7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
396 lines
10 KiB
Plaintext
396 lines
10 KiB
Plaintext
# WHITELIST APPROACH - Only allow specific file types
|
|
# Deny everything by default
|
|
*
|
|
|
|
# Allow directories (needed for git to traverse)
|
|
!*/
|
|
|
|
# Allow specific source code files (but not .py in root - see below)
|
|
!*.js
|
|
!*.html
|
|
!*.css
|
|
# Auto-generated theme CSS (regenerated on every server start from themes/*/*.css)
|
|
src/local_deep_research/web/static/css/themes.css
|
|
# JSON — path-scoped (root package.json whitelisted below)
|
|
!src/local_deep_research/defaults/**/*.json
|
|
!cookiecutter-docker/**/*.json
|
|
|
|
# YAML — non-root, path-scoped (.github/ and .semgrep/ whitelisted separately)
|
|
!community_benchmark_results/**/*.yaml
|
|
!cookiecutter-docker/**/*.yml
|
|
!examples/elasticsearch/docker-compose.yml
|
|
|
|
# Shell scripts — path-scoped (.github/ and .pre-commit-hooks/ whitelisted separately)
|
|
!scripts/**/*.sh
|
|
!tests/**/*.sh
|
|
!docs/**/*.sh
|
|
!examples/**/*.sh
|
|
|
|
# Templates, Jinja2, XML — explicit paths
|
|
# NOTE: .env.template has a leading-dot basename, so the `.*` catch-all
|
|
# below would re-ignore it -- it is re-allowed in the post-catch-all block
|
|
# instead (a negation here would be a dead rule).
|
|
!src/local_deep_research/notifications/templates/**/*.jinja2
|
|
!unraid-templates/**/*.xml
|
|
|
|
# Allow Python files everywhere except root
|
|
!**/*.py
|
|
|
|
# Block ALL files in root directory - adding files to root should be intentional
|
|
/*.*
|
|
|
|
# Re-allow root-level directories whose name contains a dot.
|
|
#
|
|
# Why: the `/*.*` pattern above is a glob that matches anything at the
|
|
# repo root containing a `.` — it correctly catches files like
|
|
# `something.txt`, but it ALSO matches DIRECTORIES whose name happens to
|
|
# include a dot (e.g. `changelog.d/`). gitignore's pattern engine does
|
|
# not distinguish files from directories at the pattern level unless the
|
|
# pattern ends in `/`.
|
|
#
|
|
# Per git's own gitignore rules:
|
|
# "It is not possible to re-include a file if a parent directory of
|
|
# that file is excluded."
|
|
# So later negations like `!changelog.d/**/*.md` below cannot
|
|
# rescue files inside an excluded parent. They silently fail, and new
|
|
# files in `changelog.d/` get ignored even though contributors expect
|
|
# them to be tracked. This surfaced when adding a new towncrier
|
|
# fragment.
|
|
#
|
|
# Fix: explicitly re-include the directory ITSELF so the parent isn't
|
|
# excluded, leaving the per-file negation below to do its job. If a new
|
|
# dotted directory is added at root in the future, it needs the same
|
|
# treatment here.
|
|
!changelog.d/
|
|
|
|
# Explicitly allow specific Python files in root that are needed
|
|
# (Comment out any you don't need)
|
|
|
|
# Allow specific project files
|
|
!LICENSE
|
|
!README
|
|
!README.md
|
|
!CHANGELOG.md
|
|
!CONTRIBUTING.md
|
|
!SECURITY.md
|
|
!LICENSE.md
|
|
!Dockerfile
|
|
!pyproject.toml
|
|
!pdm.lock
|
|
!package.json
|
|
!MANIFEST.in
|
|
!eslint.config.mjs
|
|
!eslint.config.js
|
|
!playwright.config.js
|
|
!vite.config.js
|
|
!vulture_whitelist.py
|
|
!docker-compose.yml
|
|
|
|
|
|
# Block JSON files in root directory (except package.json which is explicitly allowed above)
|
|
/*.json
|
|
!package.json
|
|
!lighthouserc.json
|
|
|
|
# Block all other dot files/folders
|
|
.*
|
|
.*/
|
|
!.github/
|
|
!.github/**/*.yml
