Codex $HOME Deletion: GPT-5.6, Full Access, and Tibo's July 16 Investigation
Tibo @thsottiaux confirms GPT-5.6 Codex deleted user home directories when full access bypassed sandboxing. Root causes, harness fixes, and builder guardrails for July 16, 2026.
On July 16, 2026 — the same Thursday as limit reset day across Claude, Codex, and Cursor — Tibo Sottiaux (@thsottiaux, OpenAI Codex) posted a sobering thread on file deletions. OpenAI had investigated a handful of reports where GPT-5.6 unexpectedly deleted files. In the worst cases, users lost entire home directories.
The headline is not "AI went rogue." Tibo named a concrete failure chain: full access mode disabled sandboxing and auto review, the model tried to override $HOME to aim cleanup at a temp folder, then honestly mis-deleted the real $HOME. OpenAI promised harness fixes and a post-mortem within days. For builders riding fresh quota from today's Codex refill, the timing matters — longer autonomous sessions amplify permission mistakes.
TL;DR — what people are asking
Question
Answer (July 16, 2026)
Did Codex delete $HOME?
Yes — a handful of confirmed reports; Tibo called it extremely rare but serious
Sandboxed or jailed environment, auto review ON, hook-level rm guards
What Tibo said — the official investigation
Tibo opened the thread (~11:13 AM, ~33.9K views at publication) with a direct framing:
On file deletions. We've investigated a handful of reports where GPT-5.6 unexpectedly deleted files.
Three root causes, stated in order:
Full access mode enabled — Codex ran without sandboxing protections, including without auto review
Model attempts to override $HOME — the agent tried to redefine the home environment variable to point at a temporary directory before cleanup
Honest mistake on the target — the model deleted $HOME (still the real home directory) instead of the intended temp path
OpenAI's response, per Tibo:
Updating the developer message
Guiding users toward safer permission modes
Adding harness safeguards
Publishing a detailed post-mortem in days
He emphasized the incidents are "extremely rarely" but serious — a framing that matches how agent harness design should treat destructive tool access: low frequency × high severity still demands structural defenses, not approval fatigue.
Why full access is the load-bearing failure
Permission modes are not cosmetic. In a typical Codex run, two layers sit between model intent and your filesystem:
Layer
What it does
Gone in full access
Sandbox
Restricts filesystem and syscall reach
Disabled
Auto review
Flags or blocks risky commands before execution
Disabled
Human approval
You click allow/deny on tool calls
Often bypassed via fatigue
When both sandbox and auto review disappear, the model's shell proposals execute with near-root user power on whatever account launched Codex. That is the same class of risk Destructive Command Guard addresses — but dcg is a hook, not a substitute for OS-level isolation. Full access removes the vendor's first two gates; your hook may be the only remaining filter.
The $HOME override pattern is especially nasty because it looks reasonable in the transcript: the model is trying to confine deletion to a temp enclave. Environment variables are powerful and easy to get wrong — set HOME=/tmp/codex-scratch, run rm -rf $HOME/*, but if the override fails silently or the shell expands the wrong variable, you are still holding a grenade in your real home directory.
This is harness engineering, not model malice. The complete agent harness guide separates what the model decides from what the harness permits — full access effectively deletes the harness's enforcement plane.
What the community said — anecdotal, same day
Reactions under Tibo's thread (cite as community response, not OpenAI policy):
Voice
Takeaway
@thesoragirls
Never give Codex full access on your main computer
@peterfotinis
Joked about usage limit reset — gallows humor on a day quotas refilled
@skore_de
Runs Codex inside a separate Linux user — a "Codex Jail" wrapper harness
@RedBuildsThings
GPT-4o deleted an entire hub — precedent outside GPT-5.6
@StormOrtus
Full access re-enabled randomly on ChatGPT Desktop (Windows) — settings drift
@PatrickJS
Hook-level prevent-rm / shim rm before the agent sees the real binary
@mkagenius
Per-engineer cloud devbox — isolation by default
@lionhead_king
Enabled full access because of approve fatigue — UX pushing users toward danger
Two themes repeat: isolation (jail user, devbox, cloud sandbox) and automation at the shell boundary (hooks, shims). The approve-fatigue point connects to OpenClaw safety debates — when vendors optimize for flow state, operators disable the very controls that would have blocked $HOME deletion.
