@web42/cli 0.1.7 → 0.1.8

package/dist/commands/init.js

@@ -169,6 +169,47 @@ export const initCommand = new Command("init")
         console.log(chalk.dim("  Skipped .web42/resources.json (already exists)"));
     }
     mkdirSync(join(web42Dir, "resources"), { recursive: true });
+    const ignorePath = join(cwd, ".web42ignore");
+    if (!existsSync(ignorePath)) {
+        writeFileSync(ignorePath, [
+            "# .web42ignore — files excluded from web42 pack / push",
+            "# Syntax: glob patterns, one per line. Lines starting with # are comments.",
+            "# NOTE: .git, node_modules, .web42/, manifest.json, and other internals",
+            "#       are always excluded automatically.",
+            "",
+            "# Working notes & drafts",
+            "TODO.md",
+            "NOTES.md",
+            "drafts/**",
+            "",
+            "# Environment & secrets",
+            ".env",
+            ".env.*",
+            "",
+            "# IDE / editor",
+            ".vscode/**",
+            ".idea/**",
+            ".cursor/**",
+            "",
+            "# Test & CI",
+            "tests/**",
+            "__tests__/**",
+            ".github/**",
+            "",
+            "# Build artifacts",
+            "dist/**",
+            "build/**",
+            "",
+            "# Large media not needed at runtime",
+            "# *.mp4",
+            "# *.mov",
+            "",
+        ].join("\n"), "utf-8");
+        console.log(chalk.green(`  Created ${chalk.bold(".web42ignore")}`));
+    }
+    else {
+        console.log(chalk.dim("  Skipped .web42ignore (already exists)"));
+    }
     // Offer bundled starter skills
     const bundled = listBundledSkills();
     if (bundled.length > 0) {

package/dist/commands/pack.js

@@ -3,8 +3,9 @@ import { join } from "path";
 import { Command } from "commander";
 import chalk from "chalk";
 import ora from "ora";
-import { openclawAdapter } from "../platforms/openclaw/adapter.js";
+import { openclawAdapter, HARDCODED_EXCLUDES } from "../platforms/openclaw/adapter.js";
 import { parseSkillMd } from "../utils/skill.js";
+const HARDCODED_EXCLUDES_SET = new Set(HARDCODED_EXCLUDES);
 export const packCommand = new Command("pack")
     .description("Pack your agent workspace into a distributable artifact")
     .option("-o, --output <dir>", "Output directory", ".web42/dist")
@@ -57,6 +58,14 @@ export const packCommand = new Command("pack")
         }
         if (opts.dryRun) {
             spinner.stop();
+            const userPatterns = (result.ignorePatterns ?? []).filter((p) => !HARDCODED_EXCLUDES_SET.has(p));
+            if (userPatterns.length > 0) {
+                console.log(chalk.bold("Ignore patterns from .web42ignore:"));
+                for (const p of userPatterns) {
+                    console.log(chalk.yellow(`  ✕ ${p}`));
+                }
+                console.log();
+            }
             console.log(chalk.bold("Dry run — would pack:"));
             console.log();
             for (const f of result.files) {

