OpenAI quietly shipped Chronicle this week, a feature for the Codex macOS app that captures what is on your screen, runs the images through sandboxed agents and OCR, and builds a persistent memory Codex can reference without you restating context in every prompt. It is opt-in, Pro-only, in research-preview status, and notably absent from the EU, UK, and Switzerland. Help Net Security first flagged the privacy surface, and the specifics are concrete enough to evaluate.

The pipeline, per OpenAI's description: sandboxed background agents analyze captured images, pulling text via OCR along with timing data and local file paths from the active window, then send selected frames to an ephemeral Codex session on OpenAI servers to produce structured memories. Those memories land on your disk as unencrypted markdown files. The raw screen captures are stored temporarily on the local machine and auto-deleted after six hours. OpenAI says the server-side processing is ephemeral, that captures are not retained unless required by law, and that they are not used for training. Users can pause Chronicle while working with sensitive content, and the memory files can be inspected or modified directly.

The trade-off is clear. Chronicle is a genuine usability gain for Codex users who burn tokens restating what they are looking at; it is also a meaningful new attack and exposure surface. Any secret visible on screen, any unrelated content in another window, any colleague's private message during a pair session lands in a sandboxed OCR pipeline and potentially in memory. The prompt-injection surface widens too, since Chronicle is reading content the model did not previously see, content that can now carry adversarial instructions if it originates from an untrusted source. The EU/UK/Switzerland absence is the usual DSA and GDPR caution; it suggests OpenAI is not confident enough in the privacy posture to ship into those regimes yet, which is itself worth reading as a signal.
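
Because the memories are unencrypted markdown that can be inspected directly, and on-screen secrets can end up in them, a periodic audit of those files is a practical check. The script below is an added example, not OpenAI's code and not part of the original article; it flags credential-shaped strings and group- or world-accessible permissions. The directory is passed in by the caller (the article does not state where Chronicle writes its memories), and the patterns are a small illustrative set.

```python
import re
import stat
from pathlib import Path

# Well-known credential shapes; extend with your organization's own token formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key)\b\s*[:=]\s*\S{6,}"
    ),
}


def redact(value, keep=4):
    """Show only a short prefix so the audit report is not a second leak."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def audit_memory_dir(root):
    """Return (path, line, kind, detail) findings for every .md file under root.

    root is an assumption supplied by the caller: point it at wherever the
    memory files live on your machine.
    """
    findings = []
    for path in sorted(Path(root).rglob("*.md")):
        mode = stat.S_IMODE(path.stat().st_mode)
        # Unencrypted files are protected only by file permissions,
        # so any group/other access bit is worth reporting (line 0 = whole file).
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((str(path), 0, "loose_permissions", oct(mode)))
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                match = pattern.search(line)
                if match:
                    findings.append((str(path), lineno, kind, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    import sys

    for path, lineno, kind, detail in audit_memory_dir(sys.argv[1]):
        print(f"{path}:{lineno}: {kind}: {detail}")
```

A hit means the secret was visible on screen while capture was running, so rotate the credential in addition to editing the memory file.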

If you use Codex on macOS, two things to think about. One, Chronicle is opt-in and currently Pro-tier only; do not enable it on workstations that routinely see credentials, customer data, or regulated content unless your organization has separately reviewed the sandboxing and retention posture. Two, the category shift matters. Codex is now a coding assistant plus a screen-context layer; Claude Code and the Gemini CLI are not in this category yet. The "what does my AI know about my desktop" question will shape the next round of enterprise procurement conversations, and Chronicle is the first shipping answer from a major lab.