microsoft

microsoft/mxc

Rust MIT Security early-preview-status

Policy-driven, layered isolation and containment

1.1k stars
52 forks
active
GitHub +32 / week

1.1k

Stars

52

Forks

50

Open issues

14

Contributors

AI Analysis

MXC is a sandboxed code execution system for safely running untrusted code (model outputs, plugins, tools) on Windows, Linux, and macOS with policy-driven isolation across multiple containment backends. It serves developers, AI platforms, and security-conscious teams who need to execute untrusted workloads with fine-grained control over filesystem, network, and UI access. This is specialized infrastructure for threat isolation, not a general-purpose runtime.

Security Security Tool Discovery value: 8/10
Documentation 8/10
Activity 10/10
Community 7/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 7/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

sandboxing untrusted-code-execution security-isolation multi-platform-containment policy-driven
Actively maintained Well documented MIT licensed Niche/specialized use case
Deep Analysis · Based on README and public signals
3w ago

Microsoft's cross-platform sandboxed execution system for untrusted AI-generated code lands in early preview

MXC (Microsoft eXecution Container) is a policy-driven sandboxing framework designed to safely run untrusted code — model output, plugins, tools — across Windows, Linux, and macOS. It abstracts over multiple containment backends (process sandboxes, LXC, Bubblewrap, Seatbelt, Hyperlight, MicroVM) behind a unified JSON schema and TypeScript SDK. Its primary audience appears to be developers building AI agent pipelines, plugin systems, or tool-calling infrastructure on top of Microsoft's AI stack. The project is in early, explicitly-warned preview and should not yet be treated as a security boundary.

Origin

Created in February 2026, MXC is a very young project from Microsoft, likely incubated in response to growing demand for safe code execution in agentic AI workflows. Its lineage probably draws from internal Microsoft sandboxing work including Hyperlight.

Growth

Reached ~1,000 stars within roughly 4.5 months of creation, gaining 56 stars in the past week. Growth appears driven by Microsoft's brand, the timeliness of AI agent code execution as a problem space, and cross-platform scope. Momentum is steady but not viral — consistent with developer curiosity and early integration interest rather than broad production adoption.

In production

Adoption not verified. The README carries an explicit early-preview warning stating that current security policies are 'overly permissive' and that 'no MXC profiles should be treated as security boundaries currently.' No production deployments, case studies, or external integrations are referenced in the available README.

Code analysis
Architecture

Appears to follow a native Rust core (platform-specific binaries per backend) paired with a TypeScript SDK that wraps the binaries for Node.js consumers. The design likely uses a process-boundary IPC model where the Rust binary mediates policy enforcement and the SDK communicates via JSON schema. Multiple backend adapters (bubblewrap, lxc, seatbelt, hyperlight, windows sandbox, wslc) are likely compiled conditionally per platform. The lifecycle model (provision → start → exec → stop → deprovision) suggests stateful session support beyond simple one-shot execution.

Tests

README documents unit tests (Rust cargo test per crate), SDK unit and integration tests (npm test, npm run test:integration), and E2E tests (wxc_e2e_tests crate). Coverage percentage is not documented in README.

Maintenance

Last push was on the current date (2026-06-22), indicating very active ongoing development. The pinned Rust toolchain version (1.93), structured build scripts per platform, schema versioning (0.7.0-alpha for macOS), and explicit changelogs on known limitations all suggest organized, deliberate engineering rather than ad-hoc commits. Active relative to current date.

Honest verdict

ADOPT IF: you are building AI agent or plugin execution infrastructure on Microsoft-adjacent stacks and need a cross-platform sandboxing abstraction that covers Windows-native backends (Windows Sandbox, Hyperlight, IsolationSession) not well served by Linux-centric alternatives — and you can tolerate early-preview instability. AVOID IF: you need a production security boundary today; the project itself explicitly warns that current policies are overly permissive and should not be trusted as security boundaries. MONITOR IF: you are evaluating sandboxing options for agentic AI pipelines and want to track MXC's maturation toward a stable, audited release — the architectural breadth and Microsoft backing make it worth watching.

Independent dimensions

Mainstream potential

5/10

Technical importance

8/10

Adoption evidence

2/10

Risks
  • Explicit security immaturity: the README warns that current sandbox policies are overly permissive and not production-safe, making early adoption potentially dangerous for security-sensitive workloads.
  • Backend fragmentation risk: supporting eight distinct containment backends across three platforms significantly increases surface area for bugs, inconsistent policy enforcement, and maintenance burden.
  • Microsoft ecosystem dependency: tight coupling to Windows-specific backends (Hyperlight, IsolationSession, WSLC) may limit portability value for teams not already invested in Microsoft infrastructure.
  • Early-stage schema instability: the versioned JSON schema (0.7.0-alpha for macOS) and preview warnings signal that API compatibility may break during maturation, raising integration cost for early adopters.
  • Unclear differentiation from microsoft/litebox: organizational overlap with another Microsoft Rust sandboxing repo raises questions about long-term project consolidation or abandonment of one effort.
Prediction

MXC is likely to mature into a supported component of Microsoft's AI developer toolchain, particularly for Windows-based agent runtimes. It may converge with or absorb Litebox. Broad community adoption outside Microsoft's ecosystem is uncertain.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Rust
73.4%
TypeScript
14%
PowerShell
9.4%
Shell
0.9%
HTML
0.7%
CSS
0.7%
JavaScript
0.6%
Batchfile
0.3%

Information

Language
Rust
License
MIT
Last updated
14h ago
Created
5mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

anthropic-experimental

anthropic-experimental/sandbox-runtime

Sandbox Runtime is a lightweight OS-level sandboxing tool for enforcing...

4.6k TypeScript Security
superradcompany

superradcompany/microsandbox

Microsandbox is a lightweight microVM runtime for executing untrusted workloads...

6.9k Rust DevOps
microsoft

microsoft/litebox

LiteBox is a Rust-based security-focused library OS that provides a minimal...

2.6k Rust Security
coder

coder/mux

Mux is a desktop application for parallel agentic development that orchestrates...

1.9k TypeScript AI & ML
TencentCloud

TencentCloud/CubeSandbox

CubeSandbox is a high-performance sandbox runtime built on RustVMM and KVM,...

9.4k Rust AI & ML
vs. alternatives
superradcompany/microsandbox

Microsandbox (~6,640 stars) is also Rust-based and targets similar sandboxed execution use cases with significantly higher community traction. MXC differentiates on cross-platform breadth (especially Windows-native backends) and Microsoft ecosystem integration, but lacks microsandbox's adoption evidence.

anthropic-experimental/sandbox-runtime

Anthropic's sandbox-runtime (~4,466 stars, TypeScript) targets a similar AI code-execution problem but appears narrower in platform scope. MXC's multi-backend Rust core may offer lower-level policy control; sandbox-runtime may be easier to consume for pure Node.js developers.

microsoft/litebox

Also from Microsoft (~2,638 stars, Rust), Litebox likely shares organizational lineage with MXC. The exact boundary between the two projects is unclear from available metadata, suggesting possible overlap or complementary roles within Microsoft's sandboxing portfolio.

coder/mux

Coder's mux (~1,859 stars, TypeScript) focuses on multiplexed execution environments in different contexts. Less directly comparable — MXC's security-policy focus and multi-backend abstraction target a distinct problem from mux's apparent session-routing emphasis.

Helvesec/rmux

rmux (~1,817 stars, Rust) appears to address multiplexing rather than policy-driven security isolation, making it a weak direct competitor. MXC's sandboxing focus is more specialized and security-oriented by design.