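# ---------------------------------------------------------------------------
# Environment files — typically hold API keys, DB passwords and OAuth secrets.
# `.env` has no slash, so it matches a file of that name at ANY depth (the old
# root-only `/.env` entry was subsumed by it). `/.env.auth` is root-only.
# NOTE(review): non-`.local` variants such as `.env.production` are not
# ignored by this file; that is only safe if they never carry secrets — confirm.
# ---------------------------------------------------------------------------
.env
/.env.auth
# Per-developer Vite/Node local overrides — never commit, may contain secrets
**/.env.local
**/.env.*.local

# Uploaded model artefacts (SPM API model registry).
# Keep the directory in the tree via .gitkeep, ignore its contents.
# Only the directory's CONTENTS are ignored (trailing `/*`), never the
# directory itself — that is what lets the negation re-include .gitkeep.
/services/spm_api/models/*
!/services/spm_api/models/.gitkeep

# Python (virtualenv + bytecode). `*.py[cod]` already covers .pyc/.pyo/.pyd
# and an unanchored `__pycache__/` matches at any depth, so the duplicate
# `**/__pycache__/`, `**/*.pyc`, `*.pyc`, `*.pyo` entries were folded in here.
/.venv/
__pycache__/
*.py[cod]
*$py.class

# Node.js dependencies
**/node_modules/

# macOS metadata
**/.DS_Store

# Persistent docker volume data (Postgres, Redis, Grafana, Keycloak,
# agent-orchestrator). Bind-mounted from docker-compose so the data lives
# on the host filesystem, but the contents must NEVER be committed:
#   - spm-db/   contains hashed API keys for every configured integration
#   - keycloak/ contains realm config + client secrets
#   - grafana/  contains API tokens + dashboard state
#   - redis/    contains session tokens + cached creds
# We keep the directory structure via .gitkeep but ignore everything else.
/DataVolums/*/*
!/DataVolums/*/.gitkeep

# NOTE(review): this file spells the volume directory three different ways —
# `DataVolums` (above), `DataVloliums` and `DataVolumes` (below). Only the
# spelling docker-compose actually bind-mounts has any effect; the other
# rules match nothing, which means the data described above may not be
# ignored at all. Confirm the real directory name and keep one set of rules.
# Also: `DataVolumes/` ignores the whole directory, and git cannot re-include
# a file (the .gitkeep) from inside an ignored directory — if that spelling is
# the real one, the `!…/.gitkeep` negation above is ineffective.

# Docker runtime state (recreated on container start)
DataVloliums/grafana/grafana.db
DataVloliums/grafana/dashboards/
DataVolumes/

# Istio downloaded distributions
istio-*/

# cosign private signing key — never commit; supply it via CI secrets / KMS.
deploy/cosign/*.key

# Dev-artifact SQLite databases (created when running services outside Docker).
# Also covered by the blanket `*.db` rule further down; listed explicitly so
# the intent is visible.
/agent_orchestrator.db
/services/agent-orchestrator-service/agent_orchestrator.db

# TLS certs and private keys — per-developer, never commit.
#
#   - bootstrap-cluster.sh (Step 2 mkcert automation) writes the dev
#     ingress cert to keys/aispm-tls.{crt,key} when ingress.certManager
#     is false. Each developer has their own mkcert root CA, so these
#     are not shareable.
#   - Stray top-level mkcert outputs (e.g. running `mkcert aispm.local`
#     manually) end up as ./aispm.local-key.pem + ./aispm.local.pem.
#     Catch those too so they don't leak.
#
# NB: keys/private.pem and keys/public.pem (JWT signing keypair) are
# committed as a known-default dev keypair — they're regenerated by
# bootstrap-cluster.sh into a fresh pair if missing. Do not rotate the
# committed pair; use a real prod keypair via secrets in production.
keys/aispm-tls.*
keys/*.crt
keys/*.key
/aispm.local*.pem
/*.crt
/*.key
# mkcert leftovers — generated in repo root when -cert-file/-key-file not specified
# (this also subsumes the `/aispm.local*.pem` rule above).
/*.pem

# OAuth client credential downloads (Google names them
# `client_secret_<client-id>.apps.googleusercontent.com.json`).
# Matched by prefix rather than by one hard-coded client ID so that a
# re-created or re-downloaded credential under a different ID is still
# ignored instead of silently becoming committable.
/keys/client_secret_*.json

# Beads / Dolt files (added by bd init)
.dolt/
/.beads/
*.db
.beads-credential-key

# Generated SBOMs and vulnerability-scan output (one entry per service image).
# NOTE(review): a glob such as `/deploy/sbom/sbom-aispm-*.spdx.json` and
# `/deploy/sbom/vuln-aispm-*.json` would also catch future services; the
# explicit list is kept so a new service's artefacts show up in `git status`
# until they are added here deliberately.
/deploy/sbom/aispm-source.cdx.json
/deploy/sbom/aispm-source.spdx.json
/deploy/sbom/aispm-source.spdx.json.bundle
/deploy/sbom/sbom-aispm-agent.spdx.json
/deploy/sbom/sbom-aispm-agent-orchestrator.spdx.json
/deploy/sbom/sbom-aispm-agent-runtime.spdx.json
/deploy/sbom/sbom-aispm-api.spdx.json
/deploy/sbom/sbom-aispm-executor.spdx.json
/deploy/sbom/sbom-aispm-flink-pyjob.spdx.json
/deploy/sbom/sbom-aispm-freeze-ctrl.spdx.json
/deploy/sbom/sbom-aispm-garak-runner.spdx.json
/deploy/sbom/sbom-aispm-guard-model.spdx.json
/deploy/sbom/sbom-aispm-memory.spdx.json
/deploy/sbom/sbom-aispm-output-guard.spdx.json
/deploy/sbom/sbom-aispm-policy-decider.spdx.json
/deploy/sbom/sbom-aispm-policy-sim.spdx.json
/deploy/sbom/sbom-aispm-processor.spdx.json
/deploy/sbom/sbom-aispm-retrieval-gw.spdx.json
/deploy/sbom/sbom-aispm-spm-aggregator.spdx.json
/deploy/sbom/sbom-aispm-spm-api.spdx.json
/deploy/sbom/sbom-aispm-spm-llm-proxy.spdx.json
/deploy/sbom/sbom-aispm-spm-mcp.spdx.json
/deploy/sbom/sbom-aispm-startup-orch.spdx.json
/deploy/sbom/sbom-aispm-threat-hunter.spdx.json
/deploy/sbom/sbom-aispm-tool-parser.spdx.json
/deploy/sbom/sbom-aispm-ui.spdx.json
/deploy/sbom/vuln-aispm-agent.json
/deploy/sbom/vuln-aispm-agent-orchestrator.json
/deploy/sbom/vuln-aispm-agent-runtime.json
/deploy/sbom/vuln-aispm-api.json
/deploy/sbom/vuln-aispm-executor.json
/deploy/sbom/vuln-aispm-flink-pyjob.json
/deploy/sbom/vuln-aispm-freeze-ctrl.json
/deploy/sbom/vuln-aispm-garak-runner.json
/deploy/sbom/vuln-aispm-guard-model.json
/deploy/sbom/vuln-aispm-memory.json
/deploy/sbom/vuln-aispm-output-guard.json
/deploy/sbom/vuln-aispm-policy-decider.json
/deploy/sbom/vuln-aispm-policy-sim.json
/deploy/sbom/vuln-aispm-processor.json
/deploy/sbom/vuln-aispm-retrieval-gw.json
/deploy/sbom/vuln-aispm-spm-aggregator.json
/deploy/sbom/vuln-aispm-spm-api.json
/deploy/sbom/vuln-aispm-spm-llm-proxy.json
/deploy/sbom/vuln-aispm-spm-mcp.json
/deploy/sbom/vuln-aispm-startup-orch.json
/deploy/sbom/vuln-aispm-threat-hunter.json
/deploy/sbom/vuln-aispm-tool-parser.json
/deploy/sbom/vuln-aispm-ui.json

# Local AI-assistant state
/.claude/

# Local Helm value overrides holding secrets — never commit.
deploy/helm/aispm/values.local-secrets.yaml
deploy/helm/values.local-secrets.yaml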
