@indigoai-us/hq-cloud 6.11.10 → 6.11.12

package/src/cli/rescue-core.ts

@@ -813,7 +813,7 @@ function doRescue(
   // Actions run in classification (walk) order — the same order the old
   // interleaved walk mutated in — so per-file output and on-disk results are
   // unchanged versus before the two-phase split.
-  for (const act of ctx.actions) act();
+  applyClassifiedActions(ctx, backupDir);
 
   // --- Back up preserve-subpaths to a mktemp shuttle ---
   const shuttle = path.join(tmpdir, "preserve");
@@ -869,6 +869,16 @@ function doRescue(
     }
   }
 
+  // --- Restore executable bit on shipped shebang scripts (defense-in-depth) ---
+  // rsync -a already propagated each file's upstream git tree mode; this guards
+  // the case where upstream itself committed an executable script as 0644 -- a
+  // hook the runtime exec's then dies with EACCES and is silently disabled. A
+  // shebang is an unambiguous "meant to be run" marker. See restoreShebangExecBits.
+  const execBitFixes = restoreShebangExecBits(srcDir, hqRoot, env);
+  if (execBitFixes > 0) {
+    out(`==> Restored executable bit on ${execBitFixes} shipped shebang script(s) lacking +x\n`);
+  }
+
   // --- Stamp sync-point provenance into core/core.yaml ---
   // `last_sync_at` = the source commit's committer time, NOT wall-clock now:
   // the stamp must be a pure function of srcSha so every machine rescuing the
@@ -1085,7 +1095,7 @@ interface WalkCtx {
   // fail-safe — a throw mid-classify aborts before a single file is mutated, so
   // the wipe is never left half-applied (DEV-1767). Dry-run never fills this (it
   // returns after classification), so live + dry-run share one classify path.
-  actions: Array<() => void>;
+  actions: RescueAction[];
   counts: {
     userOnly: number;
     unchanged: number;
@@ -1102,6 +1112,157 @@ interface WalkCtx {
   out: (s: string) => void;
 }
 
+interface RescueAction {
+  label: string;
+  affectedRels: string[];
+  run: () => void;
+}
+
+function queueAction(
+  ctx: WalkCtx,
+  label: string,
+  affectedRels: string[],
+  runAction: () => void,
+): void {
+  ctx.actions.push({ label, affectedRels, run: runAction });
+}
+
+function applyClassifiedActions(ctx: WalkCtx, backupDir: string): void {
+  const completed: RescueAction[] = [];
+  for (const action of ctx.actions) {
+    try {
+      action.run();
+      completed.push(action);
+    } catch (err) {
+      const restored = rollbackCompletedActions(ctx, completed, backupDir);
+      const manifest = writeApplyFailureManifest(
+        ctx,
+        backupDir,
+        action,
+        completed,
+        restored,
+        err,
+      );
+      ctx.out("\n");
+      ctx.out(`error: rescue apply failed during '${action.label}'.\n`);
+      if (restored.length > 0) {
+        ctx.out(`==> Rolled back ${restored.length} prior action path(s) from the safety snapshot.\n`);
+      }
+      if (manifest) {
+        ctx.out(`==> Recovery manifest: ${manifest}\n`);
+      }
+      throw err;
+    }
+  }
+}
+
+function rollbackCompletedActions(
+  ctx: WalkCtx,
+  completed: RescueAction[],
+  backupDir: string,
+): string[] {
+  if (!backupDir || !isDir(backupDir)) return [];
+
+  const rels: string[] = [];
+  const seen = new Set<string>();
+  for (let i = completed.length - 1; i >= 0; i--) {
+    const action = completed[i];
+    for (let j = action.affectedRels.length - 1; j >= 0; j--) {
+      const rel = action.affectedRels[j];
+      if (rel && !seen.has(rel)) {
+        seen.add(rel);
+        rels.push(rel);
+      }
+    }
+  }
+
+  const restored: string[] = [];
+  for (const rel of rels) {
+    const snapshotPath = path.join(backupDir, rel);
+    if (!lexists(snapshotPath)) continue;
+    const dest = path.join(ctx.hqRoot, rel);
+    try {
+      fs.mkdirSync(path.dirname(dest), { recursive: true });
+      fs.rmSync(dest, { recursive: true, force: true });
+      cpATo(snapshotPath, dest);
+      restored.push(rel);
+    } catch {
+      // Recovery manifest below records any path that could not be restored.