|
|
!.github/**/*.yaml
|
|
!.github/**/*.md
|
|
!.github/**/*.sh
|
|
!.github/**/*.py
|
|
!.github/CODEOWNERS
|
|
!.github/security/*.txt
|
|
# Config dotfiles re-allowed AFTER the `.*`/`.*/` catch-all above. A `!`
|
|
# negation placed BEFORE the catch-all is a dead rule -- the catch-all
|
|
# re-ignores the file, which then stays tracked only if it was committed
|
|
# before the catch-all existed (git never ignores an already-tracked path,
|
|
# which masks the bug). Put every new dot-config negation in THIS block --
|
|
# otherwise e.g. a nested `.gitignore` or a `newdir/.gitkeep` is silently
|
|
# dropped by `git add`.
|
|
!.gitignore
|
|
!.gitkeep
|
|
!.nvmrc
|
|
!.pre-commit-config.yaml
|
|
# Linter, whitelist, and security-scan config dotfiles -- masked by the
|
|
# catch-all above like the rest of this block; tracked today only because
|
|
# they predate it. .zap/ mirrors the .github/ / .semgrep/ pattern: re-allow
|
|
# the dir, then its file TYPE (.tsv) -- deliberately NOT a blanket `**`, so a
|
|
# stray key/db/pem dropped into .zap/ stays ignored (deny-by-default).
|
|
!.file-whitelist.txt
|
|
!.hadolint.yaml
|
|
!.yamllint.yaml
|
|
!.zap/
|
|
!.zap/**/*.tsv
|
|
# Shipped source template whose basename starts with a dot -- caught by the
|
|
# `.*` catch-all above, so it must be re-allowed here (not in the templates
|
|
# block near its non-dotfile siblings).
|
|
!src/local_deep_research/defaults/.env.template
|
|
!.gitleaksignore
|
|
!.grype.yaml
|
|
!.dockerignore
|
|
# Security-tool configs. Directory rules mirror the .github/ block above:
|
|
# re-allow the dir first, then its file types, so newly added
|
|
# .semgrep/rules/* files actually get tracked. (bearer.yml is not a dotfile
|
|
# -- the catch-all never affected it -- grouped here by topic.)
|
|
!.gitleaks.toml
|
|
!.semgrepignore
|
|
!bearer.yml
|
|
!.trivyignore
|
|
!.safety-policy.yml
|
|
!.semgrep/
|
|
!.semgrep/**/*.yml
|
|
!.semgrep/**/*.yaml
|
|
!.semgrep/**/*.md
|
|
# Pre-commit hook scripts (dir + file types), re-allowed after the catch-all.
|
|
!.pre-commit-hooks/
|
|
!.pre-commit-hooks/*.py
|
|
!.pre-commit-hooks/*.sh
|
|
|
|
# Allow installer files only in installers directory (text scripts only)
|
|
!installers/**/*.bat
|
|
!installers/**/*.ps1
|
|
!installers/**/*.iss
|
|
|
|
# Block specific problematic directories even if they contain allowed files
|
|
src/data/
|
|
src/research_outputs/
|
|
research_outputs/
|
|
data/
|
|
# Journal quality data: nothing is bundled. All sources are runtime-downloaded
|
|
# into the user data directory by the data_sources package. There is no
|
|
# package-level data directory any more.
|
|
logs/
|
|
cache/
|
|
temp/
|
|
tmp/
|
|
|
|
# Block result directories from examples
|
|
examples/optimization/examples/optimization/results/
|
|
examples/benchmarks/examples/benchmarks/results/
|
|
examples/*/results/
|
|
**/results/*/
|
|
|
|
# Block test output and JSON files
|
|
tests/**/results/
|
|
tests/**/*.json
|
|
tests/ui_tests/*.json
|
|
tests/ui_tests/results/
|
|
|
|
# …but the responsive baseline is checked in on purpose: it's the
|
|
# allowlist of currently-known UI bugs that test_responsive_ui_comprehensive.js
|
|
# compares against. New regressions vs this list fail the test.
|
|
!tests/ui_tests/responsive_baseline.json
|
|
|
|
# Still block Python cache and build artifacts even if they match patterns above
|
|
__pycache__/
|
|
**/__pycache__/
|
|
__pypackages__/
|
|
**/__pypackages__/
|
|
*.py[cod]
