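# SEC_REVIEW F19: explicit deny-list for the api build context.
# `Dockerfile` does `COPY . ./` for the runtime stage, so anything
# not listed here is baked into the image. The list fails open: a new
# sensitive file added under this directory ships unless a pattern is
# added for it, so review this file whenever the directory layout changes.
#
# Pattern scope: .dockerignore patterns are anchored at the context
# root (unlike .gitignore). A bare `name` or `*.ext` matches only at the
# top level of the context; a leading `**/` matches at any depth,
# including the top level.

# Secrets — block any future `.env` / `.env.local` dropped in this
# directory, or in any subdirectory of it, from silently shipping in the
# image. Compose loads `.env` from the repo root, not from `api/`, so the
# runtime needs no `.env` file from this context.
**/.env
**/.env.*

# Version control
.git
.gitignore
.gitattributes

# Editor / IDE noise. The file patterns use `**/` because swap and
# backup files are written next to the file being edited, at any depth,
# and can hold a copy of its contents.
.idea/
.vscode/
**/*.swp
**/*~
**/.DS_Store

# Tests and dev tooling — not needed at runtime, and `tests/` may hold
# fixtures that double as LFI (local file inclusion) targets.
tests/
.phpunit.cache/
.phpunit.result.cache
.phpstan.cache/
.php-cs-fixer.cache
.php-cs-fixer.dist.php
phpstan.neon
phpunit.xml

# Host vendor/ — the deps stage installs a clean vendor and copies it
# in via `COPY --from=deps`; leaving the host vendor in the context
# would let the subsequent `COPY . ./` clobber the deps-stage tree.
vendor/

# Project metadata and docs — not consumed by the runtime.
CHANGELOG.md

# Build inputs that don't belong in the runtime image. Listing them here
# does not break the build: the builder still receives both files, but
# `COPY` / `ADD` no longer copy them into the image.
.dockerignore
Dockerfile

# Claude Code session state
.claude/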
