May 4, 2026 | Security Advisory
Security Advisory — Data Exfiltration

OpenAI Codex Silently Transmits Your Project Context to OpenAI's Servers. The Toggle to Stop It Doesn't Work.


If you use OpenAI's Codex on proprietary code, trade secrets, or client projects, your project context may have been transmitted to OpenAI without your knowledge or consent. The UI toggle labeled to disable this feature is non-functional. A manual fix exists. Read below.

What We Found

On May 4, 2026, during a routine security review of our development toolchain, we discovered that OpenAI's Codex application runs a background feature called "ambient suggestions" that:

  1. Reads your project context — file paths, recent conversation history, git signals, and instruction files (like AGENTS.md)
  2. Transmits that context to OpenAI's backend servers
  3. Generates candidate prompts using that context
  4. Runs the candidates through a safety filter (also a backend call)
  5. Caches surviving suggestions locally
  6. Pre-fills your input box with those suggestions on next launch

This happens silently. There is no notification. There is no consent prompt. If you have ever opened a project in Codex, this process has likely run against your codebase.

The investigation was triggered when a team member opened Codex after a three-day absence and found a prompt pre-filled in the input box — one they had never typed. That prompt was generated from project context that had been transmitted to OpenAI's servers in the background.

Platform Scope

The confirmed data transmission was discovered on the Codex desktop application (Windows). The ambient suggestions cache, the non-functional UI toggle, and the confirmed project-context transmissions were all observed on the Windows desktop build. This is where the investigation focused and where all artifacts were recovered.

We subsequently examined the Codex CLI on Linux. The CLI uses a different state architecture — SQLite instead of a JSON state file, and a stage1_outputs table instead of a cache directory. On our Linux installation, that table was empty and no ambient suggestion artifacts were present. However, the table schema exists, which means the infrastructure for the feature is there even if it has not activated. We added ambient_suggestions = false to the CLI's config.toml as a precaution.

If you run Codex on any platform, assume the feature exists and disable it. The absence of cached artifacts does not mean the absence of transmissions — it may mean the feature hasn't triggered yet, or that artifacts were generated but didn't survive filtering. The Windows desktop app is the confirmed vector. The CLI is unconfirmed but structurally capable.


The Toggle That Doesn't Toggle (Windows Desktop)

The Codex desktop app includes a user-facing toggle in its settings UI that appears to control this behavior. The toggle only works in one direction. Clicking it ON correctly writes "ambient-suggestions-enabled": true to the state file. Clicking it OFF does not propagate — the key remains true in the file, and the feature stays active.

The underlying disable mechanism does exist. It lives in a persisted state file as a JSON key: ambient-suggestions-enabled in .codex-global-state.json. When set to false via direct file edit, the feature stops generating suggestions, and the setting persists across Codex restarts. The UI is wired to this same key — but only the ON action writes successfully. The OFF action fails silently.

Whether this is a bug or an intentional design decision, we can't say — but the practical result is the same: users who believe they've disabled the feature through the provided UI have not. The toggle appears responsive. It gives no error. It simply doesn't do what it says.


How to Check If You're Affected

Windows Desktop App

Step 1: Check for cached ambient suggestions:

dir "%USERPROFILE%\.codex\ambient-suggestions" /s

If this returns results, Codex has generated suggestions from your project context. Each subdirectory corresponds to a project that was scanned.

Step 2: Check the current state of the toggle:

type "%USERPROFILE%\.codex\.codex-global-state.json" | findstr "ambient"

If ambient-suggestions-enabled is true or absent, the feature is active.

Linux / macOS CLI

Step 1: Check for cached artifacts:

find ~/.codex/ambient-suggestions -type f -name "*.json" 2>/dev/null

Step 2: Check the SQLite state database for generated suggestions:

sqlite3 ~/.codex/state_5.sqlite "SELECT COUNT(*) FROM stage1_outputs;" 2>/dev/null

If the count is greater than zero, suggestions have been generated from your project context.

Step 3: Check your config for an existing disable:

grep "ambient" ~/.codex/config.toml 2>/dev/null

The presence of cached files or database rows confirms transmission. The absence of both does not confirm the absence of transmission — suggestions that failed the safety filter or were generated but not cached would leave no local trace.

How to Disable It (Actually Disable It)

Do not trust the UI toggle. Edit the files directly.

Windows Desktop App

1. Close Codex completely.

2. Back up the state file:

copy "%USERPROFILE%\.codex\.codex-global-state.json" "%USERPROFILE%\.codex\.codex-global-state.json.bak"

3. Open .codex-global-state.json in any text editor and find or add the key:

"ambient-suggestions-enabled": false

4. Save and relaunch Codex. The setting has been verified to persist across restarts — Codex rewrites the state file on launch but preserves user-set values.

5. (Recommended) Set up a file watcher on the ambient-suggestions/ directory so you're alerted if the feature reactivates after a Codex update:

# PowerShell — run in background
# FileSystemWatcher requires the directory to exist; if you deleted the cache, recreate it empty first.
$path = "$env:USERPROFILE\.codex\ambient-suggestions"
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $path
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
# Fires for any new file or subdirectory created anywhere under the cache
Register-ObjectEvent $watcher "Created" -Action {
    Write-Host "[ALERT] Ambient suggestions activity detected: $($Event.SourceEventArgs.FullPath)"
} | Out-Null

Linux / macOS CLI

1. Open ~/.codex/config.toml in any text editor.

2. Under the [features] section, add:

[features]
ambient_suggestions = false

If no [features] section exists, add it at the end of the file.

3. Save the file. The CLI reads config on launch — no restart of a background service is needed, but close any active Codex sessions and relaunch.

4. (Recommended) Monitor the SQLite state database periodically:

sqlite3 ~/.codex/state_5.sqlite "SELECT COUNT(*) FROM stage1_outputs;"

If this number increases from zero, the feature has activated despite the config flag.
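The local checks in "How to Check If You're Affected" and the direct state-file edit above, combined into one script as an added example (this is not the advisory's own tooling or OpenAI's code). It assumes only the paths, the ambient-suggestions-enabled key and the stage1_outputs table named in this advisory, and builds a constructed sample ~/.codex tree in a temp directory so it runs offline; point the functions at your real ~/.codex to audit a machine.

```python
import json
import sqlite3
import tempfile
from pathlib import Path

STATE_KEY = "ambient-suggestions-enabled"  # JSON key named in the advisory

def state_flag_active(state_path: Path) -> bool:
    """Desktop state file: active unless the key is literally false (absent also means active)."""
    if not state_path.is_file():
        return True
    return json.loads(state_path.read_text(encoding="utf-8")).get(STATE_KEY, True) is not False

def cached_projects(cache_dir: Path) -> list:
    """Subdirectory names under ambient-suggestions/, one per project that was scanned."""
    if not cache_dir.is_dir():
        return []
    return sorted(p.name for p in cache_dir.iterdir() if p.is_dir())

def stage1_rows(db_path: Path) -> int:
    """Row count of stage1_outputs in the CLI's SQLite state; 0 if the file or table is absent."""
    if not db_path.is_file():
        return 0
    with sqlite3.connect(db_path) as con:
        try:
            return con.execute("SELECT COUNT(*) FROM stage1_outputs").fetchone()[0]
        except sqlite3.OperationalError:  # schema without the table
            return 0

def disable_in_state_file(state_path: Path) -> None:
    """The direct edit the advisory recommends: back up the file, then write the key as false."""
    data = {}
    if state_path.is_file():
        state_path.with_name(state_path.name + ".bak").write_bytes(state_path.read_bytes())
        data = json.loads(state_path.read_text(encoding="utf-8"))
    data[STATE_KEY] = False
    state_path.write_text(json.dumps(data, indent=2), encoding="utf-8")

def make_fixture() -> Path:
    """Constructed sample ~/.codex tree (not real data) so the block runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / ".codex-global-state.json").write_text('{"ambient-suggestions-enabled": true}')
    (root / "ambient-suggestions" / "proj-a").mkdir(parents=True)
    with sqlite3.connect(root / "state_5.sqlite") as con:
        con.execute("CREATE TABLE stage1_outputs (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany("INSERT INTO stage1_outputs (body) VALUES (?)", [("s1",), ("s2",)])
    return root
```

Run the three check functions first to record what was present, then disable_in_state_file, then check again; the .bak copy is what you keep as evidence of the pre-edit state.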


What You Can Recover. What You Can't.

Recoverable: Future generation cycles (disable the feature). Local cache artifacts (delete the ambient-suggestions/ directory). Going forward, the bleed stops.

Not recoverable: Anything already transmitted to OpenAI's backend. There is no client-side mechanism to retract, audit, or compel disclosure of what was received, how long it was retained, or whether it was used for training or any other purpose. Once it left your machine, it's out of your control.


Who Should Care

  • Anyone working on proprietary code in Codex. Your file paths, code patterns, architectural decisions, and instruction files were likely transmitted.
  • Teams with trade secret obligations. If your IP protection strategy depends on controlling who sees your internals — and most trade secret strategies do — unintended transmission to a third party may affect that status. Document your discovery and containment. Consult counsel.
  • Enterprises with data residency or compliance requirements. GDPR, SOC 2, HIPAA-adjacent workflows. Background data transmission to a third party without explicit consent is a compliance event.
  • Anyone building on OpenAI's platform and trusting its privacy controls. If a user-facing toggle doesn't function, what other controls are you trusting that haven't been verified?

Our Exposure

We're disclosing this because we were affected. Approximately two months of development work was performed inside Codex across multiple projects, some containing proprietary IP. Cached ambient-suggestion artifacts confirm that project context was transmitted for multiple workspaces. We discovered the issue, contained it within hours, and implemented monitoring to detect reactivation.

We are not naming specific projects or quantifying the sensitivity of what was exposed, because doing so would compound the problem. What we will say is that the exposure included work product that is designated as trade secret under our IP strategy, and we are treating this accordingly.


A Note on Other Tools

This advisory is about Codex specifically. Other AI coding tools — including the one we use for most of our work — have similar suggestion features. We investigated those as well and found a structural distinction: some tools generate suggestions from conversation context that is already being transmitted as part of normal operation (you're sending it to the API to get a response; the suggestion piggybacks on that same data). That is a different situation from what Codex does, which is to mine project state you are not actively engaging with and transmit it through a separate pipeline.

That said: verify, don't trust. If you rely on any AI coding tool for sensitive work, audit its data flows yourself. Check what gets sent, when, and whether the controls you think exist actually function. We did. That's how we found this.


Timeline

  • ~March 2026: Ambient suggestions feature active across multiple projects (based on cache timestamps)
  • May 4, 2026, ~1:00 PM CDT: Anomalous pre-filled prompt discovered on Codex launch
  • May 4, 2026, ~1:30 PM CDT: Investigation confirms ambient-suggestions mechanism and cached artifacts
  • May 4, 2026, ~1:49 PM CDT: Feature disabled via direct JSON edit; state file backed up
  • May 4, 2026, ~2:23 PM CDT: Disable verified persistent across Codex restart
  • May 4, 2026, ~2:30 PM CDT: File-system watcher installed on cache directory
  • May 4, 2026: This advisory published

Disclosure: This advisory was written by ShipItClean. We are a code security company. We use multiple AI coding tools in our development workflow, including Codex and Claude Code. We have no commercial relationship with OpenAI or Anthropic beyond being customers of their products. We are publishing this because developers building on proprietary codebases deserve to know what their tools are doing with their code, and the vendor-provided control to stop it does not work.

Questions or similar findings? Contact Apollo @ SAIQL.ai