Skip to main content

Protect sensitive files from AI coding tools

Project description

aifence

Your AI coding assistant can read your .env files. Right now. No warning, no permission prompt.

We tested this: asked GitHub Copilot Agent to help with a publish workflow. It ran cat .env without hesitation.

Copilot reading .env file without warning

aifence generates the strongest available protection for each AI tool in one command.

$ aifence init

Scanning for sensitive files...
  Found: .env, config/secrets.yaml, certs/server.pem, .npmrc

  Claude Code (detected):
     permissions.deny  20 Read rules added
     sandbox.denyRead  20 patterns added
     Sandbox not enabled  run /sandbox in Claude Code for OS-level Bash protection

  Cursor (detected):
     .cursorignore  20 patterns added
     Shell commands (cat .env) not blocked  Cursor limitation

  Copilot (not detected):
     .copilotignore  20 patterns added
     Agent mode ignores .copilotignore  completions context only

  Windsurf (not detected):
     .windsurfignore  20 patterns added
     Enforcement depth unverified

  Gemini CLI (not detected):
     No protection mechanism available

One command. Every AI tool in your project gets the strongest protection it supports. Honest warnings about what each tool can't block.

Install

pipx install aifence

Or with pip:

pip install aifence

Usage

# Scan workspace, show exposure, apply protections
aifence init

# Audit only (no files modified)
aifence scan

The problem

AI coding tools can read any file your user account can access. Most developers have .env files, SSH keys, and credentials sitting in their project directories.

  • Claude Code can read files via its Read tool and via cat .env in Bash
  • Cursor indexes files for AI context automatically
  • Copilot Agent mode runs shell commands with full file access
  • Gemini CLI has no file access restrictions at all

Each tool has different protection mechanisms — some strong, some weak, some nonexistent. Figuring out what works for each tool means reading 4 different docs.

What aifence generates

Tool What's generated Protection level
Claude Code permissions.deny (Read rules) + sandbox.filesystem.denyRead Full — OS-level when sandbox enabled
Cursor .cursorignore Partial — blocks AI reads, not shell
Copilot .copilotignore Partial — completions only, not Agent mode
Windsurf .windsurfignore Partial — enforcement depth unverified
Gemini CLI Nothing None — no mechanism exists

Claude Code: the full picture

Claude Code is the only tool with OS-level protection via its sandbox. aifence generates two layers:

  1. permissions.deny — blocks the Read tool from accessing sensitive files
  2. sandbox.filesystem.denyRead — blocks all processes (including cat, grep, python) from reading those files at the OS level (Seatbelt on macOS, bubblewrap on Linux)

You still need to enable the sandbox yourself: run /sandbox in Claude Code. aifence adds the deny rules, but enabling sandbox is a workflow decision only you should make.

Other tools: honest limits

For Cursor, Copilot, and Windsurf, ignore files block the AI from using your secrets as context — but they don't prevent shell commands like cat .env from working. aifence warns about every gap it can't fix.

Default protected patterns

.env, .env.*, *.pem, *.key, *.p12, *.pfx, *.jks, *.keystore,
credentials, credentials.*, secrets.json, secrets.yaml, secrets.yml,
.secrets, .npmrc, .pypirc, id_rsa, id_ed25519, id_ecdsa,
service-account*.json

Safe by design

  • Pattern-based only — aifence never reads file contents, only matches filenames
  • Merge, never overwrite — existing configs are preserved, new rules are appended
  • Idempotent — running aifence init twice produces the same result
  • No runtime component — generates static config files, then gets out of the way

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aifence-0.1.0.tar.gz (7.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

aifence-0.1.0-py3-none-any.whl (12.0 kB view details)

Uploaded Python 3

File details

Details for the file aifence-0.1.0.tar.gz.

File metadata

  • Download URL: aifence-0.1.0.tar.gz
  • Upload date:
  • Size: 7.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.10 {"installer":{"name":"uv","version":"0.10.10","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for aifence-0.1.0.tar.gz
Algorithm Hash digest
SHA256 9a22aa54bf41bdb03ba566d01f61194b50fe132f58cfa8bf5e629170dd762f45
MD5 08aa20b3491e4734cf3a3312702ca2de
BLAKE2b-256 761e0e6670cf6f8a09fd00a7e1d0ba31caa304e316398d49dabb49ee831acce4

See more details on using hashes here.

File details

Details for the file aifence-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: aifence-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 12.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.10 {"installer":{"name":"uv","version":"0.10.10","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for aifence-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 98646c9b0d02220e76f139a7b4908642f877913dc43af8a9ec46d79617d09548
MD5 9a05f4fb6e53d4aaf61cdac318a213b9
BLAKE2b-256 5949ea6a8c1f5374876823494495ddeb6f50858e1ab4a05e9b9d61ae55d648ae

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page