package/dist/generated/embedded-skills.js

@@ -13,7 +13,7 @@ export const EMBEDDED_SKILLS = [
             },
             {
                 path: "references/file-hygiene.md",
-                content: "# File Hygiene Checklist\n\nBefore packing, audit the workspace for files that should not ship to buyers. The CLI's pack command automatically excludes some patterns, but manual review catches everything else.\n\n## Automatically Excluded by the CLI\n\nThese patterns are hardcoded in the pack command and will never appear in the `.web42/dist/` artifact:\n\n| Pattern | Reason |\n|---------|--------|\n| `auth-profiles.json` | Platform authentication credentials |\n| `MEMORY.md` | Creator's long-term memory — personal context |\n| `memory/**` | Daily memory logs — personal context |\n| `sessions/**` | Session history — personal context |\n| `.git/**` | Version control internals |\n| `node_modules/**` | Dependencies (not portable) |\n| `.DS_Store` | macOS filesystem metadata |\n| `*.log` | Log files |\n| `openclaw.json` | Platform config (contains agent bindings, channel secrets) |\n| `.openclaw/credentials/**` | Platform credentials |\n| `.web42/**` | Metadata folder (marketplace config, sync state, pack output) |\n| `.web42ignore` | Pack ignore config (meta, not content) |\n| `manifest.json` | Shipped separately as structured data |\n| `USER.md` | Always rewritten with a blank template on install |\n\n## `.web42/` Metadata Files (Not Packed)\n\nThe `.web42/` folder contains metadata and assets that are synced separately — they are NOT included in the packed agent files:\n\n| File | Purpose | Editable? |\n|------|---------|-----------|\n| `marketplace.json` | Pricing, license, tags | Yes |\n| `resources.json` | Resource file metadata | Yes |\n| `avatar.*` | Agent profile image | Yes |\n| `resources/` | Screenshots, videos, documents | Yes |\n| `sync.json` | Sync state tracking | No — auto-managed |\n| `dist/` | Pack output | No — auto-generated |\n\n**`sync.json`** should never be edited manually. Doing so will break change detection between local and remote. It is safe to delete if you want to force a full re-sync.\n\n## Files to Flag for Manual Review\n\nThese are NOT auto-excluded but often contain content that should not ship:\n\n### Personal Data\n\n- **`HEARTBEAT.md`** — If it contains creator-specific tasks, reminders, or routines. Reset to the scaffold default (empty with comments) unless the tasks are part of the agent's intended behavior.\n- **`SOUL.md`** — If it references the creator by name, contains personal preferences, or has inside jokes. Generalize to describe the agent's intended persona, not the creator's personality.\n- **`IDENTITY.md`** — If it contains the creator's chosen name/emoji/avatar. The buyer's agent should form its own identity. Reset to the scaffold template or write a persona description that fits the agent's purpose.\n- **`TOOLS.md`** — If it contains the creator's SSH hosts, camera names, device nicknames, etc. Reset to the scaffold template with example placeholders.\n\n### Secrets and Credentials\n\n- **`.env` / `.env.local`** — Should never be in the workspace root. If present, flag immediately.\n- **`.web42.config.json`** — Contains config variable values from the creator's install. Must not ship.\n- **Hardcoded API keys in skill files** — The CLI strips known patterns (`sk-...`, `ghp_...`, bearer tokens), but custom keys may slip through. Grep for suspicious patterns: long hex/base64 strings, `token`, `secret`, `password`, `apikey`.\n\n### Development Artifacts\n\n- **`.vscode/` / `.cursor/` / `.idea/`** — IDE configuration. Not relevant to buyers.\n- **`__pycache__/` / `*.pyc`** — Python bytecode.\n- **`Thumbs.db`** — Windows thumbnail cache.\n- **`*.bak` / `*.swp` / `*.tmp`** — Editor backup/swap files.\n- **`test/` / `tests/` / `__tests__/`** — Test files, unless they are part of the agent's functionality.\n- **Build outputs** — `dist/`, `build/`, `out/` directories.\n\n### Large or Binary Files\n\n- The pack command skips files larger than 1 MB.\n- Binary files (images, compiled executables) are skipped automatically (UTF-8 decode failure).\n- If the agent needs images (e.g., for the README cover), host them externally or manage them as resources in `.web42/resources/`.\n\n## Using `.web42ignore`\n\nCreate a `.web42ignore` file in the workspace root to exclude additional patterns. Syntax follows `.gitignore`:\n\n```\n# Exclude test fixtures\ntests/**\nfixtures/**\n\n# Exclude draft documents\ndrafts/**\n\n# Exclude local scripts not part of the agent\nscripts/local-*.sh\n```\n\nThe `.web42ignore` file itself is automatically excluded from the artifact.\n\n## Verification\n\nAfter auditing, always run:\n\n```\nweb42 pack --dry-run\n```\n\nThis prints every file that would be included. Review the list for:\n\n1. **Unexpected files** — anything you don't recognize or didn't intend to ship\n2. **File count** — a typical agent has 5–30 files. Hundreds of files suggests something is wrong.\n3. **Sensitive content** — spot-check a few files for leaked secrets or personal data\n",
