From 9a7b35b677f661cd8b33e9ea61b75873cc09d31b Mon Sep 17 00:00:00 2001 From: indifferentketchup Date: Sun, 17 May 2026 20:50:37 +0000 Subject: [PATCH] build: harden .dockerignore (secrets/, data/) The host-side docker-compose mounts secrets/ and data/ read-only at runtime, but the build context still slurped them in. Add secrets/, data/, and general SSH key patterns (*.pem, *.key, id_rsa*, id_ed25519*, known_hosts, .ssh/) so private material can never be baked into the image even by accident. Co-Authored-By: Claude Opus 4.7 (1M context) --- .dockerignore | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.dockerignore b/.dockerignore index 6529695..f24423c 100644 --- a/.dockerignore +++ b/.dockerignore @@ -10,3 +10,13 @@ dist .vite coverage /tmp + +# Secrets and runtime data +secrets/ +data/ +*.pem +*.key +id_rsa* +id_ed25519* +known_hosts +.ssh/
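Review bot: The file-level patterns in this hunk (`*.pem`, `*.key`, `id_rsa*`, `id_ed25519*`, `known_hosts`, `.ssh/`) only match at the root of the build context, so a key at `deploy/certs/server.key` or a copied `config/.ssh/` would still be sent to the daemon. Unlike .gitignore, .dockerignore uses Go filepath.Match on the path relative to the context root, and a pattern without a leading `**/` is anchored there; the trailing slash on `secrets/`, `data/` and `.ssh/` is also removed by the preprocessing step, so `.ssh/` is effectively just `.ssh`. To get the "can never be baked in even by accident" guarantee the commit message promises, prefix the generic patterns with `**/`, e.g. `**/*.pem`, `**/*.key`, `**/id_rsa*`, `**/id_ed25519*`, `**/known_hosts`, `**/.ssh/`; `secrets/` and `data/` can stay anchored if they are only ever top-level, otherwise use `**/secrets/` and `**/data/` as well. Worth a one-line note in the commit message or a comment in the file that .dockerignore covers only the build context: material pulled in by a `RUN` step, a build arg, or a later `COPY --from` is unaffected. Before merging, confirm the effective context with a throwaway build (a Dockerfile that does `COPY . /ctx` followed by `RUN find /ctx -name '*.key' -o -name '*.pem' -o -name 'id_*'`) and check that it lists nothing.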