@indigoai-us/hq-cloud 5.24.0 → 5.25.0

package/dist/personal-vault-exclusions.d.ts

@@ -0,0 +1,128 @@
+/**
+ * Personal-vault default exclusions — second-tier scope filter that complements
+ * `PERSONAL_VAULT_EXCLUDED_TOP_LEVEL` (`.git`, `companies`, `repos`,
+ * `workspace`) in `./personal-vault.ts`.
+ *
+ * Where the top-level constant filters the four big buckets at scope root, this
+ * file filters categories of nested files that ride along with an HQ install
+ * but have no business round-tripping to a personal vault — regardless of
+ * where they sit in the tree:
+ *
+ *   1. Secrets at root or nested. `.env`, `.env.local`, `.env.<anything>`,
+ *      `.mcp.json`. Pre-fix these were being uploaded if the user hadn't
+ *      added `.env` to their `.hqignore` (the default starter `.hqignore`
+ *      only listed `companies/*\/settings/`).
+ *
+ *   2. Machine-local state. `.beads/` (SQLite issue-tracker + WAL/SHM),
+ *      `.obsidian/`, `.vercel/`, `.cache_*`. Per-machine layouts/caches;
+ *      multi-device sync either corrupts (SQLite WAL) or causes spurious
+ *      churn (caches regenerate on demand).
+ *
+ *   3. Update-flow scratch. `output/`, `_legacy-*` directories. Created by
+ *      `/update-hq` / `/promote-hq-core` workflows as checkout scratch;
+ *      naming themselves "legacy" / sitting under "output" is a self-
+ *      declared "do not preserve" signal.
+ *
+ *   4. Pre-5.24 conflict mirror dir. `.hq-conflicts/` is a directory of
+ *      mirror copies from older sync runs (sibling to the now-fixed
+ *      `.conflict-YYYY-MM-DDTHH-MM-SSZ-{hash}.{ext}` ephemeral files
+ *      handled by `EPHEMERAL_PATH_PATTERN` in share.ts). Same logic
+ *      applies: these are local-only safety backups.
+ *
+ *   5. OS / build cruft. `.DS_Store`, `node_modules/`, `dist/`, `.next/`,
+ *      `build/`. Universally noise inside HQ (personal scope should not
+ *      contain code projects, but defense-in-depth catches anyone who
+ *      symlinks a project subtree in).
+ *
+ * Policy: refuse + warn (5.25 default). The walk filter drops these so they
+ * never upload; the delete-plan walker uses the same filter so already-
+ * journaled entries that match a new exclusion get orphaned in the journal
+ * (no DELETE issued, no churn). A one-shot purge script handles the cleanup
+ * of objects that landed on remote before this version.
+ *
+ * Application scope: personal vault only. Company vaults have separate
+ * first-push protection (settings/, data/, workers/, .git/ exclusion in
+ * `src-tauri/src/util/ignore.rs`) and may legitimately ship `output/` or
+ * `.env*` paths inside their data folders. Wired in `share.ts` only when
+ * `options.personalMode === true`.
+ *
+ * Wire-points (parallel to `EPHEMERAL_PATH_PATTERN`):
+ *   - `collectFiles` / `walkDir` (push) — wrap `shouldSync` so excluded
+ *     relative paths are rejected before upload.
+ *   - `computeDeletePlan` (delete) — same `shouldSync` wrap, so journal
+ *     entries matching an exclusion are skipped on the delete pass too.
+ */
+/**
+ * Each entry is matched against the relative path from the personal-vault
+ * sync root (which IS hq_root in personalMode), using forward-slash
+ * separators. Patterns:
+ *
+ *   - `prefix:foo/`   — match if the path starts with `foo/` or equals `foo`
+ *                       (handles both the dir itself and any descendant)
+ *   - `basename:.env` — match if any path segment equals `.env`
+ *   - `basename:.env-prefix:.env.` — match if the basename starts with `.env.`
+ *   - `segment:node_modules` — match if any path segment equals literally
+ *
+ * The literal-segment form catches nested cases (e.g., `repos/foo/node_modules/`
+ * is already excluded by top-level repos/ skip, but `personal/x/node_modules/`
+ * would slip through without segment matching).
+ */
+export interface PersonalVaultExclusion {
+    /** Internal id for telemetry / explainability in events. */
+    id: string;
+    /** Human-readable category for the warning event. */
+    category: "secret" | "machine-local" | "scratch" | "conflict-mirror" | "os-cruft" | "build-output";
+    /**
+     * Predicate. Pure: relative path (forward-slash separated, no leading slash)
+     * + optional isDir hint. Returns true to EXCLUDE.
+     */
+    test: (relPath: string, isDir?: boolean) => boolean;
+    /** Doc-only — shown alongside `id` in the warning event sample. */
+    pattern: string;
+}
+/**
+ * Cheap segment-equality check. Avoids allocating a regex per call.
