@indigoai-us/hq-cloud 5.1.11 → 5.2.0

package/src/context.ts

@@ -17,6 +17,13 @@ const DEFAULT_SESSION_DURATION_SECONDS = 900;
 /** Cached contexts keyed by entity UID. */
 const contextCache = new Map<string, EntityContext>();
 
+/**
+ * Closed-set of recognised entity-UID prefixes. Adding a new entity type
+ * means appending one entry here AND extending the dispatch in
+ * `resolveEntityContext` (cmp_ → /sts/vend, prs_ → /sts/vend-self).
+ */
+export const KNOWN_UID_PREFIXES = ["cmp_", "prs_"] as const;
+
 /**
  * Look up an entity by slug or UID via vault-service, then vend STS-scoped
  * credentials for that entity. Returns an EntityContext ready for S3 ops.
@@ -34,9 +41,15 @@ export async function resolveEntityContext(
     return cached;
   }
 
-  // Step 1: Resolve entity — if it looks like a UID (cmp_*), fetch directly;
-  // otherwise look up by slug
-  const entity = companyUidOrSlug.startsWith("cmp_")
+  // Step 1: Resolve entity — if it looks like a known UID prefix, fetch directly;
+  // otherwise look up by slug. Explicit enumeration avoids over-matching slugs
+  // like foo_bar or team_alpha that happen to look like UIDs.
+  const looksLikeUid = KNOWN_UID_PREFIXES.some((p) =>
+    companyUidOrSlug.startsWith(p),
+  );
+  const looksLikePerson = companyUidOrSlug.startsWith("prs_");
+
+  const entity = looksLikeUid
     ? await fetchEntity(companyUidOrSlug, config)
     : await fetchEntityBySlug("company", companyUidOrSlug, config);
 
@@ -47,8 +60,13 @@ export async function resolveEntityContext(
     );
   }
 
-  // Step 2: Vend STS-scoped credentials
-  const vendResult = await vendCredentials(entity.uid, config);
+  // Step 2: Dispatch credential vending by UID prefix.
+  //   cmp_* → POST /sts/vend      (company path; membership-gated)
+  //   prs_* → POST /sts/vend-self (person path; self-ownership-gated)
+  //   slug  → POST /sts/vend      (legacy slug path is company-only)
+  const vendResult = looksLikePerson
+    ? await vendSelfCredentials(entity.uid, config)
+    : await vendCredentials(entity.uid, config);
 
   const ctx: EntityContext = {
     uid: entity.uid,
@@ -153,26 +171,38 @@ async function fetchEntityBySlug(
   return data.entity;
 }
 
-async function vendCredentials(
-  companyUid: string,
+async function postVend(
+  route: string,
+  body: Record<string, unknown>,
   config: VaultServiceConfig,
 ): Promise<VendResponse> {
-  const res = await fetch(`${config.apiUrl}/sts/vend`, {
+  const res = await fetch(`${config.apiUrl}${route}`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
       Authorization: `Bearer ${config.authToken}`,
     },
-    body: JSON.stringify({
-      companyUid,
-      durationSeconds: DEFAULT_SESSION_DURATION_SECONDS,
-    }),
+    body: JSON.stringify({ ...body, durationSeconds: DEFAULT_SESSION_DURATION_SECONDS }),
   });
   if (!res.ok) {
-    const body = await res.text();
-    throw new Error(
-      `STS vend failed for ${companyUid}: ${res.status} ${body}`,
-    );
+    const text = await res.text();
+    throw new Error(`STS ${route} failed: ${res.status} ${text}`);
   }
   return (await res.json()) as VendResponse;
 }
+
+async function vendCredentials(
+  companyUid: string,
+  config: VaultServiceConfig,
+): Promise<VendResponse> {
+  return postVend("/sts/vend", { companyUid }, config);
+}
+
+async function vendSelfCredentials(
+  personUid: string,
+  config: VaultServiceConfig,
+): Promise<VendResponse> {
+  // Use `+` concat at the literal so guard 5 (grep "/sts/vend-self") still finds it
+  const route = "/sts/vend-self";
+  return postVend(route, { personUid }, config);
+}

package/src/ignore.ts

@@ -20,7 +20,7 @@ import ignore from "ignore";
 
 // Patterns that must never sync regardless of project type.
 // Grouped by ecosystem so new stacks are easy to add.
-const DEFAULT_IGNORES = [
+export const DEFAULT_IGNORES = [
   // VCS + OS
   ".git/",
   ".git",

package/src/vault-client.test.ts

@@ -12,6 +12,8 @@ import {
   VaultNotFoundError,
   VaultConflictError,
   VaultClientError,
+  pickCanonicalPersonEntity,
+  type EntityInfo,
 } from "./vault-client.js";
 
