Codex sensitive-file exclusion debate exposes the limits of ignore files
Original: A way to exclude sensitive files issue still open for OpenAI Codex View original →
OpenAI Codex issue #2847 looks like a straightforward feature request, but it reaches into the core security problem for coding agents. The proposal asks for repository-level and global rules, such as a .codexignore file, that mark files or paths the agent must not read or send to the model. Examples include .env files, private keys, AWS folders, and SSH material. The issue was opened in August 2025 and remains open, with activity continuing on June 28, 2026.
At first glance, this resembles a familiar ignore-file workflow. The HN discussion quickly moved past that. If an agent can run shell commands, then blocking a read_file tool is not enough. A search command can print matching lines from a sensitive file, logs can include secrets, and build tools can echo configuration. Once sensitive bytes appear in tool output, they can enter the model context even if a higher-level file reader never opened the file directly.
That is why many comments framed the real boundary at Unix permissions, containers, devcontainers, or copied low-risk workspaces. One line of argument was simple: the Codex process should not be able to access sensitive files in the first place. Another treated the coding agent like an untrusted human using a separate account. From that perspective, an ignore file can improve UX and team policy, but it is a weak security boundary by itself.
The issue body also separates two use cases that often get mixed together. One is preventing sensitive data from being sent to the model. The other is excluding large or irrelevant files so the agent can work more efficiently. Those are both useful, but their failure modes differ. A performance ignore rule can be imperfect; a secret-protection rule cannot rely on every output path being anticipated.
As coding agents become part of everyday development, “what can the model see?” is no longer just a prompt question. It is a runtime-design question. Ignore files may still be necessary for usability, but serious secret protection needs filesystem permissions, sandbox mounts, container boundaries, or credential proxies. The value of this thread is that it makes those layers explicit.
Related Articles
HN read Codex less as a feature list and more as a permission problem. The thread kept circling desktop agents, non-developer workflows, sensitive files, and whether users really want an AI operating their computer.
Claude products now touch real tools, so the risk question is shifting from model persuasion to execution boundaries. Anthropic says users approved about 93% of Claude Code permission prompts, a number that weakens human-in-the-loop defenses.
OpenAI is giving ChatGPT Enterprise admins a clearer cost map for ChatGPT and Codex. The new console breaks AI credit usage down by user, product, and model, while adding workspace, group, and individual limits.