Initial commit

.claude-plugin/plugin.json

@@ -0,0 +1,12 @@
+{
+  "name": "secure-env",
+  "description": "Security plugin that helps protect sensitive .env files from accidental access by Claude Code",
+  "version": "1.0.0",
+  "author": {
+    "name": "Björn Allvin"
+  },
+  "commands": [
+    "./commands/check.md",
+    "./commands/apply.md"
+  ]
+}

README.md

@@ -0,0 +1,3 @@
+# secure-env
+
+Security plugin that helps protect sensitive .env files from accidental access by Claude Code

commands/apply.md

@@ -0,0 +1,20 @@
+Apply secure .env permission deny rules to the current project's Claude settings.
+
+This command runs a script that:
+- Adds deny rules for `.env` and `.env.local` files
+- Adds allow rules for `.env.example` files
+- Applies to **BOTH** `.claude/settings.json` AND `.claude/settings.local.json` (if they exist)
+- Preserves all existing project settings (only merges the .env rules)
+- Creates backups before modifying
+- Creates the settings files if they don't exist
+
+**Important**:
+- `.claude/settings.local.json` takes precedence over `.claude/settings.json`
+- That's why the script applies rules to BOTH files to ensure protection
+- Project-level settings override user-level settings
+
+After running this command, use `/local.check-env-permissions` to verify the configuration.
+
+```bash
+~/.claude/plugins/marketplaces/cc-plugins/secure-env/scripts/apply-env-security.sh
+```

commands/check.md

@@ -0,0 +1,37 @@
+Check the current Claude Code permissions for .env files without attempting to read them.
+
+**Important**: Project-level settings completely override user-level settings (they don't merge).
+
+1. Check all three settings locations:
+   - **User settings**: `~/.claude/settings.json`
+   - **Project settings**: `./.claude/settings.json` (if exists)
+   - **Local project settings**: `./.claude/settings.local.json` (if exists)
+
+2. For each file that exists, parse the `permissions` section (both `allow` and `deny` arrays)
+
+3. Look for patterns related to .env files in each:
+   - `**/.env`
+   - `**/.env.*`
+   - `**/.env.example`
+   - `**/.env.local`
+   - Any other .env-related patterns
+
+4. Report findings clearly:
+   - Show what's in each settings file (user, project, local)
+   - **Highlight which settings are actually active** based on precedence:
+     - If `./.claude/settings.local.json` exists → it takes precedence
+     - Else if `./.claude/settings.json` exists → it takes precedence
+     - Else `~/.claude/settings.json` is active
+   - Show the effective permissions that will actually be enforced
+   - Explain if project settings are overriding user settings (especially important if project has empty/missing deny arrays)
+
+5. Provide a summary like:
+   - "✓ Can read/write .env.example files"
+   - "✗ Cannot read/write .env files"
+   - "⚠️  Warning: Project settings override user settings and may allow .env access"
+
+6. **If project settings are missing .env protections**, suggest:
+   - "💡 TIP: Run `/secure-env.apply` to add secure .env deny rules to this project's settings"
+   - Explain that this will merge the deny rules without overwriting existing project settings
+
+Do NOT attempt to read, write, or access any actual .env files - only check the permissions configuration files.

plugin.lock.json

@@ -0,0 +1,49 @@
+{
+  "$schema": "internal://schemas/plugin.lock.v1.json",
+  "pluginId": "gh:bjornallvin/cc-plugins:secure-env",
+  "normalized": {
+    "repo": null,
+    "ref": "refs/tags/v20251128.0",
+    "commit": "178c1403d935b01288b3b76e3a9bccf8afd56bf8",
+    "treeHash": "922cc461c6bce9fe8cf8b001d21c5f30f559c376f1797f6827f5b966d1e54444",
+    "generatedAt": "2025-11-28T10:14:16.269301Z",
+    "toolVersion": "publish_plugins.py@0.2.0"
+  },
+  "origin": {
+    "remote": "git@github.com:zhongweili/42plugin-data.git",
+    "branch": "master",
+    "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
+    "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
+  },
+  "manifest": {
+    "name": "secure-env",
+    "description": "Security plugin that helps protect sensitive .env files from accidental access by Claude Code",
+    "version": "1.0.0"
+  },
+  "content": {
+    "files": [
+      {
+        "path": "README.md",
+        "sha256": "4823248bb67c108d470c583b2676668edd3db5cf8aa67f758a34a465ffb7c83d"
+      },
+      {
+        "path": ".claude-plugin/plugin.json",
+        "sha256": "65466885ecaba7ae360b42cf141deeb3ea3167b1c20aa4bc2840f84dded95b74"
+      },
+      {
+        "path": "commands/apply.md",
+        "sha256": "b0139de51ced4254fb536649d721ff0344445950984f343c76a668e16c900e39"
+      },
+      {
+        "path": "commands/check.md",
+        "sha256": "85dbf009150d1941bd7cb8c19c48bfa8ee4320fb99e8d1a937de441e774b2504"
+      }
+    ],
+    "dirSha256": "922cc461c6bce9fe8cf8b001d21c5f30f559c376f1797f6827f5b966d1e54444"
+  },
+  "security": {
+    "scannedAt": null,
+    "scannerVersion": null,
+    "flags": []
+  }
+}