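# Installed dependencies -- restored from the lockfile, never committed.
node_modules/
# Local environment files. These commonly carry credentials and other
# per-machine secrets, so they stay out of source control.
.env
.env.local
# Per-mode local overrides (e.g. .env.development.local, .env.production.local)
# are loaded by Next.js as well and were not matched by the two entries above.
.env*.local
# Build output and framework caches -- regenerated on every build.
dist/
.next/
# Generated source maps for emitted JavaScript and declaration files.
*.js.map
*.d.ts.map
# Test coverage reports.
coverage/
# Claude Code working directory. With no slash other than the trailing one,
# this matches a .claude directory at any depth in the tree.
.claude/
# Governance audit output. The bare form already matches at any depth; the
# `**/` form is equivalent and kept as written.
governance-audit/
**/governance-audit/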
# P1-9: dev-time governance audit artifacts (session logs, file-change tracking,
# token tracking). These are written by Claude Code hooks and must never be
# committed to source control -- they can contain dev-environment event data.
# The bare `.claude/` entry earlier in this file already matches a .claude
# directory at any depth, so the entries below are redundant with it today and
# only take effect if that broader rule is ever removed.
# Ignore rules apply to untracked files only: anything from these directories
# that was committed before the rule existed stays tracked until it is removed
# from the index (`git rm --cached`).
.claude/governance/audit/
**/.claude/governance/audit/
.claude/governance/file-changes/
**/.claude/governance/file-changes/
.claude/governance/token-tracking/
**/.claude/governance/token-tracking/
# Python bytecode caches. A pattern with no slash other than a trailing one
# matches at every depth, so the `**/` form is equivalent to the bare one.
__pycache__/
**/__pycache__/
*.pyc
# Zone.Identifier sidecar files: Windows download-origin metadata that appears
# as separate files when content is copied from Windows into a Linux/WSL
# filesystem (presumably how they reach this tree). Both separator spellings
# are listed.
*.Zone.Identifier
*:Zone.Identifier

# License server cryptographic keys — NEVER commit
# The directory rule comes first: git cannot re-include a file whose parent
# directory is excluded, so none of the `!` rules below can expose anything
# under this path.
packages/license-server/keys/
**/keys/private.pem
# NOTE(review): *.key is ignored only inside a directory named keys/; a .key
# file anywhere else is not matched by this file -- confirm that is intended.
**/keys/*.key
# Blanket rule: every .pem is ignored unless one of the `!` rules below
# re-includes it.
*.pem
# Exception for test fixtures. Any .pem placed under a test-fixtures/ path in
# packages/ becomes trackable again, so only throwaway keys and certificates
# generated for tests belong there.
!packages/**/test-fixtures/**/*.pem
# F-NEW-WEBAUTHN-MDS3-METADATA-INGEST: the FIDO Alliance Global Root CA cert
# is a public out-of-band root distributed by FIDO Alliance. The packaged
# placeholder + operator-installed real cert must be tracked in source so the
# MDS3 verifier has a deterministic trust anchor at boot.
# NOTE(review): because this file is the verifier's trust anchor, a change to
# it presumably changes which metadata the verifier accepts; edits to it
# deserve the same review as code changes.
!packages/governance-server/src/auth/webauthn/fido-alliance-root.pem

# TypeScript incremental build info -- compiler-generated state, not source.
*.tsbuildinfo

# Migration release-signing private key (dev convenience; prod key is env-var only)
# The pattern is a full path, so it is anchored to this file's directory and
# covers only this one location; a copy of the key under another name or path
# is not ignored. Ignoring the file does not remove it from history: if the key
# was ever committed, treat it as exposed and rotate it.
packages/trust-api/.dev-signing-key.hex

# Internal Claude Code agent + skill scaffolds that occasionally land in the
# working tree from sibling repos. These are operational config for the agent
# fleet, never shipped as part of @connexum/ai-governance.
# Each path contains a slash, so it is matched relative to this file's
# directory only, not at arbitrary depth.
docs/architecture/Claude_Project_Setup/
docs/architecture/Compliance/
docs/architecture/agents/
docs/architecture/skills/

# Chrome Web Store packaged artifact — distributed via Web Store + GitHub
# Releases, not via git. Same rationale as dist/.
# The wildcard entry on the second line already covers the browser-extension
# path named on the first.
packages/browser-extension/dist-webstore/
packages/*/dist-webstore/

# Pytest cache — a runtime cache, not source. (The Next.js build/cache directory
# is covered by the `.next/` entry near the top of this file.)
.pytest_cache/
**/.pytest_cache/