+                content: "# File Hygiene Checklist\n\nBefore packing, audit the workspace for files that should not ship to buyers. The CLI's pack command automatically excludes some patterns, but manual review catches everything else.\n\n## Automatically Excluded by the CLI\n\nThese patterns are hardcoded in the pack command and will never appear in the `.web42/dist/` artifact:\n\n| Pattern | Reason |\n|---------|--------|\n| `auth-profiles.json` | Platform authentication credentials |\n| `MEMORY.md` | Creator's long-term memory — personal context |\n| `memory/**` | Daily memory logs — personal context |\n| `sessions/**` | Session history — personal context |\n| `.git/**` | Version control internals |\n| `node_modules/**` | Dependencies (not portable) |\n| `.DS_Store` | macOS filesystem metadata |\n| `*.log` | Log files |\n| `openclaw.json` | Platform config (contains agent bindings, channel secrets) |\n| `.openclaw/credentials/**` | Platform credentials |\n| `.web42/**` | Metadata folder (marketplace config, sync state, pack output) |\n| `.web42ignore` | Pack ignore config (meta, not content) |\n| `manifest.json` | Shipped separately as structured data |\n| `USER.md` | Always rewritten with a blank template on install |\n\n## `.web42/` Metadata Files (Not Packed)\n\nThe `.web42/` folder contains metadata and assets that are synced separately — they are NOT included in the packed agent files:\n\n| File | Purpose | Editable? |\n|------|---------|-----------|\n| `marketplace.json` | Pricing, license, tags | Yes |\n| `resources.json` | Resource file metadata | Yes |\n| `avatar.*` | Agent profile image | Yes |\n| `resources/` | Screenshots, videos, documents | Yes |\n| `sync.json` | Sync state tracking | No — auto-managed |\n| `dist/` | Pack output | No — auto-generated |\n\n**`sync.json`** should never be edited manually. Doing so will break change detection between local and remote. It is safe to delete if you want to force a full re-sync.\n\n## Files to Flag for Manual Review\n\nThese are NOT auto-excluded but often contain content that should not ship:\n\n### Personal Data\n\n- **`HEARTBEAT.md`** — If it contains creator-specific tasks, reminders, or routines. Reset to the scaffold default (empty with comments) unless the tasks are part of the agent's intended behavior.\n- **`SOUL.md`** — If it references the creator by name, contains personal preferences, or has inside jokes. Generalize to describe the agent's intended persona, not the creator's personality.\n- **`IDENTITY.md`** — If it contains the creator's chosen name/emoji/avatar. The buyer's agent should form its own identity. Reset to the scaffold template or write a persona description that fits the agent's purpose.\n- **`TOOLS.md`** — If it contains the creator's SSH hosts, camera names, device nicknames, etc. Reset to the scaffold template with example placeholders.\n\n### Secrets and Credentials\n\n- **`.env` / `.env.local`** — Should never be in the workspace root. If present, flag immediately.\n- **`.web42.config.json`** — Contains config variable values from the creator's install. Must not ship.\n- **Hardcoded API keys in skill files** — The CLI strips known patterns (`sk-...`, `ghp_...`, bearer tokens), but custom keys may slip through. Grep for suspicious patterns: long hex/base64 strings, `token`, `secret`, `password`, `apikey`.\n\n### Development Artifacts\n\n- **`.vscode/` / `.cursor/` / `.idea/`** — IDE configuration. Not relevant to buyers.\n- **`__pycache__/` / `*.pyc`** — Python bytecode.\n- **`Thumbs.db`** — Windows thumbnail cache.\n- **`*.bak` / `*.swp` / `*.tmp`** — Editor backup/swap files.\n- **`test/` / `tests/` / `__tests__/`** — Test files, unless they are part of the agent's functionality.\n- **Build outputs** — `dist/`, `build/`, `out/` directories.\n\n### Large or Binary Files\n\n- The pack command skips files larger than 1 MB.\n- Binary files (images, compiled executables) are skipped automatically (UTF-8 decode failure).