Migrate isolation_session backend + SDK to the IsolationSession Preview API#592
Open
adpa-ms wants to merge 5 commits into
Open
Migrate isolation_session backend + SDK to the IsolationSession Preview API#592adpa-ms wants to merge 5 commits into
adpa-ms wants to merge 5 commits into
Conversation
…ew API The IsolationSession WinRT surface MXC consumes is now frozen as the Preview namespace. Regenerate the Rust bindings against it and reshape the consumers to the reduced, stable API: - bindings: regenerate from the Preview WinMD; add the windows-crate Foundation feature (the Preview surface references IClosable). - backend (manager/policy/state_aware/one_shot): the OS now assigns an opaque agent user name at provision and validates identity/token at the service, so the sandbox id tail is that opaque name. Collapse the local/Entra provision and start paths into single token-carrying calls, drop host-folder sharing and the per-session sizing profile, and reject all filesystem/network/proxy policy at every phase. Entra is carried by the start config's user bundle rather than inferred from the sandbox id. - domain/wire: remove the sizing-profile config id; regenerate the dev schema and the SDK wire types. - probe: advertise isolation-session availability via `wxc-exec --probe` (probes.isolationSessionAvailable) instead of a registry build pin. - SDK: drop filesystem/configurationId from the typed configs and gate the isolation_session method on the probe fact. Retail CI green: fmt, clippy --all-features, build+test with the feature on and off, SDK unit, schema/sdk-types codegen, and config validation. VM end-to-end validation is pending. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The one-shot and state-aware PowerShell suites and their JSON fixtures asserted behavior the Preview migration removed. Bring them in line with the new backend: - drop the filesystem-sharing, path-filter, sizing-profile (configurationId) and start-identity cross-check tests (and their fixtures); - assert that filesystem policy is now rejected (policy_validation) at provision as well as the post-provision phases; - assert the sandbox id tail is the opaque OS-assigned agent user name rather than a client-minted token; - rework the simultaneous-sandbox and concurrent one-shot tests to use per-sandbox %TEMP% markers / a host ACL grant instead of folder sharing; - add a fixture proving an unknown configurationId is gracefully ignored. Verified end-to-end on an isolation-capable VM: one-shot 11/11, state-aware 42/42, SDK node integration 2/2 (55/55). Config schema validation green (157 configs). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Post-migration review found documentation and comment staleness left
behind by the Preview migration (no functional defects). Bring the prose
in line with the shipped backend:
- rename the three isolation-session docs to drop the "initial-plan"
framing (now living specs): initial-bringup-plan -> oneshot and
state-aware-{rust,typescript}-initial-plan -> state-aware-{rust,typescript};
update all inbound links (copilot-instructions, sdk/README).
- correct the stale policy matrix and prose: filesystem policy is now
rejected (policy_validation) at every phase; remove the deleted
configurationId / v2-interface / UPN-match / registration content; the
sandbox id tail is the opaque OS-assigned agent user name.
- scrub residual internal names from MXC prose/comments: IsoEnvBroker,
IsoSessionApp.dll, and the pre-Preview Windows.AI.IsolationEnvironment
namespace -> Windows.AI.IsolationSession.Preview; genericize bringup-era
OS-side names (agent-user format, host binary, worker-process interface).
- rewrite the Lifecycle E "registration leak" test comments to the
per-agent-user isolation rationale (RemoveUserAsync is per user) and
disambiguate two identical assert messages.
- refresh the stale configurationId sample in a content-agnostic
config_parser test to a user bundle.
- fix the IsolationSession row in copilot-instructions (filesystem
rejected at every phase; drop ShareFolderBatchAsync/IsoSessionApp.dll).
Retail CI green: fmt, clippy, build x64+arm64 with the feature on, unit
tests feature on (359) and off (397), wxc_host_prep (17, elevated).
