fix(gitignore): replace symlink with real file, implement cascade whitelist

mios-dev · claude · web-flow · commit e071798e853c · 2026-04-30T17:32:10.000Z
/.gitignore was a symlink (git opens .gitignore with O_NOFOLLOW, so it was
silently unread — every system file in the / working tree leaked as untracked).

Replaced with a real file. Rewrote the gitignore using a proper cascade
whitelist: each FHS directory level (etc/*, usr/lib/*, etc.) is re-ignored
after its parent is unignored, then only MiOS-named files are selectively
allowed in mixed directories (sysusers.d, tmpfiles.d, systemd/system, etc.).

Result: git status reduced from ~2000 entries to ~393 (all tracked MiOS files).

Note: after editing /workspaces/MiOS/.gitignore, run:
  sudo cp /workspaces/MiOS/.gitignore /.gitignore

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -1,93 +1,297 @@
-# MiOS allow-list. Ignore everything, then unignore what MiOS owns.
+# MiOS Root Overlay - Whitelist .gitignore
+# This repository mirrors the system root (/) for a "Zero-Day" bootc build.
+# STRATEGY: Ignore everything by default, then surgically whitelist only MiOS-owned paths.
+# CASCADE RULE: To allow a nested path, every parent dir must be unignored first,
+#               then the parent's contents must be re-ignored before the child is unignored.
+#
+# IMPORTANT: /.gitignore must be a real file (not a symlink) because git opens it
+#            with O_NOFOLLOW. After editing this file run:
+#            sudo cp /workspaces/MiOS/.gitignore /.gitignore
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 1. BLOCK EVERYTHING
+# ─────────────────────────────────────────────────────────────────────────────
 /*
 .*
 
