@indigoai-us/hq-cloud 6.11.10 → 6.11.12

package/src/cli/sync.test.ts

@@ -8,6 +8,7 @@ import * as path from "path";
 import * as os from "os";
 import { clearContextCache } from "../context.js";
 import type { VaultServiceConfig } from "../types.js";
+import { lockPathFor } from "../operation-lock.js";
 
 // Mock s3 module at the top level
 vi.mock("../s3.js", async () => {
@@ -42,7 +43,7 @@ vi.mock("./reindex.js", () => ({
   reindex: vi.fn(() => ({ status: 0 })),
 }));
 
-import { sync } from "./sync.js";
+import { sync, reportNewFilesToNotify } from "./sync.js";
 import * as s3Module from "../s3.js";
 import { reindex } from "./reindex.js";
 
@@ -143,6 +144,31 @@ describe("sync", () => {
     expect(reindex).toHaveBeenCalledWith({ repoRoot: tmpDir, skipLock: true });
   });
 
+  it("F15: public sync entrypoint refuses an already-held operation lock", async () => {
+    process.env.HQ_OP_LOCK_TIMEOUT = "0";
+    const lockPath = lockPathFor(tmpDir);
+    fs.mkdirSync(path.dirname(lockPath), { recursive: true });
+    fs.writeFileSync(
+      lockPath,
+      JSON.stringify({
+        pid: 1,
+        command: "rescue",
+        startedAt: new Date().toISOString(),
+        hqRoot: path.resolve(tmpDir),
+      }),
+    );
+
+    try {
+      await expect(
+        sync({ company: "acme", vaultConfig: mockConfig, hqRoot: tmpDir }),
+      ).rejects.toThrow(/another HQ operation is already running/);
+      expect(s3Module.listRemoteFiles).not.toHaveBeenCalled();
+      expect(reindex).not.toHaveBeenCalled();
+    } finally {
+      delete process.env.HQ_OP_LOCK_TIMEOUT;
+    }
+  });
+
   it("skips reindex when skipReindex is set", async () => {
     const result = await sync({
       company: "acme",
@@ -522,6 +548,195 @@ describe("sync", () => {
     expect(fs.readFileSync(localPath, "utf-8")).toBe("mock file content");
   });
 
+  it("RF-F02EXEC: refuses a download whose parent symlink appears after planning", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const outsideRoot = fs.mkdtempSync(path.join(os.tmpdir(), "hq-sync-escape-"));
+    const previousConcurrency = process.env.HQ_SYNC_TRANSFER_CONCURRENCY;
+    const defaultDownload = vi.mocked(s3Module.downloadFile).getMockImplementation();
+    process.env.HQ_SYNC_TRANSFER_CONCURRENCY = "1";
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      { key: "docs/setup.md", size: 5, lastModified: new Date(), etag: '"setup"' },
+      { key: "trap/secret.md", size: 6, lastModified: new Date(), etag: '"secret"' },
+    ]);
+    vi.mocked(s3Module.downloadFile).mockImplementation(
+      async (_ctx: unknown, key: string, localPath: string) => {
+        fs.mkdirSync(path.dirname(localPath), { recursive: true });
+        if (key === "docs/setup.md") {
+          fs.writeFileSync(localPath, "setup");
+          fs.symlinkSync(outsideRoot, path.join(companyRoot, "trap"), "dir");
+        } else {
+          fs.writeFileSync(localPath, "escaped");
+        }
+        return { metadata: {} };
+      },
+    );
+
+    const events: Array<{ type: string; path?: string; message?: string }> = [];
+    try {
+      const result = await sync({
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        onEvent: (e) => events.push(e),
+      });
+
+      expect(result.filesDownloaded).toBe(1);
+      expect(fs.readFileSync(path.join(companyRoot, "docs", "setup.md"), "utf-8")).toBe(
+        "setup",
+      );
+      expect(fs.existsSync(path.join(outsideRoot, "secret.md"))).toBe(false);
+      expect(
+        events.some(
+          (e) =>
+            e.type === "error" &&
+            e.path === "trap/secret.md" &&
+            e.message?.includes("escaped the sync root"),
+        ),
+      ).toBe(true);
+    } finally {
+      if (defaultDownload) vi.mocked(s3Module.downloadFile).mockImplementation(defaultDownload);
+      if (previousConcurrency === undefined) {
+        delete process.env.HQ_SYNC_TRANSFER_CONCURRENCY;
+      } else {
+        process.env.HQ_SYNC_TRANSFER_CONCURRENCY = previousConcurrency;
+      }
+      fs.rmSync(outsideRoot, { recursive: true, force: true });
+    }
+  });
+
