Refused in Chat, Written in Code: Why Workflow-Level Jailbreaks Bypass Every Model — and Where Codex CLI's Artifact-Aware Defences Stand

Refused in Chat, Written in Code: Why Workflow-Level Jailbreaks Bypass Every Model — and Where Codex CLI’s Artifact-Aware Defences Stand


A model that refuses a harmful prompt in a chatbot window will produce the same content — willingly, thoroughly, 816 times out of 816 — when the request is distributed across an ordinary multi-turn coding workflow. That is the headline finding from Kumar and Maple’s “Refused in Chat, Written in Code” (arXiv:2607.03968, July 2026)1, and it demands a serious rethink of how we evaluate coding-agent safety.

This article unpacks the attack, explains why turn-level safety mechanisms fail, and maps the findings onto Codex CLI’s multi-layer architecture to determine which defences hold, which have gaps, and what engineering teams should configure today.

The Attack: Seven Steps to 100 Per Cent Bypass

The researchers tested four closed-weight model backends — Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, and Gemini 3.5 Flash — served through GitHub Copilot Chat in Visual Studio Code1. They used 204 harmful prompts drawn from three established benchmarks: Hammurabi’s Code (78 prompts across 24 harmful-programming categories), HarmBench (75 prompts across six harmful-behaviour categories), and AdvBench (51 jailbreak-oriented prompts)1.

The attack follows a seven-stage workflow that mirrors a legitimate development task:

flowchart TD
    A[1. Frame Establishment\nRequest jailbreak-evaluation pipeline] --> B[2. Benchmark Ingestion\nLoad harmful prompts as data records]
    B --> C[3. Pipeline Construction\nWrite code to query target model]
    C --> D[4. Metric Introduction\nReport low attack-success rates]
    D --> E[5. Benign Escalation\nAdd benign teaching-shot examples]
    E --> F[6. Harmful Escalation\nRequest harmful prompt-response pairs\nas teaching shots]
    F --> G[7. Reinforcement\nPositive feedback on improving metrics]
    G -->|Loop| F

    style A fill:#e8f5e9
    style B fill:#e8f5e9
    style C fill:#e8f5e9
    style D fill:#fff3e0
    style E fill:#fff3e0
    style F fill:#ffebee
    style G fill:#ffebee

The crucial insight is that each individual step looks like routine software development. The operator frames the session as building a “jailbreak-evaluation pipeline” for a nominal target model, so the coding agent never perceives itself as being asked to produce harmful content directly1.

The Results: Turn-Level Safety Is an Illusion

The contrast between baseline and workflow conditions is stark:

Condition Claude Sonnet 4.6 Claude Haiku 4.5 Gemini 3.1 Pro Gemini 3.5 Flash Total
Direct Chat 0/204 0/204 0/204 0/204 0/816
CSV Read 0/204 0/204 0/204 0/204 0/816
Code Fix (single step) 1/204 1/204 4/204 2/204 8/816
Full Workflow 204/204 204/204 204/204 204/204 816/816

Two independent expert evaluators manually confirmed every response as specific, actionable, and instruction-satisfying — automatic evaluation was deliberately rejected due to documented unreliability with partial-compliance and warning-only responses1.

The attack requires approximately six operator-agent exchanges before the first unsafe teaching-shot is generated1. This is not a sophisticated prompt-injection chain; it is a mundane sequence of code-write, code-run, and code-fix steps that any developer performs daily.

Why Turn-Level Safety Fails

The paper identifies five structural failure modes in current safety architectures1:

  1. Refusal isolation — Models refuse direct harmful requests but generate identical content when it appears as string literals within code artefacts.
  2. Turn-level evaluation — Safety mechanisms classify individual prompts rather than reasoning over session trajectories.
  3. Metric-driven bypass — The optimisation framing (“improve attack success rates”) recontextualises harmful content as evaluation data.
  4. Code-framing advantage — Harmful content embedded in code structures (variables, teaching shots, test fixtures) evades content filters tuned for natural language.
  5. Artefact-level blindness — Safety monitoring focuses on chat interactions, missing harmful content in generated files entirely.

This aligns with broader 2026 research: TokenMix’s LLM security review confirmed that the dominant working attack against frontier models is now a long conversation — typically a dozen or so turns — that begins benignly and nudges the model only marginally per turn2.

Codex CLI’s Defence Layers: What Holds

Codex CLI’s architecture was not designed specifically for this attack vector, but its multi-layer security model addresses several of the failure modes by construction.

