@indigoai-us/hq-cloud 5.45.0 → 5.47.0

package/src/object-io.test.ts

@@ -0,0 +1,663 @@
+/**
+ * Unit tests for the ObjectIO transport seam.
+ *
+ * Focus is the PresignObjectIO path (the new transport): it talks to a
+ * VaultClient-shaped stub for URL minting and a mocked global `fetch` for the
+ * byte movement. The S3SdkObjectIO path is already covered transitively by
+ * s3.test.ts (which exercises s3.ts through the default factory), plus a couple
+ * of factory-selection tests here.
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import {
+  PresignObjectIO,
+  S3SdkObjectIO,
+  setObjectIOFactory,
+  resolveObjectIO,
+  presignObjectIOFactory,
+  type PresignTransportClient,
+} from "./object-io.js";
+import type { EntityContext } from "./types.js";
+import type { PresignResultRow, VaultListedObject } from "./vault-client.js";
+
+const COMPANY = "cmp_test";
+
+function ctx(): EntityContext {
+  return {
+    uid: COMPANY,
+    slug: "test",
+    bucketName: "bucket-test",
+    region: "us-east-1",
+    credentials: {
+      accessKeyId: "AKIA",
+      secretAccessKey: "secret",
+      sessionToken: "token",
+    },
+    expiresAt: "2099-01-01T00:00:00.000Z",
+  };
+}
+
+/**
+ * Minimal VaultClient stub. Each method returns whatever the per-test config
+ * sets; presign records the inputs it was called with so tests can assert the
+ * op/metadata/key shape the seam sends.
+ */
+function makeVault() {
+  const presignCalls: Array<{
+    companyUid: string;
+    op?: string;
+    keys: unknown[];
+  }> = [];
+  let nextPresign: PresignResultRow[] = [];
+  let nextList: {
+    objects: VaultListedObject[];
+    cursor: string | null;
+    truncated: boolean;
+  } = { objects: [], cursor: null, truncated: false };
+
+  const vault: PresignTransportClient = {
+    presign: async (input) => {
+      presignCalls.push({
+        companyUid: input.companyUid,
+        op: input.op,
+        keys: input.keys,
+      });
+      return { results: nextPresign, expiresAt: "2099-01-01T00:00:00.000Z" };
+    },
+    listFiles: async () => nextList,
+  };
+
+  return {
+    vault,
+    presignCalls,
+    setPresign: (rows: PresignResultRow[]) => {
+      nextPresign = rows;
+    },
+    setList: (v: typeof nextList) => {
+      nextList = v;
+    },
+  };
+}
+
+describe("factory selection", () => {
+  afterEach(() => setObjectIOFactory(null));
+
+  it("defaults to the S3 SDK transport", () => {
+    const io = resolveObjectIO(ctx());
+    expect(io).toBeInstanceOf(S3SdkObjectIO);
+  });
+
+  it("setObjectIOFactory(null) resets to the default", () => {
+    const { vault } = makeVault();
+    setObjectIOFactory(presignObjectIOFactory(vault));
+    expect(resolveObjectIO(ctx())).toBeInstanceOf(PresignObjectIO);
+    setObjectIOFactory(null);
+    expect(resolveObjectIO(ctx())).toBeInstanceOf(S3SdkObjectIO);
+  });
+
+  it("presign factory derives companyUid from ctx.uid", async () => {
+    const { vault, presignCalls, setPresign } = makeVault();
+    setPresign([{ key: "k", op: "get", url: "https://x/get" }]);
+    vi.stubGlobal(
+      "fetch",
+      vi.fn(async () => new Response(Buffer.from("body"), { status: 200 })),
+    );
+    const io = presignObjectIOFactory(vault)(ctx());
+    await io.getObject("k");
+    expect(presignCalls[0].companyUid).toBe(COMPANY);
+    vi.unstubAllGlobals();
+  });
+});
+
+describe("PresignObjectIO.putObject", () => {
+  let fetchMock: ReturnType<typeof vi.fn>;
+  beforeEach(() => {
+    fetchMock = vi.fn();
+    vi.stubGlobal("fetch", fetchMock);
+  });
+  afterEach(() => vi.unstubAllGlobals());
+
+  it("sends op:put with metadata and replays the signed headers verbatim", async () => {
+    const { vault, presignCalls, setPresign } = makeVault();
+    setPresign([
+      {
+        key: "shared/a.md",
+        op: "put",
+        url: "https://s3/put-url",
+        headers: {
+          "content-type": "text/markdown",
+          "x-amz-server-side-encryption": "aws:kms",
+          "x-amz-meta-created-by": "me@getindigo.ai",
+        },
+      },
+    ]);
+    fetchMock.mockResolvedValue(
+      new Response(null, { status: 200, headers: { etag: '"abc123"' } }),
+    );
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    const res = await io.putObject({
+      key: "shared/a.md",
+      body: Buffer.from("hello"),
+      contentType: "text/markdown",
+      metadata: { "created-by": "me@getindigo.ai" },
+    });
+
+    // Presign request carried op + per-key metadata.
