GPT-5.6 Sol Ultra user claims full-access run deleted most Mac files
Matt Shumer said a full-access GPT-5.6 Sol Ultra run deleted almost all files on his Mac and that OpenAI was looking into it. Follow-up discussion focused on sandbox-off risk, pre-tool hooks, Trash, and rollback safeguards.

TL;DR
- A GPT-5.6 Sol Ultra run allegedly crossed from coding task to local data loss: mattshumer_'s incident post says a review subagent expanded
$HOMEincorrectly and ranrm -rf /Users/mattsdevbox, while mattshumer_'s Ultra reply identified the model as GPT-5.6 Sol on Ultra. - The agent had full local access, not a narrow repo sandbox, according to mattshumer_'s full-access reply; mattshumer_'s follow-up said he had run “many hundreds” of full-access sessions before without seeing this.
- The response shifted fast from model blame to harness controls: dabit3's hook note proposed blocking commands outside the repo, doodlestein's dcg PSA pushed a cross-harness guardrail, and jxnlco's reminder pointed at auto review and Trash-style deletion.
- The incident landed during OpenAI's bigger desktop-app rollout: OpenAIDevs' launch thread brought Codex and ChatGPT together with local files, browser context, Computer Use, and a Chrome extension, while OpenAIDevs' availability post said Work and Codex were available across every ChatGPT plan.
The sharpest detail is the literal command in mattshumer_'s status screenshot: a cleanup path expansion turned into a home-directory wipe. The product context is just as important: OpenAIDevs' launch thread describes a desktop agent with authenticated websites, downloads, local files, and parallel Computer Use, while rasbt's configuration screenshot shows the new action-approval menu sitting next to 30 possible mode, model, and effort combinations.
The destructive command
The incident report shown in the screenshot says the run worked for 1 hour and 21 minutes before a review subagent’s cleanup command expanded $HOME incorrectly and ran rm -rf /Users/mattsdevbox.
The task itself was not described as a filesystem operation. In mattshumer_'s task reply, the prompt was summarized as basically “get xyz done.”
Full access, Ultra, and the sub-agent
Three run details matter:
- Access mode: mattshumer_'s full-access reply says the run had full access.
- Execution path: mattshumer_'s Ultra reply says it was a sub-agent.
- Model setting: the same mattshumer_'s Ultra reply identifies it as GPT-5.6 Sol on Ultra.
The weird part is the prior base rate. mattshumer_'s follow-up says he had done “many hundreds” of sessions with zero issues, including on weaker models, and still thought the odds of a similar event were probably lower than with a human developer.
Feedback and Fable
The OpenAI escalation path started in public. pvncher's feedback reply asked him to use /feedback and said they had never seen anything like it, and mattshumer_'s feedback reply says he sent it.
Shumer said the OpenAI team was looking into it in mattshumer_'s follow-up. Separately, reach_vb's reply asked for the feedback ID by DM and said they would flag it internally.
The model preference context was unusually blunt. mattshumer_'s Ultra context says he had stopped using 5.6 weeks earlier, preferred Fable, and only returned because OpenAI asked him to test Ultra mode.
His Fable comparison was not just about safety. mattshumer_'s Fable comparison says Fable handled out-of-distribution work better, got intent more reliably, made better decisions, and behaved more autonomously from A to Z.
Launch surface area
OpenAI had just widened the desktop agent surface in its launch link and OpenAIDevs' launch thread. The shipped pieces were concrete:
- Codex and ChatGPT in one desktop app.
- Work and Codex available across ChatGPT plans, including Free, according to OpenAIDevs' availability post.
- Sites beta for Pro and Plus, with EU and UK availability later, according to OpenAIDevs' availability post.
- A Chrome extension with access to desktop context such as local files, projects, plugins, and skills.
- An in-app browser with authenticated sites, multiple tabs, file downloads, and annotation mode.
- Faster, more token-efficient Computer Use with batching and parallel operations.
- Codex diffs that support inline code edits and PR review in a side panel.
thsottiaux's rollout post said ChatGPT Work had rolled out to 100% of Pro users and framed the desktop app as the surface for “full access” to apps, browser, and local files.
Permission modes
The permission menu in rasbt's configuration screenshot has three action-approval states:
- Ask for approval: always ask to edit external files and use the internet.
- Approve for me: ask only for actions detected as potentially unsafe.
- Full access: unrestricted access to the internet and any file on the computer.
rasbt's same thread counted the new UX as 2 modes, 3 GPT-5.6 models, and 5 effort levels, for 30 possible configurations. The approval menu is the difference between that being a capability matrix and a footgun matrix.
pvncher framed GPT-5.6 Sol as more “tenacious and thorough” than 5.5 in pvncher's prompting guide. In pvncher's bounds note, the suggested prompt shape was boundaries, a sandbox, verification instructions, and a clear definition of done.
PreToolUse hooks
dabit3's fix was a harness-level block, not a model instruction. dabit3's hook note proposed a PreToolUse hook that hard-blocks commands touching paths outside the repo, with permissions.deny rules as backup, and said it works even in yolo mode.
The linked example in dabit3's hook note turned the mitigation into something installable. mattshumer_'s hook reply says he would use that style of protection going forward.
dcg
doodlestein used the incident to push dcg, a guardrail he linked from doodlestein's dcg PSA and the dcg link. The pitch was middle-ground control: avoid “dangerously bypass permissions” without forcing the user to approve every small action.
The implementation claims were specific:
- doodlestein's harness reply says dcg was built because there was no reliable, expandable, performant way to do this across agent harnesses.
- doodlestein's usage reply says it is used by many thousands of people every day.
- doodlestein's Rust reply says it runs locally, is deterministic, and is written in optimized Rust.
- doodlestein's harness comparison says a competing approach was slower and did not work with Codex or other harnesses.
- doodlestein's latency reply says network-based AI checking can add at least a second or two per tool call.
- doodlestein's security reply says one control exists to prevent the agent from turning dcg off.
The emotional user story was also precise. doodlestein's dcg reply described seeing an agent do something destructive and realizing it was too late to stop it.
Recovery patterns
Once the deletion happened, mattshumer_'s recovery update said other agents were working to piece things back together.
The thread’s recovery and rollback ideas were small, Unix-shaped, and ugly in the useful way:
- Vtrivedy10's Trash snippet suggested replacing
rmwithtrashso deleted files land in macOS Trash. - jxnlco's reminder listed auto review, two-factor authentication, and replacing
rmwithmv ~/.Trash. - mattshumer_'s backup reply says a backup existed for at least one affected thing in the thread.
- doodlestein's backup reply says dcg is more about saving the last 30 minutes of agent work than replacing real backups.
Checkpointed sandboxes
AravSrinivas pointed to a different product primitive: Perplexity sandboxes with checkpointing by default and decoupled storage and compute. In the parent context, AravSrinivas's sandbox reply says its computer harness supports Fable, Sol, Opus, Grok, GLM, Sonnet, GPT-5.5, and smaller subagent models.