A way to exclude sensitive files issue still open for OpenAI Codex

.agentignore / .aiignore as a Feature

  • Many want a .agentignore-style file (similar to .gitignore) to exclude secrets (e.g., .env) from Codex and other agents.
  • Others argue this should be a generic, open standard used by multiple harnesses.
  • Strong counterpoint: such ignore files can only ever be hints or token-savers, not real security boundaries.

Security Boundary: Wrong Layer vs Right Layer

  • One camp: Codex should not “enforce” secrecy. If the process can read the file, it can exfiltrate it; the only real fix is OS-level isolation (permissions, separate users, containers, VMs).
  • Critics of relying on .agentignore say it creates a dangerous false sense of security.
  • Some push back that users reasonably expect the harness to “just handle it,” not require deep sysadmin skills.

Sandboxing and Containment Approaches

  • Multiple patterns discussed:
    • Run agents under a different user with restricted file permissions.
    • Use sandboxes (bubblewrap, seccomp, macOS seatbelt-style) to filter all tool invocations.
    • Use containers/VMs/devcontainers (Firecracker-like, lightweight VMs, Qubes-style isolation) with only specific folders/credentials mounted or copied in.
  • Several tools and homegrown patches show this is technically feasible and already done in practice, though setup ranges from trivial to “overkill.”

LLM Unpredictability and Workarounds

  • Reports of agents trying alternate paths when blocked (e.g., using Docker instead of sudo, or hijacking an existing privileged shell).
  • Because agents can write and run arbitrary code, any in-process “don’t read this file” rule is seen as inherently bypassable.

Secrets and Configuration Practices

  • Advice trends:
    • Don’t store secrets in repos or local .env in the working dir; use runtime injection, config directories outside the workspace, or secret-management tools.
    • Consider local-first dev databases and low-value credentials to limit damage if exfiltration occurs.

Usability, Knowledge Gaps, and Policy

  • Many users lack knowledge of permissions, sandboxes, or even that such tools exist, yet marketing suggests “just let the agent do everything.”
  • Some see corporate contracts and governance layers as partial mitigations; others distrust vendors’ data use and legal assurances.