From 087b09a213074a8cb9178fcd79b90e28235619ff Mon Sep 17 00:00:00 2001
From: Flea Flicker <fleaflicker@groombook.farh.net>
Date: Sat, 18 Apr 2026 10:13:17 +0000
Subject: [PATCH] chore(GRO-720): harden .gitignore against agent runtime leaks

- Add .gh-token, *.gh-token to block token files
- Add .config/gh/ and **/.config/gh/ to block gh CLI config dirs
- Add infra-repo and infra-repo/ to block infra checkouts
- Add **/instructions/.gh-token to block per-agent token files
- Add **/AGENT_HOME/** and $AGENT_HOME/** to block agent home dirs
- Add .claude/ and .codex/ to block runtime directories

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .gitignore | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.gitignore b/.gitignore
index 14923ee..112405c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,16 @@ dist/
 .turbo/
 coverage/
 minimax-output/
+
+# Agent runtime artifacts — never commit
+.gh-token
+*.gh-token
+.config/gh/
+**/.config/gh/
+infra-repo
+infra-repo/
+**/instructions/.gh-token
+**/AGENT_HOME/**
+$AGENT_HOME/**
+.claude/
+.codex/