@indigoai-us/hq-cloud 5.47.1 → 5.48.0

package/src/cli/index.ts

@@ -23,3 +23,13 @@ export type { AcceptOptions, AcceptResult } from "./accept.js";
 
 export { promote } from "./promote.js";
 export type { PromoteOptions, PromoteResult } from "./promote.js";
+
+// Skill/personal-overlay mirroring + workers-registry regen (formerly the
+// hq-core master-sync.sh hook).
+export { masterSync, masterSyncScriptPath } from "./master-sync.js";
+export type { MasterSyncOptions, MasterSyncResult } from "./master-sync.js";
+
+// Drift-preserving HQ-core re-sync (formerly bundled only inside the HQ Sync
+// menubar app). Now shared between the app and `hq rescue`.
+export { rescue, rescueScriptPath, buildRescueArgs } from "./rescue.js";
+export type { RescueOptions, RescueResult } from "./rescue.js";

package/src/cli/master-sync.test.ts

@@ -0,0 +1,94 @@
+/**
+ * Unit tests for `hq master-sync` (the formerly-bash hq-core hook, now shipped
+ * in this package and invoked via the CLI).
+ *
+ * The logic itself lives in scripts/master-sync.sh; these tests exercise it via
+ * the masterSync() wrapper against a temp HQ tree, asserting the observable
+ * filesystem outcomes (skill wrappers, personal-overlay mirroring) rather than
+ * re-deriving the bash internals.
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { masterSync, masterSyncScriptPath } from "./master-sync.js";
+
+describe("masterSyncScriptPath", () => {
+  it("resolves to the bundled script and the file exists", () => {
+    const p = masterSyncScriptPath();
+    expect(p.endsWith(path.join("scripts", "master-sync.sh"))).toBe(true);
+    expect(fs.existsSync(p)).toBe(true);
+  });
+});
+
+describe("masterSync", () => {
+  let root: string;
+
+  beforeEach(() => {
+    root = fs.mkdtempSync(path.join(os.tmpdir(), "ms-test-"));
+  });
+
+  afterEach(() => {
+    fs.rmSync(root, { recursive: true, force: true });
+  });
+
+  function writeSkill(rel: string): void {
+    const dir = path.join(root, rel);
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(path.join(dir, "SKILL.md"), "skill\n");
+  }
+
+  it("surfaces namespaced skills as .claude/skills/<ns>:<skill>/ wrappers", () => {
+    writeSkill("core/skills/demo");
+    fs.writeFileSync(path.join(root, "core/skills/demo/helper.md"), "h\n");
+    writeSkill("companies/acme/skills/widget");
+
+    const { status } = masterSync({ repoRoot: root });
+    expect(status).toBe(0);
+
+    const coreWrapper = path.join(root, ".claude/skills/core:demo");
+    expect(fs.lstatSync(path.join(coreWrapper, "SKILL.md")).isSymbolicLink()).toBe(true);
+    expect(fs.readlinkSync(path.join(coreWrapper, "SKILL.md"))).toBe(
+      "../../../core/skills/demo/SKILL.md",
+    );
+    // Every source file is mirrored, not just SKILL.md.
+    expect(fs.existsSync(path.join(coreWrapper, "helper.md"))).toBe(true);
+
+    const acmeWrapper = path.join(root, ".claude/skills/acme:widget");
+    expect(fs.readlinkSync(path.join(acmeWrapper, "SKILL.md"))).toBe(
+      "../../../companies/acme/skills/widget/SKILL.md",
+    );
+  });
+
+  it("mirrors the personal overlay into core/<type>/", () => {
+    fs.mkdirSync(path.join(root, "personal/policies"), { recursive: true });
+    fs.writeFileSync(path.join(root, "personal/policies/myrule.md"), "rule\n");
+
+    const { status } = masterSync({ repoRoot: root });
+    expect(status).toBe(0);
+
+    const link = path.join(root, "core/policies/myrule.md");
+    expect(fs.lstatSync(link).isSymbolicLink()).toBe(true);
+    expect(fs.readlinkSync(link)).toBe("../../personal/policies/myrule.md");
+  });
+
+  it("prunes orphan managed wrappers when the source skill disappears", () => {
+    writeSkill("core/skills/demo");
+    masterSync({ repoRoot: root });
+    expect(fs.existsSync(path.join(root, ".claude/skills/core:demo"))).toBe(true);
+
+    fs.rmSync(path.join(root, "core/skills/demo"), { recursive: true, force: true });
+    masterSync({ repoRoot: root });
+    expect(fs.existsSync(path.join(root, ".claude/skills/core:demo"))).toBe(false);
+  });
+
+  it("is idempotent — a second run is a no-op", () => {
+    writeSkill("core/skills/demo");
+    expect(masterSync({ repoRoot: root }).status).toBe(0);
+    expect(masterSync({ repoRoot: root }).status).toBe(0);
+    expect(
+      fs.readlinkSync(path.join(root, ".claude/skills/core:demo/SKILL.md")),
+    ).toBe("../../../core/skills/demo/SKILL.md");
+  });
+});