+    expect(presignCalls[0].op).toBe("put");
+    expect(presignCalls[0].keys[0]).toMatchObject({
+      key: "shared/a.md",
+      op: "put",
+      contentType: "text/markdown",
+      metadata: { "created-by": "me@getindigo.ai" },
+    });
+
+    // PUT replays the exact signed headers.
+    const [url, init] = fetchMock.mock.calls[0];
+    expect(url).toBe("https://s3/put-url");
+    expect(init.method).toBe("PUT");
+    expect(init.headers).toEqual({
+      "content-type": "text/markdown",
+      "x-amz-server-side-encryption": "aws:kms",
+      "x-amz-meta-created-by": "me@getindigo.ai",
+    });
+    // ETag returned with quotes stripped.
+    expect(res.etag).toBe("abc123");
+  });
+
+  it("throws on a per-key denial (error row)", async () => {
+    const { vault, setPresign } = makeVault();
+    setPresign([
+      { key: "secret/x", op: "put", error: "forbidden", code: "ACL_DENY" },
+    ]);
+    const io = new PresignObjectIO(vault, COMPANY);
+    await expect(
+      io.putObject({
+        key: "secret/x",
+        body: Buffer.from("z"),
+        contentType: "text/plain",
+      }),
+    ).rejects.toThrow(/denied for secret\/x.*forbidden.*ACL_DENY/);
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("throws when the PUT itself fails", async () => {
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "k", op: "put", url: "https://s3/put" }]);
+    fetchMock.mockResolvedValue(new Response("AccessDenied", { status: 403 }));
+    const io = new PresignObjectIO(vault, COMPANY);
+    await expect(
+      io.putObject({ key: "k", body: Buffer.from("z"), contentType: "x" }),
+    ).rejects.toThrow(/presigned PUT failed for k: 403/);
+  });
+});
+
+describe("PresignObjectIO.getObject", () => {
+  let fetchMock: ReturnType<typeof vi.fn>;
+  beforeEach(() => {
+    fetchMock = vi.fn();
+    vi.stubGlobal("fetch", fetchMock);
+  });
+  afterEach(() => vi.unstubAllGlobals());
+
+  it("returns body bytes + x-amz-meta-* metadata", async () => {
+    const { vault, presignCalls, setPresign } = makeVault();
+    setPresign([{ key: "shared/a.md", op: "get", url: "https://s3/get" }]);
+    fetchMock.mockResolvedValue(
+      new Response(Buffer.from("file-bytes"), {
+        status: 200,
+        headers: {
+          "x-amz-meta-created-by": "me@getindigo.ai",
+          "x-amz-meta-hq-mode": "640",
+          "content-type": "text/markdown",
+        },
+      }),
+    );
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    const res = await io.getObject("shared/a.md");
+
+    expect(presignCalls[0].op).toBe("get");
+    expect(res.body.toString("utf-8")).toBe("file-bytes");
+    expect(res.metadata).toEqual({
+      "created-by": "me@getindigo.ai",
+      "hq-mode": "640",
+    });
+  });
+
+  it("throws a NotFound-named error on 404 (so s3.ts catch sites match)", async () => {
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "gone", op: "get", url: "https://s3/get" }]);
+    fetchMock.mockResolvedValue(new Response("", { status: 404 }));
+    const io = new PresignObjectIO(vault, COMPANY);
+    await expect(io.getObject("gone")).rejects.toMatchObject({
+      name: "NotFound",
+    });
+  });
+});
+
+describe("PresignObjectIO.listObjects", () => {
+  it("maps listFiles rows into the RemoteObject shape (etag, Date)", async () => {
+    const { vault, setList } = makeVault();
+    setList({
+      objects: [
+        {
+          key: "shared/a.md",
+          size: 12,
+          lastModified: "2026-01-01T00:00:00.000Z",
+          etag: "deadbeef",
+          permission: "read",
+        },
+        {
+          key: "shared/b.md",
+          size: 0,
+          lastModified: null,
+          etag: null,
+          permission: "write",
+        },
+      ],
+      cursor: "next-token",
+      truncated: true,
+    });
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    const res = await io.listObjects({ prefix: "shared/" });
+