+ */
+declare function hasSegment(relPath: string, segment: string): boolean;
+declare function basename(relPath: string): string;
+export declare const PERSONAL_VAULT_DEFAULT_EXCLUSIONS: readonly PersonalVaultExclusion[];
+/**
+ * First-match result for a path. Returns the matching exclusion (so callers
+ * can surface category/id in events) or undefined for "not excluded".
+ */
+export declare function matchPersonalVaultExclusion(relPath: string, isDir?: boolean): PersonalVaultExclusion | undefined;
+/**
+ * Boolean version — true if any exclusion matches.
+ */
+export declare function isPersonalVaultExcluded(relPath: string, isDir?: boolean): boolean;
+/**
+ * Wrap an existing path filter (typically from `createIgnoreFilter`) with the
+ * personal-vault default exclusions. The wrapper:
+ *
+ *   1. Calls the underlying filter first; if it already rejects, defer
+ *      (counter does not fire — we only want to count things the underlying
+ *      filter would have allowed but the personal-vault defaults reject).
+ *   2. Computes a relative path from `syncRoot` (the personal-vault sync
+ *      root, which is hq_root in personalMode).
+ *   3. Probes `matchPersonalVaultExclusion`; if it matches, returns false
+ *      and tags the match via `onExcluded` so the runner can emit a single
+ *      `personal-vault-out-of-policy` event with a count + sample at end of
+ *      run.
+ *
+ * The wrapper keeps the `(absolutePath, isDir) => boolean` shape the existing
+ * collectFiles / walkDir / computeDeletePlan code already uses, so wiring is
+ * a single line change at the share() filter construction site.
+ */
+export declare function wrapFilterWithPersonalVaultDefaults(underlying: (absPath: string, isDir?: boolean) => boolean, syncRoot: string, onExcluded: (relPath: string, match: PersonalVaultExclusion) => void): (absPath: string, isDir?: boolean) => boolean;
+/**
+ * Test-only export. Mirrors the `_testing` namespace pattern used by
+ * `share.ts` for `EPHEMERAL_PATH_PATTERN` — direct access to the list +
+ * internal helpers for regression-critical pinning without round-tripping
+ * through share().
+ */
+export declare const _testing: {
+    hasSegment: typeof hasSegment;
+    basename: typeof basename;
+};
+export {};
+//# sourceMappingURL=personal-vault-exclusions.d.ts.map

package/dist/personal-vault-exclusions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-vault-exclusions.d.ts","sourceRoot":"","sources":["../src/personal-vault-exclusions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAIH;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,sBAAsB;IACrC,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,qDAAqD;IACrD,QAAQ,EACJ,QAAQ,GACR,eAAe,GACf,SAAS,GACT,iBAAiB,GACjB,UAAU,GACV,cAAc,CAAC;IACnB;;;OAGG;IACH,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC;IACpD,mEAAmE;IACnE,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,iBAAS,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAI7D;AAED,iBAAS,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAGzC;AAED,eAAO,MAAM,iCAAiC,EAAE,SAAS,sBAAsB,EAsG9E,CAAC;AAEF;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,MAAM,EACf,KAAK,CAAC,EAAE,OAAO,GACd,sBAAsB,GAAG,SAAS,CAKpC;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,GAAG,OAAO,CAEjF;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,mCAAmC,CACjD,UAAU,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,KAAK,OAAO,EACzD,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,KAAK,OAAO,CAY/C;AAED;;;;;GAKG;AACH,eAAO,MAAM,QAAQ;;;CAGpB,CAAC"}

package/dist/personal-vault-exclusions.js

@@ -0,0 +1,231 @@
+/**
+ * Personal-vault default exclusions — second-tier scope filter that complements
+ * `PERSONAL_VAULT_EXCLUDED_TOP_LEVEL` (`.git`, `companies`, `repos`,
+ * `workspace`) in `./personal-vault.ts`.
+ *
+ * Where the top-level constant filters the four big buckets at scope root, this
+ * file filters categories of nested files that ride along with an HQ install
+ * but have no business round-tripping to a personal vault — regardless of
+ * where they sit in the tree:
+ *
+ *   1. Secrets at root or nested. `.env`, `.env.local`, `.env.<anything>`,
+ *      `.mcp.json`. Pre-fix these were being uploaded if the user hadn't
+ *      added `.env` to their `.hqignore` (the default starter `.hqignore`
+ *      only listed `companies/*\/settings/`).
+ *
+ *   2. Machine-local state. `.beads/` (SQLite issue-tracker + WAL/SHM),
+ *      `.obsidian/`, `.vercel/`, `.cache_*`. Per-machine layouts/caches;
+ *      multi-device sync either corrupts (SQLite WAL) or causes spurious
+ *      churn (caches regenerate on demand).
+ *
+ *   3. Update-flow scratch. `output/`, `_legacy-*` directories. Created by
+ *      `/update-hq` / `/promote-hq-core` workflows as checkout scratch;
+ *      naming themselves "legacy" / sitting under "output" is a self-
+ *      declared "do not preserve" signal.