package/src/cli/master-sync.ts

@@ -0,0 +1,56 @@
+/**
+ * hq master-sync — surfaces namespaced skills as Claude Code skill wrappers,
+ * mirrors personal/{knowledge,policies,workers,settings} into core/, prunes
+ * orphan wrappers, and regenerates the workers registry.
+ *
+ * The implementation lives in scripts/master-sync.sh, shipped with this
+ * package. This module resolves that script relative to the package (dist/cli
+ * → package root) and execs it against the caller's HQ root. Historically the
+ * script ran directly as a Claude Code hook inside hq-core; it now lives here
+ * so a single copy is maintained, and the hq-core hook is a thin shim over
+ * `hq master-sync`.
+ */
+import { spawnSync } from "child_process";
+import { fileURLToPath } from "url";
+import path from "path";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+/**
+ * Absolute path to the bundled master-sync.sh. From the compiled module at
+ * dist/cli/master-sync.js, the package root is two levels up; the script lives
+ * at <package-root>/scripts/master-sync.sh.
+ */
+export function masterSyncScriptPath(): string {
+  return path.resolve(__dirname, "..", "..", "scripts", "master-sync.sh");
+}
+
+export interface MasterSyncOptions {
+  /** HQ root to operate on. Defaults to process.cwd(). */
+  repoRoot?: string;
+}
+
+export interface MasterSyncResult {
+  /** Exit status of the underlying script (0 = success). */
+  status: number;
+}
+
+/**
+ * Run master-sync against an HQ root. Synchronous — the script is cheap and
+ * idempotent, and callers (the hook shim, tests) want the exit status.
+ * stdout/stderr from the script are forwarded to stderr so the caller's stdout
+ * stays clean (hooks must not emit stdout that the agent interprets).
+ */
+export function masterSync(opts: MasterSyncOptions = {}): MasterSyncResult {
+  const repoRoot = opts.repoRoot ?? process.cwd();
+  const script = masterSyncScriptPath();
+  const res = spawnSync("bash", [script, repoRoot], {
+    stdio: ["ignore", "inherit", "inherit"],
+  });
+  if (res.error) {
+    process.stderr.write(`master-sync: failed to run ${script}: ${res.error.message}\n`);
+    return { status: 1 };
+  }
+  return { status: res.status ?? 1 };
+}

package/src/cli/rescue.test.ts

@@ -0,0 +1,65 @@
+import { describe, it, expect } from "vitest";
+import { buildRescueArgs, rescueScriptPath } from "./rescue.js";
+
+describe("rescueScriptPath", () => {
+  it("resolves to the bundled script at the package root", () => {
+    const p = rescueScriptPath();
+    expect(p.endsWith("scripts/replace-rescue.sh")).toBe(true);
+    // From dist/cli/rescue.js the package root is two levels up; ensure we
+    // don't accidentally point inside dist/.
+    expect(p).not.toContain("/dist/scripts/");
+  });
+});
+
+describe("buildRescueArgs", () => {
+  it("emits no args for an empty option set (script defaults apply)", () => {
+    expect(buildRescueArgs()).toEqual([]);
+  });
+
+  it("maps the prod-update shape the menubar app uses", () => {
+    const args = buildRescueArgs({
+      hqRoot: "/Users/x/HQ",
+      source: "indigoai-us/hq-core",
+      ref: "v12.3.0",
+      floorSha: "a".repeat(40),
+      assumeYes: true,
+    });
+    expect(args).toEqual([
+      "--hq-root",
+      "/Users/x/HQ",
+      "--source",
+      "indigoai-us/hq-core",
+      "--ref",
+      "v12.3.0",
+      "--floor-sha",
+      "a".repeat(40),
+      "--yes",
+    ]);
+  });
+
+  it("joins narrow paths and repeats preserve flags", () => {
+    const args = buildRescueArgs({
+      paths: ["core", ".claude"],
+      preserve: ["foo", "bar"],
+      preserveSubpaths: ["core/keep.md"],
+    });
+    expect(args).toContain("--paths");
+    expect(args[args.indexOf("--paths") + 1]).toBe("core,.claude");
+    expect(args.filter((a) => a === "--preserve")).toHaveLength(2);
+    expect(args).toContain("foo");
+    expect(args).toContain("bar");
+    expect(args).toContain("--preserve-subpath");
+    expect(args).toContain("core/keep.md");
+  });
+
+  it("passes dry-run and no-backup toggles through", () => {
+    const args = buildRescueArgs({ dryRun: true, noBackup: true, noHistoryCheck: true });
+    expect(args).toContain("--dry-run");
+    expect(args).toContain("--no-backup");
+    expect(args).toContain("--no-history-check");
+  });
+
+  it("does not emit --paths for an empty path list", () => {
+    expect(buildRescueArgs({ paths: [] })).toEqual([]);
+  });
+});

