Add MXC preflight diagnostics #480
Merged
Log sandbox settings snapshots, bridge request lifecycle, effective policy path accounting, and preflight artifacts so sandbox policy drops can be debugged before running MXC.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bkudiess added a commit to bkudiess/openclaw-windows-node that referenced this pull request on May 21, 2026
Removes the Node.js + @microsoft/mxc-sdk + tools/mxc/run-command.cjs path for MXC AppContainer sandboxing and replaces it with a pure-C# pipeline that calls wxc-exec.exe directly. node.exe is no longer required at runtime.

Key changes:
- MxcConfigBuilder: pure function building wxc-exec ContainerConfig from SandboxExecutionRequest + scratch dir. Owns env allow-list + scrub, PATH tool resolution, shell command-line construction, cwd auto-grant.
- DirectAppContainerExecutor: ISandboxExecutor that creates per-invocation scratch dir, builds the config, logs a redacted summary (full JSON behind OPENCLAW_MXC_LOG_FULL_CONFIG=1), handles timeout/cancel, and falls back to --config <file> when the base64 config exceeds the cmdline limit.
- MxcExecutor (in OrcaCore.Models/Services for cross-project compat): additive caps + RunWithConfigFileAsync. Uses ProcessStartInfo.ArgumentList to avoid manual quoting hazards. WaitForExit() after kill so async stdout/stderr handlers drain before we read.
- MxcAvailability: no more RunCommandScriptPath; probes tools/mxc/<arch>/wxc-exec.exe first, legacy node_modules fallback.
- MxcCommandRunner: applies PR openclaw#480 diagnostic logging (LogSandboxRequest/LogSandboxResult) so sandbox settings round-tripping through wxc-exec is verifiable. CWD is logged as <set>/<null>, not the literal path.
- csproj: replaces 4 SDK/bridge copy targets with CopyWxcExecToOutput, CopyWxcExecToPublish, ValidateWxcExecShipped, ValidateWxcExecPublished, and a ValidateMxcArchMapping target that errors on unmapped RIDs.
- Tests: MxcConfigBuilderTests with 4 SDK-captured golden JSONs (LockedDown/Balanced/Permissive/Custom) for byte-equivalence vs the SDK output, plus env-scrub case-insensitivity, ResolveToolDirsFromPath, cwd auto-grant, timeout defaulting. DirectAppContainerExecutorTests cover the fail-fast paths. Symmetric golden compare with an explicit allow-list for the fields the SDK leaves empty.

Security hardening surfaced by adversarial review:
- IsDriveRoot guard in ResolveToolDirsFromPath prevents a misconfigured PATH entry from granting the whole system drive as readonly.
- CONNECTION_STRING and CONNSTR markers added to credential env-scrub.
- Env dict uses OrdinalIgnoreCase so an agent cannot inject a case-variant duplicate of a host-allowlisted var (APPDATA vs appdata).
- Reject embedded quotes in --config path; ArgumentList everywhere else.
- Host-side CancelAfter mirrors the builder's effective timeout (no unbounded wait when request.TimeoutMs is 0).
- ct.ThrowIfCancellationRequested() before the timeout branch so caller cancellation isn't mislabeled as TimedOut.
- UTF-8 byte count for the base64 cmdline-overflow threshold.

Removed:
- src/OpenClaw.Shared/Mxc/OneShotAppContainerExecutor.cs
- tools/mxc/run-command.cjs

Subsumes openclaw#480.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
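The commit message above names several hardening checks without showing them. The following is an added, standalone illustration written for this page; it is not code from openclaw-windows-node, and the names HostAllowList, CredentialMarkers, BuildEnv, FitsOnCommandLine, the sample environment values and the 256-byte command-line margin are assumptions made here. It shows three of the listed behaviours in isolation: a case-insensitive env dictionary that refuses a case-variant duplicate of a host-allowlisted variable, a credential-marker scrub that includes CONNECTION_STRING and CONNSTR, a drive-root guard when turning PATH entries into read-only tool directories, and an overflow check that counts UTF-8 bytes rather than .NET string length.

```csharp
// Added illustration for this PR page, not the project's own code.
// All names and sample values below are constructed for the example.
using System;
using System.Collections.Generic;
using System.Text;

static class SandboxEnvHardening
{
    // Host env vars an agent request may pass through (constructed sample allow-list).
    static readonly HashSet<string> HostAllowList =
        new(StringComparer.OrdinalIgnoreCase) { "PATH", "APPDATA", "TEMP" };

    // Substrings that mark a variable as a credential; compared case-insensitively.
    static readonly string[] CredentialMarkers =
        { "PASSWORD", "SECRET", "TOKEN", "API_KEY", "CONNECTION_STRING", "CONNSTR" };

    // Build the container env. The dictionary is OrdinalIgnoreCase, so a requested
    // "appdata" cannot sit beside the host's "APPDATA" as a second entry: host values
    // are written first and any later case-variant of an existing key is dropped.
    public static Dictionary<string, string> BuildEnv(
        IDictionary<string, string> host, IDictionary<string, string> requested)
    {
        var env = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var kv in host)
            if (HostAllowList.Contains(kv.Key) && !IsCredential(kv.Key))
                env[kv.Key] = kv.Value;
        foreach (var kv in requested)
        {
            if (env.ContainsKey(kv.Key)) continue; // case-variant duplicate: ignored
            if (IsCredential(kv.Key)) continue;    // credential-looking name: scrubbed
            env[kv.Key] = kv.Value;
        }
        return env;
    }

    static bool IsCredential(string name)
    {
        foreach (var m in CredentialMarkers)
            if (name.IndexOf(m, StringComparison.OrdinalIgnoreCase) >= 0) return true;
        return false;
    }

    // Turn PATH entries into read-only tool directories, skipping drive roots so a
    // stray "C:\" in PATH does not grant the whole system drive.
    public static List<string> ResolveToolDirsFromPath(string path)
    {
        var dirs = new List<string>();
        foreach (var raw in path.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            var entry = raw.Trim().Trim('"');
            if (entry.Length == 0 || IsDriveRoot(entry)) continue;
            dirs.Add(entry);
        }
        return dirs;
    }

    // "C:", "C:\" and "C:/" (any drive letter, any case) count as drive roots.
    static bool IsDriveRoot(string p)
    {
        var t = p.TrimEnd('\\', '/');
        return t.Length == 2 && char.IsLetter(t[0]) && t[1] == ':';
    }

    // Decide whether the base64-encoded config fits on the command line. The length is
    // derived from the JSON's UTF-8 byte count, not configJson.Length (UTF-16 units),
    // because non-ASCII characters expand when encoded. 32767 is the Win32 command-line
    // limit; the 256-byte margin for the executable and flag is an assumption here.
    public static bool FitsOnCommandLine(string configJson, int limit = 32767 - 256)
    {
        int utf8Bytes = Encoding.UTF8.GetByteCount(configJson);
        int base64Len = 4 * ((utf8Bytes + 2) / 3); // base64 length for that many bytes
        return base64Len <= limit;
    }

    static void Main()
    {
        var host = new Dictionary<string, string>
        {
            ["PATH"] = @"C:\Tools\bin;C:\;C:\Program Files\Git\cmd",
            ["APPDATA"] = @"C:\Users\host\AppData\Roaming",
            ["DB_CONNECTION_STRING"] = "Server=db;Password=constructed-sample",
        };
        var requested = new Dictionary<string, string>
        {
            ["appdata"] = @"C:\other",  // case-variant of a host var: ignored
            ["MY_API_TOKEN"] = "abc",   // credential marker: scrubbed
            ["FOO"] = "bar",            // ordinary var: passed through
        };

        foreach (var kv in BuildEnv(host, requested))
            Console.WriteLine($"{kv.Key}={kv.Value}");
        // APPDATA keeps the host value, FOO=bar; no TOKEN or CONNECTION_STRING entries.

        foreach (var d in ResolveToolDirsFromPath(host["PATH"]))
            Console.WriteLine($"readonly: {d}");
        // C:\Tools\bin and C:\Program Files\Git\cmd are listed; C:\ is skipped.

        Console.WriteLine(FitsOnCommandLine("{\"cmd\":\"echo\"}"));  // True
        // 20000 two-byte characters: a Length-based check (26668) would say it fits,
        // the UTF-8-based check (53336) correctly says it does not.
        Console.WriteLine(FitsOnCommandLine(new string('\u00e9', 20000))); // False
    }
}
```

The last two lines of Main are the point of the UTF-8 fix: the string-length estimate under-counts by half for two-byte characters, so a config with non-ASCII paths could be handed to the command line and truncated, whereas the byte-count estimate routes it to the --config <file> fallback.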
Summary
Validation
- node --check tools\mxc\run-command.cjs
- dotnet test .\tests\OpenClaw.Shared.Tests\OpenClaw.Shared.Tests.csproj --no-restore --filter FullyQualifiedName~MxcCommandRunnerTests
- .\build.ps1
- dotnet test .\tests\OpenClaw.Shared.Tests\OpenClaw.Shared.Tests.csproj --no-restore: 1804 passed / 28 skipped
- dotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --no-restore: 1149 passed