Summary
/sys2:codex runs codex exec '<prompt>' with no isolation. While plain codex exec does not auto-resume a prior session (verified: a codeword planted in one call is not recalled in the next — Codex replies UNKNOWN), Codex persists state to disk that a running agent can read mid-task, causing it to surface past invocations.
Mechanism
Two on-disk stores under $CODEX_HOME (default ~/.codex):
history.jsonl — a running log of every prompt ever sent (default persistence save-all).sessions/**/rollout-*.jsonl — full transcripts of past runs.
The skill passes no sandbox flag, so Codex runs with its default workspace-write policy, which still grants full-disk read. On a substantive task (e.g. "review this project"), the agent can read ~/.codex/ and surface earlier prompts/context. Every run also appends to both stores, so the history grows unbounded.
Fix
Make each invocation hermetic by default (unless the user overrides):
--ephemeral — do not write session rollout files.-c history.persistence=none — do not append to history.jsonl.- Never add
resume / --last / experimental_resume.
Resulting invocation: codex exec --ephemeral -c history.persistence=none '<prompt>' [flags...].
Notes
- This prevents new runs from writing or relying on cross-invocation state. Pre-existing
history.jsonl / sessions/ files remain on disk (separate cleanup, user data).
- A fully hermetic variant (throwaway
CODEX_HOME with symlinked auth.json + user config.toml) is possible but heavier; deferred as overkill.
Verified against codex-cli 0.139.0.
Summary
/sys2:codexrunscodex exec '<prompt>'with no isolation. While plaincodex execdoes not auto-resume a prior session (verified: a codeword planted in one call is not recalled in the next — Codex repliesUNKNOWN), Codex persists state to disk that a running agent can read mid-task, causing it to surface past invocations.Mechanism
Two on-disk stores under
$CODEX_HOME(default~/.codex):history.jsonl— a running log of every prompt ever sent (default persistencesave-all).sessions/**/rollout-*.jsonl— full transcripts of past runs.The skill passes no sandbox flag, so Codex runs with its default
workspace-writepolicy, which still grants full-disk read. On a substantive task (e.g. "review this project"), the agent can read~/.codex/and surface earlier prompts/context. Every run also appends to both stores, so the history grows unbounded.Fix
Make each invocation hermetic by default (unless the user overrides):
--ephemeral— do not write session rollout files.-c history.persistence=none— do not append tohistory.jsonl.resume/--last/experimental_resume.Resulting invocation:
codex exec --ephemeral -c history.persistence=none '<prompt>' [flags...].Notes
history.jsonl/sessions/files remain on disk (separate cleanup, user data).CODEX_HOMEwith symlinkedauth.json+ userconfig.toml) is possible but heavier; deferred as overkill.Verified against
codex-cli0.139.0.