# Semgrep ignores — same spirit as .gitleaks.toml allowlist.
# Excludes machine-generated, externally-synced, or runtime-state directories
# that aren't part of this repo's review/security boundary.

# NOTE(review): under gitignore-style matching, an entry with no slash other
# than a trailing one (data/, logs/) is not anchored to the repo root, so a
# directory with that name at ANY depth is skipped by the scan, including one
# that holds source code. The separate grafana/data/ and traefik/logs/ entries
# below suggest root-only was intended; if so, anchor them with a leading
# slash (/data/, /logs/). Confirm against the tree before changing.
.beads/
.specialists/
.dolt/
.bv/
.emdash/
# No trailing slash: matches a file or a directory named .gitnexus.
.gitnexus
data/
logs/
# These two contain a middle slash, so they are anchored relative to this file.
grafana/data/
traefik/logs/

# .xtrm/ runtime + cache + non-security skills.
# We DO scan the security-pipeline skill source because its scripts ship
# into target repos and must be SAST-clean. Use blanket exclude + explicit
# unignore so new skills don't silently become scan targets.
# Consequence of that choice: a new skill under skills/default/ is excluded
# from SAST until it gets its own '!' line below. Any skill whose scripts
# ship into target repos needs one.
.xtrm/state.json
.xtrm/statusline-claim
.xtrm/logs/
.xtrm/cache/
.xtrm/config/
.xtrm/ext-src/
.xtrm/packages/
.xtrm/hooks/
.xtrm/skills/active/
.xtrm/skills/optional/
.xtrm/skills/user/
# Use glob '*' on immediate children so the parent stays included; this lets
# the negation actually re-include security-pipeline (gitignore semantics
# refuse to descend into an excluded parent directory).
# NOTE(review): handling of '!' negation in .semgrepignore has differed between
# Semgrep versions. If the negation is not honoured, security-pipeline is
# silently left unscanned. Confirm on the pinned Semgrep version that files
# under .xtrm/skills/default/security-pipeline appear in the scanned-file list.
.xtrm/skills/default/*
!.xtrm/skills/default/security-pipeline

# Test fixtures and snapshots — false positive heavy
# The leading '**/' makes these match at any depth, so every directory named
# test_fixtures or snapshots is skipped, whatever it contains.
# NOTE(review): presumably these hold only test data; verify that no code
# which ships or runs outside tests lives under a directory with these names.
**/test_fixtures/
**/snapshots/

# Lock files
# Unanchored names: a lock file with one of these names is skipped at any depth.
# NOTE(review): if dependency scanning (e.g. Semgrep Supply Chain) runs with
# this same ignore file, confirm these entries do not also hide the lock files
# from it. The intent here appears to be SAST noise reduction only.
package-lock.json
pnpm-lock.yaml
yarn.lock
poetry.lock
Pipfile.lock
