@indigoai-us/hq-cloud 6.10.1 → 6.11.0

package/src/cli/share.test.ts

@@ -3839,6 +3839,71 @@ describe("currency-gated: journal version 2 fixtures", () => {
       expect(litter).toEqual([]);
     });
 
+    // Efficiency follow-up to the directive lock above: a touched-but-identical
+    // file currently re-hashes on EVERY sync because the no-op skip never
+    // refreshes the journal's (mtimeMs, size). Re-stamp them on the skip so the
+    // NEXT sync short-circuits on lstat alone. Pure performance — still no
+    // upload, no conflict, no mirror.
+    it("re-stamps journal mtimeMs after a no-op skip so the next sync hits the fast-path", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(companyRoot, { recursive: true });
+      const testFile = path.join(companyRoot, "touched-then-fast.md");
+      fs.writeFileSync(testFile, "bytes that never change");
+      const originalLstat = fs.lstatSync(testFile);
+
+      const { hashFile } = await import("../journal.js");
+      const realHash = hashFile(testFile);
+      const journalPath = path.join(stateDir, "sync-journal.acme.json");
+      fs.writeFileSync(
+        journalPath,
+        JSON.stringify({
+          version: "2",
+          lastSync: new Date().toISOString(),
+          files: {
+            "touched-then-fast.md": {
+              hash: realHash,
+              size: originalLstat.size,
+              mtimeMs: originalLstat.mtimeMs,
+              syncedAt: new Date().toISOString(),
+              direction: "up",
+            },
+          },
+          pulls: [],
+        }),
+      );
+
+      // Bump mtime — fast-path misses, hash runs, hash matches → no-op skip.
+      const futureTime = new Date(Date.now() + 120_000);
+      fs.utimesSync(testFile, futureTime, futureTime);
+      const bumpedLstat = fs.lstatSync(testFile);
+      expect(bumpedLstat.mtimeMs).not.toBe(originalLstat.mtimeMs);
+
+      const result = await share({
+        paths: [testFile],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        skipUnchanged: true,
+      });
+
+      // Still a pure skip — never an upload or conflict.
+      expect(result.filesUploaded).toBe(0);
+      expect(result.filesSkipped).toBe(1);
+      expect(uploadFile).not.toHaveBeenCalled();
+
+      // Journal mtimeMs is now the BUMPED value (not the stale original), so the
+      // next sync's lstat fast-path matches and skips without re-hashing.
+      const journalAfter = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+      expect(journalAfter.files["touched-then-fast.md"].mtimeMs).toBe(
+        bumpedLstat.mtimeMs,
+      );
+      expect(journalAfter.files["touched-then-fast.md"].size).toBe(
+        bumpedLstat.size,
+      );
+      // Content hash untouched — the file genuinely didn't change.
+      expect(journalAfter.files["touched-then-fast.md"].hash).toBe(realHash);
+    });
+
     it("stamps mtimeMs on the journal entry after a successful upload", async () => {
       const companyRoot = path.join(tmpDir, "companies", "acme");
       fs.mkdirSync(companyRoot, { recursive: true });

package/src/cli/share.ts

@@ -288,6 +288,13 @@ type PushPlanItem =
       action: "skip-unchanged";
       absolutePath: string;
       relativePath: string;
+      // Present only when the lstat fast-path MISSED but the re-hash confirmed
+      // the bytes are unchanged (a touched-but-identical file, or a pre-5.36
+      // entry with no mtimeMs). Carries the current (mtimeMs, size) so the
+      // apply loop can refresh the journal entry — otherwise the fast-path
+      // keeps missing and re-hashes the file on every future sync. No content
+      // change: this never uploads or conflicts.
+      restamp?: { mtimeMs: number; size: number };
     };
 
