.gitignore
650 lines (604 loc) · 27.3 KB
# MiOS Root Overlay - Whitelist .gitignore
# This repository mirrors the system root (/) for a "Zero-Day" bootc build.
# STRATEGY: Ignore everything by default, then surgically whitelist only MiOS-owned paths.
# CASCADE RULE: To allow a nested path, every parent dir must be unignored first,
# then the parent's contents must be re-ignored before the child is unignored.
#
# IMPORTANT: /.gitignore must be a real file (not a symlink) because git opens it
# with O_NOFOLLOW. After editing this file at the repo root, run:
# sudo cp ./.gitignore /.gitignore
# ─────────────────────────────────────────────────────────────────────────────
# 1. BLOCK EVERYTHING
# ─────────────────────────────────────────────────────────────────────────────
/*
.*
# ─────────────────────────────────────────────────────────────────────────────
# 2. REPOSITORY METADATA & TOP-LEVEL DOCS
# ─────────────────────────────────────────────────────────────────────────────
!/.gitignore
!/.gitattributes
!/.clinerules
!/.cursorrules
!/.editorconfig
!/.env.mios
!/.github/
!/.github/**
# Forgejo Actions workflows (consumed by mios-forgejo-runner Quadlet
# inside the closed self-replication loop). Forgejo Runner accepts
# both .forgejo/workflows/ and .github/workflows/; the .forgejo/ path
# is canonical for self-hosted-only workflows that shouldn't leak to
# GHCR-side CI.
!/.forgejo/
!/.forgejo/**
# Repo-root files. After the 2026-05-05 FHS-consolidation pass:
# - operator-facing docs (architecture, engineering, deploy, security,
# api, sources, credits, licenses, tree, audits, ...) moved to
# usr/share/doc/mios/{concepts,guides,reference,audits}/
# - the agent-facing INDEX.md and CLAUDE.AUDIT.md moved to
# usr/share/mios/ai/{INDEX.md,audit-prompt.md}
# - GitHub-convention files (README, LICENSE, CONTRIBUTING, SECURITY,
# AGREEMENTS) and agent-tool discovery redirectors stay at root.
!/AGENTS.md
!/AGREEMENTS.md
!/CLAUDE.md
!/CONTRIBUTING.md
!/Containerfile
# Containerfile.minimal: experimental fedora-bootc-rooted sibling to the
# canonical ucore-hci-rooted Containerfile. Produces a "MiOS-Lite" tag for
# operators who don't need the HCI surface (NVIDIA/libvirt/ZFS pre-bakes).
!/Containerfile.minimal
!/GEMINI.md
!/Justfile
!/LICENSE
!/MiOS-SBOM.csv
!/README.md
!/SECURITY.md
!/VERSION
!/llms-full.txt
!/llms.txt
!/manifest.json
!/system-prompt.md
!/image-versions.yml
!/install.sh
!/install-mios-agents.sh
!/Get-MiOS.ps1
!/install.ps1
!/build-mios.ps1
!/mios-pipeline.ps1
!/mios-build-local.ps1
!/mios-cloud-build.ps1
!/mios-windows-export.ps1
!/preflight.ps1
!/preflight.sh
!/push-to-github.ps1
!/renovate.json
# ─────────────────────────────────────────────────────────────────────────────
# 2b. /usr/share/mios/kb -- KB index (moved from /proc/mios for FHS compliance;
# /proc is the kernel virtual filesystem per FHS 3.0)
# ─────────────────────────────────────────────────────────────────────────────
!/usr/share/mios/kb/
!/usr/share/mios/kb/manifest.json
# ─────────────────────────────────────────────────────────────────────────────
# 3. MIOS BUILD & AUTOMATION INFRASTRUCTURE
# ─────────────────────────────────────────────────────────────────────────────
!/automation/
!/automation/**
!/tools/
!/tools/**
!/config/
!/config/**
# ─────────────────────────────────────────────────────────────────────────────
# 4. /v1 -- MiOS AI API surface
# ─────────────────────────────────────────────────────────────────────────────
!/v1/
!/v1/**
# ─────────────────────────────────────────────────────────────────────────────
# 5. /etc -- only MiOS-managed config paths
# ─────────────────────────────────────────────────────────────────────────────
!/etc/
etc/*
!/etc/.keep
!/etc/containers/
etc/containers/*
# storage.conf -- rootful containers/storage config. /usr/share/containers/
# storage.conf is NOT read by libcontainers/storage at runtime (only /etc/
# and ~/.config/), so the vendor file there is ignored and the base image's
# /etc/containers/storage.conf wins. Shipping our own here puts kernel
# overlay (mount_program="") in front of the cascade.
!/etc/containers/storage.conf
!/etc/containers/systemd/
etc/containers/systemd/*
!/etc/containers/systemd/mios*
# ai-net.network is the AI-stack bridge that mios-hermes /
# mios-hermes-workspace / ollama / mios-searxng share. Doesn't match the mios*
# glob because the deploy-aistack.sh reference flow names it ai-net,
# and we keep the literal name for cross-deploy interop.
!/etc/containers/systemd/ai-net.network
# storage.conf.d/ -- additionalimagestores bridge so rootless distrobox
# can read images built into rootful podman storage by the system-scope
# .build Quadlets (Universal Blue / Bazzite pattern).
!/etc/containers/storage.conf.d/
etc/containers/storage.conf.d/*
!/etc/containers/storage.conf.d/30-mios-*
# containers.conf.d/ -- per-host podman tunables (rootless network
# backend, runtime defaults). All shipped .conf files are MiOS-authored.
!/etc/containers/containers.conf.d/
etc/containers/containers.conf.d/*
!/etc/containers/containers.conf.d/30-mios-*
!/etc/fapolicyd/
etc/fapolicyd/*
!/etc/fapolicyd/fapolicyd.rules
!/etc/wsl.conf
# /etc/btop/ -- system-wide btop preset + MiOS palette theme. mios-btop.sh
# resolves BTOP_CONFIG_DIR=/etc/btop when the user has no ~/.config/btop,
# so this is the canonical fallback that ships with the image. Operator
# can override per-user; the system-wide copy guarantees `btop` and
# `btop -p 3` render the MiOS preset out of the box.
!/etc/btop/
!/etc/btop/btop.conf
!/etc/btop/themes/
!/etc/btop/themes/mios.theme
# /etc/gtk-3.0/, /etc/gtk-4.0/ -- system-wide GTK CSS overrides that
# add native rounded window corners + drop shadows on top of whatever
# theme the operator is using. Flatpaks see these via the
# xdg-config/gtk-{3,4}.0:ro mount in the global flatpak override.
!/etc/gtk-3.0/
!/etc/gtk-3.0/gtk.css
!/etc/gtk-4.0/
!/etc/gtk-4.0/gtk.css
# /etc/profile.d/ -- login-shell environment resolver (INDEX.md sec 4).
# mios-env.sh walks the five-layer env overlay and exports MIOS_AI_* +
# identity vars system-wide. Bash sources /etc/profile.d/*.sh from
# /etc/profile, so the file must live under /etc to be picked up.
# zz-mios-motd.sh prints the live system dashboard at every interactive
# shell login; mios-prompt.sh wires Oh-My-Posh into bash/zsh.
!/etc/profile.d/
!/etc/profile.d/*mios*.sh
# /etc/xdg/ -- xdg-desktop-portal backend selection + future XDG-spec
# tracked configs. portals.conf with [preferred] default=gnome ensures
# the portal frontend can find a backend even when XDG_CURRENT_DESKTOP
# isn't propagated to the activating shell (WSL2 logind bypass).
!/etc/xdg/
!/etc/xdg/**
# /etc/systemd/user/<upstream-unit>.service.d/ -- drop-in overrides for
# upstream-shipped systemd user units (localsearch-3 et al.). Drop-in
# files MUST be named with the mios- prefix so they're distinguishable
# from operator-authored overrides at /etc/systemd/user/<unit>.d/.
!/etc/systemd/
!/etc/systemd/user/
!/etc/systemd/user/**/
!/etc/systemd/user/**/10-mios-*.conf
# /etc/dconf/ -- system-wide GNOME / GTK defaults (color scheme,
# gtk-theme, icon-theme, fonts). Cascade applied to every user-bus
# at login; operator overrides per-user via gsettings / Tweaks.
!/etc/dconf/
!/etc/dconf/db/
!/etc/dconf/db/local.d/
!/etc/dconf/db/local.d/*
!/etc/dconf/profile/
!/etc/dconf/profile/*
# /etc/skel/ -- default home contents copied to every new user.
# GTK3/GTK4 settings.ini under .config/ ensures fresh accounts boot
# with adw-gtk3-dark + prefer-dark before any gsettings/dconf calls
# need to happen. Flatpak apps read these settings via their
# xdg-config/gtk-{3,4}.0 filesystem overrides.
!/etc/skel/
!/etc/skel/.config/
!/etc/skel/.config/gtk-3.0/
!/etc/skel/.config/gtk-3.0/*
!/etc/skel/.config/gtk-4.0/
!/etc/skel/.config/gtk-4.0/*
# /etc/skel/.config/user-dirs.dirs -- XDG user-dir mapping so flatpak
# `xdg-download` permission resolves to ~/Downloads (not $HOME) and so
# every fresh MiOS user gets the standard sidebar entries (Desktop /
# Documents / Downloads / Music / Pictures / Public / Templates /
# Videos) without having to run `xdg-user-dirs-update` themselves.
!/etc/skel/.config/user-dirs.dirs
# Native Linux home dir tree shipped via /etc/skel so every newly-
# created user (uid >= 1000) inherits the standard XDG layout
# automatically. .keep markers are the only tracked entries; users
# fill the dirs at runtime.
!/etc/skel/Desktop/
!/etc/skel/Desktop/.keep
!/etc/skel/Documents/
!/etc/skel/Documents/.keep
!/etc/skel/Downloads/
!/etc/skel/Downloads/.keep
!/etc/skel/Music/
!/etc/skel/Music/.keep
!/etc/skel/Pictures/
!/etc/skel/Pictures/.keep
!/etc/skel/Public/
!/etc/skel/Public/.keep
!/etc/skel/Templates/
!/etc/skel/Templates/.keep
!/etc/skel/Videos/
!/etc/skel/Videos/.keep
# .local/share/{icons,fonts} -- empty dirs in skel that
# /usr/lib/tmpfiles.d/mios-user.conf populates with symlinks to the
# vendor /usr/share/{icons,fonts} subtrees so flatpak sandboxes can
# find them via xdg-data (flatpak refuses to expose /usr/* directly).
!/etc/skel/.local/
!/etc/skel/.local/share/
!/etc/skel/.local/share/icons/
!/etc/skel/.local/share/icons/.keep
!/etc/skel/.local/share/fonts/
!/etc/skel/.local/share/fonts/.keep
# /etc/mios/ -- KB config (system-prompts, kb.conf.toml, eval-criteria.json) tracked here.
# Runtime secrets and per-host overrides are NOT tracked (handled by mios-bootstrap.git).
!/etc/mios/
etc/mios/*
!/etc/mios/kb.conf.toml
!/etc/mios/eval-criteria.json
!/etc/mios/system-prompts/
!/etc/mios/system-prompts/**
!/etc/mios/ai/
!/etc/mios/ai/system-prompt.md
# opencode Ollama-provider config (canonical SoT). mios-hermes-firstboot
# deploys to each user home that runs opencode.
!/etc/mios/opencode/
!/etc/mios/opencode/opencode.json
# Agent exec sandbox -- seccomp profile + Dockerfile + exec-init.c
# (per FS+OS Control guide §15 deliverable). Vendor-tracked SoT;
# operator overlays in /etc/mios/containers/ override these defaults.
!/etc/mios/containers/
!/etc/mios/containers/**
# /etc/sysusers.d/ -- admin overrides for upstream-RPM sysusers entries
# (e.g. cephadm.conf pins UID >= 1000 so the postcheck #8 invariant passes).
!/etc/sysusers.d/
!/etc/sysusers.d/**
# /home/ is BOOTSTRAP territory. Per-user templates and skel live in mios-bootstrap.
# /agents/ is BOOTSTRAP territory (knowledge graphs / RAG manifests).
# ─────────────────────────────────────────────────────────────────────────────
# 6. /root -- MiOS shell skeleton for root user (system layer)
# ─────────────────────────────────────────────────────────────────────────────
!/root/
root/*
!/root/.bashrc
!/root/.zshrc
!/root/.oh-my-zsh/
!/root/.oh-my-zsh/**
# ─────────────────────────────────────────────────────────────────────────────
# 9. /usr -- full cascade whitelist
# ─────────────────────────────────────────────────────────────────────────────
!/usr/
usr/*
!/usr/bin/
!/usr/lib/
!/usr/libexec/
!/usr/share/
# usr/bin -- only MiOS-owned CLIs. Glob covers all mios-* operator
# verbs (mios-dash, mios-update, mios-rebuild, mios-build, mios-deploy,
# mios-pull, mios-flatpaks, mios-vfio-*, mios-backup, mios-ollama, plus
# future additions). Each is a thin shell wrapper around the underlying
# mechanism (bootc / podman / git-against-/.git / the local Forgejo at
# localhost:3000) so operators don't have to remember the long
# invocations.
usr/bin/*
!/usr/bin/mios
!/usr/bin/mios-*
# iommu-groups doesn't carry the mios- prefix (it's the canonical Linux
# verb name) but ships alongside mios-vfio-* as part of the MiOS CLI.
!/usr/bin/iommu-groups
# (mios-ollama is an OpenAI-compat wrapper around upstream `ollama`;
# matches the !/usr/bin/mios-* pattern above but listed for clarity.)
# Agent-CLI shortcuts: thin bash wrappers that delegate to /usr/bin/mios
# (the OpenAI-compatible Python client). Three names, one behavior:
#   @<prompt>        -- shell-position-free shortcut (also handled by
#                       command_not_found_handle in mios-verbs.sh for the
#                       glued `@hello` form; this binary covers pipes /
#                       scripts: `echo Q | @`)
#   hermes <prompt>  -- explicit-name variant for "talk to Hermes"
!/usr/bin/@
!/usr/bin/hermes
# usr/share -- mios/ build files + doc/mios/ KB docs
usr/share/*
!/usr/share/doc/
usr/share/doc/*
!/usr/share/doc/mios/
!/usr/share/doc/mios/**
!/usr/share/mios/
!/usr/share/mios/**
# Desktop-entry .desktop files for the GNOME Dock / Activities (deployed
# hosts) and the WSLg-published Windows Start Menu (MiOS-DEV). Only
# MiOS-owned entries are tracked.
!/usr/share/applications/
usr/share/applications/*
!/usr/share/applications/mios-*.desktop
# AI runtime state (memory, knowledge graphs, scratch) belongs in
# mios-bootstrap.git -- it is per-host and seeded into /var at first
# boot. The OpenAI-API surface manifests in usr/share/mios/ai/v1/
# (models.json + mcp.json) ARE shipped from MiOS because INDEX.md sec 2
# declares them as the canonical /v1/* manifest source.
usr/share/mios/ai/*
!/usr/share/mios/ai/v1/
!/usr/share/mios/ai/v1/**
!/usr/share/mios/ai/system.md
# hermes-soul.md -- the MiOS-managed hardened Hermes-Agent persona /
# grounding against fabricated output. Seeded to $HERMES_HOME/SOUL.md + the
# operator's ~/.hermes/SOUL.md by mios-hermes-firstboot. Vendor-shipped
# (like system.md), so it must be tracked.
!/usr/share/mios/ai/hermes-soul.md
# hermes-soul-full.md -- long-form companion (when-X tables, verifier
# recipes, full forbidden-phrase list). NOT prepended to every prompt
# (slim hermes-soul.md is); the agent reads this on demand via
# `cat /usr/share/mios/ai/hermes-soul-full.md`. Vendor-tracked.
!/usr/share/mios/ai/hermes-soul-full.md
usr/share/mios/knowledge/
usr/share/mios/memory/
usr/share/mios/user-preferences.md
!/usr/share/containers/
usr/share/containers/*
!/usr/share/containers/systemd/
!/usr/share/containers/systemd/**
!/usr/share/containers/containers.conf.d/
!/usr/share/containers/containers.conf.d/**
# Vendor-default containers/storage.conf -- shipped at the lowest precedence
# layer so /etc and ~/.config layers can override. Switches the rootless
# default driver from fuse-overlayfs (broken inside WSL2/nested-container
# without /dev/fuse) to kernel-native overlay, which works in unprivileged
# user namespaces since Linux 5.11.
!/usr/share/containers/storage.conf
# usr/share/ollama -- build-baked model seed dir bind-mounted RO into
# the ollama.container Quadlet. Tracked because on MiOS-DEV (WSL2
# overlay seed) the build phase that would populate it is skipped, and
# `podman run` fails with `statfs /usr/share/ollama: no such file` when
# the path is absent. Only the .keep markers are tracked; actual model
# blobs are emitted at build time by automation/37-ollama-prep.sh and
# remain ignored.
!/usr/share/ollama/
!/usr/share/ollama/.keep
!/usr/share/ollama/models/
!/usr/share/ollama/models/.keep
# MiOS-managed fontconfig drop-ins (Geist Mono primary monospace,
# Symbols-Only Nerd Font icon-glyph fallback). Symlinked into
# /etc/fonts/conf.d/ at boot via usr/lib/tmpfiles.d/mios-fontconfig.conf.
!/usr/share/fontconfig/
!/usr/share/fontconfig/**
# usr/libexec -- mios/ subdir and mios-* top-level stubs
usr/libexec/*
!/usr/libexec/mios/
!/usr/libexec/mios/**
!/usr/libexec/mios-boot-diag
!/usr/libexec/mios-flatpak-install
!/usr/libexec/mios-grd-setup
!/usr/libexec/mios-hyperv-enhanced
!/usr/libexec/mios-verify
# usr/lib -- cascade for each MiOS-owned subdirectory
usr/lib/*
!/usr/lib/mios/
!/usr/lib/mios/**
# /usr/lib/os-release: MiOS overrides the FCOS-inherited identity file so
# fastfetch / motd / postcheck see NAME=MiOS / ID=mios instead of the base
# image's "Fedora CoreOS 44". Single tracked file at the canonical path
# the os-release(5) spec requires.
!/usr/lib/os-release
# Directories containing exclusively MiOS content -- allow all via **
!/usr/lib/NetworkManager/
!/usr/lib/NetworkManager/**
!/usr/lib/X11/
!/usr/lib/X11/**
!/usr/lib/bootc/
!/usr/lib/bootc/**
!/usr/lib/cloud/
!/usr/lib/cloud/**
!/usr/lib/cockpit/
!/usr/lib/cockpit/**
!/usr/lib/containers/
!/usr/lib/containers/**
!/usr/lib/crowdsec/
!/usr/lib/crowdsec/**
!/usr/lib/dnf/
!/usr/lib/dnf/**
# dracut: only MiOS-authored conf.d drop-ins are tracked. The dracut RPM
# owns the binaries (dracut-init.sh, dracut-functions.sh, dracut-install,
# dracut-cpio, ...) and the 100+ upstream modules under modules.d/. Carrying
# verbatim copies in this repo would silently shadow newer dracut RPMs --
# 292 vestigial files were dropped on 2026-05-05 (audit finding F10).
!/usr/lib/dracut/
usr/lib/dracut/*
!/usr/lib/dracut/dracut.conf.d/
usr/lib/dracut/dracut.conf.d/*
!/usr/lib/dracut/dracut.conf.d/*-mios-*.conf
!/usr/lib/firewalld/
!/usr/lib/firewalld/**
!/usr/lib/greenboot/
!/usr/lib/greenboot/**
!/usr/lib/libvirt/
!/usr/lib/libvirt/**
!/usr/lib/locale.conf
!/usr/lib/multipath.conf
!/usr/lib/ostree/
!/usr/lib/ostree/**
!/usr/lib/rancher/
!/usr/lib/rancher/**
!/usr/lib/repart.d/
!/usr/lib/repart.d/**
!/usr/lib/ssh/
!/usr/lib/ssh/**
!/usr/lib/sssd/
!/usr/lib/sssd/**
!/usr/lib/sudoers.d/
!/usr/lib/sudoers.d/**
!/usr/lib/sysupdate.d/
!/usr/lib/sysupdate.d/**
!/usr/lib/usbguard/
!/usr/lib/usbguard/**
!/usr/lib/uupd/
!/usr/lib/uupd/**
!/usr/lib/waydroid/
!/usr/lib/waydroid/**
!/usr/lib/wsl-distribution.conf
!/usr/lib/wsl.conf
!/usr/lib/xrdp/
!/usr/lib/xrdp/**
# Mixed directories (MiOS + OS files) -- cascade with MiOS-specific patterns
# environment.d -- MiOS named *mios*.conf only; blocks 99-environment.conf etc.
!/usr/lib/environment.d/
usr/lib/environment.d/*
!/usr/lib/environment.d/*mios*
# modprobe.d -- MiOS blacklist/nvidia/kvmfr/mios-* only; blocks dist-blacklist.conf, systemd.conf
!/usr/lib/modprobe.d/
usr/lib/modprobe.d/*
!/usr/lib/modprobe.d/blacklist-*
!/usr/lib/modprobe.d/kvmfr.conf
!/usr/lib/modprobe.d/*mios*
!/usr/lib/modprobe.d/nvidia*
# modules-load.d -- MiOS *mios* only; blocks fuse-overlayfs.conf etc.
!/usr/lib/modules-load.d/
usr/lib/modules-load.d/*
!/usr/lib/modules-load.d/*mios*
# pam.d -- MiOS PAM files only; blocks systemd-run0, systemd-user etc.
!/usr/lib/pam.d/
usr/lib/pam.d/*
!/usr/lib/pam.d/mios-*
!/usr/lib/pam.d/password-auth
!/usr/lib/pam.d/system-auth
# profile.d -- all MiOS content
!/usr/lib/profile.d/
!/usr/lib/profile.d/**
# sysctl.d -- MiOS *mios* only; blocks 10-default-yama-scope.conf, 50-*.conf etc.
!/usr/lib/sysctl.d/
usr/lib/sysctl.d/*
!/usr/lib/sysctl.d/*mios*
# systemd -- only MiOS-managed subdirs; blocks user-generators/, timesyncd.conf etc.
# user/ and user-preset/ are admitted for MiOS-shipped user services
# (ConditionVirtualization-gated bridges that need the per-user dbus
# session, like mios-wsl-theme-bridge); the *mios* filter below keeps
# distro defaults out the same way it does for system-preset.
!/usr/lib/systemd/
usr/lib/systemd/*
!/usr/lib/systemd/journald.conf.d/
!/usr/lib/systemd/journald.conf.d/**
!/usr/lib/systemd/system/
!/usr/lib/systemd/system-preset/
!/usr/lib/systemd/user/
!/usr/lib/systemd/user-preset/
!/usr/lib/systemd/zram-generator.conf.d/
!/usr/lib/systemd/zram-generator.conf.d/**
# systemd/system-preset -- *mios* only; blocks 90-default.preset, 90-systemd.preset etc.
usr/lib/systemd/system-preset/*
!/usr/lib/systemd/system-preset/*mios*
# systemd/user -- MiOS-shipped user services only; blocks dbus.service,
# pipewire.service, etc. that the distro packages own.
usr/lib/systemd/user/*
!/usr/lib/systemd/user/mios-*.service
!/usr/lib/systemd/user/mios-*.timer
!/usr/lib/systemd/user/mios-*.target
!/usr/lib/systemd/user/mios-*.path
!/usr/lib/systemd/user/mios-*.socket
# systemd/user-preset -- *mios* only; blocks distro defaults like
# 90-systemd-user.preset.
usr/lib/systemd/user-preset/*
!/usr/lib/systemd/user-preset/*mios*
# systemd/system -- MiOS units and drop-in dirs only; blocks sshd.service, NetworkManager.service etc.
usr/lib/systemd/system/*
!/usr/lib/systemd/system/mios-*.service
!/usr/lib/systemd/system/mios-*.timer
!/usr/lib/systemd/system/mios-*.target
!/usr/lib/systemd/system/mios-*.path
!/usr/lib/systemd/system/mios-*.socket
!/usr/lib/systemd/system/var-*.mount
# hermes-agent.service -- the DIRECT host install of Hermes-Agent
# (automation/38-hermes-agent.sh). Doesn't carry the mios- prefix
# because it IS Hermes-Agent, not a MiOS wrapper; whitelisted explicitly.
!/usr/lib/systemd/system/hermes-agent.service
!/usr/lib/systemd/system/*.service.d/
!/usr/lib/systemd/system/*.service.d/**
!/usr/lib/systemd/system/*.socket.d/
!/usr/lib/systemd/system/*.socket.d/**
!/usr/lib/systemd/system/*.mount.d/
!/usr/lib/systemd/system/*.mount.d/**
!/usr/lib/systemd/system/*.target.d/
!/usr/lib/systemd/system/*.target.d/**
# Exclude all CONTENTS of system-owned service.d dirs MiOS doesn't manage,
# but keep the dirs themselves traversable so the file-level whitelist below
# can re-add MiOS drop-ins. Cascade order matters: parent dirs must be
# unignored before child file patterns can match.
usr/lib/systemd/system/systemd-udev-trigger.service.d/*
usr/lib/systemd/system/user@.service.d/*
usr/lib/systemd/system/user@0.service.d/*
# Allow MiOS-named drop-ins under those system-owned dirs.
# Required for usr/lib/systemd/system/user@.service.d/10-mios-wsl-runtime.conf
# which seeds XDG_RUNTIME_DIR for the systemd user manager when logind is
# skipped under WSL2. Only files matching 10-mios-*.conf are tracked.
!/usr/lib/systemd/system/user@.service.d/10-mios-*.conf
!/usr/lib/systemd/system/user@0.service.d/10-mios-*.conf
!/usr/lib/systemd/system/systemd-udev-trigger.service.d/10-mios-*.conf
# sysusers.d -- MiOS user/group definitions only; blocks basic.conf, dbus.conf etc.
!/usr/lib/sysusers.d/
usr/lib/sysusers.d/*
!/usr/lib/sysusers.d/*mios*
!/usr/lib/sysusers.d/20-podman-machine.conf
# tmpfiles.d -- MiOS tmpfiles only; blocks podman.conf, sudo.conf, systemd-*.conf etc.
!/usr/lib/tmpfiles.d/
usr/lib/tmpfiles.d/*
!/usr/lib/tmpfiles.d/*mios*
# udev -- only MiOS rules; blocks system udev binaries and all other rules
!/usr/lib/udev/
usr/lib/udev/*
!/usr/lib/udev/rules.d/
usr/lib/udev/rules.d/*
!/usr/lib/udev/rules.d/99-kvmfr.rules
!/usr/lib/udev/rules.d/99-mios-gpu.rules
# ─────────────────────────────────────────────────────────────────────────────
# 9b. /var -- KB RAG, training, and evals data (runtime state)
# ─────────────────────────────────────────────────────────────────────────────
!/var/
var/*
!/var/lib/
var/lib/*
!/var/lib/mios/
!/var/lib/mios/**
# /var/lib/flatpak/overrides/ -- per-app environment overrides that
# get applied INSIDE the flatpak sandbox. Tracked here so software-
# rendering defaults survive operator deletions + re-install.
!/var/lib/flatpak/
!/var/lib/flatpak/overrides/
!/var/lib/flatpak/overrides/*
# Cookbooks (was /usr/local/share/mios/cookbooks/), prompt templates
# (was /opt/mios/prompts/), and API examples (was /srv/mios/api/) all
# moved to /usr/share/mios/{cookbooks,prompts,api}/ as of v0.2.3 path-
# consolidation. The single /usr/share/mios/ vendor-read-only home is
# whitelisted further up via !/usr/share/mios/** so no per-subdir
# entries needed.
# ─────────────────────────────────────────────────────────────────────────────
# 9f. /var/lib/mios -- exclude runtime state written by services after boot.
# These files are operationally produced (firstboot sentinels, build-output
# pointers, switch history) and MUST NOT round-trip through `git push`.
# Whitelisted directories are still tracked; only specific runtime files
# are excluded.
# ─────────────────────────────────────────────────────────────────────────────
var/lib/mios/forge/.firstboot-done
var/lib/mios/forge-runner/
var/lib/mios/bootc-switch-history.tsv
var/lib/mios/.wsl-firstboot-done
# ─────────────────────────────────────────────────────────────────────────────
# 10. SAFETY OVERRIDES -- sensitive, volatile, or OS-managed files
# These exclusions always win, regardless of the section 9 allow rules above.
# ─────────────────────────────────────────────────────────────────────────────
etc/.pwd.lock
etc/.updated
etc/shadow*
etc/gshadow*
etc/passwd*
etc/group*
etc/subuid*
etc/subgid*
etc/adjtime
etc/ld.so.cache
usr/lib/containers/storage/
usr/lib/node_modules/
**/__pycache__/
**/*.pyc
**/.DS_Store
**/Thumbs.db
/artifacts/
logs/
*.log
# Operator-authorized passwordless sudo for the mios-hermes agent
# (the user the local Hermes-Agent runs as). Default MiOS posture
# is the opposite (mios-hermes locked down) -- this file is the
# explicit operator authorization. Tracked so it survives builds.
!/etc/sudoers.d/
!/etc/sudoers.d/10-mios-hermes
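The cascade rule stated in the header (unignore every parent, re-ignore its contents, then unignore the owned child) and the section 10 safety overrides can be checked against git's own matcher rather than by reading patterns. The script below is an added example and not part of the MiOS repository: it builds a throwaway repo with a constructed miniature layout (etc/mios, etc/containers/systemd, usr/lib/mios, an empty etc/shadow) and a shortened copy of the cascade, asks `git check-ignore` and `git ls-files` which paths would be staged, and then shows what happens when the parent-unignore step is skipped. It requires the git CLI; every file name and pattern in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the MiOS repository: exercise the cascade rule
# from the header of this .gitignore in a throwaway git repo and ask git
# itself which paths would be tracked. Requires the git CLI; every path,
# file and pattern below is constructed for the demo.
set -eu

# A correct three-step cascade (block all, unignore parent, re-ignore its
# contents, unignore the owned child), plus a section-10 style safety
# override for etc/shadow that must win even inside an unignored etc/.
CASCADE_OK='/*
.*
!/.gitignore
!/etc/
etc/*
!/etc/mios/
!/etc/mios/kb.conf.toml
!/etc/containers/
etc/containers/*
!/etc/containers/systemd/
etc/containers/systemd/*
!/etc/containers/systemd/mios*
!/usr/
usr/*
!/usr/lib/
usr/lib/*
!/usr/lib/mios/
!/usr/lib/mios/**
etc/shadow*'

# The mistake the header warns about: re-including a file whose parent
# directory is still excluded. git never descends into etc/, so the
# negation below has no effect.
CASCADE_BROKEN='/*
!/etc/mios/kb.conf.toml'

# Build a scratch repo laid out like a miniature root overlay, write the
# given .gitignore body into it and print the repo path.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  mkdir -p "$dir/etc/mios" "$dir/etc/containers/systemd" "$dir/usr/lib/mios"
  : > "$dir/etc/mios/kb.conf.toml"                       # MiOS-owned config
  : > "$dir/etc/shadow"                                  # OS secret, never tracked
  : > "$dir/etc/containers/systemd/mios-forge.container" # MiOS Quadlet
  : > "$dir/etc/containers/systemd/vendor.container"     # base-image Quadlet
  : > "$dir/usr/lib/mios/helper.sh"                      # MiOS library file
  printf '%s\n' "$1" > "$dir/.gitignore"
  printf '%s\n' "$dir"
}

# Print "ignored" or "tracked" for one path, using git's own matcher.
# check-ignore exits 0 when the path is ignored and 1 when it is not.
ignore_status() {
  rc=0
  git -C "$1" check-ignore -q -- "$2" || rc=$?
  case $rc in
    0) echo ignored ;;
    1) echo tracked ;;
    *) echo error; return 1 ;;
  esac
}

# Show which pattern (file:line:pattern) git used to decide a path.
explain() {
  git -C "$1" check-ignore -v --non-matching -- "$2" || true
}

# Everything a bare `git add .` would stage: the leak check for a
# root-overlay repo. Anything OS-owned or secret listed here means a
# cascade step is missing.
tracked_paths() {
  git -C "$1" ls-files --others --exclude-standard
}

main() {
  ok=$(make_demo_repo "$CASCADE_OK")
  echo "== correct cascade: paths git would stage =="
  tracked_paths "$ok"
  echo "== deciding pattern per path =="
  for p in etc/mios/kb.conf.toml etc/shadow etc/containers/systemd/vendor.container; do
    explain "$ok" "$p"
  done
  broken=$(make_demo_repo "$CASCADE_BROKEN")
  echo "== broken cascade: etc/mios/kb.conf.toml is $(ignore_status "$broken" etc/mios/kb.conf.toml) =="
  rm -rf "$ok" "$broken"
}

main "$@"
```

Run it from any directory; it cleans up its scratch repos. The `git ls-files --others --exclude-standard` listing is the check worth running against the real root overlay before a push: it is exactly the set of untracked, non-ignored files, so a stray entry such as `etc/shadow` or a vendor Quadlet shows that a parent was unignored without its contents being re-ignored, or that a safety override is missing.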