+ *
+ *   4. Pre-5.24 conflict mirror dir. `.hq-conflicts/` is a directory of
+ *      mirror copies from older sync runs (sibling to the now-fixed
+ *      `.conflict-YYYY-MM-DDTHH-MM-SSZ-{hash}.{ext}` ephemeral files
+ *      handled by `EPHEMERAL_PATH_PATTERN` in share.ts). Same logic
+ *      applies: these are local-only safety backups.
+ *
+ *   5. OS / build cruft. `.DS_Store`, `node_modules/`, `dist/`, `.next/`,
+ *      `build/`. Universally noise inside HQ (personal scope should not
+ *      contain code projects, but defense-in-depth catches anyone who
+ *      symlinks a project subtree in).
+ *
+ * Policy: refuse + warn (5.25 default). The walk filter drops these so they
+ * never upload; the delete-plan walker uses the same filter so already-
+ * journaled entries that match a new exclusion get orphaned in the journal
+ * (no DELETE issued, no churn). A one-shot purge script handles the cleanup
+ * of objects that landed on remote before this version.
+ *
+ * Application scope: personal vault only. Company vaults have separate
+ * first-push protection (settings/, data/, workers/, .git/ exclusion in
+ * `src-tauri/src/util/ignore.rs`) and may legitimately ship `output/` or
+ * `.env*` paths inside their data folders. Wired in `share.ts` only when
+ * `options.personalMode === true`.
+ *
+ * Wire-points (parallel to `EPHEMERAL_PATH_PATTERN`):
+ *   - `collectFiles` / `walkDir` (push) — wrap `shouldSync` so excluded
+ *     relative paths are rejected before upload.
+ *   - `computeDeletePlan` (delete) — same `shouldSync` wrap, so journal
+ *     entries matching an exclusion are skipped on the delete pass too.
+ */
+import * as path from "path";
+/**
+ * Cheap segment-equality check. Avoids allocating a regex per call.
+ */
+function hasSegment(relPath, segment) {
+    if (relPath === segment)
+        return true;
+    if (relPath.startsWith(`${segment}/`))
+        return true;
+    return relPath.includes(`/${segment}/`) || relPath.endsWith(`/${segment}`);
+}
+function basename(relPath) {
+    const i = relPath.lastIndexOf("/");
+    return i === -1 ? relPath : relPath.slice(i + 1);
+}
+export const PERSONAL_VAULT_DEFAULT_EXCLUSIONS = [
+    // ── secrets ───────────────────────────────────────────────────────────
+    {
+        id: "env-file",
+        category: "secret",
+        pattern: "**/.env, **/.env.*",
+        test: (p) => {
+            const b = basename(p);
+            return b === ".env" || b.startsWith(".env.");
+        },
+    },
+    {
+        id: "mcp-config",
+        category: "secret",
+        pattern: "**/.mcp.json",
+        test: (p) => basename(p) === ".mcp.json",
+    },
+    // ── machine-local tooling state ───────────────────────────────────────
+    {
+        id: "beads-db",
+        category: "machine-local",
+        pattern: "**/.beads/**",
+        test: (p) => hasSegment(p, ".beads"),
+    },
+    {
+        id: "obsidian-workspace",
+        category: "machine-local",
+        pattern: "**/.obsidian/**",
+        test: (p) => hasSegment(p, ".obsidian"),
+    },
+    {
+        id: "vercel-link",
+        category: "machine-local",
+        pattern: "**/.vercel/**",
+        test: (p) => hasSegment(p, ".vercel"),
+    },
+    {
+        id: "cache-dir",
+        category: "machine-local",
+        pattern: "**/.cache_*",
+        test: (p) => basename(p).startsWith(".cache_"),
+    },
+    // ── update-flow scratch ───────────────────────────────────────────────
+    {
+        id: "update-output",
+        category: "scratch",
+        pattern: "**/output/**",
+        test: (p) => hasSegment(p, "output"),
+    },
+    {
+        id: "legacy-dir",
+        category: "scratch",
+        pattern: "**/_legacy-*/**",
+        test: (p) => {
+            // Match any segment that starts with `_legacy-` or `_legacy_` or equals `_legacy`.
+            const segs = p.split("/");
+            return segs.some((s) => s === "_legacy" || s.startsWith("_legacy-") || s.startsWith("_legacy_"));
+        },
+    },
+    // ── pre-5.24 conflict mirror directory ────────────────────────────────
+    // Sibling to EPHEMERAL_PATH_PATTERN (handles the .conflict-<iso>-<hash>.ext
+    // file form). This handles the older directory form some HQ installs
+    // accumulated.