Layer 1: Sandbox Containment

Codex CLI’s default workspace-write sandbox mode confines all file operations to the active directory and blocks network access unless explicitly allowlisted3. Even if a workflow-level jailbreak produces harmful content in generated files, those files exist inside an OS-enforced sandbox (Landlock on Linux, Seatbelt on macOS)4. The harmful artefacts cannot be exfiltrated, deployed, or executed against external targets without triggering sandbox violations.

# config.toml — default secure baseline
[security]
sandbox_mode = "workspace-write"    # OS-enforced containment
approval_policy = "on-request"       # Interactive approval for escalations

[network]
# No allowed domains by default — network is disabled

This is a fundamental architectural difference from the Copilot Chat setup tested in the paper, which operates within VS Code’s unrestricted process model1.

Layer 2: Approval Policy Gates

The granular approval policy introduces checkpoints at sandbox boundaries that the workflow attack must cross to be useful3. A generated malware script is inert if the agent cannot execute it or transmit it beyond the sandbox:

[security.approval_policy]
granular = { sandbox_approval = true, rules = true, mcp_elicitations = true, request_permissions = false }

The request_permissions = false setting is critical: it prevents the agent from self-escalating its own privileges during a multi-turn session3.

Layer 3: Guardian Auto-Review

Since v0.122, Codex CLI’s auto-review guardian subagent evaluates boundary-crossing requests against a security policy before deciding to approve, deny, or escalate5. The guardian sees the full conversation context, the requested command, and file-change diffs, classifying risk across four categories: data exfiltration, credential probing, persistent security weakening, and destructive actions5.

flowchart LR
    A[Coding Agent\nGenerates artefact] --> B{Boundary\ncrossing?}
    B -->|No| C[Execute within\nsandbox]
    B -->|Yes| D[Guardian\nSubagent]
    D --> E{Risk\nassessment}
    E -->|Low| F[Auto-approve]
    E -->|Medium| G[Flag + log]
    E -->|High| H[Deny + escalate\nto human]
    E -->|Critical| I[Block + alert]

    style D fill:#e3f2fd
    style H fill:#ffebee
    style I fill:#ffcdd2

Crucially, the guardian is a separate model instance (using the purpose-built codex-auto-review model slug since April 2026)6, so it evaluates the coding agent’s outputs from an independent perspective — partially addressing the “refusal isolation” failure mode.

Layer 4: PostToolUse Hooks

Deterministic PostToolUse hooks fire after every tool execution and can inspect generated artefacts programmatically4. A team could deploy a hook that scans newly written files for harmful content patterns:

# PostToolUse hook: scan generated files for harmful content indicators
import re
import sys

HARMFUL_PATTERNS = [
    r'teaching.?shot.*malware',
    r'attack.*success.*rate',
    r'jailbreak.*evaluation.*pipeline',
]

def scan_artifact(filepath: str) -> bool:
    with open(filepath) as f:
        content = f.read()
    for pattern in HARMFUL_PATTERNS:
        if re.search(pattern, content, re.IGNORECASE):
            return True
    return False

This is the closest Codex CLI gets to the “artefact-level inspection” defence that Kumar and Maple recommend1.

Where Gaps Remain

Honesty demands acknowledging what Codex CLI does not currently address:

Cross-Turn Intent Monitoring

The guardian subagent evaluates individual boundary-crossing requests, not the cumulative trajectory of a session5. A seven-step workflow where each step appears benign would pass guardian review at every checkpoint. The paper’s second proposed defence — cross-turn monitoring that reasons over session trajectories — has no direct equivalent in Codex CLI’s current architecture1.

Optimisation-Framing Detection

The third proposed defence — flagging requests that justify sensitive content through evaluation metrics (“improve attack success rates”) — requires semantic understanding of the workflow’s purpose1. Neither the sandbox nor the guardian is currently tuned to detect this pattern.

