agent-approvals-security.md +20 −0
73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.
74- Protection is recursive, so everything under those paths is read-only.74- Protection is recursive, so everything under those paths is read-only.
75 75
76### Deny reads with filesystem profiles
77
78Named permission profiles can also deny reads for exact paths or glob patterns.
79This is useful when a workspace should stay writable but specific sensitive
80files, such as local environment files, must stay unreadable:
81
82```toml
83default_permissions = "workspace"
84
85[permissions.workspace.filesystem]
86":project_roots" = { "." = "write", "**/*.env" = "none" }
87glob_scan_max_depth = 3
88```
89
90Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy
91evaluates globs for local macOS and Linux command execution. On platforms that
92pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for
93unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and
94`*/*/*.env`.
95
76### Run without approval prompts96### Run without approval prompts
77 97
78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).98You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).