-# Top-level system docs and metadata
-!README.md
-!VERSION
-!LICENSE
-!LICENSES.md
-!AGENTS.md
-!INDEX.md
-!SECURITY.md
-!SELF-BUILD.md
-!DEPLOY.md
-!SUMMARY.md
-!CONTRIBUTING.md
-
-# Build infrastructure (Containerfile, Justfile, build orchestrators, helpers)
-!Containerfile
-!Justfile
-!build-mios.sh
-!install.sh
-!install.ps1
-!mios-build-local.ps1
-!preflight.ps1
-!push-to-github.ps1
-!image-versions.yml
-!renovate.json
-
-# Repo hygiene
-!.editorconfig
-!.gitattributes
-!.gitignore
-!.github/
-!.devcontainer/
-!.github/**
-!.devcontainer/**
-!.devcontainer/
-
-# Build orchestration trees (placeholder; populated as project grows)
-!automation/
-!automation/**
-!tools/
-!tools/**
-!specs/
-!specs/**
-!config/
-!config/**
-
-# Day 0 AI Artifacts
-!ARCHITECTURE.md
-!ENGINEERING.md
-!llms.txt
-!llms-full.txt
-!system-prompt.md
-!.cursorrules
-!.clinerules
-!root-manifest.json
-!.github/ai-instructions.md
-!.devcontainer/
-
-# FHS overlay -- the deployed system layer
-!usr/
-!usr/**
-!etc/
-!etc/**
-!home/
-!home/**
-!srv/
-!srv/**
-!v1/
-!v1/**
-!artifacts/
-!artifacts/**
-!agents/
-!agents/**
-agents/**/latest-context.json.gz
-
-# Re-ignore noise inside whitelisted dirs
+# ─────────────────────────────────────────────────────────────────────────────
+# 2. REPOSITORY METADATA & TOP-LEVEL DOCS
+# ─────────────────────────────────────────────────────────────────────────────
+!/.gitignore
+!/.gitattributes
+!/.clinerules
+!/.cursorrules
+!/.editorconfig
+!/.github/
+!/.github/**
+!/AGENTS.md
+!/ARCHITECTURE.md
+!/CONTRIBUTING.md
+!/Containerfile
+!/DEPLOY.md
+!/ENGINEERING.md
+!/INDEX.md
+!/Justfile
+!/LICENSE
+!/LICENSES.md
+!/README.md
+!/SECURITY.md
+!/SELF-BUILD.md
+!/SUMMARY.md
+!/VERSION
+!/llms-full.txt
+!/llms.txt
+!/root-manifest.json
+!/image-versions.yml
+!/install.sh
+!/build-mios.sh
+!/mios-build-local.ps1
+!/preflight.ps1
+!/push-to-github.ps1
+!/renovate.json
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 3. MIOS BUILD & AUTOMATION INFRASTRUCTURE
+# ─────────────────────────────────────────────────────────────────────────────
+!/automation/
+!/automation/**
+!/tools/
+!/tools/**
+!/config/
+!/config/**
+!/agents/
+!/agents/**
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 4. /v1 — MiOS AI API surface
+# ─────────────────────────────────────────────────────────────────────────────
+!/v1/
+!/v1/**
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 5. /etc — only MiOS-managed config paths
+# ─────────────────────────────────────────────────────────────────────────────
+!/etc/
+etc/*
+!/etc/.keep
+!/etc/containers/
+etc/containers/*
+!/etc/containers/systemd/
+etc/containers/systemd/*
+!/etc/containers/systemd/mios*
+!/etc/fapolicyd/
+etc/fapolicyd/*
+!/etc/fapolicyd/fapolicyd.rules
+!/etc/mios/
+!/etc/mios/**
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 6. /home — placeholder only (no user data tracked)
+# ─────────────────────────────────────────────────────────────────────────────
+!/home/
+home/*
+!/home/.keep
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 7. /srv — MiOS service data
+# ─────────────────────────────────────────────────────────────────────────────
+!/srv/
+srv/*
+!/srv/.keep
+!/srv/ai/
+!/srv/ai/**
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 8. /root — MiOS shell skeleton for root user
+# ─────────────────────────────────────────────────────────────────────────────
+!/root/
+root/*
+!/root/.bashrc
+!/root/.zshrc
+!/root/.oh-my-zsh/
+!/root/.oh-my-zsh/**
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 9. /usr — full cascade whitelist
+# ─────────────────────────────────────────────────────────────────────────────
+!/usr/
+usr/*
+!/usr/bin/
+!/usr/lib/
+!/usr/libexec/
+!/usr/share/
+
+# usr/bin — only the mios binary
+usr/bin/*
+!/usr/bin/mios
+
+# usr/share — only mios/
+usr/share/*
+!/usr/share/mios/
+!/usr/share/mios/**
+
+# usr/libexec — only mios/
+usr/libexec/*
+!/usr/libexec/mios/
+!/usr/libexec/mios/**
+
+# usr/lib — cascade for each MiOS-owned subdirectory
+usr/lib/*
+
+# Directories containing exclusively MiOS content — allow all via **
+!/usr/lib/NetworkManager/
+!/usr/lib/NetworkManager/**
+!/usr/lib/X11/
+!/usr/lib/X11/**
+!/usr/lib/bootc/
+!/usr/lib/bootc/**
+!/usr/lib/cloud/
+!/usr/lib/cloud/**
+!/usr/lib/cockpit/
+!/usr/lib/cockpit/**
+!/usr/lib/containers/
