and all their keys, because sooner or later, the harness is gonna read them
Claude code is actually very good at not reading your keys these days.
Not the case for me. I tried .envs, ansible-vault and sops, and it always ends up reading the unencrypted ones for some reason, usually in debugging sessions, it finds a way to read them.
Well it reads them, but (at least for me) it reads them in a way where it filters out the actual key values.
One company's irrational fear is a competitive advantage for someone else.