+    {
+        id: "hq-conflicts-dir",
+        category: "conflict-mirror",
+        pattern: "**/.hq-conflicts/**",
+        test: (p) => hasSegment(p, ".hq-conflicts"),
+    },
+    // ── OS / build cruft ──────────────────────────────────────────────────
+    {
+        id: "ds-store",
+        category: "os-cruft",
+        pattern: "**/.DS_Store",
+        test: (p) => basename(p) === ".DS_Store",
+    },
+    {
+        id: "node-modules",
+        category: "build-output",
+        pattern: "**/node_modules/**",
+        test: (p) => hasSegment(p, "node_modules"),
+    },
+    {
+        id: "dist-dir",
+        category: "build-output",
+        pattern: "**/dist/**",
+        test: (p) => hasSegment(p, "dist"),
+    },
+    {
+        id: "next-dir",
+        category: "build-output",
+        pattern: "**/.next/**",
+        test: (p) => hasSegment(p, ".next"),
+    },
+    {
+        id: "build-dir",
+        category: "build-output",
+        pattern: "**/build/**",
+        test: (p) => hasSegment(p, "build"),
+    },
+];
+/**
+ * First-match result for a path. Returns the matching exclusion (so callers
+ * can surface category/id in events) or undefined for "not excluded".
+ */
+export function matchPersonalVaultExclusion(relPath, isDir) {
+    for (const ex of PERSONAL_VAULT_DEFAULT_EXCLUSIONS) {
+        if (ex.test(relPath, isDir))
+            return ex;
+    }
+    return undefined;
+}
+/**
+ * Boolean version — true if any exclusion matches.
+ */
+export function isPersonalVaultExcluded(relPath, isDir) {
+    return matchPersonalVaultExclusion(relPath, isDir) !== undefined;
+}
+/**
+ * Wrap an existing path filter (typically from `createIgnoreFilter`) with the
+ * personal-vault default exclusions. The wrapper:
+ *
+ *   1. Calls the underlying filter first; if it already rejects, defer
+ *      (counter does not fire — we only want to count things the underlying
+ *      filter would have allowed but the personal-vault defaults reject).
+ *   2. Computes a relative path from `syncRoot` (the personal-vault sync
+ *      root, which is hq_root in personalMode).
+ *   3. Probes `matchPersonalVaultExclusion`; if it matches, returns false
+ *      and tags the match via `onExcluded` so the runner can emit a single
+ *      `personal-vault-out-of-policy` event with a count + sample at end of
+ *      run.
+ *
+ * The wrapper keeps the `(absolutePath, isDir) => boolean` shape the existing
+ * collectFiles / walkDir / computeDeletePlan code already uses, so wiring is
+ * a single line change at the share() filter construction site.
+ */
+export function wrapFilterWithPersonalVaultDefaults(underlying, syncRoot, onExcluded) {
+    return (absPath, isDir) => {
+        if (!underlying(absPath, isDir))
+            return false;
+        const rel = path.relative(syncRoot, absPath).split(path.sep).join("/");
+        if (rel === "" || rel.startsWith(".."))
+            return true; // outside scope, defer
+        const match = matchPersonalVaultExclusion(rel, isDir);
+        if (match) {
+            onExcluded(rel, match);
+            return false;
+        }
+        return true;
+    };
+}
+/**
+ * Test-only export. Mirrors the `_testing` namespace pattern used by
+ * `share.ts` for `EPHEMERAL_PATH_PATTERN` — direct access to the list +
+ * internal helpers for regression-critical pinning without round-tripping
+ * through share().
+ */
+export const _testing = {
+    hasSegment,
+    basename,
+};
+//# sourceMappingURL=personal-vault-exclusions.js.map

package/dist/personal-vault-exclusions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-vault-exclusions.js","sourceRoot":"","sources":["../src/personal-vault-exclusions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAqC7B;;GAEG;AACH,SAAS,UAAU,CAAC,OAAe,EAAE,OAAe;IAClD,IAAI,OAAO,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,OAAO,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,EAAE,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,QAAQ,CAAC,OAAe;IAC/B,MAAM,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACnC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,MAAM,iCAAiC,GAAsC;IAClF,yEAAyE;IACzE;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,oBAAoB;QAC7B,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE;YACV,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;YACtB,OAAO,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC/C,CAAC;KACF;IACD;QACE,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,WAAW;KACzC;IACD,yEAAyE;IACzE;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,QAAQ,CAAC;KACrC;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,iBAAiB;QAC1B,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,WAAW,CAAC;KACxC;IACD;QACE,EAAE,EAAE,aAAa;QACjB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,SAAS,CAAC;KACtC;IACD;QACE,EAAE,EAAE,WAAW;QACf,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC;KAC/C;IACD,yEAAyE;IACzE;QACE,EAAE,EAAE,eAAe;QACnB,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,QAAQ,CAAC;KACrC;IACD;QACE,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