OpenAI rebuilds Codex sandbox on Windows, Willison ships Codex-built blog

Sources

Building a safe, effective sandbox to enable Codex on Windows openai.com

Learn how OpenAI built a secure sandbox for Codex on Windows, enabling safe, efficient coding agents with controlled file access and network restrictions.

Welcome to the Datasette blog simonwillison.net

Welcome to the Datasette blog We have a bunch of neat Datasette announcements in the pipeline so we decided it was time the project grew an official blog. I built this using OpenAI Codex desktop, which turns out to have the Markdown session transcript export feature I’ve always wanted. Here’s the session that built the blog . See also issue 179 . Tags: ai , datasette , generative-ai , llms , ai-assisted-programming , codex

References

Cyber Security News — Codex command-injection disclosure cybersecuritynews.com

malicious GitHub branch names could bypass input sanitization during container setup, allowing attackers to exfiltrate OAuth tokens… desktop versions of Codex allegedly stored session tokens in unencrypted local files

Claude Code official security docs (Anthropic) code.claude.com

Claude Code’s native sandbox currently supports macOS (via Seatbelt) and Linux (via bubblewrap)… for Windows users, it requires WSL2 to enforce kernel-level filesystem and network restrictions

Luis Cardoso — ‘Sandboxes for AI’ technical blog luiscardoso.dev

OpenAI’s Codex team originally rejected AppContainer because its narrow, capability-based model was incompatible with open-ended developer workflows… They instead pivoted to a hybrid approach using write-restricted tokens

pierce.dev — ‘A deep dive on agent sandboxes’ pierce.dev

Configuration-Based Sandbox Escapes (CBSE), where the agent’s own startup logic or configuration files are writable from within the sandbox, allowing for persistent host-side re-execution

GitHub issue openai/codex#19315 — unified_exec PTY bypass github.com

the unified_exec PTY (Pseudo-Terminal) path… bypassed these restrictions… a simple whoami command would return the host’s primary user account, and networked commands like curl could successfully exfiltrate data

dev.to — ‘OS-level sandboxing: kernel isolation for AI agents’ dev.to

while tools like bubblewrap or Landlock provide strong isolation, they share the host kernel; a kernel-level vulnerability could still allow an agent to escape… gVisor… with a 10–50% performance overhead that is generally deemed too heavy for local CLI use

buildfastwithai.com — Claude Code vs Codex 2026 buildfastwithai.com

Codex Desktop… holds a clear lead on Terminal-Bench 2.0, scoring 77.3% compared to Claude’s 65.4%… Codex is 2 to 4 times more token-efficient than Claude Code for equivalent tasks.

Stack Overflow Blog — ‘A new worst coder has entered the chat’ stackoverflow.blog

In practical tests involving legacy codebases, developers found that Codex excelled at identifying unused variables but failed to recognize deeper architectural anti-patterns, such as tight coupling between domains and databases.

themodelwire.com — coverage of the Datasette blog launch themodelwire.com

Willison published the session that built the blog as a GitHub Gist, treating the AI’s step-by-step process as essential documentation… normalizing AI-generated logs as legitimate technical artifacts, moving beyond viewing them as mere temporary scaffolding.

Simon Willison (Fediverse post) fedi.simonwillison.net

If a developer uses AI to double their output but the resulting code is harder to maintain, they have essentially ‘quadrupled’ their long-term burden.

Datasette docs (1.0a release notes) docs.datasette.io

Recent alpha releases (1.0a28 and 1.0a29) were dedicated to resolving ‘gnarly’ segfaults and race conditions involving the new datasette.close() method and internal connection management.

Reddit r/dotnet — Codex in VS Code thread reddit.com

Some users expressed frustration that the AI occasionally enters ‘loops’ when trying to fix bugs, necessitating a handoff to rivals like Claude for more complex reasoning.