.env files are not excluded from file discovery, exposing secrets to AI context

[YumaKakuya]

When working in a project that has a .env file, opencode's file search discovers it like any other text file. If the file gets read (manually or by the agent exploring the project), its contents — API keys, database URLs, tokens — end up in the conversation context sent to the model.

.gitignore keeps .env out of version control but has no effect on opencode's file discovery. The built-in ignore list in src/file/ignore.ts filters folders like node_modules and files like *.log, but nothing prevents .env files from being listed, searched, and read.

Steps to reproduce:

1. Create a project with a .env containing a secret (e.g. API_KEY=sk-test-1234)
2. Open opencode in that directory
3. Search for files — .env appears in results
4. Read the file or let the agent discover it during exploration
5. The secret is now in the conversation context

Expected behavior:

.env and its variants (.env.local, .env.production, etc.) should be excluded from file discovery by default, the same way node_modules and .git are excluded.

Proposed fix:

Add **/.env and **/.env.* to the default ignore patterns in FileIgnore. This covers standard dotenv naming conventions while leaving unrelated files (.envrc, env.ts, environment.yaml) unaffected.

I'd like to submit a PR for this — the change is two patterns in ignore.ts plus tests.

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• [FEATURE]: Protect .env files in grep/glob results, not just direct read #17073: Protect .env files in grep/glob results, not just direct read (open, directly related feature request covering similar protection)
• Security: Read tool bypasses .gitignore patterns, exposing sensitive files to agents #12196: Read tool bypasses .gitignore patterns, exposing sensitive files to agents (open, related — broader concern about sensitive files not being excluded)
• [SECURITY] allow ignoring files to prevent secrets being leaked from .env to LLM #539: Allow ignoring files to prevent secrets being leaked from .env to LLM (closed, same core concern)

If your issue is distinct or adds something new beyond these, please clarify how it differs.

[YumaKakuya]

Thanks for flagging the related issues.

• [SECURITY] allow ignoring files to prevent secrets being leaked from .env to LLM #539 requested an ignore mechanism for .env files and was closed as completed, but the default ignore list in src/file/ignore.ts still does not include .env patterns. This issue and PR fix(file): exclude .env files from file discovery #20905 address that specific gap.
• [FEATURE]: Protect .env files in grep/glob results, not just direct read #17073 is about grep/glob permission rules filtering by matched file path rather than query pattern — a broader scope. Adding .env to the default ignore list is complementary: it prevents discovery at the file enumeration layer, while [FEATURE]: Protect .env files in grep/glob results, not just direct read #17073 addresses the search result layer.
• Security: Read tool bypasses .gitignore patterns, exposing sensitive files to agents #12196 is about the read tool bypassing .gitignore patterns generally. Also broader scope, but the .env default exclusion provides an immediate defense for the most common secret file pattern.

Happy to close this if maintainers prefer to fold it into one of those, but #20905 is a minimal two-pattern fix with tests that can land independently.