,iBAAiB;QAC1B,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE;YACV,mFAAmF;YACnF,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC1B,OAAO,IAAI,CAAC,IAAI,CACd,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,IAAI,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAC/E,CAAC;QACJ,CAAC;KACF;IACD,yEAAyE;IACzE,4EAA4E;IAC5E,qEAAqE;IACrE,eAAe;IACf;QACE,EAAE,EAAE,kBAAkB;QACtB,QAAQ,EAAE,iBAAiB;QAC3B,OAAO,EAAE,qBAAqB;QAC9B,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,eAAe,CAAC;KAC5C;IACD,yEAAyE;IACzE;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,WAAW;KACzC;IACD;QACE,EAAE,EAAE,cAAc;QAClB,QAAQ,EAAE,cAAc;QACxB,OAAO,EAAE,oBAAoB;QAC7B,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,cAAc;QACxB,OAAO,EAAE,YAAY;QACrB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,MAAM,CAAC;KACnC;IACD;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,cAAc;QACxB,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,OAAO,CAAC;KACpC;IACD;QACE,EAAE,EAAE,WAAW;QACf,QAAQ,EAAE,cAAc;QACxB,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,OAAO,CAAC;KACpC;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAe,EACf,KAAe;IAEf,KAAK,MAAM,EAAE,IAAI,iCAAiC,EAAE,CAAC;QACnD,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;IACzC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAe,EAAE,KAAe;IACtE,OAAO,2BAA2B,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,SAAS,CAAC;AACnE,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,mCAAmC,CACjD,UAAyD,EACzD,QAAgB,EAChB,UAAoE;IAEpE,OAAO,CAAC,OAAe,EAAE,KAAe,EAAE,EAAE;QAC1C,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvE,IAAI,GAAG,KAAK,EAAE,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,uBAAuB;QAC5E,MAAM,KAAK,GAAG,2BAA2B,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACvB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,UAAU;IACV,QAAQ;CACT,CAAC"}

package/dist/personal-vault-exclusions.test.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Tests for `personal-vault-exclusions.ts`. Pin the regex / segment contracts
+ * for every entry in PERSONAL_VAULT_DEFAULT_EXCLUSIONS so a future edit that
+ * relaxes one (e.g. dropping the `_legacy-` prefix match, or changing the
+ * `.cache_*` shape) surfaces here instead of in the field.
+ *
+ * Two test layers:
+ *
+ *   1. Per-rule predicate tests. Each exclusion is exercised with at least
+ *      one match-positive and one match-negative path so the regex shape is
+ *      pinned. The `byId` event field on the runner uses `ex.id` directly,
+ *      so the id stability is part of the contract too — tests assert
+ *      against the literal id string.
+ *
+ *   2. Filter-wrap integration. Confirms that `wrapFilterWithPersonalVaultDefaults`
+ *      defers to the underlying filter, computes the relative path correctly,
+ *      and only fires the `onExcluded` callback when the underlying filter
+ *      WOULD have allowed the path (so the count tracks only "newly blocked
+ *      by these defaults", not "blocked by .hqignore too").
+ */
+export {};
+//# sourceMappingURL=personal-vault-exclusions.test.d.ts.map

package/dist/personal-vault-exclusions.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-vault-exclusions.test.d.ts","sourceRoot":"","sources":["../src/personal-vault-exclusions.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG"}

package/dist/personal-vault-exclusions.test.js

@@ -0,0 +1,198 @@
+/**
+ * Tests for `personal-vault-exclusions.ts`. Pin the regex / segment contracts
+ * for every entry in PERSONAL_VAULT_DEFAULT_EXCLUSIONS so a future edit that
+ * relaxes one (e.g. dropping the `_legacy-` prefix match, or changing the
+ * `.cache_*` shape) surfaces here instead of in the field.
+ *
+ * Two test layers:
+ *
+ *   1. Per-rule predicate tests. Each exclusion is exercised with at least
+ *      one match-positive and one match-negative path so the regex shape is
+ *      pinned. The `byId` event field on the runner uses `ex.id` directly,
+ *      so the id stability is part of the contract too — tests assert
+ *      against the literal id string.
+ *
+ *   2. Filter-wrap integration. Confirms that `wrapFilterWithPersonalVaultDefaults`
+ *      defers to the underlying filter, computes the relative path correctly,
+ *      and only fires the `onExcluded` callback when the underlying filter
+ *      WOULD have allowed the path (so the count tracks only "newly blocked
+ *      by these defaults", not "blocked by .hqignore too").
+ */
+import { describe, expect, it } from "vitest";
+import * as path from "node:path";
+import { PERSONAL_VAULT_DEFAULT_EXCLUSIONS, isPersonalVaultExcluded, matchPersonalVaultExclusion, wrapFilterWithPersonalVaultDefaults, _testing, } from "./personal-vault-exclusions.js";
+describe("PERSONAL_VAULT_DEFAULT_EXCLUSIONS", () => {
+    it("exports a non-empty, frozen-shaped list", () => {
+        expect(PERSONAL_VAULT_DEFAULT_EXCLUSIONS.length).toBeGreaterThan(10);
+        // Every entry has the four required fields; this pins the public shape
+        // so a future addition without `category` or `id` fails fast.