+  it("RF-F02EXEC-conflict", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const companyDocs = path.join(companyRoot, "docs");
+    const outsideRoot = fs.mkdtempSync(path.join(os.tmpdir(), "hq-sync-conflict-escape-"));
+    const localPath = path.join(companyDocs, "handoff.md");
+    fs.mkdirSync(companyDocs, { recursive: true });
+    fs.writeFileSync(localPath, "local version");
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      { key: "docs/handoff.md", size: 42, lastModified: new Date(), etag: '"new-etag"' },
+    ]);
+
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "1",
+        lastSync: new Date().toISOString(),
+        files: {
+          "docs/handoff.md": {
+            hash: "stale-hash",
+            size: 20,
+            remoteEtag: "old-etag",
+            syncedAt: new Date(Date.now() - 3600000).toISOString(),
+            direction: "down",
+          },
+        },
+      }),
+    );
+
+    const events: Array<{ type: string; path?: string; message?: string }> = [];
+    let swappedParent = false;
+    try {
+      const result = await sync({
+        company: "acme",
+        onConflict: "keep",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        onEvent: (e) => {
+          events.push(e);
+          if (e.type === "plan" && !swappedParent) {
+            swappedParent = true;
+            fs.rmSync(companyDocs, { recursive: true, force: true });
+            fs.symlinkSync(outsideRoot, companyDocs, "dir");
+          }
+        },
+      });
+
+      expect(swappedParent).toBe(true);
+      expect(result.conflicts).toBe(0);
+      expect(result.filesSkipped).toBeGreaterThanOrEqual(1);
+      expect(s3Module.downloadFile).not.toHaveBeenCalled();
+      expect(fs.readdirSync(outsideRoot)).toEqual([]);
+      expect(
+        events.some(
+          (e) =>
+            e.type === "error" &&
+            e.path === "docs/handoff.md" &&
+            e.message?.includes("escaped the sync root"),
+        ),
+      ).toBe(true);
+    } finally {
+      fs.rmSync(outsideRoot, { recursive: true, force: true });
+    }
+  });
+
+  it("RF-F33: FILE_TOMBSTONE planned against absence does not delete a new untracked file", async () => {
+    const untrackedKey = "docs/untracked.md";
+    const trackedKey = "docs/tracked.md";
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const untrackedPath = path.join(companyRoot, untrackedKey);
+    const trackedPath = path.join(companyRoot, trackedKey);
+    fs.mkdirSync(path.dirname(trackedPath), { recursive: true });
+    fs.writeFileSync(trackedPath, "tracked baseline");
+    const { hashFile } = await import("../journal.js");
+
+    setupFetchMock({
+      tombstones: [
+        { key: untrackedKey, deletedAt: "2026-06-20T00:00:00.000Z" },
+        { key: trackedKey, deletedAt: "2026-06-20T00:00:00.000Z" },
+      ],
+    });
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: untrackedKey,
+        size: 10,
+        lastModified: new Date("2026-06-19T00:00:00.000Z"),
+        etag: '"untracked"',
+      },
+      {
+        key: trackedKey,
+        size: 16,
+        lastModified: new Date("2026-06-19T00:00:00.000Z"),
+        etag: '"tracked"',
+      },
+    ]);
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "2",
+        lastSync: "2026-06-19T00:00:00.000Z",
+        files: {
+          [trackedKey]: {
+            hash: hashFile(trackedPath),
+            size: Buffer.byteLength("tracked baseline"),
+            syncedAt: "2026-06-19T00:00:00.000Z",
+            direction: "down",
+            remoteEtag: "tracked",
+          },
+        },
+        pulls: [],
+      }),
+    );
+
+    await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      onEvent: (e) => {
+        if (e.type === "plan") {
+          fs.mkdirSync(path.dirname(untrackedPath), { recursive: true });
+          fs.writeFileSync(untrackedPath, "brand new local work");
+        }
+      },
+    });
+
+    expect(fs.readFileSync(untrackedPath, "utf-8")).toBe("brand new local work");
+    expect(fs.existsSync(trackedPath)).toBe(false);
