# Generated output (root reports directory only; tests/Reports/ is tracked source)
# The leading slash anchors /reports/ to the directory holding this .gitignore, so a
# reports/ folder deeper in the tree is not matched by this rule.
/reports/
# Unanchored: *.log is ignored at every depth, including inside tracked source
# directories such as tests/Reports/.
*.log

# Build / release artefacts (packages, ZIPs, signed/unsigned outputs, runtime ledger).
# Generated by build\New-WinSecMonPackage.ps1; must never become an editable duplicate
# source tree inside the repo. Keep the directory skeleton + READMEs only.
# Exception: artifacts/VERSIONS.json is the curated, committed release ledger.
# NOTE(review): artifacts/** also excludes every subdirectory, and git cannot re-include
# a file whose parent directory is excluded. As written, !artifacts/**/README.md therefore
# only takes effect for artifacts/README.md; READMEs in subfolders stay ignored unless the
# directories are re-included first (a `!artifacts/**/` line ahead of the README rule).
# Confirm which behaviour is intended, e.g. with `git check-ignore -v <path>`.
artifacts/**
!artifacts/
!artifacts/README.md
!artifacts/**/README.md
!artifacts/.gitkeep
!artifacts/VERSIONS.json

# QA evidence captured during test/validation runs (keep structure + READMEs, ignore blobs)
# Each <dir>/** rule ignores the contents of the folder, subdirectories included, but not
# the folder itself.
qa/test-results/**
qa/defender-results/**
qa/evidence/**
qa/golden-reports/**
# NOTE(review): these re-includes only reach README.md / .gitkeep placed directly inside
# the four folders above. In deeper subfolders the parent directory is already excluded,
# and git cannot re-include a file under an excluded directory.
!qa/**/README.md
!qa/**/.gitkeep

# UAT run raw evidence is SENSITIVE (customer host/user/domain, real findings, packaged
# bundle). Every file under a per-run folder is git-ignored - including any README.md the
# earlier rule would otherwise re-include - so a customer-identifying path never enters git.
# Only the generic top-level uat-runs README is tracked; redacted summaries live in qa/signoff/.
# (Re-include the uat-runs dir itself first - you cannot re-include a file whose parent dir is
# excluded by qa/evidence/** above.)
# Order matters (the last matching pattern wins): keep these three lines below the qa/ rules
# above. Ignore rules only affect untracked files - anything already committed, or added with
# `git add -f`, is not covered; verify a path with `git check-ignore -v <path>`.
!qa/evidence/uat-runs/
qa/evidence/uat-runs/**
!qa/evidence/uat-runs/README.md

# Third-party benchmark raw captures (licensing): never commit fetched PingCastle HTML.
# Only the clean-room WINSECMON-authored CSV/JSON derivatives are tracked.
# NOTE(review): `*` does not cross a slash, so both patterns cover only files directly in
# pingcastle-baseline/; a raw capture saved in a subfolder or elsewhere in the tree is not
# ignored by these rules - confirm that is the only place captures are written.
qa/benchmark-mapping/pingcastle-baseline/*.raw.html
qa/benchmark-mapping/pingcastle-baseline/*.gitignored

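# Local signing material / private keys (never commit)
# .pfx and .p12 are PKCS#12 bundles (certificate + private key), .pvk is a private-key
# file, .snk is a .NET strong-name key pair. All patterns match at any depth.
# Ignore rules are only a first line of defence: they do not cover files that are already
# tracked or added with `git add -f`, so pair them with secret scanning in pre-commit / CI.
*.pfx
*.p12
*.pvk
*.snk
*-private*.cer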

# Machine/tenant-specific validation notes (keep PROJECT_MEMORY.md generic + shareable)
# The pattern contains a slash, so it is matched relative to this .gitignore's directory only.
.ai/LOCAL_VALIDATION_MEMORY.md

# Editor / OS noise (unanchored patterns, matched at any depth)
.vs/
*.user
Thumbs.db
.DS_Store

# Original recon binaries (large)
# The directory is named by a 40-hex-character identifier. The trailing slash restricts the
# match to directories; with no leading slash it is matched at any depth.
96d4a5e464f47993171869c46a7cec69cae3904b/
