SANDBOX ENFORCEMENT STACK LANDS: Windows permissions now runtime-resolved across three major migrations

By RepoJournal · Filed · About OpenAI

Codex shipped the final piece of its Windows sandbox permission architecture, moving from legacy enum questions to resolved runtime capability checks across setup, spawn, and enforcement layers.

The sandbox migration from `SandboxPolicy` to `PermissionProfile` reached critical mass overnight, with three interconnected PRs landing in sequence [1] [2] [3]. PR #22923 completes the setup/spawn helper migration, replacing questions like 'is this WorkspaceWrite?' with 'does this profile require write roots?' [1]. Meanwhile, MITM hook enforcement was wired into the request path [2]: hooked HTTPS hosts are required to use MITM, inner requests are evaluated post-CONNECT, and unmatched hooks are blocked. On the lifecycle side, `SessionStart` hooks now support compaction by queuing pending states alongside compact rewrites, letting durable context be re-injected after conversation history is replaced [3]. Plugin creator tooling gained a dedicated personal-marketplace update flow for iterating on existing local plugins [4], keeping scaffold paths intact while making the development loop explicit. Finally, `codex exec-server` now accepts `--strict-config` validation [5], closing the gap left when earlier commands got fast-fail support for misspelled keys.

References

  [1] windows-sandbox: drive write roots from resolved permissions (openai/codex)
  [2] Wire MITM hooks into runtime enforcement (openai/codex)
  [3] Support compact SessionStart hooks (openai/codex)
  [4] [skills] Create a personal update flow for plugin creator (openai/codex)
  [5] cli: add strict config to exec-server (openai/codex)

FAQ

What changed in OpenAI on May 21, 2026?

Codex shipped the final piece of its Windows sandbox permission architecture, moving from legacy enum questions to resolved runtime capability checks across setup, spawn, and enforcement layers.

What should OpenAI teams do about it?

  • Review Windows permission profile integration in your sandbox policies - the resolved permission model is now the standard path
  • Test MITM hook enforcement in staging before production deployment - header mutation and blocking behavior is now active
  • Update plugin creator workflows to use the new personal-marketplace update flow for local iteration

Which OpenAI repositories shipped on May 21, 2026?

openai/codex