package/src/cli/rescue.ts

@@ -0,0 +1,122 @@
+/**
+ * hq rescue — re-sync a local HQ tree to an upstream hq-core release (or a
+ * staging branch) WITHOUT destroying the user's local edits ("drift").
+ *
+ * The implementation lives in scripts/replace-rescue.sh, shipped with this
+ * package. This module resolves that script relative to the package (dist/cli
+ * → package root) and execs it against the caller's HQ root. The script was
+ * historically bundled inside the HQ Sync menubar app; it now lives here so a
+ * single copy is maintained and BOTH consumers — the menubar app (which
+ * bundles this package's copy) and `@indigoai-us/hq-cli`'s `hq rescue`
+ * command — drive the exact same rescue logic.
+ *
+ * The script is channel-agnostic: `--source <repo>` + `--ref <tag|branch>`
+ * select prod vs staging, and `--floor-sha` pins the three-way history floor.
+ * See scripts/replace-rescue.sh for the full classify/overlay/stamp algorithm.
+ */
+import { spawnSync } from "child_process";
+import { fileURLToPath } from "url";
+import path from "path";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+/**
+ * Absolute path to the bundled replace-rescue.sh. From the compiled module at
+ * dist/cli/rescue.js, the package root is two levels up; the script lives at
+ * <package-root>/scripts/replace-rescue.sh.
+ */
+export function rescueScriptPath(): string {
+  return path.resolve(__dirname, "..", "..", "scripts", "replace-rescue.sh");
+}
+
+export interface RescueOptions {
+  /** HQ root to operate on. Passed as `--hq-root`. Defaults to the script's
+   *  own resolution (cwd-based) when omitted. */
+  hqRoot?: string;
+  /** Upstream repo, e.g. `indigoai-us/hq-core`. Script default:
+   *  `indigoai-us/hq-core-staging`. */
+  source?: string;
+  /** Git ref (tag or branch). Script default: `main`. */
+  ref?: string;
+  /** 40-char lowercase hex SHA pinning the three-way history floor. When
+   *  omitted the script reads the on-disk sync stamp from core/core.yaml. */
+  floorSha?: string;
+  /** Narrow the wipe set to an explicit list of top-level paths (`--paths`,
+   *  comma-joined). */
+  paths?: string[];
+  /** Extra top-level entries to always preserve (`--preserve`, repeatable). */
+  preserve?: string[];
+  /** Extra relative subpaths to carve out + restore (`--preserve-subpath`,
+   *  repeatable). */
+  preserveSubpaths?: string[];
+  /** Plan only — classify + report, change nothing on disk (`--dry-run`). */
+  dryRun?: boolean;
+  /** Skip the interactive confirmation prompt (`--yes`). Required for any
+   *  non-interactive caller. */
+  assumeYes?: boolean;
+  /** Skip the pre-op safety snapshot under ~/.hq/backups (`--no-backup`). */
+  noBackup?: boolean;
+  /** Override the backup root (`--backup-dir`). */
+  backupDir?: string;
+  /** Shallow-clone the source and skip the history-floor compare
+   *  (`--no-history-check`). */
+  noHistoryCheck?: boolean;
+  /** Cloud-update mode (`--cloud-update`). */
+  cloudUpdate?: boolean;
+  /** GitHub token forwarded to the script as `GH_TOKEN` (avoids the
+   *  anonymous-clone rate limit; required for private sources). */
+  ghToken?: string;
+  /** Escape hatch — additional raw args appended verbatim. */
+  extraArgs?: string[];
+}
+
+export interface RescueResult {
+  /** Exit status of the underlying script (0 = success). */
+  status: number;
+}
+
+/**
+ * Build the argv passed to bash (after the script path itself). Pure +
+ * exported so callers and tests can assert the flag mapping without spawning.
+ */
+export function buildRescueArgs(opts: RescueOptions = {}): string[] {
+  const args: string[] = [];
+  if (opts.hqRoot) args.push("--hq-root", opts.hqRoot);
+  if (opts.source) args.push("--source", opts.source);
+  if (opts.ref) args.push("--ref", opts.ref);
+  if (opts.floorSha) args.push("--floor-sha", opts.floorSha);
+  if (opts.paths && opts.paths.length > 0) args.push("--paths", opts.paths.join(","));
+  for (const p of opts.preserve ?? []) args.push("--preserve", p);
+  for (const sp of opts.preserveSubpaths ?? []) args.push("--preserve-subpath", sp);
+  if (opts.noHistoryCheck) args.push("--no-history-check");
+  if (opts.noBackup) args.push("--no-backup");
+  if (opts.backupDir) args.push("--backup-dir", opts.backupDir);
+  if (opts.cloudUpdate) args.push("--cloud-update");
+  if (opts.dryRun) args.push("--dry-run");
+  if (opts.assumeYes) args.push("--yes");
+  for (const extra of opts.extraArgs ?? []) args.push(extra);
+  return args;
+}
+
+/**
+ * Run the rescue script against an HQ root. Synchronous — the script is
+ * long-running (clone + scan) and callers want the exit status + live output.
+ * stdout/stderr from the script are inherited so the user sees the scan log
+ * and the confirmation prompt (unless `assumeYes` is set).
+ */
+export function rescue(opts: RescueOptions = {}): RescueResult {
+  const script = rescueScriptPath();
+  const args = buildRescueArgs(opts);
+  const env = { ...process.env };
+  if (opts.ghToken) env.GH_TOKEN = opts.ghToken;
+  const res = spawnSync("bash", [script, ...args], {
+    stdio: "inherit",
+    env,
+  });
+  if (res.error) {
+    process.stderr.write(`rescue: failed to run ${script}: ${res.error.message}\n`);
+    return { status: 1 };
+  }
+  return { status: res.status ?? 1 };
+}