\n- If the agent needs images (e.g., for the README cover), host them externally or manage them as resources in `.web42/resources/`.\n\n## Using `.web42ignore`\n\n`web42 init` scaffolds a default `.web42ignore` with sensible patterns (IDE folders, env files, test dirs, drafts). Edit it to match your workspace. Syntax: glob patterns, one per line — lines starting with `#` are comments.\n\n```\n# Exclude test fixtures\ntests/**\nfixtures/**\n\n# Exclude draft documents\ndrafts/**\n\n# Exclude local scripts not part of the agent\nscripts/local-*.sh\n```\n\nThe `.web42ignore` file itself is automatically excluded from the packed artifact.\n\n## Verification\n\nAfter auditing, always run:\n\n```\nweb42 pack --dry-run\n```\n\nThis prints:\n\n1. **User ignore patterns** loaded from `.web42ignore` (shown with ✕ prefix)\n2. **Every file** that would be included, with sizes\n3. **File and config variable counts**\n\nReview the output for:\n\n- **Unexpected files** — anything you don't recognize or didn't intend to ship\n- **File count** — a typical agent has 5–30 files. Hundreds of files suggests missing ignore patterns.\n- **Sensitive content** — spot-check a few files for leaked secrets or personal data\n",
             },
             {
                 path: "references/manifest-fields.md",
@@ -29,7 +29,7 @@ export const EMBEDDED_SKILLS = [
             },
             {
                 path: "references/web42-folder.md",
-                content: "# The `.web42/` Folder\n\nThe `.web42/` directory in your agent workspace is the metadata and sync hub for the Web42 marketplace. It is created automatically by `web42 init`.\n\n## Structure\n\n```\n.web42/\n├── marketplace.json     # Pricing, license, tags\n├── resources.json       # Metadata for resource files\n├── sync.json            # Sync state (auto-managed, do not edit)\n├── avatar.png           # Agent profile image (optional)\n├── resources/           # Screenshots, videos, documents\n│   ├── screenshot-1.png\n│   └── demo.mp4\n└── dist/                # Pack output (auto-generated by web42 pack)\n    ├── AGENTS.md\n    ├── IDENTITY.md\n    ├── manifest.json\n    └── ...\n```\n\n## Files You Edit\n\n### `marketplace.json`\n\nControls pricing, licensing, and discoverability on the marketplace.\n\n- Created by `web42 init` with defaults.\n- Edit manually or with agent assistance.\n- Synced to/from the remote on push/pull.\n- See `references/marketplace-config.md` for the full field reference.\n\n### `resources.json`\n\nDescribes the resource files (screenshots, videos, documents) in the `resources/` subdirectory.\n\n- JSON array of `ResourceMeta` objects.\n- Each entry maps a file in `resources/` to a title, description, type, and display order.\n- See `references/resources-guide.md` for the schema and guidance.\n\n### `avatar.{png,jpg,jpeg,webp,svg}`\n\nThe agent's profile image, shown on the marketplace listing and search results.\n\n- Only one avatar file should exist (the CLI picks the first match by extension priority: png, jpg, jpeg, webp, svg).\n- Recommended: 400x400 or larger, square aspect ratio.\n- Uploaded to the server on `web42 push`.\n\n### `resources/`\n\nDirectory containing the actual resource files referenced by `resources.json`.\n\n- Drop images, videos, or PDFs here.\n- Filenames must match the `file` field in `resources.json`.\n\n## Files You Should NOT Edit\n\n### `sync.json`\n\nTracks the sync state between your local workspace and the remote database.\n\n```json\n{\n  \"agent_id\": \"0c4cc49e-...\",\n  \"last_remote_hash\": \"7b1d3ecf...\",\n  \"last_local_hash\": \"d9a10b8a...\",\n  \"synced_at\": \"2026-03-17T03:54:46.124Z\"\n}\n```\n\n- **Auto-managed** by `web42 push`, `web42 pull`, and `web42 sync`.\n- Editing this file manually will break change detection.\n- Safe to delete if you want to force a full re-sync (next push/pull will recreate it).\n\n### `dist/`\n\nThe pack output directory, generated by `web42 pack` or automatically during `web42 push`.\n\n- Contains the processed, distributable version of your agent files.\n- **Auto-generated** — do not edit files here directly.\n- Excluded from the pack itself (no recursion).\n\n## Git Integration\n\nAdd `.web42/sync.json` and `.web42/dist/` to `.gitignore` since they are auto-generated:\n\n```gitignore\n.web42/sync.json\n.web42/dist/\n```\n\nKeep these in version control:\n\n- `.web42/marketplace.json`\n- `.web42/resources.json`\n- `.web42/avatar.*`\n- `.web42/resources/`\n\n## Sync Lifecycle\n\n```\nweb42 init     → Creates .web42/ with marketplace.json, resources.json\nweb42 pack     → Generates .web42/dist/ from workspace files\nweb42 push     → Sends snapshot (manifest + README + marketplace + files + avatar + resources) to remote\nweb42 pull     → Fetches remote snapshot, writes to local files\nweb42 sync     → Shows local vs remote hash comparison without changing anything\n```\n",
