Postmortem · macOS
Lately, the moment I open Codex on the laptop (M4 Max), it runs hot. Not warm — hot, fans maxed. Open Activity Monitor and two processes are flying off the chart: syspolicyd at 160%+ and trustd at 60%+.
I guessed wrong at first, every time. Suspected the M4 Max just runs hot, suspected Computer Use, MCP, all kinds of hooks. Ruled them out one by one.
The culprit I finally dug up was buried deep: under ~/Documents/Playground/ there was a broken .git.
It wasn't a real repo anymore. Open it up and there's only objects/pack — no HEAD, config, refs, or index — plus about 25GB of tmp_pack_* temp files. Clearly the half-finished leftovers of a clone or a gc that died partway through.
Why would this thing cook the machine?
Codex (and Claude Code — same idea), the moment it opens a workspace, first feels around: is this a git repo, anything changed, which branch. For a normal repo, one check and it's done. But mine was a cripple. Codex sees a .git, assumes it's a repo, and calls git over and over. git looks, finds no HEAD and no refs, and fails over and over. Here's the key part — every time a subprocess spawns, macOS runs it past Gatekeeper: syspolicyd checks the signature and security policy, trustd checks certificate trust. Stack up enough high-frequency failing git calls and these two security daemons get maxed out.
The sneaky part: the Codex front end looks perfectly fine. You have no idea it's spinning its wheels in the background. All the effort is burning in system daemons you never look at.
I didn't delete it right away — I renamed it to isolate it, .git → .git.invalid-…, to keep the evidence. Within seconds: syspolicyd dropped from 160% to 0, trustd from 60% to 0, Codex went back to normal, and the machine visibly cooled down. Once I'd confirmed that was it, I deleted it and reclaimed the 25GB.
While I was at it, I checked the other machine. Same setup, two different outcomes.
The laptop got hit. The desktop, a Mac Studio — I scanned the whole thing, 45-plus .git all healthy, no broken repos, no tmp_pack leftovers, home not accidentally git'd. Clean. So this isn't the sweeping "Codex makes your Mac hot." It's a specific, reproducible trap — your directory happened to have a mine buried in it, and that's why it went off. A machine without a mine has zero problem.
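A scan like the one described above can be scripted. This is an added example, not the author's own script: the function name `scan_git_dirs` and the `OK`/`SUSPECT` labels are made up here, and the markers it checks (missing HEAD, config or refs, leftover tmp_pack_* files) are taken from the description of the broken directory in this post.

```shell
#!/bin/sh
# Added example (not from the original post): walk a tree and flag .git
# directories that look like the one described above.
scan_git_dirs() {
    root=${1:-.}
    # -prune keeps find from descending into each .git it reports.
    # Only directories are checked: a .git *file* (worktree, submodule)
    # is just a pointer to a git dir stored elsewhere.
    find "$root" -type d -name .git -prune -print 2>/dev/null |
    while IFS= read -r gitdir; do
        problems=""
        [ -f "$gitdir/HEAD" ]   || problems="$problems no-HEAD"
        [ -f "$gitdir/config" ] || problems="$problems no-config"
        [ -d "$gitdir/refs" ]   || problems="$problems no-refs"
        # index is deliberately not checked: a freshly initialised
        # repository has no index either.
        tmp_count=0
        tmp_kib=0
        for f in "$gitdir"/objects/pack/tmp_pack_*; do
            [ -e "$f" ] || continue          # glob matched nothing
            tmp_count=$((tmp_count + 1))
            tmp_kib=$((tmp_kib + $(du -k "$f" | cut -f1)))
        done
        # tmp_pack_* can also belong to a clone/fetch/gc that is still
        # running, so treat this as a hint and check before deleting.
        [ "$tmp_count" -eq 0 ] ||
            problems="$problems tmp_pack=${tmp_count}(${tmp_kib}KiB)"
        if [ -n "$problems" ]; then
            printf 'SUSPECT\t%s\t%s\n' "$gitdir" "${problems# }"
        else
            printf 'OK\t%s\n' "$gitdir"
        fi
    done
}
```

Source the file and run `scan_git_dirs ~/Documents` (or whichever directory the tool is opened in). It only reads metadata and changes nothing, so anything marked SUSPECT can then be renamed and watched, as was done here.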
Now the damage. This does more harm than "wastes a little power" — but not the way I first thought.
I assumed it was "frequent disk reads wearing out the drive." Looking into it, this is just reading — the harm to the drive really isn't much. But I found another kind of damage, the invisible kind: heat. The irreversible damage heat does is far bigger than frequent reads.
What that heat wears on:
- With the security daemons maxed, the chip stays hot, fans roar, the M-series throttles.
- Sustained high temperature is what actually ages hardware — especially the battery; heat is the number-one killer of laptop batteries.
- It also drags the whole machine: syspolicyd and trustd are shared security daemons; max them out and every other app's signature checks queue up behind them, so the whole machine feels sticky.
- Plus the wasted battery drain and 25GB of junk sitting on the disk.
So here's what I'm keeping from this — three things:
- Don't let any AI tool use ~ or some giant parent directory as its workspace. It'll feel up every .git inside, and one broken one is enough to make it spin and sweat.
- When the machine runs hot for no clear reason, look at the background daemons first, not the front-end app. What's actually burning power is usually syspolicyd, trustd, mds — the stuff you never watch.
- When something's broken, isolate before you delete. Rename it, watch whether the symptom disappears — if it does, you've caught the right culprit; then delete, no rush.
A crippled .git — no error, no popup, dead quiet on the surface — was quietly using my computer as a space heater for days.
The worst failures are always this kind: the kind where everything looks fine.