node_modules/
__pycache__/
*.py[cod]
dist/
data/
.env
config.yaml
.superpowers/
*.db
*.db-wal
*.db-shm
input/
output/
logs/
.worktrees/
.claude/
.playwright-mcp/
.superpowers/
# Agent skill installs (modern-web-guidance etc. via `skills add`) — local tooling,
# not project source.
.agents/
skills-lock.json
orch.pid
.server.pid
src/generated/
.worktrees/
vendor/
# Added by code-review-graph
.code-review-graph/

# Local debugging / scratch scripts (kept out of tree)
scripts/dump_payload.mjs

# Benchmark output (run results / copied workspaces)
bench/results/
.context/

data/secrets/master.key
data/browser-sessions/*
!data/browser-sessions/.gitkeep
.gstack/

# Core dumps from native crashes (sqlite/playwright/sharp). These contain raw
# process memory — including the decrypted master key, SSH private keys and the
# session secret — so they must never be committed.
# NOTE: keep this narrow. A bare `core.*` also matches source files like
# src/engine/tools/core.ts / core.test.ts, which silently dropped them from the
# OSS mirror during oss-sync (its `git add -A` honours .gitignore). Core dumps
# are named `core` or `core.<pid>`, so match only a numeric suffix.
core
core.[0-9]*