# Deny all dotfiles by default; allow-list specific ones below.
# Catches .env*, .aws/, .ssh/, .bash_history, .DS_Store, .vscode/,
# .idea/, AI-tooling scratch, and anything else that conventionally
# lives in a dotfile we don't intend to ship. The pattern has no
# slash, so it applies at every depth (examples/*/.env too), and it
# matches on NAME only — it cannot tell a token-bearing .npmrc from a
# harmless one (see the `!.npmrc` note below).
.*

# Dotfiles we DO want tracked. Two git rules matter here:
#  - a file cannot be re-included while a parent directory is
#    excluded, so directories are negated whole (`!.github/`);
#  - `.*` still applies inside a re-included directory, so a dotfile
#    nested under .github/ needs its own `!` line.
# Every negation here is unanchored like `.*`, so it re-includes that
# name at every depth as well.
!.gitignore
!.gitattributes
!.github/
!.editorconfig
!.dockerignore
!.hadolint.yaml
!.nvmrc
# Re-included for registry/engine settings. npm also reads auth from
# this file (`//registry.npmjs.org/:_authToken=…`); that line must only
# ever live in the user-level ~/.npmrc or a CI env var, because nothing
# in this ignore file can stop it once the file is tracked. The
# .gitleaks.toml below presumably backs a pre-commit/CI secret scan —
# confirm that scan actually covers .npmrc.
!.npmrc
!.clusterfuzzlite/
!.gitleaks.toml
!.pinact.yaml
# Vendor-data integrity surface — pubkey ships in tarball so operators
# verify .data.js signatures against the maintainer's pinned key.
# Anchored to lib/vendor/ (the pattern contains a slash), so a stray
# `.vendor-data-pubkey` elsewhere stays ignored. Only the PUBLIC half
# belongs here; never add the signing key's name to this allow-list.
!lib/vendor/.vendor-data-pubkey

# Installed dependencies and compiler/bundler output
node_modules/
coverage/
*.tsbuildinfo
dist/
build/
out/

# Process runtime artifacts and logs
*.log
*.pid
*.pid.lock
*.seed
tmp/

# Platform and editor droppings that are NOT dotfiles (the dotfile
# variants — .DS_Store, .vscode/, .idea/ — are already taken by the
# `.*` rule at the top of the file).
Thumbs.db
desktop.ini
*.swp
*.swo
*~

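# Credential / key material — belt-and-braces over .* (these names
# carry no leading dot, so the blanket rule above would miss them).
*.pem
*.key
*.crt
*.cert
*.p12
*.pfx
secrets.json
credentials.json
# OpenSSH default private-key names, all four key types; the trailing
# glob also takes the .pub halves and the *_sk FIDO variants.
id_rsa*
id_ecdsa*
id_ed25519*
id_dsa*

# Vendored cert bundles MUST track — operator-managed assets pinned
# by SHA-256 in lib/vendor/MANIFEST.json. The blanket *.pem / *.crt
# rules above guard against accidental commit of OPERATOR-PRIVATE
# keys; the framework's own published trust roots (BIMI, future CA
# bundles) are public and ship with the package.
# Two caveats on these negations:
#  - PEM is also the usual container for PRIVATE keys
#    (`-----BEGIN PRIVATE KEY-----`), and gitignore matches on name,
#    so any *.pem dropped directly into lib/vendor/ is tracked
#    regardless of content. "Certificates only" has to be enforced by
#    whatever verifies MANIFEST.json or by the secret scanner, not here.
#  - The patterns are anchored and `*` does not cross `/`, so only
#    direct children of lib/vendor/ are re-included; a bundle placed in
#    a subdirectory stays silently ignored, and *.key / *.p12 / *.pfx
#    under lib/vendor/ stay ignored too.
!lib/vendor/*.pem
!lib/vendor/*.crt

# Backup / patch artifacts (also covers secrets.json.bak and friends)
*.bak
*.orig
*.rej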

# Example-app per-instance runtime state (vault keys, SQLite DBs, etc.)
# The example app's repo-tracked content is its source; data/ is local.
# Anchored to examples/<app>/ by the embedded slash; a data/ directory
# elsewhere in the tree is NOT covered by these two lines.
examples/*/data/
examples/*/data-e2e/
# On Windows the wiki e2e's data-e2e path can land under a literal
# `C:/` directory inside examples/wiki/ when an env var like
# BLAMEJS_E2E_DATA_DIR holds a Windows-absolute path that Node joins
# onto cwd. The colon is either ASCII `:` or NTFS's Unicode
# substitute U+F03A — match both. Ignore the whole branch so it
# never reaches staging.
examples/*/C\:/
# NOTE(review): the two lines differ in scope — the ASCII form covers
# every example, this one only examples/wiki/ — and `C*/` is far wider
# than its comment: it silently drops ANY directory under examples/wiki/
# whose name starts with a capital C (a future Components/ or Config/
# would never be committed, and nothing would warn). git matches
# patterns byte-wise, so the exact spelling is the literal U+F03A
# character in the pattern (`examples/*/C<U+F03A>/`); tighten to that
# once the on-disk name has been confirmed on a Windows checkout.
examples/wiki/C*/
# Per-example lockfiles, presumably for the same reason as the root one
# below — confirm the examples really carry no npm deps of their own,
# otherwise their installs are unpinned.
examples/*/package-lock.json
# Top-level lockfile — the framework owns its stack via vendoring
# (lib/vendor/) and runs zero npm deps (runtime OR dev). Any
# package-lock.json that appears at the root is from a transient
# `npm install` and shouldn't be tracked. The leading slash means
# only the root file; nested ones are handled above.
/package-lock.json
# Bundler output — content-hashed at boot from src/. Only the source
# (src/*.js) is tracked; the hashed artifacts are reproducible.
examples/*/public/dist/

# Local-only release tooling — gen-changelog runs against an
# operator's clone; CHANGELOG.md ships hand-curated from the
# release commit instead of regenerated each release.
# NOTE(review): an untracked script is unreviewed and unpinned. That is
# acceptable only while its output never reaches the published artifact
# (the comment says CHANGELOG.md is hand-curated — keep it that way, or
# track the script so its changes go through review).
scripts/gen-changelog.js

# CycloneDX SBOM — generated by the npm-publish workflow at publish
# time and bundled into the tarball; never committed. Local `npm sbom`
# runs would otherwise leave the file lying around.
# Unanchored, so a stray sbom.cdx.json at any depth is ignored; the
# authoritative SBOM is the one produced in the publish workflow.
sbom.cdx.json
