# Dependency, build-output and local tool-state directories.
node_modules/
dist/
.wrangler/
# Wrangler local-development variables file; it typically holds secret values
# for local runs, so it is kept untracked like the .env files below.
.dev.vars
*.log
.DS_Store
# MS Office owner/lock files (`~$_*.docx` etc.) — transient temp files Word
# creates while a doc is open and deletes on close; they kept re-dirtying the
# tree and forcing a stash before deploys. Ignored 2026-06-10.
# The pattern matches any file or directory whose name starts with `~$`, at
# any depth in the repository.
~$*
# Local environment files (may hold credentials). Only these exact names are
# matched here; .env.secrets and .env.production are listed separately in the
# deployment section further down.
.env
.env.local

# Python (packages/saas-sdk-python)
__pycache__/
*.egg-info/
.venv/

# Deployment-specific files (never commit real credentials)
# These rules only keep UNTRACKED files out of `git add`; a file that is
# already tracked stays tracked until it is removed with
# `git rm --cached <path>`. `git check-ignore -v <path>` shows which rule
# (if any) matches a given path.
# NOTE(review): .env variants are ignored by exact name only (.env,
# .env.local, .env.secrets, .env.production); any other `.env.<name>` file
# would not be ignored — confirm no other variants are in use.
.env.secrets
.env.production
# Provider/deploy config files — presumably hold credentials or account
# identifiers given the section heading; verify against the deploy scripts.
.scaleway-config
scripts/netcup-frozen/.netcup-config
scripts/netcup-frozen/backup.env

# OVH deploy: .ovh-config is COMMITTED but ansible-vault encrypted; only the
# vault password file is gitignored. See scripts/ovh/VAULT.md.
# Because the ciphertext is readable by anyone with repository access, its
# secrecy rests entirely on the vault password staying out of the repository.
# NOTE(review): nothing in this file stops .ovh-config from being committed in
# plaintext after a decrypt; a pre-commit check that its first line starts
# with `$ANSIBLE_VAULT;` would catch that — confirm whether one exists.
scripts/ovh/.vault_pass

# DR Phase 1: provisioning orchestrator (provision-de1.sh) writes captured
# public IPs here for downstream scripts. Contains no secrets (IPs are public)
# but is per-environment state, not source. The operator copies values from
# this file into the ansible-vault via `ansible-vault edit`.
scripts/ovh/.de1-provisioned.json

# DR Phase 2: etcd cluster TLS certificate material. Generated locally by
# scripts/ovh/etcd/gen-certs.sh, distributed via SSH to the 3 cluster nodes.
# Contains the etcd CA private key — operator MUST back this up to offline
# paper-anchor storage alongside the vault password.
# The directory rule covers every file under certs/ regardless of extension.
# NOTE(review): the text above says the material is distributed to the nodes;
# confirm that only per-node certificates/keys are copied and that the CA
# private key itself stays on the operator machine and in the offline backup.
scripts/ovh/etcd/certs/

# DR Phase 2c-prep: Patroni cluster-internal secrets (replication password,
# rewind password, REST API HTTP basic auth). Generated locally by
# scripts/ovh/patroni/setup-patroni-de1-replica.sh, distributed via SSH to
# Patroni nodes. Used by Patroni for inter-node auth + the management API.
# Back up to offline storage alongside etcd/certs/ca-key.pem.
scripts/ovh/patroni/secrets/
# The entries below are NOT part of the Patroni section above.
# Local data directory and provider-tool state — presumably a local Redis
# data dir and Scaleway tooling artifacts; confirm and document.
redis-data/
.scaleway/
*.scw
# Repo-wide catch-all for PEM files (private keys and certificates) at any
# depth. It also hides public certificates, and it does not cover key material
# stored under other extensions (for example .key or .p12).
*.pem

# Cloudflare backup exports (contain merchant data)
# Unanchored: matches a directory named cf-backup at any depth in the repo.
cf-backup/

# Real bank-statement fixtures for parser/ingest testing (never commit)
# Matches only directories named exactly `statements`; real statements saved
# under any other path are not covered by this rule.
statements/

# Build outputs
*.tgz

# Eval-harness CSV outputs
out/

# Next.js dev/build artifacts (apps/admin)
.next/

# Deprecated Cloudflare code
deprecated/

# Claude Code session-local artifacts
.claude/

# Smoke-test working dir (scripts/test-sek-canary.ts writes synthetic
# fixtures here; never commit real or synthetic bank-statement payloads)
tmp/

# HTTP archives (DevTools/Charles exports). They capture full
# request/response incl. auth headers, cookies, OAuth code/state and
# App Attest assertions, so they MUST never be committed (privacy policy).
# Two were found tracked in docs/ on 2026-06-01; see HISTORY_PURGE_NEEDED.md.
# Ignoring *.har only prevents new captures from being added: files that were
# tracked remain retrievable from history until it is rewritten, so any
# tokens, cookies or session identifiers they captured should be treated as
# exposed and invalidated/rotated rather than relying on the purge alone.
*.har

# TypeScript incremental build cache. Was tracked by mistake; it is a build
# artifact that re-dirties the tree on every compile. Untracked 2026-06-02.
*.tsbuildinfo

# Local-only docs, kept OUT of git by deliberate choice (2026-06-02):
#  - docs/Distyra-Logo/: brand design working material (mockups, scratch, a ZIP,
#    a generated image) — not code-repo content; lives on the operator's machine.
#  - the Enable Banking agreement: a confidential signed contract that must not
#    sit in clonable git history; keep it in the document store instead.
docs/Distyra-Logo/
# Exact-path rule: a renamed or relocated copy of the agreement is not covered.
docs/Enable_Banking_Agreement.pdf
# NOTE(review): not described by the comment block above — presumably live-site
# backups for the bunny-hosted website; confirm contents and document here.
Distyra-Website/bunny/.live-backups/

# Throwaway browser previews from scripts/preview-email-layout.ts (W13b email
# sign-off). The generator script is committed; its rendered output is not.
.email-preview/

# Per-run zone backups written by scripts/scaleway-dns-import.sh before each
# import (the rollback copy). Operational artifacts containing live DNS records,
# not source; the import tool is committed, its backups are not.
scaleway-dns-backup-*.json
