I feel like “not stored” and “if added to cursorignore” isn’t enough.
For well known file(-extensions) that store secrets, the default should be to never transfer those files or their partial contents ever.
For my understanding at least such patterns as these should be auto-ignored, no matter what the .gitignore or .cursorignore say:
.env(.*?).git-credentials- Maybe even everything that starts with a dot?
- .npmrc
- config.json
- composer.auth.json
- credentials.json
- id_rsa**,** id_rsa.pub
- aws_credentials
- .dockercfg
- secrets.json**,** apikey.txt,…
- .pem, .crt,…
I guess with a bit of research this list easily gets superlong