+                content: "# The `.web42/` Folder\n\nThe `.web42/` directory in your agent workspace is the metadata and sync hub for the Web42 marketplace. It is created automatically by `web42 init`.\n\n## Structure\n\n```\n.web42/\n├── marketplace.json     # Pricing, license, tags\n├── resources.json       # Metadata for resource files\n├── sync.json            # Sync state (auto-managed, do not edit)\n├── avatar.png           # Agent profile image (optional)\n├── resources/           # Screenshots, videos, documents\n│   ├── screenshot-1.png\n│   └── demo.mp4\n└── dist/                # Pack output (auto-generated by web42 pack)\n    ├── AGENTS.md\n    ├── IDENTITY.md\n    ├── manifest.json\n    └── ...\n```\n\n## Files You Edit\n\n### `marketplace.json`\n\nControls pricing, licensing, and discoverability on the marketplace.\n\n- Created by `web42 init` with defaults.\n- Edit manually or with agent assistance.\n- Synced to/from the remote on push/pull.\n- See `references/marketplace-config.md` for the full field reference.\n\n### `resources.json`\n\nDescribes the resource files (screenshots, videos, documents) in the `resources/` subdirectory.\n\n- JSON array of `ResourceMeta` objects.\n- Each entry maps a file in `resources/` to a title, description, type, and display order.\n- See `references/resources-guide.md` for the schema and guidance.\n\n### `avatar.{png,jpg,jpeg,webp,svg}`\n\nThe agent's profile image, shown on the marketplace listing and search results.\n\n- Only one avatar file should exist (the CLI picks the first match by extension priority: png, jpg, jpeg, webp, svg).\n- Recommended: 400x400 or larger, square aspect ratio.\n- Uploaded to the server on `web42 push`.\n\n### `resources/`\n\nDirectory containing the actual resource files referenced by `resources.json`.\n\n- Drop images, videos, or PDFs here.\n- Filenames must match the `file` field in `resources.json`.\n\n## Files You Should NOT Edit\n\n### `sync.json`\n\nTracks the sync state between your local workspace and the remote database.\n\n```json\n{\n  \"agent_id\": \"0c4cc49e-...\",\n  \"last_remote_hash\": \"7b1d3ecf...\",\n  \"last_local_hash\": \"d9a10b8a...\",\n  \"synced_at\": \"2026-03-17T03:54:46.124Z\"\n}\n```\n\n- **Auto-managed** by `web42 push`, `web42 pull`, and `web42 sync`.\n- Editing this file manually will break change detection.\n- Safe to delete if you want to force a full re-sync (next push/pull will recreate it).\n\n### `dist/`\n\nThe pack output directory, generated by `web42 pack` or automatically during `web42 push`.\n\n- Contains the processed, distributable version of your agent files.\n- **Auto-generated** — do not edit files here directly.\n- Excluded from the pack itself (no recursion).\n\n## Git Integration\n\nAdd `.web42/sync.json` and `.web42/dist/` to `.gitignore` since they are auto-generated:\n\n```gitignore\n.web42/sync.json\n.web42/dist/\n```\n\nKeep these in version control:\n\n- `.web42/marketplace.json`\n- `.web42/resources.json`\n- `.web42/avatar.*`\n- `.web42/resources/`\n\n## `.web42ignore` (Workspace Root)\n\nNot inside `.web42/` — lives at the workspace root alongside `manifest.json`.\n\n- Created by `web42 init` with sensible defaults (IDE dirs, env files, test folders, drafts).\n- Glob patterns, one per line. Lines starting with `#` are comments.\n- Controls which files are excluded when running `web42 pack` or `web42 push`.\n- Use `web42 pack --dry-run` to verify what gets included/excluded.\n- See `references/file-hygiene.md` for full details.\n\nKeep `.web42ignore` in version control so the ignore rules travel with the project.\n\n## Sync Lifecycle\n\n```\nweb42 init     → Creates .web42/, marketplace.json, resources.json, .web42ignore\nweb42 pack     → Generates .web42/dist/ from workspace files (respects .web42ignore)\nweb42 push     → Sends snapshot (manifest + README + marketplace + files + avatar + resources) to remote\nweb42 pull     → Fetches remote snapshot, writes to local files\nweb42 sync     → Shows local vs remote hash comparison without changing anything\n```\n",
             },
             {
                 path: "SKILL.md",

