OpenAI has published details of its Windows sandbox architecture, which powers its Codex coding agent, highlighting the engineering tradeoffs required to balance security, usability, and developer productivity on Microsoft's operating system. The company explained that it built a custom sandboxing approach after finding that existing Windows isolation mechanisms did not fully satisfy the requirements of autonomous coding agents.
Background and Context
Codex, OpenAI's coding agent, runs locally on developer machines through command line interfaces, IDE extensions, and desktop applications. Because the agent can execute commands, read files, modify source code, and perform development tasks, OpenAI needed a mechanism to restrict its access while minimizing interruptions to developer workflows.
According to David Wiesen, a member of OpenAI's technical staff, users previously faced a tradeoff between approving nearly every agent action or granting unrestricted system access through a full-access mode. This approach had several drawbacks, including the need for administrator privileges, expensive ACL setup, and weak network isolation.
Why Windows Was the Hard Platform
OpenAI's engineers found that macOS and Linux shipped with sandbox support early, providing kernel-level namespace isolation that cleanly separates the agent's view of the filesystem from the host. Windows, in contrast, has no equivalent of unshare(2) or Seatbelt profiles; it relies instead on Security Identifiers (SIDs), Access Control Lists (ACLs), restricted tokens, and user-boundary isolation.
OpenAI had to compose these primitives into something that felt as seamless as the Linux sandbox while remaining safe. The company evaluated several existing Windows security technologies, including Windows Sandbox and Mandatory Integrity Control (MIC). While Windows Sandbox provides strong isolation through a disposable virtual machine, OpenAI concluded it was not suitable because Codex requires direct access to a developer's working environment, tools, and repositories.
The Unelevated Prototype
The first working sandbox ran entirely unelevated. It created a synthetic SID called sandbox-write and launched commands under a write-restricted token whose restricted SID list comprised Everyone, the current logon session SID, and the synthetic SID. To permit writes to the workspace, Codex stamped a write-allow ACE for the synthetic SID onto the working directory.
This approach had several advantages: it required no administrator privileges, gave granular per-directory write control, and showed no user-visible elevation prompts. However, it also had disqualifying drawbacks, such as expensive ACL setup, hard-to-change semantics, and weak network isolation.
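The access decision behind the prototype described above can be modeled in a few lines. This is an added example, not OpenAI's code: a simplified Python model of the Windows two-pass access check for a write-restricted token, with constructed SIDs (apart from the well-known Everyone SID), constructed DACLs, and a two-bit access mask as assumptions.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access-mask bits for this model

EVERYONE = "S-1-1-0"                    # well-known Everyone SID
LOGON = "S-1-5-5-0-424242"              # constructed logon-session SID
USER = "S-1-5-21-1111-2222-3333-1001"   # constructed developer account SID
SANDBOX_WRITE = "S-1-5-21-9-9-9-7777"   # constructed stand-in for the synthetic SID

@dataclass(frozen=True)
class Ace:
    allow: bool
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:
    sids: frozenset                      # user and enabled group SIDs
    restricted: frozenset = frozenset()  # restricting SIDs
    write_restricted: bool = False

def dacl_pass(dacl, sids, desired):
    """Walk ACEs in order: a matching deny on a needed bit fails, allows accumulate."""
    remaining = desired
    for ace in dacl:
        if not remaining:
            break
        if ace.sid in sids and ace.mask & remaining:
            if not ace.allow:
                return False
            remaining &= ~ace.mask
    return remaining == 0

def access_check(token, dacl, desired):
    """Normal pass, then a second pass against the restricting SIDs."""
    if not dacl_pass(dacl, token.sids, desired):
        return False
    if not token.restricted:
        return True
    # A write-restricted token applies the second pass to write access only.
    second = desired & WRITE if token.write_restricted else desired
    return dacl_pass(dacl, token.restricted, second)

SANDBOX = Token(frozenset({USER, EVERYONE, LOGON}),
                frozenset({EVERYONE, LOGON, SANDBOX_WRITE}), write_restricted=True)
WORKSPACE = [Ace(True, USER, READ | WRITE), Ace(True, SANDBOX_WRITE, WRITE)]  # stamped ACE
HOME_DIR = [Ace(True, USER, READ | WRITE)]        # no ACE for the synthetic SID
SHARED_TMP = [Ace(True, EVERYONE, READ | WRITE)]  # writable by Everyone

def demo():
    return {name: (access_check(SANDBOX, dacl, READ), access_check(SANDBOX, dacl, WRITE))
            for name, dacl in [("workspace", WORKSPACE), ("home", HOME_DIR), ("shared_tmp", SHARED_TMP)]}
```

In this model, reads succeed wherever the user can already read, writes succeed only where a restricting SID is granted write, and a directory that grants write to Everyone stays writable from inside the sandbox because Everyone is in the restricted SID list.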
The Elevated Sandbox: Production Architecture
The production design introduces two dedicated lower-privilege sandbox users, filesystem permission boundaries, firewall rules, and local policy changes needed for commands that run in the sandbox. This approach provides stronger UI isolation and is preferred over the unelevated sandbox.
Enterprise administrators can constrain which native sandbox implementations Codex can use through requirements.toml. By default, both sandbox modes also use a private desktop for stronger UI isolation.
Key Facts
- OpenAI built a custom Windows sandbox architecture to power its Codex coding agent.
- The company evaluated several existing Windows security technologies, including Windows Sandbox and Mandatory Integrity Control (MIC).
- Codex requires direct access to a developer's working environment, tools, and repositories.
- The production design introduces two dedicated lower-privilege sandbox users, filesystem permission boundaries, firewall rules, and local policy changes needed for commands that run in the sandbox.
- Enterprise administrators can constrain which native sandbox implementations Codex can use through requirements.toml.
What Comes Next
The publication of OpenAI's Windows sandbox architecture provides valuable insights into the engineering tradeoffs required to balance security, usability, and developer productivity on Microsoft's operating system. As the adult industry continues to adopt AI-powered tools like Codex, understanding the technical nuances behind these solutions will be crucial for platform operators and developers.