# Worktrees
.worktrees/

# Dependencies
node_modules/
vendor/

# Build outputs
dist/
build/
.next/
out/
*.egg-info/
# Go binaries
apps/control-zero-platform/backend/server

# Test & Coverage
coverage/
htmlcov/
.coverage
*.lcov
.pytest_cache/
.vitest/
test-results/
playwright-report/
.playwright/
__pycache__/
*.pyc
*.pyo

# Environment and secrets (deny-all, allow explicitly)
.env*
production-secrets*
vault-backup.key
*.pem
*.key
*.p12
*.pfx
id_rsa
id_ed25519
*.keystore
# Firebase credentials and config (contain API keys / service-account credentials)
firebase.js
firebase.json
firebase-service-account*.json
*-firebase-adminsdk-*.json
firebase-adminsdk-*.json
serviceAccountKey.json
cz-service-account.json
firebase-credentials.json
google-services.json
GoogleService-Info.plist
!*.pub
!.env.example
!.env.local.example
!.env.production.template
!.env.production.example
!.env.test

# Explicitly block files that contain or may contain real credentials (these take precedence over the allowlist above)
.env.dev
.env.production
.env.production.complete
.env.production.local
.env.local
.env.*.local
*.env.real
*.env.secret
.env.vercel

# IDE & Editors
.idea/
.vscode/
*.swp
*.swo
*.sublime-workspace
*.sublime-project

# OS files
.DS_Store
Thumbs.db
*.log

# Go
*.exe
*.exe~
*.dll
*.so
*.dylib

# Docker
docker-compose.override.yml
.docker/

# Production logs and certificates
logs/
letsencrypt/
*.log

# DLP test reports (generated, not committed)
reports/

# MkDocs
site/

# Turbo (if adopted)
.turbo/

# Changeset
.changeset/*.md
!.changeset/config.json
!.changeset/README.md

# Vercel
.vercel/

# Rust
target/
Cargo.lock
*.rlib

# Python virtual environments
venv/
.venv/
*.egg-info/

# Gateway
apps/control-zero-gateway/.venv/
apps/control-zero-gateway/__pycache__/

# Selenium test outputs
tests/selenium/screenshots/
tests/selenium/report.html

# Miscellaneous
*.bak
*.tmp
*.temp
.cache/
.vercel
# Internal documentation (sensitive -- do not track)
docs/internal/

# Playwright MCP
.playwright-mcp/

# Session artifacts (prevent future accumulation)
*_SUMMARY.md
*_STATUS.md
*_COMPLETE.md

# E2E test screenshots
e2e-*.png
cz-*.png
.superpowers/

# AI tooling directories and config files
.gemini/
.claude/launch.json

# Docusaurus build cache (should not be tracked)
docs-site/.docusaurus/

# Test/governance tester scripts (generated during testing sessions)
*_tester.py
verify_and_screenshot.js

# HTML reports generated during testing sessions
*_AUDIT.html
*_REPORT.html
*_ANALYSIS.html
e2e-report.html
sit-uat-report.html
UAT_COMPREHENSIVE_REPORT.html
uat-screenshots/

# Offensive summary reports
SUMMARY_OFFENSIVE_*.md
.gstack/

# Deployment docs (contain server-specific credentials)
docs/deployment/
docs/SSH_RECOVERY_GUIDE.md
docs/HETZNER_OS_INSTALLATION.md
docs/BACKUP_RECOVERY.md
docs/VERCEL_SETUP_WEBAPPS.md
scripts/fix-ssh-config.sh
scripts/hetzner-post-install.sh
docs/knowledge-base/
docs/superpowers/
scripts/doppler/doppler-env.values.sh

# Air-gap build artifacts (generated tarballs and package directories)
cz-air-gap-*/
cz-air-gap-*.tar.gz
cz-support-*.tar.gz

# SSL Proxy -- customer CA certs and generated certs (never track secrets)
services/ssl-proxy/certs/

# UAT screenshot artifacts
uat-*.png

# Stray HTML reports in docs/. These are large exported artifacts
# (SIT/UAT reports, factsheet, launch readiness) that accumulate
# untracked and risk being swept up by `git add .`. The
# sit-uat-report-2026-03-22.html in particular is 128MB and would
# explode the repo. Real docs go under docs/knowledge-base/ or
# docs/designs/ instead.
docs/sit-uat-report-*.html
docs/launch-readiness-report-*.html
docs/control-zero-factsheet.html
docs/control-zero-review.html

# Reference screenshots (keep local, not in repo)
agentdefenders-full.png
cz-revamp-live.png

# Agent worktrees (created by Claude Code during parallel work)
.claude/worktrees/