package/src/cli/share.test.ts

@@ -15,6 +15,7 @@ import type { VaultServiceConfig } from "../types.js";
 // preserving sibling that puts a zero-byte object with target metadata
 // instead of dereferencing the link.
 vi.mock("../s3.js", () => ({
+  toPosixKey: (key: string) => key.split("\\").join("/"),
   uploadFile: vi.fn().mockResolvedValue({ etag: '"upload-etag"' }),
   uploadSymlink: vi.fn().mockResolvedValue({ etag: '"upload-symlink-etag"' }),
   downloadFile: vi.fn().mockResolvedValue(undefined),

package/src/cli/share.ts

@@ -12,6 +12,7 @@ import { resolveEntityContext, isExpiringSoon, refreshEntityContext } from "../c
 import {
   uploadFile,
   uploadSymlink,
+  toPosixKey,
   headRemoteFile,
   deleteRemoteFile,
   downloadFile,
@@ -1384,7 +1385,7 @@ function collectFiles(
         console.error(`  Warning: ${p} is outside company folder, skipping.`);
         continue;
       }
-      const relativePath = path.relative(syncRoot, absolutePath);
+      const relativePath = toPosixKey(path.relative(syncRoot, absolutePath));
       // Probe the filter with both isDir hints — we don't know whether
       // the link's target is a file or a directory without
       // stat-following the link, which we explicitly avoid (it would
@@ -1414,7 +1415,7 @@ function collectFiles(
       if (!filter(absolutePath, true)) continue;
       results.push(...walkDir(absolutePath, syncRoot, filter));
     } else if (lstat.isFile()) {
-      const relativePath = path.relative(syncRoot, absolutePath);
+      const relativePath = toPosixKey(path.relative(syncRoot, absolutePath));
       if (filter(absolutePath)) {
         results.push({ kind: "file", absolutePath, relativePath });
       }
@@ -1464,7 +1465,7 @@ function walkDir(
       results.push({
         kind: "symlink",
         absolutePath,
-        relativePath: path.relative(syncRoot, absolutePath),
+        relativePath: toPosixKey(path.relative(syncRoot, absolutePath)),
         target: fs.readlinkSync(absolutePath),
       });
       continue;
@@ -1480,7 +1481,7 @@ function walkDir(
       results.push({
         kind: "file",
         absolutePath,
-        relativePath: path.relative(syncRoot, absolutePath),
+        relativePath: toPosixKey(path.relative(syncRoot, absolutePath)),
       });
     }
   }