+    }
+  }
+  return restored;
+}
+
+function writeApplyFailureManifest(
+  ctx: WalkCtx,
+  backupDir: string,
+  failedAction: RescueAction,
+  completed: RescueAction[],
+  restored: string[],
+  err: unknown,
+): string | null {
+  const message = err instanceof Error ? err.message : String(err);
+  const completedLines =
+    completed.length === 0
+      ? ["  (none)"]
+      : completed.map((action) => {
+          const paths = action.affectedRels.length > 0 ? action.affectedRels.join(", ") : "(no filesystem path)";
+          return `  - ${action.label}: ${paths}`;
+        });
+  const restoredSet = new Set(restored);
+  const unrestored = completed
+    .flatMap((action) => action.affectedRels)
+    .filter((rel, idx, arr) => rel && arr.indexOf(rel) === idx && !restoredSet.has(rel));
+
+  const lines: string[] = [];
+  lines.push("# HQ rescue apply recovery", "");
+  lines.push(`Created: ${ctx.runTs}`);
+  lines.push(`HQ root: ${ctx.hqRoot}`);
+  lines.push(`Source: ${ctx.cfg.sourceRepo}@${ctx.cfg.ref} (${ctx.srcSha})`);
+  lines.push(`Failed action: ${failedAction.label}`);
+  lines.push(`Error: ${message}`);
+  lines.push("");
+  lines.push("## Completed Before Failure");
+  lines.push(...completedLines);
+  lines.push("");
+  lines.push("## Failed Action Paths");
+  if (failedAction.affectedRels.length > 0) {
+    for (const rel of failedAction.affectedRels) lines.push(`  - ${rel}`);
+  } else {
+    lines.push("  (no filesystem path)");
+  }
+  lines.push("");
+  lines.push("## Rollback");
+  if (restored.length > 0) {
+    lines.push("Restored from the pre-op safety snapshot:");
+    for (const rel of restored) lines.push(`  - ${rel}`);
+  } else {
+    lines.push("No completed action paths were restored automatically.");
+  }
+  if (unrestored.length > 0) {
+    lines.push("", "Completed action paths still requiring review:");
+    for (const rel of unrestored) lines.push(`  - ${rel}`);
+  }
+  if (backupDir && isDir(backupDir)) {
+    lines.push("");
+    lines.push("Manual restore examples:");
+    lines.push(`  cp "${backupDir}/<relpath>" "${ctx.hqRoot}/<relpath>"`);
+    lines.push(`  rsync -a "${backupDir}/" "${ctx.hqRoot}/"`);
+  } else {
+    lines.push("", "No pre-op safety snapshot was available for automatic restore.");
+  }
+
+  const manifestDir = path.join(ctx.hqRoot, ".hq", "rescue-recovery");
+  const manifestPath = path.join(manifestDir, `rescue-apply-failure-${ctx.runTs}.md`);
+  try {
+    fs.mkdirSync(manifestDir, { recursive: true });
+    fs.writeFileSync(manifestPath, lines.join("\n") + "\n");
+    return manifestPath;
+  } catch {
+    return null;
+  }
+}
+
 // --- Rescue-target mapping ---
 function mapRescueTarget(rel: string): string {
   if (rel === ".claude/CLAUDE.md") return "personal/CLAUDE.md";
@@ -1269,6 +1430,83 @@ function diffAppendClaudeMd(ctx: WalkCtx): void {
   ctx.counts.claudeDiffAppend += 1;
 }
 
+/**
+ * Defense-in-depth for executable scaffold scripts. `rescue` rebuilds the tree
+ * with `git clone` + `rsync -a`, faithfully propagating each file's git tree
+ * mode (100755 vs 100644). So a script accidentally committed upstream WITHOUT
+ * its executable bit (e.g. a `.claude/hooks/*.sh` checked in as 100644) is
+ * delivered non-executable to every machine, and a hook the runtime exec's
+ * directly then fails with EACCES ("Permission denied") and is silently
+ * disabled.
