A way to exclude sensitive files issue still open for OpenAI Codex
.agentignore / .aiignore as a Feature
- Many want a
.agentignore-style file (similar to.gitignore) to exclude secrets (e.g.,.env) from Codex and other agents. - Others argue this should be a generic, open standard used by multiple harnesses.
- Strong counterpoint: such ignore files can only ever be hints or token-savers, not real security boundaries.
Security Boundary: Wrong Layer vs Right Layer
- One camp: Codex should not “enforce” secrecy. If the process can read the file, it can exfiltrate it; the only real fix is OS-level isolation (permissions, separate users, containers, VMs).
- Critics of relying on
.agentignoresay it creates a dangerous false sense of security. - Some push back that users reasonably expect the harness to “just handle it,” not require deep sysadmin skills.
Sandboxing and Containment Approaches
- Multiple patterns discussed:
- Run agents under a different user with restricted file permissions.
- Use sandboxes (bubblewrap, seccomp, macOS seatbelt-style) to filter all tool invocations.
- Use containers/VMs/devcontainers (Firecracker-like, lightweight VMs, Qubes-style isolation) with only specific folders/credentials mounted or copied in.
- Several tools and homegrown patches show this is technically feasible and already done in practice, though setup ranges from trivial to “overkill.”
LLM Unpredictability and Workarounds
- Reports of agents trying alternate paths when blocked (e.g., using Docker instead of
sudo, or hijacking an existing privileged shell). - Because agents can write and run arbitrary code, any in-process “don’t read this file” rule is seen as inherently bypassable.
Secrets and Configuration Practices
- Advice trends:
- Don’t store secrets in repos or local
.envin the working dir; use runtime injection, config directories outside the workspace, or secret-management tools. - Consider local-first dev databases and low-value credentials to limit damage if exfiltration occurs.
- Don’t store secrets in repos or local
Usability, Knowledge Gaps, and Policy
- Many users lack knowledge of permissions, sandboxes, or even that such tools exist, yet marketing suggests “just let the agent do everything.”
- Some see corporate contracts and governance layers as partial mitigations; others distrust vendors’ data use and legal assurances.