Securie for Claude Code — catch what `.claude/settings.local.json` leaks before npm publish

roadmap

Claude Code is Anthropic's CLI agent. The April 2026 wave exposed two structural risks: the Mar 2026 sourcemap leak of the full Claude Code source (512K LOC mirrored on GitHub) and the Lakera Apr 2026 study, which found 33 of 428 npm packages shipping live `.claude/settings.local.json` credentials. Securie's role: secrets-specialist live validation of `.claude/` directory inclusion in publish artifacts, secrets-lifecycle rotation playbooks, and AuthAuthz/BOLA review of Claude Code-generated route handlers.

What it does

Claude Code captures local config and conversation history into `.claude/` dot-directories. When a developer publishes from a workspace where Claude Code has captured credentials, those credentials ship with the package. The `live_validate` step of Securie's secrets specialist actively probes publish artifacts for `.claude/` directory inclusion: every commit that adds these dot-dirs to a package gets a critical-severity finding before `npm publish`. Combined with the secrets-lifecycle specialist, the rotation flow is one click.

When to use it

Every Claude Code user shipping packages to npm. Every team where Claude Code has access to production-grade Anthropic API keys.

Limitations

Available by request. Direct CLI integration (security findings inline in the Claude Code session) ships later.

Install

  1. Install Securie GitHub App on the repo Claude Code edits
  2. Add `.claude/`, `.cursor/`, `.continue/` to `.gitignore` and `.npmignore`
  3. Audit existing npm publish history: `npm view <pkg> versions`, then download each tarball and grep for `sk-ant-`
  4. Rotate any Anthropic key that may have shipped in a public package
  5. Push any Claude-Code-edited commit; Securie reviews on the PR
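Steps 2 through 4 can be checked locally before Securie ever sees the PR. The script below is an added example, not Securie's code or part of its GitHub App: `check_tarball` inspects a packed npm tarball for agent dot-directories and `sk-ant-` key material, `make_samples` builds two constructed fixtures (one "leaky" package carrying a `.claude/settings.local.json` with an obviously fake placeholder key, one clean package), and `audit_published` is the network-dependent driver that walks a package's published versions with `npm view` and `npm pack`. The fixture's JSON layout and the `--silent` flag on `npm pack` are assumptions for illustration; only `tar`, `grep` and `sort` are required for the offline part.

```shell
#!/bin/sh
# Added example (not Securie's code): audit npm tarballs for shipped agent
# dot-directories and Anthropic-style key strings before/after publish.

# check_tarball TARBALL
#   Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
check_tarball() {
  tb="$1"
  status=0
  # Step 2 check: anything under .claude/, .cursor/ or .continue/ in the archive?
  # npm tarballs prefix every path with "package/", hence the (^|/) anchor.
  if tar -tzf "$tb" | grep -qE '(^|/)\.(claude|cursor|continue)/'; then
    echo "FINDING: agent dot-directory shipped in $tb"
    status=1
  fi
  # Step 3 check: any sk-ant- key material in file contents? -O streams
  # every member to stdout; -a treats binary members as text.
  hits=$(tar -xzOf "$tb" | grep -a -o -E 'sk-ant-[A-Za-z0-9_-]{8,}' | sort -u)
  if [ -n "$hits" ]; then
    echo "FINDING: sk-ant- key material in $tb: $hits"
    status=1
  fi
  return $status
}

# make_samples
#   Builds two constructed fixtures in a temp dir and prints that dir.
#   The key below is a placeholder, not a real credential.
make_samples() {
  work=$(mktemp -d)
  mkdir -p "$work/leaky/package/.claude"
  printf '{"name":"leaky","version":"1.0.0"}\n' > "$work/leaky/package/package.json"
  # Assumed settings layout for illustration only.
  printf '{"env":{"ANTHROPIC_API_KEY":"sk-ant-PLACEHOLDER_CONSTRUCTED_0000"}}\n' \
    > "$work/leaky/package/.claude/settings.local.json"
  tar -czf "$work/leaky.tgz" -C "$work/leaky" package
  mkdir -p "$work/clean/package"
  printf '{"name":"clean","version":"1.0.0"}\n' > "$work/clean/package/package.json"
  tar -czf "$work/clean.tgz" -C "$work/clean" package
  echo "$work"
}

# audit_published PKG
#   Real-world driver for step 3 (needs network + npm; not run by the fixtures):
#   download every published version and run check_tarball on each.
audit_published() {
  pkg="$1"
  for v in $(npm view "$pkg" versions --json | tr -d '[]",'); do
    tb=$(npm pack "$pkg@$v" --silent 2>/dev/null | tail -n1)
    check_tarball "$tb" || echo "=> $pkg@$v: rotate any key that shipped (step 4)"
  done
}

# Stand-alone demo on the constructed fixtures:  sh audit_claude_dirs.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(make_samples)
  for t in "$d/leaky.tgz" "$d/clean.tgz"; do
    check_tarball "$t" && echo "clean: $t"
  done
fi
```

Run `npm pack` on the working tree and feed the result to `check_tarball` as a pre-publish gate, and remember that when a package has its own `.npmignore`, npm ignores `.gitignore` entirely, so the dot-directories must be listed in both files as step 2 says.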

Listed on

Anthropic Docs