Windows Sandbox - Alpha version

codex-rs/Cargo.toml

@@ -87,6 +87,7 @@ codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-string = { path = "utils/string" }
 codex-utils-tokenizer = { path = "utils/tokenizer" }
+codex-windows-sandbox = { path = "windows-sandbox" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }
@@ -210,6 +211,7 @@ walkdir = "2.5.0"
 webbrowser = "1.0"
 which = "6"
 wildmatch = "2.5.0"
+
 wiremock = "0.6"
 zeroize = "1.8.1"
 

codex-rs/README.md

@@ -63,6 +63,9 @@ codex sandbox macos [--full-auto] [COMMAND]...
 # Linux
 codex sandbox linux [--full-auto] [COMMAND]...
 
+# Windows
+codex sandbox windows [--full-auto] [COMMAND]...
+
 # Legacy aliases
 codex debug seatbelt [--full-auto] [COMMAND]...
 codex debug landlock [--full-auto] [COMMAND]...

codex-rs/cli/Cargo.toml

@@ -47,6 +47,9 @@ tokio = { workspace = true, features = [
     "signal",
 ] }
 
+[target.'cfg(target_os = "windows")'.dependencies]
+codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
+
 [dev-dependencies]
 assert_cmd = { workspace = true }
 assert_matches = { workspace = true }

codex-rs/cli/src/debug_sandbox.rs

@@ -11,6 +11,7 @@ use codex_protocol::config_types::SandboxMode;
 
 use crate::LandlockCommand;
 use crate::SeatbeltCommand;
+use crate::WindowsCommand;
 use crate::exit_status::handle_exit_status;
 
 pub async fn run_command_under_seatbelt(
@@ -51,9 +52,29 @@ pub async fn run_command_under_landlock(
     .await
 }
 
+pub async fn run_command_under_windows(
+    command: WindowsCommand,
+    codex_linux_sandbox_exe: Option<PathBuf>,
+) -> anyhow::Result<()> {
+    let WindowsCommand {
+        full_auto,
+        config_overrides,
+        command,
+    } = command;
+    run_command_under_sandbox(
+        full_auto,
+        command,
+        config_overrides,
+        codex_linux_sandbox_exe,
+        SandboxType::Windows,
+    )
+    .await
+}
+
 enum SandboxType {
     Seatbelt,
     Landlock,
+    Windows,
 }
 
 async fn run_command_under_sandbox(
@@ -87,6 +108,63 @@ async fn run_command_under_sandbox(
     let stdio_policy = StdioPolicy::Inherit;
     let env = create_env(&config.shell_environment_policy);
 
+    // Special-case Windows sandbox: execute and exit the process to emulate inherited stdio.
+    if let SandboxType::Windows = sandbox_type {
+        #[cfg(target_os = "windows")]
+        {
+            use codex_windows_sandbox::run_windows_sandbox_capture;
+
+            let policy_str = match &config.sandbox_policy {
+                codex_core::protocol::SandboxPolicy::DangerFullAccess => "workspace-write",
+                codex_core::protocol::SandboxPolicy::ReadOnly => "read-only",
+                codex_core::protocol::SandboxPolicy::WorkspaceWrite { .. } => "workspace-write",
+            };
+
+            let sandbox_cwd = sandbox_policy_cwd.clone();
+            let cwd_clone = cwd.clone();
+            let env_map = env.clone();
+            let command_vec = command.clone();
+            let res = tokio::task::spawn_blocking(move || {
+                run_windows_sandbox_capture(
+                    policy_str,
+                    &sandbox_cwd,
+                    command_vec,
+                    &cwd_clone,
+                    env_map,
+                    None,
+                )
+            })
+            .await;
+
+            let capture = match res {
+                Ok(Ok(v)) => v,
+                Ok(Err(err)) => {
+                    eprintln!("windows sandbox failed: {err}");
+                    std::process::exit(1);
+                }
+                Err(join_err) => {
+                    eprintln!("windows sandbox join error: {join_err}");
+                    std::process::exit(1);
+                }
+            };
+
+            if !capture.stdout.is_empty() {
+                use std::io::Write;
+                let _ = std::io::stdout().write_all(&capture.stdout);
+            }
+            if !capture.stderr.is_empty() {
+                use std::io::Write;
+                let _ = std::io::stderr().write_all(&capture.stderr);
+            }
+
+            std::process::exit(capture.exit_code);
+        }
+        #[cfg(not(target_os = "windows"))]
+        {
+            anyhow::bail!("Windows sandbox is only available on Windows");
+        }
+    }
+
     let mut child = match sandbox_type {
         SandboxType::Seatbelt => {
             spawn_command_under_seatbelt(
@@ -115,6 +193,9 @@ async fn run_command_under_sandbox(
             )
             .await?
         }
+        SandboxType::Windows => {
+            unreachable!("Windows sandbox should have been handled above");
+        }
     };
     let status = child.wait().await?;
 

