@indigoai-us/hq-cloud 5.2.1 → 5.3.0

package/dist/ignore.d.ts

@@ -1,17 +1,23 @@
 /**
  * Ignore-file parser for cloud sync.
  *
- * Three layers, evaluated in order (later patterns override earlier ones):
- *   1. Built-in defaults — things that should *never* sync (VCS, node_modules,
- *      build artifacts, caches, env files). Cover the common stacks so that a
- *      first-time sync over a random project folder doesn't try to push
- *      `target/`, `node_modules/`, or `.next/` to S3.
- *   2. Repo `.gitignore` at hqRoot — reuses the user's existing exclusions so
- *      we don't re-list every build directory ourselves. Root-level only; we
- *      do not recurse like real git.
- *   3. `.hqignore` (preferred) or `.hqsyncignore` (legacy name) at hqRoot —
- *      sync-specific overrides. Use `!pattern` to re-include something an
- *      earlier layer excluded.
+ * Two modes:
+ *   - **Permissive (default)**: everything syncs except what ignore layers
+ *     subtract. Three layers stack (later overrides earlier):
+ *       1. Built-in defaults — VCS, node_modules, build artifacts, caches,
+ *          env files. Covers the common stacks so a first-time sync over a
+ *          random project folder doesn't push `target/` or `.next/` to S3.
+ *       2. Repo `.gitignore` at hqRoot — reuses existing exclusions so we
+ *          don't re-list every build directory. Root-level only.
+ *       3. `.hqignore` (preferred) or `.hqsyncignore` (legacy) — sync-specific
+ *          overrides. Use `!pattern` to re-include something earlier layers
+ *          excluded.
+ *
+ *   - **Allowlist**: triggered when `.hqinclude` exists at hqRoot. Nothing
+ *     syncs unless its path matches at least one pattern in `.hqinclude`. The
+ *     three exclusion layers still subtract on top — so even allowlisted
+ *     subtrees won't push `node_modules/` or `.env`. Privacy-by-default for
+ *     HQ trees that contain mixed personal + shareable data.
  */
 export declare const DEFAULT_IGNORES: string[];
 export declare function createIgnoreFilter(hqRoot: string): (filePath: string) => boolean;

package/dist/ignore.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ignore.d.ts","sourceRoot":"","sources":["../src/ignore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAQH,eAAO,MAAM,eAAe,UAsD3B,CAAC;AAWF,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAsBhF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,QAAQ,SAAmB,GAC1B,OAAO,CAOT"}
+{"version":3,"file":"ignore.d.ts","sourceRoot":"","sources":["../src/ignore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAQH,eAAO,MAAM,eAAe,UAsD3B,CAAC;AAWF,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAiChF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,QAAQ,SAAmB,GAC1B,OAAO,CAOT"}

