.env
*.env
vm.env
!example.env
__pycache__/
*.pyc
*.pyo
.pytest_cache/
.coverage
htmlcov/
dist/
*.egg-info/
.venv/
venv/
node_modules/
.vite/

# === Security: keys, credentials, secrets — NEVER commit ===
# See docs/SECURITY_OVERVIEW.md and the no-secrets-in-git policy.
# Note: an ignore rule only stops new files from being added; anything already
# tracked stays tracked (check with `git ls-files`) and a committed secret must be
# rotated regardless, since it remains in history.
# SSH / TLS / PGP private keys
*.pem
*.p12
*.pfx
*.key
*.ppk
*.jks
*.keystore
id_rsa
id_rsa.*
id_ed25519
id_ed25519.*
id_ecdsa
id_ecdsa.*
id_dsa
id_dsa.*
# Common secret filenames
keys.txt
keys.json
secrets.json
secrets.yaml
secrets.yml
credentials
credentials.json
service-account*.json
# Cloud provider credentials
.aws/
aws-credentials
gcp-credentials.json
azure-credentials.json

# ---------------------------------------------------------------------------
# Pre-sale repo cleanup (added 2026-05-07) — never commit dev scratch / dumps
# ---------------------------------------------------------------------------
# Database dumps (production data — must never enter the repo)
backup_*.sql
backup_*.dump
*.pg_dump

# Dev scratch files (per-session helpers, never meant to ship)
tmp_*.py
tmp_*.json
e2e_*.py
kyc_*.py

# Stale tooling output (re-run on demand, don't commit)
bandit_out.json
bandit_out_*.json
pip_audit*.json

# Tarballs / archives (rarely belong in a code repo)
*.tar.gz
*.tar.xz
*.zip
!docs/**/*.tar.gz

# VM-side env snapshots (never commit, even when redacted — the file name itself
# signals "secrets template", and a slip in redaction would be CRITICAL).
# vm.env is also listed near the top of this file; it is repeated here so the
# cleanup rules stay together.
vm.env
vm-*.env
*.env.production
*.env.live

# Pre-hybrid main.py snapshots (operator scratch from rollback dance)
*.local-pre-hybrid
content/.outreach_log.jsonl