package/src/cli/sync-scope.test.ts

@@ -39,6 +39,7 @@ vi.mock("../s3.js", async () => {
   const innerPath = await import("path");
   const { vi: innerVi } = await import("vitest");
   return {
+    toPosixKey: (key: string) => key.split("\\").join("/"),
     uploadFile: innerVi.fn().mockResolvedValue(undefined),
     downloadFile: innerVi
       .fn()

package/src/cli/sync.test.ts

@@ -21,6 +21,7 @@ vi.mock("../s3.js", async () => {
   ];
 
   return {
+    toPosixKey: (key: string) => key.split("\\").join("/"),
     uploadFile: innerVi.fn().mockResolvedValue(undefined),
     downloadFile: innerVi.fn().mockImplementation(async (_ctx: unknown, _key: string, localPath: string) => {
       const dir = innerPath.dirname(localPath);

package/src/index.ts

@@ -18,6 +18,7 @@ export {
   listRemoteFiles,
   deleteRemoteFile,
   headRemoteFile,
+  toPosixKey,
 } from "./s3.js";
 
 export type { RemoteFile, UploadAuthor } from "./s3.js";
@@ -211,6 +212,14 @@ export type { AcceptOptions, AcceptResult } from "./cli/index.js";
 export { promote } from "./cli/index.js";
 export type { PromoteOptions, PromoteResult } from "./cli/index.js";
 
+// Skill/personal-overlay mirroring + workers-registry regen (`hq master-sync`).
+export { masterSync, masterSyncScriptPath } from "./cli/index.js";
+export type { MasterSyncOptions, MasterSyncResult } from "./cli/index.js";
+
+// Drift-preserving HQ-core re-sync — shared by the HQ Sync app and `hq rescue`.
+export { rescue, rescueScriptPath, buildRescueArgs } from "./cli/index.js";
+export type { RescueOptions, RescueResult } from "./cli/index.js";
+
 export type {
   EntityContext,
   VaultCredentials,

package/src/s3.test.ts

@@ -82,6 +82,7 @@ vi.mock("@aws-sdk/client-s3", () => {
 import {
   uploadFile,
   uploadSymlink,
+  toPosixKey,
   downloadFile,
   listRemoteFiles,
   SYMLINK_BODY_PREFIX,
@@ -108,6 +109,55 @@ function makeCtx(): EntityContext {
   };
 }
 