package/dist/ignore.js

@@ -1,17 +1,23 @@
 /**
  * Ignore-file parser for cloud sync.
  *
- * Three layers, evaluated in order (later patterns override earlier ones):
- *   1. Built-in defaults — things that should *never* sync (VCS, node_modules,
- *      build artifacts, caches, env files). Cover the common stacks so that a
- *      first-time sync over a random project folder doesn't try to push
- *      `target/`, `node_modules/`, or `.next/` to S3.
- *   2. Repo `.gitignore` at hqRoot — reuses the user's existing exclusions so
- *      we don't re-list every build directory ourselves. Root-level only; we
- *      do not recurse like real git.
- *   3. `.hqignore` (preferred) or `.hqsyncignore` (legacy name) at hqRoot —
- *      sync-specific overrides. Use `!pattern` to re-include something an
- *      earlier layer excluded.
+ * Two modes:
+ *   - **Permissive (default)**: everything syncs except what ignore layers
+ *     subtract. Three layers stack (later overrides earlier):
+ *       1. Built-in defaults — VCS, node_modules, build artifacts, caches,
+ *          env files. Covers the common stacks so a first-time sync over a
+ *          random project folder doesn't push `target/` or `.next/` to S3.
+ *       2. Repo `.gitignore` at hqRoot — reuses existing exclusions so we
+ *          don't re-list every build directory. Root-level only.
+ *       3. `.hqignore` (preferred) or `.hqsyncignore` (legacy) — sync-specific
+ *          overrides. Use `!pattern` to re-include something earlier layers
+ *          excluded.
+ *
+ *   - **Allowlist**: triggered when `.hqinclude` exists at hqRoot. Nothing
+ *     syncs unless its path matches at least one pattern in `.hqinclude`. The
+ *     three exclusion layers still subtract on top — so even allowlisted
+ *     subtrees won't push `node_modules/` or `.env`. Privacy-by-default for
+ *     HQ trees that contain mixed personal + shareable data.
  */
 import * as fs from "fs";
 import * as path from "path";
@@ -89,11 +95,23 @@ export function createIgnoreFilter(hqRoot) {
         readIgnoreFile(path.join(hqRoot, ".hqsyncignore"));
     if (hqignore)
         ig.add(hqignore);
+    // Allowlist mode: when `.hqinclude` exists, sync is opt-in. The matcher
+    // here treats include patterns as ignore patterns and inverts the verdict —
+    // a path is "allowed" iff its relative path matches at least one entry.
+    // Exclusion layers above still subtract, so build artifacts inside an
+    // allowlisted subtree (e.g. node_modules/ inside companies/x/repos/y/) are
+    // still skipped.
+    const hqinclude = readIgnoreFile(path.join(hqRoot, ".hqinclude"));
+    const includeMatcher = hqinclude ? ignore().add(hqinclude) : null;
     return (filePath) => {
         const relative = path.relative(hqRoot, filePath);
         if (!relative || relative.startsWith(".."))
             return true; // outside HQ root
-        return !ig.ignores(relative);
+        if (ig.ignores(relative))
+            return false;
+        if (includeMatcher && !includeMatcher.ignores(relative))
+            return false;
+        return true;
     };
 }
 /**

package/dist/ignore.js.map

@@ -1 +1 @@
-{"version":3,"file":"ignore.js","sourceRoot":"","sources":["../src/ignore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,4DAA4D;AAC5D,sDAAsD;AACtD,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,WAAW;IACX,OAAO;IACP,MAAM;IACN,WAAW;IACX,WAAW;IAEX,YAAY;IACZ,eAAe;IACf,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,cAAc;IACd,SAAS;IACT,gBAAgB;IAChB,QAAQ;IACR,WAAW;IAEX,eAAe;IACf,SAAS;IAET,SAAS;IACT,cAAc;IACd,OAAO;IACP,gBAAgB;IAChB,cAAc;IACd,cAAc;IACd,QAAQ;IACR,OAAO;IAEP,mBAAmB;IACnB,SAAS;IACT,MAAM;IACN,SAAS;IAET,wBAAwB;IACxB,SAAS;IACT,MAAM;IACN,OAAO;IAEP,kDAAkD;IAClD,OAAO;IACP,cAAc;IACd,uBAAuB;IACvB,qBAAqB;IACrB,cAAc;IAEd,sDAAsD;IACtD,QAAQ;IAER,gBAAgB;IAChB,MAAM;IACN,QAAQ;CACT,CAAC;AAEF,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAEpB,6BAA6B;IAC7B,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAExB,4EAA4E;IAC5E,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC;IAClE,IAAI,SAAS;QAAE,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEjC,sEAAsE;IACtE,mDAAmD;IACnD,MAAM,QAAQ,GACZ,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC9C,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;IACrD,IAAI,QAAQ;QAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE/B,OAAO,CAAC,QAAgB,EAAW,EAAE;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,kBAAkB;QAC3E,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,QAAQ,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI;IAE3B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC,IAAI,IAAI,QAAQ,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
+{"version":3,"file":"ignore.js","sourceRoot":"","sources":["../src/ignore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,4DAA4D;AAC5D,sDAAsD;AACtD,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,WAAW;IACX,OAAO;IACP,MAAM;IACN,WAAW;IACX,WAAW;IAEX,YAAY;IACZ,eAAe;IACf,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,cAAc;IACd,SAAS;IACT,gBAAgB;IAChB,QAAQ;IACR,WAAW;IAEX,eAAe;IACf,SAAS;IAET,SAAS;IACT,cAAc;IACd,OAAO;IACP,gBAAgB;IAChB,cAAc;IACd,cAAc;IACd,QAAQ;IACR,OAAO;IAEP,mBAAmB;IACnB,SAAS;IACT,MAAM;IACN,SAAS;IAET,wBAAwB;IACxB,SAAS;IACT,MAAM;IACN,OAAO;IAEP,kDAAkD;IAClD,OAAO;IACP,cAAc;IACd,uBAAuB;IACvB,qBAAqB;IACrB,cAAc;IAEd,sDAAsD;IACtD,QAAQ;IAER,gBAAgB;IAChB,MAAM;IACN,QAAQ;CACT,CAAC;AAEF,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAEpB,6BAA6B;IAC7B,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAExB,4EAA4E;IAC5E,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC;IAClE,IAAI,SAAS;QAAE,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEjC,sEAAsE;IACtE,mDAAmD;IACnD,MAAM,QAAQ,GACZ,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC9C,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;IACrD,IAAI,QAAQ;QAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE/B,wEAAwE;IACxE,4EAA4E;IAC5E,wEAAwE;IACxE,sEAAsE;IACtE,2EAA2E;IAC3E,iBAAiB;IACjB,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,SAAS,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAElE,OAAO,CAAC,QAAgB,EAAW,EAAE;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,kBAAkB;QAC3E,IAAI,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,IAAI,cAAc,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,QAAQ,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI;IAE3B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC,IAAI,IAAI,QAAQ,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/ignore.test.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Unit tests for createIgnoreFilter.
+ *
+ * Covers both modes: legacy permissive (no .hqinclude) and allowlist mode
+ * (.hqinclude present). The allowlist tests guard against accidentally
+ * leaking sensitive subtrees like data/ or workers/ to S3 — a regression
+ * here would silently push private content on the next sync.
+ */
+export {};
+//# sourceMappingURL=ignore.test.d.ts.map

