@indigoai-us/hq-cloud 5.4.4 → 5.4.6

package/src/cli/sync.ts

@@ -10,7 +10,7 @@ import * as path from "path";
 import type { VaultServiceConfig } from "../types.js";
 import { resolveEntityContext, isExpiringSoon, refreshEntityContext } from "../context.js";
 import { downloadFile, listRemoteFiles } from "../s3.js";
-import { readJournal, writeJournal, hashFile, updateEntry, getEntry } from "../journal.js";
+import { readJournal, writeJournal, hashFile, updateEntry, getEntry, normalizeEtag } from "../journal.js";
 import { createIgnoreFilter } from "../ignore.js";
 import { resolveConflict } from "./conflict.js";
 import type { ConflictStrategy, ConflictResolution } from "./conflict.js";
@@ -147,9 +147,14 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
 
     if (fs.existsSync(localPath)) {
       const localHash = hashFile(localPath);
+      const localChanged = !!journalEntry && journalEntry.hash !== localHash;
+      const remoteChanged = !!journalEntry && hasRemoteChanged(remoteFile, journalEntry);
 
-      // If local file has changed since last sync, it's a conflict
-      if (journalEntry && journalEntry.hash !== localHash) {
+      // A real conflict requires BOTH sides to have moved since the last
+      // sync. If only local changed, push will handle it; pulling here would
+      // clobber the local edit. If only remote changed, fall through to
+      // download. If neither moved, skip.
+      if (localChanged && remoteChanged) {
         conflicts++;
         conflictPaths.push(remoteFile.key);
 
@@ -187,17 +192,18 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
           continue;
         }
         // "overwrite" falls through to download
-      } else if (journalEntry && journalEntry.hash === localHash) {
-        // Local unchanged since last sync — check if remote changed
-        // by comparing etag/timestamp
-        const lastSyncTime = new Date(journalEntry.syncedAt).getTime();
-        const remoteModTime = remoteFile.lastModified.getTime();
-        if (remoteModTime <= lastSyncTime) {
-          // Remote hasn't changed either — skip
-          filesSkipped++;
-          continue;
-        }
+      } else if (journalEntry && localChanged && !remoteChanged) {
+        // Local-only edit: leave it for the push phase to upload. Pulling
+        // would silently overwrite the user's work.
+        filesSkipped++;
+        continue;
+      } else if (journalEntry && !localChanged && !remoteChanged) {
+        // Neither side moved — nothing to do.
+        filesSkipped++;
+        continue;
       }
+      // Otherwise (no journal entry, or remote-only changed) fall through
+      // to download.
     }
 
     // Download
@@ -206,7 +212,9 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
 
       const hash = hashFile(localPath);
       const stat = fs.statSync(localPath);
-      updateEntry(journal, remoteFile.key, hash, stat.size, "down");
+      // Capture the listing's ETag so subsequent syncs can detect remote
+      // drift independently of mtime drift.
+      updateEntry(journal, remoteFile.key, hash, stat.size, "down", remoteFile.etag);
 
       // Attach message from journal entry if present
       const remoteJournalMessage = (journalEntry as { message?: string } | undefined)?.message;
@@ -262,6 +270,23 @@ function resolveActiveCompany(hqRoot: string): string | undefined {
   return undefined;
 }
 
+/**
+ * Returns true when the remote object appears to have moved since the
+ * journal entry's last-recorded sync. Prefers ETag equality; falls back to
+ * `lastModified > syncedAt` for legacy entries written before remoteEtag
+ * was tracked. Conservative on tie (`<=` skews "remote unchanged").
+ */
+function hasRemoteChanged(
+  remote: { lastModified: Date; etag: string },
+  entry: { syncedAt: string; remoteEtag?: string },
+): boolean {
+  if (entry.remoteEtag) {
+    return normalizeEtag(remote.etag) !== entry.remoteEtag;
+  }
+  const syncedAt = new Date(entry.syncedAt).getTime();
+  return remote.lastModified.getTime() > syncedAt;
+}
+
 /**
  * Check if an error is an S3 access denied (expected for filtered guests).
  */

package/src/ignore.test.ts

@@ -61,6 +61,15 @@ describe("createIgnoreFilter", () => {
     expect(shouldSync(path.join(hqRoot, "company.yaml"))).toBe(false);
   });
 
