[confcom] update help text and README

MahatiC · MahatiC · commit 53515f948fae · 2026-04-15T23:44:08.000+01:00
diff --git a/src/confcom/README.md b/src/confcom/README.md
@@ -60,6 +60,21 @@ The `confcom` extension does not currently support:
 - Variables and Parameters with non-primitive data types e.g. objects and arrays
 - Nested and Linked ARM Templates
 
+## Platform Support (Linux and Windows Policies)
+
+The `--platform` parameter controls whether policies are generated for Linux (`linux/amd64`, the default) or Windows (`windows/amd64`) containers.
+
+**Docker Desktop must be running in the matching container mode** to produce correct layer hashes:
+
+| Policy Target | Docker Container Mode | Where to Run |
+|---|---|---|
+| Linux (`--platform linux/amd64`) | Linux containers | WSL or PowerShell |
+| Windows (`--platform windows/amd64`) | Windows containers | PowerShell only |
+
+- **Windows policies cannot be generated from WSL**, because Windows layer hashing (CIMfs) requires Windows APIs.
+- **Linux policies can be generated from either WSL or PowerShell**, as long as Docker Desktop is in Linux containers mode.
+- Running with the wrong Docker container mode may produce **incorrect layer hashes** that will cause the container to be rejected at runtime.
+
 ## Trademarks
 
 This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py
@@ -105,6 +105,10 @@
           type: boolean
           short-summary: 'When enabled, the default fragments are not included in the generated policy. This includes containers needed to mount azure files, mount secrets, mount git repos, and other common ACI features'
 
+        - name: --platform
+          type: string
+          short-summary: 'Target platform for policy generation (linux/amd64 or windows/amd64). Defaults to linux/amd64. Docker Desktop must be running in the matching container mode to produce correct layer hashes.'
+
     examples:
         - name: Input an ARM Template file to inject a base64 encoded Confidential Container Security Policy into the ARM Template
           text: az confcom acipolicygen --template-file "./template.json"
@@ -116,6 +120,8 @@
           text: az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"
         - name: Input an ARM Template file and use a fragments JSON file to generate a policy
           text: az confcom acipolicygen --template-file "./template.json" --fragments-json "./fragments.json" --include-fragments
+        - name: Generate a Windows container policy (requires Docker Desktop in Windows containers mode)
+          text: az confcom acipolicygen --template-file "./template.json" --platform windows/amd64 --outraw-pretty-print
 """
 
 helps[
diff --git a/src/confcom/azext_confcom/_params.py b/src/confcom/azext_confcom/_params.py
@@ -119,7 +119,10 @@ def load_arguments(self, _):
             options_list=("--platform",),
             required=False,
             default="linux/amd64",
-            help="Target platform for policy generation. Defaults to linux/amd64.",
+            help="Target platform for policy generation. Defaults to linux/amd64. "
+                 "Note: Docker Desktop must be running in the matching container mode "
+                 "(Linux containers for linux/amd64, Windows containers for windows/amd64) "
+                 "to produce correct layer hashes.",
             choices=["linux/amd64", "windows/amd64"],
         )
         c.argument(