+    expect(res.nextContinuationToken).toBe("next-token");
+    expect(res.objects[0]).toEqual({
+      key: "shared/a.md",
+      size: 12,
+      lastModified: new Date("2026-01-01T00:00:00.000Z"),
+      etag: "deadbeef",
+    });
+    // null etag → "" ; null lastModified → a Date (not crash).
+    expect(res.objects[1].etag).toBe("");
+    expect(res.objects[1].lastModified).toBeInstanceOf(Date);
+  });
+
+  it("exhausted listing yields undefined nextContinuationToken", async () => {
+    const { vault, setList } = makeVault();
+    setList({ objects: [], cursor: null, truncated: false });
+    const io = new PresignObjectIO(vault, COMPANY);
+    const res = await io.listObjects({});
+    expect(res.nextContinuationToken).toBeUndefined();
+  });
+});
+
+describe("PresignObjectIO.deleteObject", () => {
+  let fetchMock: ReturnType<typeof vi.fn>;
+  beforeEach(() => {
+    fetchMock = vi.fn();
+    vi.stubGlobal("fetch", fetchMock);
+  });
+  afterEach(() => vi.unstubAllGlobals());
+
+  it("sends op:delete and DELETEs the signed URL", async () => {
+    const { vault, presignCalls, setPresign } = makeVault();
+    setPresign([{ key: "shared/a.md", op: "delete", url: "https://s3/del" }]);
+    fetchMock.mockResolvedValue(new Response(null, { status: 204 }));
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.deleteObject("shared/a.md");
+    expect(presignCalls[0].op).toBe("delete");
+    expect(fetchMock.mock.calls[0][1].method).toBe("DELETE");
+  });
+
+  it("treats a 404 DELETE as success (idempotent)", async () => {
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "gone", op: "delete", url: "https://s3/del" }]);
+    fetchMock.mockResolvedValue(new Response("", { status: 404 }));
+    const io = new PresignObjectIO(vault, COMPANY);
+    await expect(io.deleteObject("gone")).resolves.toBeUndefined();
+  });
+});
+
+describe("PresignObjectIO.headObject", () => {
+  let fetchMock: ReturnType<typeof vi.fn>;
+  beforeEach(() => {
+    fetchMock = vi.fn();
+    vi.stubGlobal("fetch", fetchMock);
+  });
+  afterEach(() => vi.unstubAllGlobals());
+
+  it("reads headers (etag/size/lastModified/metadata) via a presigned GET", async () => {
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "shared/a.md", op: "get", url: "https://s3/get" }]);
+    fetchMock.mockResolvedValue(
+      new Response(Buffer.from("ignored-body"), {
+        status: 200,
+        headers: {
+          etag: '"feedface"',
+          "content-length": "123",
+          "last-modified": "Wed, 01 Jan 2026 00:00:00 GMT",
+          "x-amz-meta-created-at": "2026-01-01T00:00:00.000Z",
+        },
+      }),
+    );
+    const io = new PresignObjectIO(vault, COMPANY);
+    const head = await io.headObject("shared/a.md");
+    expect(head).not.toBeNull();
+    expect(head!.etag).toBe("feedface");
+    expect(head!.size).toBe(123);
+    expect(head!.metadata).toEqual({
+      "created-at": "2026-01-01T00:00:00.000Z",
+    });
+    expect(head!.lastModified.getTime()).toBe(
+      Date.parse("Wed, 01 Jan 2026 00:00:00 GMT"),
+    );
+  });
+
+  it("returns null on 404", async () => {
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "gone", op: "get", url: "https://s3/get" }]);
+    fetchMock.mockResolvedValue(new Response("", { status: 404 }));
+    const io = new PresignObjectIO(vault, COMPANY);
+    expect(await io.headObject("gone")).toBeNull();
+  });
+
+  it("returns null when presign denies the key (no usable head)", async () => {
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "secret/x", op: "get", error: "forbidden" }]);
+    const io = new PresignObjectIO(vault, COMPANY);
+    expect(await io.headObject("secret/x")).toBeNull();
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+});
+
+/**
+ * Echo vault: presign returns one signed row per requested key (url derived
+ * from op+key) and records call count + total keys, so prime/cache tests can
+ * assert "N files → ceil(N/100) presign calls, then zero".