|
|
*$py.class
|
|
*.so
|
|
.Python
|
|
build/
|
|
develop-eggs/
|
|
dist/
|
|
downloads/
|
|
eggs/
|
|
.eggs/
|
|
lib/
|
|
lib64/
|
|
parts/
|
|
sdist/
|
|
var/
|
|
wheels/
|
|
*.egg-info/
|
|
.installed.cfg
|
|
*.egg
|
|
|
|
# Block virtual environments
|
|
.venv/
|
|
venv/
|
|
ENV/
|
|
env/
|
|
.env
|
|
.pdm*
|
|
|
|
# Block IDE files
|
|
.idea/
|
|
.vscode/
|
|
*.swp
|
|
*.swo
|
|
.DS_Store
|
|
.qodo/
|
|
.cursorrules
|
|
|
|
# Project specific
|
|
temp_output.txt
|
|
temp_output_findings.txt
|
|
formatted_output.txt
|
|
Output.txt
|
|
research_outputs
|
|
report.md
|
|
src/data/*
|
|
# Logs
|
|
*.log
|
|
logs/
|
|
|
|
# Database
|
|
research_history.db
|
|
data/ldr.db
|
|
*.db
|
|
|
|
# Data
|
|
*.pdf
|
|
.cache
|
|
*.jsonl
|
|
data/cache/pricing/pricing_cache.json
|
|
|
|
# Tools
|
|
python-db/
|
|
js-db/
|
|
*.sarif
|
|
codeql_analysis_results.txt
|
|
.coverage
|
|
coverage/
|
|
|
|
# benchmark results for examples
|
|
examples/benchmark_results/
|
|
|
|
# benchmark and optimization results
|
|
src/benchmark_results/
|
|
data/benchmark_results/
|
|
data/optimization_results/
|
|
examples/*/benchmark_results/
|
|
examples/*/optimization_*/
|
|
examples/benchmarks/results/
|
|
examples/optimization/results/
|
|
tests/import_tests/
|
|
benchmark_results/
|
|
strategy_benchmark_results/
|
|
strategy_sim_results_*/
|
|
*_results_*/
|
|
optimization_results_*/
|
|
optimization_demo_*/
|
|
|
|
# Utility scripts for benchmarks
|
|
update_api_key.py
|
|
update_max_tokens.py
|
|
verify_grader_config.py
|
|
/run_*_benchmark.sh
|
|
/run_fixed_benchmark.sh
|
|
/run_verification.sh
|
|
/run_update_*.sh
|
|
/run_*.sh
|
|
/*_benchmark.py
|
|
benchmark_cleanup.sh
|
|
benchmark_*summary.md
|
|
simulation_*summary.md
|
|
|
|
# Exceptions for benchmark example scripts
|
|
!examples/benchmarks/**/run_*.sh
|
|
!examples/benchmarks/**/*.py
|
|
|
|
**/.claude/settings.local.json
|
|
|
|
# Folders created by Docker.
|
|
local_collections/
|
|
|
|
# Node.js dependencies and artifacts
|
|
node_modules/
|
|
package-lock.json
|
|
!/package-lock.json
|
|
!tests/ui_tests/package-lock.json
|
|
!tests/ui_tests/playwright/package-lock.json
|
|
!tests/api_tests_with_login/package-lock.json
|
|
!tests/infrastructure_tests/package-lock.json
|
|
!tests/accessibility_tests/package.json
|
|
!tests/accessibility_tests/package-lock.json
|
|
!tests/puppeteer/package-lock.json
|
|
!tests/package-lock.json
|
|
npm-debug.log*
|
|
yarn-debug.log*
|
|
yarn-error.log*
|
|
|
|
# Temporary debug files
|
|
debug_*.js
|
|
test_*.html
|
|
|
|
# Test screenshots and artifacts
|
|
*.png
|
|
charts_*.png
|
|
research_*.png
|
|
star_reviews_*.png
|
|
web*.png
