Inside the Codex Windows Sandbox: How OpenAI Protects AI Agents

What the Codex Windows Sandbox Is and Why It Matters

The Codex Windows sandbox is the security architecture that lets OpenAI's Codex coding agent execute tasks autonomously on a developer's PC while restricting its access to files, tools, and network resources through native Windows security primitives rather than a full virtual machine or container. OpenAI built it because the isolation options Windows already offers did not fit autonomous code execution: Codex needs to read and modify real project files, drive GUI applications, and run commands, without being handed the whole system. With it, Codex on Windows can control desktop apps, test interfaces, and reproduce bugs in the developer's active session, while approvals and instructions flow through the ChatGPT app on a phone. The design isolates the agent in a bounded environment while keeping the flexibility developers expect from a modern coding assistant.

Unelevated Sandbox: SIDs, ACLs, and Restricted Tokens

OpenAI's first Codex Windows sandbox, the unelevated sandbox, relied on Windows security identifiers (SIDs), access control lists (ACLs), and write-restricted tokens. The team introduced a synthetic SID, sandbox-write, and granted it write access only to specific directories: the current workspace and any explicitly configured writable paths. The mechanism behind this is standard Windows access checking: a write-restricted token passes a write access check only when both the user's own SIDs and the token's restricting SIDs are granted the right, so a process whose token is restricted by sandbox-write can write only where an ACL explicitly names that SID, whatever the developer's own account could otherwise do. Sensitive locations, including Git metadata directories, stayed protected through strict ACL rules, so even autonomous code execution could not silently rewrite repository internals. This gave Codex controlled access to the files developers care about without exposing the rest of the system as a playground. According to OpenAI's description, Windows does not provide a single primitive that maps cleanly to safe agent execution, so combining SIDs, ACLs, and restricted tokens became the practical path to agent isolation on everyday developer machines.
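The ACL half of that design, as an added example that is not OpenAI's code: a PowerShell script that grants a synthetic SID modify rights on a workspace, explicitly denies it write access on the workspace's .git directory, and prints the resulting ACEs for audit. The SID value, the script name and the parameter names are assumptions; the token half (a CreateRestrictedToken call with WRITE_RESTRICTED and this SID as the restricting SID, which is what makes the ACEs bite) is not shown.

```powershell
# Added example (not OpenAI's code): the ACL side of a write-restricted-token sandbox.
# Assumptions: $Workspace is the repo the agent may edit; $SandboxWriteSid is a made-up
# SID standing in for OpenAI's "sandbox-write" SID. The caller needs WRITE_DAC on the
# workspace (owner or administrator). Usage: .\Set-SandboxAcl.ps1 -Workspace C:\src\myapp
param(
    [Parameter(Mandatory)] [string] $Workspace,
    [string] $SandboxWriteSid = 'S-1-5-21-4242424242-1111111111-2222222222-5001'  # hypothetical
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Windows accepts ACEs for SIDs that resolve to no account, which is what makes a
# synthetic SID usable as a capability marker.
$sid        = New-Object System.Security.Principal.SecurityIdentifier($SandboxWriteSid)
$inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate  = [System.Security.AccessControl.PropagationFlags]::None
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'

# 1. Allow sandbox-write to modify the workspace tree. A write-restricted token passes a
#    write check only if BOTH the user's normal SIDs AND the restricting SIDs are granted
#    the right, so this ACE is what opens the workspace to the sandboxed process.
$acl   = Get-Acl -Path $Workspace
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'Modify', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($allow)
Set-Acl -Path $Workspace -AclObject $acl

# 2. Carve .git back out. The allow ACE above is inherited by .git, so an explicit deny is
#    needed; deny ACEs are evaluated before allow ACEs in the same DACL.
$gitDir = Join-Path $Workspace '.git'
if (Test-Path -LiteralPath $gitDir -PathType Container) {
    $gitAcl = Get-Acl -Path $gitDir
    $deny   = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $writeRights, $inherit, $propagate, 'Deny')
    $gitAcl.AddAccessRule($deny)
    Set-Acl -Path $gitDir -AclObject $gitAcl
}

# 3. Audit: list every ACE that names the sandbox SID. Asking for SecurityIdentifier
#    targets avoids a failed name lookup on the unresolvable synthetic SID.
foreach ($path in @($Workspace, $gitDir)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    (Get-Acl -Path $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $SandboxWriteSid } |
        ForEach-Object { '{0}: {1} {2}' -f $path, $_.AccessControlType, $_.FileSystemRights }
}
```

Two things to check after running it: `icacls` on a file under .git should show the deny ACE for the raw SID, and a process whose token is not write-restricted is completely unaffected by these ACEs, because the sandbox-write SID is never in its normal SID list. That is the intended property: the fence exists only for the agent.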

Elevated Sandbox: Dedicated Accounts and Network Boundaries

OpenAI later redesigned the Codex Windows sandbox into an elevated sandbox that creates dedicated local accounts, CodexSandboxOffline and CodexSandboxOnline, during setup; "elevated" refers to the administrator rights that setup step needs in order to create the accounts, not to the privileges the agent itself runs with. Codex commands run under these accounts with restricted tokens, so the agent's reach is scoped by what those accounts are granted rather than by the developer's own login. Because Windows Defender Firewall rules can be scoped to a local user SID, network permission is tied to the account, for example by blocking all outbound traffic for the offline account while leaving the online account subject to the normal policy; this gives online and offline modes without touching the developer's own tools and workflows. One caveat a practitioner should know: Windows Defender Firewall does not filter loopback traffic, so services listening on localhost remain reachable from the offline account. This model differs from containerization: instead of shipping an entire separate environment, it uses the Windows security model itself to fence filesystem and network access. For developers, this means sandbox sessions can be powerful enough to run real tools and tests, yet still ring-fenced so that an AI-driven mistake does not become a full system compromise.
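The account-plus-firewall pattern, as an added example that is not OpenAI's setup code: an elevated PowerShell script that creates the two sandbox accounts named above (with random passwords nobody needs to know), attaches an outbound block rule to the offline account by SID using the firewall's LocalUser filter, and provides an audit helper that lists every rule scoped to a given account. The helper names, rule names, and password handling are assumptions; only the two account names come from the article.

```powershell
#Requires -RunAsAdministrator
# Added example, not OpenAI's setup code. Creates the two sandbox accounts the article
# names and scopes Windows Defender Firewall rules to them by SID. Helper names, rule
# names and password handling are assumed for illustration.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function New-SandboxAccount {
    param([Parameter(Mandatory)] [string] $Name)
    $existing = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # 256-bit random password: nothing logs in with it interactively; the launcher obtains
    # a token for the account, so the secret only has to be unguessable.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-LocalUser -Name $Name -Password $password -PasswordNeverExpires -AccountNeverExpires `
        -UserMayNotChangePassword -Description 'Codex sandbox account (example)'
}

function Set-SandboxNetworkPolicy {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [ValidateSet('Offline', 'Online')] [string] $Mode
    )
    $sid = (Get-LocalUser -Name $AccountName).SID.Value
    # -LocalUser takes an SDDL string; its allow ACEs list the principals the rule matches.
    $principal = "O:LSD:(A;;CC;;;$sid)"
    $ruleName  = "Codex sandbox outbound block ($AccountName)"

    # Idempotent: drop any earlier copy of the rule before (re)creating it.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    if ($Mode -eq 'Offline') {
        # A Block rule wins over any Allow rule in Windows Firewall, so this denies the
        # account all outbound traffic regardless of other rules on the machine.
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Profile Any -Protocol Any -LocalUser $principal -Enabled True | Out-Null
    }
    # Online mode: no per-account block; the account falls through to the profile's
    # default outbound policy (Allow on a stock Windows install).
}

function Get-SandboxNetworkPolicy {
    # Audit helper: every firewall rule whose LocalUser filter names the account's SID.
    param([Parameter(Mandatory)] [string] $AccountName)
    $sid = (Get-LocalUser -Name $AccountName).SID.Value
    Get-NetFirewallRule | ForEach-Object {
        $filter = $_ | Get-NetFirewallSecurityFilter
        if ($filter.LocalUser -like "*$sid*") {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Direction = $_.Direction
                Action    = $_.Action
                Enabled   = $_.Enabled
            }
        }
    }
}

New-SandboxAccount -Name 'CodexSandboxOffline' | Out-Null
New-SandboxAccount -Name 'CodexSandboxOnline'  | Out-Null
Set-SandboxNetworkPolicy -AccountName 'CodexSandboxOffline' -Mode Offline
Set-SandboxNetworkPolicy -AccountName 'CodexSandboxOnline'  -Mode Online
Get-SandboxNetworkPolicy -AccountName 'CodexSandboxOffline' | Format-Table -AutoSize
```

The rule is matched against the user SID in the sending process's token, so child processes the agent spawns stay covered as long as they keep running as the sandbox account. Three caveats: the firewall must be enabled on the active profile for the rule to do anything; loopback traffic is not filtered, so localhost services stay reachable from the offline account; and the accounts are ordinary members of Users, so they can read most of the system but write only where an ACL grants them, which is why a filesystem fence like the one in the previous example is still needed alongside the network rule.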

Foreground Control, Mobile Oversight, and Developer Experience

On Windows, Codex operates on the active desktop: it reads the screen, clicks controls, and types in order to carry out flows such as GUI testing, installer checks, or bug reproduction. Because it runs in the foreground, the user hands over the current session while automation is in progress rather than working in parallel on the same desktop. The updated sandbox widens what the agent can safely automate but keeps this foreground constraint to limit unexpected interference. Phone-based oversight completes the workflow: a developer connects a PC from the ChatGPT app on iOS or Android and then reviews approvals, code diffs, test results, terminal output, and screenshots from the phone. The phone is a review and approval surface only; execution stays on the PC inside the sandbox, so developers get remote control of desktop automation without their mobile device becoming a second execution environment.

How the Sandbox Differs from Containers and Why It Sets a Pattern

The Codex Windows sandbox stands apart from typical containers and from Windows Sandbox because it keeps direct access to the developer's tools and repositories while still enforcing strong boundaries. Windows Sandbox was rejected for Codex because it runs in a disposable VM that does not share the live development environment and is not available on every Windows edition (it is absent from Home). Instead, OpenAI combined core Windows primitives (SIDs, ACLs, and restricted tokens) with dedicated accounts and firewall rules to build isolation inside the host OS. Commenters have noted that this model treats the filesystem as something to be carefully segmented rather than fully exposed. As coding agents become more capable, the approach offers a pattern: use the native Windows security model to create narrow, purposeful execution zones, so that autonomous code execution can help with real projects without demanding blind trust.