+    const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+    expect(journal.files[untrackedKey]).toBeUndefined();
+    expect(journal.files[trackedKey]).toBeUndefined();
+  });
+
   it("aborts on --on-conflict abort", async () => {
     const companyDocs = path.join(tmpDir, "companies", "acme", "docs");
     fs.mkdirSync(companyDocs, { recursive: true });
@@ -611,6 +826,165 @@ describe("sync", () => {
     expect(fs.existsSync(path.join(tmpDir, "companies", "acme", "docs", "readme.md"))).toBe(false);
   });
 
+  it("personalMode: downloads + journals companies/manifest.yaml (carve-out round-trips) while still skipping other companies/* keys", async () => {
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      { key: "companies/foo/bar.md",    size: 50, lastModified: new Date(), etag: '"xyz789"' },
+      { key: "companies/manifest.yaml", size: 40, lastModified: new Date(), etag: '"man111"' },
+    ]);
+
+    const result = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      personalMode: true,
+    });
+
+    // The manifest is the lone companies/* exemption: it downloads; other
+    // companies/* keys are still dropped.
+    expect(result.filesSkipped).toBe(1);
+    expect(result.filesDownloaded).toBe(1);
+    expect(fs.existsSync(path.join(tmpDir, "companies", "manifest.yaml"))).toBe(true);
+    expect(fs.existsSync(path.join(tmpDir, "companies", "foo", "bar.md"))).toBe(false);
+
+    // The whole point: it now gets a journal baseline, so the push side stops
+    // re-firing a transient conflict every sync (the bug this fix closes).
+    const journaledManifest = fs
+      .readdirSync(stateDir)
+      .filter((f) => f.startsWith("sync-journal."))
+      .some((f) => {
+        const j = JSON.parse(fs.readFileSync(path.join(stateDir, f), "utf8"));
+        return j.files?.["companies/manifest.yaml"] != null;
+      });
+    expect(journaledManifest).toBe(true);
+  });
+
+  it("personalMode pull lands the session-continuity pointer + active thread file under <hqRoot>/workspace/threads/ so a handoff resumes on machine B (DEV-1778)", async () => {
+    // End-to-end download leg of the cross-machine handoff. Machine A pushed
+    // workspace/threads/handoff.json + the thread file it points to into the
+    // personal bucket; machine B pulls and both must land hq-root-relative
+    // (NOT under companies/<slug>/) with the pointer still resolving to the
+    // thread file that also landed — that is what lets /startwork resume.
+    const handoffKey = "workspace/threads/handoff.json";
+    const threadKey = "workspace/threads/T-20260619-1200-resume-me.json";
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      { key: handoffKey, size: 80, lastModified: new Date(), etag: '"h1"' },
+      { key: threadKey, size: 40, lastModified: new Date(), etag: '"t1"' },
+    ]);
+
+    // Materialize realistic bytes per key (the default mock writes a fixed
+    // string, but the pointer must be valid JSON referencing the thread).
+    const origDownload = vi.mocked(s3Module.downloadFile).getMockImplementation();
+    vi.mocked(s3Module.downloadFile).mockImplementation(
+      async (_ctx: unknown, key: string, localPath: string) => {
+        fs.mkdirSync(path.dirname(localPath), { recursive: true });
+        const body = key.endsWith("handoff.json")
+          ? JSON.stringify({ thread_path: threadKey, message: "from machine A" })
+          : JSON.stringify({ conversation_summary: "pick up here" });
+        fs.writeFileSync(localPath, body);
+        return { metadata: {} };
+      },
+    );
+
+    try {
+      const result = await sync({
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        personalMode: true,
+      });
+
+      expect(result.filesDownloaded).toBe(2);
+
+      const handoffLocal = path.join(tmpDir, "workspace", "threads", "handoff.json");
+      const threadLocal = path.join(
+        tmpDir,
+        "workspace",
+        "threads",
+        "T-20260619-1200-resume-me.json",
+      );
+      expect(fs.existsSync(handoffLocal)).toBe(true);
+      expect(fs.existsSync(threadLocal)).toBe(true);
+
+      // Pointer round-trips and resolves to the thread file that also landed.
