From 91abacf876364ef036659ba1fbb3ff678f7ae803 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 11 Dec 2025 21:33:09 +0000
Subject: [PATCH 1/3] Fix .gitignore to catch all .env file variations The previous patterns were too specific (e.g., .env.development.local) and missed common variations like .env.development, .env.production, and .env.local.local. Updated to use .env.* wildcard pattern.
---
 .gitignore | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index c92196dcf..0b854c5ac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,10 +9,12 @@
 # misc
 .DS_Store
+
+# environment files - catch all variations
+.env
+.env.*
 .env.local
-.env.development.local
-.env.test.local
-.env.production.local
+.env.*.local
 npm-debug.log*
 yarn-debug.log*
@@ -35,7 +37,6 @@ claude-flow.log
 .frigg-infrastructure-cache.json
 .frigg-infrastructure-lock
-.env
 .npmrc
 .autorc
 /.nx/
From 595cc5f16c48fda6a48b798aa042c488222f82c0 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 11 Dec 2025 21:43:17 +0000
Subject: [PATCH 2/3] Add file exclusions to devtools package to prevent .env leakage - Add `files` field to package.json to whitelist only necessary files - Add .npmignore to explicitly exclude .env files and test directory This prevents .env files from being accidentally included when the devtools package is published to npm or bundled for deployment.
---
 packages/devtools/.npmignore | 15 +++++++++++++++
 packages/devtools/package.json | 7 +++++++
 2 files changed, 22 insertions(+)
 create mode 100644 packages/devtools/.npmignore
diff --git a/packages/devtools/.npmignore b/packages/devtools/.npmignore
new file mode 100644
index 000000000..4fc23daaf
--- /dev/null
+++ b/packages/devtools/.npmignore
@@ -0,0 +1,15 @@
+# Test files
+test/
+
+# Dev config
+.eslintrc.json
+
+# Environment files - never publish these
+.env
+.env.*
+.env.local
+.env.*.local
+*.env
+
+# Changelog (optional, can be included if desired)
+CHANGELOG.md
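Review bot: In the `.gitignore` hunk at `@@ -9,10 +9,12 @@`, the new `.env.*` rule will also ignore committed templates such as `.env.example` or `.env.sample`, if the repository keeps any (none is visible in this patch). A negation placed after the wildcard keeps them tracked, for example `!.env.example`. With `.env.*` in place the `.env.local` and `.env.*.local` lines match nothing extra and could be dropped. Ignore rules only affect untracked files, so any env file that was already committed stays tracked and stays in history until it is removed with `git rm --cached` and its secrets are rotated.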
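Review bot: The env patterns in the new `packages/devtools/.npmignore` probably do not take effect, because patch 2/3 also adds a `files` array to the same package. npm's documentation states that a root-level `.npmignore` does not override the `files` field, so a `.env` sitting inside a listed directory such as `frigg-cli/` or `migrations/` would still be packed. Nested `.npmignore` files inside the listed directories are honoured, so the env rules belong there if they are meant to be enforced. Checking the output of `npm pack --dry-run` for `.env` entries before publishing would confirm which rule wins.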
diff --git a/packages/devtools/package.json b/packages/devtools/package.json
index d54b31dda..aab301c99 100644
--- a/packages/devtools/package.json
+++ b/packages/devtools/package.json
@@ -5,6 +5,13 @@
 "bin": {
 "frigg": "./frigg-cli/index.js"
 },
+ "files": [
+ "frigg-cli/",
+ "migrations/",
+ "management-ui/dist/",
+ "index.js",
+ "README.md"
+ ],
 "dependencies": {
 "@aws-sdk/client-cloudformation": "^3.705.0",
 "@aws-sdk/client-ec2": "^3.835.0",
From c4c7e7277d03023f85e7a596bf7fb451b216057c Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 11 Dec 2025 22:00:55 +0000
Subject: [PATCH 3/3] Exclude .env files from serverless package deployment The base-definition-factory.js was missing .env file exclusions in both skipEsbuildPackageConfig and functionPackageConfig. This caused local .env files to be included in deployed Lambda packages. Added exclusion patterns for: - .env - .env.* - .env.local - .env.*.local - **/.env - **/.env.* This ensures environment files are never deployed to Lambda, preventing accidental exposure of secrets.
---
 .../shared/utilities/base-definition-factory.js | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/packages/devtools/infrastructure/domains/shared/utilities/base-definition-factory.js b/packages/devtools/infrastructure/domains/shared/utilities/base-definition-factory.js
index e350da93a..d39afd9d3 100644
--- a/packages/devtools/infrastructure/domains/shared/utilities/base-definition-factory.js
+++ b/packages/devtools/infrastructure/domains/shared/utilities/base-definition-factory.js
@@ -81,7 +81,13 @@ function createBaseDefinition(
 'node_modules/serverless-kms-grants/**',
 // Note: DO NOT exclude serverless-http - it's a runtime dependency!
- // Exclude local dev files
+ // Exclude local dev files and environment files (NEVER deploy .env files!)
+ '.env',
+ '.env.*',
+ '.env.local',
+ '.env.*.local',
+ '**/.env',
+ '**/.env.*',
 'deploy.log',
 '.env.backup',
 'docker-compose.yml',
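Review bot: The `files` allow-list added to `packages/devtools/package.json` has no entry for `infrastructure/`, although patch 3/3 of this series edits `packages/devtools/infrastructure/domains/shared/utilities/base-definition-factory.js`. If the CLI or `index.js` loads that directory at runtime (not visible in this hunk), the published tarball would ship without it and fail on first use. Consider adding `"infrastructure/",` to the array, and compare the file list from `npm pack --dry-run` before and after this change.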
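Review bot: The six `.env` entries added at `@@ -81,7 +81,13 @@` in `base-definition-factory.js` are repeated verbatim in the second hunk (`@@ -124,6 +130,14 @@`), so the two package lists can drift apart the next time one of them is edited. A single module-level constant spread into both lists would keep them in step, e.g. `const ENV_FILE_EXCLUDES = ['**/.env', '**/.env.*'];` and `...ENV_FILE_EXCLUDES,` at each site. That shorter list assumes the glob matcher lets `**/` match zero directories, which would make the four root-level patterns and the existing `'.env.backup'` entry redundant; confirm that before trimming. `createBaseDefinition` starts and ends outside both hunks, so where the constant should live is not visible here.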
@@ -124,6 +130,14 @@ function createBaseDefinition( 'node_modules/@friggframework/core/node_modules/**', 'node_modules/@friggframework/devtools/node_modules/**', + // Exclude environment files (NEVER deploy .env files!) + '.env', + '.env.*', + '.env.local', + '.env.*.local', + '**/.env', + '**/.env.*', + // Exclude development/test files from backend project 'coverage/**', 'test/**',
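Review bot: Nothing in the series checks that the exclusions added at `@@ -124,6 +130,14 @@` actually keep env files out of the built artifact. How these strings are consumed (an exclude list, or patterns that get a `!` prefix later) is outside the hunk, so a typo or a matcher that skips dotfiles would go unnoticed. A unit test on `createBaseDefinition` asserting that both package configs contain `'**/.env'` and `'**/.env.*'`, plus a CI step that lists the zip from `serverless package` and fails on any `.env*` entry, would turn the "NEVER deploy" comment into an enforced rule.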