|
|
tests/screenshots/
|
|
screenshots/
|
|
|
|
# Explicitly allowed binary files — keep this list small.
|
|
# Binary files bloat the repo; do NOT add new ones without maintainer approval.
|
|
!docs/images/Local Search.png
|
|
!docs/images/local_search_embedding_model_type.png
|
|
!docs/images/local_search_paths.png
|
|
!src/local_deep_research/web/static/favicon.png
|
|
!src/local_deep_research/web/static/sounds/error.mp3
|
|
!src/local_deep_research/web/static/sounds/success.mp3
|
|
|
|
# Block mobile UI test artifacts (html/json reports, screenshot directories)
|
|
tests/ui_tests/mobile/**/*.html
|
|
tests/ui_tests/mobile/**/*.json
|
|
tests/ui_tests/mobile/*-screenshots/
|
|
|
|
# Ignore cookiecutter-generated docker-compose files (root only).
|
|
/docker-compose.*.yml
|
|
!docker-compose.gpu.override.yml
|
|
!docker-compose.unraid.yml
|
|
# Ignore backup data directories (but not backup code modules)
|
|
/backup/
|
|
!src/**/backup/
|
|
!tests/**/backup/
|
|
|
|
# Security - ignore generated secret keys
|
|
.secret_key
|
|
.cache_key_secret
|
|
|
|
# Allow MD files only in specific directories
|
|
!docs/**/*.md
|
|
!examples/**/*.md
|
|
!cookiecutter-docker/**/*.md
|
|
# towncrier news fragments — directory itself is re-allowed near the
|
|
# `/*.*` rule above (consolidated so the re-include lives in one place).
|
|
!changelog.d/**/*.md
|
|
|
|
# Block MD files in tests directories by default
|
|
tests/**/*.md
|
|
# To whitelist specific test MD files, add them explicitly like:
|
|
# !tests/specific-file-to-include.md
|
|
|
|
# Whitelist Playwright test infrastructure
|
|
!tests/ui_tests/playwright/
|
|
!tests/ui_tests/playwright/package.json
|
|
!tests/ui_tests/playwright/README.md
|
|
!tests/ui_tests/playwright/playwright.config.js
|
|
!tests/ui_tests/playwright/tests/
|
|
!tests/ui_tests/playwright/tests/*.js
|
|
!tests/ui_tests/playwright/tests/helpers/
|
|
!tests/ui_tests/playwright/tests/helpers/*.js
|
|
# NOTE: Playwright snapshot PNGs are NOT tracked in git.
|
|
# Visual regression tests use --update-snapshots to generate baselines locally.
|
|
# See: tests/ui_tests/playwright/README.md
|
|
|
|
# Block Playwright authentication state (contains session cookies/tokens)
|
|
tests/ui_tests/playwright/.auth/
|
|
|
|
# Block Playwright generated reports and test artifacts
|
|
tests/ui_tests/playwright/playwright-report/
|
|
tests/ui_tests/playwright/test-results/
|
|
|
|
# Block accessibility test auth state and generated reports
|
|
tests/accessibility_tests/.auth/
|
|
tests/accessibility_tests/playwright-report/
|
|
tests/accessibility_tests/test-results/
|
|
tests/accessibility_tests/.lighthouseci/
|