizing profile (configurationId) is removed from the config, wire types, and dev schema; an unknown configurationId is now silently ignored rather than rejected.
  • Entra cloud-agent support is retained — the optional user bundle (upn + wamToken) is still accepted at provision and start. Only the call shape changes: the previous split between the v1 and v2 provisioning interfaces collapses into a single token-carrying AddUserAsync/StartSessionAsync pair, and the separate app-registration step is dropped. The service now assigns an opaque agent-user name at provision and validates the token itself, so the sandboxId tail is that opaque handle (no client-side UPN cross-check).
  • Availability gating moves from a hardcoded OS-build pin in platform.ts to a runtime probe fact (probes.isolationSessionAvailable from wxc-exec --probe).

The Rust bindings are regenerated against the Preview metadata (provenance in GENERATION_INFO.toml), and a build.rs path bug is fixed so the "bindings must be regenerated" version-gate is actually live.

🔗 References

  • IsolationSession backend specs updated in this PR: docs/isolation-session/oneshot.md, docs/isolation-session/state-aware-rust.md, docs/isolation-session/state-aware-typescript.md.

🔍 Validation

  • Local CI gates: cargo fmt --check; clippy --all-targets --all-features -D warnings; build + unit tests with the isolation_session feature on (359 pass) and off (397 pass); wxc_host_prep (17, elevated); SDK unit tests; schema/SDK-type codegen; config validation — all green.
  • End-to-end on an isolation-capable host (from the clean deliverable package): 55/55 — one-shot 11, state-aware 42, SDK Node E2E 2.
  • Manual interactive TTY (streaming, interactive PowerShell, console resize): operator-confirmed pass.

✅ Checklist

📋 Issue Type

  • Task
Microsoft Reviewers: Open in CodeFlow
@adpa-ms adpa-ms requested a review from a team as a code owner June 30, 2026 01:03

@jeffstall jeffstall left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

adpa-ms and others added 4 commits July 1, 2026 13:47
…ew API

The IsolationSession WinRT surface MXC consumes is now frozen as the Preview
namespace. Regenerate the Rust bindings against it and reshape the consumers
to the reduced, stable API:

- bindings: regenerate from the Preview WinMD; add the windows-crate
  Foundation feature (the Preview surface references IClosable).
- backend (manager/policy/state_aware/one_shot): the OS now assigns an
  opaque agent user name at provision and validates identity/token at the
  service, so the sandbox id tail is that opaque name. Collapse the
  local/Entra provision and start paths into single token-carrying calls,
  drop host-folder sharing and the per-session sizing profile, and reject
  all filesystem/network/proxy policy at every phase. Entra is carried by
  the start config's user bundle rather than inferred from the sandbox id.
- domain/wire: remove the sizing-profile config id; regenerate the dev
  schema and the SDK wire types.
- probe: advertise isolation-session availability via `wxc-exec --probe`
  (probes.isolationSessionAvailable) instead of a registry build pin.
- SDK: drop filesystem/configurationId from the typed configs and gate the
  isolation_session method on the probe fact.

Retail CI green: fmt, clippy --all-features, build+test with the feature on
and off, SDK unit, schema/sdk-types codegen, and config validation. VM
end-to-end validation is pending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The one-shot and state-aware PowerShell suites and their JSON fixtures
asserted behavior the Preview migration removed. Bring them in line with
the new backend:

- drop the filesystem-sharing, path-filter, sizing-profile (configurationId)
  and start-identity cross-check tests (and their fixtures);
- assert that filesystem policy is now rejected (policy_validation) at
  provision as well as the post-provision phases;
- assert the sandbox id tail is the opaque OS-assigned agent user name
  rather than a client-minted token;
- rework the simultaneous-sandbox and concurrent one-shot tests to use
  per-sandbox %TEMP% markers / a host ACL grant instead of folder sharing;
- add a fixture proving an unknown configurationId is gracefully ignored.