+describe("backslash key normalization (Windows client → POSIX S3 key)", () => {
+  // Regression for the Ridges vault bug: a non-POSIX (Windows) HQ Sync client
+  // built object keys from path.relative(), whose separator is "\\". Stored
+  // verbatim, `knowledge\books-eoi.md` had no "/", so the vault listing (which
+  // splits keys on "/") rendered it flat at the root as one oddly-named file.
+  let tmpFile: string;
+
+  beforeEach(() => {
+    sentCommands.length = 0;
+    tmpFile = path.join(
+      os.tmpdir(),
+      `s3-backslash-test-${Date.now()}-${Math.random()}.md`,
+    );
+    fs.writeFileSync(tmpFile, "hello");
+  });
+
+  it("toPosixKey converts every backslash to a forward slash", () => {
+    expect(toPosixKey("knowledge\\books-eoi.md")).toBe("knowledge/books-eoi.md");
+    expect(toPosixKey("data\\sub\\boots-accounts.json")).toBe(
+      "data/sub/boots-accounts.json",
+    );
+  });
+
+  it("toPosixKey leaves an already-POSIX key unchanged (idempotent)", () => {
+    expect(toPosixKey("knowledge/books-eoi.md")).toBe("knowledge/books-eoi.md");
+    expect(toPosixKey("flat.md")).toBe("flat.md");
+  });
+
+  it("uploadFile stores a POSIX key when given a Windows-style backslash path", async () => {
+    await uploadFile(makeCtx(), tmpFile, "knowledge\\books-eoi.md");
+
+    const put = sentCommands.find((c) => c.name === "PutObjectCommand");
+    expect(put).toBeDefined();
+    expect(put!.input.Key).toBe("knowledge/books-eoi.md");
+  });
+
+  it("uploadSymlink stores a POSIX key when given a Windows-style backslash path", async () => {
+    await uploadSymlink(
+      makeCtx(),
+      "../knowledge-ridges/target.md",
+      "data\\boots-accounts.json",
+    );
+
+    const put = sentCommands.find((c) => c.name === "PutObjectCommand");
+    expect(put).toBeDefined();
+    expect(put!.input.Key).toBe("data/boots-accounts.json");
+  });
+});
+
 describe("uploadFile", () => {
   let tmpFile: string;
 

package/src/s3.ts

@@ -391,12 +391,35 @@ export async function primeUploads(
   await io.prime("put", putKeys);
 }
 
+/**
+ * Normalize an S3 object key to POSIX ("/") separators.
+ *
+ * S3 keys are always "/"-separated, and the vault listing reconstructs the
+ * folder tree by splitting keys on "/". A non-POSIX (Windows) sync client
+ * builds a key from `path.relative(...)`, whose separator is the native "\\";
+ * stored verbatim, a nested key like `knowledge\books-eoi.md` contains no "/"
+ * and the listing renders it flat at the vault root as one oddly-named file.
+ * Converting every "\\" to "/" makes the stored key POSIX regardless of the
+ * client OS.
+ *
+ * Mirrors the prefix guard in hq-pro files-acl (`FORBIDDEN_CHARS = /[?#\\[\]]/`,
+ * which already rejects "\\" on browse/grant prefixes). Uploads go direct to
+ * S3 via vended STS creds, so the server never re-validates the uploaded key —
+ * the upload primitives (uploadFile / uploadSymlink) are the only shared choke
+ * point, and they call this so a backslash key can never be stored again.
+ */
+export function toPosixKey(key: string): string {
+  return key.split("\\").join("/");
+}
+
 export async function uploadFile(
   ctx: EntityContext,
   localPath: string,
   key: string,
   author?: UploadAuthor,
 ): Promise<{ etag: string }> {
+  // Boundary guardrail: never store a non-POSIX key (see toPosixKey).
+  key = toPosixKey(key);
   const io = resolveObjectIO(ctx);
   const body = fs.readFileSync(localPath);
 
@@ -459,6 +482,8 @@ export async function uploadSymlink(
   key: string,
   author?: UploadAuthor,
 ): Promise<{ etag: string }> {
+  // Boundary guardrail: never store a non-POSIX key (see toPosixKey).
+  key = toPosixKey(key);
   const io = resolveObjectIO(ctx);
   const symlinkBody = encodeSymlinkBody(target);
 

package/src/watcher.ts

@@ -16,7 +16,7 @@ import type { FSWatcher } from "chokidar";
 import type { EntityContext } from "./types.js";
 import { createIgnoreFilter, isWithinSizeLimit } from "./ignore.js";
 import { readJournal, writeJournal, hashFile, updateEntry } from "./journal.js";
-import { uploadFile, deleteRemoteFile } from "./s3.js";
+import { uploadFile, deleteRemoteFile, toPosixKey } from "./s3.js";
 import type { UploadAuthor } from "./s3.js";
 import { isPersonalVaultExcluded } from "./personal-vault-exclusions.js";
 import { PERSONAL_VAULT_EXCLUDED_TOP_LEVEL } from "./personal-vault.js";
@@ -259,7 +259,7 @@ export class SyncWatcher {
   }
 
   private queueChange(type: "add" | "change" | "unlink", absolutePath: string): void {
-    const relativePath = path.relative(this.hqRoot, absolutePath);
+    const relativePath = toPosixKey(path.relative(this.hqRoot, absolutePath));
 
     // Skip files that exceed size limit
     if (type !== "unlink" && !isWithinSizeLimit(absolutePath)) {