
How OpenAI Built a Secure Sandbox for Codex on Windows

[Figure: header image (Image: OpenAI Blog)]

Running an AI coding agent on your machine is a different kind of trust problem than running a chatbot. A coding agent doesn't just generate text - it reads files, writes files, runs code, and makes network requests. On Linux, container-based sandboxing handles this reasonably well. On Windows, the problem is harder.

OpenAI published a technical breakdown of how they built the sandbox that lets Codex run safely on Windows. The core challenge: give the agent enough access to actually do useful work while preventing it from touching anything it shouldn't.

What the Sandbox Actually Restricts

The Windows sandbox they built operates with tightly scoped file access - Codex can read and write within project directories you explicitly allow, but not freely browse your filesystem. Network access is similarly gated: the agent can reach services it needs for development tasks, but outbound connections outside that allowlist are blocked.

This matters more than it sounds. A coding agent working on a web project might legitimately need to install npm packages, run a local dev server, and read environment config. But you don't want it silently making requests to external endpoints or reading credentials stored elsewhere on your machine. The sandbox enforces that boundary without requiring you to think through every possible action the agent might take.

[Figure: diagram showing Codex sandbox operating-system isolation boundaries (Image: OpenAI Blog)]

The Windows-Specific Problem

Windows doesn't have native container primitives the way Linux does. OpenAI had to build on Windows Sandbox - Microsoft's lightweight VM feature - combined with additional process isolation and filesystem virtualization to get the security properties they needed. The result runs fast enough to be practical for an interactive coding workflow, which is the constraint that makes this genuinely difficult. A sandbox that takes 30 seconds to spin up is useless for a tool people run constantly.

For developers using Codex, the practical implication is that the agent's access to your system is defined and bounded rather than open-ended. You're not just trusting the model's judgment about what it should touch - the environment itself enforces limits.

OpenAI's writeup is worth reading for anyone thinking seriously about running AI coding agents locally, on any platform. The threat model they're working against - an agent that's been manipulated through malicious code in a repo, for example - is a real one, and how they addressed it on Windows sets a useful baseline for what "safe" should mean in this context.

[Figure: diagram titled "sandbox write requires both regular user access and sandbox-write SID access" (Image: OpenAI Blog)]
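To make the two policy ideas above concrete, the project-directory and network allowlists described earlier and the two-gate write rule in the last diagram, here is an added toy model written for this page; it is not OpenAI's code, and the SID strings, the `Policy` class and the example paths are constructed placeholders.

```python
"""Toy model of the Codex Windows sandbox policy described on this page (constructed
example, not OpenAI's implementation). A write succeeds only if the target resolves
inside an allowed project root AND the regular user may write there AND the token
carries the sandbox-write SID; outbound connections must match a host allowlist."""
from dataclasses import dataclass, field
import os

USER_SID = "S-1-5-21-0-0-0-1001"            # placeholder, not a real SID
SANDBOX_WRITE_SID = "S-1-5-21-0-0-0-9999"   # placeholder for the sandbox-write SID


@dataclass
class Token:
    sids: set[str]                            # SIDs present in the agent's access token


@dataclass
class Policy:
    project_roots: list[str]                  # directories the user explicitly allowed
    net_allowlist: set[str]                   # hosts the agent may connect to
    user_denied: set[str] = field(default_factory=set)  # paths the regular user cannot write


def _canon(path: str) -> str:
    # Resolve "..", symlinks and (on Windows) case, so "proj\..\secrets" cannot escape a root.
    return os.path.normcase(os.path.realpath(path))


def _inside(path: str, root: str) -> bool:
    path, root = _canon(path), _canon(root)
    # Append a separator so "/work/proj" does not also match "/work/project2".
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def can_write(policy: Policy, token: Token, path: str) -> bool:
    in_project = any(_inside(path, r) for r in policy.project_roots)
    user_ok = USER_SID in token.sids and not any(_inside(path, d) for d in policy.user_denied)
    sandbox_ok = SANDBOX_WRITE_SID in token.sids
    return in_project and user_ok and sandbox_ok       # all three gates must pass


def can_connect(policy: Policy, host: str) -> bool:
    return host.lower() in policy.net_allowlist


if __name__ == "__main__":
    pol = Policy(["/work/proj"], {"registry.npmjs.org"}, user_denied={"/work/proj/.env"})
    tok = Token({USER_SID, SANDBOX_WRITE_SID})
    print(can_write(pol, tok, "/work/proj/src/app.py"))       # True
    print(can_write(pol, tok, "/work/proj/../secrets.txt"))   # False: escapes the root
```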