Verified end-to-end on an isolation-capable VM: one-shot 11/11,
state-aware 42/42, SDK node integration 2/2 (55/55). Config schema
validation green (157 configs).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Post-migration review found documentation and comment staleness left
behind by the Preview migration (no functional defects). Bring the prose
in line with the shipped backend:

- rename the three isolation-session docs to drop the "initial-plan"
  framing (now living specs): initial-bringup-plan -> oneshot and
  state-aware-{rust,typescript}-initial-plan -> state-aware-{rust,typescript};
  update all inbound links (copilot-instructions, sdk/README).
- correct the stale policy matrix and prose: filesystem policy is now
  rejected (policy_validation) at every phase; remove the deleted
  configurationId / v2-interface / UPN-match / registration content; the
  sandbox id tail is the opaque OS-assigned agent user name.
- scrub residual internal names from MXC prose/comments: IsoEnvBroker,
  IsoSessionApp.dll, and the pre-Preview Windows.AI.IsolationEnvironment
  namespace -> Windows.AI.IsolationSession.Preview; genericize bringup-era
  OS-side names (agent-user format, host binary, worker-process interface).
- rewrite the Lifecycle E "registration leak" test comments to the
  per-agent-user isolation rationale (RemoveUserAsync is per user) and
  disambiguate two identical assert messages.
- refresh the stale configurationId sample in a content-agnostic
  config_parser test to a user bundle.
- fix the IsolationSession row in copilot-instructions (filesystem
  rejected at every phase; drop ShareFolderBatchAsync/IsoSessionApp.dll).

Retail CI green: fmt, clippy, build x64+arm64 with the feature on, unit
tests feature on (359) and off (397), wxc_host_prep (17, elevated).
Re-verified end-to-end on an isolation-capable VM: 55/55 (one-shot 11,
state-aware 42, SDK node 2).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@adpa-ms adpa-ms force-pushed the user/adibpa/copilot-preview-migration branch from 181e356 to 9c5b11d Compare July 1, 2026 21:45
The IsolationSession Preview API gained two provision-time getters on
`IsoSessionUserResult` (`AgentUserSid`, `EphemeralWorkspacePath`).
Regenerate the bindings and surface both as provision metadata:

- bindings: regenerate from the newer Preview WinMD; the only surface
  change is the two additive getters (the `IIsoSessionUserResult` IID
  recomputes accordingly). No other interface changed.
- manager: `add_user` now returns a `ProvisionedUser` carrying the agent
  user name, the agent SID, and the shared ephemeral workspace path
  (read from the three `IsoSessionUserResult` getters).
- state-aware: extend `IsolationSessionProvisionMetadata` with
  `agentUserSid` and `ephemeralWorkspacePath` and populate them at
  provision. The `sandboxId` tail (the addressing key) is unchanged.
- one-shot: adapt the `add_user` call site; one-shot still returns no
  provision metadata, so it surfaces nothing new.
- SDK: add the two fields to the `IsolationSessionProvisionMetadata`
  type and refresh the unit-test fixtures.

The ephemeral workspace is a directory shared between the calling user
and the isolated agent user (the caller can stage files into the
session through it); each isolated user can access only its own
workspace, and it is deleted when the sandbox is deprovisioned. It does
not change the workload's working directory.

Tests:
- Rust unit: provision metadata serializes to exactly the three
  camelCase wire keys.
- VM state-aware E2E (Lifecycle F): metadata presence, caller<->session
  file sharing, cross-session workspace isolation (a session cannot
  read a peer's workspace), and workspace deletion on deprovision.
- SDK integration: asserts the new metadata fields are present.

Validation: fmt, clippy (all-features), build + unit tests feature on
and off, wxc_host_prep (elevated), SDK unit, schema/sdk-types codegen,
config validation -- all green. Clean-room package build (x64 + arm64)
green. VM end-to-end on an isolation-capable build: 62/62 (one-shot 11,
state-aware 49, SDK node 2); manual TTY operator-confirmed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@adpa-ms adpa-ms force-pushed the user/adibpa/copilot-preview-migration branch from 9c5b11d to 60184aa Compare July 1, 2026 22:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants