OpenAI - Codex Docs Changes 2026-04-18 18:18 UTC → 2026-04-21 06:45 UTC

153Codex enforces the sandbox differently depending on your OS:153Codex enforces the sandbox differently depending on your OS:

154 154 

155- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.155- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

156- **Linux** uses the `bwrap` pipeline plus `seccomp` by default. `use_legacy_landlock` is available when you need the older path. In managed proxy mode, the default `bwrap` pipeline routes egress through a proxy-only bridge and fails closed if it can’t build valid local proxy routes.156- **Linux** uses `bwrap` plus `seccomp` by default.

157- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.157- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

158 158 

159If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:159If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:

176 176 

177See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.177See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

178 178 

179When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.179When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration blocks the namespace, setuid `bwrap`, or `seccomp` operations that Codex needs.

180 180 

181In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.181In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

182 182 

183### Run Codex in Dev Containers

184 

185If your host cannot run the Linux sandbox directly, or if your organization already standardizes on containerized development, run Codex with Dev Containers and let Docker provide the outer isolation boundary. This works with Visual Studio Code Dev Containers and compatible tools.

186 

187Use the [Codex secure devcontainer example](https://github.com/openai/codex/tree/main/.devcontainer) as a reference implementation. The example installs Codex, common development tools, `bubblewrap`, and firewall-based outbound controls.

188 

189Devcontainers provide substantial protection, but they do not prevent every

190 attack. If you run Codex with `--sandbox danger-full-access` or

191 `--dangerously-bypass-approvals-and-sandbox` inside the container, a malicious

192 project can exfiltrate anything available inside the devcontainer, including

193 Codex credentials. Use this pattern only with trusted repositories, and

194 monitor Codex activity as you would in any other elevated environment.

195 

196The reference implementation includes:

197 

198- an Ubuntu 24.04 base image with Codex and common development tools installed;

199- an allowlist-driven firewall profile for outbound access;

200- VS Code settings and extension recommendations for reopening the workspace in a container;

201- persistent mounts for command history and Codex configuration;

202- `bubblewrap`, so Codex can still use its Linux sandbox when the container grants the needed capabilities.

203 

204To try it:

205 

2061. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).

2072. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.

2083. In VS Code, run **Dev Containers: Open Folder in Container…** and select `.devcontainer/devcontainer.secure.json`.

2094. After the container starts, open a terminal and run `codex`.

210 

211You can also start the container from the CLI:

212 

213```bash

214devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json

215```

216 

217The example has three main pieces:

218 

219- `.devcontainer/devcontainer.secure.json` controls container settings, capabilities, mounts, environment variables, and VS Code extensions.

220- `.devcontainer/Dockerfile.secure` defines the Ubuntu-based image and installed tools.

221- `.devcontainer/init-firewall.sh` applies the outbound network policy.

222 

223The reference firewall is intentionally a starting point. If you depend on domain allowlisting for isolation, implement DNS rebinding and DNS refresh protections that fit your environment, such as TTL-aware refreshes or a DNS-aware firewall.

224 

225Inside the container, choose one of these modes:

226 

227- Keep Codex's Linux sandbox enabled if the Dev Container profile grants the capabilities needed for `bwrap` to create the inner sandbox.

228- If the container is your intended security boundary, run Codex with `--sandbox danger-full-access` inside the container so Codex does not try to create a second sandbox layer.

229 

183## Version control230## Version control

184 231 

185Codex works best with a version control workflow:232Codex works best with a version control workflow:

14memories as a helpful local recall layer, not as the only source for rules that14memories as a helpful local recall layer, not as the only source for rules that

15must always apply.15must always apply.

16 16 

17[Chronicle](https://developers.openai.com/codex/memories/chronicle) helps Codex recover recent working

18context from your screen to build up memory.

19 

17## Enable memories20## Enable memories

18 21 

19In the Codex app, enable Memories in settings.22In the Codex app, enable Memories in settings.

1# Chronicle

2 

3Chronicle is in an **opt-in research preview**. It is only available for

4 ChatGPT Pro subscribers on macOS, and is not yet available in the EU, UK and

5 Switzerland. Please review the [Privacy and Security](#privacy-and-security)

6 section for details and to understand the current risks before enabling.

7 

8Chronicle augments Codex memories with context from your screen. When you prompt

9Codex, those memories can help it understand what you’ve been working on with

10less need for you to restate context.

11 

12Chronicle is available as an opt-in research preview in the Codex app on macOS.

13It requires macOS Screen Recording and Accessibility permissions. Before

14enabling, be aware that Chronicle uses rate limits quickly, increases risk of

15prompt injection, and stores memories unencrypted on your device.

16 

17## How Chronicle helps

18 

19We’ve designed Chronicle to reduce the amount of context you have to restate

20when you work with Codex. By using recent screen context to improve memory

21building, Chronicle can help Codex understand what you’re referring to, identify

22the right source to use, and pick up on the tools and workflows you rely on.

23 

24### Use what’s on screen

25 

26With Chronicle Codex can understand what you are currently looking at, saving

27you time and context switching.

28 

29### Fill in missing context

30 

31No need to carefully craft your context and start from zero. Chronicle lets

32Codex fill in the gaps in your context.

33 

34### Remember tools and workflows

35 

36No need to explain to Codex which tools to use to perform your work. Codex

37learns as you work to save you time in the long run.

38 

39In these cases, Codex uses Chronicle to provide additional context. When another

40source is better for the job, such as reading the specific file, Slack thread,

41Google Doc, dashboard, or pull request, Codex uses Chronicle to identify the

42source and then use that source directly.

