# =============================================================================
# .cleo/.gitignore — Deny-by-default for CLEO project data
# =============================================================================
# STRATEGY: Ignore everything, then explicitly allow only tracked files.
# This prevents runtime data (databases, logs, caches, metrics) from ever
# being accidentally committed.
#
# Canonical audit: .cleo/agent-outputs/T5159-cleo-file-audit.md
# ADR: ADR-013-data-integrity-checkpoint-architecture.md
#
# ADR-013 §9 (2026-04-07, T5158) — IMPORTANT:
#   tasks.db / brain.db / config.json / project-info.json are NOT tracked
#   in EITHER the project git repo OR the isolated .cleo/.git checkpoint
#   repo. They are regenerated deterministically by `cleo init` and are
#   backed up via VACUUM INTO snapshots (SQLite) + atomic copies (JSON)
#   stored under .cleo/backups/. See the ADR for the full recovery story.
#
#   Because git lets a nested .gitignore's allow rules (`!foo`) override
#   ignore rules set higher up in the project repo, this file must NOT
#   re-include those four files. Doing so would unignore them at the
#   project repository level and re-open the T5158 data-loss vector.
# =============================================================================

# Step 1: Ignore everything in .cleo/
*

# =============================================================================
# ALLOW LIST — files and directories that SHOULD be tracked
# =============================================================================

# Step 2: Allow this .gitignore itself
!.gitignore

# Step 3: Allow project configuration files that are SAFE to track
# (detected project facts and bootstrap scripts — not runtime state).
!project-context.json
!setup-otel.sh
!DATA-SAFETY-IMPLEMENTATION-SUMMARY.md

# Step 4: Allow ADRs directory (architecture decisions — project-level, not CLEO-specific)
!adrs/
!adrs/**

# Step 5: Allow RCASD lifecycle provenance directory
# Structure: rcasd/{epic#}/research/, consensus/, architecture/, specs/, contributions/
!rcasd/
!rcasd/**

# Step 6: Allow agent-outputs directory
!agent-outputs/
!agent-outputs/**

# =============================================================================
# EXPLICIT DENY — safety net that overrides allow rules above
# =============================================================================

# SQLite databases — NEVER track (data loss root cause, ADR-013)
*.db
*.db-shm
*.db-wal
*.db-journal

# Runtime config snapshots — regenerated by `cleo init`, backed up via
# `cleo backup add`. NEVER track (ADR-013 §9).
config.json
project-info.json

# Logs — NEVER track (append-only runtime data)
log.json
tasks-log.jsonl
todo-log.jsonl
bypass-log.json
qa-log.json

# Caches and transient state
.deps-cache/
.context-alert-state.json
.context-state*.json
context-states/
.git-checkpoint-state
.migration-state.json

# Instance-specific runtime data
migrations.json
sync/
metrics/

# Backups — NEVER track
.backups/
backups/