+!/usr/lib/containers/**
+!/usr/lib/crowdsec/
+!/usr/lib/crowdsec/**
+!/usr/lib/dnf/
+!/usr/lib/dnf/**
+!/usr/lib/dracut/
+!/usr/lib/dracut/**
+!/usr/lib/firewalld/
+!/usr/lib/firewalld/**
+!/usr/lib/greenboot/
+!/usr/lib/greenboot/**
+!/usr/lib/libvirt/
+!/usr/lib/libvirt/**
+!/usr/lib/locale.conf
+!/usr/lib/multipath.conf
+!/usr/lib/ostree/
+!/usr/lib/ostree/**
+!/usr/lib/rancher/
+!/usr/lib/rancher/**
+!/usr/lib/repart.d/
+!/usr/lib/repart.d/**
+!/usr/lib/ssh/
+!/usr/lib/ssh/**
+!/usr/lib/sssd/
+!/usr/lib/sssd/**
+!/usr/lib/sudoers.d/
+!/usr/lib/sudoers.d/**
+!/usr/lib/sysupdate.d/
+!/usr/lib/sysupdate.d/**
+!/usr/lib/usbguard/
+!/usr/lib/usbguard/**
+!/usr/lib/uupd/
+!/usr/lib/uupd/**
+!/usr/lib/waydroid/
+!/usr/lib/waydroid/**
+!/usr/lib/wsl-distribution.conf
+!/usr/lib/wsl.conf
+!/usr/lib/xrdp/
+!/usr/lib/xrdp/**
+
+# Mixed directories (MiOS + OS files) — cascade with MiOS-specific patterns
+
+# environment.d — MiOS named *mios*.conf only; blocks 99-environment.conf etc.
+!/usr/lib/environment.d/
+usr/lib/environment.d/*
+!/usr/lib/environment.d/*mios*
+
+# modprobe.d — MiOS blacklist/nvidia/kvmfr/mios-* only; blocks dist-blacklist.conf, systemd.conf
+!/usr/lib/modprobe.d/
+usr/lib/modprobe.d/*
+!/usr/lib/modprobe.d/blacklist-*
+!/usr/lib/modprobe.d/kvmfr.conf
+!/usr/lib/modprobe.d/*mios*
+!/usr/lib/modprobe.d/nvidia*
+
+# modules-load.d — MiOS *mios* only; blocks fuse-overlayfs.conf etc.
+!/usr/lib/modules-load.d/
+usr/lib/modules-load.d/*
+!/usr/lib/modules-load.d/*mios*
+
+# pam.d — MiOS PAM files only; blocks systemd-run0, systemd-user etc.
+!/usr/lib/pam.d/
+usr/lib/pam.d/*
+!/usr/lib/pam.d/mios-*
+!/usr/lib/pam.d/password-auth
+!/usr/lib/pam.d/system-auth
+
+# profile.d — all MiOS content
+!/usr/lib/profile.d/
+!/usr/lib/profile.d/**
+
+# sysctl.d — MiOS *mios* only; blocks 10-default-yama-scope.conf, 50-*.conf etc.
+!/usr/lib/sysctl.d/
+usr/lib/sysctl.d/*
+!/usr/lib/sysctl.d/*mios*
+
+# systemd — only MiOS-managed subdirs; blocks user/, user-generators/, timesyncd.conf etc.
+!/usr/lib/systemd/
+usr/lib/systemd/*
+!/usr/lib/systemd/journald.conf.d/
+!/usr/lib/systemd/journald.conf.d/**
+!/usr/lib/systemd/system/
+!/usr/lib/systemd/system-preset/
+!/usr/lib/systemd/zram-generator.conf.d/
+!/usr/lib/systemd/zram-generator.conf.d/**
+
+# systemd/system-preset — *mios* only; blocks 90-default.preset, 90-systemd.preset etc.
+usr/lib/systemd/system-preset/*
+!/usr/lib/systemd/system-preset/*mios*
+
+# systemd/system — MiOS units and drop-in dirs only; blocks sshd.service, NetworkManager.service etc.
+usr/lib/systemd/system/*
+!/usr/lib/systemd/system/mios-*.service
+!/usr/lib/systemd/system/mios-*.timer
+!/usr/lib/systemd/system/mios-*.target
+!/usr/lib/systemd/system/var-*.mount
+!/usr/lib/systemd/system/*.service.d/
+!/usr/lib/systemd/system/*.service.d/**
+# Exclude system-owned service.d dirs that MiOS doesn't manage
+usr/lib/systemd/system/systemd-udev-trigger.service.d/
+usr/lib/systemd/system/user@.service.d/
+usr/lib/systemd/system/user@0.service.d/
+
+# sysusers.d — MiOS user/group definitions only; blocks basic.conf, dbus.conf etc.
+!/usr/lib/sysusers.d/
+usr/lib/sysusers.d/*
+!/usr/lib/sysusers.d/*mios*
+!/usr/lib/sysusers.d/20-podman-machine.conf
+
+# tmpfiles.d — MiOS tmpfiles only; blocks podman.conf, sudo.conf, systemd-*.conf etc.
+!/usr/lib/tmpfiles.d/
+usr/lib/tmpfiles.d/*
+!/usr/lib/tmpfiles.d/*mios*
+
+# udev — only MiOS rules; blocks system udev binaries and all other rules
+!/usr/lib/udev/
+usr/lib/udev/*
+!/usr/lib/udev/rules.d/
+usr/lib/udev/rules.d/*
+!/usr/lib/udev/rules.d/99-kvmfr.rules
+!/usr/lib/udev/rules.d/99-mios-gpu.rules
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 10. SAFETY OVERRIDES — sensitive, volatile, or OS-managed files
+# These exclusions always win regardless of section 9 allows above.
+# ─────────────────────────────────────────────────────────────────────────────
+etc/.pwd.lock
+etc/.updated
+etc/shadow*
+etc/gshadow*
+etc/passwd*
+etc/group*
+etc/subuid*
+etc/subgid*
+etc/adjtime
+etc/ld.so.cache
+usr/lib/containers/storage/
+usr/lib/node_modules/
 **/__pycache__/
 **/*.pyc
 **/.DS_Store
 **/Thumbs.db
-
-# MiOS Runtime/Build Artifacts
+/artifacts/
 logs/
 *.log
-/artifacts/*.gz
-/artifacts/*.iso
-/artifacts/*.qcow2
-/artifacts/*.vhdx
-/artifacts/*.xz
-/artifacts/*.raw