+      const pointer = JSON.parse(fs.readFileSync(handoffLocal, "utf-8"));
+      expect(pointer.thread_path).toBe(threadKey);
+      expect(fs.existsSync(path.join(tmpDir, pointer.thread_path))).toBe(true);
+
+      // Must NOT be misfiled under companies/<slug>/.
+      expect(
+        fs.existsSync(path.join(tmpDir, "companies", "acme", handoffKey)),
+      ).toBe(false);
+    } finally {
+      if (origDownload) {
+        vi.mocked(s3Module.downloadFile).mockImplementation(origDownload);
+      }
+    }
+  });
+
+  it("personalMode pull does NOT clobber a newer local session-continuity pointer (conflict → keep local) (DEV-1778)", async () => {
+    // Machine B did its OWN /handoff after machine A's push, so B's local
+    // handoff.json is newer than the remote. The pull must preserve B's
+    // pointer rather than overwrite it with A's stale one — the brief's
+    // "download cleanly without clobbering a newer local pointer".
+    const threadsLocal = path.join(tmpDir, "workspace", "threads");
+    fs.mkdirSync(threadsLocal, { recursive: true });
+    fs.writeFileSync(
+      path.join(threadsLocal, "handoff.json"),
+      JSON.stringify({
+        thread_path: "workspace/threads/T-machineB.json",
+        message: "newer local from B",
+      }),
+    );
+
+    // Journal records a prior synced baseline (stale hash, no remoteEtag) so
+    // the planner sees local-changed AND remote-changed → conflict. Keys are
+    // hq-root-relative in personalMode.
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "1",
+        lastSync: new Date().toISOString(),
+        files: {
+          "workspace/threads/handoff.json": {
+            hash: "old-hash-from-last-sync",
+            size: 10,
+            syncedAt: new Date(Date.now() - 3600000).toISOString(),
+            direction: "down",
+          },
+        },
+      }),
+    );
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: "workspace/threads/handoff.json",
+        size: 50,
+        lastModified: new Date(),
+        etag: '"remote-from-A"',
+      },
+    ]);
+
+    const result = await sync({
+      company: "acme",
+      onConflict: "keep",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      personalMode: true,
+    });
+
+    expect(result.conflicts).toBe(1);
+    expect(result.conflictPaths).toEqual(["workspace/threads/handoff.json"]);
+    expect(result.filesSkipped).toBeGreaterThanOrEqual(1);
+
+    // B's newer local pointer is preserved verbatim — not clobbered by A's.
+    const kept = JSON.parse(
+      fs.readFileSync(path.join(threadsLocal, "handoff.json"), "utf-8"),
+    );
+    expect(kept.message).toBe("newer local from B");
+    expect(kept.thread_path).toBe("workspace/threads/T-machineB.json");
+  });
+
   it("personalMode + includeLocalCompanies: downloads companies/{cloud-false-slug}/... keys when slug NOT in teamSyncedSlugs", async () => {
     // The symmetric flip for the cloud:false → personal-bucket fallback.
