permissions.<name>.filesystem
unsetPublished Jul 15, 2026 · Verified against the official config docs
Filesystem access rules for a custom permission profile. Under permissions.<name>.filesystem you map absolute paths or globs to read, write, or deny. The :workspace_roots token scopes rules to your workspace, so denying **/*.env keeps Codex out of your secrets while it edits code. Unset by default; point default_permissions at the profile to turn it on, and don't combine that with sandbox_mode.
People have been asking for a way to keep Codex out of .env files since the early releases. Issue #2847 collected 91 comments asking for a .codexignore, and #5237 documented Codex running List .. above the launch directory. Named permission profiles are the answer that shipped: a [permissions.<name>] table in config.toml with filesystem rules inside.
Values
Each key under filesystem is an absolute path or a special token, mapped to "read", "write", or "deny" (config reference). The ":workspace_roots" token holds workspace-relative rules: "." means the root itself, and glob subpaths like "**/*.env" work. One housekeeping key sits alongside the path rules: glob_scan_max_depth, a number that must be at least 1, capping how deep deny-read globs expand on platforms that snapshot matches before the sandbox starts.
default_permissions = "no-secrets"
[permissions.no-secrets]
description = "Workspace access, secrets denied"
extends = ":workspace"
[permissions.no-secrets.filesystem]
glob_scan_max_depth = 4
"/etc" = "read"
[permissions.no-secrets.filesystem.":workspace_roots"]
"**/*.env" = "deny"
"**/*.pem" = "deny"
Profiles inherit through extends: another named profile, :read-only, or :workspace. Setting it to :danger-full-access, an undefined parent, or a cycle gets rejected.
When to change it
- Secrets in the repo. Deny
**/*.env,**/*.pem, and key files under":workspace_roots"and Codex can still edit code without reading credentials. This is the fix the #2847 crowd waited for. - Codex wandering upstream. If you have watched it read parent directories from a subfolder (the #5237 complaint), a profile scoped to workspace roots pins it down.
- Monorepo with an off-limits subtree — deny that absolute path in one line.
Gotchas
- Don’t combine
default_permissionswithsandbox_modeor[sandbox_workspace_write]. The reference says to pick one approach. - Deny-read globs get expanded before sandbox startup on some platforms. The docs don’t name which platforms this hits, and there’s no published
glob_scan_max_depthdefault to fall back on. They also say nothing about whether a file created mid-session gets covered. Test on your OS before trusting it with real secrets. - The docs mention a
:minimalspecial token as a valid filesystem key but never define what it grants.
Related settings
default_permissionspicks which profile applies to sandboxed tool calls.permissions.<name>.networkdoes the same job for domains and sockets.sandbox_modecovers the three built-in modes if you don’t need custom rules.