+        for (const ex of PERSONAL_VAULT_DEFAULT_EXCLUSIONS) {
+            expect(typeof ex.id).toBe("string");
+            expect(ex.id.length).toBeGreaterThan(0);
+            expect(typeof ex.category).toBe("string");
+            expect(typeof ex.test).toBe("function");
+            expect(typeof ex.pattern).toBe("string");
+        }
+    });
+    it("has unique ids (event byId aggregation requires it)", () => {
+        const ids = new Set();
+        for (const ex of PERSONAL_VAULT_DEFAULT_EXCLUSIONS) {
+            expect(ids.has(ex.id)).toBe(false);
+            ids.add(ex.id);
+        }
+    });
+});
+// ── Per-rule predicate matrix ───────────────────────────────────────────────
+//
+// One block per rule. The positives prove "this path SHOULD be excluded"; the
+// negatives prove "this path SHOULD NOT" (guards against over-broad regexes
+// that would block legitimate user content).
+describe("env-file exclusion (secrets)", () => {
+    it.each([".env", ".env.local", ".env.production", "core/.env", "personal/.env.local"])("matches %s", (p) => {
+        expect(isPersonalVaultExcluded(p)).toBe(true);
+        expect(matchPersonalVaultExclusion(p)?.id).toBe("env-file");
+    });
+    it.each(["envconfig.md", ".env-example.md", "core/policies/env-vars.md"])("does NOT match %s", (p) => {
+        // ".env-example.md" is intentionally a negative — the basename starts
+        // with ".env-", not ".env." (dot vs hyphen). We want to allow docs
+        // that reference env-vars without the regex grabbing them.
+        const m = matchPersonalVaultExclusion(p);
+        expect(m?.id).not.toBe("env-file");
+    });
+});
+describe("mcp-config exclusion (secrets)", () => {
+    it.each([".mcp.json", "personal/.mcp.json", "core/.claude/.mcp.json"])("matches %s", (p) => {
+        expect(matchPersonalVaultExclusion(p)?.id).toBe("mcp-config");
+    });
+    it.each(["mcp.json", "core/policies/mcp.md", ".mcp.example.json"])("does NOT match %s", (p) => {
+        expect(matchPersonalVaultExclusion(p)?.id).not.toBe("mcp-config");
+    });
+});
+describe("beads exclusion (machine-local SQLite)", () => {
+    it.each([
+        ".beads/beads.db",
+        ".beads/beads.db-wal",
+        ".beads/beads.db-shm",
+        ".beads/beads.left.jsonl",
+        "personal/.beads/issue.json",
+    ])("matches %s", (p) => {
+        expect(matchPersonalVaultExclusion(p)?.id).toBe("beads-db");
+    });
+    it.each(["beads.md", "core/knowledge/beads-guide.md"])("does NOT match %s", (p) => {
+        expect(matchPersonalVaultExclusion(p)?.id).not.toBe("beads-db");
+    });
+});
+describe("obsidian / vercel / cache exclusions", () => {
+    it("matches .obsidian/", () => {
+        expect(matchPersonalVaultExclusion(".obsidian/workspace.json")?.id).toBe("obsidian-workspace");
+    });
+    it("matches .vercel/", () => {
+        expect(matchPersonalVaultExclusion(".vercel/project.json")?.id).toBe("vercel-link");
+    });
+    it("matches .cache_ggshield", () => {
+        expect(matchPersonalVaultExclusion(".cache_ggshield")?.id).toBe("cache-dir");
+    });
+    it("matches .cache_anything", () => {
+        expect(matchPersonalVaultExclusion(".cache_foo")?.id).toBe("cache-dir");
+    });
+    it("does NOT match .cache (no underscore)", () => {
+        // `.cache_*` is the segment shape — bare `.cache` should be left for
+        // other rules / .hqignore. Pinned so a future widen-of-pattern surfaces here.
+        expect(matchPersonalVaultExclusion(".cache")).toBeUndefined();
+    });
+});
+describe("update-output / legacy / hq-conflicts exclusions (scratch)", () => {
+    it.each([
+        "output/hatch-pet/scaffold.md",
+        "personal/data/output/hatch-pet/file.md",
+        "core/output/x.md",
+    ])("matches %s as update-output", (p) => {
+        expect(matchPersonalVaultExclusion(p)?.id).toBe("update-output");
+    });
+    it.each([
+        "_legacy-pre14.2/x.md",
+        "personal/_legacy-2024/old.md",
+        "_legacy_v1/y.md",
+        "_legacy/z.md",
+    ])("matches %s as legacy-dir", (p) => {
+        expect(matchPersonalVaultExclusion(p)?.id).toBe("legacy-dir");
+    });