     // Machine A pushed `companies/free-co/notes.md` to the personal bucket
@@ -936,6 +1310,60 @@ describe("sync", () => {
     expect(journal.files["docs/edited-locally.md"].hash).toBe(baselineHash);
   });
 
+  it("F33: rechecks a tombstone candidate after HEAD verification and preserves a stale local edit", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+    const racedPath = path.join(companyRoot, "docs", "racy-delete.md");
+    fs.writeFileSync(racedPath, "synced baseline");
+
+    const crypto = await import("node:crypto");
+    const baselineHash = crypto
+      .createHash("sha256")
+      .update("synced baseline")
+      .digest("hex");
+
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "1",
+        lastSync: new Date(Date.now() - 60_000).toISOString(),
+        files: {
+          "docs/racy-delete.md": {
+            hash: baselineHash,
+            size: 15,
+            syncedAt: new Date(Date.now() - 60_000).toISOString(),
+            direction: "down",
+            remoteEtag: "remote-before-delete",
+          },
+        },
+      }),
+    );
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([]);
+    let editInjected = false;
+    vi.mocked(s3Module.headRemoteFile).mockImplementationOnce(async (_ctx, key) => {
+      expect(key).toBe("docs/racy-delete.md");
+      fs.writeFileSync(racedPath, "concurrent local edit");
+      editInjected = true;
+      return null;
+    });
+
+    const result = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    expect(editInjected).toBe(true);
+    expect(result.filesTombstoned).toBe(0);
+    expect(fs.existsSync(racedPath)).toBe(true);
+    expect(fs.readFileSync(racedPath, "utf-8")).toBe("concurrent local edit");
+
+    const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+    expect(journal.files["docs/racy-delete.md"]).toBeDefined();
+    expect(journal.files["docs/racy-delete.md"].hash).toBe(baselineHash);
+  });
+
   it("does NOT tombstone symlinks whose readlink target has diverged from the journal (Codex P1 round 4)", async () => {
     // Codex review on PR #24 round 4 caught: the round-3 local-edit
     // divergence guard only covered regular files (`isFile()` is false
@@ -1576,6 +2004,79 @@ describe("sync", () => {
     expect(result.filesExcludedByPolicy).toBeGreaterThanOrEqual(1);
   });
 
+  it("F02: rejects traversal remote keys before they can escape the company root", async () => {
+    const escapeName = `${path.basename(tmpDir)}-escaped.md`;
+    const traversalKey = `../../../${escapeName}`;
+    const escapedPath = path.join(path.dirname(tmpDir), escapeName);
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: traversalKey,
+        size: 13,
+        lastModified: new Date(),
+        etag: '"traversal"',
+      },
+    ]);
+
+    try {
+      const result = await sync({
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+      });
+
+      expect(result.filesDownloaded).toBe(0);
+      expect(result.filesExcludedByPolicy).toBeGreaterThanOrEqual(1);
+      expect(s3Module.downloadFile).not.toHaveBeenCalled();
+      expect(fs.existsSync(escapedPath)).toBe(false);
+      expect(fs.existsSync(path.join(companyRoot, traversalKey))).toBe(false);
+
+      const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+      expect(journal.files[traversalKey]).toBeUndefined();
+    } finally {
+      fs.rmSync(escapedPath, { force: true });
+    }
+  });
+
+  it("R-F02: rejects remote children under an in-root symlink directory", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const outsideDir = fs.mkdtempSync(path.join(os.tmpdir(), "hq-sync-escape-"));
+    const linkDir = path.join(companyRoot, "linked-out");
+    const remoteKey = "linked-out/owned-by-remote.md";
+    const escapedPath = path.join(outsideDir, "owned-by-remote.md");
+
+    fs.mkdirSync(companyRoot, { recursive: true });
+    fs.symlinkSync(outsideDir, linkDir, "dir");
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: remoteKey,
+        size: 13,
+        lastModified: new Date(),
+        etag: '"symlink-dir-escape"',
+      },
+    ]);
+
+    try {
+      const result = await sync({
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+      });
+
+      expect(result.filesDownloaded).toBe(0);
+      expect(result.filesExcludedByPolicy).toBeGreaterThanOrEqual(1);
+      expect(s3Module.downloadFile).not.toHaveBeenCalled();
+      expect(fs.existsSync(escapedPath)).toBe(false);
+      expect(fs.existsSync(path.join(companyRoot, remoteKey))).toBe(false);
+
+      const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+      expect(journal.files[remoteKey]).toBeUndefined();
+    } finally {
+      fs.rmSync(outsideDir, { recursive: true, force: true });
+    }
+  });
+
   it("overwrites local on --on-conflict overwrite", async () => {
     const companyDocs = path.join(tmpDir, "companies", "acme", "docs");
     fs.mkdirSync(companyDocs, { recursive: true });
@@ -2490,3 +2991,95 @@ describe("sync", () => {
     expect(entry.remoteEtag).toBe(newRemoteEtagNormalized);
   });
 });
+
+describe("reportNewFilesToNotify chunking (server cap = 1000 files/report)", () => {
+  // The /v1/notify/file-added endpoint rejects an oversized batch wholesale.
