Description
The project root is bind-mounted at /workspace/project (read-only per PR #30). However, the .env file containing ALL secrets is still readable via cat /workspace/project/.env, bypassing existing Claude Code-level protections.
Impact
An agent can read all .env secrets (ANTHROPIC_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, GITHUB_TOKEN, etc.) — not just the filtered allowedVars subset delivered via the env-dir mount.
Existing Defenses (Insufficient)
.claude/settings.json deny rule (PR refactor: remove dead agents.ts module and deduplicate db.ts #127) — only blocks Read tool, not Bash /workspace/env-dir/, not /workspace/project/.env
Fix
PR #43 implements a 3-layer defense-in-depth fix:
/dev/null → /workspace/project/.env)
Related: Upstream PR #419
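The shadow mount named in the fix (/dev/null over /workspace/project/.env) can be checked mechanically by auditing the mount list before a container starts. The following is an added example, not code from this repository or from PR #43: the `Mount` type, the function names and the host path `/home/dev/project` are hypothetical, and it assumes the runtime applies a mount with a deeper target on top of its parent bind mount.

```typescript
// Added example (not project code): find secret files that stay readable in the container.
type Mount = { host: string; container: string; readonly: boolean };

// Strip trailing slashes; paths are assumed absolute and not the root directory.
const norm = (p: string): string => p.replace(/\/+$/, "");

// True if path p is dir itself or lies beneath it.
function within(p: string, dir: string): boolean {
  const d = norm(dir);
  return p === d || p.startsWith(d + "/");
}

// Container path where hostPath shows up through mount m, or null if m does not cover it.
function mapToContainer(hostPath: string, m: Mount): string | null {
  if (!within(hostPath, m.host)) return null;
  return norm(m.container) + hostPath.slice(norm(m.host).length);
}

// Container paths at which any of the given secret host files can be read.
// The readonly flag is deliberately ignored: a read-only mount still discloses content.
function exposedSecrets(mounts: Mount[], secrets: string[]): string[] {
  const exposed: string[] = [];
  for (const secret of secrets) {
    for (const m of mounts) {
      const cpath = mapToContainer(secret, m);
      if (cpath === null) continue;
      // A different mount with a deeper target covering cpath hides what m exposes there.
      const shadowed = mounts.some(
        (o) => o !== m && within(cpath, o.container) &&
               norm(o.container).length > norm(m.container).length
      );
      if (!shadowed) exposed.push(cpath);
    }
  }
  return exposed;
}

// Constructed sample data: host paths are invented, container paths are from the issue.
const SECRET = "/home/dev/project/.env";
const BEFORE: Mount[] = [
  { host: "/home/dev/project", container: "/workspace/project", readonly: true },
];
const AFTER: Mount[] = [
  ...BEFORE,
  { host: "/dev/null", container: "/workspace/project/.env", readonly: true },
];

console.log("before:", exposedSecrets(BEFORE, [SECRET]));
console.log("after: ", exposedSecrets(AFTER, [SECRET]));
```

Running the same audit over every secret file the host keeps under the project root turns the shadow mount into a startup precondition rather than a convention.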