1 files changed, 53 insertions, 0 deletions

diff --git a/src/zencompute/runners/windowsrunner.h b/src/zencompute/runners/windowsrunner.h
new file mode 100644
index 000000000..9f2385cc4
--- /dev/null
+++ b/src/zencompute/runners/windowsrunner.h
@@ -0,0 +1,53 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#pragma once
+
+#include "localrunner.h"
+
+#if ZEN_WITH_COMPUTE_SERVICES && ZEN_PLATFORM_WINDOWS
+
+#	include <zencore/windows.h>
+
+#	include <string>
+
+namespace zen::compute {
+
+/** Windows process runner using CreateProcessW for executing worker executables.
+
+	Subclasses LocalProcessRunner, reusing sandbox management, worker manifesting,
+	input/output handling, and monitor thread infrastructure. Overrides only the
+	platform-specific methods: process spawning, sweep, and cancellation.
+
+	When Sandboxed is true, child processes are isolated using a Windows AppContainer:
+	no network access (AppContainer blocks network by default when no capabilities are
+	granted) and no filesystem access outside explicitly granted sandbox and worker
+	directories. This requires no elevation.
+ */
+class WindowsProcessRunner : public LocalProcessRunner
+{
+public:
+	WindowsProcessRunner(ChunkResolver&				  Resolver,
+						 const std::filesystem::path& BaseDir,
+						 DeferredDirectoryDeleter&	  Deleter,
+						 WorkerThreadPool&			  WorkerPool,
+						 bool						  Sandboxed			   = false,
+						 int32_t					  MaxConcurrentActions = 0);
+	~WindowsProcessRunner();
+
+	[[nodiscard]] SubmitResult SubmitAction(Ref<RunnerAction> Action) override;
+	void					   SweepRunningActions() override;
+	void					   CancelRunningActions() override;
+	bool					   CancelAction(int ActionLsn) override;
+	void					   SampleProcessCpu(RunningAction& Running) override;
+
+private:
+	void GrantAppContainerAccess(const std::filesystem::path& Path, DWORD AccessMask);
+
+	bool		 m_Sandboxed	   = false;
+	PSID		 m_AppContainerSid = nullptr;
+	std::wstring m_AppContainerName;
+};
+
+}  // namespace zen::compute
+
+#endif