
How OpenAI’s Windows Sandbox Keeps Codex Autonomous Agents Secure

What Windows Sandbox Security Means for Codex Autonomous Agents

Windows sandbox security for Codex autonomous agents is a system isolation architecture that uses Windows security identifiers, access control lists, restricted tokens, and dedicated sandbox accounts to confine agent actions to approved files, tools, and sessions while keeping the rest of the machine off-limits. OpenAI built this custom model because existing Windows isolation features did not match the needs of autonomous coding agents, which must read repositories, run tools, and control desktop apps without gaining full system control. Codex on Windows can execute commands, modify source code, and drive GUI applications, so OpenAI introduced an architecture that separates the agent’s permissions from the user’s normal account. The result is secure code execution that still feels practical for developers: they can let the agent run locally, manage tasks from a phone, and rely on the sandbox to enforce strict boundaries around what the agent can and cannot do.

SIDs, ACLs, and Restricted Tokens: The Unelevated Sandbox

OpenAI’s first Windows sandbox design, known as the unelevated sandbox, combines three core primitives: security identifiers (SIDs), access control lists (ACLs), and write-restricted tokens. A synthetic SID named sandbox-write marks which locations Codex is allowed to modify, such as the active workspace or explicitly configured directories. ACLs then enforce that this SID has write access only where it should, while sensitive paths, including Git metadata directories, remain read-only. Commands run under a token that can read more than it can write, limiting damage if an agent step misbehaves. This setup gives Codex enough reach to edit code, run tests, and inspect project files, but prevents broad filesystem changes. According to OpenAI, this work helps make Codex on Windows both powerful and secure, allowing developers to use autonomous agents in real-world environments with greater confidence.
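The boundary this section describes (write access for one sandbox principal on the workspace, read-only Git metadata, nothing writable outside) can be audited from the developer's own account. The script below is an added example, not OpenAI's code: it assumes the principal is given as a local account name such as CodexSandboxOffline or as an explicit SID string (the page names a synthetic sandbox-write SID but not its value), and that $Workspace is the one directory the agent may modify.

```powershell
# Added example, not OpenAI's code: audit the write boundary described above.
# Assumptions: $Principal is the identity the sandbox runs as (an account name or
# an explicit "S-1-..." SID string; the page does not give the sandbox-write SID
# value) and $Workspace is the one directory the agent is allowed to modify.
param(
    [string]$Workspace        = 'C:\src\myrepo',        # placeholder path
    [string]$Principal        = 'CodexSandboxOffline',  # account name or SID string
    [string[]]$MustBeReadOnly = @('.git')               # subpaths that must stay read-only
)

$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-PrincipalCanWrite {
    param([string]$Path, [string]$Who)
    $allow = $false; $deny = $false
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Match the ACE by account name suffix or by SID so either form of $Who works
        $id  = $ace.IdentityReference
        $sid = $null
        try { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        if ($id.Value -notlike "*\$Who" -and $sid -ne $Who) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    return ($allow -and -not $deny)   # an explicit Deny ACE always wins over Allow
}

$problems = @()
if (-not (Test-PrincipalCanWrite -Path $Workspace -Who $Principal)) {
    $problems += "$Principal has no write access to the workspace $Workspace"
}
foreach ($sub in $MustBeReadOnly) {
    $p = Join-Path $Workspace $sub
    if ((Test-Path -LiteralPath $p) -and (Test-PrincipalCanWrite -Path $p -Who $Principal)) {
        $problems += "$p is writable by $Principal but must stay read-only"
    }
}
# Spot-check two locations that lie outside the approved boundary
foreach ($outside in @($env:USERPROFILE, $env:SystemRoot)) {
    if (Test-PrincipalCanWrite -Path $outside -Who $Principal) {
        $problems += "$outside is writable by $Principal, outside the approved boundary"
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Write boundary for $Principal matches the expected layout."
```

The check only evaluates ACEs that name the principal directly; rights it would gain through group membership (for example BUILTIN\Users) are not summed, so a clean result is necessary rather than sufficient and should be confirmed with an effective-access tool such as icacls.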

Elevated Sandbox Accounts and Network Boundaries

To strengthen isolation, OpenAI later introduced the elevated sandbox, which creates separate local Windows accounts such as CodexSandboxOffline and CodexSandboxOnline during setup. Every command the agent runs is executed under these sandbox accounts using restricted tokens, so the agent never inherits the full rights of the logged-in developer. This makes the sandbox’s system isolation architecture clearer: filesystem access is limited by both account membership and ACL rules, and network access can be filtered through firewall policies. The CodexSandboxOffline account can be placed behind strict network rules, while CodexSandboxOnline supports workflows that genuinely need online resources. Developers gain predictable, secure code execution without constant prompts, since the sandbox account encapsulates what the agent can reach. As one developer commented on X, the sandbox architecture becomes “the unsung hero” by keeping the agent away from the rest of the filesystem.
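Whether the elevated sandbox actually holds depends on two things the paragraph names: the sandbox accounts must exist without administrative membership, and the offline account must sit behind a firewall rule. The script below is an added example, not OpenAI's code; it assumes the "strict network rules" take the form of an enabled outbound Block rule in Windows Firewall whose LocalUser filter names the offline account's SID.

```powershell
# Added example, not OpenAI's code: verify the account and network boundary
# described above. Assumes the two local accounts the page names exist and that
# the offline account's network restriction is an enabled outbound Block rule in
# Windows Firewall scoped to that account's SID through the rule's LocalUser filter.
$Accounts = @('CodexSandboxOffline', 'CodexSandboxOnline')
$Offline  = 'CodexSandboxOffline'
$findings = @()
$admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue

foreach ($name in $Accounts) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $user) { $findings += "local account $name does not exist"; continue }
    if (-not $user.Enabled) { $findings += "$name is disabled, so sandboxed commands cannot run" }
    # The agent must never inherit the developer's full rights
    if ($admins | Where-Object { $_.SID -eq $user.SID }) {
        $findings += "$name is a member of Administrators; the sandbox boundary is void"
    }
}

# Network boundary for the offline account: look for an enabled outbound Block
# rule whose LocalUser SDDL contains this account's SID
$offlineUser = Get-LocalUser -Name $Offline -ErrorAction SilentlyContinue
if ($offlineUser) {
    $sid = $offlineUser.SID.Value
    $blockRules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallSecurityFilter).LocalUser -like "*$sid*" }
    if (-not $blockRules) {
        $findings += "no enabled outbound Block rule is scoped to $Offline ($sid)"
    } else {
        $blockRules | ForEach-Object { Write-Host "outbound block for ${Offline}: $($_.DisplayName)" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Sandbox accounts and the offline network boundary look correct.'
```

Run it from an elevated prompt, since reading local group membership and firewall filters requires administrative rights.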

Foreground-Only Sessions and Safe Desktop Control

On Windows, Codex autonomous agents control desktop applications by reading the screen, clicking interface elements, and typing through workflows, but they do so only on the active desktop. The agent cannot quietly run in the background while a user continues normal work in the same session; the machine effectively becomes the task surface while automation is running. This foreground-only design is a security and usability compromise. It avoids hidden, long-lived background processes and aligns with sandbox accounts that are tied to a specific interactive session. OpenAI combines this with strict permission boundaries, so Codex can test installers, reproduce bugs, or step through UI flows without lingering access after the task ends. The sandbox rules limit persistence and unauthorized system access while still enabling realistic desktop testing, where the agent operates in the same environment developers use for day-to-day projects.

Phone-Based Oversight and Developer Productivity

The Windows sandbox security model is paired with a workflow that connects Codex’s desktop automation to mobile supervision. Developers can start a task on a Windows PC, then use the ChatGPT app on a phone to approve commands, inspect diffs, review screenshots, and read terminal output. The work still runs on the sandboxed desktop, not on the phone, so approvals happen remotely while the sandbox enforces boundaries locally. This arrangement supports secure code execution and productivity at the same time: the agent has enough access to repositories and tools inside its sandbox accounts, while users retain high-level control from wherever they are. Because the sandbox limits both filesystem and network reach, developers can feel comfortable letting Codex continue longer tasks like builds or GUI checks without “hovering over it like a nervous parent,” and still intervene quickly through their mobile device when the next decision point appears.
