A privacy-first wrapper for Claude Code. Scans your environment for secrets before launch, hardens config, and gives you a one-command launcher that won't accidentally leak credentials into a prompt.
Status: personal tool. Use at your own risk; treat as a starting point, not a vetted security product.
- Secret pre-flight — scans the working directory and shell environment for likely credentials (API keys, tokens, private keys, `.env` files) and warns before Claude Code starts
- Env hardening — strips known-noisy environment variables from the child process so they can't be echoed into the conversation
- Quiet launcher — wraps `claude` (and the PowerShell variant) with sane defaults: no telemetry leakage, predictable working dir, scoped permissions
- `src/claude-secure.sh` — POSIX launcher
- `src/claude-secure.ps1` — Windows / PowerShell launcher
- `src/config.json` — privacy toggles, filename patterns, and content-secret regexes
- `src/claudeignore.template` — drop-in `.claudeignore` for your projects
I run Claude Code across a lot of projects, some of which sit next to .env files I'd rather not see paged into a chat. This is the smallest possible thing that catches that case before it happens.
```
./src/claude-secure.sh
# or
pwsh ./src/claude-secure.ps1
```

`config.json` lives next to the launcher by default; override with `--config PATH` or the `CLAUDE_SECURE_CONFIG` env var.
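A sketch of how the secret pre-flight and env hardening from the feature list can fit together in POSIX shell. This is an added example, not the code in `src/claude-secure.sh`; the function names, filename patterns, regexes, and the choice to block the launch on findings are assumptions, not the contents of `src/config.json`.

```sh
#!/bin/sh
# Added illustration, not the contents of src/claude-secure.sh.
# All patterns are assumptions; the project keeps its own in src/config.json.

# Content patterns (ERE): PEM private-key header, AWS access key ID shape,
# and an upper-case NAME=value assignment whose name looks like a credential.
CONTENT_RE='-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}|(API_KEY|SECRET|TOKEN|PASSWORD)[A-Z_]*=[^[:space:]]'

# True when the file name alone marks the file as credential material.
is_secret_filename() {
    case "$(basename "$1")" in
        .env|.env.*|*.pem|*.key|id_rsa|id_ed25519) return 0 ;;
    esac
    return 1
}

# Print "kind<TAB>path" per finding under directory $1; return 1 if any.
# Only paths are reported, so the scan itself never echoes a secret value.
scan_dir() {
    findings=$(
        find "$1" -type f ! -path '*/.git/*' | while IFS= read -r f; do
            if is_secret_filename "$f"; then
                printf 'filename\t%s\n' "$f"
            elif grep -Eq -e "$CONTENT_RE" "$f" 2>/dev/null; then
                printf 'content\t%s\n' "$f"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Names (never values) of exported variables that look like credentials.
secret_env_names() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' |
        grep -E 'KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL' || true
}

# Run "$@" with the flagged variables unset in the child only; the subshell
# keeps the parent shell's environment intact.
run_hardened() {
    (
        for n in $(secret_env_names); do unset "$n"; done
        exec "$@"
    )
}

# Typical use: scan_dir . && run_hardened claude
```

A name-based strip like this also removes any credential the child process legitimately needs, so a real launcher would pair it with an explicit allowlist.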
Personal tool. No warranty. Read the source before you trust it.