+ */
+function makeEchoVault() {
+  let calls = 0;
+  let totalKeys = 0;
+  const vault: PresignTransportClient = {
+    presign: async (input) => {
+      calls++;
+      totalKeys += input.keys.length;
+      return {
+        results: input.keys.map((k) => ({
+          key: k.key,
+          op: k.op ?? input.op ?? "get",
+          url: `https://signed/${k.op ?? input.op}/${encodeURIComponent(k.key)}`,
+          ...(k.op === "put" || input.op === "put"
+            ? { headers: { "content-type": "text/plain" } }
+            : {}),
+          expiresIn: input.expiresIn ?? 900,
+        })),
+        expiresAt: "2099-01-01T00:00:00.000Z",
+      };
+    },
+    listFiles: async () => ({ objects: [], cursor: null, truncated: false }),
+  };
+  return {
+    vault,
+    calls: () => calls,
+    totalKeys: () => totalKeys,
+  };
+}
+
+describe("PresignObjectIO.prime — batch URL cache", () => {
+  let fetchMock: ReturnType<typeof vi.fn>;
+  beforeEach(() => {
+    fetchMock = vi.fn(async () => new Response(Buffer.from("x"), { status: 200 }));
+    vi.stubGlobal("fetch", fetchMock);
+  });
+  afterEach(() => vi.unstubAllGlobals());
+
+  it("chunks at 1000 keys per presign call (the server batch cap)", async () => {
+    const { vault, calls, totalKeys } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+    const keys = Array.from({ length: 2500 }, (_, i) => ({ key: `k${i}` }));
+    await io.prime("get", keys);
+    expect(calls()).toBe(3); // 1000 + 1000 + 500
+    expect(totalKeys()).toBe(2500);
+  });
+
+  it("primed getObject reuses the cache — zero extra presign calls", async () => {
+    const { vault, calls } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+    const keys = Array.from({ length: 5 }, (_, i) => ({ key: `f${i}` }));
+    await io.prime("get", keys);
+    const afterPrime = calls(); // 1 chunk
+    for (const k of keys) await io.getObject(k.key);
+    expect(calls()).toBe(afterPrime); // no new presign calls
+    expect(fetchMock).toHaveBeenCalledTimes(5); // but the bytes were fetched
+    // The fetched URL is the primed (cached) one.
