How OpenAI Built a Custom Sandbox to Bring Codex to Windows

OpenAI engineered a bespoke Windows sandbox for its Codex coding agent after existing OS-level isolation tools proved unfit for open-ended developer workflows.

OpenAI’s Codex coding agent shipped without a working sandbox on Windows until the engineering team built one from scratch, according to the OpenAI Blog. Before this work, Windows users were stuck choosing between manually approving nearly every agent command or handing Codex unrestricted system access — a security gap that didn’t exist for macOS and Linux users, who benefit from OS-native isolation primitives like Apple’s Seatbelt and Linux’s seccomp or bubblewrap.

The Windows Isolation Gap in OpenAI Codex

According to the OpenAI Blog, a Codex engineer who joined the project in September 2025 found that the Windows version had no sandbox implementation at all. On all platforms, Codex runs locally on developer machines — via CLI, an IDE extension, or a desktop application — and executes commands with the full permissions of the signed-in user. The intended default behavior restricts file writes to the active workspace directory and blocks outbound network access, but enforcing those constraints requires OS-level primitives that Windows does not provide natively.

The OpenAI team evaluated three existing Windows mechanisms: AppContainer (a capability-based model designed for pre-scoped apps), Windows Sandbox (a lightweight virtual machine), and Mandatory Integrity Control labeling. The OpenAI Blog notes that each approach broke down against Codex’s operational profile: the agent must dynamically invoke shells, Git, Python interpreters, package managers, and arbitrary build tools — a surface area too broad and unpredictable for any of these tools to handle without significant friction or escape risk.

A Custom Sandbox Architecture for Dynamic Developer Workflows

Rather than retrofitting an ill-fitting existing tool, the team designed a purpose-built isolation layer. The architecture ensures that every Codex command launches already inside the sandbox boundary, with all descendant processes inheriting the same constraints automatically — no per-command approval required for low-risk operations like file reads.

This mirrors a broader pattern in agentic AI deployment: as coding agents gain the ability to autonomously execute multi-step tasks, the traditional model of user approval for each discrete action becomes impractical, yet blanket system trust is unacceptable. The Windows gap was a concrete example of how OS-level security infrastructure has not kept pace with the demands of ambient, agent-driven compute.

Why This Matters

For enterprise and professional developers running Windows — still the dominant desktop platform in many corporate environments — the absence of a proper Codex sandbox was a genuine adoption barrier. Teams with security policies or compliance requirements could not responsibly enable Full Access mode, yet constant manual approval prompts undermine the productivity case for using a coding agent at all.

The custom sandbox removes that blocker and brings Windows to parity with macOS and Linux deployments. More broadly, OpenAI’s decision to engineer a bespoke isolation layer rather than wait for Microsoft to ship native primitives signals that AI tooling vendors may increasingly need to own their own security infrastructure rather than rely on the host OS. Organizations evaluating Codex for Windows deployments should verify that their specific toolchains — particularly unconventional build systems or proprietary package managers — remain functional within the new sandbox constraints.

Frequently Asked Questions

Why did Windows users of OpenAI Codex face security tradeoffs before this fix?

Windows lacked a built-in sandbox capable of constraining open-ended developer workflows, so Codex users had to either approve nearly every command manually or grant full, unrestricted system access.

Why didn't OpenAI use Windows' existing isolation tools like AppContainer?

AppContainer is designed for tightly scoped apps that declare their resource needs upfront, whereas Codex drives dynamic workflows involving shells, Git, Python, package managers, and build tools — a profile AppContainer cannot accommodate cleanly.

What does the Codex sandbox restrict by default?

By default, Codex can read files broadly but limits file writes to the active workspace directory and blocks internet access unless the user explicitly enables it.
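The defaults described above (broad reads, writes confined to the workspace, no network unless enabled) can be modelled to pre-check which of a toolchain's operations would fall outside them. This is an added example, not OpenAI's code and not the sandbox's enforcement mechanism; the function names, labels and sample operations are assumptions constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any host OS

def _canon(path, workspace):
    """Resolve against the workspace, collapse '..', fold case and slashes."""
    return ntpath.normcase(ntpath.normpath(ntpath.join(workspace, path)))

def inside_workspace(target, workspace):
    """Lexical containment only: symlinks and junctions are not resolved."""
    ws, tgt = _canon(workspace, workspace), _canon(target, workspace)
    try:
        # Compare whole components, so C:\work\repo-old is not inside C:\work\repo.
        return ntpath.commonpath([ws, tgt]) == ws
    except ValueError:  # different drive letter or UNC share
        return False

def decide(op, target, workspace, network_enabled=False):
    """Model of the stated defaults: broad reads, workspace-only writes, no network."""
    if op == "read":
        return "allowed"
    if op == "write":
        return "allowed" if inside_workspace(target, workspace) else "outside-default"
    if op == "network":
        return "allowed" if network_enabled else "outside-default"
    raise ValueError(f"unknown operation: {op}")

def audit(ops, workspace, network_enabled=False):
    """Return the operations the default policy would not permit."""
    return [(op, tgt) for op, tgt in ops
            if decide(op, tgt, workspace, network_enabled) != "allowed"]

# Constructed sample: operations a hypothetical build might perform.
WORKSPACE = r"C:\work\repo"
SAMPLE_OPS = [
    ("read",    r"C:\Windows\System32\drivers\etc\hosts"),
    ("write",   r"build\out.obj"),
    ("write",   r"C:\WORK\Repo\src\..\dist\app.exe"),
    ("write",   r"..\repo-old\notes.txt"),
    ("write",   r"C:\Users\dev\AppData\Local\pkgcache\index.json"),
    ("write",   r"D:\scratch\tmp.bin"),
    ("network", "https://packages.example.invalid/simple/"),
]

if __name__ == "__main__":
    for op, tgt in audit(SAMPLE_OPS, WORKSPACE):
        print(f"{op:8} {tgt}")
```

Entries the audit returns, such as a package cache under the user profile, are the operations to test first when checking that a toolchain still works under the default constraints.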