# ===== Base: ignore everything, then allow selectively =====
# `/*` matches only entries directly in the repository root. Anything inside a
# directory that is re-included below is tracked unless a later rule ignores it
# again; within a .gitignore the last matching pattern wins.
/*

# ===== Track explicitly =====
!.gitignore
!README.md
!LICENSE
# Re-including the directory itself is what takes effect. The `/**` line after
# each directory is redundant at this point, because no rule above ignores
# nested paths; the deny rules further down still override both lines.
!scripts/
!scripts/**
!infra/
!infra/**
!archiv/
!archiv/**
# Keep the setup/bootstrap scripts in the repository root
# NOTE(review): going by their names these scripts deal with Vault agent /
# AppRole setup - confirm none of them contains a literal role_id, secret_id
# or token before it is committed.
!setup-vault-agent.sh
!setup-vault-agent2.sh
!setup-vault-agent3.sh
!setup-vault-agent4.sh
!setup-vault-agent5.sh
!bootstrap-proxytest-approle.sh

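# Tests: track only code and docs, never artefacts.
# The root-level `/*` rule does not reach into subdirectories, so re-including
# `test/` alone would track every file below it. Re-ignore the contents first,
# then re-open the directories (so git can descend into them) and finally
# allow only the wanted file types.
!test/
test/**
!test/**/
!test/**/*.sh
!test/**/*.md
!test/**/*.txt
# Everything else under test/ stays ignored. The secret/artefact rules further
# down come later in the file and therefore still override these allow rules.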

# ===== Never commit (secrets / runtime state / artefacts) =====
# These rules come after the allow list above, so they also apply inside the
# re-included directories (scripts/, infra/, archiv/, test/).
# Ignore rules do not untrack files that are already in the index or history;
# a credential that was committed earlier must be removed from tracking and
# rotated.
# Generic secrets and Vault material
secrets/
.vault/
# Directory-only pattern (trailing slash): a plain file whose name starts with
# `.vault-` is not matched by it.
# NOTE(review): if a script writes such a file inside a tracked directory, add
# a file pattern for it - confirm against the setup scripts.
.vault-*/
# Exact basenames at any depth; variants such as `role_id.txt` or `token.json`
# are not covered by these rules.
**/role_id
**/secret_id
**/token
**/pidfile
**/.issue.json

# TLS / certificate artefacts
**/*.key
# The next two patterns are subsumed by `**/*.pem` below.
**/*privkey*.pem
**/*_key.pem
**/*.pem
**/*.crt
**/*.csr
# Key-store containers (PKCS#12 / Java keystore)
**/*.p12
**/*.pfx
**/*.jks
**/.staging*/

# Logs and temporary files
**/*.log
**/*.tmp
**/*.temp
**/logs/
**/tmp/

# Environment files
# `.env.*` also matches templates such as `.env.example`; if one should be
# tracked, add an explicit `!` exception after these lines.
.env
.env.*
**/.env
**/.env.*
# Local app configuration and backup copies of it. Listed with the environment
# files, so presumably host-specific or credential-bearing - confirm.
infra/config/apps.yaml
infra/config/apps.yaml.bk
# NOTE(review): `apps.yam.bkl` looks like a typo (`yam`, `bkl`). Verify the
# real backup filename; if it differs, that backup is NOT ignored, because
# `!infra/**` re-includes everything under infra/.
infra/config/apps.yam.bkl
infra/config/*.local.yaml

# Editor / OS clutter
# Patterns without a slash match at any depth, including inside the
# re-included directories.
*.swp
*.swo
*~
.DS_Store
Thumbs.db
# IDE workspace directories
.idea/
.vscode/
