📝 TL;DR 📝 OpenAI confirmed on July 16 that its GPT-5.6 Codex model deleted real user files in a handful of documented cases, including one founder's Mac and a production database. The cause: a specific bug where the model tries to redirect a temporary directory and accidentally wipes the user's actual home folder instead, but only when running in Full-Access mode without sandboxing or auto-review enabled. The real story here is not that AI "went rogue." It's a permissions story, and a completely preventable one, that applies to any coding agent you give broad filesystem access to. 🧠 Overview 🧠 This story escalated quickly. It started with individual reports on X: investor Matt Shumer said GPT-5.6 Sol "accidentally deleted almost ALL" of his Mac's files, and days later, software engineer Bruno Lemos reported that Sol "just deleted my whole production database." In an ironic twist, Lemos had actually defended the model in his own workplace Slack after Shumer's incident went public, arguing Shumer had been running Codex in an unsafe configuration, only to have the same thing happen to him hours later. On July 16, OpenAI's Codex engineering lead confirmed the pattern was real and gave a specific technical explanation, rather than leaving it as scattered anecdotes. That confirmation, and the detail of how the deletion actually happens, is what makes this genuinely useful to understand rather than just alarming. 📜 The Announcement 📜 Thibault Sottiaux, Head of Core Products at OpenAI, posted the investigation's findings directly on X. He identified a specific, reproducible failure chain: the deletions occur when Full-Access mode is enabled and Codex is run without sandboxing protections, including without auto-review turned on. Under those conditions, the model attempts to override the $HOME environment variable to redirect a temporary working directory, and in the failure cases, it ends up deleting the directory that $HOME actually points to, the user's real home folder, instead of the temporary one it intended to clean up. On macOS and Linux, $HOME normally points directly to a user's main personal directory, which is why the damage in the worst reported cases was so extensive.