package/dist/platforms/base.d.ts

@@ -19,6 +19,7 @@ export interface PackResult {
     files: PackedFile[];
     configTemplate: Record<string, unknown> | null;
     configVariables: ConfigVariable[];
+    ignorePatterns?: string[];
 }
 export interface InstallOptions {
     agentSlug: string;

package/dist/platforms/openclaw/adapter.d.ts

@@ -1,4 +1,5 @@
 import type { InitConfig, InstalledAgent, InstallOptions, InstallResult, PackOptions, PackResult, PlatformAdapter, UninstallOptions, UninstallResult } from "../base.js";
+export declare const HARDCODED_EXCLUDES: string[];
 export declare class OpenClawAdapter implements PlatformAdapter {
     name: string;
     home: string;

package/dist/platforms/openclaw/adapter.js

@@ -7,7 +7,7 @@ import { stripSecrets, stripChannelSecrets } from "../../utils/secrets.js";
 import { USER_MD } from "./templates.js";
 const OPENCLAW_HOME = join(homedir(), ".openclaw");
 const OPENCLAW_CONFIG_PATH = join(OPENCLAW_HOME, "openclaw.json");
-const HARDCODED_EXCLUDES = [
+export const HARDCODED_EXCLUDES = [
     "auth-profiles.json",
     "MEMORY.md",
     "memory/**",
@@ -411,7 +411,7 @@ export class OpenClawAdapter {
             configTemplate = extraction.configTemplate;
             configVariables = extraction.configVariables;
         }
-        return { files, configTemplate, configVariables };
+        return { files, configTemplate, configVariables, ignorePatterns };
     }
     async install(options) {
         const { agentSlug, username, workspacePath, files, configTemplate, configAnswers, } = options;

