secret-setup

# Secret Setup Extract hardcoded secrets from CLAUDE.md, `.mcp.json`, and project config into a gitignored env file, then wire up a SessionStart hook to load them automatically via `CLAUDE_ENV_FILE`. Secrets in CLAUDE.md and `.mcp.json` get committed to git, shared with collaborators, and cached in Claude's context. This skill moves them to a gitignored file and loads them through a hook or shell profile. If the user passes `scan-only`, stop after Phase 1 (report findings without modifying anything). ## Phase 1: Scan for secrets Read [references/detection-patterns.md](references/detection-patterns.md) for the full list of regex patterns and scan targets. Run Grep with each pattern against the scan targets. Present findings in a table: ``` | # | File | Line | Type | Value (masked) | |---|------|------|------|----------------| | 1 | CLAUDE.md:42 | API Key | sk-...abc1 | | 2 | CLAUDE.md:55 | DB URL | postgres://...@host/db | ``` Ask the user to confirm which items are actual secrets to extract. Some may be intentional examples or documentation — do not force extraction. ## Phase 2: Variable mapping For each confirmed secret, propose an environment variable name: - If the secret is already referenced by a known env var name in the project (e.g., `DATABASE_URL` in code), reuse that name. - Otherwise, derive a descriptive UPPER_SNAKE_CASE name from context. Present the mapping and ask for confirmation. Mark the source so MCP secrets get handled differently in Phase 4: ...