# Security - Never commit sensitive information
# Ignore ALL .json config files (may contain credentials)
# Templates use .json.txt extension and are safe to commit
configs/*.json

# Ignore local per-repo runtime config files
# Templates use .json.txt extension and are safe to commit
_config/*.json

# Allow template files (.json.txt) to be committed for spacebar preview
!configs/*.json.txt
!_config/*.json.txt
!configs/mcp-templates/

# Allow agent directory to be committed
!.agents/

# User-owned plist env override working file (gitignored; template: .agents/configs/plist-env-overrides.json.txt)
.agents/configs/plist-env-overrides.json

# Password files and credentials
*.password
*_password
closte_*
hostinger
hostinger.*
hostinger_*
.env
*.key
*.pem
*.p12
*.pfx

# SSH keys and configs
id_*
known_hosts
authorized_keys

# API tokens and credentials
*token*
*secret*
*credential*
*api_key*
*apikey*

# Exceptions for secretlint tool (security linter, not actual secrets)
!.secretlintrc.json
!.secretlintignore
!.agents/scripts/secretlint-helper.sh

# Exception for pool_ops_token_utils (code module, not a credential)
!.agents/scripts/oauth-pool-lib/pool_ops_token_utils.py

# Exception for oauth-pool-token-endpoint (token endpoint fetch logic, not a credential)
!.agents/plugins/opencode-aidevops/oauth-pool-token-endpoint.mjs

# Exception for worker token helper (manages tokens, doesn't contain them)
!.agents/scripts/worker-token-helper.sh
!.agents/secretlint.md

# Exception for credential/secret management scripts (not actual credentials)
!.agents/scripts/credential-helper.sh
!.agents/scripts/secret-helper.sh
!.agents/scripts/secret-hygiene-helper.sh
!.agents/scripts/tests/test-secret-helper.sh
!.agents/scripts/tests/test-credential-sanitizer.sh
!.agents/scripts/tests/test-credential-emission-guard.sh
!.agents/scripts/tests/test-credential-transcript-scrub.sh
!.agents/hooks/credential-emission-pre-push.sh
!.agents/hooks/credential-transcript-scrub.py

# Exception for secret handling reference doc (guidance, not actual secrets)
!.agents/reference/secret-handling.md

# Environment files
.env*
*.env
env.local
env.production
env.development

# Common secret file patterns
secrets/
.secrets/
credentials/
.credentials/

# Exception: agent credential documentation (not actual credentials)
!.agents/tools/credentials/
!.agents/tools/credentials/**

# Private scripts (never commit)
.agents/scripts-private/
scripts-private/

# Python cache
__pycache__/
*.pyc

# Backup files
*.backup
*.bak
*~

# Generated reports and exports
audit-report-*.json
vault-export-*.json
vault-export-*.csv
*-backup-*.json
setup-wizard-responses.json
tmp.*.json
quality-report.md
.beads/

# Logs
*.log
logs/

# Python virtual environments
python-env/
venv/
env/
.venv/

# DSPy and DSPyGround data directories
data/dspy/
data/dspyground/
.dspyground/

# Node.js dependencies
node_modules/
package-lock.json
pnpm-lock.yaml
yarn.lock
bun.lock

# OS generated files
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db
# Spotlight exclusion marker, written by worktree-exclusions-helper.sh (t2885)
.metadata_never_index

# Editor files
.vscode/
.idea/
*.swp
*.swo
*~

# MCP server files and runtime data
mcp-server-*.pid
mcp-server-*.log
*.mcp

# Git platform clones and local repos (if created in repo directory)
cloned-repos/
local-repos/

# Domain purchasing receipts and confirmations
domain-purchase-*.json
domain-receipt-*.json

# Temporary files
tmp/
temp/
*.tmp
tmp.*.json

# AI Assistant working directories
# Ignore all files in tmp and memory directories except README.md
.agents/tmp/*
!.agents/tmp/README.md
.agents/memory/*
!.agents/memory/README.md

# Analysis reports and results
*.sarif
reports/
.scannerwork/
.playwright-cli/

# Backups (should not be in public repos)
backups/
*.backup
*.bak

# Test files (keep examples in examples/ directory)
test-*.txt
test-*.json
test-*.yaml
.aider*

# SQLite databases (generated by config-cache, etc.)
*.sqlite
*.sqlite3
*.db

# AI Tool Symlinks - Track these (they point to .agents and AGENTS.md)
# Rules files - only actual files tracked, not symlinks
!CLAUDE.md
!AGENT.md

# Rules symlinks removed - cause duplicate refs in OpenCode
.cursorrules
.windsurfrules
.continuerules

# Agent/skills folders - only .opencode tracked (has actual config)
!.opencode/

# AI tool directories removed - cause duplicate @ refs in OpenCode
# These tools should use ~/.aidevops/agents/ (deployed location)
# See .agents/AGENTS.md "AI Tool Configuration" section
.ai
.kiro
.continue
.claude/
.codex/
.cursor/
.factory/

# Multi-tenant credential selection (per-project, not committed)
.aidevops-tenant

# Loop state files (local to each worktree, not committed)
.agents/loop-state/

# Superset local config
.superset/

# Repomix generated outputs (generate on-demand, don't commit)
repomix-output.*
*-repomix-*.xml
*-repomix-*.md
*-repomix-*.json
.osgrep

# Bundle detection cache (runtime artifact)
.aidevops.json

# ML model caches (downloaded at runtime)
mlx_models/
__pycache__/

# Research corpus data (generated, large, contains PR diffs)
todo/research/tier-corpus/
todo/research/*-results.tsv

# Accidentally committed binaries
bv
.agents
# Re-negate .agents/: the bare `.agents` pattern above also matches the directory and overrides the earlier !.agents/, which would silently disable every !.agents/... exception above (git cannot re-include a file under an excluded directory)
!.agents/
aidevops-bugfix-upgrade-planning-subsections

# User-data plane safety rails
# Keep unreviewed, generated, transient, and private plane data out of git.
_knowledge/inbox/
_knowledge/staging/
_knowledge/index/
_campaigns/intel/
_campaigns/active/
_campaigns/index/
_inbox/*
!_inbox/README.md
!_inbox/.gitignore
!_inbox/triage.log
