devsafe shield
One command to protect your secrets from AI coding tools. Scans for exposures, installs git hooks, writes deny rules for Cursor, Copilot, and Windsurf, and hardens MCP configs. Free, no account needed.
Usage
$ devsafe shield [on|off|scan] [--mcp]
Shield has three modes. Run scan to see what is exposed. Run on to fix everything. Run off to reverse the changes.
shield scan
Scans your project for secret exposures without changing anything. This is a read-only operation. It checks for .env files that are not gitignored, AI tool configs that could read your secrets, and git history that already contains leaked keys.
$ devsafe shield scan
Scanning ~/projects/api-server...
! .env is NOT in .gitignore
! .env.local is NOT in .gitignore
! No AGENTS.md deny rules found
! No .cursor/rules deny rules found
! No pre-commit hook blocking secrets
✓ .github/copilot-instructions.md has deny rules
✓ No secrets found in git history
Result: 4 exposures found
Run devsafe shield on to fix all of them.
The scan checks five things:
- .gitignore coverage. Are .env, .env.local, and .env.production listed in your .gitignore?
- AI deny rules. Do AGENTS.md, .cursor/rules, and .github/copilot-instructions.md tell AI tools to stay away from secret files?
- Pre-commit hooks. Is there a hook that blocks commits containing API keys or tokens?
- Git history. Have any secrets already been committed?
- MCP configs (with --mcp). Do any MCP server configs contain plaintext secrets?
shield on
Enables secret interception across your project. This is the "fix everything" button. After running devsafe diagnose to see what is wrong, run shield on to fix it.
$ devsafe shield on
Protecting ~/projects/api-server...
✓ Added .env, .env.local, .env.production to .gitignore
✓ Created AGENTS.md with deny rules
✓ Created .cursor/rules/no-secrets.mdc
✓ Created .github/copilot-instructions.md with deny rules
✓ Installed pre-commit hook (.git/hooks/pre-commit)
✓ Wrote Windsurf deny rules to .windsurfrules
Shield is ON. 6 protections applied.
Your secrets are now blocked from AI tools and git commits.
What shield on does
Each protection targets a specific attack vector. Here is exactly what gets written:
- .gitignore rules. Appends .env, .env.local, .env.production, and .env.* to your .gitignore. If the file does not exist, it creates one. Existing entries are not duplicated.
- AGENTS.md. Creates (or appends to) an AGENTS.md file at the project root. This file tells AI agents: "Never read, display, or include the contents of .env files in your output." Most AI coding tools read AGENTS.md automatically.
- .cursor/rules/no-secrets.mdc. Writes a Cursor-specific rule file that blocks the Cursor AI from reading .env files. Cursor loads rules from this directory on every prompt.
- .github/copilot-instructions.md. Writes deny rules in the format GitHub Copilot reads. Tells Copilot to never suggest or include secret values.
- .windsurfrules. Writes a Windsurf-specific deny file at the project root.
- Pre-commit hook. Installs a git pre-commit hook that scans staged files for patterns that look like API keys, tokens, and passwords. If it finds one, the commit is blocked with a clear message explaining which file and line triggered the block.
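The staged-file scan from the last item, written out as an added example; this is not the hook devsafe installs. The patterns and the function names `scan_text` and `staged_files` are assumptions, since the page does not list devsafe's rules.

```python
#!/usr/bin/env python3
"""Illustrative pre-commit secret scan (added example, not devsafe's own hook)."""
import re
import subprocess
import sys

# Assumed patterns: devsafe's real rule set is not documented on this page.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hard-coded credential": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+]{16,}"
    ),
}


def scan_text(path, text):
    """Return (path, line_number, rule) for every line that matches a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, rule))
    return hits


def staged_files():
    """Paths added, copied or modified in the index (what the commit would contain)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.split("\0") if p]


def main():
    hits = []
    for path in staged_files():
        # Read the staged blob, not the working-tree file, so partial staging is honoured.
        blob = subprocess.run(["git", "show", f":{path}"], capture_output=True)
        hits += scan_text(path, blob.stdout.decode("utf-8", errors="replace"))
    for path, lineno, rule in hits:
        print(f"BLOCKED {path}:{lineno}: looks like {rule}", file=sys.stderr)
    return 1 if hits else 0  # a non-zero exit makes git abort the commit


if __name__ == "__main__":
    sys.exit(main())
```

A lookup such as `password = os.environ["DB_PASSWORD"]` does not trigger the credential rule, because the text after the `=` is not a long literal.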
MCP hardening
Add the --mcp flag to also harden MCP (Model Context Protocol) server configurations. MCP configs often contain plaintext API keys passed as environment variables or command arguments.
$ devsafe shield on --mcp
Protecting ~/projects/api-server...
✓ Added .env, .env.local, .env.production to .gitignore
✓ Created AGENTS.md with deny rules
✓ Created .cursor/rules/no-secrets.mdc
✓ Created .github/copilot-instructions.md with deny rules
✓ Installed pre-commit hook (.git/hooks/pre-commit)
✓ Wrote Windsurf deny rules to .windsurfrules
✓ Hardened 3 MCP configs (moved secrets to env refs)
Shield is ON. 7 protections applied.
With --mcp, shield finds MCP config files (like claude_desktop_config.json or .cursor/mcp.json), identifies plaintext secrets in them, and replaces the values with environment variable references. The original secrets are not deleted. They are moved to your .env file so the MCP servers still work, but the config files no longer contain raw keys.
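The move-to-.env rewrite described above, as an added example rather than devsafe's implementation. It covers only the `env` block of each server (not command arguments), and the `${NAME}` reference syntax, the secret-name heuristic and the function name `harden_mcp_config` are assumptions; check which reference form your MCP client actually expands.

```python
import json
import re

# Assumptions: secret-looking env names and the "${NAME}" reference syntax.
SECRET_NAME = re.compile(r"(?i)(key|token|secret|password)$")
REF = re.compile(r"^\$\{\w+\}$")

# Constructed sample config; the values are placeholders, not real keys.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "search": {"command": "search-mcp", "env": {"API_KEY": "constructed-key-1", "LOG_LEVEL": "debug"}},
    "billing": {"command": "billing-mcp", "env": {"API_KEY": "constructed-key-2"}},
}})


def harden_mcp_config(config_text, dotenv_text=""):
    """Return (hardened config JSON, updated .env text, list of moved values)."""
    config = json.loads(config_text)
    existing = {}
    for line in dotenv_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, val = line.split("=", 1)
            existing[key.strip()] = val.strip()
    moved, new_lines = [], []
    for server, spec in config.get("mcpServers", {}).items():
        env = spec.get("env", {})
        for name, value in env.items():
            if not isinstance(value, str) or not value or REF.match(value):
                continue  # nothing to move, or already a reference
            if not SECRET_NAME.search(name):
                continue  # e.g. LOG_LEVEL stays inline
            # Two servers may reuse a name for different secrets: pick a free .env name.
            target, n = name, 1
            while existing.get(target, value) != value:
                n += 1
                target = f"{name}_{n}"
            if target not in existing:
                existing[target] = value
                new_lines.append(f"{target}={value}")
            env[name] = "${" + target + "}"
            moved.append(f"{server}.{name}")
    if new_lines:
        sep = "" if not dotenv_text or dotenv_text.endswith("\n") else "\n"
        dotenv_text += sep + "\n".join(new_lines) + "\n"
    return json.dumps(config, indent=2), dotenv_text, moved
```

Running it a second time on its own output moves nothing, because values that are already references are skipped.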
shield off
Disables secret interception. Removes the pre-commit hook and the deny rule files that shield created. Your .gitignore entries are left in place (removing those would re-expose your secrets).
$ devsafe shield off
Removing protections from ~/projects/api-server...
✓ Removed pre-commit hook
✓ Removed AGENTS.md deny rules
✓ Removed .cursor/rules/no-secrets.mdc
✓ Removed .github/copilot-instructions.md deny rules
✓ Removed .windsurfrules
Shield is OFF. .gitignore entries preserved.
With shield off, AI tools can read your .env files again, and the pre-commit hook no longer blocks secret commits. Only turn shield off if you have a specific reason, and turn it back on when you are done.
Flags
- --mcp. Also harden MCP server configurations. Moves plaintext secrets to environment variable references.
- --path <dir>. Run shield in a specific directory instead of the current one.
- --dry-run. Show what would be changed without writing any files. Useful for previewing before committing.
- --verbose. Print the full contents of each file written.
Typical workflow
Shield is designed to run right after devsafe diagnose. The typical flow looks like this:
# Step 1: See what's exposed
$ devsafe diagnose
# Step 2: Fix everything
$ devsafe shield on --mcp
# Step 3: Verify the fix
$ devsafe shield scan
✓ 0 exposures found. Your project is protected.
devsafe shield works without signing up or logging in. Install the CLI, run the command, and your project is protected. No data leaves your machine.
Files created
For reference, here is every file that shield on may create or modify:
- .gitignore. Appended (or created).
- AGENTS.md. Created at project root.
- .cursor/rules/no-secrets.mdc. Created.
- .github/copilot-instructions.md. Created (or appended).
- .windsurfrules. Created at project root.
- .git/hooks/pre-commit. Installed. If a pre-commit hook already exists, shield appends to it rather than overwriting.
- .env. Modified only with --mcp, to receive secrets moved out of MCP configs.