tooling/spool/receipt.log

# Option C — workspace mirror (cache; not sovereign)
/control/mirror/

# Credentials — never in repo
.env
.env.*
!.env.example
!.env.*.example
*.secrets
*credentials*
!platform/dashboard/scripts/seed-credentials.ts
*.key
**/secrets/*
!**/secrets/*.example
!**/secrets/README.md

# Claude Code atomic-write temporary files (never committed)
**/.claude/settings.local.json.tmp.*
**/.claude/*.tmp.*
__pycache__/
*.pyc
*.py[cod]
*$py.class
*.so

# Python testing + linting caches (P0-13)
.pytest_cache/
.coverage
.coverage.*
htmlcov/
.mypy_cache/
.ruff_cache/
# Hypothesis example DB · BX-GIT.prevencion-f0 · exclusión durable cross-clone
# (el .gitignore anidado de Hypothesis tiene una ventana antes de su 1ª escritura ·
#  un `git add` amplio capturaría f0.txt → blob pruned → índice corrupto recurrente)
.hypothesis/
f0.txt

# DeepEval framework local telemetry + cache (BX-SOTA Phase A baseline 2026-05-11)
.deepeval/

# Virtual environments
.venv/
.venv-eval/
.venv-mutation/
venv/
env/
ENV/

# Mutation testing ephemeral output (sub-bloque 1.3 D2 · mutmut work dir)
mutants/

# Packaging / distribution
dist/
build/
*.egg-info/
*.egg

# uv
# uv.lock SÍ se versiona (A6 · BX-PIPEVAL.uvlock-gitignored-sync · 2026-06-02):
# reproducibilidad SLSA + habilita gate OSV/CVE + A3 requirements.txt derivable.

# IDE / OS
.idea/
.vscode/
*.swp
*.swo
.DS_Store

# CI artifacts — generated, not source
tooling/ci/artifacts/*.log
tooling/ci/artifacts/bom-staging.json
tooling/ci/artifacts/bom-staging.json.cosign.bundle
tooling/ci/artifacts/SHA256SUMS-bom.txt

# A5 · OPA bundle local generado (regenerar: opa build -b policy-library/ --ignore '*_test.rego')
distribution/docker/data-plane/bundle.tar.gz

# Node build artifacts · BX-HYGIENE.sdk-ts-node-modules-gitignore 2026-06-08
# evita commit accidental de node_modules vía git add amplio (índice compartido peer).
# NOTA: package-lock.json NO se ignora (debe commitearse al publicar SDK · T16 · reproducibilidad).
node_modules/
