Public release commit

Author: SohamDas2021

.azure-pipelines/.cargo/config.toml

@@ -0,0 +1,15 @@
+
+# Instruct Cargo to use the Azure Artifacts feed instead of crates.io for pulling public crates
+# in ADO pipelines. This file is copied to the `<repo-root>/src` folder during rust pipeline builds.
+# See: https://eng.ms/docs/more/languages-at-microsoft/rust/articles/gettingstarted/install/installcicd
+# See: https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/buildworkflows/rust
+
+[registries]
+Mxc-Azure-Feed = { index = "sparse+https://microsoft.pkgs.visualstudio.com/Dart/_packaging/Mxc-Azure-Feed/Cargo/index/" }
+
+[source.crates-io]
+replace-with = "Mxc-Azure-Feed"
+
+# Add linker for arm64 on linux for cross-compilation
+[target.aarch64-unknown-linux-gnu]
+linker = "aarch64-linux-gnu-gcc"

.azure-pipelines/.npm/.npmrc

@@ -0,0 +1,6 @@
+; Used in azure pipelines to point to our azure artifacts feed for npm packages.
+; See README.md in <repo-root>/.azure-pipelines/ for more details on Central Feeds Services.
+; This file is copied to the '<repo-root>/sdk' folder during npm pipeline builds.
+registry=https://microsoft.pkgs.visualstudio.com/Dart/_packaging/Mxc-Azure-Feed/npm/registry/ 
+                 
+always-auth=true

