# Archive (ML checkpoints, compressed backups)
.archive/

# Python cache
__pycache__/
*.pyc
*.pyo
*.egg-info/
.pytest_cache/

# Virtual environments
venv/
env/
.venv/
.env/
**/venv/
**/env/

# Logs (generated at runtime)
logs/*.log
logs/*.out
logs/*.jsonl
logs/*.bak*
!logs/.gitkeep

# IDE
.vscode/
.idea/
*.swp
*.swo

# Backups
*.bak
*.tmp

# OS
.DS_Store
Thumbs.db
*:Zone.Identifier

# Runtime state (regenerated)
run/aar/
run/*.css
run/*.js

# Temporary
temp/
tmp/
nohup.out

# Demo logs
demo_logs/*.log
adapter_logs/*.log
*.json.json

# Security: Prevent committing private keys
# NOTE(review): ignore rules only keep *untracked* files out of `git add`. A file
# that is already tracked, or one added with `git add -f`, is still committed.
# Treat these patterns as a convenience and back them with secret scanning
# (pre-commit hook or CI) rather than relying on them as the control.
logs/keyprobe/
*.raw
# Matches any path whose final component starts with `ml_dsa_`, at any depth.
# NOTE(review): presumably key material; verify no source file uses this prefix.
**/ml_dsa_*

# Secrets and keys (added by prod_one_click_fix)
# `.env` matches a file or directory with exactly that name, at any depth.
# NOTE(review): suffixed variants (`.env.<name>`) are not matched by this
# pattern; this file lists `.env.local` separately. Add explicit entries for
# any other variants the project uses.
.env
# No leading slash: these match a directory of that name at any depth.
# NOTE(review): `keys/` would also hide a source directory named `keys`; confirm none exists.
.keys/
keys/

# A2A Gateway runtime data (API key store, payment ledger — NEVER commit)
a2a_gateway/data/

# Workforce runtime data (roster, ledgers, HR records, DBs — generated at bootstrap)
workforce/data/roster.jsonl
workforce/data/ledgers/
workforce/data/hr/*.json
workforce/data/*.db
workforce/data/outreach_ledger.jsonl
workforce/data/social_posts.jsonl
workforce/data/sla_events.jsonl
workforce/data/social/
workforce/data/reports/
workforce/data/inbox/
workforce/data/processed_ids.json
workforce/data/event_log.jsonl

# Snapshots (HTML captures, screenshots, CSVs — working artifacts, not source)
docs/snapshots/

# Backups and archives
backups/
logs/archive/

# Production artifacts and vaults
taskhawk_production/
taskhawk_vault/
vault/
kernel/

# WASM artifacts
wasm_kernel/
wasm_kernel.zip

# Evidence and audit files
taskhawk_evidence_*.json
commit_audit_*.md

# Runtime generated
run/*.json
run/*.npy
!run/.keep

# Temporary docker compose files (keep only main, prod, and autogen)
docker-compose.override.yml
docker-compose.artifact_stable.yml
docker-compose.enforcer_module.yml
docker-compose.fix_enforcer_cmd.yml
docker-compose.fixpkg.yml
docker-compose.fixrun.yml
docker-compose.healthfix.yml
docker-compose.prod.hotfix.yml
docker-compose.runtime.stable.yml
docker-compose.verify.yml
# Miscellaneous build and runtime output (not compose files, despite the heading above)
*.pyd
# NOTE(review): `run/` and `logs/` exclude the whole directories. Git does not
# re-include a file whose parent directory is excluded, so the earlier
# `!logs/.gitkeep` and `!run/.keep` negations have no effect. If the
# placeholders should stay tracked, use `run/*` and `logs/*` followed by the
# negations instead.
run/
logs/
**/node_modules/
frontend/dist/
backend/__pycache__/
sdk/**/__pycache__/
# NOTE(review): `*.st` and `*.fp` are presumably model-checker output that goes
# with formal/states/; confirm, since both patterns apply at every depth.
formal/states/
formal/tla2tools.jar
*.st
*.fp

# --- local secrets ---
.secrets/
secrets/
# Name-based patterns: key material stored under any other extension is not covered.
# NOTE(review): `*.pem` also ignores public certificates and CA bundles; if one
# must be tracked, re-include it with an explicit `!path` rule after this block.
*.key
*.pem
*.hex

# --- backups / junk ---
*.bak
*.bak.*
*.swp
*.tmp

# --- large artifacts ---
dist/images/
*.tar
*.tgz
*.zip
publish/

# Extra safety
**/.keys/

# Frontend build artifacts (do not commit)
frontend/*.tsbuildinfo
frontend/vite.config.d.ts
frontend/vite.config.js

# Git hooks are tracked (shared across team)
# .githooks/ is NOT ignored - it's version-controlled

# Managed app build artifacts (root-level only, allow marketplace plans)
# NOTE(review): without a leading slash, `mainTemplate.json` is ignored at every
# depth, not only at the root; the negations below re-include it under the
# listed marketplace plan paths. Use `/mainTemplate.json` if only the root copy
# should be ignored.
mainTemplate.json
!marketplace/**/plans/**/mainTemplate.json
!marketplace-commercial/**/plans/**/mainTemplate.json
!marketplace-gov/**/plans/**/mainTemplate.json

# Marketplace distribution zips (built by packaging scripts)
**/dist/*.zip

# local per-worktree overrides
.env.local
.vs/

# RTL verification artifacts (untracked)
RTL-KAT/

# Marketing and documentation (untracked)
website-content/
/agents/
*.pptx
webflow.md
/wsl_ram_reset.ps1

# Business documents and proposals (confidential, not for code repo)
proposals/
patents/
*.docx
!correspondence_federal/TaskHawk_CAISI_RFI_Response_*.docx
!TaskHawk_CAISI_RFI_Response_*.docx
*_ORIGINAL_BACKUP.docx
*.xlsx
!NISTIR-8596-Comments_*.xlsx
csv/

