# Sandboxed-claude runtime config (bootstrapped per launch — not for commit)
.claude/

# Nix build outputs
result
result-*

# direnv
.direnv/

# Editor scratch
*~
.#*
*.swp
*.swo

# Secrets — track only sops-encrypted .yaml files + the README;
# block plaintext keys and any other content under secrets/
*.key
*.pem
secrets/*
!secrets/*.yaml
!secrets/README.md
