Merge the generated .gitignore into an existing one — APPEND any missing entries (never skip-if-present, so an app's
minimal .gitignore can't leave .env.keys/.env.temp UNIGNORED and risk committing the private key). Dedup, preserve app
entries. ENCRYPTED-ENV TRANSITION: if the new baseline ignores .env.keys (the private key) but NOT .env, a plaintext-era
.env ignore is REMOVED — the .env is now COMMITTED with its values encrypted, so ignoring it is wrong (and safe to undo).
Merge the generated .gitignore into an existing one — APPEND any missing entries (never skip-if-present, so an app's minimal .gitignore can't leave
.env.keys/.env.tempUNIGNORED and risk committing the private key). Dedup, preserve app entries. ENCRYPTED-ENV TRANSITION: if the new baseline ignores.env.keys(the private key) but NOT.env, a plaintext-era.envignore is REMOVED — the .env is now COMMITTED with its values encrypted, so ignoring it is wrong (and safe to undo).