zhongwei/gh-bjornallvin-cc-plugins-secure-env
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 18:01:15 +08:00
commit b90c8a0445
5 changed files with 121 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
commands/apply.md Normal file
View File

@@ -0,0 +1,20 @@
Apply secure .env permission deny rules to the current project's Claude settings.
This command runs a script that:
- Adds deny rules for `.env` and `.env.local` files
- Adds allow rules for `.env.example` files
- Applies to **BOTH** `.claude/settings.json` AND `.claude/settings.local.json` (if they exist)
- Preserves all existing project settings (only merges the .env rules)
- Creates backups before modifying
- Creates the settings files if they don't exist
**Important**:
- `.claude/settings.local.json` takes precedence over `.claude/settings.json`
- That's why the script applies rules to BOTH files to ensure protection
- Project-level settings override user-level settings
After running this command, use `/local.check-env-permissions` to verify the configuration.
```bash
~/.claude/plugins/marketplaces/cc-plugins/secure-env/scripts/apply-env-security.sh
```

37
commands/check.md Normal file
View File

@@ -0,0 +1,37 @@
Check the current Claude Code permissions for .env files without attempting to read them.
**Important**: Project-level settings completely override user-level settings (they don't merge).
1. Check all three settings locations:
- **User settings**: `~/.claude/settings.json`
- **Project settings**: `./.claude/settings.json` (if exists)
- **Local project settings**: `./.claude/settings.local.json` (if exists)
2. For each file that exists, parse the `permissions` section (both `allow` and `deny` arrays)
3. Look for patterns related to .env files in each:
- `**/.env`
- `**/.env.*`
- `**/.env.example`
- `**/.env.local`
- Any other .env-related patterns
4. Report findings clearly:
- Show what's in each settings file (user, project, local)
- **Highlight which settings are actually active** based on precedence:
- If `./.claude/settings.local.json` exists → it takes precedence
- Else if `./.claude/settings.json` exists → it takes precedence
- Else `~/.claude/settings.json` is active
- Show the effective permissions that will actually be enforced
- Explain if project settings are overriding user settings (especially important if project has empty/missing deny arrays)
5. Provide a summary like:
- "✓ Can read/write .env.example files"
- "✗ Cannot read/write .env files"
- "⚠️ Warning: Project settings override user settings and may allow .env access"
6. **If project settings are missing .env protections**, suggest:
- "💡 TIP: Run `/secure-env.apply` to add secure .env deny rules to this project's settings"
- Explain that this will merge the deny rules without overwriting existing project settings
Do NOT attempt to read, write, or access any actual .env files - only check the permissions configuration files.