Configuration
Security exclusions
What's hidden by default and why.
Defense in depthThese defaults are a safety net. You should still use
.gitignore and never commit secrets to a repo. larkx excludes are layered on top of gitignore.Default exclusions
| Pattern | What it catches |
|---|---|
.env, .env.* | Environment variable files |
*.key, *.pem | Private keys |
*.cert, *.crt | Certificates |
*.p12, *.pfx, *.jks | Certificate stores |
credentials* | Common credentials file names |
secrets/, private/ | Common secret folders |
*.secret, *.token | Token files |
Files matching these patterns:
- Are never parsed
- Don't appear in
index.jsonorgraph.json - Don't appear in MCP tool output or
larkx context - Are invisible to the AI
Adding your own
.larkx/config.json
{
"exclude": [
"*.key", "*.pem", "credentials*",
"src/internal/keys/",
"src/legacy-secrets.ts"
]
}Reviewing what was indexed
bash
larkx context --level 1 | head -100If anything sensitive shows up, add it to the exclude list and reindex.