.azure-pipelines/1ES.Build.yml

@@ -0,0 +1,193 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# Push trigger on `main` exists primarily to populate the Azure Pipelines
+# target-dir and CARGO_HOME cache scopes for the default branch. PR-triggered
+# runs are branch-scoped on writes and cannot populate `main`'s scope; they
+# can only *read* from it as a fallback. Without a `main` trigger, the
+# 1ES `cacheOptions.enableTargetCache: true` configuration in
+# `Rust.Build.Job.yml` runs every PR with a cold target dir — the
+# auto-generated wildcard restore key (visible in the `🎯 Cache target
+# directory` task log as `…|Rust=<ver>|**`) finds no prior entry in
+# main's scope, so each PR build does a fully cold cargo compile
+# (~14 min on x64 WXC).
+#
+# After this trigger is enabled, the first push to `main` populates the
+# cache; every subsequent PR's restore step finds it via that wildcard
+# fallback and the cargo build step drops to a few minutes.
+#
+# Docs-only commits to `main` don't need to rebuild the whole workspace,
+# so the path exclusion list here matches the one added to the `pr:`
+# trigger in PR #396 (kept in sync intentionally — if that PR lands and
+# the lists drift, reconcile them).
+trigger:
+  branches:
+    include:
+    - main
+  paths:
+    exclude:
+    - 'docs/**'
+    - 'tests/examples/**'
+    - '.github/ISSUE_TEMPLATE/**'
+    - '.github/PULL_REQUEST_TEMPLATE.md'
+    - '.github/copilot-instructions.md'
+    - '.github/instructions/**'
+    - '**/*.md'
+    - '.editorconfig'
+
+name: $(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
+
+pr:
+  branches:
+    include:
+    - main
+    - feature/*
+    - user/*
+  # Skip the full build pipeline when a PR only touches documentation /
+  # non-shipping content. Any change outside this exclusion list still
+  # triggers the pipeline as before. Keep this list conservative — exclude
+  # only paths that cannot possibly affect built artifacts or test behavior.
+  paths:
+    exclude:
+    - 'docs/**'
+    - 'tests/examples/**'
+    - '.github/ISSUE_TEMPLATE/**'
+    - '.github/PULL_REQUEST_TEMPLATE.md'
+    - '.github/copilot-instructions.md'
+    - '.github/instructions/**'
+    - '**/*.md'
+    - '.editorconfig'
+
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+
+parameters:
+  - name: officialBuild
+    displayName: Build Official or Unofficial
+    type: string
+    default: Unofficial
+    values:
+      - Official
+      - Unofficial
+
+  - name: debug
+    displayName: Enable debug output for SDK tests
+    type: boolean
+    default: false
+
+  # Reused by Rust/Mac/NpmSdk templates. Values come from MXC-ESRP-Signing
+  # on Official runs; sign steps are gated, so missing values on Unofficial
+  # runs are harmless.
+  - name: ESRPInfo
+    type: object
+    default:
+      serviceName: $(serviceName)
+      tenantId: $(tenantId)
+      azureKeyVaultName: $(azureKeyVaultName)
+      authCertName: $(authCertName)
+      signCertName: $(signCertName)
+      clientId: $(clientId)
+
+variables:
+  # Prevents failure when no Rust tests are found; pipeline runs will still fail if present
+  # tests do not pass.
+  - name: NEXTEST_NO_TESTS
+    value: pass
+  - ${{ if eq(parameters.officialBuild, 'Official') }}:
+    - group: MXC-ESRP-Signing
+
+extends:
+  template: v1/1ES.${{parameters.officialBuild}}.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: Azure-Pipelines-1ESPT-ExDShared
+      image: windows-2022
+      os: windows
+
+    customBuildTags:
+    - ES365AIMigrationTooling
+
+    stages:
+    - stage: Build_Binaries
+      displayName: 'Build Executables'
+      jobs:
+
+        # Build Binaries for all targets in parallel
+        - template: .azure-pipelines/templates/Rust.Build.Job.yml@self
+          parameters:
+            isOfficialBuild: ${{ eq(parameters.officialBuild, 'Official') }}
+            matrix:
+              - name: windows_x64
+                os: windows
+                arch: x64
+                component: WXC
+              - name: windows_arm64
+                os: windows
+                arch: arm64
+                component: WXC
+              - name: linux_x64
+                os: linux
+                arch: x64
+                component: LXC
+              - name: linux_arm64
+                os: linux
+                arch: arm64
+                component: LXC
+
+            ESRPInfo: ${{ parameters.ESRPInfo }}
+
+        # macOS uses a separate template because it runs on a different
+        # pool (Microsoft-hosted). The produced artifact name follows the same
+        # scheme (mxc-binaries-<triplet>) so Package_MXC_NPM_SDK can consume it.
+        - template: .azure-pipelines/templates/Mac.Build.Job.yml@self
+          parameters:
+            isOfficialBuild: ${{ eq(parameters.officialBuild, 'Official') }}
+            ESRPInfo: ${{ parameters.ESRPInfo }}
+
+    - stage: Package_MXC
+      displayName: 'Package MXC'
+      dependsOn: Build_Binaries
+      jobs:
+      - template: .azure-pipelines/templates/Package.NpmSdk.Job.yml@self
+        parameters:
+          targets:
+            - artifact: wxc-binaries-x86_64-pc-windows-msvc
+              sdkArch: x64
+            - artifact: wxc-binaries-aarch64-pc-windows-msvc
+              sdkArch: arm64
+            - artifact: lxc-binaries-x86_64-unknown-linux-gnu
+              sdkArch: x64
+            - artifact: lxc-binaries-aarch64-unknown-linux-gnu
+              sdkArch: arm64
+            - artifact: mxc-binaries-aarch64-apple-darwin
+              sdkArch: arm64
+
+          ESRPInfo: ${{ parameters.ESRPInfo }}
+
+      - template: .azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml@self
+
+    - stage: Lint
+      displayName: 'Lint'
+      dependsOn: []
+      jobs:
+      - template: .azure-pipelines/templates/Lint.Job.yml@self
+
+    - stage: SDK_Unit_Tests
+      displayName: 'SDK Unit Tests'
+      dependsOn: []
+      jobs:
+      - template: .azure-pipelines/templates/SDK.Unit.Test.Job.yml@self
+        parameters:
+          debug: ${{ parameters.debug }}
+
+    - stage: SDK_Integration_Tests
+      displayName: 'SDK Integration Tests'
+      dependsOn: Package_MXC
+      jobs:
+      - template: .azure-pipelines/templates/SDK.Integration.Test.Job.yml@self
+        parameters:
+          debug: ${{ parameters.debug }}