package/dist/ignore.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ignore.test.d.ts","sourceRoot":"","sources":["../src/ignore.test.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}

package/dist/ignore.test.js

@@ -0,0 +1,57 @@
+/**
+ * Unit tests for createIgnoreFilter.
+ *
+ * Covers both modes: legacy permissive (no .hqinclude) and allowlist mode
+ * (.hqinclude present). The allowlist tests guard against accidentally
+ * leaking sensitive subtrees like data/ or workers/ to S3 — a regression
+ * here would silently push private content on the next sync.
+ */
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { createIgnoreFilter } from "./ignore.js";
+describe("createIgnoreFilter", () => {
+    let hqRoot;
+    beforeEach(() => {
+        hqRoot = fs.mkdtempSync(path.join(os.tmpdir(), "hq-ignore-test-"));
+    });
+    afterEach(() => {
+        fs.rmSync(hqRoot, { recursive: true, force: true });
+    });
+    it("permissive mode: regular files sync, defaults are ignored", () => {
+        const shouldSync = createIgnoreFilter(hqRoot);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/notes.md"))).toBe(true);
+        expect(shouldSync(path.join(hqRoot, "node_modules/foo/x.js"))).toBe(false);
+        expect(shouldSync(path.join(hqRoot, ".env"))).toBe(false);
+    });
+    it("permissive mode: .hqignore patterns are honored", () => {
+        fs.writeFileSync(path.join(hqRoot, ".hqignore"), "companies/*/data/\n");
+        const shouldSync = createIgnoreFilter(hqRoot);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/data/x.csv"))).toBe(false);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/notes.md"))).toBe(true);
+    });
+    it("allowlist mode: presence of .hqinclude switches to opt-in", () => {
+        fs.writeFileSync(path.join(hqRoot, ".hqinclude"), "companies/*/knowledge/\ncompanies/*/projects/\n");
+        const shouldSync = createIgnoreFilter(hqRoot);
+        // Allowlisted paths sync.
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/knowledge/foo.md"))).toBe(true);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/projects/p1/prd.json"))).toBe(true);
+        // Anything else stays local — this is the privacy guarantee.
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/data/leads.csv"))).toBe(false);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/workers/cmo/skill.md"))).toBe(false);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/settings/aws.json"))).toBe(false);
+        expect(shouldSync(path.join(hqRoot, "personal/journal/2026-04-26.md"))).toBe(false);
+    });
+    it("allowlist mode: exclusion layers still subtract on top", () => {
+        // Even when a subtree is allowlisted, default ignores like node_modules/
+        // and .env must still apply. Otherwise an allowlisted subdir would sync
+        // gigabytes of dependency junk or leak secret env files.
+        fs.writeFileSync(path.join(hqRoot, ".hqinclude"), "companies/*/projects/\n");
+        const shouldSync = createIgnoreFilter(hqRoot);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/projects/p1/prd.json"))).toBe(true);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/projects/p1/node_modules/react/index.js"))).toBe(false);
+        expect(shouldSync(path.join(hqRoot, "companies/indigo/projects/p1/.env"))).toBe(false);
+    });
+});
+//# sourceMappingURL=ignore.test.js.map