+ *
+ * A `#!` shebang is an unambiguous "this file is meant to be run" marker, so
+ * after the overlay we ensure every shipped shebang script is executable,
+ * regardless of the (possibly wrong) upstream mode bit. Execute is added only
+ * where read is already granted (0644 -> 0755, 0640 -> 0750), mirroring the
+ * umask convention; files that already carry any exec bit, non-files, and
+ * symlinks are left untouched. Paths are enumerated from the SOURCE repo's git
+ * index, so this only ever touches release-shipped scaffold -- never user
+ * content the rescue leaves in place.
+ *
+ * Best-effort and non-fatal: a failed `git ls-files` or chmod (read-only FS,
+ * EPERM) is swallowed, matching the rest of rescue's posture. Returns the count
+ * of files whose mode was changed, for the run summary.
+ */
+function restoreShebangExecBits(
+  srcDir: string,
+  hqRoot: string,
+  env: NodeJS.ProcessEnv,
+): number {
+  let listing: string;
+  try {
+    const r = spawnSync("git", ["-C", srcDir, "ls-files", "-z"], {
+      encoding: "utf-8",
+      env,
+      maxBuffer: 128 * 1024 * 1024,
+    });
+    if (r.status !== 0 || typeof r.stdout !== "string") return 0;
+    listing = r.stdout;
+  } catch {
+    return 0;
+  }
+  let fixed = 0;
+  for (const rel of listing.split("\0")) {
+    if (!rel) continue;
+    const dest = path.join(hqRoot, rel);
+    let st: fs.Stats;
+    try {
+      st = fs.lstatSync(dest);
+    } catch {
+      continue; // not delivered here (preserve-excluded, ignored, narrowed out)
+    }
+    if (!st.isFile()) continue; // skip dirs and symlinks (lstat: a link is not a file)
+    if ((st.mode & 0o111) !== 0) continue; // already executable
+    // Sniff the first two bytes for a shebang.
+    let head = "";
+    try {
+      const fd = fs.openSync(dest, "r");
+      try {
+        const buf = Buffer.alloc(2);
+        const n = fs.readSync(fd, buf, 0, 2, 0);
+        head = buf.subarray(0, n).toString("latin1");
+      } finally {
+        fs.closeSync(fd);
+      }
+    } catch {
+      continue;
+    }
+    if (head !== "#!") continue;
+    const execBits = (st.mode & 0o444) >> 2; // copy r-bits into the x-bit slots
+    try {
+      fs.chmodSync(dest, st.mode | execBits);
+      fixed += 1;
+    } catch {
+      // read-only FS / EPERM -- non-fatal.