 interface PushPlan {
@@ -394,7 +401,27 @@ function computePushPlan(
     if (skipUnchanged) {
       const existing = journal.files[relativePath];
       if (existing && existing.hash === localHash) {
-        items.push({ action: "skip-unchanged", absolutePath, relativePath });
+        // Reaching here means the fast-path did NOT short-circuit (mtime or
+        // size moved, or the entry predates mtimeMs) yet the re-hash proved the
+        // bytes are unchanged — a no-op skip. Capture the current (mtimeMs,
+        // size) so the apply loop refreshes the journal; without it the
+        // fast-path keeps missing and re-hashes this file on every sync. Only
+        // attach when the stored stat actually differs (avoid a needless
+        // journal write on an already-current entry). Stat failure → no
+        // restamp; the skip still stands.
+        let restamp: { mtimeMs: number; size: number } | undefined;
+        try {
+          const lstat = fs.lstatSync(absolutePath);
+          if (
+            lstat.isFile() &&
+            (existing.mtimeMs !== lstat.mtimeMs || existing.size !== lstat.size)
+          ) {
+            restamp = { mtimeMs: lstat.mtimeMs, size: lstat.size };
+          }
+        } catch {
+          /* best-effort; a stat error just forgoes the fast-path refresh */
+        }
+        items.push({ action: "skip-unchanged", absolutePath, relativePath, restamp });
         continue;
       }
     }
@@ -1045,6 +1072,20 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       continue;
     }
     if (item.action === "skip-unchanged") {
+      // Refresh the journal's (mtimeMs, size) for a touched-but-identical file
+      // so the next sync's lstat fast-path matches and skips without re-hashing.
+      // Guarded on item.restamp (only set when the fast-path missed AND the
+      // stored stat actually differs) and on the entry still carrying a hash —
+      // never alters the content hash, so this stays a pure no-op skip. The
+      // journal is persisted unconditionally by writeJournal at the end of the
+      // run, so this survives even when nothing uploads.
+      if (item.restamp) {
+        const existing = journal.files[item.relativePath];
+        if (existing && existing.hash) {
+          existing.mtimeMs = item.restamp.mtimeMs;
+          existing.size = item.restamp.size;
+        }
+      }
       filesSkipped++;
       continue;
     }

package/src/cli/sync.test.ts

@@ -69,9 +69,25 @@ const mockVendResponse = {
   expiresAt: new Date(Date.now() + 15 * 60 * 1000).toISOString(),
 };
 
-function setupFetchMock() {
+function setupFetchMock(
+  opts: { tombstones?: Array<{ key: string; deletedAt: string }> } = {},
+) {
   const fetchMock = vi.fn().mockImplementation(async (url: string) => {
     const urlStr = String(url);
+    // FILE_TOMBSTONE read surface (delete-resync). Defaults to an empty list so
+    // every legacy test exercises the no-suppression path; tests that need
+    // suppression pass `{ tombstones }`.
+    if (urlStr.includes("/v1/files/tombstones")) {
+      return {
+        ok: true,
+        status: 200,
+        json: async () => ({
+          companyUid: mockEntity.uid,
+          tombstones: opts.tombstones ?? [],
+        }),
+        text: async () => "",
+      };
+    }
     // New per-user-namespace slug resolver (hq-pro PR 67). Returns the
     // mockEntity's uid as the in-namespace match; the caller then
     // re-fetches it via `/entity/{uid}`, which is matched by the
@@ -1049,6 +1065,230 @@ describe("sync", () => {
     expect(journal.files["docs/really-deleted.md"]).toBeUndefined();
   });
 