July 2026 has already surfaced adjacent agent harm paths: Claude Memory Heist exfiltrated PII via browsing, GitLost weaponized prompt injection in CI agents, and Grok Build uploaded entire repos without clear opt-in. File deletion via shell is cruder — but the blast radius on an unsandboxed laptop can exceed exfiltration in recovery cost.
Builder guidance — before you burn reset quota tonight
Limit reset day refilled Claude 5-hour and weekly buckets, brought another Codex quota celebration, and doubled Cursor included usage for Grok 4.5 and Composer 2.5. That is a retention gift, not a safety upgrade. Longer runs on full access multiply exposure.
1. Never full-access on your primary machine
Treat your daily-driver laptop like production: Codex full access belongs in disposable environments only. If you would not rm -rf test on the machine, do not grant an agent unrestricted shell there.
2. Separate user, devcontainer, or cloud devbox
Patterns from the thread:
Linux "Codex Jail" user (@skore_de) — dedicated UID, minimal home, no SSH keys or cloud creds in $HOME
Devcontainer / devbox per engineer (@mkagenius) — rebuildable image; deletion loses the container, not your life
context-mode-style sandboxing for bulky tool output — complementary to shell isolation, not a replacement
3. Keep auto review ON
Auto review is the harness layer that would have flagged rm -rf $HOME before execution. Disabling it to move faster is the direct predicate in Tibo's chain. If you are clicking "always allow" until prompts disappear, you are manually re-enabling full access behavior.
4. Understand the $HOME override risk pattern
When you see an agent export or assign HOME=... before cleanup:
Stop the run and inspect whether the override actually applied (echo $HOME in the same shell session)
Prefer explicit paths (rm -rf /tmp/codex-abc123/) over environment indirection
Log working directory and effective UID in harness telemetry
5. Hook-level rm guards (PatrickJS pattern)
Add a PreToolUse or shell wrapper hook that:
Denies bare rm -rf outside approved temp prefixes
Blocks rm targeting $HOME, ~, or /
Optionally shims /usr/bin/rm inside the jail user to a script that requires --i-know-what-im-doing
Destructive Command Guard implements this class of policy for Codex CLI 0.125.0+ — verify a real block on your OS; hooks can fail open on parse errors.
6. Tie-in to limit reset — without repeating that post
Today's refill is the wrong day to experiment with full access on your main checkout. Use fresh quota inside an isolated workspace to benchmark GPT-5.6 Sol tasks — not to test whether you trust the model with your dotfiles. For reset mechanics (5-hour vs weekly vs banked), see limit reset day and the 5-hour cap removal timeline.
What people are asking — settings drift and precedents
Did full access turn itself back on?
@StormOrtus reported full access re-enabled randomly on ChatGPT Desktop for Windows — settings drift without an explicit user toggle. Treat permission mode as session-start checklist material: confirm sandbox + auto review before a long autonomous job, especially after app updates.
Is GPT-5.6 uniquely dangerous?
Tibo's investigation centers on GPT-5.6, but @RedBuildsThings cited GPT-4o deleting an entire hub — evidence that destructive shell mistakes span model generations when harness gates are open. The fix is environmental, not "wait for GPT-5.7."
How is this different from prompt injection?
GitLost and Memory Heist attacks trick agents via untrusted content. The $HOME deletion chain is operator-configured over-permissioning plus a variable expansion mistake — no malicious webpage required. Both classes need least privilege; only one looks like "security news."
What OpenAI is changing — and what builders should still do
Tibo committed to three vendor-side moves:
Developer message updates — clearer warnings when full access removes sandbox + auto review
Safer permission mode guidance — routing users away from the failure configuration
Tibo's July 16, 2026 thread and community replies are cited as primary and anecdotal sources. Permission modes, sandbox behavior, and harness safeguards may change when OpenAI publishes its post-mortem. Verify Codex settings before autonomous runs — especially on limit reset day when fresh quota encourages longer sessions. This article is developer tooling coverage, not legal or investment advice.