node_modules/
.next/
dist/
*.tsbuildinfo
packages/db/generated/
.env
.env.local
.env*.local
.superpowers/
.worktrees/
.playwright-mcp/
.playwright-cli/
.pnpm-store/
docker-compose.override.yml
# Host-side platform-managed backup dumps (root-anchored so the pattern
# does NOT match source-tree directories like apps/web/lib/operate/backups/
# or apps/web/app/(shell)/admin/backups/, which are checked in.)
/backups/
# BI-A8A7CCFD — isolated self-upgrade workspace. A nested git clone of the
# install tree that holds the active upstream merge; transient per upgrade
# run. Root-anchored so it never silently shadows a source-tree directory.
/.upgrade-workspace/

# Git LFS writes generated hook shims into core.hooksPath=.githooks.
.githooks/post-checkout
.githooks/post-commit
.githooks/post-merge
.githooks/pre-push

# Local install runtime state
.host-profile.json
.dpf-instance-id
.admin-credentials
.install-mode
.install-progress
.selected-model
.tmp-codex-config.toml*
/data/uploads/

# Test artifacts
e2e-report/
e2e-results/
e2e/debug/
e2e/.auth/
test-results/

# Local agent / codex caches
.codex/
.claude/*.jsonl
.claude/*.lock
.claude/settings.local.json
.claude/autonomous-e2e-progress.md
.claude/worktrees/

# Local verification and handoff artifacts
output/
tmp/
.codex-runtime/
docs/prompts/

# MCP client configs contain live bearer tokens — must never be committed.
# .mcp.json (Claude Code CLI) and .vscode/mcp.json (Claude Code VS Code
# extension via VS Code's native MCP store) both carry an Authorization
# header in plaintext. Use the "Connect Claude Code" flow from
# Admin > Platform Development to (re)generate these locally.
.mcp.json
.vscode/mcp.json

# services/adp ships in its own Docker image (services/adp/Dockerfile) which
# runs `pnpm install --no-frozen-lockfile` inside an isolated /app/services/adp
# tree, regenerating the lockfile from package.json on each build. The
# committed lockfile drifted across 5+ dep-bump PRs without anyone noticing,
# which is the signal that nothing reads it. Removing it (and ignoring it
# going forward) eliminates a stale source of Dependabot alerts that don't
# reflect the runtime container.
services/adp/pnpm-lock.yaml

# Python bytecode caches
__pycache__/
*.pyc

# Third-party copyrighted reference material is kept outside this repository
# under D:\DPF_References (Windows) — see ACKNOWLEDGMENTS.md for citations.

# Windows-only git-lfs footgun: when a Windows clone has `core.hookspath`
# misconfigured (or git-lfs is installed without the hooks dir resolving
# correctly), the LFS install script writes the four sample hooks
# (post-checkout / post-commit / post-merge / pre-push) into a literal
# `dev\null\` directory at the worktree root instead of the intended
# `.git/hooks/`. Multiple Windows worktrees in this repo have observed it.
# Without this entry, a `git add -A` would happily commit the stray hooks.
dev/null/