+  // ── delete-resync: FILE_TOMBSTONE suppression (issue [6]) ──────────────────
+  // These four cover the brief's regression contract: a scoped-delete tombstone
+  // makes a delete STICK across a pull even when the object is still in the
+  // remote LIST (a peer re-pushed it / the delete-marker hasn't propagated),
+  // while a genuine re-create still syncs and a post-tombstone local edit is
+  // never silently destroyed.
+
+  it("delete-resync: a tombstoned key present in the remote LIST is removed locally and NOT re-downloaded", async () => {
+    // The core stays-deleted assertion. A peer ran `hq files delete docs/` (the
+    // scoped-delete path), which wrote a FILE_TOMBSTONE. This machine still
+    // holds the file and the object is still visible in the remote LIST (a peer
+    // re-push, or an un-propagated delete-marker). Pre-fix the planner saw
+    // "remote present, local present, unchanged" and KEPT it; worse, on a fresh
+    // machine "remote present, local absent" re-DOWNLOADED it — the resurrection
+    // loop. Now the FILE_TOMBSTONE (newer than the remote object) is
+    // authoritative: delete locally, drop the journal entry, never download.
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+    const sharedPath = path.join(companyRoot, "docs", "shared.md");
+    fs.writeFileSync(sharedPath, "shared content");
+    const crypto = await import("node:crypto");
+    const baseline = crypto
+      .createHash("sha256")
+      .update("shared content")
+      .digest("hex");
+    const now = Date.now();
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "1",
+        lastSync: new Date(now - 120_000).toISOString(),
+        files: {
+          "docs/shared.md": {
+            hash: baseline,
+            size: 14,
+            syncedAt: new Date(now - 120_000).toISOString(),
+            direction: "down",
+            remoteEtag: "remote-old",
+          },
+        },
+      }),
+    );
+    // Remote object is the STALE deleted version: lastModified BEFORE the
+    // tombstone, still present in the LIST.
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: "docs/shared.md",
+        size: 14,
+        lastModified: new Date(now - 60_000),
+        etag: '"remote-old"',
+      },
+    ]);
+    // FILE_TOMBSTONE deleted AFTER the remote object's lastModified.
+    setupFetchMock({
+      tombstones: [
+        { key: "docs/shared.md", deletedAt: new Date(now).toISOString() },
+      ],
+    });
+
+    const result = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    // Stays deleted locally …
+    expect(fs.existsSync(sharedPath)).toBe(false);
+    // … and was NEVER re-downloaded (no download, no conflict-probe download).
+    expect(s3Module.downloadFile).not.toHaveBeenCalled();
+    expect(result.filesDownloaded).toBe(0);
+    expect(result.filesTombstoned).toBeGreaterThanOrEqual(1);
+    // Journal entry dropped so it converges (no re-tombstone next run).
+    const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+    expect(journal.files["docs/shared.md"]).toBeUndefined();
+  });
+
+  it("delete-resync: a re-created object NEWER than the tombstone DOES sync (tombstone is not permanent)", async () => {
+    // The tombstone must not permanently suppress a key. After a delete, a user
+    // writes a brand-new object at the same path; its lastModified post-dates
+    // the tombstone, so it is a genuine re-create and must download normally.
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+    const recreatedPath = path.join(companyRoot, "docs", "recreated.md");
+    const now = Date.now();
+    // Empty journal + absent local: the file was deleted earlier; this is a
+    // fresh re-create arriving from the vault.
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({ version: "1", lastSync: new Date(now).toISOString(), files: {} }),
+    );
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: "docs/recreated.md",
+        size: 17,
+        lastModified: new Date(now), // newer than the tombstone below
+        etag: '"remote-new"',
+      },
+    ]);
+    setupFetchMock({
+      tombstones: [
+        {
+          key: "docs/recreated.md",
+          deletedAt: new Date(now - 3_600_000).toISOString(), // an hour ago
+        },
+      ],
+    });
+
+    const result = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    // Re-create wins: downloaded, present locally, not tombstoned.
