@indigoai-us/hq-cloud 5.48.4 → 6.0.1

package/dist/cli/share.test.js

@@ -898,6 +898,112 @@ describe("share", () => {
         const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
         expect(journal.files["dangling-link.md"]).toBeDefined();
     });
+    it("personal-vault override: `owned-only` is coerced to `currency-gated` so a direction:'down' " +
+        "entry whose local file is gone DOES tombstone in the vault (the May-27 .drift-* leak class)", async () => {
+        // The personal vault is a single-human-many-machines target. The
+        // owned-only "I won't tombstone peer content" rule has no peer to
+        // protect against, so it traps legitimate local deletes as permanent
+        // vault litter — exactly what the May-27 `personal/.obsidian/*.drift-*`
+        // pair did on this EC2 (journal direction "down", local rm, push
+        // silently swallowed the delete). Coercing to currency-gated keeps the
+        // only safety intent that still applies (HEAD-verify etag matches the
+        // journal before tombstone) without the multi-user premise.
+        const stateDirPersonal = fs.mkdtempSync(path.join(os.tmpdir(), "hq-state-prs-"));
+        process.env.HQ_STATE_DIR = stateDirPersonal;
+        try {
+            // Personal-vault syncRoot is `hqRoot` itself in personalMode, so the
+            // missing file's absolute path resolves to <hqRoot>/<key>.
+            // No on-disk file = local missing. Journal records a prior pull.
+            const journalPath = path.join(stateDirPersonal, "sync-journal.__hq_personal_vault__.json");
+            fs.writeFileSync(journalPath, JSON.stringify({
+                version: "1",
+                lastSync: new Date().toISOString(),
+                files: {
+                    "personal/scripts/run-project.sh.drift-1779863862-42519": {
+                        hash: "personal-vault-drift-hash",
+                        size: 1054,
+                        syncedAt: new Date(Date.now() - 86400000).toISOString(),
+                        direction: "down",
+                        remoteEtag: "personal-vault-drift-etag",
+                    },
+                },
+            }));
+            // Currency-gated HEADs the candidate; return an etag matching the
+            // journal so the entry resolves as "remote still current → safe to
+            // tombstone."
+            vi.mocked(headRemoteFile).mockResolvedValueOnce({
+                lastModified: new Date(),
+                etag: '"personal-vault-drift-etag"',
+                size: 1054,
+            });
+            const personalCtx = makeEntityContext({
+                uid: "prs_01HASSAANTESTUSER",
+                slug: "__hq_personal_vault__",
+                bucketName: "hq-vault-prs-01HASSAANTESTUSER",
+            });
+            const result = await share({
+                paths: [tmpDir],
+                entityContext: personalCtx,
+                hqRoot: tmpDir,
+                personalMode: true,
+                skipUnchanged: true,
+                propagateDeletes: true,
+                // Caller pinned owned-only. The override MUST take precedence on a
+                // personal-vault entity — the whole point of the fix is that owned-
+                // only's "don't tombstone peer-uploaded content" rule has no peer
+                // to protect against here, so we coerce to currency-gated.
+                propagateDeletePolicy: "owned-only",
+            });
+            expect(result.filesDeleted).toBe(1);
+            expect(deleteRemoteFile).toHaveBeenCalledWith(expect.anything(), "personal/scripts/run-project.sh.drift-1779863862-42519");
+            const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+            expect(journal.files["personal/scripts/run-project.sh.drift-1779863862-42519"]).toBeUndefined();
+        }
+        finally {
+            fs.rmSync(stateDirPersonal, { recursive: true, force: true });
+            delete process.env.HQ_STATE_DIR;
+        }
+    });
+    it("personal-vault override does NOT apply to company vaults: `owned-only` on cmp_ entity still " +
+        "refuses to tombstone a direction:'down' entry (multi-user curation intact)", async () => {
+        // Sibling guard for the previous test: the override is scoped strictly
+        // to `prs_` entities. Company vaults preserve owned-only's multi-user
+        // semantics — a behind machine pulling Alice's upload, then rm'ing it
+        // locally, must NOT tombstone Alice's file. Without this guard the
+        // override could silently widen its blast radius the next time someone
+        // refactors share()'s entity-typing.
+        const companyRoot = path.join(tmpDir, "companies", "acme");
+        fs.mkdirSync(companyRoot, { recursive: true });
+        // No file on disk under companies/acme/peer-uploaded.md → local missing.
+        const journalPath = path.join(stateDir, "sync-journal.acme.json");
+        fs.writeFileSync(journalPath, JSON.stringify({
+            version: "1",
+            lastSync: new Date().toISOString(),
+            files: {
+                "peer-uploaded.md": {
+                    hash: "alice-hash",
+                    size: 100,
+                    syncedAt: new Date(Date.now() - 86400000).toISOString(),
+                    direction: "down",
+                    remoteEtag: "alice-etag",
+                },
+            },
+        }));
+        const result = await share({
+            paths: [companyRoot],
+            company: "acme",
+            vaultConfig: mockConfig,
+            hqRoot: tmpDir,
+            skipUnchanged: true,
+            propagateDeletes: true,
+            // Company-vault entity (cmp_) → owned-only stays in effect.
+            propagateDeletePolicy: "owned-only",
+        });
+        expect(result.filesDeleted).toBe(0);
+        expect(deleteRemoteFile).not.toHaveBeenCalled();
+        const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+        expect(journal.files["peer-uploaded.md"]).toBeDefined();
+    });
     it("propagateDeletes: deletes journal-tracked files whose local copy is gone", async () => {
         const companyRoot = path.join(tmpDir, "companies", "acme");
         fs.mkdirSync(companyRoot, { recursive: true });
@@ -1899,7 +2005,7 @@ describe("share", () => {
         // target's bytes under the link's key while a nested symlink was
         // silently dropped from every push. The link topology never survived a
         // round trip — fresh-machine pulls landed in a state where overlay
-        // symlinks just didn't exist until master-sync.sh recreated them
+        // symlinks just didn't exist until reindex.sh recreated them
         // locally. The fix detects symlinks via lstat / Dirent.isSymbolicLink
         // and routes them to a new uploadSymlink primitive that PUTs a
         // zero-byte object with x-amz-meta-hq-symlink-target carrying the
@@ -1933,7 +2039,7 @@ describe("share", () => {
             const realPolicy = path.join(policiesDir, "real.md");
             fs.writeFileSync(realPolicy, "real content");
             const linkPolicy = path.join(policiesDir, "link.md");
-            // Mirrors the master-sync.sh overlay shape: relative target pointing
+            // Mirrors the reindex.sh overlay shape: relative target pointing
             // to a sibling in the same dir.
             fs.symlinkSync("real.md", linkPolicy);
             const result = await share({