# Org-default .gitignore

> A canonical .gitignore baseline shipped from dryvist/.github that every repo adopts. Prevents secrets, credentials, and AI-assistant local state from ever reaching git history.

> One gitignore to rule them all. Never commit secrets or AI local state — not by accident, not by habit.

The `dryvist/.github` repo ships a canonical `.gitignore` baseline at `configs/gitignore`. Every new repo adopts it by appending (not overwriting) to the repo's own `.gitignore`, preserving repo-specific entries while inheriting the org-wide safety floor.

## What it covers

The baseline targets two categories of files that must never reach git history:

**Secrets and credentials**

* `.env`, `.env.*` (except `.env.example`) — never commit real env files
* `*.pem`, `*.key`, `*.p12`, `*.pfx` — private keys
* `terraform.tfvars` (unencrypted), `credentials.json`, `secrets.yaml` (unencrypted)

**AI-assistant local / machine state**

* `.claude/mcp_settings.json` — MCP server list (can contain tokens)
* `CLAUDE.local.md`, `AGENTS.local.md`, `.envrc.local` — local overrides (gitignored by convention)
* `*.local.md` — any local-only markdown

**Intentional carve-outs** (do NOT add these back to `.gitignore`):

| Path                                      | Why it's committed                                                  |
| ----------------------------------------- | ------------------------------------------------------------------- |
| `.envrc`                                  | `use flake` directive; the `SOPS_AGE_KEY_FILE` path is not a secret |
| `*.sops.yaml` / `*.sops.yml`              | SOPS-encrypted ciphertext — safe to commit                          |
| `.terraform.lock.hcl`                     | Provider lock file — committed by convention                        |
| `.claude/settings.json`                   | Project AI config — committed on purpose                            |
| `.claude/rules/`, committed skills/agents | Project Claude Code config                                          |
| `CLAUDE.md`, `AGENTS.md`                  | Project AI instructions                                             |

## Adopting in a new repo

```bash
gh api repos/dryvist/.github/contents/configs/gitignore \
  -H "Accept: application/vnd.github.raw" >> .gitignore
```

Use `>>` (append) so repo-specific entries are preserved. De-duplicate afterward if needed.

## Scope

The baseline covers secrets and AI state only — it is not a comprehensive language gitignore. Pair it with a language-specific template (GitHub's `.gitignore` templates, `gitignore.io`) for full coverage.

## Future work

* Automate adoption in the repo scaffold / copier template so new repos inherit the baseline at creation time rather than manually.
* Add a pre-commit hook that checks for `.env` files without the example suffix before every commit.
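The hook described in the second item, written as an added example (it is not the `dryvist/.github` hook, which does not exist yet): it refuses to commit any staged path the baseline forbids while honouring the carve-outs from the table above. The pattern list mirrors this page, and the `--hook` entry flag is an assumption.

```bash
#!/usr/bin/env bash
# Added example of the planned pre-commit check; not the dryvist/.github hook.
# Install as .git/hooks/pre-commit and call with --hook, or source it to test.
set -eu

# Return 0 if the path is one the org baseline says must never reach history,
# 1 otherwise. Basename matching mirrors gitignore patterns without a slash,
# so nested files such as config/.env.production are caught too.
is_forbidden_path() {
  local path="$1" base
  base=$(basename -- "$path")
  case "$base" in
    .env.example) return 1 ;;                        # the one allowed env file
    .env|.env.*) return 0 ;;                         # real env files
    *.pem|*.key|*.p12|*.pfx) return 0 ;;             # private keys
    terraform.tfvars|credentials.json|secrets.yaml) return 0 ;;  # unencrypted
    CLAUDE.local.md|AGENTS.local.md|.envrc.local|*.local.md) return 0 ;;
  esac
  # Anchored entry: only .claude/mcp_settings.json, not .claude/settings.json
  case "$path" in
    .claude/mcp_settings.json|*/.claude/mcp_settings.json) return 0 ;;
  esac
  return 1   # carve-outs (.envrc, *.sops.yaml, CLAUDE.md, ...) fall through
}

# Read one path per line on stdin and print the forbidden ones.
# Returns 1 when at least one offender was found, 0 when the set is clean.
find_forbidden_paths() {
  local path found=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if is_forbidden_path "$path"; then
      printf '%s\n' "$path"
      found=1
    fi
  done
  return $found
}

# Hook entry point: examine staged added/copied/renamed paths and block the
# commit if any of them is forbidden.
if [ "${1:-}" = "--hook" ]; then
  if offenders=$(git diff --cached --name-only --diff-filter=ACR | find_forbidden_paths); then
    exit 0
  fi
  printf 'pre-commit: refusing to commit baseline-ignored files:\n%s\n' "$offenders" >&2
  exit 1
fi
```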
