# Plaintext secrets (never commit)
.env

# Encrypted secrets — safe to commit (SOPS-encrypted with age)
!.env.enc
!.env.vault.enc
!.sops.yaml

# Per-box project config (generated by disinto init)
projects/*.toml

# Runtime state
*.log
*.log.*
*.log.old
state.json
*.lock
*.pid
metrics/supervisor-metrics.jsonl

# OS
.DS_Store
dev/ci-fixes-*.json
gardener/dust.jsonl

# Individual encrypted secrets (managed by disinto secrets add)
secrets/

# Pre-built binaries for Docker builds (avoid network calls during build)
docker/agents/bin/