
Conversation


@jacekradko jacekradko commented Jan 12, 2026

Summary

Adds configuration files to prevent AI coding tools from reading sensitive files, mitigating the risk of secrets being exposed to AI service providers.

Files created:

  • .claude/settings.json - Hard deny rules for Claude Code (cannot be bypassed)
  • .cursorignore - Ignore patterns for Cursor (note: shell commands can bypass)
  • .geminiignore - Ignore patterns for Gemini CLI (note: explicit read commands can bypass)

Protected patterns:

  • .env and .env.* (environment files)
  • secrets/ directory
  • **/credentials.json
  • **/*.pem and **/*.key (private keys)
  • **/.keys.json (integration keys)

Also updated:

  • .gitignore - Added .claude/settings.local.json to exclude user-specific Claude settings

Test plan

  • Verified JSON syntax is valid for .claude/settings.json
  • Test that Claude Code correctly denies access to protected files
  • Test that Cursor excludes protected files from indexing

Summary by CodeRabbit

  • Chores
    • Strengthened project security by adding configuration to block AI tooling from accessing environment files, credentials, keys, and other sensitive artifacts.
    • Added ignore rules for AI tools and version control to exclude local/tool-specific settings and secret files, reducing risk of accidental exposure.

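The description above lists the same protected patterns for three tools, each kept in its own file. The script below is an added example, not code from the PR or the Clerk repository: it normalises the path patterns from a `.claude/settings.json` deny list and from two gitignore-style ignore files and reports any pattern that is present in one file but missing from another. The file contents are constructed from the description (the `.geminiignore` sample deliberately omits one pattern so the report has something to show); the `permissions.deny` / `Read(...)` / `Edit(...)` shape follows the Claude Code settings format the review refers to, but the real file is not reproduced on the page, and treating a leading `**/` as redundant assumes the gitignore matching described later in this thread.

```javascript
// Added example (not part of the PR or the Clerk repository): parity check
// across the three places the PR stores its "do not read" patterns.
// All file contents below are constructed from the PR description.

const SAMPLE_FILES = {
  // Assumed shape: Claude Code permissions with Read()/Edit() path rules and
  // a Bash() command rule. The real settings.json is not shown on the page.
  '.claude/settings.json': JSON.stringify({
    permissions: {
      deny: [
        'Read(.env)', 'Read(.env.*)', 'Read(secrets/**)', 'Read(**/credentials.json)',
        'Read(**/*.pem)', 'Read(**/*.key)', 'Read(**/.keys.json)',
        'Edit(.env)', 'Edit(.env.*)', 'Edit(secrets/**)',
        'Bash(cat secrets/**)',
      ],
    },
  }),
  '.cursorignore':
    '# constructed sample\n.env\n.env.*\nsecrets/\n**/credentials.json\n**/*.pem\n**/*.key\n**/.keys.json\n',
  '.geminiignore':
    '# constructed sample, **/.keys.json deliberately left out\n.env\n.env.*\nsecrets/\n**/credentials.json\n**/*.pem\n**/*.key\n',
};

// Reduce the three notations to one comparable form:
//   "**/x" and "x" mean the same for an unanchored gitignore rule,
//   "secrets/**" (Claude Read rule) and "secrets/" (ignore file) both cover the directory.
function normalizePattern(raw) {
  let p = raw.trim();
  if (p.startsWith('./')) p = p.slice(2);
  if (p.startsWith('/')) p = p.slice(1);
  if (p.startsWith('**/')) p = p.slice(3);
  if (p.endsWith('/**')) p = p.slice(0, -2); // "secrets/**" -> "secrets/"
  return p;
}

// Only Read()/Edit() rules are path patterns; Bash() rules match command text
// and are not comparable with an ignore file, so they are skipped here.
function patternsFromSettings(jsonText) {
  const parsed = JSON.parse(jsonText);
  const deny = (parsed.permissions && parsed.permissions.deny) || [];
  const out = new Set();
  for (const rule of deny) {
    const m = /^(Read|Edit)\((.+)\)$/.exec(rule);
    if (m) out.add(normalizePattern(m[2]));
  }
  return out;
}

function patternsFromIgnore(text) {
  const out = new Set();
  for (const line of text.split('\n')) {
    const l = line.trim();
    if (l && !l.startsWith('#') && !l.startsWith('!')) out.add(normalizePattern(l));
  }
  return out;
}

// Returns the union of all patterns and, per file, the patterns it lacks.
function auditParity(files = SAMPLE_FILES) {
  const perFile = {};
  for (const [name, text] of Object.entries(files)) {
    perFile[name] = name.endsWith('.json') ? patternsFromSettings(text) : patternsFromIgnore(text);
  }
  const union = new Set(Object.values(perFile).flatMap((s) => [...s]));
  const missing = {};
  for (const [name, set] of Object.entries(perFile)) {
    const gaps = [...union].filter((p) => !set.has(p)).sort();
    if (gaps.length) missing[name] = gaps;
  }
  return { union: [...union].sort(), missing };
}

console.log(JSON.stringify(auditParity(), null, 2));
```

Run it from the repository root after replacing `SAMPLE_FILES` with the real file contents; an empty `missing` object means the three lists agree. Anything reported under `missing` is a path one tool will still read while the others refuse it.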


changeset-bot bot commented Jan 12, 2026

🦋 Changeset detected

Latest commit: 361b8f5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



vercel bot commented Jan 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jan 12, 2026 10:46pm


coderabbitai bot commented Jan 12, 2026

📝 Walkthrough

Walkthrough

Adds several configuration and ignore files: a new changeset file .changeset/quick-breads-follow.md; Claude Code settings in .claude/settings.json containing a permissions deny list for environment and secret-related files and forbidden shell commands; AI-tool ignore files .cursorignore and .geminiignore listing sensitive path and file patterns; and an update to .gitignore to exclude .claude/settings.local.json. No source code or exported/public API declarations were modified.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and accurately summarizes the main change: adding AI agent security protections for sensitive files across multiple configuration files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.claude/settings.json:
- Around line 18-23: Update the Bash rule pattern to cover nested files by
changing the rule that currently uses Bash(cat secrets/*) to use Bash(cat
secrets/**) so it matches subdirectories as Read(secrets/**) does; also ensure
the Read(secrets/**) deny rule remains the primary protection and confirm
disableBypassPermissionsMode is enabled so Bash command expansion cannot bypass
Read() restrictions (adding other Bash verbs like less/head/tail is optional but
not a substitute for the Read() deny rules).
🧹 Nitpick comments (1)
.cursorignore (1)

1-20: LGTM!

Patterns are consistent with the other ignore configurations. The coverage is comprehensive for protecting sensitive files from AI indexing.

Optional: Consider adding a note similar to .geminiignore about the bypass limitation mentioned in the PR description ("shell commands can bypass"), so developers are aware of this constraint without needing to reference PR history.

📝 Optional: Add bypass warning
 # AI Agent Security - Sensitive Files
 # These files should never be read by AI tools to prevent
 # accidental exposure of secrets to AI service providers.
+#
+# NOTE: Cursor may still read these files via shell commands.
 
 # Environment files
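Review bot: the proposed `+# NOTE: Cursor may still read these files via shell commands.` records the bypass but leaves the line above it, `# These files should never be read by AI tools`, promising something this file cannot enforce; reword that header to what `.cursorignore` actually does (keeps these paths out of Cursor's index and context) and point at `.claude/settings.json` as the place where a hard deny exists, so nobody treats this file as an access-control boundary.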
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 1e4074d and 7cce42f.

📒 Files selected for processing (5)
  • .changeset/quick-breads-follow.md
  • .claude/settings.json
  • .cursorignore
  • .geminiignore
  • .gitignore
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (25)
  • GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (machine, chrome)
  • GitHub Check: Integration Tests (machine, chrome, RQ)
  • GitHub Check: Integration Tests (custom, chrome)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (billing, chrome, RQ)
  • GitHub Check: Integration Tests (nextjs, chrome, 16)
  • GitHub Check: Integration Tests (quickstart, chrome, 16)
  • GitHub Check: Integration Tests (quickstart, chrome, 15)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (sessions:staging, chrome)
  • GitHub Check: Integration Tests (handshake:staging, chrome)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (handshake, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (4)
.gitignore (1)

107-109: LGTM!

The addition properly excludes user-specific Claude Code settings from version control, allowing developers to customize their local permissions without affecting the shared configuration. Good placement alongside the existing CLAUDE.local.md entry.

.changeset/quick-breads-follow.md (1)

1-2: LGTM!

Empty changeset is appropriate here since this PR only adds tooling configuration files and doesn't affect any publishable packages.

.claude/settings.json (1)

1-17: LGTM on the Read/Edit deny rules.

Comprehensive coverage of sensitive file patterns including environment files, secrets directory, credentials, and cryptographic key material. The structure follows the expected Claude Code settings format.

.geminiignore (1)

1-23: LGTM!

Good documentation of the limitation that Gemini CLI can bypass these rules if explicitly instructed. The patterns are consistent with the other ignore files in this PR (.cursorignore and .claude/settings.json).


pkg-pr-new bot commented Jan 12, 2026


@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7580

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7580

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7580

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7580

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7580

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7580

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7580

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7580

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7580

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7580

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7580

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7580

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7580

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7580

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7580

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7580

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7580

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7580

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7580

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7580

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7580

commit: 361b8f5

Add configuration files to prevent AI tools from reading secrets:
- .claude/settings.json: Hard deny rules for Claude Code
- .cursorignore: Ignore patterns for Cursor
- .geminiignore: Ignore patterns for Gemini CLI

Protected patterns include .env files, secrets/, credentials.json,
private keys (.pem, .key), and integration/.keys.json
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.cursorignore (1)

1-4: Add bypass warning for consistency and user awareness.

The .geminiignore file includes a warning that "Gemini CLI may still read these files if explicitly instructed." According to the PR objectives, Cursor can also bypass these protections via shell commands. Consider adding a similar warning to inform users of this limitation.

📝 Proposed documentation addition
 # AI Agent Security - Sensitive Files
 # These files should never be read by AI tools to prevent
 # accidental exposure of secrets to AI service providers.
 #
+# NOTE: Shell commands executed through Cursor can bypass these protections.
+
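Review bot: this hunk targets the same four header lines as the earlier suggestion on this file, so applying both leaves `.cursorignore` with two NOTE lines saying the same thing; apply one of them. The wording here is the better of the two because it names the channel (`Shell commands executed through Cursor`); consider also telling the reader what to do about it, e.g. `+# Review any shell command Cursor proposes before approving it.`, since the note otherwise describes a gap without a mitigation.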
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 7cce42f and 128b912.

📒 Files selected for processing (5)
  • .changeset/quick-breads-follow.md
  • .claude/settings.json
  • .cursorignore
  • .geminiignore
  • .gitignore
🚧 Files skipped from review as they are similar to previous changes (2)
  • .gitignore
  • .claude/settings.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (27)
  • GitHub Check: Integration Tests (machine, chrome, RQ)
  • GitHub Check: Integration Tests (nextjs, chrome, 16)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (custom, chrome)
  • GitHub Check: Integration Tests (quickstart, chrome, 15)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
  • GitHub Check: Integration Tests (quickstart, chrome, 16)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (billing, chrome, RQ)
  • GitHub Check: Integration Tests (handshake, chrome)
  • GitHub Check: Integration Tests (machine, chrome)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (sessions:staging, chrome)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (handshake:staging, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: Build Packages
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (4)
.changeset/quick-breads-follow.md (1)

1-2: Verify if an empty changeset is intentional.

This changeset file contains only YAML delimiters with no package changes or description. For a chore PR that adds configuration files without affecting published packages, an empty changeset might be appropriate. However, please confirm this is intentional rather than incomplete.

.geminiignore (2)

6-6: GitHub issue reference is valid and publicly accessible.

The issue google-gemini/gemini-cli#13385 exists and returns HTTP 200, confirming it is properly referenced and accessible.


9-10: The .env patterns are already protecting subdirectories recursively.

According to gitignore semantics (which .geminiignore uses), patterns without a leading / match at any directory level. The .env and .env.* patterns on lines 9-10 will match files anywhere in the repository, not just the root. The **/ prefix on other patterns (like **/credentials.json) is redundant for this use case—both syntaxes achieve the same effect. Additionally, a search of the repository found no actual .env files in subdirectories; only example and sample files exist (.env.example, .env.sample, etc.).

Likely an incorrect or invalid review comment.

.cursorignore (1)

6-7: The review comment's premise is factually incorrect. According to gitignore pattern specifications (which Cursor's .cursorignore follows exactly), the pattern .env without a leading slash matches .env files at any depth in the repository—it is recursive by default. The patterns .env and **/.env are functionally equivalent. Therefore, the existing patterns in lines 6–7 already protect .env files in subdirectories, and the proposed fix is unnecessary. No security gap exists for environment file patterns in this file.

Likely an incorrect or invalid review comment.
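The two review comments above (the first review's `Bash(cat secrets/*)` versus `secrets/**` point, and the second review's note that `.env` already matches at any depth so the `**/` prefix is redundant) both come down to how a pattern is matched. The script below is an added example, not code from the PR or the Clerk repository: a matcher for the subset of gitignore syntax these ignore files use, run over constructed paths. It also applies the same globs as a flat match over a single string, which is how a pattern compared against command text would behave, to show that `secrets/*` misses nested files there while, as a gitignore rule, it already ignores the `secrets/db` directory and therefore everything beneath it. How Claude Code itself matches `Bash()` rules is not shown on the page and is not modelled here.

```javascript
// Added example (not part of the PR or the Clerk repository): a matcher for
// the gitignore subset used by .cursorignore / .geminiignore, plus a flat
// glob over one string for comparison. Supported: "#" comments, trailing "/"
// (directory only), leading "/", "**/", "/**", "*", "?". Negation ("!") is
// rejected rather than silently mishandled.

function globToRegexSource(body) {
  let re = '';
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === '*' && body[i + 1] === '*') {
      i++;                                                  // consume second '*'
      if (body[i + 1] === '/') { i++; re += '(?:.*/)?'; }   // "**/" = zero or more dirs
      else re += '.*';                                      // "**" spans '/' boundaries
    } else if (c === '*') {
      re += '[^/]*';                                        // single '*' stops at '/'
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
  }
  return re;
}

function compileRule(line) {
  let p = line.trim();
  if (p === '' || p.startsWith('#')) return null;
  if (p.startsWith('!')) throw new Error(`negation not supported in this example: ${line}`);
  const dirOnly = p.endsWith('/');
  if (dirOnly) p = p.slice(0, -1);
  let anchored = false;
  if (p.startsWith('/')) { anchored = true; p = p.slice(1); }
  else if (p.startsWith('**/')) { p = p.slice(3); }        // explicit "any depth"
  else if (p.includes('/')) { anchored = true; }           // an inner slash anchors to the root
  // An unanchored rule may match at the root or after any directory boundary;
  // this is the gitignore rule the second review comment relies on.
  const prefix = anchored ? '^' : '^(?:.*/)?';
  return { pattern: line.trim(), dirOnly, regex: new RegExp(prefix + globToRegexSource(p) + '$') };
}

function parseIgnore(text) {
  return text.split('\n').map(compileRule).filter(Boolean);
}

// Returns the first rule that ignores filePath, or null. A rule that matches a
// directory ignores everything under it, so every ancestor is tested as well.
function isIgnored(rules, filePath) {
  const parts = filePath.split('/');
  const prefixes = parts.map((_, i) => parts.slice(0, i + 1).join('/'));
  const dirs = prefixes.slice(0, -1);
  for (const r of rules) {
    if ((r.dirOnly ? dirs : prefixes).some((c) => r.regex.test(c))) return r.pattern;
  }
  return null;
}

// Flat glob over a single string (no directory walk), as a command-text
// pattern would be applied. Assumed semantics, not Claude Code's own matcher.
function flatGlobMatch(pattern, s) {
  return new RegExp('^' + globToRegexSource(pattern) + '$').test(s);
}

// Constructed ignore file modelled on the PR's "Protected patterns" list.
const SAMPLE_IGNORE = `
# AI Agent Security - Sensitive Files (constructed sample)
.env
.env.*
secrets/
**/credentials.json
**/*.pem
**/*.key
**/.keys.json
`;

// Constructed paths; none of these are real files from the repository.
const SAMPLE_PATHS = [
  '.env', 'apps/web/.env', '.env.production', 'packages/backend/.env.local',
  '.env.example', 'secrets/db/password.txt', 'apps/api/secrets/token.txt',
  'config/credentials.json', 'certs/dev/server.pem', 'integration/.keys.json',
  'src/index.ts', 'README.md',
];

// Map each sample path to the rule that hides it (or null).
function report(ignoreText = SAMPLE_IGNORE, paths = SAMPLE_PATHS) {
  const rules = parseIgnore(ignoreText);
  return Object.fromEntries(paths.map((p) => [p, isIgnored(rules, p)]));
}

// Paths hidden by a single pattern, used to compare two spellings of a rule.
function matchedPaths(pattern, paths = SAMPLE_PATHS) {
  const rules = parseIgnore(pattern);
  return paths.filter((p) => isIgnored(rules, p) !== null);
}

console.log(report());
console.log('".env" and "**/.env" hide the same paths:',
  JSON.stringify(matchedPaths('.env')) === JSON.stringify(matchedPaths('**/.env')));
console.log('flat glob "secrets/*"  vs secrets/db/pw.txt:', flatGlobMatch('secrets/*', 'secrets/db/pw.txt'));
console.log('flat glob "secrets/**" vs secrets/db/pw.txt:', flatGlobMatch('secrets/**', 'secrets/db/pw.txt'));
console.log('gitignore "secrets/*" vs secrets/db/pw.txt:', isIgnored(parseIgnore('secrets/*'), 'secrets/db/pw.txt'));
```

Two things worth noticing in the output: `.env.example` is hidden by `.env.*` as well, so example files that hold no secrets also drop out of the tool's context; and `secrets/*` is a gap only in the flat-string reading, which is why the first review asked for `secrets/**` on the `Bash(...)` rule but accepted `Read(secrets/**)` as the primary control.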

@jacekradko jacekradko merged commit 77ff215 into main Jan 13, 2026
48 checks passed
@jacekradko jacekradko deleted the jacek/ai-agent-security-protections branch January 13, 2026 00:54