Skip to content
AI Primer
workflow

Developers tighten coding-agent approvals after GPT-5.6 Sol deletion reports

Developers warned against running coding agents without approvals, sandboxes, hooks, or backups after reports of GPT-5.6 Sol deleting files. AgentSweep also shipped a CLI that redacts secrets from agent history files.

8 min read
Developers tighten coding-agent approvals after GPT-5.6 Sol deletion reports
Developers tighten coding-agent approvals after GPT-5.6 Sol deletion reports

TL;DR

  • A GPT-5.6 Sol data-loss report became the week’s coding-agent safety case study: the screenshot in mattshumer_'s report said a review subagent expanded $HOME incorrectly and ran rm -rf /Users/mattsdevbox, while mattshumer_'s reply said Full access was enabled.
  • Developers converged on approvals, rules, and hooks rather than raw yolo mode: reach_vb's PSA named “Approve for me,” .rules, and a PreToolUse hook, and reach_vb's follow-up clarified that user approval is the default.
  • Mechanical command blocking got the strongest security pull: dabit3's hook pattern proposed blocking commands that touch paths outside the repo, while doodlestein's dcg post pointed to a dedicated destructive-command guard.
  • The file-deletion thread was not the only local-agent risk: the AgentSweep launch post said Codex, Cursor, Claude Code, Cline, Aider, Windsurf, and other agents can leave pasted secrets in plaintext history files.
  • Auditability is still uneven across agent surfaces: StasBekman's Cursor report described files disappearing after a restart, and StasBekman's recovery note said the files came back only because they were on a remote filesystem with S3 backup.

The screenshot in mattshumer_'s post is painfully specific: a review subagent, a cleanup command, a bad $HOME expansion, and a live rm -rf process. The approval UI in

now exposes three distinct postures: Ask for approval, Approve for me, and Full access. The AgentSweep repo attacks a quieter failure mode, plaintext secrets in local agent history.

The deletion incident

The core report came from mattshumer_, who said GPT-5.6 Sol “accidentally deleted almost ALL” of his Mac’s files. The attached status text said the agent “caused a serious local data-loss incident” after a review subagent’s cleanup command expanded $HOME incorrectly and ran rm -rf /Users/mattsdevbox.

Full access was enabled, according to mattshumer_'s reply, and the run used a subagent on GPT-5.6 Sol Ultra, according to another reply from mattshumer_. He described the initiating prompt as basically “get xyz done” in a follow-up, not a hand-written shell command.

OpenAI staff entered the thread quickly. pvncher asked for /feedback in the OpenAI feedback reply, and mattshumer_ said he had sent it in his confirmation.

The incident did not become a clean root-cause report inside the evidence pool. mattshumer_ later called it a “freak accident” in his longer follow-up, said OpenAI was looking into it in his angry update, and posted that agents were trying to piece things back together in his recovery note.

Approval modes

reach_vb’s safety checklist had three layers:

  1. Approve for me: Codex can review what it is about to run with a subagent before executing.
  2. Rules: A .rules file can tell Codex not to run destructive commands such as rm -rf.
  3. PreToolUse Hook: A hook can inspect tool calls before they execute.

The default posture is still user approval, according to reach_vb's clarification. The checklist was for users granting more permissions to the agent.

Auto review became the middle ground in the thread. reach_vb “strongly” encouraged auto review rather than yolo mode in a reply about unsafe practice, while btibor91's AMA summary said OpenAI’s Codex team recommended auto review over full access to reduce risk.

Work mode and Codex mode share the same underlying agent with UI differences, according to dkundel's reply. That reply said the product relies on sandboxing and features like auto review to reduce risk while keeping access to the same agent.

Hooks, rules, and dcg

dabit3’s concrete pattern was a PreToolUse hook that hard-blocks commands touching paths outside the repo, with permissions.deny as a backup and cloud agents as the throwaway-machine option.

doodlestein argued for mechanical enforcement over model-level restraint. “Rules are not reliable with LLMs,” doodlestein's reply said, because a pre-tool hook applies mechanically.

