2026-05-14

Codex Windows sandbox engineering blog

security, pricing, agents

Summary

OpenAI published a detailed engineering blog on May 13 describing how they built a secure sandbox for Codex on Windows. Windows lacks OS-level sandbox primitives comparable to macOS Seatbelt or Linux Bubblewrap/Landlock, so the team implemented Restricted Token-based isolation. The sandbox has two modes: an elevated sandbox (stronger, requires admin) and an unelevated fallback. Codex also supports WSL2 with the Linux sandbox. The high-level SandboxPolicy API translates to OS-native primitives across all three platforms.

Implications

  • Feeds the Claude Code security surface thread as a cross-agent comparison point: Codex now has documented, engineered sandboxing across all three major OS platforms. The SandboxPolicy abstraction is architecturally similar to Claude Code’s sandbox approach.
  • Windows sandbox is the hardest platform to secure for coding agents — this engineering investment signals OpenAI expects significant Windows enterprise adoption for Codex.
  • The WSL2 path using Linux sandbox is pragmatic: enterprise Windows machines with WSL2 get Linux-grade isolation without the Restricted Token complexity.
