# Large build/data artifacts — no source content, no secret risk
dist/
data/nodes.db
ui-apps/dist/
node_modules/

# Local environment files (already gitignored, but secretlint doesn't read
# .gitignore). Listing here keeps local scans consistent with CI.
.env
.env.*

# Local clones of upstream n8n-docs (already gitignored). These are upstream
# documentation with example credentials in markdown; not our code to fix.
n8n-docs/
temp/

# Package lock files contain integrity hashes and registry URLs that trip
# high-entropy rules. They are machine-generated and reviewed separately.
package-lock.json
ui-apps/package-lock.json

# Extracted/imported test fixtures (mock data, not real secrets)
tests/extracted-nodes-db/
tests/node-storage-export.json

# Tests that deliberately contain fake tokens to exercise our own
# credential-scanner and telemetry redaction code paths. These fixtures
# are what proves those features work.
tests/unit/services/credential-scanner.test.ts
tests/unit/telemetry/telemetry-events.test.ts
tests/unit/telemetry/workflow-sanitizer.test.ts

# SSRF-related tests contain literal userinfo URLs (e.g. http://user:pw@host)
# as negative fixtures proving the validator rejects URLs with embedded basic
# auth. These are not real credentials — they're the inputs the code refuses.
tests/unit/utils/ssrf-protection.test.ts
tests/unit/services/n8n-api-client.test.ts
tests/unit/http-server/ssrf-gate.test.ts
tests/unit/flexible-instance-security.test.ts

# Template fixtures (user workflow JSON; any embedded credentials are
# mock data from public n8n.io templates — scanned separately by the
# sanitize-templates script)
data/workflow-patterns.json
