[FEATURE] Default deny permissions for *.env files

Resolved 💬 3 comments Opened Jun 6, 2026 by jpmckeown Closed Jul 12, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

  • *.env files typically contain sensitive credentials and secrets
  • Users shouldn't have to manually configure settings.json for basic security protection
  • These should be denied by default for Read, Write, and Bash tools

Proposed Solution

"permissions": {
"deny": [
"Bash(**/*.env)",
"Read(**/*.env)",
"Write(**/*.env)"
]
}

Alternative Solutions

_No response_

Priority

Critical - Blocking my work

Feature Category

CLI commands and flags

Use Case Example

_No response_

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