# Plugmont — .gitignore (security hygiene)
#
# This file establishes secret-file patterns from line 1.
# Phase 2 (Next.js scaffolding) will extend with framework-specific patterns.
# Phase 3 onward extends with build artifacts, etc.
#
# Discipline: NEVER commit secrets. Every pattern below is a backstop;
# the primary defense is "don't write secrets to disk in the first place"
# (see docs/SECURITY.md §13.2).

# --- Secret-file patterns (PROHIBITED) ---
# Any file matching these is presumed to contain credentials.
*-secrets*
*credentials*
passwords.*
*.secret.*
secrets.json
secrets.yaml
secrets.yml
secrets.toml
*-key.txt
*-token.txt
.aws/
.gcp/
service-account*.json
firebase-adminsdk*.json

# --- Environment files ---
.env
.env.*
!.env.example

# --- Cryptographic material ---
*.pem
*.key
*.crt
*.p12
*.pfx
id_rsa
id_rsa.*
id_ed25519
id_ed25519.*
*.gpg
*.asc

# --- Cloud provider configs (may contain creds) ---
.terraform/
*.tfstate
*.tfstate.*
.terraformrc
terraform.rc

# --- IDE / OS noise (not secret but standard) ---
.DS_Store
Thumbs.db
.vscode/
.idea/
*.swp
*.swo

# --- Node / package manager (added in Phase 2; placeholders) ---
node_modules/
.next/
out/
dist/
build/
.turbo/
.pnpm-store/

# --- Python (added when Modal worker code lands) ---
__pycache__/
*.pyc
*.pyo
.venv/
venv/
.pytest_cache/

# --- Logs (may contain leaked secrets despite redaction; default-deny) ---
*.log
logs/
npm-debug.log*
pnpm-debug.log*
yarn-debug.log*
yarn-error.log*

# --- Local development databases / dumps ---
*.sqlite
*.sqlite3
*.db
*.dump

# --- Audit: ensure ACCOUNTS.md and other safe metadata DOES get committed ---
# ACCOUNTS.md is safe per its §5 — no secrets. Confirm by review before commit.
# If a file ever matches a pattern above unintentionally, do NOT use !pattern
# to allowlist it — rename the file to remove the secret-marker.
