# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.so.*
*.dylib
bin/

# Frontend
web/node_modules/
web/dist/

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool
*.out
coverage.out
coverage.html

# Go workspace file
go.work

# Dependency directories
vendor/

# Environment variables
.env
.env.local
.env.*.local

# IDE
.idea/
.vscode/
*.swp
*.swo
*~
.DS_Store
*.iml

# Temporary files
tmp/
temp/
*.log
*.bak

# Private keys (agent-generated, never commit)
cmd/agent/*.key
cmd/agent/*.pem

# Database
*.db
*.sqlite3

# Allow migration SQL files (don't ignore *.sql globally)
# SQL files in migrations/ are tracked

# Build artifacts
certctl-server
certctl-agent
certctl-cli
/server
/agent
/cli
/mcp-server

# Private strategy docs
SECURITY_REMEDIATION.md

# OS
.DS_Store
Thumbs.db

# Local Go build/module caches (session-scoped, never committed)
/.gocache/
/.gomodcache/
/.gopath/
/.gomodcache-gopath/

# Design scratch files (session-scoped)
/.i004-design.md
/.i005-design.md

# HTTPS-Everywhere (M-007) Phase 6: the docker-compose.test.yml tls-init
# container writes ca.crt / server.crt / server.key into this directory so
# the host-side integration_test.go binary can pin the CA via
# CERTCTL_TEST_CA_BUNDLE=./certs/ca.crt. Material is regenerated on every
# `docker compose up` and never belongs in git.
/deploy/test/certs/