+    }
+  }
+  return fixed;
+}
+
 function readFileOrEmpty(p: string): string {
   try {
     return fs.readFileSync(p, "utf-8");
@@ -1344,7 +1582,9 @@ function processOne(ctx: WalkCtx, rel: string): void {
     if (cfg.dryRun) {
       ctx.out(`    drop conflict artifact: ${rel}\n`);
     } else {
-      ctx.actions.push(() => fs.rmSync(localPath, { force: true }));
+      queueAction(ctx, `drop conflict artifact: ${rel}`, [rel], () =>
+        fs.rmSync(localPath, { force: true }),
+      );
     }
     return;
   }
@@ -1354,7 +1594,9 @@ function processOne(ctx: WalkCtx, rel: string): void {
     if (cfg.dryRun) {
       ctx.out(`    skip script-managed (rewrites at stamp step): ${rel}\n`);
     } else {
-      ctx.actions.push(() => fs.rmSync(localPath, { force: true }));
+      queueAction(ctx, `drop script-managed: ${rel}`, [rel], () =>
+        fs.rmSync(localPath, { force: true }),
+      );
     }
     return;
   }
@@ -1373,7 +1615,7 @@ function processOne(ctx: WalkCtx, rel: string): void {
         }
         ctx.out(`    drop reindex symlink: ${rel}  ->  ${tgt}\n`);
       } else {
-        ctx.actions.push(() => {
+        queueAction(ctx, `drop reindex symlink: ${rel}`, [rel], () => {
           fs.rmSync(localPath, { force: true });
           ctx.appendLog(`symlink-dropped\t${rel}\t(reindex regenerable)\n`);
         });
@@ -1443,7 +1685,7 @@ function processOne(ctx: WalkCtx, rel: string): void {
         `    cloud-symlink reconciled (unchanged): ${rel}  (hq-symlink: marker matches upstream target)\n`,
       );
     } else {
-      ctx.actions.push(() => {
+      queueAction(ctx, `cloud-symlink reconciled: ${rel}`, [rel], () => {
         fs.rmSync(localPath, { force: true });
         ctx.appendLog(
           `cloud-symlink-reconciled\t${rel}\t(hq-symlink: marker matches upstream target; overlay re-lays symlink)\n`,
@@ -1459,7 +1701,7 @@ function processOne(ctx: WalkCtx, rel: string): void {
     if (cfg.dryRun) {
       ctx.out(`    drift reconciled (identical to upstream HEAD; no rescue): ${rel}\n`);
     } else {
-      ctx.actions.push(() => {
+      queueAction(ctx, `drift reconciled: ${rel}`, [rel], () => {
         fs.rmSync(localPath, { force: true });
         ctx.appendLog(
           `drift-reconciled\t${rel}\t(identical to upstream HEAD; drifted from floor only — no personal/ copy)\n`,
@@ -1486,17 +1728,21 @@ function processOne(ctx: WalkCtx, rel: string): void {
       }
     } else {
       if (rel === ".claude/CLAUDE.md") {
-        ctx.actions.push(() => rescueOne(ctx, rel));
+        queueAction(ctx, `rescue diff-append: ${rel}`, [rel], () =>
+          rescueOne(ctx, rel),
+        );
       } else if (isOverwriteSafe(rel)) {
-        ctx.actions.push(() => {
+        queueAction(ctx, `overwrite-safe: ${rel}`, [rel], () => {
           fs.rmSync(localPath, { force: true });
           ctx.counts.userOverwrite += 1;
           ctx.appendLog(`overwritten\t${rel}\t(overwrite-safe; upstream wins, no copy preserved)\n`);
         });
       } else if (isConflictClass(rel)) {
-        ctx.actions.push(() => conflictOne(ctx, rel));
+        queueAction(ctx, `conflict quarantine: ${rel}`, [rel], () =>
+          conflictOne(ctx, rel),
+        );
       } else {
-        ctx.actions.push(() => rescueOne(ctx, rel));
+        queueAction(ctx, `rescue: ${rel}`, [rel], () => rescueOne(ctx, rel));
       }
     }
   } else {
@@ -1506,7 +1752,7 @@ function processOne(ctx: WalkCtx, rel: string): void {
       if (cfg.dryRun) {
         ctx.out(`    unchanged (preserved in place): ${rel}\n`);
       } else {
