fix: add security-focused .gitignore entries and .env.example template #231

Open
dmccarty666 wants to merge 2 commits into snarktank:main from dmccarty666:bugfix/cron-34adb1b6
@dmccarty666
Bug Description

The repository was missing security-focused .gitignore entries for sensitive files like .env, API keys, and certificates. Additionally, there was no .env.example template to guide users on environment configuration.

Severity: medium

Root Cause

The initial .gitignore only covered basic build artifacts (node_modules/, dist/) and editor files. It did not include:

  • Environment files (.env, .env.local, .env.*.local)
  • Security-sensitive files (*.key, *.pem, *.secret)
  • Log files (*.log)

There was also no .env.example file to document required environment variables.

Fix

  1. Added comprehensive security-focused entries to .gitignore:

    • Environment files (.env, .env.local, .env.*.local)
    • Security files (*.key, *.pem, *.secret)
    • Log files (*.log)
  2. Created .env.example template with documented environment variables:

    • OPENCLAW_GATEWAY_PASSWORD
    • OPENCLAW_STATE_DIR (optional)
    • OPENCLAW_CONFIG_PATH (optional)
    • HOME (optional)
  3. Updated package-lock.json version from 0.4.1 to 0.5.1 to match package.json

Regression Test

N/A - This is a configuration/documentation change. The security impact was verified by confirming the new .gitignore patterns match common security best practices for Node.js projects.

Verification

  • Confirmed .gitignore patterns follow security best practices
  • Verified .env.example contains all documented environment variables
  • Build passes: npm run build completes successfully
  • All tests pass: npm test completes with 105 passing tests
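
Added example, not part of the pull request or the project's code: a check that runs the ignore patterns listed in the description over a list of tracked paths. It reports files that are already committed (a `.gitignore` entry does not untrack them) and `.env.*` names the listed patterns do not cover. The `TRACKED` sample is constructed, the function names are hypothetical, and the matching is a simplification of gitignore rules (slash-free patterns, no negation).

```python
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Ignore patterns exactly as listed in the PR description. None contains a
# slash, so Git tests each one against a name at any directory depth.
PATTERNS = [".env", ".env.local", ".env.*.local",
            "*.key", "*.pem", "*.secret", "*.log"]

TEMPLATE = ".env.example"  # the committed template; must stay trackable

# Constructed sample standing in for `git ls-files` output.
TRACKED = [
    "package.json", ".env.example", ".env",
    "config/.env.production.local", ".env.production",
    "certs/server.pem", "logs/debug.log", "src/keys.ts",
]


def matching_pattern(path, patterns=PATTERNS):
    """Return the first pattern that ignores `path`, or None.

    A match on a directory name ignores everything beneath it.
    """
    for part in PurePosixPath(path).parts:
        for pattern in patterns:
            if fnmatchcase(part, pattern):
                return pattern
    return None


def audit(tracked):
    """Split tracked paths into committed secrets and uncovered env files."""
    report = {"tracked_but_ignored": [], "env_like_uncovered": []}
    for path in tracked:
        pattern = matching_pattern(path)
        name = PurePosixPath(path).name
        if pattern is not None:
            # .gitignore does not untrack these; they need `git rm --cached`.
            report["tracked_but_ignored"].append((path, pattern))
        elif name.startswith(".env.") and name != TEMPLATE:
            # Looks like an environment file but slips past the patterns.
            report["env_like_uncovered"].append(path)
    return report


if __name__ == "__main__":
    for kind, hits in audit(TRACKED).items():
        print(kind, hits)
```

Any file reported under `tracked_but_ignored` remains in history after it is untracked, so credentials it held should be rotated.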

@vercel
vercel bot commented Feb 22, 2026

Someone is attempting to deploy a commit to the Ryan Team on Vercel.

A member of the Team first needs to authorize it.