Re-verified end-to-end on an isolation-capable VM: 55/55 (one-shot 11,
state-aware 42, SDK node 2).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
181e356 to
9c5b11d
Compare
The IsolationSession Preview API gained two provision-time getters on `IsoSessionUserResult` (`AgentUserSid`, `EphemeralWorkspacePath`). Regenerate the bindings and surface both as provision metadata: - bindings: regenerate from the newer Preview WinMD; the only surface change is the two additive getters (the `IIsoSessionUserResult` IID recomputes accordingly). No other interface changed. - manager: `add_user` now returns a `ProvisionedUser` carrying the agent user name, the agent SID, and the shared ephemeral workspace path (read from the three `IsoSessionUserResult` getters). - state-aware: extend `IsolationSessionProvisionMetadata` with `agentUserSid` and `ephemeralWorkspacePath` and populate them at provision. The `sandboxId` tail (the addressing key) is unchanged. - one-shot: adapt the `add_user` call site; one-shot still returns no provision metadata, so it surfaces nothing new. - SDK: add the two fields to the `IsolationSessionProvisionMetadata` type and refresh the unit-test fixtures. The ephemeral workspace is a directory shared between the calling user and the isolated agent user (the caller can stage files into the session through it); each isolated user can access only its own workspace, and it is deleted when the sandbox is deprovisioned. It does not change the workload's working directory. Tests: - Rust unit: provision metadata serializes to exactly the three camelCase wire keys. - VM state-aware E2E (Lifecycle F): metadata presence, caller<->session file sharing, cross-session workspace isolation (a session cannot read a peer's workspace), and workspace deletion on deprovision. - SDK integration: asserts the new metadata fields are present. Validation: fmt, clippy (all-features), build + unit tests feature on and off, wxc_host_prep (elevated), SDK unit, schema/sdk-types codegen, config validation -- all green. Clean-room package build (x64 + arm64) green. VM end-to-end on an isolation-capable build: 62/62 (one-shot 11, state-aware 49, SDK node 2); manual TTY operator-confirmed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
9c5b11d to
60184aa
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📖 Description
Migrates the experimental
isolation_sessionbackend (Rust backend + TypeScript SDK) from the in-developmentWindows.AI.IsolationSessionWinRT surface to the frozenWindows.AI.IsolationSession.Previewnamespace, reshaping every consumer to the reduced, stable API. This is a breaking change to the backend's experimental surface (it is gated behind--experimental).Applied symmetrically across bindings → backend → domain → wire → schema → SDK → tests → docs:
ShareFolderBatchAsync+ the protected-paths filter) is removed. Filesystem policy (readwritePaths/readonlyPaths/deniedPaths) is now rejected at every phase withpolicy_validationon both the one-shot and state-aware paths — the folder-sharing sink is gone entirely, eliminating the subtree-inheritance hazard.configurationId) is removed from the config, wire types, and dev schema; an unknownconfigurationIdis now silently ignored rather than rejected.userbundle (upn+wamToken) is still accepted at provision and start. Only the call shape changes: the previous split between the v1 and v2 provisioning interfaces collapses into a single token-carryingAddUserAsync/StartSessionAsyncpair, and the separate app-registration step is dropped. The service now assigns an opaque agent-user name at provision and validates the token itself, so thesandboxIdtail is that opaque handle (no client-side UPN cross-check).platform.tsto a runtime probe fact (probes.isolationSessionAvailablefromwxc-exec --probe).The Rust bindings are regenerated against the Preview metadata (provenance in
GENERATION_INFO.toml), and abuild.rspath bug is fixed so the "bindings must be regenerated" version-gate is actually live.🔗 References
docs/isolation-session/oneshot.md,docs/isolation-session/state-aware-rust.md,docs/isolation-session/state-aware-typescript.md.🔍 Validation
cargo fmt --check; clippy--all-targets --all-features -D warnings; build + unit tests with theisolation_sessionfeature on (359 pass) and off (397 pass);wxc_host_prep(17, elevated); SDK unit tests; schema/SDK-type codegen; config validation — all green.✅ Checklist
📋 Issue Type
Microsoft Reviewers: Open in CodeFlow