Windows Isolation Shortfalls Demand Custom Sandbox
Existing Windows isolation tools fail for AI coding agents like Codex, which drive open-ended developer workflows (shells, Git, Python, builds). AppContainer suits scoped apps but not dynamic agent binaries. Windows Sandbox offers VM isolation but requires host/guest bridging and excludes Home SKUs, blocking direct workspace access. Mandatory Integrity Control (MIC) would label the workspace low-integrity, exposing it to every low-trust process on the host, not just Codex, and so risking broader compromise. Result: Codex defaults force users to approve every command (inefficient) or enable full access (unsafe). Solution: build an OS-enforced sandbox that limits file writes to the workspace (current directory plus config.toml writable_roots), grants read access matching the user, and allows no outbound network unless approved.
Unelevated Prototype Uses SIDs and Restricted Tokens for Granular Writes
The first prototype avoids admin elevation by creating a synthetic sandbox-write SID, granting it write/execute/delete on the workspace and denying it on .git, .codex, .agents. Commands launch under a write-restricted token, so every access check must pass twice: once against the normal user ACL and once against the restricting SID list (Everyone, the logon session SID, sandbox-write); writes therefore succeed only where both the user and the sandbox-write SID are allowed, without modifying the host broadly. Network limits use advisory env vars only: HTTPS_PROXY=http://127.0.0.1:9, ALL_PROXY=http://127.0.0.1:9, GIT_HTTPS_PROXY=http://127.0.0.1:9, GIT_SSH_COMMAND=cmd /c exit 1, plus denybin PATH stubs for SSH/SCP. Tradeoffs: slow ACL setup on large dirs, hard to reconfigure, weak network control (bypassable by custom sockets or non-proxy tools). A firewall is infeasible unelevated: Windows Firewall rules can't target restricted tokens or child processes like Git/Python.
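The ACL half of that dual check, as an added PowerShell example that is not Codex's own code: it grants the sandbox-write SID write/execute/delete on one workspace, adds explicit denies on .git, .codex and .agents, and reads the resulting ACEs back. The SID value is a constructed placeholder (Codex generates its own synthetic SID), and the token half (CreateRestrictedToken) is outside this script.

```powershell
# Added example, not code from the Codex project. Lays out the workspace ACLs the
# unelevated prototype describes; run as the workspace owner, no elevation needed.
param(
    [string]$Workspace  = (Get-Location).Path,
    # Constructed placeholder SID; any syntactically valid SID can appear in an ACE.
    [string]$SandboxSid = 'S-1-5-21-1111111111-2222222222-3333333333-4444'
)

$sid     = New-Object System.Security.Principal.SecurityIdentifier $SandboxSid
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
# Write/execute/delete only: reads come from the user's own ACEs and Everyone.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, ExecuteFile, Delete, DeleteSubdirectoriesAndFiles'

function Set-SandboxAce {
    param([string]$Path, [System.Security.AccessControl.AccessControlType]$Type)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $sid, $rights, $inherit, $prop, $Type)
    # Drop any earlier sandbox ACE of this type so re-runs stay idempotent.
    $acl.RemoveAccessRuleAll($rule)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-SandboxAces {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $SandboxSid } |
        Select-Object @{n='Path';e={$Path}}, AccessControlType, FileSystemRights, IsInherited
}

# Allow on the workspace tree; explicit Deny on the protected subdirectories.
# An explicit Deny is evaluated before the inherited Allow, so under the
# restricted token a write into .git fails the sandbox-SID check.
Set-SandboxAce -Path $Workspace -Type Allow
$protected = foreach ($name in '.git', '.codex', '.agents') {
    $p = Join-Path $Workspace $name
    if (Test-Path -LiteralPath $p) { Set-SandboxAce -Path $p -Type Deny; $p }
}

@($Workspace) + @($protected) | ForEach-Object { Get-SandboxAces -Path $_ } | Format-Table -AutoSize
```

Directories that do not yet exist under the workspace are skipped; create .codex or .agents first if the deny should be in place before the agent runs.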
Elevated Redesign Leverages Dedicated Users and Firewall for Strong Isolation
Shifting to elevation at setup time creates two local users, CodexSandboxOffline (firewall-blocked) and CodexSandboxOnline (network-allowed), with credentials encrypted via DPAPI. The setup binary codex-windows-sandbox-setup.exe handles the synthetic SID, the users, firewall rules blocking all outbound traffic for the Offline user, and asynchronously applied read ACLs on dirs like C:\Users\<user>, C:\Windows, C:\Program Files. The command flow splits in two: codex.exe launches codex-command-runner.exe as the sandbox user via CreateProcessWithLogonW; on the sandbox side, the runner builds a restricted token (same SID list) with OpenProcessToken and CreateRestrictedToken and starts the child with CreateProcessAsUserW. This gives read equivalence to the real user, write restrictions, and per-user firewall scoping without blocking all Python/Git globally. Setup runs once, then use is frictionless: agents run tests, edit files, and branch in Git within the workspace, with no network exfiltration and no stray writes.
Safety-Usability Balance Matches macOS/Linux Sandboxes
Final multi-binary architecture (codex.exe, setup.exe, runner.exe, child) mirrors macOS Seatbelt/.sbpl and Linux seccomp/bubblewrap: OS primitives for process tree isolation. Complexity earned—each layer solves privilege walls, token boundaries, async costs—yielding production sandbox where agents act like developers (full reads, targeted writes) but can't escape bounds. Users avoid tedious approvals or risky full access, matching cross-platform delight.