+    expect(s3Module.downloadFile).toHaveBeenCalled();
+    expect(fs.existsSync(recreatedPath)).toBe(true);
+    expect(result.filesDownloaded).toBeGreaterThanOrEqual(1);
+    expect(result.filesTombstoned).toBe(0);
+  });
+
+  it("delete-resync: a local edit made after the tombstone surfaces a CONFLICT, not a silent delete", async () => {
+    // Safety guard: the authoritative delete must never destroy unsynced local
+    // work. This machine edited the file locally (diverged from the synced
+    // baseline) and only then learned of the tombstone — surface a conflict and
+    // PRESERVE local, rather than unlinking it.
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+    const editedPath = path.join(companyRoot, "docs", "edited.md");
+    fs.writeFileSync(editedPath, "my local edits");
+    const crypto = await import("node:crypto");
+    const baseline = crypto
+      .createHash("sha256")
+      .update("original synced content")
+      .digest("hex");
+    const now = Date.now();
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "1",
+        lastSync: new Date(now - 120_000).toISOString(),
+        files: {
+          "docs/edited.md": {
+            hash: baseline, // local has since diverged → localChanged
+            size: 23,
+            syncedAt: new Date(now - 120_000).toISOString(),
+            direction: "down",
+            remoteEtag: "remote-old",
+          },
+        },
+      }),
+    );
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: "docs/edited.md",
+        size: 23,
+        lastModified: new Date(now - 60_000),
+        etag: '"remote-old"',
+      },
+    ]);
+    setupFetchMock({
+      tombstones: [
+        { key: "docs/edited.md", deletedAt: new Date(now).toISOString() },
+      ],
+    });
+
+    const result = await sync({
+      company: "acme",
+      onConflict: "keep",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    // Conflict surfaced; local edits preserved; nothing tombstoned away.
+    expect(result.conflicts).toBeGreaterThanOrEqual(1);
+    expect(result.conflictPaths).toContain("docs/edited.md");
+    expect(fs.existsSync(editedPath)).toBe(true);
+    expect(fs.readFileSync(editedPath, "utf-8")).toBe("my local edits");
+    expect(result.filesTombstoned).toBe(0);
+  });
+
+  it("delete-resync: suppression is per-key and the fetch is company-scoped (no cross-tenant bleed)", async () => {
+    // Two guards in one: (a) a tombstone for `docs/a.md` must NOT suppress a
+    // different key `docs/b.md` — suppression is keyed exactly; (b) the
+    // tombstone fetch is scoped to the ACTIVE company's uid, so a sync for one
+    // company never consults another company's tombstones (the client half of
+    // the cross-tenant isolation the server enforces via the
+    // FILE_TOMBSTONE#<companyUid># begins_with query).
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+    const now = Date.now();
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({ version: "1", lastSync: new Date(now).toISOString(), files: {} }),
+    );
+    // a.md = stale tombstoned version (suppressed); b.md = a normal new file.
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      { key: "docs/a.md", size: 10, lastModified: new Date(now - 60_000), etag: '"a-old"' },
+      { key: "docs/b.md", size: 10, lastModified: new Date(now), etag: '"b-new"' },
+    ]);
+    const fetchMock = setupFetchMock({
+      tombstones: [
+        { key: "docs/a.md", deletedAt: new Date(now).toISOString() },
+      ],
+    });
+
+    const result = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    // a.md suppressed (never downloaded); b.md downloaded normally.
+    expect(fs.existsSync(path.join(companyRoot, "docs", "a.md"))).toBe(false);
+    expect(fs.existsSync(path.join(companyRoot, "docs", "b.md"))).toBe(true);
+    expect(result.filesDownloaded).toBe(1);
+
+    // The tombstone read was scoped to THIS company's uid.
+    const tombstoneCall = fetchMock.mock.calls.find((c) =>
+      String(c[0]).includes("/v1/files/tombstones"),
+    );
+    expect(tombstoneCall).toBeDefined();
+    expect(String(tombstoneCall![0])).toContain(`company=${mockEntity.uid}`);
+  });
+
   it("does NOT tombstone keys when HEAD returns AccessDenied (Codex P1 — defensive STS skip)", async () => {
     // Same Codex P1, AccessDenied branch: a guest STS session may deny
     // both LIST and HEAD on out-of-scope keys. The tombstone planner