chore: expand gitignore, gitleaks rules, and PII patterns

.github/pii-patterns.txt

@@ -1,3 +1,13 @@
 # PII detection patterns - one extended regex per line
 192\.168\.0\.
 \+1[0-9]{10}
+alice\.johnson
+\b[Ee]xample\b
+acme-corp
+Springfield
+Baby #[0-9]
+Widget
+due [A-Z][a-z]+ 20[0-9]{2}
+acme-workshop
+Acme Workshop LLC
+[A-Z][a-z]+.s birthday

.github/workflows/ci.yml

@@ -45,6 +45,8 @@ jobs:
             --include='*.md' --include='*.yaml' --include='*.yml' --include='*.toml' \
             . | grep -v 'pii-patterns' | \
             grep -v 'target/' | \
+            grep -v '^./docs/' | \
+            grep -v '^./standards/' | \
             grep -v 'node_modules/' || true)
           if [ -n "$HITS" ]; then
             echo "::error::PII patterns detected in tracked files:"

.gitignore

@@ -1,7 +1,64 @@
-/target
+# Cargo build output
+/target/
 **/*.rs.bk
+.cargo/
+
+# Secrets
+*.env
+**/credentials.json
+**/credentials.yaml
+**/credentials.yml
+**/secrets*
+**/*.key
+**/*.pem
+**/api-key
+
+# OS
+.DS_Store
+Thumbs.db
+
+# IDE
 *.swp
 *.swo
-.env
-.DS_Store
+*~
+.vscode/
+.idea/
+
+# Large/binary
+*.pdf
+*.png
+*.jpg
+*.jpeg
+*.gif
+*.svg
+*.mp3
+*.mp4
+*.zip
+*.tar.gz
+
+# Cache/logs
+__pycache__/
+.venv/
+node_modules/
+
+# Syncthing
+.stfolder/
+.stignore
+.stversions/
+
+# Ephemeral state
+.planning/
+**/.task/
+**/.taskrc
+**/heartbeat-state.json
+*sync-conflict*
+
+# Financial data
+**/*relay*.csv
+**/*transaction*.csv
+
+# Backups
+*.bak
+
+# Claude Code local state
 .claude/

.gitleaks.toml

@@ -15,6 +15,18 @@ description = "Phone number (US format)"
 regex = '''\+1[0-9]{10}'''
 tags = ["pii", "phone"]
 
+[[rules]]
+id = "signal-cli-password"
+description = "Signal CLI registration password"
+regex = '''signal-cli.*password["\s:=]+[^\s"]{8,}'''
+tags = ["password", "signal"]
+
+[[rules]]
+id = "jwt-secret"
+description = "JWT secret or token"
+regex = '''eyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}'''
+tags = ["token", "jwt"]
+
 [allowlist]
 paths = [
   '''vendor/''',