# rye:signed:2026-03-17T01:08:19Z:b24e112ebe3f092f00187feca6b5e7c972a792907095c34d22d3ccc226dafb47:JX0l3peptJ0t_PXiwJ5uMY42EUTgI70Yk5Ijv8bA4zp-5uupzJNn4IT0gBGGqlmQfboBILujh0ZduiMsQgdACw==:6ea18199041a1ea8
# CAS manifest policy — exclusion rules for source manifest builder.
#
# The engine loads this via 3-tier resolution (system → user → project).
# Hard excludes are a floor: projects can ADD patterns but never remove
# the system defaults (union, never subtract).
category: "cas"
version: "1.0.0"

manifest:
  # Directories under .ai/ to skip (runtime state / CAS itself)
  skip_dirs:
    - objects
    - agent

  # Hard exclusions — NEVER included regardless of directory.
  # Safety invariant: these cannot be weakened by project/user overrides.
  hard_exclude:
    names:
      - private_key.pem
    patterns:
      - "^\\.env$"
      - "^\\.env\\."
      - ".*\\.secrets?$"