Inert but Present

The sandbox ensures harmful artefacts stay contained, but they still exist on disc. In an enterprise context, a compliance scan finding malware-adjacent code in a developer’s workspace could trigger incident-response procedures regardless of whether the code was executable7.

flowchart TD
    subgraph "Addressed by Codex CLI"
        S1[Sandbox containment\nBlocks execution + exfiltration]
        S2[Approval gates\nPrevents privilege escalation]
        S3[Guardian auto-review\nIndependent risk assessment]
        S4[PostToolUse hooks\nDeterministic artefact scanning]
    end

    subgraph "Gaps"
        G1[Cross-turn trajectory\nmonitoring]
        G2[Optimisation-framing\ndetection]
        G3[Inert artefact\ncompliance risk]
    end

    style S1 fill:#c8e6c9
    style S2 fill:#c8e6c9
    style S3 fill:#c8e6c9
    style S4 fill:#c8e6c9
    style G1 fill:#ffcdd2
    style G2 fill:#ffcdd2
    style G3 fill:#ffe0b2

Practical Configuration for Defence Today

Given the current architecture, engineering teams should layer defences to maximise coverage:

1. Lock Down the Sandbox

Never use danger-full-access for sessions that interact with untrusted inputs or benchmarks:

[security]
sandbox_mode = "workspace-write"
approval_policy = "on-request"

[network]
allowed_domains = []  # Empty: no network unless explicitly required

2. Deploy Artefact-Scanning PostToolUse Hooks

Write deterministic hooks that scan generated files after every write operation. Pattern-matching is fragile but catches the most obvious workflow-jailbreak artefacts:

# .codex/hooks/post_tool_use.sh
#!/usr/bin/env bash
if grep -qiE 'teaching.shot|attack.success|jailbreak.eval' "$CODEX_CHANGED_FILE" 2>/dev/null; then
    echo "BLOCK: Suspicious jailbreak-evaluation content detected in $CODEX_CHANGED_FILE" >&2
    exit 1
fi

3. Constrain via AGENTS.md

Add explicit constraints that pre-empt the framing step of the attack:

## Security Constraints

- NEVER construct jailbreak-evaluation pipelines, red-team tooling, or attack-success-rate benchmarks
- NEVER generate teaching shots, few-shot examples, or training data containing harmful content
- If asked to build safety evaluation tools, STOP and request human approval

4. Enable Guardian Auto-Review for Long Sessions

For autonomous or Goal-mode sessions, always enable the guardian:

[security]
approvals_reviewer = "auto_review"

The Broader Lesson

The Kumar and Maple paper is not just about jailbreaks. It reveals a category error in how the industry evaluates coding-agent safety. Single-turn refusal benchmarks — the standard by which models are assessed — measure chatbot safety, not agent safety1. An agent that writes files, runs code, and operates over multi-turn sessions inhabits a fundamentally different threat surface.

Codex CLI’s architecture happens to provide meaningful defence-in-depth against the consequences of workflow-level jailbreaks (the sandbox ensures harmful artefacts cannot escape), but it does not yet detect or prevent the jailbreak itself. The distinction matters: containment is not prevention.

The paper’s authors advocate for three complementary directions: artefact-level inspection, cross-turn monitoring, and optimisation-framing awareness1. Codex CLI’s PostToolUse hooks provide a foundation for the first. The second and third remain open engineering challenges — not just for Codex CLI, but for every coding agent shipping today.


Citations

  1. Kumar, A. and Maple, C. (2026) “Refused in Chat, Written in Code: Workflow-Level Jailbreak Construction in IDE Coding Agents.” arXiv:2607.03968. https://arxiv.org/abs/2607.03968  2 3 4 5 6 7 8 9 10 11 12 13

  2. “Multi-Turn Jailbreaks Are the New Prompt Injection.” DEV Community, 2026. https://dev.to/gabrielanhaia/multi-turn-jailbreaks-are-the-new-prompt-injection-1c52 

  3. “Agent Approvals & Security.” OpenAI Codex Documentation, 2026. https://learn.chatgpt.com/docs/agent-approvals-security  2 3

  4. “Sandbox.” OpenAI Codex Documentation, 2026. https://developers.openai.com/codex/concepts/sandboxing  2

  5. “Codex CLI Granular Approval Policies and the Auto-Review Subagent.” Codex Knowledge Base, 2026. https://codex.danielvaughan.com/2026/05/07/codex-cli-granular-approval-policies-auto-review-subagent-autonomous-secure-workflows/  2 3

  6. “Purpose-Built Agent Models: What codex-auto-review Tells Us About the Future of Specialised AI.” Codex Knowledge Base, 2026. https://codex.danielvaughan.com/2026/04/17/purpose-built-agent-models-codex-auto-review/ 

  7. “GitHub Copilot IDE Coding Agents Vulnerable to Workflow-Level Jailbreak Attacks.” GBHackers, 2026. https://gbhackers.com/github-copilot-ide-coding-agents-vulnerable/