+  it("permissive mode: INDEX.md and policies/_digest.md are ignored", () => {
+    // Both are auto-generated locally — INDEX.md by the tools indexer and
+    // policies/_digest.md by the policies digest builder.
+    const shouldSync = createIgnoreFilter(hqRoot);
+    expect(shouldSync(path.join(hqRoot, "INDEX.md"))).toBe(false);
+    expect(shouldSync(path.join(hqRoot, "companies/ghq/tools/INDEX.md"))).toBe(false);
+    expect(shouldSync(path.join(hqRoot, "policies/_digest.md"))).toBe(false);
+  });
+
   it("permissive mode: .hq-* internal state is ignored, .hqignore family + .hq/ still sync", () => {
     const shouldSync = createIgnoreFilter(hqRoot);
     // Internal state files that must never round-trip through the bucket.

package/src/ignore.ts

@@ -81,6 +81,9 @@ export const DEFAULT_IGNORES = [
   "modules/modules.yaml",
   // per-company identity file — written locally on first sync, never round-tripped.
   "company.yaml",
+  // auto-generated tool index and policy digest — regenerated locally per-machine.
+  "INDEX.md",
+  "policies/_digest.md",
 
   // HQ repos directory (managed separately, not synced)
   "repos/",

package/src/journal.ts

@@ -80,16 +80,31 @@ export function updateEntry(
   hash: string,
   size: number,
   direction: "up" | "down",
+  remoteEtag?: string,
 ): void {
-  journal.files[relativePath] = {
+  const entry: JournalEntry = {
     hash,
     size,
     syncedAt: new Date().toISOString(),
     direction,
   };
+  if (remoteEtag !== undefined && remoteEtag !== "") {
+    entry.remoteEtag = normalizeEtag(remoteEtag);
+  }
+  journal.files[relativePath] = entry;
   journal.lastSync = new Date().toISOString();
 }
 
+/**
+ * S3 returns ETags wrapped in literal double-quotes (e.g. `"d41d8cd9..."`).
+ * Strip them so equality comparisons across HEAD / GET / PUT responses are
+ * stable regardless of which AWS SDK call surfaced the value.
+ */
+export function normalizeEtag(etag: string): string {
+  if (!etag) return "";
+  return etag.replace(/^"|"$/g, "");
+}
+
 export function getEntry(
   journal: SyncJournal,
   relativePath: string,

package/src/s3.ts

@@ -38,11 +38,11 @@ export async function uploadFile(
   ctx: EntityContext,
   localPath: string,
   key: string,
-): Promise<void> {
+): Promise<{ etag: string }> {
   const client = buildClient(ctx);
   const body = fs.readFileSync(localPath);
 
-  await client.send(
+  const response = await client.send(
     new PutObjectCommand({
       Bucket: ctx.bucketName,
       Key: key,
@@ -50,6 +50,8 @@ export async function uploadFile(
       ContentType: getMimeType(key),
     }),
   );
+
+  return { etag: response.ETag || "" };
 }
 
 export async function downloadFile(

package/src/types.ts

@@ -26,6 +26,14 @@ export interface JournalEntry {
   size: number;
   syncedAt: string;
   direction: "up" | "down";
+  /**
+   * S3 ETag of the remote object as of last successful sync, normalized (no
+   * surrounding quotes). Optional for backwards compatibility: entries
+   * written before this field existed won't have it, in which case
+   * conflict detection falls back to comparing remote `lastModified`
+   * against `syncedAt`.
+   */
+  remoteEtag?: string;
 }
 
 export interface SyncJournal {

package/src/watcher.ts

@@ -113,8 +113,8 @@ export class SyncWatcher {
           const existing = journal.files[relativePath];
           if (existing && existing.hash === hash) continue;
 
-          await uploadFile(this.ctx, change.absolutePath, relativePath);
-          updateEntry(journal, relativePath, hash, stat.size, "up");
+          const { etag } = await uploadFile(this.ctx, change.absolutePath, relativePath);
+          updateEntry(journal, relativePath, hash, stat.size, "up", etag);
         }
       } catch (err) {
         console.error(