docs: MXC (Microsoft Execution Containers) platform research

[brandwe]

Summary

Deep-research platform-learnings writeup of Microsoft Execution Containers (MXC), announced at Build 2026 — the OS-level, policy-driven sandbox for agent code execution. Researched from primary sources (github.com/microsoft/mxc, @microsoft/mxc-sdk v0.6.1, the Windows Developer Blog).

This is highly on-thesis: entrabot owns agent identity + attribution; MXC is the execution-containment half of the same device-agent security story. They compose.

What's in the doc

• What MXC actually is — and the critical distinction between the OSS code-execution sandbox (verifiable today) vs. the Windows/Agent-365 "agent identity" vision layer (announced, rolling out). The press conflates them; the doc separates them.
• Composable containment spectrum — process / session / micro-VM / WSL / Windows-365, and the backend matrix (AppContainer, Windows Sandbox, LXC, Bubblewrap, Seatbelt (macOS), NanVix micro-VM, Hyperlight, isolation_session).
• Policy model — the versioned JSON schema (filesystem/network/UI, default-deny), discovery helpers.
• Third-party integration — TS SDK vs. native-binary+JSON (the Python path), plus the ecosystem (Copilot CLI, OpenAI Codex, NVIDIA OpenShell, OpenClaw, Manus, Hermes).
• macOS Seatbelt backend — entrabot is macOS-primary; includes the keychainAccess knob that intersects our keyring usage.
• entrabot fit + gap analysis — MXC closes entrabot's "no local execution boundary" gap; integration would be native-binary-from-Python; likely supersedes the Windows AppContainer spike on our roadmap. 7 open questions before building.

Notes

• Docs-only. No code changes.
• Linked from docs/index.md and the AGENTS.md required-reading table.
• Status captured honestly: early preview, explicitly not a security boundary yet, 0.x schema churn — treat as defense-in-depth.

🤖 Generated with GitHub Copilot CLI

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com