Adds a dotnet API

.github/copilot-instructions.md

@@ -2,12 +2,12 @@
 
 - When running examples in this repository, use the `Justfile` recipes instead of invoking `cargo run` or `python` directly.
 - Use `just examples` from the repository root to run the full example suite.
-- To run examples for a specific sandbox, use module-scoped recipes: `just wasm examples`, `just js examples`, `just python examples`.
+- To run examples for a specific sandbox, use module-scoped recipes: `just wasm examples`, `just js examples`, `just python examples`, `just dotnet examples`.
 - Use `just build` from the repository root to build all subprojects and SDKs.
 - Reason: the example commands depend on `WIT_WORLD` being set to `src/wasm_sandbox/wit/sandbox-world.wasm`; the `Justfile` handles that setup.
 
 Make things cross-platform where possible (window/mac/linux).  Mac supprot for hyperlight isn't avaliable yet but is coming.
 
 - **After changing WIT interfaces**: you must run `just build` (or at minimum rebuild the guest `.wasm` and `.aot` files) before running examples. The pre-compiled guest binaries embed the WIT signature; a mismatch causes "Host function vector parameter missing length" errors at runtime.
 
-- **Formatting and linting**: always use `just fmt` and `just fmt-check` from the repository root instead of invoking `cargo fmt`, `ruff format`, or `ruff check` directly. The Justfile recipes run multiple tools in sequence (e.g. `ruff format` + `ruff check --fix` for Python) and missing a step causes CI failures.
+- **Formatting and linting**: always use `just fmt` and `just fmt-check` from the repository root instead of invoking `cargo fmt`, `ruff format`, `ruff check`, or `dotnet format` directly. The Justfile recipes run multiple tools in sequence and missing a step causes CI failures.

.github/workflows/ci.yml

@@ -99,6 +99,81 @@ jobs:
       - name: Run examples
         run: just wasm examples
 
+  dotnet-sdk:
+    name: .NET SDK (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606  # v1.15.4
+        with:
+          toolchain: nightly, 1.94
+          components: rustfmt, clippy
+          rustflags: ""
+
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7  # v5.2.0
+        with:
+          dotnet-version: '8.0.x'
+
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
+
+      - name: Install Python
+        run: uv python install 3.12
+
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: "latest"
+          cache: npm
+          cache-dependency-path: src/wasm_sandbox/guests/javascript/package-lock.json
+
+      - name: Install just
+        run: cargo install --locked just
+
+      - name: Install clang (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y clang
+
+      - name: Install LLVM (Windows)
+        if: runner.os == 'Windows'
+        run: choco install llvm -y
+
+      - name: Enable KVM
+        if: runner.os == 'Linux' && !env.ACT
+        run: |
+          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+          sudo udevadm control --reload-rules
+          sudo udevadm trigger --name-match=kvm
+          sudo chmod 666 /dev/kvm
+
+      - name: Build sandbox runtimes
+        run: |
+          just wasm build
+          just js build
+
+      - name: Format check
+        run: just dotnet fmt-check
+
+      - name: Lint
+        run: just dotnet lint
+
+      - name: Build
+        run: just dotnet build
+
+      - name: Test Rust FFI
+        run: just dotnet test-rust
+
+      - name: Test .NET
+        run: just dotnet test-dotnet
+
+      - name: Run examples
+        run: just dotnet examples
+
+      - name: Package test
+        run: just dotnet package-test
+
   python-sdk:
     name: Python SDK (${{ matrix.os }})
     runs-on: ${{ matrix.os }}

.github/workflows/publish.yml

@@ -1,4 +1,4 @@
-name: Publish Python SDK
+name: Publish Python SDK & .NET SDK
 
 on:
   push:
@@ -112,3 +112,103 @@ jobs:
 
       - name: Publish to PyPI
         run: just python python-publish
+
+  # Build the Windows native library for the .NET P/Invoke NuGet package.
+  dotnet-build-windows:
+    if: ${{ !github.event.act }}
+    name: Build Windows .NET native library
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606  # v1.15.4
+        with:
+          cache-key: release-windows-dotnet
+          rustflags: ""
+
+      - name: Install just
+        run: cargo install --locked just
+
+      - name: Install LLVM
+        run: choco install llvm -y
+
+      - name: Build sandbox runtimes
+        run: |
+          just wasm build release
+          just js build release
+
+      - name: Build Windows native library
+        run: just dotnet build-rust release
+
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
+        with:
+          name: dotnet-native-windows
+          path: target/release/hyperlight_sandbox_dotnet_ffi.dll
+
+  # Build and publish .NET NuGet packages.
+  dotnet-publish:
+    if: ${{ !github.event.act }}
+    name: Publish .NET NuGet packages
+    needs: [dotnet-build-windows]
+    runs-on: ubuntu-latest
+    environment:
+      name: nuget
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606  # v1.15.4
+        with:
+          cache-key: release
+          rustflags: ""
+
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7  # v5.2.0
+        with:
+          dotnet-version: '8.0.x'
+
+      - name: Install just
+        run: cargo install --locked just
+
+      - name: Install clang
+        run: sudo apt-get update && sudo apt-get install -y clang
+
+      - name: Enable KVM
+        run: |
+          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+          sudo udevadm control --reload-rules
+          sudo udevadm trigger --name-match=kvm
+          sudo chmod 666 /dev/kvm
+
+      - name: Build sandbox runtimes
+        run: |
+          just wasm build release
+          just js build release
+
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: dotnet-native-windows
+          path: target/release
+
+      - name: Build and pack
+        run: just dotnet dist
+
+      - name: Package test
+        run: just dotnet package-test release
+
+      - name: Verify NuGet native assets
+        run: |
+          unzip -l dist/dotnetsdk/Hyperlight.HyperlightSandbox.PInvoke.*.nupkg | grep -F "runtimes/linux-x64/native/libhyperlight_sandbox_dotnet_ffi.so"
+          unzip -l dist/dotnetsdk/Hyperlight.HyperlightSandbox.PInvoke.*.nupkg | grep -F "runtimes/win-x64/native/hyperlight_sandbox_dotnet_ffi.dll"
+
+      - name: NuGet login
+        uses: NuGet/login@ebc737b6fc418a6ca0073cf116ec8dc156d8b81e  # v1
+        id: nuget-login
+        with:
+          user: ${{ vars.NUGET_USER }}
+
+      - name: Publish to NuGet
+        env:
+          NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}
+        run: just dotnet publish

.gitignore

@@ -16,4 +16,12 @@ wheels/
 pip-wheel-metadata/
 src/sdk/python/wasm_backend/Cargo.lock
 src/sdk/python/hyperlight_js_backend/Cargo.lock
+src/sdk/dotnet/ffi/Cargo.lock
 docs/end-user-overview-slides.html
+
+# dotnet
+[Bb]in/
+[Oo]bj/
+.vs/
+*.user
+*.nupkg