Initial commit

commands/check.md

@@ -0,0 +1,37 @@
+Check the current Claude Code permissions for .env files without attempting to read them.
+
+**Important**: Project-level settings completely override user-level settings (they don't merge).
+
+1. Check all three settings locations:
+   - **User settings**: `~/.claude/settings.json`
+   - **Project settings**: `./.claude/settings.json` (if exists)
+   - **Local project settings**: `./.claude/settings.local.json` (if exists)
+
+2. For each file that exists, parse the `permissions` section (both `allow` and `deny` arrays)
+
+3. Look for patterns related to .env files in each:
+   - `**/.env`
+   - `**/.env.*`
+   - `**/.env.example`
+   - `**/.env.local`
+   - Any other .env-related patterns
+
+4. Report findings clearly:
+   - Show what's in each settings file (user, project, local)
+   - **Highlight which settings are actually active** based on precedence:
+     - If `./.claude/settings.local.json` exists → it takes precedence
+     - Else if `./.claude/settings.json` exists → it takes precedence
+     - Else `~/.claude/settings.json` is active
+   - Show the effective permissions that will actually be enforced
+   - Explain if project settings are overriding user settings (especially important if project has empty/missing deny arrays)
+
+5. Provide a summary like:
+   - "✓ Can read/write .env.example files"
+   - "✗ Cannot read/write .env files"
+   - "⚠️  Warning: Project settings override user settings and may allow .env access"
+
+6. **If project settings are missing .env protections**, suggest:
+   - "💡 TIP: Run `/secure-env.apply` to add secure .env deny rules to this project's settings"
+   - Explain that this will merge the deny rules without overwriting existing project settings
+
+Do NOT attempt to read, write, or access any actual .env files - only check the permissions configuration files.