OpenAI: Codex sandbox for Windows introduces controlled filesystem and network restrictions for autonomous agents

OpenAI published Codex Windows Sandbox on May 13, 2026 — a security architecture enabling autonomous execution of the Codex coding agent on the Windows operating system. The approach closes a gap, since previous Codex versions were limited to macOS and Linux platforms where Unix-tradition sandbox primitives were immediately available.

What does the sandbox technically secure?

OpenAI designed the sandbox around two key constraints: controlled filesystem access and network restrictions. The Codex agent writes and runs scripts without manual review of every command, so sandbox isolation ensures that mistakes or adversarial inputs cannot access files outside the agent’s working directory or make uncontrolled network calls.

Why did Windows require a separate architecture?

macOS and Linux have mature sandbox primitives — Unix chroot, macOS seatbelt profiles and Linux namespace isolation. Windows takes a different approach to sandboxing: it requires a separate combination of Windows Security Sandbox, AppContainer and Windows Filtering Platform for network controls. OpenAI had to build the architecture from scratch to achieve the same isolation guarantees.

What is its position in OpenAI’s agentic strategy?

Codex has become one of OpenAI’s key products in 2026 — alongside API Codex models, the Codex CLI and the Codex Cloud option for GitHub repositories. Expanding to Windows opens the market of enterprise developers who use Windows as their primary work platform. The approach aligns with OpenAI’s emphasis on “safe, efficient coding agents” — suggesting that every new platform support requires a full security audit before launch.

Details from RSS description: the full article at openai.com/index/* returns HTTP 403 on direct WebFetch requests, so the primary source was the openai.com/news/rss.xml feed.