# macOS
# Finder folder-metadata files
.DS_Store
# '?' matches exactly one character, so this catches .DS_Store plus one trailing character
.DS_Store?
# AppleDouble companion files ("._name") that macOS writes on some non-native filesystems
._*

# Backup artifacts
*.bak
*.orig

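# SSH private keys — never commit unencrypted private keys
# Keep these lines even if you store GPG-encrypted copies: an encrypted copy is
# named *.gpg (see the end of this section) and is not matched by any pattern here.
# Only the file names listed are covered; add a pattern for every private key
# stored under a different name.
# Ignore rules do not untrack a file that is already committed: remove it from the
# index with `git rm --cached <path>` and rotate any key that was ever committed
# in plaintext, since it remains in the repository history.
.ssh/id_rsa
.ssh/id_ed25519
.ssh/id_ecdsa
.ssh/id_dsa
# Security-key (FIDO) backed keys, OpenSSH default file names
.ssh/id_ecdsa_sk
.ssh/id_ed25519_sk
.ssh/keys/*_rsa
.ssh/keys/*_ed25519
.ssh/keys/*_ecdsa
# Matches the id_dsa rule above for keys kept under .ssh/keys/
.ssh/keys/*_dsa
.ssh/keys/*.pem
# Public keys and config are fine
# No ignore pattern above matches these names, so the negations below only take
# effect if a broader .ssh/ pattern is later added above them.
# Note: config and an unhashed known_hosts list the hostnames and usernames you
# connect to — review them before pushing to a shared or public remote
# (HashKnownHosts hides host names in known_hosts).
!.ssh/*.pub
!.ssh/keys/*.pub
!.ssh/config
!.ssh/known_hosts

# GPG-encrypted private key backups are safe to commit
# (their protection is that of the GPG key or passphrase used to encrypt them)
!.ssh/keys/*.gpg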

# Secrets / tokens — never commit
# These patterns contain no slash, so they match at any depth in the repository.
# Ignoring does not untrack a file that is already committed: use
# `git rm --cached <path>` and rotate the secret, since it stays in history.
.env
# Also matches template-style names such as .env.example
.env.*
*.token
*.secrets
# Trailing slash: matches only directories named vault, and everything under them
vault/

# Machine-local overrides at HOME level — never commit (written by setup_enterprise_ai_bash.sh)
.bashrc.local
.bash_profile.local

# Per-host .bashrc.local files ARE committed — managed centrally in dotfiles/hosts/
# Files are named <hostname>.bashrc.local and deployed via: dotfiles deploy-to user@host
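# hosts/*.bashrc.local is intentionally tracked: the .bashrc.local rule above matches only files whose
# name is exactly .bashrc.local, not <hostname>.bashrc.local. Keep tokens and passwords out of these tracked files.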