The dcg details in the thread were unusually implementation-specific:

One operational wrinkle surfaced immediately: a hook may need to be approved once in the CLI before it becomes active in Codex Desktop, because the trusted hash has to be generated, according to kevinkern's setup note.

Sandboxes

The shortest version came from mattpocockuk: “ABS. Always be sandboxing.”

LangChain framed the hard boundary as write access. Read-only agents are easy to branch and test, but agents that touch production data remain an unsolved eval problem for many teams, according to LangChain's post.

Sandbox vendors are now shipping around that assumption. Daytona announced Linux VM sandboxes with pause and fork features in its launch post, while dabit3’s hook thread treated a cloud agent on a throwaway machine as the alternate blast-radius control.

The same theme showed up in broader agent-security messaging. OpenHandsDev's event post described prompt injection and agent-specific threats as a separate attack surface, and claud_fuen's security thread argued that agents can run infrastructure probing in parallel against targets that previously only saw shallow automated scans.

Tenacious long runs

The safety debate is sharper because the same autonomy is producing real wins. petergostev said GPT-5.6 Sol rebuilt a local app over 47.21 tracked hours, cutting production plus test LOC from 105,704 to 31,711 and validating 954 of 954 controls in the attached table.

pvncher described Sol as more “tenacious and thorough” than previous models, and his bounds-and-verification follow-up said users should define the sandbox, explain verification, and specify what “done” means because ambiguity invites longer runtime and token use.

Other hands-on reports pointed at the same behavior from different angles:

The useful and dangerous part is the same part: agentic runs are getting long enough to do meaningful cleanup, migration, QA, and damage.

Backups and audit trails

StasBekman reported a separate file-loss case around Cursor: the app got stuck, he quit and restarted it normally, and files created directly by Claude were gone. He later said the likely deletion happened on Cursor restart rather than from an agent command, but the absence of an audit trace made the exact cause hard to assign in his follow-up.

The recovery path was external to Cursor. StasBekman's recovery note said the files came back via S3 backup because they lived on a remote filesystem.

His thread turned into a small checklist of missing primitives:

  • Atomic writes: StasBekman's longer note said rewrites could use a temp file and swap to avoid lost data on non-atomic operations.
  • Traceable audit: the same note said Cursor did not appear to have one.
  • Frequent versioned backup: StasBekman's backup comment proposed remirroring every 10 minutes with a few days of revisions.
  • Recoverable deletes: Vtrivedy10's Trash wrapper showed an rm() shell wrapper that sends paths to Trash, and jxnlco's reminder paired auto review with replacing rm by a move to ~/.Trash.

Plaintext agent histories

r/OpenAI

agentsweep: a CLI that finds & redacts the secrets your AI coding agent (Codex, etc.) saved to disk in plaintext

0 comments

AgentSweep targets a quieter local-agent failure mode: secrets copied into agent chats and saved in local history files. The author said API keys, database URLs, .env files, and crypto wallet seed phrases can sit in plaintext and be re-read by agents as future context.

The CLI’s mechanics are specific enough to matter:

  • Detection: about 191 secret-detection rules ported from gitleaks, plus a BIP-39 seed-phrase detector.
  • Coverage: roughly 30 agents, including Codex, Cursor, Claude Code, Cline, Aider, and Windsurf.
  • Redaction: in-place writes with atomic writes, .bak backups, post-write validation, and undo.
  • Safety posture: read-only by default, with typed confirmation before destructive changes.
  • Install path: pipx install agentsweep, then agentsweep.

The project is MIT-licensed, according to the Reddit post, and the linked GitHub repo is the primary implementation reference.

Further reading

Discussion across the web

Where this story is being discussed, in original context.

On X· 7 threads
TL;DR3 posts
The deletion incident9 posts
Approval modes6 posts
Hooks, rules, and dcg7 posts
Sandboxes3 posts
Tenacious long runs6 posts
Backups and audit trails5 posts
Share on X