From 57870abe98fdff4ec76d6f4d2bcc2f4f1055c59e Mon Sep 17 00:00:00 2001
From: rabbitblood <hongmingwangrabbit@gmail.com>
Date: Thu, 16 Apr 2026 05:39:31 -0700
Subject: [PATCH] chore(gitignore): exclude .secrets/ + *.pem from tracking

Local-only secrets (GitHub App private keys, future per-tenant
credentials) live in .secrets/ on the host. Belt-and-braces with the
existing .env exclusion so a stray copy / rename can't leak.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .gitignore | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitignore b/.gitignore
index fc5ca426..759d0fa4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -113,3 +113,7 @@ org-templates/**/.auth-token
 .initial_prompt_done
 .claude-bridge/
 .claude/scheduled_tasks.json
+
+# GitHub App private key + other local-only secrets — never committed.
+.secrets/
+*.pem