package/dist/ignore.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ignore.test.js","sourceRoot":"","sources":["../src/ignore.test.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9E,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3E,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,qBAAqB,CAAC,CAAC;QACxE,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,6BAA6B,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,EAAE,CAAC,aAAa,CACd,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,EAC/B,iDAAiD,CAClD,CAAC;QACF,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC9C,0BAA0B;QAC1B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,mCAAmC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uCAAuC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1F,6DAA6D;QAC7D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,iCAAiC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uCAAuC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3F,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,oCAAoC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,gCAAgC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,yEAAyE;QACzE,wEAAwE;QACxE,yDAAyD;QACzD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,yBAAyB,CAAC,CAAC;QAC7E,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,CACJ,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uCAAuC,CAAC,CAAC,CACvE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,MAAM,CACJ,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,0DAA0D,CAAC,CAAC,CAC1F,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,mCAAmC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@indigoai-us/hq-cloud",
-  "version": "5.2.1",
+  "version": "5.3.0",
   "description": "HQ by Indigo cloud sync engine — bidirectional S3 sync for mobile access",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/ignore.test.ts

@@ -0,0 +1,71 @@
+/**
+ * Unit tests for createIgnoreFilter.
+ *
+ * Covers both modes: legacy permissive (no .hqinclude) and allowlist mode
+ * (.hqinclude present). The allowlist tests guard against accidentally
+ * leaking sensitive subtrees like data/ or workers/ to S3 — a regression
+ * here would silently push private content on the next sync.
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { createIgnoreFilter } from "./ignore.js";
+
+describe("createIgnoreFilter", () => {
+  let hqRoot: string;
+
+  beforeEach(() => {
+    hqRoot = fs.mkdtempSync(path.join(os.tmpdir(), "hq-ignore-test-"));
+  });
+
+  afterEach(() => {
+    fs.rmSync(hqRoot, { recursive: true, force: true });
+  });
+
+  it("permissive mode: regular files sync, defaults are ignored", () => {
+    const shouldSync = createIgnoreFilter(hqRoot);
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/notes.md"))).toBe(true);
+    expect(shouldSync(path.join(hqRoot, "node_modules/foo/x.js"))).toBe(false);
+    expect(shouldSync(path.join(hqRoot, ".env"))).toBe(false);
+  });
+
+  it("permissive mode: .hqignore patterns are honored", () => {
+    fs.writeFileSync(path.join(hqRoot, ".hqignore"), "companies/*/data/\n");
+    const shouldSync = createIgnoreFilter(hqRoot);
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/data/x.csv"))).toBe(false);
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/notes.md"))).toBe(true);
+  });
+
+  it("allowlist mode: presence of .hqinclude switches to opt-in", () => {
+    fs.writeFileSync(
+      path.join(hqRoot, ".hqinclude"),
+      "companies/*/knowledge/\ncompanies/*/projects/\n",
+    );
+    const shouldSync = createIgnoreFilter(hqRoot);
+    // Allowlisted paths sync.
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/knowledge/foo.md"))).toBe(true);
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/projects/p1/prd.json"))).toBe(true);
+    // Anything else stays local — this is the privacy guarantee.
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/data/leads.csv"))).toBe(false);
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/workers/cmo/skill.md"))).toBe(false);
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/settings/aws.json"))).toBe(false);
+    expect(shouldSync(path.join(hqRoot, "personal/journal/2026-04-26.md"))).toBe(false);
+  });
+
+  it("allowlist mode: exclusion layers still subtract on top", () => {
+    // Even when a subtree is allowlisted, default ignores like node_modules/
+    // and .env must still apply. Otherwise an allowlisted subdir would sync
+    // gigabytes of dependency junk or leak secret env files.
+    fs.writeFileSync(path.join(hqRoot, ".hqinclude"), "companies/*/projects/\n");
+    const shouldSync = createIgnoreFilter(hqRoot);
+    expect(
+      shouldSync(path.join(hqRoot, "companies/indigo/projects/p1/prd.json")),
+    ).toBe(true);
+    expect(
+      shouldSync(path.join(hqRoot, "companies/indigo/projects/p1/node_modules/react/index.js")),
+    ).toBe(false);
+    expect(shouldSync(path.join(hqRoot, "companies/indigo/projects/p1/.env"))).toBe(false);
+  });
+});

