| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647 |
- # SEC_REVIEW F19: explicit allow/deny for the api build context.
- # `Dockerfile` does `COPY . ./` for the runtime stage, so anything
- # not listed here is baked into the image.
- # Secrets — block any future `.env` / `.env.local` dropped in this
- # directory from silently shipping in the image. Compose loads `.env`
- # from the repo root, not from `api/`, so nothing here is needed.
- .env
- .env.*
- # Version control
- .git
- .gitignore
- .gitattributes
- # Editor / IDE noise
- .idea/
- .vscode/
- *.swp
- *~
- .DS_Store
- # Tests and dev tooling — not needed at runtime, and `tests/` may hold
- # fixtures that double as LFI targets.
- tests/
- .phpunit.cache/
- .phpunit.result.cache
- .phpstan.cache/
- .php-cs-fixer.cache
- .php-cs-fixer.dist.php
- phpstan.neon
- phpunit.xml
- # Host vendor/ — the deps stage installs a clean vendor and copies it
- # in via `COPY --from=deps`; leaving the host vendor in the context
- # would let the subsequent `COPY . ./` clobber the deps-stage tree.
- vendor/
- # Project metadata and docs — not consumed by the runtime.
- CHANGELOG.md
- # Build artifacts that don't belong in the runtime image.
- .dockerignore
- Dockerfile
- # Claude Code session state
- .claude/
|
