@indigoai-us/hq-cloud 5.15.0 → 5.17.0

package/src/cli/share.ts

@@ -185,6 +185,32 @@ export interface ShareOptions {
    * full-tree bidirectional runner opts in.
    */
   propagateDeletes?: boolean;
+  /**
+   * Policy for which journal entries `propagateDeletes` is willing to
+   * convert into remote `DeleteObject` calls. Only consulted when
+   * `propagateDeletes === true`.
+   *
+   *   - `"owned-only"` (default, safer): only entries whose journal
+   *     `direction === "up"` are eligible. That is, only files this
+   *     machine previously uploaded can be remotely deleted on its
+   *     behalf. Entries the journal records as pulled from elsewhere
+   *     (`direction === "down"`) are never delete-propagated — the
+   *     local absence may just be an unpulled state or a filter
+   *     mismatch, both of which previously caused this machine to
+   *     erase other machines' uploads.
+   *   - `"all"`: legacy behaviour — every in-scope journal entry whose
+   *     local file is missing is eligible (regardless of direction). The
+   *     bidirectional runner's first-push and any tool that wants to
+   *     mirror a destructive local checkout opts in here explicitly.
+   *
+   * Independently of this policy, an entry is also dropped from the
+   * plan when `shouldSync(localPath, false) === false` — i.e. the
+   * current ignore filter would have skipped the path on pull. That
+   * symmetry blocks the failure mode where a path was filtered locally
+   * but lived in the vault (and the journal) from an older HQ layout
+   * or a different machine, causing the next push to erase it.
+   */
+  propagateDeletePolicy?: "owned-only" | "all";
   /**
    * Identity stamped onto each uploaded object's S3 user metadata
    * (`created-by`, `created-by-sub`, `created-at`). The hq-console vault UI
@@ -236,6 +262,14 @@ export interface ShareResult {
  */
 export async function share(options: ShareOptions): Promise<ShareResult> {
   const { paths, company, message, onConflict, vaultConfig, entityContext, hqRoot, skipUnchanged, propagateDeletes } = options;
+  // Default to the safer "owned-only" policy when delete-propagation is on
+  // but the caller hasn't pinned a policy. Pre-existing callers that passed
+  // `propagateDeletes: true` (the `sync now` push leg, the runner's
+  // bidirectional sync, the `--all` fanout) thereby flip to the safer
+  // semantics automatically. Set `propagateDeletePolicy: "all"` explicitly
+  // to opt back into the legacy any-missing-file-deletes behaviour.
+  const propagateDeletePolicy: "owned-only" | "all" =
+    options.propagateDeletePolicy ?? "owned-only";
   const emit = options.onEvent ?? defaultConsoleLogger;
 
   // Exactly-one-of contract: either we vend (vaultConfig) or the caller did
@@ -316,7 +350,13 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
     ? resolveDeleteScopeRoots(paths, hqRoot, syncRoot)
     : [];
   const deletePlan = propagateDeletes === true
-    ? computeDeletePlan(journal, syncRoot, deleteScopeRoots)
+    ? computeDeletePlan(
+        journal,
+        syncRoot,
+        deleteScopeRoots,
+        shouldSync,
+        propagateDeletePolicy,
+      )
     : [];
 
   emit({
@@ -681,18 +721,37 @@ function resolveDeleteScopeRoots(
 
 /**
  * Walk every journal key in `scopeRoots` whose local file is missing from
- * disk, and return the keys to delete. A key is in-scope when it matches
- * (or sits beneath) one of the resolved prefixes. Empty `scopeRoots` ⇒
- * empty plan (caller didn't opt in).
+ * disk and return the keys eligible for a remote `DeleteObject`. An entry
+ * is in the plan only when ALL of the following hold:
+ *
+ *   1. Its key matches (or sits beneath) one of the `scopeRoots` prefixes.
+ *   2. Its local file is missing from disk.
+ *   3. The current ignore filter (`shouldSync`) accepts the key — so paths
+ *      filtered out by `.hqignore` / `.gitignore` / `DEFAULT_IGNORES` are
+ *      never delete-propagated. This blocks the failure mode where a path
+ *      lives in the vault (and the journal) but the local walk skips it
+ *      because of asymmetric ignore rules; without this guard the push
+ *      leg would erase it.
+ *   4. When `policy === "owned-only"`: the journal entry's `direction`
+ *      is `"up"` (i.e. this machine previously uploaded the file). This
+ *      blocks the failure mode where a behind machine's first `sync now`
+ *      push leg would otherwise erase recent uploads from peers, since
+ *      those entries are recorded as `direction: "down"` (pulled) or
+ *      absent (never seen). Set `policy: "all"` to opt back into the
+ *      legacy any-missing-file-deletes behaviour.
+ *
+ * Empty `scopeRoots` ⇒ empty plan (caller didn't opt in).
  */
 function computeDeletePlan(
   journal: SyncJournal,
   syncRoot: string,
   scopeRoots: string[],
+  shouldSync: (filePath: string, isDir?: boolean) => boolean,
+  policy: "owned-only" | "all",
 ): string[] {
   if (scopeRoots.length === 0) return [];
   const out: string[] = [];
-  for (const relativeKey of Object.keys(journal.files)) {
+  for (const [relativeKey, entry] of Object.entries(journal.files)) {
     const inScope = scopeRoots.some(
       (root) =>
         root === "" ||
@@ -701,9 +760,14 @@ function computeDeletePlan(
     );
     if (!inScope) continue;
     const localPath = path.join(syncRoot, relativeKey);
-    if (!fs.existsSync(localPath)) {
-      out.push(relativeKey);
-    }
+    if (fs.existsSync(localPath)) continue;
+    // (3) Symmetric filter guard. `shouldSync` is constructed from the same
+    //     hqRoot the pull leg uses, so a key the pull would have skipped
+    //     ("ignored") is also one we must not delete-propagate.
+    if (!shouldSync(localPath, false)) continue;
+    // (4) Direction guard under "owned-only" policy.
+    if (policy === "owned-only" && entry.direction !== "up") continue;
+    out.push(relativeKey);
   }
   return out;
 }