.azure-pipelines/1ES.Release.yml

@@ -0,0 +1,88 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+trigger: none
+name: $(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+  pipelines:
+  # Reference pipeline that created the signed npm artifacts so we can consume them later
+  - pipeline: MXC 
+    source: 'MXC-Official-Build'
+    trigger: none
+
+
+# Parameters for ESRP release info will be passed from the ADO UI.
+parameters:
+  - name: ESRPInfo
+    type: object
+    default:
+      serviceName: ''
+      tenantId: ''
+      azureKeyVaultName: ''
+      authCertName: ''
+      signCertName: ''
+      clientId: ''
+      ApproversEmail: ''
+      OwnersEmail: ''
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: Azure-Pipelines-1ESPT-ExDShared
+      image: windows-2022
+      os: windows
+    customBuildTags:
+    - ES365AIMigrationTooling
+
+    sdl:
+      sourceAnalysisPool:
+        name: Azure-Pipelines-1ESPT-ExDShared
+        image: windows-latest
+        os: windows
+
+    stages:
+    - stage: Publish_to_NPM
+      displayName: 'Publish NPM Package'
+      variables:
+      - name: release_environment
+        value: Production
+      jobs:
+      - job: ReleaseJob
+        templateContext:
+          type: releaseJob
+          isProduction: true
+          inputs:
+          - input: pipelineArtifact
+            pipeline: MXC
+            targetPath: '$(Pipeline.Workspace)/packages'
+            artifactName: mxc-npm-sdk-package
+
+        displayName: Publish to NPM
+        steps:
+        - task: EsrpRelease@10
+          displayName: 'Publish to NPM'
+          inputs:
+            connectedservicename: ${{ parameters.ESRPInfo.serviceName }}
+            usemanagedidentity: false
+            keyvaultname: ${{ parameters.ESRPInfo.azureKeyVaultName }}
+            authcertname: ${{ parameters.ESRPInfo.authCertName }}
+            signcertname: ${{ parameters.ESRPInfo.signCertName }}
+            clientid: ${{ parameters.ESRPInfo.clientId }}
+            intent: 'PackageDistribution'
+            contenttype: npm
+            contentsource: 'Folder'
+            folderlocation: '$(Pipeline.Workspace)/packages'
+            owners: ${{ parameters.ESRPInfo.OwnersEmail }}
+            approvers: ${{ parameters.ESRPInfo.ApproversEmail }}
+            waitforreleasecompletion: true
+            serviceendpointurl: 'https://api.esrp.microsoft.com'
+            mainpublisher: ESRPRELPACMAN
+            domaintenantid: ${{ parameters.ESRPInfo.tenantId }} 
+
+  

.azure-pipelines/Fuzz.Build.yml

@@ -0,0 +1,47 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+#
+# Daily fuzzing pipeline for MXC.
+#
+# Builds the mxc_fuzz crate with AddressSanitizer and submits the resulting
+# drop directory to OneFuzz. Bugs found are filed against the SDL fuzzing
+# work item 62294501 via the routing fields in src/testing/fuzz/OneFuzzConfig.json.
+#
+# Schedule: daily at 00:00 UTC on `main`. PRs do not trigger this pipeline.
+
+pr: none
+trigger: none
+
+schedules:
+  - cron: "0 0 * * *"
+    displayName: Daily fuzzing submission
+    branches:
+      include:
+        - main
+    always: true
+
+name: $(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
+
+resources:
+  repositories:
+    - repository: 1ESPipelineTemplates
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: Azure-Pipelines-1ESPT-ExDShared
+      image: windows-latest
+      os: windows
+
+    customBuildTags:
+      - ES365AIMigrationTooling
+
+    stages:
+      - stage: Fuzz
+        displayName: 'Build + submit fuzzers'
+        jobs:
+          - template: .azure-pipelines/templates/Fuzz.Build.Job.yml@self

.azure-pipelines/README.md

@@ -0,0 +1,20 @@
+# Configuration Strategy
+
+## For Developers
+
+Developers should to use public registries like `crates.io`
+and `npmjs` directly so they can iterate quickly.
+
+## For CI/Pipelines
+
+### Central Feed Services
+Production CI pipelines use an Azure Artifacts feed (CFS) to source dependencies
+from crates.io and npmjs, helping ensure secure and vetted consumption of third‑party packages.
+(Microsoft engineers can consult the internal "Central Feed Services" documentation for setup details; external readers can treat the centralized feed as a Microsoft-internal Azure Artifacts mirror of the public registries.)
+
+### Production Build and Release pipelines
+- We use Azure pipelines for official builds with signing and public releases.
+
+### PR Pipelines
+- We use github actions but will be consolidated to use the azure pipelines which
+  contain governance tasks, like binary scanning etc in the future.