package/src/ignore.ts

@@ -1,17 +1,23 @@
 /**
  * Ignore-file parser for cloud sync.
  *
- * Three layers, evaluated in order (later patterns override earlier ones):
- *   1. Built-in defaults — things that should *never* sync (VCS, node_modules,
- *      build artifacts, caches, env files). Cover the common stacks so that a
- *      first-time sync over a random project folder doesn't try to push
- *      `target/`, `node_modules/`, or `.next/` to S3.
- *   2. Repo `.gitignore` at hqRoot — reuses the user's existing exclusions so
- *      we don't re-list every build directory ourselves. Root-level only; we
- *      do not recurse like real git.
- *   3. `.hqignore` (preferred) or `.hqsyncignore` (legacy name) at hqRoot —
- *      sync-specific overrides. Use `!pattern` to re-include something an
- *      earlier layer excluded.
+ * Two modes:
+ *   - **Permissive (default)**: everything syncs except what ignore layers
+ *     subtract. Three layers stack (later overrides earlier):
+ *       1. Built-in defaults — VCS, node_modules, build artifacts, caches,
+ *          env files. Covers the common stacks so a first-time sync over a
+ *          random project folder doesn't push `target/` or `.next/` to S3.
+ *       2. Repo `.gitignore` at hqRoot — reuses existing exclusions so we
+ *          don't re-list every build directory. Root-level only.
+ *       3. `.hqignore` (preferred) or `.hqsyncignore` (legacy) — sync-specific
+ *          overrides. Use `!pattern` to re-include something earlier layers
+ *          excluded.
+ *
+ *   - **Allowlist**: triggered when `.hqinclude` exists at hqRoot. Nothing
+ *     syncs unless its path matches at least one pattern in `.hqinclude`. The
+ *     three exclusion layers still subtract on top — so even allowlisted
+ *     subtrees won't push `node_modules/` or `.env`. Privacy-by-default for
+ *     HQ trees that contain mixed personal + shareable data.
  */
 
 import * as fs from "fs";
@@ -102,10 +108,21 @@ export function createIgnoreFilter(hqRoot: string): (filePath: string) => boolea
     readIgnoreFile(path.join(hqRoot, ".hqsyncignore"));
   if (hqignore) ig.add(hqignore);
 
+  // Allowlist mode: when `.hqinclude` exists, sync is opt-in. The matcher
+  // here treats include patterns as ignore patterns and inverts the verdict —
+  // a path is "allowed" iff its relative path matches at least one entry.
+  // Exclusion layers above still subtract, so build artifacts inside an
+  // allowlisted subtree (e.g. node_modules/ inside companies/x/repos/y/) are
+  // still skipped.
+  const hqinclude = readIgnoreFile(path.join(hqRoot, ".hqinclude"));
+  const includeMatcher = hqinclude ? ignore().add(hqinclude) : null;
+
   return (filePath: string): boolean => {
     const relative = path.relative(hqRoot, filePath);
     if (!relative || relative.startsWith("..")) return true; // outside HQ root
-    return !ig.ignores(relative);
+    if (ig.ignores(relative)) return false;
+    if (includeMatcher && !includeMatcher.ignores(relative)) return false;
+    return true;
   };
 }