# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.

# dependencies
node_modules
.pnp
.pnp.*

# turborepo
.turbo

# build outputs
dist
build
.next
out
*.tsbuildinfo

# misc
.DS_Store
*.pem
coverage

# local Cursor agent-skill caches (tooling-local, not application code)
.agents/
skills-lock.json

# local one-off helper/seed scripts (not shipped) — but apps/web/scripts/ holds
# real, CI-referenced tooling (gen-openapi, api-contract-check) and infra/scripts/
# holds the deploy + secrets tooling CI and every engineer runs, so keep both
# tracked. The leading slash limits this to a top-level ./scripts/ only.
/scripts/
!apps/web/scripts/
!apps/web/scripts/**
!infra/scripts/
!infra/scripts/**

# debug
npm-debug.log*
yarn-debug.log*
yarn-error.log*
.pnpm-debug.log*

# env files (can opt-in for committing if needed)
.env*
!.env.example
# *.env.aws hold ONLY AWS Secrets Manager `aws://secret#field` references (no
# secret values) and are the committed source of truth for which secrets each
# app needs. Keep them tracked.
!.env.aws
# Local-only stamp of the AWS secret VersionId we last pulled (conflict detection).
.aws-secrets-version

# vercel
.vercel

# terraform
**/.terraform/*
*.tfstate
*.tfstate.*
*.tfplan
tfplan.out
crash.log
crash.*.log
# tfvars hold NON-SECRET config and ARE committed (CI + local must apply the same
# file). Real secrets never live here — they flow via TF_VAR_* env in CI and
# `aws login` locally. Ignore any *.secret.tfvars as a safety net for stray secrets.
infra/terraform/envs/*/*.secret.tfvars
