# =========================================================
# OMEGAENGINE — ZERO-LEAK .gitignore (MAXIMUM SECURITY)
# =========================================================
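# Rule: If it leaks IP, secrets, customer data, or behavior,
#       it NEVER enters git. Ever.
# Note: ignore rules only stop UNTRACKED files from being staged.
#       A file that is already tracked, or that is added with
#       `git add -f`, is not affected by anything below, so pair
#       this file with secret scanning in pre-commit and CI.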
# =========================================================

# ---------------------------------------------------------
# Dependencies / Runtime
# ---------------------------------------------------------
# Installed packages; no leading slash, so this matches at any depth.
node_modules/
# Yarn Plug'n'Play files at the repository root.
/.pnp/
/.pnp.*
# `/.yarn/*` ignores the children of .yarn rather than the directory itself.
# That is what allows the `!` rules below to re-include selected children:
# git never looks inside a directory that is itself ignored.
/.yarn/*
!/.yarn/patches
!/.yarn/plugins
!/.yarn/releases
!/.yarn/versions

# ---------------------------------------------------------
# Build / Execution Output
# ---------------------------------------------------------
# The leading slash anchors each rule to the directory holding this
# .gitignore, so only the top-level output directories are matched here.
/.next/
/out/
/build/
/coverage/
/dist/

# ---------------------------------------------------------
# OS / Editor Junk
# ---------------------------------------------------------
# None of these rules contains a slash, so each matches at any depth.
.DS_Store
# Editor swap files and generic scratch/backup/cache files.
*.swp
*.swo
*.tmp
*.bak
*.cache
# Logs can carry request data and credentials; `*.log` covers names ending
# in .log, the rules after it also cover suffixed names such as
# npm-debug.log.1 that `*.log` would miss.
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
.pnpm-debug.log*
.idea/

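# VSCode
# Ignore the children of .vscode/, not the directory itself. Git does not
# descend into an ignored directory, so `.vscode/` followed by
# `!.vscode/settings.json` leaves settings.json ignored as well.
.vscode/*
!.vscode/settings.json
# settings.json is tracked on purpose: keep tokens, connection strings and
# other credentials out of it.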

# ---------------------------------------------------------
# ENVIRONMENT & SECRETS (CRITICAL)
# ---------------------------------------------------------
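# One glob catches all .env variants at any depth: .env, .env.local,
# .env.production, .env.staging, .env.dev, .env.test,
# .env.*.bak, .env*.local. It also matches every other name that
# starts with ".env" (for example .envrc). A separate `.env.*` rule
# would match a strict subset of this one, so it is not needed.
# ---------------------------------------------------------
.env*
# Only these two placeholder files are re-included. They are tracked, so
# they must list variable names with dummy values, never real credentials.
# Any other sample name (e.g. .env.sample) stays ignored.
!.env.example
!.env.template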

# ---------------------------------------------------------
# CLOUD / DEPLOYMENT
# ---------------------------------------------------------
# Local state and credential directories written by cloud CLIs.
# NOTE(review): the leading slash anchors every rule to the repository root;
# a same-named directory inside a nested package is NOT ignored by these
# rules. Confirm that is intended.
/.vercel/
/.firebase/
/.supabase/
/.aws/
/.gcp/
/.azure/

# Kubernetes production secrets (generated by scripts/k8s-generate-secrets.sh)
# `secrets.*.yaml` already matches secrets.production.yaml; the explicit line
# is kept so the generated file is named.
# Scope: only files directly in k8s/base with a .yaml extension. A .yml file
# or a secrets file in another k8s directory is not matched.
k8s/base/secrets.production.yaml
k8s/base/sealed-secrets.yaml
k8s/base/secrets.*.yaml
# secrets.yaml is not matched by any rule above (the glob needs a second dot),
# so this negation documents intent rather than changing the result.
# NOTE(review): the file is tracked; presumably a template. Verify it holds
# placeholders only and no base64-encoded real values.
!k8s/base/secrets.yaml

# ---------------------------------------------------------
# CRYPTO / KEYS / CERTS
# ---------------------------------------------------------
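# Key, certificate, keystore and signature files, matched by extension at
# any depth.
*.pem
*.key
*.crt
*.p12
*.pfx
*.jks
*.keystore
*.der
*.csr
*.sig
# Private keys that have no extension or a tool-specific one: the OpenSSH
# default file names and PuTTY key files. The matching `.pub` files are not
# affected by these rules.
id_rsa
id_dsa
id_ecdsa
id_ed25519
*.ppk
# Name-based rules cannot catch a key saved under an arbitrary file name;
# content-based secret scanning is needed for that case.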

# ---------------------------------------------------------
# DATABASE / SNAPSHOTS
# ---------------------------------------------------------
# Database files, dumps and tabular exports, matched by extension at any
# depth. These rules are global: they also apply inside directories that
# other sections re-include (for example a .csv or .sql file under a tracked
# data or package directory stays ignored).
*.sqlite
*.db
*.dump
# `*.sql` ignores every SQL file in the repository, schema and migration
# files included.
*.sql
*.psql
*.parquet
*.csv
*.arrow

# ---------------------------------------------------------
# TYPESCRIPT / GENERATED
# ---------------------------------------------------------
# Incremental-build state and generated declarations.
*.tsbuildinfo
next-env.d.ts
# Generated sources under the root src/ and prisma/ directories.
/src/generated/**
/prisma/generated/**
# Every migration.sql below /prisma/migrations. These files are also matched
# by the global `*.sql` rule in the database section of this file.
/prisma/migrations/**/migration.sql

# ---------------------------------------------------------
# FUZZING / CHAOS / JUDGMENT OUTPUT (NEVER COMMIT)
# ---------------------------------------------------------
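# Ignore every direct child of /data, then re-include the two tracked
# directories. The directory itself has to be re-included: git does not
# descend into an ignored directory, so with `/data/**` in force a rule such
# as `!/data/policies/**` never takes effect and policies/ and seed/ stay
# ignored.
/data/*
!/data/policies/
!/data/seed/

# Already covered by `/data/*`; listed explicitly so each output location is
# named.
/data/fuzz-results/**
/data/fuzz-runs/**
/data/fuzz-exports/**
/data/fuzz-failures/**
/data/crashes/**
/data/repros/**
/data/artifacts/**
# JSONL is ignored everywhere under /data, the re-included directories
# included, except for files directly inside /data/seed.
/data/**/*.jsonl
!/data/seed/*.jsonl
# Extension rules elsewhere in this file (*.csv, *.db, *.sql, ...) still
# apply inside /data/policies and /data/seed.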

# ---------------------------------------------------------
# AI / TELEMETRY / DECISIONS (NEVER COMMIT)
# ---------------------------------------------------------
# Each /data path below is also matched by the catch-all /data rule earlier
# in this file; naming them keeps them ignored if that rule is ever narrowed.
/data/telemetry/**
/data/learning/**
/data/decisions/**
/data/decision-logs/**
/data/audit-logs/**
# JSON files directly inside the root .omega directory. `*` does not cross
# a `/`, so JSON in subdirectories of .omega is not matched by this rule.
/.omega/*.json

# ---------------------------------------------------------
# LOCAL SNAPSHOTS (DO NOT COMMIT)
# ---------------------------------------------------------
# Archive snapshots of the working tree, matched by name at any depth.
omegaengine-BASELINE-*.zip
omegaengine-WIP-*.tgz
# Local-only admin helper + disabled pages (never commit)
# Both rules contain a slash before the end, so they are relative to the
# repository root.
app/dashboard/_adminKey.ts
app/_*_disabled/

# prisma generated (never commit)
app/generated/prisma/client/

# Fuzz / chaos / judgment outputs (outside /data)
# Each rule has a slash in the middle, which anchors it to the repository
# root: only the top-level directories of these names are matched.
fuzz/**
chaos/**
judgment/**
reports/**
artifacts/**
telemetry/**
metrics/**
# Local prisma backups
prisma/schema.prisma.bak.*

# MAXSEC: ignore omega json artifacts
# Same match set as `/.omega/*.json` earlier in this file: a pattern with a
# slash in it is anchored to the .gitignore's directory with or without the
# leading slash.
.omega/*.json

# (Optional)
.ci-artifacts/
# open-source-repos: framework drop-in packages, published to npm/PyPI.
# The verified, published TOP-6 source is TRACKED (so the packages are inspectable
# — the top-company standard); everything else here + all build/dep artifacts stay
# ignored. Bring more drop-ins in by adding a `!` line once they're publish-ready.
# `open-source-repos/*` ignores the children, not the directory, so each `!`
# line below can re-include one package directory. A re-included directory
# brings in everything inside it except what another rule still ignores; the
# unanchored secret rules in this file (.env*, *.pem, *.key, ...) keep
# applying inside these packages.
open-source-repos/*
!open-source-repos/openai-omega
!open-source-repos/anthropic-omega
!open-source-repos/langchain-omega
!open-source-repos/crewai-omega
!open-source-repos/llamaindex-omega
!open-source-repos/vercel-ai-omega
# Batch 2 (build-verified): 12 PyPI + 5 npm + omega-go. Two are EXCLUDED as
# duplicates of the canonical SDKs (would collide on publish): omega-node
# (@omegaengine/sdk == sdk/typescript) and omega-python (omegaengine == sdk/python).
!open-source-repos/autogen-omega
!open-source-repos/cohere-omega
!open-source-repos/continue-omega
!open-source-repos/copilot-omega
!open-source-repos/cursor-omega
!open-source-repos/dspy-omega
!open-source-repos/gemini-omega
!open-source-repos/haystack-omega
!open-source-repos/instructor-omega
!open-source-repos/langfuse-omega
!open-source-repos/langgraph-omega
!open-source-repos/mistral-omega
!open-source-repos/omega-cli
!open-source-repos/omega-go
!open-source-repos/omega-vscode
!open-source-repos/policy-templates
!open-source-repos/redteam-toolkit
!open-source-repos/semantic-kernel-omega
# The root-anchored build rules earlier in this file (/dist/, /build/, /out/)
# do not reach into these packages, hence the per-package artifact rules here.
# NOTE(review): the cloud rules (/.vercel/, /.aws/, ...) are root-anchored
# too, so such a directory created inside a tracked package would not be
# ignored. Confirm whether a rule is needed for that.
open-source-repos/**/node_modules/
open-source-repos/**/dist/
open-source-repos/**/build/
open-source-repos/**/out/
open-source-repos/**/__pycache__/
open-source-repos/**/*.egg-info/
open-source-repos/**/.venv/
open-source-repos/**/.pytest_cache/
open-source-repos/**/.mypy_cache/
open-source-repos/**/coverage/
open-source-repos/**/.git/
open-source-repos/**/*.tsbuildinfo
docs/.internal/

# ---------------------------------------------------------
# INTERNAL GOVERNANCE (never commit to public repo)
# ---------------------------------------------------------
# These names contain no slash, so a file of the same name at any depth is
# ignored, including inside the tracked open-source-repos packages.
# NOTE(review): this .gitignore is itself committed, so the file names listed
# here are visible to anyone who can read the repository. If the names are
# sensitive, a local-only exclude (.git/info/exclude) keeps them out of the
# tracked file.
BRAND.md
NORTH_STAR.md
OMEGA_MESH.md
CONTINUITY.md
EPISODES.md
MASTER_RUNBOOK.md
EPISODES/
docs/PRODUCTION_PROFILE_REPORT.md

# Internal engine artifacts
kernel_bitstream.json
verifier_bitstream.json
# Any dot-file whose name ends in "-checksums", at any depth.
.*-checksums

# Stale dev/test scripts (use scripts/ directory instead)
# NOTE(review): these names have no slash, so they match at any depth. A file
# called load-test.sh, surge.sh or metrics.sh inside scripts/ would be
# ignored as well; confirm that no replacement script reuses one of these
# names, or anchor the rules with a leading slash.
chaos-test.js
cluster-test.js
simulate-agents.js
surge.sh
load-test.sh
metrics.sh
audit.html
fuzzer-*.json
test_*_payload.json
# Playwright output directories.
playwright-report/
test-results/

# Fuzzer regression snapshots
.fuzzer-snapshots/
.omega-data/
# Already matched by the `.env*` rule in the secrets section of this file.
.env.local.bak*
# NOTE(review): a secret-rotation script that is kept out of git cannot be
# reviewed or audited. Presumably it embeds or prints secret values; confirm,
# and verify how the copy in use is distributed.
scripts/rotate-secrets.sh

# Test database connection URL (generated by testcontainers)
.test-db-url
# Unanchored: matches a coverage/ directory at any depth, which is broader
# than the root-only `/coverage/` rule earlier in this file.
coverage/
.stryker-tmp/
tmp/
sdk/python/dist/

# Agent red-team scan artifacts (generated by the CLI / action)
# NOTE(review): only the double extension is matched. A report written as
# plain `*.sarif` would not be ignored; confirm the output file name.
*.sarif.json


# Claude Code session dirs / agent worktrees
.claude/