-        ctx.actions.push(() => {
+        queueAction(ctx, `preserve unchanged: ${rel}`, [], () => {
           fs.appendFileSync(ctx.unchangedList, `/${rel}\n`);
           ctx.appendLog(`unchanged\t${rel}\t(identical to upstream; left in place, mtime preserved)\n`);
         });
@@ -1515,7 +1761,7 @@ function processOne(ctx: WalkCtx, rel: string): void {
       if (cfg.dryRun) {
         ctx.out(`    unchanged (delete + replace): ${rel}\n`);
       } else {
-        ctx.actions.push(() => {
+        queueAction(ctx, `delete unchanged: ${rel}`, [rel], () => {
           fs.rmSync(localPath, { force: true });
           ctx.appendLog(`deleted\t${rel}\t(unchanged vs baseline; re-laid by overlay if still upstream)\n`);
         });
@@ -1640,7 +1886,7 @@ function walkAndProcess(ctx: WalkCtx, rootRel: string): void {
     if (cfg.dryRun) {
       ctx.out("    wholesale-replace: companies/_template (template carve-out)\n");
     } else {
-      ctx.actions.push(() =>
+      queueAction(ctx, "wholesale-replace: companies/_template", [rootRel], () =>
         fs.rmSync(path.join(ctx.hqRoot, "companies", "_template"), {
           recursive: true,
           force: true,
@@ -1665,7 +1911,7 @@ function walkAndProcess(ctx: WalkCtx, rootRel: string): void {
         }
         ctx.out(`    drop reindex symlink: ${rootRel}  ->  ${tgt}\n`);
       } else {
-        ctx.actions.push(() => {
+        queueAction(ctx, `drop reindex symlink: ${rootRel}`, [rootRel], () => {
           fs.rmSync(rootAbs, { force: true });
           ctx.appendLog(`symlink-dropped\t${rootRel}\t(reindex regenerable)\n`);
         });

package/src/cli/rescue-exec-bit-preserve.test.ts

@@ -0,0 +1,187 @@
+/**
+ * Regression for the rescue executable-bit guarantee in src/cli/rescue-core.ts
+ * (restoreShebangExecBits).
+ *
+ * rescue rebuilds the tree with `git clone` + `rsync -a`, which faithfully
+ * propagates the upstream git tree mode. So a script committed upstream WITHOUT
+ * its executable bit (a `.sh` checked in as 100644) is delivered non-executable
+ * to every machine -- and a hook the runtime exec's directly then fails with
+ * "Permission denied". After the overlay, rescue restores +x on any shipped
+ * file that begins with a `#!` shebang (and leaves non-shebang files alone).
+ *
+ * Mirrors rescue-mtime-preserve.test.ts: shim `git clone` to a local fixture
+ * and run the real rescue (non-dry-run, --no-backup) so the overlay lays files
+ * down for real.
+ */
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { execFileSync } from "child_process";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { runRescue } from "./rescue-core.js";
+
+function has(bin: string, ...args: string[]): boolean {
+  try {
+    execFileSync(bin, args, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+const toolsAvailable = has("git", "--version") && has("rsync", "--version");
+
+const FLOOR_EPOCH = 1577836800; // 2020-01-01
+const HEAD_EPOCH = 1609459200; // 2021-01-01
+
+function runRescueCapture(argv: string[], env: NodeJS.ProcessEnv) {
+  let stdout = "";
+  let stderr = "";
+  const origOut = process.stdout.write.bind(process.stdout);
+  const origErr = process.stderr.write.bind(process.stderr);
+  process.stdout.write = ((chunk: unknown) => {
+    stdout += String(chunk);
+    return true;
+  }) as typeof process.stdout.write;
+  process.stderr.write = ((chunk: unknown) => {
+    stderr += String(chunk);
+    return true;
+  }) as typeof process.stderr.write;
+  let status: number;
+  try {
+    status = runRescue(argv, { env }).status;
+  } finally {