+    expect(fetchMock.mock.calls[0][0]).toBe("https://signed/get/f0");
+  });
+
+  it("primed GET cache also serves headObject (HEAD reuses GET URLs)", async () => {
+    const { vault, calls } = makeEchoVault();
+    fetchMock.mockResolvedValue(
+      new Response(Buffer.from(""), {
+        status: 200,
+        headers: { etag: '"e"', "content-length": "0" },
+      }),
+    );
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.prime("get", [{ key: "doc.md" }]);
+    const afterPrime = calls();
+    const head = await io.headObject("doc.md");
+    expect(head).not.toBeNull();
+    expect(calls()).toBe(afterPrime); // head used the cached GET url, no presign
+  });
+
+  it("a key NOT primed falls back to a single presign", async () => {
+    const { vault, calls } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.prime("get", [{ key: "primed" }]);
+    const afterPrime = calls();
+    await io.getObject("not-primed");
+    expect(calls()).toBe(afterPrime + 1);
+  });
+
+  it("empty prime is a no-op (no presign call)", async () => {
+    const { vault, calls } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.prime("get", []);
+    expect(calls()).toBe(0);
+  });
+
+  it("a chunk that throws doesn't fail prime; those keys fall back per-file", async () => {
+    let calls = 0;
+    const vault: PresignTransportClient = {
+      presign: async (input) => {
+        calls++;
+        if (calls === 1) throw new Error("transient");
+        return {
+          results: input.keys.map((k) => ({
+            key: k.key,
+            op: "get" as const,
+            url: `https://signed/get/${k.key}`,
+            expiresIn: 900,
+          })),
+          expiresAt: "2099-01-01T00:00:00.000Z",
+        };
+      },
+      listFiles: async () => ({ objects: [], cursor: null, truncated: false }),
+    };
+    const io = new PresignObjectIO(vault, COMPANY);
+    // Single chunk that throws — prime resolves anyway, key stays uncached.
+    await expect(io.prime("get", [{ key: "k" }])).resolves.toBeUndefined();
+    // getObject then single-presigns (call #2 succeeds).
+    await io.getObject("k");
+    expect(calls).toBe(2);
+  });
+});
+
+describe("presignObjectIOFactory — memoization", () => {
+  afterEach(() => setObjectIOFactory(null));
+  it("returns the SAME instance per companyUid so prime + transfer share a cache", () => {
+    const { vault } = makeEchoVault();
+    const factory = presignObjectIOFactory(vault);
+    const a1 = factory(ctx());
+    const a2 = factory(ctx());
+    expect(a1).toBe(a2); // same company → same instance
+    const other = factory({ ...ctx(), uid: "cmp_other" });
+    expect(other).not.toBe(a1); // different company → different instance
+  });
+});
+
+describe("PresignObjectIO — transient-failure retry (SDK parity)", () => {
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.unstubAllGlobals();
+  });
+
+  it("retries a transient 503 then succeeds", async () => {
+    vi.useFakeTimers();
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "k", op: "get", url: "https://s3/get" }]);
+    const fetchMock = vi
+      .fn()
+      .mockResolvedValueOnce(new Response("SlowDown", { status: 503 }))
+      .mockResolvedValueOnce(new Response(Buffer.from("ok"), { status: 200 }));
+    vi.stubGlobal("fetch", fetchMock);
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    const pr = io.getObject("k");
+    await vi.runAllTimersAsync();
+    const res = await pr;
+    expect(res.body.toString("utf-8")).toBe("ok");
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+  });
+
+  it("retries a network error (fetch throws) then succeeds", async () => {
+    vi.useFakeTimers();
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "k", op: "get", url: "https://s3/get" }]);
+    const fetchMock = vi
+      .fn()
+      .mockRejectedValueOnce(new Error("socket hang up"))
+      .mockResolvedValueOnce(new Response(Buffer.from("ok"), { status: 200 }));
+    vi.stubGlobal("fetch", fetchMock);
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    const pr = io.getObject("k");
+    await vi.runAllTimersAsync();
+    const res = await pr;
+    expect(res.body.toString("utf-8")).toBe("ok");
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+  });
+
+  it("throws after exhausting retries on persistent 503 (initial + 3 retries = 4)", async () => {
+    vi.useFakeTimers();
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "k", op: "get", url: "https://s3/get" }]);
