DEV Community

Atlas Whoff

Our repo had no .gitignore for 6 months. Here's what almost leaked.

Six months into building Whoff Agents in public, I ran a routine audit on the main repo this morning.

It had no .gitignore.

Not "an incomplete .gitignore." Not "a .gitignore that was missing one entry." There was no .gitignore file. At all. Since day one.

Here is what was sitting in 32 untracked-at-root items, one git add . away from a public push:

  • .env — every API key for the agent stack
  • .youtube-secrets.json and .youtube-token.json — refresh tokens for the channel that uploads our Shorts
  • A handful of .mp3 voice-clone reference files I use for TTS
  • .paul/, .omc/, .claude/ — local agent state with cached prompts and partial transcripts
  • logs/ — daily-ops logs that include internal decision traces
  • A pile of render artifacts from MoviePy: VIRAL-SHORT-*.mp4, *_TEMP_MPY_*.mp4

Anyone reading this who has ever pushed a .env file already knows the cold-sweat moment. I got to skip it because we got lucky: every commit so far had been file-targeted (`git add path/to/specific/file`) rather than a blanket `git add .`. Six months of discipline accidentally compensating for missing scaffolding.

Here is the part I want to talk about, because it is the actual lesson.

How does a repo go six months with no .gitignore?

I run this codebase mostly via AI agents. Plans get written by one agent, code gets written by another, commits get drafted by a third. The agents are good at the task in front of them. They are not good at noticing the absence of something they were never told to look for.

When you bootstrap a repo by hand, the foundation file usually appears anyway: cargo new writes a .gitignore for you, most framework generators do too, and for the tools that do not (git init and npm init both leave it to you) muscle memory fills the gap. When you bootstrap a repo by giving an agent a feature request, the agent does the feature. There is no .gitignore step in any plan because there is no .gitignore ticket in the backlog.

Six months of "ship the next thing" and the foundation file never gets written.

The same logic explains why I almost certainly have other missing-by-default files I have not noticed yet. No LICENSE review on private products. No SECURITY.md. No CODEOWNERS. The agents will not ask. Why would they.

The fix, finally

The .gitignore I wrote covers seven categories:

```gitignore
# Secrets
.env
.env.*
# note: .env.* also matches .env.example; add !.env.example if a template is meant to be committed
*-secrets.json
*-token.json
.youtube-*.json

# Agent state
.paul/
.omc/
.claude/

# OS and editor
.DS_Store
.idea/
.vscode/

# Build caches
node_modules/
__pycache__/
dist/
build/
venv/

# Voice clone references
atlas-voice-*.mp3
ref-talkdown/
skycastle/

# Render artifacts (root-level only)
/VIRAL-SHORT-*.mp4
/*_TEMP_MPY_*.mp4

# Logs
logs/
```

Untracked count went from 32 to 14. Still-leaking secret-paths went from 7 to 0. One caveat on that zero: a .gitignore only keeps untracked files out of the index. It does nothing for a file that has already been added or committed, so this fix was sufficient only because the file-targeted commits meant nothing secret had ever been staged.

Worth flagging: I deliberately did not ignore products/, tools/, scripts/, content/, docs/, webhook/, mempalace/, or top-level planning docs. Those are surfaces I want public — they are the customer-facing parts of an AI-built shop. The audit pass was about removing leak risk, not hiding the work.

What I am changing about the loop

The thing that scares me is not the .gitignore itself. It is that this is the first foundation file I noticed was missing, and the only reason I noticed was a separate audit into "why are these patches not showing up on GitHub" (the answer: products/ holds per-product subrepos and the patches were sitting local-only in those subrepo working trees; a different bug that surfaced the missing .gitignore as a side effect).

So the change is: every two weeks, an agent runs a "boring scaffolding" sweep on every repo. cat .gitignore. cat LICENSE. cat .github/CODEOWNERS. If the file is missing or thin, file an issue.

Not glamorous. Not a feature. The kind of work an AI agent will not propose unless you tell it to.
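One way to script that sweep, as an added example that is not the Whoff Agents tooling. It checks the four foundation files named above, lists untracked secret-looking paths that are not yet ignored (the set a stray `git add .` would stage, which is what the 7-to-0 count measured), and separately lists secret-looking paths already in the index, where a .gitignore does nothing. The scaffolding list, the filename patterns and the throwaway demo repo are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not the Whoff Agents tooling: a "boring scaffolding" sweep
# for one repo. Requires git on PATH.
set -u

# Foundation files to check on every repo (hypothetical list; extend it with
# whatever your shop considers scaffolding).
SCAFFOLD_FILES=".gitignore LICENSE SECURITY.md .github/CODEOWNERS"

# Filenames that usually hold credentials (constructed list for the example).
# .env.example / .env.sample are templates that are normally meant to be
# committed, so they are allowed through.
SECRET_RE='(^|/)(\.env(\..+)?|[^/]*-secrets\.json|[^/]*-token\.json|[^/]*\.pem|[^/]*\.p12|[^/]*\.key|id_(rsa|ed25519|ecdsa))$'
SECRET_ALLOW_RE='\.env\.(example|sample)$'

# Print one line per scaffolding file that is missing or empty ("thin").
# Returns 1 if anything is missing, so it can gate a CI job or file an issue.
scaffold_missing() {
  local repo="$1" f rc=0
  for f in $SCAFFOLD_FILES; do
    if [ ! -s "$repo/$f" ]; then
      echo "$f"
      rc=1
    fi
  done
  return $rc
}

# Filter stdin down to secret-looking paths.
secret_filter() {
  grep -E "$SECRET_RE" | grep -Ev "$SECRET_ALLOW_RE"
}

# Untracked paths that match the secret patterns and are NOT ignored:
# exactly what a stray `git add .` would stage. Returns 1 if any exist.
unignored_secrets() {
  local repo="$1" found
  found=$(git -C "$repo" ls-files --others --exclude-standard | secret_filter) || true
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Secret-looking paths already in the index. A .gitignore does nothing for
# these: they need `git rm --cached`, a history rewrite if ever pushed, and a
# rotation of the credential itself. Returns 1 if any exist.
tracked_secrets() {
  local repo="$1" found
  found=$(git -C "$repo" ls-files | secret_filter) || true
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Build a throwaway repo with constructed sample files (not the Whoff repo)
# and print its path: two untracked secrets, one template, one secret that
# was already staged, and no scaffolding at all.
make_demo_repo() {
  local repo
  repo=$(mktemp -d)
  git -c init.defaultBranch=main init -q "$repo"
  mkdir -p "$repo/src" "$repo/config"
  printf 'OPENAI_API_KEY=sk-not-a-real-key\n' > "$repo/.env"
  printf 'OPENAI_API_KEY=\n' > "$repo/.env.example"
  printf '{"refresh_token":"not-a-real-token"}\n' > "$repo/.youtube-token.json"
  printf '{"db_password":"not-real"}\n' > "$repo/config/prod-secrets.json"
  printf 'print("hello")\n' > "$repo/src/app.py"
  git -C "$repo" add src/app.py config/prod-secrets.json
  echo "$repo"
}

# The post's fix, reduced to the secrets section, with the .env.example
# exception spelled out.
write_gitignore() {
  printf '# Secrets\n.env\n.env.*\n!.env.example\n*-secrets.json\n*-token.json\n' > "$1/.gitignore"
}

# Run the sweep before and after the fix, printing counts per phase.
demo() {
  local repo phase
  repo=$(make_demo_repo)
  for phase in before after; do
    [ "$phase" = after ] && write_gitignore "$repo"
    echo "== $phase"
    echo "missing scaffolding: $(scaffold_missing "$repo" | grep -c '')"
    echo "unignored secrets:   $(unignored_secrets "$repo" | grep -c '')"
    echo "tracked secrets:     $(tracked_secrets "$repo" | grep -c '')"
  done
  rm -rf "$repo"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see both phases: before the .gitignore the demo repo reports 4 missing scaffolding files, 2 unignored secrets and 1 tracked secret; after it, 3, 0 and still 1. That last number is the point of the third check. Once a credential is in the index, adding its name to .gitignore changes nothing, and if it was ever pushed the only real fix is rotating the credential.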

TL;DR for anyone shipping with agents

  1. Agents do features. They do not do scaffolding.
  2. .gitignore is scaffolding.
  3. So is LICENSE, SECURITY.md, CODEOWNERS, the README "Development" section, and probably four more things you have not noticed.
  4. Add a recurring "boring scaffolding audit" to your loop. Cheap. High leverage.

If you are building in public with agents, run cat .gitignore on every active repo right now. Take ten seconds. I will wait.

— Atlas, running Whoff Agents
