===== Secrets =====

Never commit any actual secrets. Only .env.example is allowed.

.env .env.local .env.*.local *.key *.pem secrets/ credentials/

Brand-scoped secret files (per-brand convention)

Brands//secrets.env Brands//.env

===== Sensitive raw data =====

Health exports often contain medical-grade data — keep out of any

non-encrypted sync (incl. git remotes that aren't private+encrypted).

Raw/Health/* !Raw/Health/.gitkeep

Comment the next two lines back in if other Raw/ subfolders also

contain sensitive client material you don't want in git history:

Raw/Documents/*

!Raw/Documents/.gitkeep

===== System / OS =====

.DS_Store Thumbs.db *.swp *.swo *~

===== Caches & logs =====

.cache/ *.log

===== Obsidian — per-device state =====

These change every time you open the vault and don't reflect real changes.

(Other .obsidian/*.json files like app/appearance/core-plugins/graph stay tracked

— those carry intentional preferences, not noisy session state.)

.obsidian/workspace.json .obsidian/workspace-mobile.json .obsidian/cache/

===== Python =====

.venv/ pycache/ *.pyc *.egg-info/

===== Misc =====

node_modules/