Environment Variables & Secrets in the Sandbox

Secrets management inside the Codex sandbox requires understanding three attack surfaces: environment variable exposure, command output capture, and file content reads. Environment variables set in your shell are inherited by Codex sessions — including API keys, database credentials, and tokens. Commands Codex runs can echo these values, and the output becomes part of the conversation context sent to the API. File reads of .env, credentials.json, or similar files have the same effect.

The defense-in-depth strategy for secrets has four layers. First, minimize the environment: launch Codex from a minimal shell that only exports the variables it needs. Second, scope MCP secrets: use the env block in config.toml to give each MCP server only its required secrets. Third, add AGENTS.md rules: explicitly forbid reading or displaying secret files. Fourth, use the sandbox: workspace-write mode prevents Codex from modifying credential files, even if it can read them.

#!/bin/bash
# Launch Codex with a minimal environment
# Only export what Codex actually needs

# Clear inherited secrets
unset AWS_SECRET_ACCESS_KEY
unset DATABASE_URL
unset GITHUB_TOKEN

# Set only what Codex needs
export OPENAI_API_KEY="${OPENAI_API_KEY}"
export PATH="/usr/local/bin:/usr/bin:/bin"
export HOME="${HOME}"
export CODEX_PROFILE="dev"

# Launch with explicit environment
exec codex "$@"

# For CI, use GitHub Actions secrets:
# env:
#   OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
# No other secrets exposed to the Codex step