codex-rs/cli/src/lib.rs

@@ -32,3 +32,17 @@ pub struct LandlockCommand {
     #[arg(trailing_var_arg = true)]
     pub command: Vec<String>,
 }
+
+#[derive(Debug, Parser)]
+pub struct WindowsCommand {
+    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
+    #[arg(long = "full-auto", default_value_t = false)]
+    pub full_auto: bool,
+
+    #[clap(skip)]
+    pub config_overrides: CliConfigOverrides,
+
+    /// Full command args to run under Windows restricted token sandbox.
+    #[arg(trailing_var_arg = true)]
+    pub command: Vec<String>,
+}

codex-rs/cli/src/main.rs

@@ -7,6 +7,7 @@ use codex_chatgpt::apply_command::ApplyCommand;
 use codex_chatgpt::apply_command::run_apply_command;
 use codex_cli::LandlockCommand;
 use codex_cli::SeatbeltCommand;
+use codex_cli::WindowsCommand;
 use codex_cli::login::read_api_key_from_stdin;
 use codex_cli::login::run_login_status;
 use codex_cli::login::run_login_with_api_key;
@@ -151,6 +152,9 @@ enum SandboxCommand {
     /// Run a command under Landlock+seccomp (Linux only).
     #[clap(visible_alias = "landlock")]
     Linux(LandlockCommand),
+
+    /// Run a command under Windows restricted token (Windows only).
+    Windows(WindowsCommand),
 }
 
 #[derive(Debug, Parser)]
@@ -472,6 +476,17 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                 )
                 .await?;
             }
+            SandboxCommand::Windows(mut windows_cli) => {
+                prepend_config_flags(
+                    &mut windows_cli.config_overrides,
+                    root_config_overrides.clone(),
+                );
+                codex_cli::debug_sandbox::run_command_under_windows(
+                    windows_cli,
+                    codex_linux_sandbox_exe,
+                )
+                .await?;
+            }
         },
         Some(Subcommand::Apply(mut apply_cli)) => {
             prepend_config_flags(
@@ -497,7 +512,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                 // Respect root-level `-c` overrides plus top-level flags like `--profile`.
                 let cli_kv_overrides = root_config_overrides
                     .parse_overrides()
-                    .map_err(|e| anyhow::anyhow!(e))?;
+                    .map_err(anyhow::Error::msg)?;
 
                 // Thread through relevant top-level flags (at minimum, `--profile`).
                 // Also honor `--search` since it maps to a feature toggle.

codex-rs/cli/src/mcp_cmd.rs

@@ -196,7 +196,9 @@ impl McpCli {
 
 async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Result<()> {
     // Validate any provided overrides even though they are not currently applied.
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
     let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
         .await
         .context("failed to load configuration")?;
@@ -310,7 +312,9 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
 }
 
 async fn run_remove(config_overrides: &CliConfigOverrides, remove_args: RemoveArgs) -> Result<()> {
-    config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
 
     let RemoveArgs { name } = remove_args;
 
@@ -341,7 +345,9 @@ async fn run_remove(config_overrides: &CliConfigOverrides, remove_args: RemoveAr
 }
 
 async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
     let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
         .await
         .context("failed to load configuration")?;
@@ -380,7 +386,9 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
 }
 
 async fn run_logout(config_overrides: &CliConfigOverrides, logout_args: LogoutArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
     let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
         .await
         .context("failed to load configuration")?;
@@ -407,7 +415,9 @@ async fn run_logout(config_overrides: &CliConfigOverrides, logout_args: LogoutAr
 }
 
 async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
     let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
         .await
         .context("failed to load configuration")?;
@@ -662,7 +672,9 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
 }
 
 async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
     let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
         .await
         .context("failed to load configuration")?;

codex-rs/core/Cargo.toml

@@ -83,6 +83,7 @@ tree-sitter-bash = { workspace = true }
 uuid = { workspace = true, features = ["serde", "v4"] }
 which = { workspace = true }
 wildmatch = { workspace = true }
+codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
 
 
 [target.'cfg(target_os = "linux")'.dependencies]

codex-rs/core/src/config/mod.rs

@@ -769,6 +769,8 @@ impl ConfigToml {
         let mut forced_auto_mode_downgraded_on_windows = false;
         if cfg!(target_os = "windows")
             && matches!(resolved_sandbox_mode, SandboxMode::WorkspaceWrite)
+            // If the experimental Windows sandbox is enabled, do not force a downgrade.
+            && crate::safety::get_platform_sandbox().is_none()
         {
             sandbox_policy = SandboxPolicy::new_read_only_policy();
             forced_auto_mode_downgraded_on_windows = true;
@@ -900,6 +902,10 @@ impl Config {
         };
 
         let features = Features::from_config(&cfg, &config_profile, feature_overrides);
+        #[cfg(target_os = "windows")]
+        {
+            crate::safety::set_windows_sandbox_enabled(features.enabled(Feature::WindowsSandbox));
+        }
 
         let resolved_cwd = {
             use std::env;