package/dist/version.d.ts

@@ -1 +1 @@
-export declare const CLI_VERSION = "0.1.7";
+export declare const CLI_VERSION = "0.1.8";

package/dist/version.js

@@ -1 +1 @@
-export const CLI_VERSION = "0.1.7";
+export const CLI_VERSION = "0.1.8";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@web42/cli",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "CLI for the Web42 Agent Marketplace - push, install, and remix OpenClaw agent packages",
   "type": "module",
   "bin": {

package/skills/web42-publish-prep/references/file-hygiene.md

@@ -72,7 +72,7 @@ These are NOT auto-excluded but often contain content that should not ship:
 
 ## Using `.web42ignore`
 
-Create a `.web42ignore` file in the workspace root to exclude additional patterns. Syntax follows `.gitignore`:
+`web42 init` scaffolds a default `.web42ignore` with sensible patterns (IDE folders, env files, test dirs, drafts). Edit it to match your workspace. Syntax: glob patterns, one per line — lines starting with `#` are comments.
 
 ```
 # Exclude test fixtures
@@ -86,7 +86,7 @@ drafts/**
 scripts/local-*.sh
 ```
 
-The `.web42ignore` file itself is automatically excluded from the artifact.
+The `.web42ignore` file itself is automatically excluded from the packed artifact.
 
 ## Verification
 
@@ -96,8 +96,14 @@ After auditing, always run:
 web42 pack --dry-run
 ```
 
-This prints every file that would be included. Review the list for:
+This prints:
 
-1. **Unexpected files** — anything you don't recognize or didn't intend to ship
-2. **File count** — a typical agent has 5–30 files. Hundreds of files suggests something is wrong.
-3. **Sensitive content** — spot-check a few files for leaked secrets or personal data
+1. **User ignore patterns** loaded from `.web42ignore` (shown with ✕ prefix)
+2. **Every file** that would be included, with sizes
+3. **File and config variable counts**
+
+Review the output for:
+
+- **Unexpected files** — anything you don't recognize or didn't intend to ship
+- **File count** — a typical agent has 5–30 files. Hundreds of files suggests missing ignore patterns.
+- **Sensitive content** — spot-check a few files for leaked secrets or personal data

package/skills/web42-publish-prep/references/web42-folder.md

@@ -97,11 +97,23 @@ Keep these in version control:
 - `.web42/avatar.*`
 - `.web42/resources/`
 
+## `.web42ignore` (Workspace Root)
+
+Not inside `.web42/` — lives at the workspace root alongside `manifest.json`.
+
+- Created by `web42 init` with sensible defaults (IDE dirs, env files, test folders, drafts).
+- Glob patterns, one per line. Lines starting with `#` are comments.
+- Controls which files are excluded when running `web42 pack` or `web42 push`.
+- Use `web42 pack --dry-run` to verify what gets included/excluded.
+- See `references/file-hygiene.md` for full details.
+
+Keep `.web42ignore` in version control so the ignore rules travel with the project.
+
 ## Sync Lifecycle
 
 ```
-web42 init     → Creates .web42/ with marketplace.json, resources.json
-web42 pack     → Generates .web42/dist/ from workspace files
+web42 init     → Creates .web42/, marketplace.json, resources.json, .web42ignore
+web42 pack     → Generates .web42/dist/ from workspace files (respects .web42ignore)
 web42 push     → Sends snapshot (manifest + README + marketplace + files + avatar + resources) to remote
 web42 pull     → Fetches remote snapshot, writes to local files
 web42 sync     → Shows local vs remote hash comparison without changing anything