Skip to content
AI Primer
update

OpenAI traces Codex file deletions to $HOME handling bug

OpenAI says GPT-5.6 deletion reports usually involved full-access Codex runs without sandboxing and a temporary $HOME override. Claude Code 2.1.212 also added loop caps and safety fixes.

8 min read
OpenAI traces Codex file deletions to $HOME handling bug
OpenAI traces Codex file deletions to $HOME handling bug

TL;DR

OpenAI’s GPT-5.6 system card already had an accidental data destructive actions eval, including overwrite avoidance. Its GPT-Red post claimed GPT-5.6 Sol had 6x fewer failures on OpenAI’s hardest direct prompt-injection benchmark, while the deletion explanation pointed at a mundane env-var path. Claude’s 2.1.212 changelog reads like a field notebook for runaway agents: 200 WebSearch calls, 200 subagents, and a reset button. The side quests are concrete: BrokerKit adds timed GitHub, Hugging Face, and sudo grants, Kilo Sandbox moves enforcement into the OS, and dcg blocks destructive commands before execution.

$HOME handling bug

Quoting Thibault Sottiaux

On file deletions. We’ve investigated a handful of reports where GPT-5.6 unexpectedly deleted files. What we have found is that this most commonly occurs when: Full access mode is enabled and codex is run without sandboxing protections, including without auto review being enabled The model attempts to override the $HOME env var to define a temporary directory. The model makes an honest mistake and mistakenly deletes $HOME instead. — Thibault Sottiaux, describing a pretty gnarly Codex bug Tags: codex, coding-agents, generative-ai, ai, llms

Willison quoted Thibault Sottiaux’s explanation of the file deletion reports as a three-part failure chain:

  1. Full access mode was enabled.
  2. Codex ran without sandboxing protections, including auto review.
  3. The model tried to redefine $HOME as a temporary directory, then mistakenly deleted $HOME.

OpenAI’s GPT-5.6 launch post described the family as shipping with its “most robust safeguards to date.” The separate system card says GPT-5.6 Sol remained strong on avoiding data overwrites, with an avoidance-only score slightly below GPT-5.5 and a combined metric matching GPT-5.5.

The boring env-var bug is the useful part. The observed failures did not require a sci-fi theory of agency, only a high-privilege harness and a cleanup target pointed at the wrong path.

Full-access blast radius

The production-database report became the screenshot version of the bug class. In ai_for_success’s post, the agent says it ran destructive integration tests against the Neon database in .env, emptied current production tables, and pointed to Neon point-in-time restore.

The same week produced smaller but sharper reports: dexhorthy asked why Codex tried to use dd to wipe a hard drive, while onusoz warned that the next failure mode could be GitHub or Hugging Face org deletion if agents hold tokens with force-push or admin scope.

Trust also moved backward. paul_cal said Codex had earned enough trust to run in yolo mode on personal work, then the deletion reports made sandboxing feel necessary again.

Claude Code loop caps

Claude Code 2.1.212 landed as the same category of engineering response: reduce silent runaway behavior, make background work visible, and narrow places where permission state can surprise the user.

The 2.1.212 changes are easier to scan as controls:

  • Auto-mode reset: claude auto-mode reset restores default auto-mode configuration, per ClaudeCodeLog’s full changelog.
  • WebSearch budget: sessions default to 200 WebSearch tool calls, tunable with CLAUDE_CODE_MAX_WEB_SEARCHES_PER_SESSION, per the changelog.
  • Subagent budget: sessions default to 200 subagent spawns, tunable with CLAUDE_CODE_MAX_SUBAGENTS_PER_SESSION, and /clear resets the budget, per the changelog.
  • Plan-mode Bash fix: file-modifying commands such as touch and rm no longer auto-run without a prompt or SDK callback, per the changelog.
  • Worktree symlink fix: repository-committed .claude/worktrees symlinks no longer send worktree creation outside the repo, per the changelog.
  • /fork semantics: /fork now copies the conversation into a new background session row, while the old in-session subagent behavior moves to /subtask, per ClaudeCodeLog’s overview.

The surface diff also removed a long list of internal env vars and model references, while adding reset and noting a 1,032 KB bundle increase. The prompt mix shifted toward system text, with prompt tokens up 2.7 percent, according to ClaudeCodeLog’s additional update.

The previous two Claude Code releases show the same patch stream. ClaudeCodeLog’s 2.1.211 overview added --forward-subagent-text, neutralized bidi and look-alike characters in permission previews, and stopped auto mode from overriding a PreToolUse hook’s ask decision for unsandboxed Bash. ClaudeCodeLog’s 2.1.210 overview fixed worktree subagents mutating the main checkout, added warnings for broad path permission rules, and hardened the Agent tool against indirect prompt injection via subagent-read content.

Auto mode adoption ladder

Codex and Claude are taking different pain. dzhng said Codex auto mode was too restrictive for long autonomous runs, while Claude’s auto mode worked better for that use case.

