# SEC_REVIEW F19: explicit allow/deny for the ui build context.
# `Dockerfile` does `COPY . ./` for the runtime stage, so anything
# not listed here is baked into the image.

# Secrets — block any future `.env` / `.env.local` dropped in this
# directory from silently shipping in the image. Compose loads `.env`
# from the repo root, not from `ui/`, so nothing here is needed.
# Patterns are matched relative to the context root, so a `.env` in a
# subdirectory of `ui/` would need a `**/.env` entry as well.
.env
.env.*

# Version control
.git
.gitignore
.gitattributes

# Editor / IDE noise
.idea/
.vscode/
*.swp
*~
.DS_Store

# Tests and dev tooling — not needed at runtime, and `tests/` may hold
# fixtures that double as LFI targets.
tests/
.phpunit.cache/
.phpunit.result.cache
.phpstan.cache/
.php-cs-fixer.cache
.php-cs-fixer.dist.php
phpstan.neon
phpunit.xml

# Dependencies — the deps / assets stages install clean trees and
# copy them in via `COPY --from=...`; leaving the host versions in
# the context would let the subsequent `COPY . ./` clobber them.
vendor/
node_modules/

# Project metadata and docs — not consumed by the runtime.
CHANGELOG.md

# Build inputs that don't belong in the runtime image.
.dockerignore
Dockerfile

# Claude Code session state
.claude/