+    process.stdout.write = origOut;
+    process.stderr.write = origErr;
+  }
+  return { status, stdout, stderr };
+}
+
+describe.skipIf(!toolsAvailable)("rescue restores +x on shipped shebang scripts", () => {
+  let workDir: string;
+  let upstream: string;
+  let hqRoot: string;
+  let shimDir: string;
+  let floorSha: string;
+  let env: NodeJS.ProcessEnv;
+
+  const gitAt = (cwd: string, epoch: number, ...args: string[]) =>
+    execFileSync("git", args, {
+      cwd,
+      stdio: ["ignore", "pipe", "pipe"],
+      env: {
+        ...process.env,
+        GIT_AUTHOR_NAME: "t",
+        GIT_AUTHOR_EMAIL: "t@t",
+        GIT_COMMITTER_NAME: "t",
+        GIT_COMMITTER_EMAIL: "t@t",
+        GIT_AUTHOR_DATE: `${epoch} +0000`,
+        GIT_COMMITTER_DATE: `${epoch} +0000`,
+      },
+    })
+      .toString()
+      .trim();
+
+  const isExec = (p: string) => (fs.statSync(p).mode & 0o111) !== 0;
+  const mode = (p: string) => fs.statSync(p).mode & 0o777;
+
+  beforeAll(() => {
+    workDir = fs.mkdtempSync(path.join(os.tmpdir(), "hq-rescue-exec-"));
+
+    // --- "upstream" repo ----------------------------------------------------
+    upstream = path.join(workDir, "upstream");
+    fs.mkdirSync(path.join(upstream, "core/scripts"), { recursive: true });
+    fs.mkdirSync(path.join(upstream, "core/docs"), { recursive: true });
+    gitAt(workDir, FLOOR_EPOCH, "init", "-b", "main", "upstream");
+
+    // Shebang script committed WITHOUT +x (the bug: arrives non-executable).
+    const needs = path.join(upstream, "core/scripts/needs-exec.sh");
+    fs.writeFileSync(needs, "#!/bin/bash\necho needs\n", { mode: 0o644 });
+    fs.chmodSync(needs, 0o644);
+    // Shebang script committed WITH +x (control: rsync -a already preserves it).
+    const already = path.join(upstream, "core/scripts/already-exec.sh");
+    fs.writeFileSync(already, "#!/bin/bash\necho already\n");
+    fs.chmodSync(already, 0o755);
+    // Non-shebang data file (control: must NOT be made executable).
+    fs.writeFileSync(path.join(upstream, "core/docs/note.md"), "# note\n", { mode: 0o644 });
+
+    gitAt(upstream, FLOOR_EPOCH, "add", "-A");
+    gitAt(upstream, FLOOR_EPOCH, "commit", "-m", "floor");
+    floorSha = gitAt(upstream, FLOOR_EPOCH, "rev-parse", "HEAD");
+    // A second commit so floor != HEAD (mirrors the mtime fixture).
+    fs.writeFileSync(path.join(upstream, "core/docs/head.md"), "head\n");
+    gitAt(upstream, HEAD_EPOCH, "add", "-A");
+    gitAt(upstream, HEAD_EPOCH, "commit", "-m", "head");
+
+    // Confirm the fixture actually stored the intended tree modes.
+    const lsFloor = gitAt(upstream, HEAD_EPOCH, "ls-tree", "-r", "HEAD");
+    if (!/100644\s+blob\s+\S+\s+core\/scripts\/needs-exec\.sh/.test(lsFloor)) {
+      throw new Error(`fixture needs-exec.sh not stored as 100644:\n${lsFloor}`);
+    }
+    if (!/100755\s+blob\s+\S+\s+core\/scripts\/already-exec\.sh/.test(lsFloor)) {
+      throw new Error(`fixture already-exec.sh not stored as 100755:\n${lsFloor}`);
+    }
+
+    // --- local HQ root being rescued (fresh; upstream files are brand-new) --
+    hqRoot = path.join(workDir, "hq");
+    fs.mkdirSync(path.join(hqRoot, "core"), { recursive: true });
+    fs.mkdirSync(path.join(hqRoot, "personal"), { recursive: true });
+    fs.mkdirSync(path.join(hqRoot, "companies"), { recursive: true });
+
+    // --- git shim: redirect `git clone <github-url>` to the local fixture ---
+    const realGit = execFileSync("bash", ["-lc", "command -v git"]).toString().trim() || "/usr/bin/git";
+    shimDir = path.join(workDir, "shim");
+    fs.mkdirSync(shimDir, { recursive: true });
