From b90c8a044534704c94f2608ae5e93815491b71b6 Mon Sep 17 00:00:00 2001
From: Zhongwei Li
Date: Sat, 29 Nov 2025 18:01:15 +0800
Subject: [PATCH] Initial commit

---
 .claude-plugin/plugin.json | 12 ++++++++++
 README.md | 3 +++
 commands/apply.md | 20 ++++++++++++++++
 commands/check.md | 37 ++++++++++++++++++++++++++++
 plugin.lock.json | 49 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 121 insertions(+)
 create mode 100644 .claude-plugin/plugin.json
 create mode 100644 README.md
 create mode 100644 commands/apply.md
 create mode 100644 commands/check.md
 create mode 100644 plugin.lock.json

diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
new file mode 100644
index 0000000..c907a0e
--- /dev/null
+++ b/.claude-plugin/plugin.json
@@ -0,0 +1,12 @@
+{
+ "name": "secure-env",
+ "description": "Security plugin that helps protect sensitive .env files from accidental access by Claude Code",
+ "version": "1.0.0",
+ "author": {
+ "name": "Björn Allvin"
+ },
+ "commands": [
+ "./commands/check.md",
+ "./commands/apply.md"
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b222e24
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# secure-env
+
+Security plugin that helps protect sensitive .env files from accidental access by Claude Code
diff --git a/commands/apply.md b/commands/apply.md
new file mode 100644
index 0000000..8edd48a
--- /dev/null
+++ b/commands/apply.md
@@ -0,0 +1,20 @@
+Apply secure .env permission deny rules to the current project's Claude settings.
+
+This command runs a script that:
+- Adds deny rules for `.env` and `.env.local` files
+- Adds allow rules for `.env.example` files
+- Applies to **BOTH** `.claude/settings.json` AND `.claude/settings.local.json` (if they exist)
+- Preserves all existing project settings (only merges the .env rules)
+- Creates backups before modifying
+- Creates the settings files if they don't exist
+
+**Important**:
+- `.claude/settings.local.json` takes precedence over `.claude/settings.json`
+- That's why the script applies rules to BOTH files to ensure protection
+- Project-level settings override user-level settings
+
+After running this command, use `/local.check-env-permissions` to verify the configuration.
+
+```bash
+~/.claude/plugins/marketplaces/cc-plugins/secure-env/scripts/apply-env-security.sh
+```
diff --git a/commands/check.md b/commands/check.md
new file mode 100644
index 0000000..cdb6b71
--- /dev/null
+++ b/commands/check.md
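Review bot: The verification step points at `/local.check-env-permissions`, but the only check command this plugin ships is `commands/check.md`, and check.md itself refers to this plugin's commands as `/secure-env.apply`, so the line should read `After running this command, use `/secure-env.check` to verify the configuration.` The script the fenced block runs, `scripts/apply-env-security.sh`, is not part of this commit (neither the diffstat nor the file list in plugin.lock.json includes it), so the backup and merge behaviour the bullets promise cannot be checked here, and the absolute marketplace path assumes one specific install location. The deny list is also narrower than what check.md later looks for: apply denies only `.env` and `.env.local` while check searches for `**/.env.*`, so other variants (e.g. a `.env.production`) stay readable after apply runs; if the deny is widened to `.env.*`, whether the `.env.example` allow still takes effect depends on the host's deny-over-allow precedence and the doc should say which it is.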
@@ -0,0 +1,37 @@
+Check the current Claude Code permissions for .env files without attempting to read them.
+
+**Important**: Project-level settings completely override user-level settings (they don't merge).
+
+1. Check all three settings locations:
+ - **User settings**: `~/.claude/settings.json`
+ - **Project settings**: `./.claude/settings.json` (if exists)
+ - **Local project settings**: `./.claude/settings.local.json` (if exists)
+
+2. For each file that exists, parse the `permissions` section (both `allow` and `deny` arrays)
+
+3. Look for patterns related to .env files in each:
+ - `**/.env`
+ - `**/.env.*`
+ - `**/.env.example`
+ - `**/.env.local`
+ - Any other .env-related patterns
+
+4. Report findings clearly:
+ - Show what's in each settings file (user, project, local)
+ - **Highlight which settings are actually active** based on precedence:
+ - If `./.claude/settings.local.json` exists → it takes precedence
+ - Else if `./.claude/settings.json` exists → it takes precedence
+ - Else `~/.claude/settings.json` is active
+ - Show the effective permissions that will actually be enforced
+ - Explain if project settings are overriding user settings (especially important if project has empty/missing deny arrays)
+
+5. Provide a summary like:
+ - "✓ Can read/write .env.example files"
+ - "✗ Cannot read/write .env files"
+ - "⚠️ Warning: Project settings override user settings and may allow .env access"
+
+6. **If project settings are missing .env protections**, suggest:
+ - "💡 TIP: Run `/secure-env.apply` to add secure .env deny rules to this project's settings"
+ - Explain that this will merge the deny rules without overwriting existing project settings
+
+Do NOT attempt to read, write, or access any actual .env files - only check the permissions configuration files.
diff --git a/plugin.lock.json b/plugin.lock.json
new file mode 100644
index 0000000..ff8eedc
--- /dev/null
+++ b/plugin.lock.json
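Review bot: The opening claim that project-level settings "completely override" user-level settings "(they don't merge)" is stated as fact with no reference, and the whole precedence ladder in step 4 rests on it; if the host merges `permissions.deny` across user, project and local scopes instead, the "effective permissions" report would tell users that a user-level deny is inactive when it still applies. I would hedge it and have step 4 show the union of deny rules next to the precedence view, e.g. `**Important**: Confirm the host's documented precedence — if permission arrays merge across scopes rather than replace each other, a deny rule at any level still applies.` The literal pattern list in step 3 (`**/.env`, `**/.env.*`) also has to match the exact rule syntax the apply script writes, which is not in this commit; a rule written in a tool-scoped form such as `Read(./.env)` would be missed by a search for these strings, so "Any other .env-related patterns" should mention that form explicitly.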
@@ -0,0 +1,49 @@
+{
+ "$schema": "internal://schemas/plugin.lock.v1.json",
+ "pluginId": "gh:bjornallvin/cc-plugins:secure-env",
+ "normalized": {
+ "repo": null,
+ "ref": "refs/tags/v20251128.0",
+ "commit": "178c1403d935b01288b3b76e3a9bccf8afd56bf8",
+ "treeHash": "922cc461c6bce9fe8cf8b001d21c5f30f559c376f1797f6827f5b966d1e54444",
+ "generatedAt": "2025-11-28T10:14:16.269301Z",
+ "toolVersion": "publish_plugins.py@0.2.0"
+ },
+ "origin": {
+ "remote": "git@github.com:zhongweili/42plugin-data.git",
+ "branch": "master",
+ "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
+ "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
+ },
+ "manifest": {
+ "name": "secure-env",
+ "description": "Security plugin that helps protect sensitive .env files from accidental access by Claude Code",
+ "version": "1.0.0"
+ },
+ "content": {
+ "files": [
+ {
+ "path": "README.md",
+ "sha256": "4823248bb67c108d470c583b2676668edd3db5cf8aa67f758a34a465ffb7c83d"
+ },
+ {
+ "path": ".claude-plugin/plugin.json",
+ "sha256": "65466885ecaba7ae360b42cf141deeb3ea3167b1c20aa4bc2840f84dded95b74"
+ },
+ {
+ "path": "commands/apply.md",
+ "sha256": "b0139de51ced4254fb536649d721ff0344445950984f343c76a668e16c900e39"
+ },
+ {
+ "path": "commands/check.md",
+ "sha256": "85dbf009150d1941bd7cb8c19c48bfa8ee4320fb99e8d1a937de441e774b2504"
+ }
+ ],
+ "dirSha256": "922cc461c6bce9fe8cf8b001d21c5f30f559c376f1797f6827f5b966d1e54444"
+ },
+ "security": {
+ "scannedAt": null,
+ "scannerVersion": null,
+ "flags": []
+ }
+}
\ No newline at end of file