Stats
Actions
Available In
Tags
What's Inside
README
secret-mask
Keep secrets out of Claude Code's context.
Real files stay untouched - masking only happens in the hook layer.
How it works
flowchart LR
subgraph Hooks
A[SessionStart] -->|context.js| B[List placeholders]
C[PreToolUse] -->|mask.js| D{Tool?}
end
D -->|Read| E[Copy file, replace secrets with SECRET_VALUE_*]
D -->|Write/Edit| F[Replace SECRET_VALUE_* back to real values]
D -->|Bash| G[Unmask command, mask output]
D -->|Grep| H[Deny on protected files]
Claude sees SECRET_VALUE_API_KEY instead of sk-live-abc123. When it writes or executes, placeholders are swapped back silently.
Install
claude plugin add enixCode/secret-mask
Setup
- In your target project, create
.secretmask/config.json:
Simple (KEY=VALUE files like .env):
{
".env": [".*KEY.*", ".*SECRET.*", ".*TOKEN.*", ".*PASSWORD.*"]
}
Advanced (custom file formats - JSON, YAML, INI...):
{
"credentials.json": {
"patterns": [".*key.*", ".*secret.*"],
"extractor": "^\\s*\"([^\"]+)\"\\s*:\\s*\"([^\"]+)\"\\s*,?\\s*$"
}
}
- Simple: array of regex patterns matching key names. Default extractor:
KEY=VALUE - Advanced: object with
patterns(same) +extractor(regex with 2 capture groups: key, value) - Both syntaxes can be mixed. See
config.example.jsonfor more examples.
- Start Claude Code in that project - the plugin activates automatically.
Dependencies
- node
License
MIT
Stats
Version0.6.0
Stars0
MaintenanceExcellent
Last Commit
Added
Safety Signals
Caution
Executes bash commands
Hook triggers when Bash tool is used
Modifies files
Hook triggers on file write and edit operations
Tags
Categories
