diff --git a/environment/environment.go b/environment/environment.go
index 1e50270..d7a97b6 100644
--- a/environment/environment.go
+++ b/environment/environment.go
@@ -295,6 +295,7 @@ var defaultGrepIgnoreDirs = map[string]struct{}{
 	".git":         {},
 	"node_modules": {},
 	".flashduty":   {}, // covers .flashduty/.work and friends
+	".kube":        {}, // read-only kubeconfigs placed by /init; keep tokens out of greps
 }
 
 // Grep searches for a pattern in files.
diff --git a/environment/environment_test.go b/environment/environment_test.go
index 2307f83..80012d0 100644
--- a/environment/environment_test.go
+++ b/environment/environment_test.go
@@ -215,6 +215,9 @@ func TestEnvironment_Grep_DefaultIgnore(t *testing.T) {
 	require.NoError(t, os.MkdirAll(filepath.Join(ws.Root(), "node_modules", "pkg"), 0o755))
 	require.NoError(t, os.MkdirAll(filepath.Join(ws.Root(), ".git"), 0o755))
 
+	require.NoError(t, os.MkdirAll(filepath.Join(ws.Root(), ".kube"), 0o755))
+	require.NoError(t, os.WriteFile(filepath.Join(ws.Root(), ".kube", "prod.config"), []byte("token: needle\n"), 0o600))
+
 	require.NoError(t, os.WriteFile(filepath.Join(ws.Root(), "src", "a.txt"), []byte("needle\n"), 0o644))
 	require.NoError(t, os.WriteFile(filepath.Join(ws.Root(), "node_modules", "pkg", "b.txt"), []byte("needle\n"), 0o644))
 	require.NoError(t, os.WriteFile(filepath.Join(ws.Root(), ".git", "c.txt"), []byte("needle\n"), 0o644))
@@ -225,6 +228,7 @@ func TestEnvironment_Grep_DefaultIgnore(t *testing.T) {
 	for _, m := range res.Matches {
 		assert.NotContains(t, m.Path, "node_modules", "node_modules must be ignored, got %s", m.Path)
 		assert.NotContains(t, m.Path, ".git", ".git must be ignored, got %s", m.Path)
+		assert.NotContains(t, m.Path, ".kube", ".kube must be ignored, got %s", m.Path)
 	}
 
 	// The src/ hit must still be present.