+    it.each([".hq-conflicts/file.md", "personal/.hq-conflicts/x.md"])("matches %s as hq-conflicts-dir", (p) => {
+        expect(matchPersonalVaultExclusion(p)?.id).toBe("hq-conflicts-dir");
+    });
+    it("does NOT match 'output.md' (basename collision guard)", () => {
+        expect(matchPersonalVaultExclusion("core/output.md")).toBeUndefined();
+    });
+});
+describe("OS / build cruft exclusions", () => {
+    it("matches .DS_Store anywhere", () => {
+        expect(matchPersonalVaultExclusion(".DS_Store")?.id).toBe("ds-store");
+        expect(matchPersonalVaultExclusion("personal/.DS_Store")?.id).toBe("ds-store");
+    });
+    it.each([
+        ["node_modules/x.js", "node-modules"],
+        ["personal/x/node_modules/y.js", "node-modules"],
+        ["dist/bundle.js", "dist-dir"],
+        [".next/build/file.js", "next-dir"],
+        ["build/output.js", "build-dir"],
+    ])("matches %s as %s", (p, expectedId) => {
+        expect(matchPersonalVaultExclusion(p)?.id).toBe(expectedId);
+    });
+});
+// ── _testing internals ───────────────────────────────────────────────────────
+describe("_testing internals", () => {
+    it("hasSegment matches exact / prefix / middle / suffix forms", () => {
+        expect(_testing.hasSegment("foo", "foo")).toBe(true);
+        expect(_testing.hasSegment("foo/bar", "foo")).toBe(true);
+        expect(_testing.hasSegment("a/foo/b", "foo")).toBe(true);
+        expect(_testing.hasSegment("a/foo", "foo")).toBe(true);
+        expect(_testing.hasSegment("foobar", "foo")).toBe(false);
+        expect(_testing.hasSegment("a/foobar", "foo")).toBe(false);
+    });
+    it("basename returns the trailing segment", () => {
+        expect(_testing.basename("a/b/c.md")).toBe("c.md");
+        expect(_testing.basename("c.md")).toBe("c.md");
+        expect(_testing.basename("")).toBe("");
+    });
+});
+// ── Filter-wrap integration ──────────────────────────────────────────────────
+describe("wrapFilterWithPersonalVaultDefaults", () => {
+    // Use a syncRoot path independent of the test runner's cwd so the
+    // path.relative() calls inside the wrapper produce predictable results
+    // regardless of where the test runs from.
+    const syncRoot = "/tmp/hq-root";
+    it("defers to the underlying filter when it rejects", () => {
+        const calls = [];
+        const wrapped = wrapFilterWithPersonalVaultDefaults(() => false, // underlying rejects everything
+        syncRoot, (rel, match) => calls.push({ rel, id: match.id }));
+        // Even though `.env` matches a default exclusion, the underlying
+        // filter already rejected it — onExcluded must NOT fire (we only
+        // want to count things that would have made it past the user's
+        // .hqignore but are blocked by our defaults).
+        expect(wrapped(path.join(syncRoot, ".env"))).toBe(false);
+        expect(calls).toEqual([]);
+    });
+    it("rejects and tags onExcluded when underlying allows + default blocks", () => {
+        const calls = [];
+        const wrapped = wrapFilterWithPersonalVaultDefaults(() => true, // underlying allows everything
+        syncRoot, (rel, match) => calls.push({ rel, id: match.id }));
+        expect(wrapped(path.join(syncRoot, ".env"))).toBe(false);
+        expect(wrapped(path.join(syncRoot, "personal", ".env.local"))).toBe(false);
+        expect(wrapped(path.join(syncRoot, "personal", "agents.md"))).toBe(true);
+        expect(calls).toEqual([
+            { rel: ".env", id: "env-file" },
+            { rel: "personal/.env.local", id: "env-file" },
+            // "personal/agents.md" was allowed — no onExcluded callback fired.
+        ]);
+    });
+    it("does not fire onExcluded for paths outside syncRoot (defensive)", () => {
+        const calls = [];
+        const wrapped = wrapFilterWithPersonalVaultDefaults(() => true, syncRoot, (rel, match) => calls.push({ rel, id: match.id }));
+        // Outside-syncRoot paths come back with a `..` prefix from path.relative;
+        // the wrapper defers (returns true) without consulting the exclusion
+        // list since "outside scope" is the upstream containment check's job.
