# ── Python runtime ────────────────────────────────────────────────────────────
__pycache__/
**/__pycache__/
*.py[cod]
*.pyo
*.pyd
*.so

# ── Python type checkers & linters ────────────────────────────────────────────
.mypy_cache/
**/.mypy_cache/
.ruff_cache/
**/.ruff_cache/
.pytype/

# ── Virtual environments ──────────────────────────────────────────────────────
# The trailing slash limits each pattern to directories, so `.env/` here only
# covers a virtualenv directory of that name. The `.env` *file* is handled by
# the secrets rules further down.
venv/
.venv/
env/
.env/

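# ── Secrets & environment variables ──────────────────────────────────────────
# NOTE: ignore rules only keep *untracked* files from being added. A secret
# that is already tracked stays tracked (and stays in history) until it is
# removed from the index with `git rm --cached` and the credential is rotated.
# Block ALL .env variants everywhere
.env
.env.*
**/.env
**/.env.*
# Block secret/credential files by name
# (a pattern without a slash matches at every depth and matches directories
# too, so `credentials` also hides any directory with that name)
secrets.toml
**/secrets.toml
credentials
credentials.json
**/credentials
**/credentials.json
# Block private keys and certificates
# (*.crt / *.cer are normally public material; a CA bundle the project really
# needs has to be added deliberately with `git add -f`)
*.pem
*.key
*.p12
*.pfx
*.crt
*.cer
# Block OpenSSH private keys saved under their default, extension-less names,
# which the extension-based patterns above do not match
id_rsa
id_ecdsa
id_ed25519
# Block AWS credential files
.aws/credentials
**/.aws/credentials
# Keep example/template files committed
# (must stay after the .env.* rules: the last matching pattern wins)
!.env.example
!**/.env.example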

# ── Testing & coverage ────────────────────────────────────────────────────────
.pytest_cache/
**/.pytest_cache/
.coverage
.coverage.*
htmlcov/
.tox/
coverage.xml

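# ── Databases & generated data ────────────────────────────────────────────────
*.db
*.sqlite
*.sqlite3
# SQLite names its sidecar files <database>-shm / -wal / -journal. They can
# hold rows that have not yet been checkpointed into the main file, so they
# get the same treatment as the database itself for every extension above.
*.db-shm
*.db-wal
*.db-journal
*.sqlite-shm
*.sqlite-wal
*.sqlite-journal
*.sqlite3-shm
*.sqlite3-wal
*.sqlite3-journal
# keep the data/ placeholder committed
# (no rule in this file ignores data/ or .gitkeep, so this negation is a
# safeguard rather than an active override)
!**/data/.gitkeep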

# ── Python build & packaging ──────────────────────────────────────────────────
dist/
build/
*.egg-info/
*.egg
wheels/
*.dist-info/
site/

# ── Node / frontend runtime ───────────────────────────────────────────────────
node_modules/
**/node_modules/
npm-debug.log*
yarn-debug.log*
yarn-error.log*
.pnpm-debug.log*
*.tsbuildinfo

# ── Next.js ───────────────────────────────────────────────────────────────────
.next/
**/.next/
out/
**/out/
.vercel/

# ── IDE & OS ──────────────────────────────────────────────────────────────────
.vscode/
.idea/
*.iml
.DS_Store
.DS_Store?
Thumbs.db
ehthumbs.db
Desktop.ini

# ── Logs ──────────────────────────────────────────────────────────────────────
# `*.log` already matches application.log at any depth; the explicit entry is
# redundant but harmless.
# NOTE(review): logs often capture request data or tokens. Treat a log that
# was committed before these rules existed as a potential leak.
*.log
*.log.*
logs/
application.log

# ── Streamlit ─────────────────────────────────────────────────────────────────
# Block runtime caches and the real secrets file, but keep the committed
# config.toml and the secrets.toml.example template.
# `.streamlit/*` (not `.streamlit/`) is deliberate: git cannot re-include a
# file whose parent directory is itself excluded, so the negations below only
# work while the directory stays visible.
# The slash in these patterns anchors them to this file's directory. A
# .streamlit/secrets.toml in a subdirectory is caught by the name-based
# `secrets.toml` rule in the secrets section instead.
.streamlit/*
!.streamlit/config.toml
!.streamlit/secrets.toml.example

# ── AWS SAM ───────────────────────────────────────────────────────────────────
# .aws-sam/ is the local build output directory.
# NOTE(review): samconfig.toml is presumably ignored because its deploy
# settings (e.g. parameter_overrides) can carry secret values — confirm, since
# new contributors will then have no shared deploy configuration.
.aws-sam/
**/.aws-sam/
samconfig.toml
**/samconfig.toml

# ── Docker ────────────────────────────────────────────────────────────────────
# .docker/ is the Docker CLI configuration directory; its config.json can
# store registry authentication, so a copy inside the repository must not be
# committed.
# docker-compose.override.yml holds per-developer overrides, which may embed
# local credentials.
# NOTE(review): .dockerenv is normally a marker file at a container's root,
# not something found in a working tree — confirm this entry is needed.
.dockerenv
docker-compose.override.yml
.docker/

# ── Databricks ────────────────────────────────────────────────────────────────
# .databrickscfg stores CLI connection profiles (workspace host plus access
# token), so it is a credential file and must never be committed.
# NOTE(review): `.bundle/` is presumably meant for Databricks bundle state; the
# same pattern also matches Ruby Bundler's directory of that name — confirm.
.databricks/
**/.databricks/
.databrickscfg
databricks.yml.local
*.dbc
.bundle/
**/.bundle/

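# ── Terraform ────────────────────────────────────────────────────────────────
.terraform/
**/.terraform/
# State files and saved plans hold resource attributes and input values
# unencrypted, secrets included; keep them out of the repository.
*.tfstate
*.tfstate.*
*.tfplan
# Variable files commonly hold credentials. Terraform also loads the JSON
# form (terraform.tfvars.json, *.auto.tfvars.json), which `*.tfvars` alone
# does not match.
*.tfvars
*.tfvars.json
crash.log
crash.*.log
override.tf
override.tf.json
*_override.tf
*_override.tf.json
backend.generated.tf
# Keep example variable files committed
# (`*.tfvars` never matches a name ending in .example, so this line documents
# intent rather than overriding a rule above)
!*.tfvars.example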

# ── Jupyter ───────────────────────────────────────────────────────────────────
.ipynb_checkpoints/
**/.ipynb_checkpoints/

# ── Kubernetes ────────────────────────────────────────────────────────────────
# Never commit kubeconfig — it contains cluster credentials
# These rules match by name only: a kubeconfig saved under any other filename
# outside .kube/ is NOT covered and has to be kept out of the tree manually.
kubeconfig
kubeconfig.yaml
kubeconfig.yml
*.kubeconfig
.kube/

# ── Security scan artefacts ────────────────────────────────────────────────────
# SARIF files are generated at CI time; no need to track them locally
*.sarif

# ── Editor swap & backup files ────────────────────────────────────────────────
*.swp
*.swo
*.swn
*~
.#*
\#*\#

# ── Python extras ─────────────────────────────────────────────────────────────
.python-version
pip-log.txt
pip-wheel-metadata/
__pypackages__/

# ── Next.js local env overrides ───────────────────────────────────────────────
# (top-level .env.* already covers these, but be explicit for clarity)
.env.local
.env.development.local
.env.test.local
.env.production.local

# ── Misc ──────────────────────────────────────────────────────────────────────
# *.bak / *.tmp copies can be duplicates of sensitive files made by editors or
# scripts, so ignoring them also limits accidental secret commits.
# NOTE(review): .claude/ and claude_desktop_config.json are presumably ignored
# because local assistant settings can embed API keys or machine-specific
# paths — confirm.
*.tmp
*.temp
*.bak
.claude/
claude_desktop_config.json