43 

44## Enable Chronicle

45 

461. Open Settings in the Codex app.

472. Go to **Personalization** and make sure **Memories** is enabled.

483. Turn on **Chronicle** below the Memories setting.

494. Review the consent dialog and choose **Continue**.

505. Grant macOS Screen Recording and Accessibility permissions when prompted.

516. When setup completes, choose **Try it out** or start a new thread.

52 

53If macOS reports that Screen Recording or Accessibility permission is denied,

54open System Settings > Privacy & Security > Screen Recording or

55Accessibility and enable Codex. If a permission is restricted by macOS or your

56organization, Chronicle will start after the restriction is removed and Codex

57receives the required permission.

58 

59## Pause or disable Chronicle at any time

60 

61You control when Chronicle generates memories using screen context. Use the

62Codex menu bar icon to choose **Pause Chronicle** or **Resume Chronicle**. Pause

63Chronicle before meetings or when viewing sensitive content that you do not want

64Codex to use as context. To disable Chronicle, return to **Settings >

65Personalization > Memories** and turn off **Chronicle**.

66 

67You can also control whether memories are used in a given thread. [Learn

68more](https://developers.openai.com/codex/memories#control-memories-per-thread).

69 

70## Rate limits

71 

72Chronicle works by running sandboxed agents in the background to generate

73memories from captured screen images. These agents currently consume rate limits

74quickly.

75 

76## Privacy and security

77 

78Chronicle uses screen captures, which can include sensitive information visible

79on your screen. It does not have access to your microphone or system audio.

80Don’t use Chronicle to record meetings or communications with others without

81their consent. Pause Chronicle when viewing content you do not want remembered

82in memories.

83 

84### Where does Chronicle store my data?

85 

86Screen captures are ephemeral and will only be saved temporarily on your

87computer. Temporary screen capture files may appear under

88`$TMPDIR/chronicle/screen_recording/` while Chronicle is running. Screen captures

89that are older than 6 hours will be deleted while Chronicle is running.

90 

91The memories that Chronicle generates are just like other Codex memories:

92unencrypted markdown files that you can read and modify if needed. You can also

93ask Codex to search them. If you want to have Codex forget something you can

94delete the respective file inside the folder or selectively edit the markdown

95files to remove the information you’d like to remove. You should not manually

96add new information. The generated Chronicle memories are stored locally on your

97computer under `$CODEX_HOME/memories_extensions/chronicle/` (typically

98`~/.codex/memories_extensions/chronicle`).

99 

100Both directories for your screen captures and memories might contain sensitive information. Make sure you do not share content with others, and be aware that other programs on your computer can also access these files.

101 

102### What data gets shared with OpenAI?

103 

104Chronicle captures screen context locally, then periodically uses Codex to

105summarize recent activity into memories. To generate those memories, Chronicle

106starts an ephemeral Codex session with access to this screen context. That

107session may process selected screenshot frames, OCR text extracted from

108screenshots, timing information, and local file paths for the relevant time

109window.

110 

111Screen captures used for memory generation are stored temporarily on your device. They are processed on our

112servers to generate memories, which are then stored locally on device. We do not

113store the screenshots on our servers after processing unless required by law,

114and do not use them for training.

115 

116The generated memories are Markdown files stored locally under

117`$CODEX_HOME/memories_extensions/chronicle/`. When Codex uses memories in a

118future session, relevant memory contents may be included as context for that

119session, and may be used to improve our models if allowed in your ChatGPT

120settings. [Learn more](https://help.openai.com/en/articles/7730893-data-controls-faq).

121 

122## Prompt injection risk

123 

124Using Chronicle increases risk to prompt injection attacks from screen content.

125For instance, if you browse a site with malicious agent instructions, Codex may

126follow those instructions.

127 

128## Troubleshooting

129 

130### How do I enable Chronicle?

131 

132If you do not see the Chronicle setting, make sure you are using a Codex app

133build that includes Chronicle and that you have Memories enabled inside Settings

134> Personalization.

135 

136Chronicle is currently only available for ChatGPT Pro subscribers on macOS.

137Chronicle is not available in the EU, UK and Switzerland.

138 

139If setup does not complete:

140 

1411. Confirm that Codex has Screen Recording and Accessibility permissions.

1422. Quit and reopen the Codex app.

1433. Open **Settings > Personalization** and check the Chronicle status.

144 

145### Which model is used for generating the Chronicle memories?

146 

147Chronicle uses the same model as your other [Memories](https://developers.openai.com/codex/memories). If you

148did not configure a specific model it uses your default Codex model. To choose a

149specific model, update the `consolidation_model` in your

150[configuration](https://developers.openai.com/codex/config-basic).

151 

152```toml

153[memories]

154consolidation_model = "gpt-5.4-mini"

155```

1# Remote connections1# Remote connections

2 2 

3SSH remote connections are currently in alpha. We are gradually rolling out3SSH remote connections are currently in alpha. To enable them today, set

4access. Availability, setup flows, and supported environments may change as4`remote_connections = true` in the `[features]` table in

5the feature improves.5`~/.codex/config.toml`. Availability, setup flows, and supported environments

6may change as the feature improves.

6 7 

7Remote connections let Codex work with projects that live on another8Remote connections let Codex work with projects that live on another

8SSH-accessible machine. Use them when the codebase, credentials, services, or9SSH-accessible machine. Use them when the codebase, credentials, services, or

424. In the Codex app, open **Settings > Connections**, add or enable the SSH host,434. In the Codex app, open **Settings > Connections**, add or enable the SSH host,

43 then choose a remote project folder.44 then choose a remote project folder.

44 45 

46If remote connections don't appear yet, enable the alpha feature flag in

47`~/.codex/config.toml`:

48 

49```toml

50[features]

51remote_connections = true

52```

53 

45Remote project threads run commands, read files, and write changes on the54Remote project threads run commands, read files, and write changes on the

46remote host.55remote host.

47 56