Conversation

@helizaga helizaga (Collaborator) commented Nov 14, 2025

Summary by CodeRabbit

  • Documentation
    • Enhanced security documentation with a new "Security Best Practices" section offering comprehensive guidance on managing development versus production secrets, environment file handling with practical example commands, and path traversal prevention strategies. These updates help users strengthen their application's security posture and protect sensitive configuration data.

…e files and clarify development vs production credentials
@helizaga helizaga requested a review from NatoBoram as a code owner November 14, 2025 23:37
@coderabbitai coderabbitai bot commented Nov 14, 2025

📝 Walkthrough

The README documentation was updated to replace a brief inline warning about copying sensitive files with a comprehensive "Security Best Practices" section. This new section provides clearer guidance distinguishing development from production secrets, includes example commands for selective file inclusion/exclusion, and adds a note about path traversal risks.

Changes

Cohort / File(s): Documentation Update (README.md)
Summary: Replaced the inline warning block with an expanded "Security Best Practices" section covering development vs. production secrets, example commands for env file handling, and path traversal guidance.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Documentation-only change with no code logic or functional modifications
  • Content reorganization and enhancement for clarity and user guidance

Poem

🐰 A cautious hop through secrets kept,
Where dev and prod in safety stepped,
Best practices now brightly penned,
To guard the files 'round every bend! ✨

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title clearly and concisely summarizes the main change: clarifying when copying .env files is safe, which directly corresponds to the pull request's objective of adding security best practices for environment file handling.

@helizaga helizaga changed the title 📝 Update README.md with security best practices for handling sensitiv… Clarify when copying .env files is safe Nov 14, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
README.md (1)

337-349: Clear, honest security guidance that fits the tool's scope well.

The distinction between development and production secrets is appropriately framed for a local worktree tool. The examples are practical, the exclusion of .env.production is explicit, and the TIP honestly describes the tool's security boundary (path traversal prevention only). This strikes a good balance between enabling developers and being transparent about limits.

Optional enhancement: The security section currently focuses on .env.* files. Consider mentioning other common secret file naming patterns (e.g., .env.secret, .env.encrypted, .secrets, credentials.json) to give developers a more complete mental model for configuring patterns in their projects. You could add a brief comment like:

# Examples of other secret file patterns to exclude:
# gtr config add gtr.copy.exclude "**/.env.secret"
# gtr config add gtr.copy.exclude "**/.secrets"
# gtr config add gtr.copy.exclude "**/credentials.json"

This would help users think beyond the standard .env convention without adding verbosity to the main guidance.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 46443ba and 39b9ed8.

📒 Files selected for processing (1)
  • README.md (1 hunks)
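As an added illustration of the behaviour the guidance above describes (include/exclude patterns for secret files, and a tool whose security boundary is path traversal prevention), here is a small example planner. This is example code written for this page, not gtr's own implementation; it assumes a POSIX filesystem with symlinks, a simplified glob where a leading `**/` means "at any depth", and a constructed sample tree.

```python
import fnmatch
import os
import tempfile
from pathlib import Path


def matches(rel: str, pattern: str) -> bool:
    """Match a POSIX-style relative path against one gtr-style glob.
    A leading '**/' means 'at any depth, including the root'. The rest uses
    fnmatch (whose '*' also crosses '/', a simplification for this example)."""
    if pattern.startswith("**/"):
        tail = pattern[3:]
        parts = rel.split("/")
        return any(fnmatch.fnmatchcase("/".join(parts[i:]), tail) for i in range(len(parts)))
    return fnmatch.fnmatchcase(rel, pattern)


def plan_copy(src_root: Path, include: list[str], exclude: list[str]) -> list[str]:
    """Return relative paths under src_root selected by include minus exclude,
    dropping anything whose real target resolves outside src_root."""
    root = src_root.resolve()
    chosen = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()  # in-tree name used for pattern matching
        try:
            p.resolve(strict=True).relative_to(root)  # traversal check on the real target
        except (ValueError, OSError):
            continue  # symlink escaping the tree, or dangling link: never copied
        if any(matches(rel, i) for i in include) and not any(matches(rel, e) for e in exclude):
            chosen.append(rel)
    return sorted(chosen)


def demo() -> list[str]:
    """Constructed sample repository (hypothetical names); returns what would be copied."""
    tmp = Path(tempfile.mkdtemp())
    src, outside = tmp / "repo", tmp / "outside"
    (src / "sub").mkdir(parents=True)
    outside.mkdir()
    for name in [".env", ".env.production", "sub/.env.secret", "sub/.env.example",
                 "credentials.json", "app.py"]:
        (src / name).write_text("x=1\n")
    (outside / "prod-secret").write_text("TOKEN=constructed\n")
    os.symlink(outside / "prod-secret", src / ".env.local")  # link pointing outside the repo
    include = ["**/.env*"]
    exclude = ["**/.env.production", "**/.env.secret", "**/credentials.json"]
    return plan_copy(src, include, exclude)
```

The symlinked `.env.local` matches the include pattern but is skipped because its target lies outside the source tree, which is exactly the boundary the TIP in the README describes.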
