[FEATURE] Default deny permissions for *.env files
Resolved 💬 3 comments Opened Jun 6, 2026 by jpmckeown Closed Jul 12, 2026
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
- *.env files typically contain sensitive credentials and secrets
- Users shouldn't have to manually configure settings.json for basic security protection
- These should be denied by default for Read, Write, and Bash tools
Proposed Solution
"permissions": {
"deny": [
"Bash(**/*.env)",
"Read(**/*.env)",
"Write(**/*.env)"
]
}
Alternative Solutions
_No response_
Priority
Critical - Blocking my work
Feature Category
CLI commands and flags
Use Case Example
_No response_
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