Protect sensitive files from AI coding tools
Project description
aifence
Your AI coding assistant can read your .env files. Right now. No warning, no permission prompt.
We tested this: asked GitHub Copilot Agent to help with a publish workflow. It ran cat .env without hesitation.
aifence generates the strongest available protection for each AI tool in one command.
$ aifence init
Scanning for sensitive files...
Found: .env, config/secrets.yaml, certs/server.pem, .npmrc
Claude Code (detected):
✓ permissions.deny — 20 Read rules added
✓ sandbox.denyRead — 20 patterns added
⚠ Sandbox not enabled — run /sandbox in Claude Code for OS-level Bash protection
Cursor (detected):
✓ .cursorignore — 20 patterns added
⚠ Shell commands (cat .env) not blocked — Cursor limitation
Copilot (not detected):
✓ .copilotignore — 20 patterns added
⚠ Agent mode ignores .copilotignore — completions context only
Windsurf (not detected):
✓ .windsurfignore — 20 patterns added
⚠ Enforcement depth unverified
Gemini CLI (not detected):
✗ No protection mechanism available
One command. Every AI tool in your project gets the strongest protection it supports. Honest warnings about what each tool can't block.
Install
pipx install aifence
Or with pip:
pip install aifence
Usage
# Scan workspace, show exposure, apply protections
aifence init
# Audit only (no files modified)
aifence scan
The problem
AI coding tools can read any file your user account can access. Most developers have .env files, SSH keys, and credentials sitting in their project directories.
- Claude Code can read files via its Read tool and via
cat .envin Bash - Cursor indexes files for AI context automatically
- Copilot Agent mode runs shell commands with full file access
- Gemini CLI has no file access restrictions at all
Each tool has different protection mechanisms — some strong, some weak, some nonexistent. Figuring out what works for each tool means reading 4 different docs.
What aifence generates
| Tool | What's generated | Protection level |
|---|---|---|
| Claude Code | permissions.deny (Read rules) + sandbox.filesystem.denyRead |
Full — OS-level when sandbox enabled |
| Cursor | .cursorignore |
Partial — blocks AI reads, not shell |
| Copilot | .copilotignore |
Partial — completions only, not Agent mode |
| Windsurf | .windsurfignore |
Partial — enforcement depth unverified |
| Gemini CLI | Nothing | None — no mechanism exists |
Claude Code: the full picture
Claude Code is the only tool with OS-level protection via its sandbox. aifence generates two layers:
permissions.deny— blocks the Read tool from accessing sensitive filessandbox.filesystem.denyRead— blocks all processes (includingcat,grep,python) from reading those files at the OS level (Seatbelt on macOS, bubblewrap on Linux)
You still need to enable the sandbox yourself: run
/sandboxin Claude Code. aifence adds the deny rules, but enabling sandbox is a workflow decision only you should make.
Other tools: honest limits
For Cursor, Copilot, and Windsurf, ignore files block the AI from using your secrets as context — but they don't prevent shell commands like cat .env from working. aifence warns about every gap it can't fix.
Default protected patterns
.env, .env.*, *.pem, *.key, *.p12, *.pfx, *.jks, *.keystore,
credentials, credentials.*, secrets.json, secrets.yaml, secrets.yml,
.secrets, .npmrc, .pypirc, id_rsa, id_ed25519, id_ecdsa,
service-account*.json
Safe by design
- Pattern-based only — aifence never reads file contents, only matches filenames
- Merge, never overwrite — existing configs are preserved, new rules are appended
- Idempotent — running
aifence inittwice produces the same result - No runtime component — generates static config files, then gets out of the way
License
MIT
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file aifence-0.1.0.tar.gz.
File metadata
- Download URL: aifence-0.1.0.tar.gz
- Upload date:
- Size: 7.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.10 {"installer":{"name":"uv","version":"0.10.10","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9a22aa54bf41bdb03ba566d01f61194b50fe132f58cfa8bf5e629170dd762f45
|
|
| MD5 |
08aa20b3491e4734cf3a3312702ca2de
|
|
| BLAKE2b-256 |
761e0e6670cf6f8a09fd00a7e1d0ba31caa304e316398d49dabb49ee831acce4
|
File details
Details for the file aifence-0.1.0-py3-none-any.whl.
File metadata
- Download URL: aifence-0.1.0-py3-none-any.whl
- Upload date:
- Size: 12.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.10 {"installer":{"name":"uv","version":"0.10.10","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
98646c9b0d02220e76f139a7b4908642f877913dc43af8a9ec46d79617d09548
|
|
| MD5 |
9a05f4fb6e53d4aaf61cdac318a213b9
|
|
| BLAKE2b-256 |
5949ea6a8c1f5374876823494495ddeb6f50858e1ab4a05e9b9d61ae55d648ae
|