+    const shim = `#!/usr/bin/env bash
+if [ "$1" = "clone" ]; then
+  args=()
+  for a in "$@"; do
+    case "$a" in
+      https://github.com/*) a=${JSON.stringify(upstream)} ;;
+    esac
+    args+=("$a")
+  done
+  exec ${JSON.stringify(realGit)} "\${args[@]}"
+fi
+exec ${JSON.stringify(realGit)} "$@"
+`;
+    fs.writeFileSync(path.join(shimDir, "git"), shim, { mode: 0o755 });
+    env = { ...process.env, PATH: `${shimDir}:${process.env.PATH ?? ""}` };
+
+    const r = runRescueCapture(
+      [
+        "--hq-root", hqRoot,
+        "--source", "test/repo",
+        "--ref", "main",
+        "--floor-sha", floorSha,
+        "--yes",
+        "--no-backup",
+      ],
+      env,
+    );
+    if (r.status !== 0) {
+      throw new Error(`rescue failed (${r.status}):\n${r.stdout}\n${r.stderr}`);
+    }
+  });
+
+  afterAll(() => {
+    if (workDir) fs.rmSync(workDir, { recursive: true, force: true });
+  });
+
+  it("restores +x on a shebang script shipped as 0644 (the bug)", () => {
+    const f = path.join(hqRoot, "core/scripts/needs-exec.sh");
+    expect(fs.readFileSync(f, "utf-8")).toBe("#!/bin/bash\necho needs\n");
+    expect(isExec(f)).toBe(true);
+    expect(mode(f)).toBe(0o755); // 0644 + (read-bits -> exec-bits)
+  });
+
+  it("leaves an already-executable shebang script executable", () => {
+    const f = path.join(hqRoot, "core/scripts/already-exec.sh");
+    expect(isExec(f)).toBe(true);
+  });
+
+  it("never makes a non-shebang data file executable", () => {
+    const f = path.join(hqRoot, "core/docs/note.md");
+    expect(fs.existsSync(f)).toBe(true);
+    expect(isExec(f)).toBe(false);
+  });
+});

package/src/cli/share.test.ts

@@ -3108,6 +3108,44 @@ describe("share", () => {
     // zero-byte object with x-amz-meta-hq-symlink-target carrying the
     // readlink string verbatim.
 
+    it("F32: first-sync symlink refuses to clobber an existing remote object", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(companyRoot, { recursive: true });
+      fs.writeFileSync(path.join(companyRoot, "target.md"), "local target");
+      const link = path.join(companyRoot, "link.md");
+      fs.symlinkSync("target.md", link);
+
+      // No journal entry: this machine is seeing link.md for the first time.
+      // A remote object already exists at the same key, and HEAD alone does
+      // not prove it is the same symlink target, so the safe behavior is to
+      // surface a push conflict instead of replacing the remote object.
+      vi.mocked(headRemoteFile).mockResolvedValueOnce({
+        lastModified: new Date(),
+        etag: '"remote-existing-etag"',
+        size: 42,
+      });
+
+      const events: Array<{ type?: string; path?: string; direction?: string }> = [];
+      const result = await share({
+        paths: [link],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        onConflict: "abort",
+        onEvent: (e) => events.push(e as { type?: string; path?: string; direction?: string }),
+      });
+
+      expect(result.aborted).toBe(true);
+      expect(result.filesUploaded).toBe(0);
+      expect(result.conflictPaths).toEqual(["link.md"]);
+      expect(uploadSymlink).not.toHaveBeenCalled();
+      expect(
+        events.some(
+          (e) => e.type === "conflict" && e.path === "link.md" && e.direction === "push",
+        ),
+      ).toBe(true);
+    });
+
     it("uploads a top-level symlink as a symlink record (not the target's bytes)", async () => {
       const companyRoot = path.join(tmpDir, "companies", "acme");
       fs.mkdirSync(companyRoot, { recursive: true });