Running Codex in a locked-down workspace prevents accidental edits to the wider filesystem while still enabling automation. Some tasks still need a safe place to write generated files, temporary artifacts, or caches outside the primary working directory.

For each codex exec run, Codex applies a writable-path allowlist that limits where file changes are permitted. Adding a directory with --add-dir extends that allowlist for the current run, allowing writes only under the specified path.

The extra directory must exist before starting Codex and should be scoped as narrowly as possible, preferably to a dedicated scratch folder. Granting write access to broad locations such as /home or /etc increases the risk of unintended edits and makes cleanup harder if an automation step misbehaves.

Steps to add a writable directory for Codex:

  1. Create a dedicated scratch directory for Codex output.
    $ mkdir -p /tmp/codex-writable

    mkdir -p prints nothing when the directory was created or already existed, so an empty result is expected.

  2. Restrict access to the scratch directory.
    $ chmod 700 /tmp/codex-writable

    Restrictive permissions reduce accidental access to temporary artifacts created during automation.

  3. Run Codex with an additional writable directory.
    $ codex exec --add-dir /tmp/codex-writable "Return OK."
    OK.

    Avoid adding broad paths (for example /tmp, /home, /etc, or a repository root), since automation can overwrite unrelated files under the writable tree.

  4. Create a marker file in the added directory to confirm write access.
    $ codex exec -s workspace-write --add-dir /tmp/codex-writable "Create /tmp/codex-writable/codex-marker."
    Created `/tmp/codex-writable/codex-marker`.

    If a trust or permission error occurs, the path is not writable for the current run.

  5. Remove the marker file after verification.
    $ rm -f /tmp/codex-writable/codex-marker
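
The five steps above wrapped into one script, with a check that refuses the broad paths step 3 warns against before anything is added to the allowlist. This is an added example, not part of the original page or the Codex project; the allow_add_dir, prepare_scratch_dir and run_codex_marker_check function names and the CODEX_SCRATCH variable are this example's own, and it assumes the codex CLI is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not Codex project code): scope, create and verify a
# writable scratch directory for a codex exec run. Assumes codex is on PATH;
# the function names and CODEX_SCRATCH are this example's own choices.
set -eu

# Refuse the locations the page warns against: filesystem root, /tmp, /home,
# /etc and similar broad trees, or a git repository root. Returns 0 when the
# path is narrow enough to pass to --add-dir.
allow_add_dir() {
  local dir="${1%/}"
  case "$dir" in
    ""|/|/tmp|/home|/etc|/usr|/var) return 1 ;;
  esac
  # A directory holding .git is a repository root; refuse that as well.
  [ -e "$dir/.git" ] && return 1
  return 0
}

# Steps 1 and 2: create the scratch directory with owner-only permissions.
# Prints the resulting permission bits (GNU stat first, BSD stat as fallback).
prepare_scratch_dir() {
  local dir="$1"
  allow_add_dir "$dir" || { echo "refusing broad path: $dir" >&2; return 1; }
  mkdir -p "$dir"
  chmod 700 "$dir"
  stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir"
}

# Steps 3 to 5: run Codex with the directory added to the writable allowlist,
# confirm the marker file it was asked to create exists, then remove it.
run_codex_marker_check() {
  local dir="$1" marker="$1/codex-marker"
  codex exec -s workspace-write --add-dir "$dir" "Create $marker."
  if [ -f "$marker" ]; then
    rm -f "$marker"
    echo "write access confirmed under $dir"
  else
    echo "marker missing: $dir was not writable for this run" >&2
    return 1
  fi
}

# Only run the full procedure when a scratch path is supplied, e.g.
#   CODEX_SCRATCH=/tmp/codex-writable ./add-dir-check.sh
if [ "${CODEX_SCRATCH:-}" != "" ]; then
  prepare_scratch_dir "$CODEX_SCRATCH" >/dev/null
  run_codex_marker_check "$CODEX_SCRATCH"
fi
```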