+    const fetchMock = vi.fn().mockResolvedValue(new Response("err", { status: 503 }));
+    vi.stubGlobal("fetch", fetchMock);
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    const pr = io.getObject("k").catch((e) => e);
+    await vi.runAllTimersAsync();
+    const err = await pr;
+    expect(String(err)).toMatch(/503/);
+    expect(fetchMock).toHaveBeenCalledTimes(4);
+  });
+
+  it("does NOT retry a definitive 404", async () => {
+    const { vault, setPresign } = makeVault();
+    setPresign([{ key: "gone", op: "get", url: "https://s3/get" }]);
+    const fetchMock = vi.fn().mockResolvedValue(new Response("", { status: 404 }));
+    vi.stubGlobal("fetch", fetchMock);
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    await expect(io.getObject("gone")).rejects.toMatchObject({ name: "NotFound" });
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+});
+
+import { VaultClientError } from "./vault-client.js";
+
+describe("PresignObjectIO — 429 circuit breaker", () => {
+  afterEach(() => vi.unstubAllGlobals());
+
+  it("trips on a 429: uncached keys fail fast (no further presign), primed keys still work", async () => {
+    let presignCalls = 0;
+    const vault: PresignTransportClient = {
+      presign: async (input) => {
+        presignCalls++;
+        if (input.keys.some((k) => k.key === "primed")) {
+          return {
+            results: input.keys.map((k) => ({
+              key: k.key,
+              op: k.op ?? "get",
+              url: `https://s/${k.key}`,
+              expiresIn: 900,
+            })),
+            expiresAt: "2099-01-01T00:00:00.000Z",
+          };
+        }
+        throw new VaultClientError("Rate limit exceeded: 100 requests per hour", 429);
+      },
+      listFiles: async () => ({ objects: [], cursor: null, truncated: false }),
+    };
+    vi.stubGlobal(
+      "fetch",
+      vi.fn(async () => new Response(Buffer.from("x"), { status: 200 })),
+    );
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.prime("get", [{ key: "primed" }]); // caches "primed"
+
+    await expect(io.getObject("uncached1")).rejects.toMatchObject({
+      name: "RateLimited",
+    });
+    const afterTrip = presignCalls;
+    // Second uncached key fails fast — NO new presign call.
+    await expect(io.getObject("uncached2")).rejects.toMatchObject({
+      name: "RateLimited",
+    });
+    expect(presignCalls).toBe(afterTrip);
+    // The primed key still resolves from cache (no presign needed).
+    const r = await io.getObject("primed");
+    expect(r.body.toString("utf-8")).toBe("x");
+  });
+
+  it("prime stops minting once a chunk 429s (breaker trips, remaining chunks skipped)", async () => {
+    let calls = 0;
+    const vault: PresignTransportClient = {
+      presign: async () => {
+        calls++;
+        throw new VaultClientError("rate", 429);
+      },
+      listFiles: async () => ({ objects: [], cursor: null, truncated: false }),
+    };
+    const io = new PresignObjectIO(vault, COMPANY);
+    // 10 chunks (10k keys @ 1000); concurrency is 4, so at most the first
+    // concurrent batch fires before the breaker trips — far fewer than 10.
+    await io.prime(
+      "get",
+      Array.from({ length: 10_000 }, (_, i) => ({ key: `k${i}` })),
+    );
+    expect(calls).toBeLessThanOrEqual(4);
+    expect(calls).toBeLessThan(10);
+  });
+});
+
+describe("PresignObjectIO.hasPrimedPut", () => {
+  it("reflects a put prime", async () => {
+    const { vault } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+    expect(io.hasPrimedPut("k")).toBe(false);
+    await io.prime("put", [
+      { key: "k", op: "put", contentType: "text/plain", metadata: { "hq-mode": "644" } },
+    ]);
+    expect(io.hasPrimedPut("k")).toBe(true);
+    // A different, unprimed key stays false.
+    expect(io.hasPrimedPut("other")).toBe(false);
+  });
+});
+
+describe("presignObjectIOFactory — personal vaults route to S3 SDK", () => {
+  it("routes a person entity (prs_*) to S3SdkObjectIO, a company (cmp_*) to presign", () => {
+    const { vault } = makeEchoVault();
+    const factory = presignObjectIOFactory(vault);
+    const company = factory({ ...ctx(), uid: "cmp_real" });
+    const personal = factory({ ...ctx(), uid: "prs_real" });
+    expect(company).toBeInstanceOf(PresignObjectIO);
+    // Personal vaults use the membership-less vend-self model; the
+    // membership-gated presign endpoints 403 for them, so they stay on STS.
+    expect(personal).toBeInstanceOf(S3SdkObjectIO);
+  });
+});