OpenAI’s public framing leaned conservative. In Daniel Kundel’s reply, Kundel quoted the GPT-5.6 launch language saying Sol cyber safeguards block roughly ten times more potentially harmful activity than previous models, and that benign users can retry prompts on lower-capability models when safeguards create friction.

Anthropic’s adoption story went wider than toggles. bcherny said he keeps hearing the same pattern from other companies: one person is multiplying output with Claude while the rest of the organization has not caught up.

His practical stack for higher adoption levels was specific, in bcherny’s follow-up:

  • end-to-end verification by Claude,
  • auto mode for permissions,
  • automated code review and security review,
  • interfaces for managing multiple agents,
  • Agent view in CLI, Desktop, mobile apps, and Tag,
  • /loop,
  • /batch,
  • dynamic workflows,
  • worktree isolation for subagents.

Usage dashboards were not his return metric. bcherny’s ROI note framed return as work the team would have spent engineering time on anyway, measured against manual eng-hours.

Credential brokers

BrokerKit is the cleanest artifact in the evidence pool because it turns “agent credentials” into a brokered workflow. onusoz said he deleted separate agent accounts and moved GitHub, Hugging Face, and sudo access behind BrokerKit.

The BrokerKit repo describes three brokers:

  • gh-broker, for GitHub App credentials, repository reads, Git operations, PRs, and API access.
  • hf-broker, for Hugging Face credentials across Git, LFS, Hub, and inference workflows.
  • sudo-broker, for approved exact commands via a root helper.

The policy shape is client request, authentication, classification, policy decision, optional operator grant, provider execution, and audit log. The tweet’s timed examples were the point: push to main for two hours, or release a package once in five minutes, with access closed after expiry.

The screenshot attached to onusoz’s post showed an approval bot asking to merge a PR, an expiry timestamp, and Approve or Deny buttons. That is the control-plane object agent builders keep reinventing.

Command guards and OS sandboxes

Kilo’s version is confinement. The Kilo Sandbox post says agent tools can read broadly, but writes are restricted to the workspace or explicit allow paths, .git stays read-only, and optional network-deny mode routes outbound HTTP and HTTPS through an authenticated loopback proxy with TLS SNI filtering.

Platform details matter:

  • macOS uses Seatbelt and sandbox-exec.
  • Linux uses Bubblewrap, seccomp, and a network namespace.
  • Windows fails closed because sandboxing is not supported yet.

The command-hook version got social proof. doodlestein’s GitHub Trending screenshot showed destructive_command_guard as the top trending repo, and the dcg README describes a Rust hook for Claude Code, Codex CLI, Gemini CLI, Copilot CLI, Cursor, Hermes, and related tools.

Dcg’s scope is pattern-heavy rather than model-heavy:

  • dangerous Git and filesystem commands,
  • database, Docker, Kubernetes, cloud, and Terraform packs,
  • inline script and heredoc scanning,
  • human-readable denial output on stderr,
  • machine-readable stdout for agent pipelines,
  • default catastrophic protections without full configuration.

Nested delegation got its own patch path. thdxr said opencode subagents cannot call other subagents by default, but a user had explicitly allowed it, and the next update would require another config to enable that behavior. The linked opencode PR adds a subagent_depth configuration and rejects dispatch after the configured nesting limit.

Harness layer

The week also reopened the harness-transparency argument. elder_plinius claimed the Codex Desktop prompt and tools extraction exposed 51 missing callable tool definitions out of 76 captured capabilities, beyond the open-source core.

Sam Altman’s one-line reaction was blunt: sama called it “a reason to favor open-source harnesses.” Vtrivedy10 expanded the point into inspectable context boundaries, harness bloat, and shared techniques for controlling agents.

The fix boundary was also framed as harness-level. Simon Willison’s reply said Codex was the harness layer that enabled the deletion behavior and where he expected the fix to land. A same-day reply from nicoalbanese10 said a fix was coming in the next version.

Sandbox substrate

The bottom of the stack is getting specified like infrastructure, not just product UX. thdxr said he was evaluating sandbox providers against three requirements:

  • fast disk, not networked disk,
  • fast CPU, preferably virtualized on bare metal,
  • pause and resume.

A managed-hosting pitch from ai_for_success packaged the same substrate problem as persistent agent runtime: Docker setup, sandboxing, terminal lifetime, and model-key routing. The attached MyClaw screenshot advertised always-on agents with one-click setup and 24/7 uptime.

Further reading

Discussion across the web

Where this story is being discussed, in original context.

On X· 7 threads
TL;DR3 posts
Full-access blast radius2 posts
Claude Code loop caps3 posts
Auto mode adoption ladder3 posts
Command guards and OS sandboxes4 posts
Harness layer4 posts
Sandbox substrate1 post
Share on X