@indigoai-us/hq-cloud 6.11.0 → 6.11.2

package/src/cli/sync-scope.test.ts

@@ -190,6 +190,43 @@ describe("sync — scope-aware download (US-005)", () => {
     expect(result.filesOutOfScope).toBe(2);
   });
 
+  // FILE_TOMBSTONE fetch is COMPANY-scoped (GET /v1/files/tombstones?company=…).
+  // For the personal vault the target uid is a personUid (prs_…), which the
+  // server correctly 403s ("No active membership for caller in company prs_…"),
+  // spamming hq-pro's Sentry with a per-user no-membership cluster. The pull
+  // must SKIP the fetch for the personal target (delete-resync was never a
+  // committed personal-vault feature). Differential: company-mode fetches,
+  // personal-mode does not.
+  const hitTombstones = (m: ReturnType<typeof setupFetchMock>) =>
+    m.mock.calls.some((c: unknown[]) =>
+      String(c[0]).includes("/v1/files/tombstones"),
+    );
+
+  it("company-mode pull fetches FILE_TOMBSTONEs (baseline for the personal guard)", async () => {
+    const fetchMock = setupFetchMock();
+    await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      syncMode: "all",
+      prefixSet: [],
+    });
+    expect(hitTombstones(fetchMock)).toBe(true);
+  });
+
+  it("personal-vault pull SKIPS the company-scoped tombstone fetch (no 403 → no Sentry no-membership spam)", async () => {
+    const fetchMock = setupFetchMock();
+    await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      syncMode: "all",
+      prefixSet: [],
+      personalMode: true,
+    });
+    expect(hitTombstones(fetchMock)).toBe(false);
+  });
+
   it("is idempotent: a second shared pull downloads and removes nothing", async () => {
     const opts = {
       company: "acme",

package/src/cli/sync.ts

@@ -708,7 +708,24 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
   // a clean read of `ctx`; best-effort — a failed read degrades to an empty map
   // (no suppression), preserving the pre-fix behavior. ctx.uid is the verified
   // companyUid the tombstone rows are keyed under.
-  const tombstones = await fetchCompanyTombstones(vaultConfig, ctx.uid);
+  //
+  // SKIP for the personal vault: its `ctx.uid` is a personUid (`prs_…`), but
+  // `GET /v1/files/tombstones?company=…` is COMPANY-scoped server-side
+  // (findCallerWithMembership), so a personal-vault request resolves
+  // `company=prs_…` to no membership and is correctly rejected with
+  // `403 "No active membership for caller in company prs_…"`. That 403 is
+  // benign for the pull (it already degrades to the empty map below), but
+  // hq-pro captures EVERY one as a Sentry warning — the per-personal-vault
+  // no-membership cluster (one Sentry issue per signed-in user). Personal-vault
+  // delete-resync was never a committed feature and there is no person-scoped
+  // tombstone path, so for the personal target we skip the fetch and use an
+  // empty map — byte-for-byte the current degraded behavior, minus the 403 spam.
+  // FUTURE FOLLOW-UP (not built here): if personal-vault delete-resync is
+  // wanted, it needs a real person-scoped tombstone endpoint + client read.
+  const tombstones =
+    options.personalMode === true
+      ? new Map<string, CompanyTombstone>()
+      : await fetchCompanyTombstones(vaultConfig, ctx.uid);
 
   // Stage 1: classify every remote file against the journal + local disk.
   // Hashing happens here (not in the transfer loop) so the plan event below

package/src/sync/pull-scope.ts

@@ -82,6 +82,20 @@ export async function resolvePullScope(
     const memberships = await client.listMyMemberships();
     const m = memberships.find((x) => x.companyUid === companyUid);
     if (!m) return { syncMode: "all" };
+    // Agent memberships (`agt_…#cmp_…`) belong to an agent identity that owns NO
+    // person entity. hq-pro's per-membership sync-config endpoint sits behind an
+    // up-front person-gate, so an agent caller is rejected with
+    // `403 "Caller has no person entity — call POST /entity with type=person
+    // first"` BEFORE the route's own ownership check ever runs — captured
+    // server-side as the Sentry warning HQ-1R (one event per agent sync pass).
+    // Agents never set a scoped sync-config (that is a human-only menubar
+    // action) and a failed/absent config already degrades to `all` here, so the
+    // call is guaranteed to 403 and change nothing. Skip it for agent
+    // memberships and resolve `all` directly — behavior-preserving, minus the
+    // 403 spam. (A server-side alternative would be to exempt sync-config from
+    // the up-front person-gate and let its own `authorizeSyncConfigAccess`
+    // handle agent ownership; tracked as a possible follow-up.)
+    if (m.membershipKey?.startsWith("agt_")) return { syncMode: "all" };
     const cfg = await client.getMembershipSyncConfig(m.membershipKey);
     if (cfg.syncMode === "all") return { syncMode: "all" };