# Rust build artifacts
**/target/

# C++ build artifacts
cpp_enforcer/out/
cpp_enforcer/build/
cpp_enforcer/_codeql_build_dir/
**/CMakeFiles/
**/cmake-build-*/

# External repositories (cloned locally, not submodules)
github-mcp-server/
enforcer-cpp/build/

# Binary documents (not source code)
*.pbix
*.pdf
!website/public/research/*.pdf

# Data exports (regenerable from Azure/compliance tools)
ControlsExport*.csv
GroupsExport*.csv
PolicyComplianceExport*.csv

# Build output (regenerable)
dist/
dist-gov/

# Scratch markers (accidental empty files)
/=
/reading
/transferring

# Benchmark and analysis output
analyze_*/
benchmarks/
compliance_report_*.txt

# Session artifacts (notes, dumps)
resume_session.md
interesting.md
think_on_this.md

# Traceability generated artifacts (regenerable via tools/generate_traceability_matrix.py)
TRACEABILITY_MATRIX.csv
TRACEABILITY_MATRIX.json

# Windsurf (not used)
.windsurf/

# Local exploration / scratch
potential/

# Benchmark dataset cache (downloaded from HuggingFace, regenerable)
data/benchmark_cache/

# Federal contracting documents (confidential, not for code repo)
Federal/

# Cost analysis (business document)
cost-analysis.csv

# MCP server artifacts (external, packaged separately)
quick_xfer/

# Azure Marketplace UI definition (generated artifacts)
createUiDefinition.json
!marketplace/**/plans/**/createUiDefinition.json
!marketplace-commercial/**/plans/**/createUiDefinition.json
!marketplace-gov/**/plans/**/createUiDefinition.json
viewDefinition.json
!marketplace/**/plans/**/viewDefinition.json
!marketplace-commercial/**/plans/**/viewDefinition.json
!marketplace-gov/**/plans/**/viewDefinition.json

# PyPI recovery codes (NEVER commit)
# NOTE(review): the patterns in this and the next three sections imply that
# recovery codes, registry tokens and API key files sit inside the working
# tree. Ignoring them keeps them out of commits only; anything that copies the
# directory (backups, archives, container build contexts) still picks them up.
# Prefer a password manager or secret store outside the repository.
PyPI-Recovery-Codes-*

# npm recovery codes (NEVER commit)
npm_recovery_codes.txt

# MCP registry auth tokens (NEVER commit)
.mcpregistry_*

# CDP API keys (NEVER commit)
cdp_api_key*.json

# mcp-publisher binary (downloaded tool, not source)
mcp-publisher

# SDK lockfiles (transitive deps have unfixable CVEs from upstream — Coinbase/Solana/ethers chain)
# NOTE(review): ignoring the lockfile does not remove the vulnerable packages;
# it only hides them from lockfile-based scanners. It also drops the pinned
# versions and integrity hashes, so each install may resolve a different
# dependency tree. Consider tracking the lockfile and recording the accepted
# findings in the scanner's allowlist with an owner and a review date.
sdk/agentkit-ts/package-lock.json

# Revenue loop runtime artifacts
tools/.revenue_loop_state.json
tools/revenue_loop.log

# Audit and security tools (sensitive, not for repo)
# NOTE(review): an ignored script is neither reviewed nor versioned. If it is
# sensitive because of embedded credentials or endpoints (cannot tell from
# here), move those into configuration and track the script itself.
tools/generate_audit_report.py

# VPN management scripts (infrastructure secrets)
vpn/
nvidia/
entitlement-*.pdf

# Temporary credential files (NEVER commit)
*_delete_after_use*

# GPU training artifacts (large, regenerable)
ml/governance/checkpoints/
ml/governance/checkpoints_v2/
ml/governance/checkpoints_v3/
ml/governance/checkpoints_sagemaker/
ml/governance/checkpoints_philosophy_v1/
ml/governance/quantized_v1/
ml/governance/dataset*.jsonl
ml/governance/eval_benchmark.jsonl
ml/governance/*.log
# Model binaries (too large for git, stored on S3/Modal)
*.onnx
*.safetensors
*.gguf
.venv-gpu/

# Research archive (large, not source code)
.research/

# DMARC reports (email deliverability XML reports)
*.xml.gz

# Reference images (not source code)
HDQYkI5XMAAzBzZ.jpg
HDQYkJKbQAIMhZ3.jpg

# Root-level npm stubs (no frontend at root)
/package.json
/package-lock.json

# Claude Code ephemeral
.claude/worktrees/
.claude/scheduled_tasks.lock
tools/.revenue_agent_state.json

# ONNX model checkpoints (downloaded from Modal, too large for git)
ml/governance/checkpoints_v3/*.onnx
ml/shield/checkpoints_onnx/onnx-int8/*.onnx
ml/shield/checkpoints_onnx/onnx-int8/*.model
a2a_gateway/_models/
.local/

# Foundry / Forge build artifacts (regenerable via forge build)
contracts/out/
contracts/cache/
contracts/broadcast/
contracts/.certora_internal/
contracts/foundry.lock

# Deployer wallet QR (sensitive, never commit)
deployer-wallet-qr.png

# Root-level screenshots and images (not source code)
/52684278*.jpg
/4C83C73C*.jpg

# Branding PNGs at root level (keep favicon/ tracked)
branding/*.png
/agent-card.json
contracts/lib/