+  // Without chunking, a first sync with >1000 new files reports NONE of them and
+  // the same oversized batch re-triggers every cycle. These lock that the client
+  // splits into chunks at or under the cap.
+  const cfg: VaultServiceConfig = {
+    apiUrl: "https://vault-api.test",
+    authToken: "test-jwt-token",
+    region: "us-east-1",
+  };
+  const mkFiles = (n: number) =>
+    Array.from({ length: n }, (_v, i) => ({
+      path: `docs/file-${i}.md`,
+      bytes: i,
+      addedBy: null as string | null,
+    }));
+  const notifyBatchSizes = (fetchMock: ReturnType<typeof vi.fn>): number[] =>
+    (fetchMock.mock.calls as Array<[string, RequestInit?]>)
+      .filter(([u]) => String(u).includes("/v1/notify/file-added"))
+      .map(([, init]) => JSON.parse(String(init!.body)).files.length);
+
+  afterEach(() => {
+    vi.unstubAllGlobals();
+    vi.clearAllMocks();
+  });
+
+  it("sends a single request when exactly at the cap (1000 files)", async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200, text: async () => "" });
+    vi.stubGlobal("fetch", fetchMock);
+
+    await reportNewFilesToNotify(cfg, "cmp_X", "acme", mkFiles(1000));
+
+    const sizes = notifyBatchSizes(fetchMock);
+    expect(sizes).toEqual([1000]); // one POST, exactly at the cap
+  });
+
+  it("splits an over-cap report into batches all at or under the cap", async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200, text: async () => "" });
+    vi.stubGlobal("fetch", fetchMock);
+
+    await reportNewFilesToNotify(cfg, "cmp_X", "acme", mkFiles(1001));
+
+    const sizes = notifyBatchSizes(fetchMock);
+    expect(sizes).toEqual([1000, 1]); // 1001 → 1000 + 1, never one oversized POST
+    expect(Math.max(...sizes)).toBeLessThanOrEqual(1000);
+    expect(sizes.reduce((a, b) => a + b, 0)).toBe(1001); // every file reported
+  });
+
+  it("chunks a large report into ceil(n/1000) batches with no file dropped", async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200, text: async () => "" });
+    vi.stubGlobal("fetch", fetchMock);
+
+    const all = mkFiles(2500);
+    await reportNewFilesToNotify(cfg, "cmp_X", "acme", all);
+
+    const calls = (fetchMock.mock.calls as Array<[string, RequestInit?]>).filter(([u]) =>
+      String(u).includes("/v1/notify/file-added"),
+    );
+    const sizes = calls.map(([, init]) => JSON.parse(String(init!.body)).files.length);
+    expect(sizes).toEqual([1000, 1000, 500]); // 2500 → three batches
+    // Union of all reported paths equals the input, in order, nothing lost.
+    const reported = calls.flatMap(([, init]) =>
+      (JSON.parse(String(init!.body)).files as Array<{ path: string }>).map((f) => f.path),
+    );
+    expect(reported).toEqual(all.map((f) => f.path));
+  });
+
+  it("a failing chunk does not abort the remaining chunks (best-effort per batch)", async () => {
+    let call = 0;
+    const fetchMock = vi.fn().mockImplementation(async () => {
+      call += 1;
+      if (call === 1) throw new Error("notify endpoint down");
+      return { ok: true, status: 200, text: async () => "" };
+    });
+    vi.stubGlobal("fetch", fetchMock);
+
+    // Must not reject even though the first chunk throws.
+    await expect(reportNewFilesToNotify(cfg, "cmp_X", "acme", mkFiles(2001))).resolves.toBeUndefined();
+    // All three chunks were still attempted (1000 + 1000 + 1).
+    expect(notifyBatchSizes(fetchMock)).toEqual([1000, 1000, 1]);
+  });
+
+  it("no request at all when there are no new files", async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200, text: async () => "" });
+    vi.stubGlobal("fetch", fetchMock);
+
+    await reportNewFilesToNotify(cfg, "cmp_X", "acme", []);
+
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+});