# SEC-04: keep secrets and bulk artefacts out of image layers.
# The Dockerfile ends with `COPY . .` — everything not listed here ships in the image.
# Patterns are matched relative to the build-context root; prefix with `**/` to match at any depth.

# Secrets — never in an image layer
.env
.env.*
*.pw

# VCS / local tooling
.git
.gitignore
.claude
.pytest_cache
.ruff_cache
.venv
__pycache__
*.pyc
*.pyo
.DS_Store
*.code-workspace

# Bulk data artefacts (rebuildable / operator-side only)
*.osm.pbf
*.geojson
csv/
data/
tools/data/
shell_stations.csv

# Not needed at runtime
docs/
tests/
agents/
db_audit/
legacy/
SOUL.md
README.md
CLAUDE.md
uv.lock.bak