Why .agentignore Should Be Implemented at the Filesystem Level
Thesis: The most reliable way to implement .agentignore is at the filesystem level. Alternative approaches depend on agent behavior, command interception, or model compliance, all of which have significant limitations.
1. MCP-Level Filtering Is No Longer Sufficient
One approach is to implement .agentignore within MCP file access tools. This works only as long as agents access files exclusively through those tools.
In practice, modern coding agents can execute arbitrary shell commands, either directly or through MCP-provided shell execution. Once shell access exists, MCP-level file filtering can be bypassed entirely.
We should treat arbitrary command execution as a reality rather than an edge case.
2. Command-Level Enforcement Does Not Scale
Another approach is to intercept shell commands and inject exclusion rules.
For example, a command such as:
find . -type f
could be rewritten as:
find . -path './node_modules' -prune -o -type f -print
The problem is that this does not scale:
- There are hundreds of commands that can access files.
- Different commands use different exclusion mechanisms.
- Many custom tools provide no exclusion options at all.
- Command rewriting is complex, fragile, and difficult to maintain.
A much simpler solution is to make ignored files appear absent from the filesystem. Any tool, command, or application automatically respects the policy without modification.
3. Model-Level Compliance Is Not Enforcement
A third approach is to train models to avoid ignored files.
This is useful as guidance, but it is not enforcement.
There are several problems:
- Not every command or tool supports exclusion rules.
- Models can make mistakes, ignore instructions, or hallucinate.
- Policy enforcement should not depend on probabilistic behavior.
More fundamentally, model capacity is better spent on solving programming problems than on remembering file-filtering rules that can be enforced deterministically by the operating system.
The Proposal
agentignore implements .agentignore as a FUSE filesystem.
Files matching .agentignore rules are hidden from agent processes and appear not to exist.
A complementary .agentallow mechanism grants unrestricted access to trusted processes, such as compilers, test runners, build tools, and other applications that legitimately require access to the hidden files.
This approach provides deterministic, tool-independent enforcement and works regardless of which commands, agents, models, or development tools are used.
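To make the enforcement point concrete, here is an added example (not the agentignore project's own code) of the policy core such a FUSE layer would consult from its readdir/getattr/open handlers: gitignore-style .agentignore matching plus an .agentallow check keyed on the calling process's executable name. The rule syntax, the process-name keying of .agentallow and all function names are assumptions.

```python
"""Policy core for a filesystem-level .agentignore layer (assumed design).
Decides, for a relative path and a calling process, whether the path should
appear to exist. A real FUSE handler would obtain the caller's name from
fuse_get_context().pid via /proc/<pid>/comm and call is_visible() before
answering readdir/getattr/open; that glue is omitted here."""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath


def parse_rules(text):
    """Parse .agentignore / .agentallow text: one pattern per line,
    '#' comments and blank lines skipped, a leading '!' negates."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        rules.append((negate, line[1:] if negate else line))
    return rules


def matches(pattern, rel_path):
    """gitignore-style match of one pattern against a '/'-separated path:
    a pattern without '/' matches any single path component; a pattern
    containing '/' is anchored at the mount root and matches the path or
    any of its directory prefixes; a trailing '/' is accepted and dropped."""
    parts = PurePosixPath(rel_path).parts
    pat = pattern.rstrip("/")
    if "/" not in pat:
        return any(fnmatchcase(p, pat) for p in parts)
    pat = pat.lstrip("/")
    return any(fnmatchcase("/".join(parts[:i]), pat)
               for i in range(1, len(parts) + 1))


def is_ignored(rel_path, rules):
    """Last matching rule wins, so a later '!pattern' re-includes a path."""
    ignored = False
    for negate, pattern in rules:
        if matches(pattern, rel_path):
            ignored = not negate
    return ignored


def is_visible(rel_path, ignore_rules, allow_rules, caller_comm):
    """Hidden paths are invisible to every process except those whose
    executable name (e.g. 'pytest', 'gcc') matches an .agentallow entry."""
    if not is_ignored(rel_path, ignore_rules):
        return True
    return any(fnmatchcase(caller_comm, pat) for _, pat in allow_rules)
```

Because the decision is made per lookup by the filesystem, `find`, `cat`, a custom script or an MCP tool all see the same view without any command rewriting.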