Cross-tool guard that stops AI coding agents from reading your secrets and .env files

dev tool real project ••• trending

Across Codex, Claude Code, and Cursor, developers keep asking for a reliable way to stop coding agents from reading .env files and other secrets and dumping them into transcripts that get sent to model providers. Per-tool ignore mechanisms are best-effort and inconsistent, so security-conscious devs want a tool-agnostic guard that enforces the boundary instead of trusting each vendor's redaction.

builder note

Don't reimplement per-tool ignore lists (every vendor is racing to add those)... the defensible version enforces at the OS/filesystem or proxy layer, denying the agent process read access to secret paths or feeding it placeholders and resolving real values out-of-band, so protection doesn't depend on the model behaving.

landscape (3 existing solutions)

The demand shows up as a separate 'exclude sensitive files' request in every agent's tracker, plus HN threads about agents slurping .env contents into provider-bound context. Partial per-tool fixes exist, but nobody offers a tool-agnostic, enforce-don't-trust guarantee, and that's the gap.

varlock Gives agents a schema with no secret values and redacts secrets from logs/output, but its own docs confirm it does not stop a process from reading the real secrets loaded into the environment at runtime.

Per-tool best-effort file ignore (Codex/Claude Code/Cursor) Best-effort and inconsistent across tools; commenters note exclusion isn't guaranteed given LLM unpredictability, and each agent handles it differently.

Vendor-side redaction (e.g. Claude Code secret-masking) Each vendor ships its own partial, opaque redaction; there's no single guarantee across the multiple agents a developer actually runs day to day.

sources (1)

other https://github.com/openai/codex/issues/2847 "A way to exclude sensitive files" 2025-08-28

ai-agentssecretssecuritydotenvdeveloper-tools