# -- Python bytecode / caches ------------------------------------------------
__pycache__/
*.py[cod]
*$py.class
*.so

# -- Python packaging artifacts ----------------------------------------------
*.egg-info/
*.egg
dist/
build/
wheels/
pip-wheel-metadata/
.eggs/
MANIFEST

# Generated by hatch-vcs on every build; source of truth is the git tag.
src/ansible_security_scanner/_version.py

# -- Virtual environments ----------------------------------------------------
# Ignore common venv names regardless of where they live, so a contributor
# using any of these conventions doesn't accidentally commit their local env.
.venv/
venv/
env/
ENV/
.env/
.virtualenv/
.python-version

# -- Tool caches -------------------------------------------------------------
.pytest_cache/
.mypy_cache/
.ruff_cache/
.pytype/
.tox/
.nox/
.cache/
.hypothesis/

# -- Coverage ----------------------------------------------------------------
.coverage
.coverage.*
htmlcov/
coverage.xml
*.cover
nosetests.xml

# -- Hugo (generated in CI) --------------------------------------------------
.hugo/content/
.hugo/public/
.hugo/resources/
.hugo/static/assets/
.hugo/static/images/
.hugo/.hugo_build.lock

# -- Editors / IDEs ----------------------------------------------------------
.vscode/
.idea/
.cursor/
*.swp
*.swo
*~
.project
.pydevproject
.spyderproject
.spyproject

# -- OS metadata -------------------------------------------------------------
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db
desktop.ini

# -- Logs & runtime ----------------------------------------------------------
*.log
*.pid
*.seed
*.pid.lock

# -- Secrets / local overrides (defense in depth) ----------------------------
# These should never be committed. The patterns are kept explicit as a
# guardrail even though such files shouldn't be introduced in the first place.
# An ignore rule only keeps untracked files out of `git add`; it does not
# untrack a file that is already committed, and `git add -f` bypasses it, so
# this does not replace secret scanning or key rotation after a leak.
# `.env` has no trailing slash, so it matches a file or a directory of that
# name at any depth.
.env
.env.local
# NOTE(review): only the `.local` variants of suffixed env files are covered;
# names such as `.env.production` are not ignored by this section -- confirm
# that is intended.
.env.*.local
*.pem
*.key
# Re-include key material under tests/. Everything matched here is tracked
# and published with the repo, so it must be throwaway fixture material
# only, never a key that is trusted anywhere.
!tests/**/*.pem
!tests/**/*.key
secrets.yml
# No pattern in this file ignores *.yml, so this negation currently changes
# nothing; presumably it guards the allowlist against a future broad rule.
!.security-scanner-allowlist.yml

# -- Scanner-generated reports and artifacts ---------------------------------
# The scanner emits reports in the repo root during local dev; keep them out
# of git. Allow-list the docs / meta markdown we DO want to track.
# NOTE(review): reports presumably describe findings in whatever was scanned
# and may quote the scanned content, so treat them as sensitive -- confirm.
# Order matters in each group below: the last matching pattern wins, so every
# `!` line has to come after the broad pattern it carves an exception from.
# The broad patterns have no slash and therefore apply at every depth, not
# just the repo root; a new tracked file of these types needs its own `!` rule.
*.md
!README.md
!CONTRIBUTING.md
!RELEASING.md
!NOTICE.md
!/.github/**/*.md
!/docs/**/*.md
# Git does not descend into an ignored directory, so this cannot re-include
# markdown under the .hugo/ subdirectories that this file ignores as
# directories (for example .hugo/content/).
!/.hugo/**/*.md
*.csv
*.html
# Same limit as above: HTML under the ignored .hugo/public/ stays ignored.
!/.hugo/**/*.html
*.xml
*.json
# Single-level match: only JSON directly inside tests/data/ is tracked;
# fixtures in subdirectories remain ignored.
!/tests/data/*.json
*.sarif
# Already covered by *.json everywhere else; listed after the negation above,
# it also re-ignores tests/data/*.cdx.json. NOTE(review): confirm that is wanted.
*.cdx.json
*.patch

# -- Local scratch -----------------------------------------------------------
scratch/
tmp/
*.bak
*.orig

# -- Local playbook corpus for the stress-audit tool -------------------------
# Top-level audit/dev scripts live in /scripts. The leading slash anchors the
# pattern to the repo root so it does not match nested paths such as
# .hugo/scripts/, which contains the legitimate docs build helpers.
/scripts/
security_reports/
security-reports/
tests/playbooks/ansible/
tests/playbooks/multifile/