package/src/index.ts

@@ -50,8 +50,14 @@ export {
 } from "./cognito-auth.js";
 export type { CognitoAuthConfig, CognitoTokens } from "./cognito-auth.js";
 
+// Personal-vault scope helpers — shared between hq-sync-runner and `hq sync`
+export {
+  PERSONAL_VAULT_EXCLUDED_TOP_LEVEL,
+  computePersonalVaultPaths,
+} from "./personal-vault.js";
+
 // VaultClient SDK (VLT-7)
-export { VaultClient } from "./vault-client.js";
+export { VaultClient, pickCanonicalPersonEntity } from "./vault-client.js";
 export {
   VaultClientError,
   VaultAuthError,

package/src/personal-vault.ts

@@ -0,0 +1,63 @@
+/**
+ * Personal-vault scope helpers — shared between the menubar runner
+ * (`hq-sync-runner`) and the `hq sync` CLI so every composer of a personal
+ * push uses the same exclusion list.
+ *
+ * The exclusion list mirrors the Rust constant of the same name in
+ * `hq-sync/src-tauri/src/commands/personal.rs` so the Tauri menubar's
+ * first-push and this Node engine's steady-state push enforce identical
+ * scope. Every other top-level entry under hq_root (e.g. `.claude/`,
+ * `knowledge/`, `modules/`, `README.md`, `.codex/`, `core/`, `data/`,
+ * `personal/`) is included, subject to the usual `.hqignore` filter.
+ *
+ * Excluded entries (and why):
+ *   - `.git`: a git repo's own metadata is hostile to multi-machine
+ *     sync; .gitignore alone doesn't cover `.git/` because it's the repo
+ *     itself, not a tracked path.
+ *   - `companies/`: synced separately by the runner's per-membership
+ *     fanout; do not double-write into the personal vault.
+ *   - `repos/`, `workspace/`: per user directive — heavy local-only
+ *     content (cloned remotes, session threads) that has no business in
+ *     the personal vault.
+ *
+ * Note: `core/`, `data/`, and `personal/` were previously excluded but are
+ * INCLUDED as of user directive 2026-05-13. `core/` ships the hq-core
+ * scaffold — policies/, settings/, skills/, workers/, plus the rules
+ * manifest at core/core.yaml. `data/` and `personal/` carry per-user data,
+ * policies, hooks, and skills that follow the user across machines. The
+ * hq-root identity marker `core.yaml` (at hq_root, distinct from
+ * `core/core.yaml`) is filtered separately by the root-anchored
+ * `/core.yaml` DEFAULT_IGNORES rule.
+ */
+
+import * as fs from "fs";
+import * as path from "path";
+
+export const PERSONAL_VAULT_EXCLUDED_TOP_LEVEL: readonly string[] = [
+  ".git",
+  "companies",
+  "repos",
+  "workspace",
+];
+
+/**
+ * Compute absolute paths to share for the personal vault: every top-level
+ * entry under `hqRoot` whose basename is NOT in
+ * `PERSONAL_VAULT_EXCLUDED_TOP_LEVEL`. Mirrors the Rust
+ * `is_personal_vault_path` predicate (just hoisted to the top-level step).
+ * Order is whatever `fs.readdirSync` returns — share() doesn't care, and
+ * the per-file walk inside share() handles recursion uniformly. Missing
+ * hqRoot returns []; callers treat that as "no personal content to push"
+ * rather than a hard error.
+ */
+export function computePersonalVaultPaths(hqRoot: string): string[] {
+  let entries: string[];
+  try {
+    entries = fs.readdirSync(hqRoot);
+  } catch {
+    return [];
+  }
+  return entries
+    .filter((name) => !PERSONAL_VAULT_EXCLUDED_TOP_LEVEL.includes(name))
+    .map((name) => path.join(hqRoot, name));
+}