/check

Check the current Claude Code permissions for .env files without attempting to read them.

Important: Project-level settings completely override user-level settings (they don't merge).

1. Check all three settings locations:

   • User settings: ~/.claude/settings.json
   • Project settings: ./.claude/settings.json (if exists)
   • Local project settings: ./.claude/settings.local.json (if exists)

2. For each file that exists, parse the permissions section (both allow and deny arrays)

3. Look for patterns related to .env files in each:

   • **/.env
   • **/.env.*
   • **/.env.example
   • **/.env.local
   • Any other .env-related patterns

4. Report findings clearly:

   • Show what's in each settings file (user, project, local)
   • Highlight which settings are actually active based on precedence:
     • If ./.claude/settings.local.json exists → it takes precedence
     • Else if ./.claude/settings.json exists → it takes precedence
     • Else ~/.claude/settings.json is active
   • Show the effective permissions that will actually be enforced
   • Explain if project settings are overriding user settings (especially important if project has empty/missing deny arrays)

5. Provide a summary like:

   • "✓ Can read/write .env.example files"
   • "✗ Cannot read/write .env files"
   • "⚠️ Warning: Project settings override user settings and may allow .env access"

6. If project settings are missing .env protections, suggest:

   • "💡 TIP: Run /secure-env.apply to add secure .env deny rules to this project's settings"
   • Explain that this will merge the deny rules without overwriting existing project settings

Do NOT attempt to read, write, or access any actual .env files - only check the permissions configuration files.