# Decrypted helm values — never commit plaintext secrets
# Default-deny for YAML directly under helm/; the "!" lines that follow re-include
# specific files and only work because they come after this rule.
# NOTE(review): the pattern is anchored to this file's directory and "*" does not
# cross "/", so helm/<subdir>/*.yaml and helm/*.yml are NOT ignored — confirm
# decrypted values are never written under those names.
# NOTE(review): ignore rules do not apply to files git already tracks, and
# `git add -f` bypasses them; this file is a guard against accidents only.
helm/*.yaml
# Files named *.sops.yaml are expected to be SOPS-encrypted. The suffix is a
# naming convention; nothing here checks that the content is actually encrypted.
!helm/*.sops.yaml
# helm/*.yaml does not match names ending in .template, so this negation is an
# explicit statement of intent rather than a required exception.
!helm/*.yaml.template
# Named exceptions committed in plaintext.
# NOTE(review): presumably these hold no tokens, unseal keys or passwords — verify
# before adding values to them.
!helm/openbao-values.yaml
!helm/openbao-middleware.yaml
!helm/openbao-ui-overlay-k8s.yaml
# Kubernetes manifests (no secrets) are safe to commit
# NOTE(review): these are suffix globs, so any file named to match becomes
# committable. "No secrets" is a convention that reviewers must uphold; a manifest
# with inline credentials (a *-databases.yaml is the likeliest place) would not be
# stopped by this file.
!helm/*-cluster.yaml
!helm/*-networkpolicies.yaml
!helm/*-databases.yaml

# ArgoCD repository credentials — encrypt locally, never commit
# Unlike helm/*.sops.yaml, these files are kept out of git even in their
# SOPS-encrypted form; only the .template files are meant to be tracked.
# Anchored to argocd/repositories/ — files in deeper subdirectories are not matched.
argocd/repositories/*.repository.sops.yaml
# A name ending in .template does not match the rule above, so this negation only
# has an effect if some other ignore rule would otherwise match the template.
!argocd/repositories/*.repository.sops.yaml.template

# Kubeconfig
# Kubeconfig files may embed cluster credentials (tokens, client keys).
# The pattern has no "/", so it matches at any depth, but only names ending in
# ".kubeconfig". NOTE(review): files named "kubeconfig", "kubeconfig.yaml" or
# "config" are not covered — confirm the project never writes those into the tree.
*.kubeconfig

# Credential broker local lease/token material
# The trailing "/" ignores the directory and everything beneath it; the path is
# anchored to the directory containing this .gitignore.
.local/credential-leases/
# No "/" in the pattern, so token files with this suffix are ignored at any depth.
# NOTE(review): ignoring keeps these out of commits only; they remain readable on
# disk, so file permissions and lease expiry still matter.
*.openbao-token
