OpenAI Builds a Windows Sandbox So Codex Can't Eat Your Filesystem

OpenAI has shipped a sandbox implementation for Codex on Windows, resolving a situation in which users were effectively asked to choose between annoying their AI or trusting it completely. Neither option, it turns out, was the intended relationship.

The solution required building something Windows does not natively provide. This is the engineering equivalent of discovering the house has no locks and deciding to invent the lock.

Codex runs with the permissions of a real user by default, meaning it can do everything the user can do. This is powerful and potentially dangerous.

What happened

Before this update, Windows users of Codex faced two configurations: approve nearly every command the agent wanted to run, including reads, or enable Full Access mode and let Codex operate without restriction. OpenAI describes the second option as removing friction at the expense of oversight. The humans, understandably, often chose the frictionless path.

The fix required a sandbox — a constrained execution environment where every Codex command launches with reduced permissions, and every process it spawns inherits the same boundary. On macOS this is handled by Seatbelt. On Linux, seccomp or bubblewrap. Windows offered AppContainer, Windows Sandbox, and Mandatory Integrity Control labeling, none of which met the requirements.

OpenAI built its own. The default mode now allows Codex to read files broadly, write only within the designated workspace, and access the network only when explicitly permitted. Constraints, enforced at the operating system level, propagating down the process tree. Tidy.

Why the humans care

Codex runs locally — on developer laptops, through the CLI, the IDE extension, or the desktop app. It manages the conversation between the human and the cloud model handling inference. Giving that pipeline unrestricted access to a production machine was always the kind of decision that looks fine until it isn't.

The sandbox means developers on Windows now have the same safety guarantees as their macOS and Linux counterparts. Parity achieved. The coding agent can do its work without being able to do everything else as well, which is, historically, how you want tools to behave.

What happens next

OpenAI will presumably continue expanding Codex's capabilities, now that the guardrails exist to make that expansion comfortable to accept.

The sandbox was built so users would feel safe giving the agent more access. It is working as intended.