+        expect(wrapped("/tmp/other/.env")).toBe(true);
+        expect(calls).toEqual([]);
+    });
+});
+//# sourceMappingURL=personal-vault-exclusions.test.js.map

package/dist/personal-vault-exclusions.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-vault-exclusions.test.js","sourceRoot":"","sources":["../src/personal-vault-exclusions.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EACL,iCAAiC,EACjC,uBAAuB,EACvB,2BAA2B,EAC3B,mCAAmC,EACnC,QAAQ,GACT,MAAM,gCAAgC,CAAC;AAExC,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,iCAAiC,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;QACrE,uEAAuE;QACvE,8DAA8D;QAC9D,KAAK,MAAM,EAAE,IAAI,iCAAiC,EAAE,CAAC;YACnD,MAAM,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACpC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACxC,MAAM,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC1C,MAAM,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACxC,MAAM,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;QAC9B,KAAK,MAAM,EAAE,IAAI,iCAAiC,EAAE,CAAC;YACnD,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,+EAA+E;AAC/E,EAAE;AACF,8EAA8E;AAC9E,4EAA4E;AAC5E,6CAA6C;AAE7C,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,qBAAqB,CAAC,CAAC,CACpF,YAAY,EACZ,CAAC,CAAC,EAAE,EAAE;QACJ,MAAM,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC9D,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,iBAAiB,EAAE,2BAA2B,CAAC,CAAC,CACvE,mBAAmB,EACnB,CAAC,CAAC,EAAE,EAAE;QACJ,sEAAsE;QACtE,mEAAmE;QACnE,2DAA2D;QAC3D,MAAM,CAAC,GAAG,2BAA2B,CAAC,CAAC,CAAC,CAAC;QACzC,MAAM,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,EAAE,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,oBAAoB,EAAE,wBAAwB,CAAC,CAAC,CACpE,YAAY,EACZ,CAAC,CAAC,EAAE,EAAE;QACJ,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAChE,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,sBAAsB,EAAE,mBAAmB,CAAC,CAAC,CAChE,mBAAmB,EACnB,CAAC,CAAC,EAAE,EAAE;QACJ,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACpE,CAAC,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,wCAAwC,EAAE,GAAG,EAAE;IACtD,EAAE,CAAC,IAAI,CAAC;QACN,iBAAiB;QACjB,qBAAqB;QACrB,qBAAqB;QACrB,yBAAyB;QACzB,4BAA4B;KAC7B,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE;QACrB,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,+BAA+B,CAAC,CAAC,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;QAChF,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,sCAAsC,EAAE,GAAG,EAAE;IACpD,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,MAAM,CAAC,2BAA2B,CAAC,0BAA0B,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjG,CAAC,CAAC,CAAC;IACH,EAAE,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAC1B,MAAM,CAAC,2BAA2B,CAAC,sBAAsB,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;IACH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,2BAA2B,CAAC,iBAAiB,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IACH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,2BAA2B,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IACH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,qEAAqE;QACrE,8EAA8E;QAC9E,MAAM,CAAC,2BAA2B,CAAC,QAAQ,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAChE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,4DAA4D,EAAE,GAAG,EAAE;IAC1E,EAAE,CAAC,IAAI,CAAC;QACN,8BAA8B;QAC9B,wCAAwC;QACxC,kBAAkB;KACnB,CAAC,CAAC,6BAA6B,EAAE,CAAC,CAAC,EAAE,EAAE;QACtC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC;QACN,sBAAsB;QACtB,8BAA8B;QAC9B,iBAAiB;QACjB,cAAc;KACf,CAAC,CAAC,0BAA0B,EAAE,CAAC,CAAC,EAAE,EAAE;QACnC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC,CAAC,uBAAuB,EAAE,6BAA6B,CAAC,CAAC,CAC/D,gCAAgC,EAChC,CAAC,CAAC,EAAE,EAAE;QACJ,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACtE,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,2BAA2B,CAAC,gBAAgB,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACxE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,2BAA2B,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtE,MAAM,CAAC,2BAA2B,CAAC,oBAAoB,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC;QACN,CAAC,mBAAmB,EAAE,cAAc,CAAC;QACrC,CAAC,8BAA8B,EAAE,cAAc,CAAC;QAChD,CAAC,gBAAgB,EAAE,UAAU,CAAC;QAC9B,CAAC,qBAAqB,EAAE,UAAU,CAAC;QACnC,CAAC,iBAAiB,EAAE,WAAW,CAAC;KACjC,CAAC,CAAC,kBAAkB,EAAE,CAAC,CAAC,EAAE,UAAU,EAAE,EAAE;QACvC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAEhF,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAEhF,QAAQ,CAAC,qCAAqC,EAAE,GAAG,EAAE;IACnD,kEAAkE;IAClE,uEAAuE;IACvE,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,cAAc,CAAC;IAEhC,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,KAAK,GAAuC,EAAE,CAAC;QACrD,MAAM,OAAO,GAAG,mCAAmC,CACjD,GAAG,EAAE,CAAC,KAAK,EAAE,gCAAgC;QAC7C,QAAQ,EACR,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAClD,CAAC;QAEF,iEAAiE;QACjE,iEAAiE;QACjE,+DAA+D;QAC/D,8CAA8C;QAC9C,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,MAAM,KAAK,GAAuC,EAAE,CAAC;QACrD,MAAM,OAAO,GAAG,mCAAmC,CACjD,GAAG,EAAE,CAAC,IAAI,EAAE,+BAA+B;QAC3C,QAAQ,EACR,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAClD,CAAC;QAEF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3E,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC;YACpB,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE;YAC/B,EAAE,GAAG,EAAE,qBAAqB,EAAE,EAAE,EAAE,UAAU,EAAE;YAC9C,mEAAmE;SACpE,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,KAAK,GAAuC,EAAE,CAAC;QACrD,MAAM,OAAO,GAAG,mCAAmC,CACjD,GAAG,EAAE,CAAC,IAAI,EACV,QAAQ,EACR,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAClD,CAAC;QAEF,0EAA0E;QAC1E,qEAAqE;QACrE,sEAAsE;QACtE,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@indigoai-us/hq-cloud",
-  "version": "5.24.0",
+  "version": "5.25.0",
   "description": "HQ by Indigo cloud sync engine — bidirectional S3 sync for mobile access",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",