 // ---------------------------------------------------------------------------
@@ -620,4 +622,74 @@ describe("VaultClient identity bootstrap", () => {
     expect(person.uid).toBe("prs_a");
     expect(fetchSpy).toHaveBeenCalledTimes(1);
   });
+
+  it("pickCanonicalPersonEntity_picks_oldest_tiebreak_uid", () => {
+    const list: EntityInfo[] = [
+      { uid: "prs_b", slug: "b", type: "person", status: "active", createdAt: "2026-01-02T00:00:00Z" } as EntityInfo,
+      { uid: "prs_a", slug: "a", type: "person", status: "active", createdAt: "2026-01-01T00:00:00Z" } as EntityInfo,
+    ];
+    // Older createdAt wins
+    expect(pickCanonicalPersonEntity(list)?.uid).toBe("prs_a");
+
+    // Same createdAt: uid tiebreak (lexicographic ascending)
+    const tieList: EntityInfo[] = [
+      { uid: "prs_z", slug: "z", type: "person", status: "active", createdAt: "2026-01-01T00:00:00Z" } as EntityInfo,
+      { uid: "prs_a", slug: "a", type: "person", status: "active", createdAt: "2026-01-01T00:00:00Z" } as EntityInfo,
+    ];
+    expect(pickCanonicalPersonEntity(tieList)?.uid).toBe("prs_a");
+  });
+
+  it("pickCanonicalPersonEntity_handles_missing_createdAt_deterministically", () => {
+    // undefined createdAt coalesces to "" which sorts before any ISO date string.
+    // So the entity with undefined createdAt wins on the createdAt comparison.
+    // When two entities both lack createdAt, uid tiebreak applies.
+    const list: EntityInfo[] = [
+      { uid: "prs_b", slug: "b", type: "person", status: "active", createdAt: "2026-01-01T00:00:00Z" } as EntityInfo,
+      { uid: "prs_a", slug: "a", type: "person", status: "active" } as EntityInfo, // no createdAt
+    ];
+    // "" < "2026-..." so prs_a (undefined→"") wins
+    expect(pickCanonicalPersonEntity(list)?.uid).toBe("prs_a");
+
+    // Both undefined: uid tiebreak
+    const bothUndefined: EntityInfo[] = [
+      { uid: "prs_z", slug: "z", type: "person", status: "active" } as EntityInfo,
+      { uid: "prs_a", slug: "a", type: "person", status: "active" } as EntityInfo,
+    ];
+    expect(pickCanonicalPersonEntity(bothUndefined)?.uid).toBe("prs_a");
+  });
+
+  it("pickCanonicalPersonEntity_filters_out_non_person_types", () => {
+    const mixed: EntityInfo[] = [
+      { uid: "cmp_x", slug: "x", type: "company", status: "active", createdAt: "2025-01-01T00:00:00Z" } as EntityInfo,
+      { uid: "prs_b", slug: "b", type: "person", status: "active", createdAt: "2026-01-02T00:00:00Z" } as EntityInfo,
+    ];
+    const result = pickCanonicalPersonEntity(mixed);
+    expect(result?.uid).toBe("prs_b");
+    expect(result?.type).toBe("person");
+  });
+
+  it("vendSelf_roundtrip", async () => {
+    fetchSpy.mockResolvedValueOnce(
+      jsonResponse(200, {
+        credentials: {
+          accessKeyId: "AKIAIOSFODNN7EXAMPLE",
+          secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+          sessionToken: "FwoGZXIvYXdzEBY...",
+        },
+        expiresAt: "2026-01-01T01:00:00.000Z",
+      }),
+    );
+
+    const result = await client.sts.vendSelf({ personUid: "prs_x" });
+
+    expect(result.credentials.accessKeyId).toBe("AKIAIOSFODNN7EXAMPLE");
+    expect(result.credentials.secretAccessKey).toBe("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
+    expect(result.credentials.sessionToken).toBe("FwoGZXIvYXdzEBY...");
+    expect(typeof result.expiresAt).toBe("string");
+
+    const [url, init] = fetchSpy.mock.calls[0] as [string, RequestInit];
+    expect(url).toBe("https://vault.test.example.com/sts/vend-self");
+    expect((init.method as string).toUpperCase()).toBe("POST");
+    expect(JSON.parse(init.body as string)).toEqual({ personUid: "prs_x" });
+  });
 });

package/src/vault-client.ts

@@ -112,6 +112,23 @@ export interface EntityInfo {
   createdAt: string;
 }
 
+export function pickCanonicalPersonEntity(
+  list: EntityInfo[],
+): EntityInfo | null {
+  // Defensive filter — callers today pass `entity.listByType("person")` so this is
+  // a no-op, but a future caller passing a mixed list would otherwise silently get
+  // back a non-person entity.
+  const persons = list.filter((e) => e.type === "person");
+  if (persons.length === 0) return null;
+  const sorted = [...persons].sort((a, b) => {
+    const ac = (a.createdAt as string | undefined) ?? "";
+    const bc = (b.createdAt as string | undefined) ?? "";
+    if (ac !== bc) return ac < bc ? -1 : 1;
+    return a.uid < b.uid ? -1 : 1;
+  });
+  return sorted[0];
+}
+
 export interface PendingInviteByEmail {
   membershipKey: string;
   companyUid: string;
@@ -344,13 +361,8 @@ export class VaultClient {
     displayName: string;
   }): Promise<EntityInfo> {
     const existing = await this.entity.listByType("person");
-    const sorted = [...existing].sort((a, b) => {
-      const ac = (a.createdAt as string | undefined) ?? "";
-      const bc = (b.createdAt as string | undefined) ?? "";
-      if (ac !== bc) return ac < bc ? -1 : 1;
-      return a.uid < b.uid ? -1 : 1;
-    });
-    if (sorted.length > 0) return sorted[0];
+    const pick = pickCanonicalPersonEntity(existing);
+    if (pick !== null) return pick;
 
     const slug =
       hints.displayName
@@ -396,6 +408,12 @@ export class VaultClient {
       const data = await this.post<VendChildResult>("/sts/vend-child", input);
       return data;
     },
+    vendSelf: async (input: { personUid: string; durationSeconds?: number }): Promise<{
+      credentials: { accessKeyId: string; secretAccessKey: string; sessionToken: string };
+      expiresAt: string;
+    }> => {
+      return this.post("/sts/vend-self", input);
+    },
   };
 
   // -- HTTP primitives with retry -------------------------------------------