OpenAI Codex release notes: 0.144.5 catches more dangerous rm commands
Part of the series: OpenAI Codex release notes

Codex can now recognize more forms of a command that force-deletes files, even when the command is embedded in a longer shell script. That sounds narrow. For teams that let a coding agent clean build files, worktrees, or temporary directories, it is a concrete change.
Codex CLI is OpenAI's terminal coding agent: it can read a codebase, propose changes, and use local tools within the permissions you choose.
OpenAI Codex release notes: what changes in CLI 0.144.5
OpenAI published Codex CLI 0.144.5 on July 16, 2026. The release expands dangerous-command detection to cover more forced rm forms and gives Codex a clearer reason when one of those commands is denied.
The pull request behind the release describes three parts: detection now runs in the mode the code calls danger-full-access, literal Bash parsing recognizes more forced-deletion forms, and the model receives a specific explanation when a command is stopped. The tests cover separate flags, --force, commands wrapped by sudo or env, and deletion inside loops, pipelines, and subshells.
Source: OpenAI Codex changelog for CLI 0.144.5
Source: GitHub PR #33455: expand is_dangerous_command
Why the change matters in practical agent workflows
Cleanup commands often appear late in an agent run, after tests, builds, or file conversions. It is easy to approve the next step out of habit. Codex 0.144.5 is better at recognizing destructive variants and gives a clearer explanation when it stops one.
This does not replace a well-scoped workspace or sensible permissions. Give the agent access to the right project, keep secrets in environment variables or a secret manager, and retain an approval gate for irreversible actions. Codex now has a better final check when cleanup logic takes a dangerous route.
Human step: update Codex CLI
OpenAI lists this installation command for version 0.144.5:
npm install -g @openai/[email protected]
The npm registry also listed 0.144.5 as the current stable version when this post was published.
Source: OpenAI Codex release 0.144.5 on GitHub
Source: npm metadata for @openai/codex 0.144.5
Short example: use the new Codex feature
Use this prompt after you have opened the right project in Codex:
Inspect this repository for cleanup commands that use rm with a force flag. Do not execute commands or edit files. Return file and line evidence, explain which patterns Codex 0.144.5 is designed to catch, and propose a reversible replacement for each one. Separate verified findings from uncertainty.
Good output should:
- Cite a file and line for every finding.
- Confirm that no commands ran and no files changed.
- Propose reversible alternatives instead of forced deletion.
- Separate verified findings from items that need manual review.
What to test now
Start with a workflow that genuinely creates and cleans temporary files. Ask Codex to review the cleanup logic without running it, then use a bounded test project to confirm that your approval rules create the stop point you expect.
For teams building repeatable agent workflows, this belongs in Tool Forge: workspace, permissions, approval, and run logs need to work together. Version 0.144.5 improves one important control, while the full setup makes the integration dependable in real work.
FAQ
What changes in OpenAI Codex CLI 0.144.5?
The release recognizes more forms of rm with a force flag, including patterns embedded in longer Bash commands, and gives the model a clearer reason when a command is denied.
How do I update to Codex CLI 0.144.5?
OpenAI lists npm install -g @openai/[email protected]. First check how your organization installs and manages Codex.
Does the new check replace an approval gate?
No. It improves Codex detection and denials, but teams should still use scoped permissions, the right workspace, and human approval for irreversible actions.
The Forge newsletter
Get new articles in your inbox
Pick the topics you care about. No noise, at most one email a week.
We follow GDPR. Unsubscribe anytime.


