OpenAI's Codex can now operate a Mac after the screen locks and the display goes dark — clicking through windows, typing, navigating menus, and reading the clipboard in apps the developer has explicitly authorized. The capability, reported May 22, requires the Computer Use plugin with Screen Recording and Accessibility permissions, and tasks can be triggered and monitored remotely from a phone. It is the clearest signal yet that OpenAI's coding agent has stopped being a code tool and become a machine operator.
From sandboxed runner to machine operator
Through early 2026, Codex ran sandboxed in the cloud, operating only on copies of code with no local file access and no internet by default. In roughly six weeks this spring it was rebuilt into a desktop agent. The April 16 "Codex for (almost) everything" release added computer use — Codex drives the mouse and keyboard in any app, reaches local files, runs an in-app browser, generates images via GPT Image 1.5, and runs multiple background tasks at once. A mobile preview followed on May 14 across all ChatGPT plans, putting a live view of desktop sessions on iOS and Android with remote approve/reject of each command.
OpenAI frames the locked-Mac feature as filling gaps the CLI can't reach: it is "useful for the types of things command-line tools can't easily reach, such as reproducing a GUI-only bug, changing app settings, or running a flow in a desktop app Codex is helping to build."
The authorization and security model
Codex requires explicit permission before operating each new app, with an "Always allow" option per application. It cannot automate Terminal, Codex itself, or system-level admin prompts. That carve-out matters: the agent can manipulate GUI apps but cannot escalate privileges through the shell.
The screen-monitoring layer, Chronicle, is the riskier surface. It captures periodic screenshots, OCRs them, and writes memories as Markdown on device; frames are processed on OpenAI servers but not retained, and screenshots auto-delete after six hours. OpenAI's own documentation warns Chronicle "uses rate limits quickly, increases risk of prompt injection, and stores memories unencrypted on your device." That means malicious instructions captured from a web page can land in the memory store and be acted on by the agent later, and any other app on the machine can read those notes. Chronicle is limited to ChatGPT Pro on Apple Silicon.
What changes for builders
Two things. First, the threat model for agentic dev workflows now includes a coding agent with persistent screen memory and unlocked-machine control — prompt injection stops being theoretical once the agent can act on what it reads. Second, the EEA, UK, and Switzerland are excluded at launch, so teams there cannot standardize on these workflows. For everyone else, Codex is now competing for the desktop, not just the repo — and the security review that used to cover "what can run in CI" now has to cover "what can click around my logged-in machine."



