@indigoai-us/hq-cloud 6.11.10 → 6.11.12

package/src/journal.test.ts

@@ -115,6 +115,58 @@ describe("journal", () => {
       expect(roundTripped.files).toEqual(original.files);
       expect(roundTripped.pulls).toEqual([]);
     });
+
+    it("F08: recovers the last good journal when the primary JSON is torn", () => {
+      const lastGood: SyncJournal = {
+        version: "2",
+        lastSync: "2026-06-18T00:00:00.000Z",
+        files: {
+          "docs/stable.md": {
+            hash: "last-good-hash",
+            size: 128,
+            syncedAt: "2026-06-18T00:00:00.000Z",
+            direction: "down",
+          },
+        },
+        pulls: [],
+      };
+      writeJournal("indigo", lastGood);
+
+      // Simulate a torn direct write of the primary journal file. The next
+      // read must use the durable last-good copy rather than aborting sync.
+      fs.writeFileSync(getJournalPath("indigo"), '{"version":"2","files":');
+
+      const recovered = readJournal("indigo");
+      expect(recovered.version).toBe("2");
+      expect(recovered.lastSync).toBe(lastGood.lastSync);
+      expect(recovered.files["docs/stable.md"]).toEqual(
+        lastGood.files["docs/stable.md"],
+      );
+      expect(recovered.pulls).toEqual([]);
+    });
+
+    it("R-F08: surfaces primary IO errors instead of masking them with last-good", () => {
+      const lastGood: SyncJournal = {
+        version: "2",
+        lastSync: "2026-06-18T00:00:00.000Z",
+        files: {
+          "docs/stale.md": {
+            hash: "stale-hash",
+            size: 128,
+            syncedAt: "2026-06-18T00:00:00.000Z",
+            direction: "down",
+          },
+        },
+        pulls: [],
+      };
+      writeJournal("indigo", lastGood);
+
+      const journalPath = getJournalPath("indigo");
+      fs.unlinkSync(journalPath);
+      fs.mkdirSync(journalPath);
+
+      expect(() => readJournal("indigo")).toThrow(/EISDIR|directory/i);
+    });
   });
 
   describe("writeJournal", () => {
@@ -754,6 +806,26 @@ describe("journal", () => {
       expect(all.map((j) => j.slug)).toEqual(["marshalops"]);
     });
 
+    it("R-F08: recovers a torn shard primary from .last-good in listJournals", () => {
+      seed("marshalops", {
+        "k/recovered.md": {
+          hash: "last-good-hash",
+          size: 2,
+          syncedAt: "2026-06-19T11:00:00.000Z",
+          direction: "down",
+        },
+      });
+      fs.writeFileSync(getJournalPath("marshalops"), "");
+
+      const all = listJournals();
+
+      expect(all).toHaveLength(1);
+      expect(all[0]!.slug).toBe("marshalops");
+      expect(all[0]!.journal.files["k/recovered.md"]?.hash).toBe(
+        "last-good-hash",
+      );
+    });
+
     it("ignores unrelated files in the state dir", () => {
       seed("marshalops", {});
       fs.writeFileSync(path.join(stateDir, "config.json"), "{}");

package/src/journal.ts

@@ -28,6 +28,7 @@ export const JOURNAL_VERSION_CURRENT = "2" as const;
 
 const JOURNAL_FILE_PREFIX = "sync-journal.";
 const JOURNAL_FILE_SUFFIX = ".json";
+const JOURNAL_LAST_GOOD_SUFFIX = ".last-good";
 
 /**
  * Where per-company journals are stored. Honors `HQ_STATE_DIR` for tests and
@@ -129,12 +130,40 @@ export function migratePersonalVaultJournal(): void {
 export function readJournal(slug: string): SyncJournal {
   const journalPath = getJournalPath(slug);
   if (fs.existsSync(journalPath)) {
-    const content = fs.readFileSync(journalPath, "utf-8");
-    return JSON.parse(content) as SyncJournal;
+    return readJournalFileWithLastGood(journalPath);
   }
   return { version: JOURNAL_VERSION_CURRENT, lastSync: "", files: {}, pulls: [] };
 }
 
+function parseJournalContent(content: string): SyncJournal {
+  if (content.length === 0) {
+    throw new SyntaxError("journal JSON is empty");
+  }
+  return JSON.parse(content) as SyncJournal;
+}
+
+function isCorruptJournalJson(err: unknown): boolean {
+  return err instanceof SyntaxError;
+}
+
+function readJournalFileWithLastGood(journalPath: string): SyncJournal {
+  let primaryErr: unknown;
+  try {
+    return parseJournalContent(fs.readFileSync(journalPath, "utf-8"));
+  } catch (err) {
+    if (!isCorruptJournalJson(err)) throw err;
+    primaryErr = err;
+  }
+
+  try {
+    return parseJournalContent(
+      fs.readFileSync(lastGoodJournalPath(journalPath), "utf-8"),
+    );
+  } catch {
+    throw primaryErr;
+  }
+}
+
 /** One enumerated journal shard: its recovered slug, on-disk path, contents. */
 export interface JournalSummary {
   /**
@@ -189,12 +218,12 @@ export function listJournals(): JournalSummary[] {
     if (!slug) continue; // guard against a stray "sync-journal..json"
     const filePath = path.join(dir, name);
     try {
-      const journal = JSON.parse(
-        fs.readFileSync(filePath, "utf-8"),
-      ) as SyncJournal;
+      const journal = readJournalFileWithLastGood(filePath);
       out.push({ slug, path: filePath, journal });
-    } catch {
-      // Corrupt/unreadable shard — skip; don't blind the caller to the rest.
+    } catch (err) {
+      if (!isCorruptJournalJson(err)) throw err;
+      // Corrupt shard with no usable last-good — skip; don't blind the caller
+      // to the rest. Genuine IO/permission failures surface to the caller.
     }
   }
   out.sort((a, b) => a.slug.localeCompare(b.slug));
@@ -269,7 +298,65 @@ export function writeJournal(slug: string, journal: SyncJournal): void {
   migrateToV2(journal);
   const journalPath = getJournalPath(slug);
   fs.mkdirSync(path.dirname(journalPath), { recursive: true });
-  fs.writeFileSync(journalPath, JSON.stringify(journal, null, 2));
+  const content = JSON.stringify(journal, null, 2);
+  atomicWriteFileSync(journalPath, content);
+  atomicWriteFileSync(lastGoodJournalPath(journalPath), content);
+}
+
+function lastGoodJournalPath(journalPath: string): string {
+  return `${journalPath}${JOURNAL_LAST_GOOD_SUFFIX}`;
+}
+
+function atomicWriteFileSync(filePath: string, content: string): void {
+  const dir = path.dirname(filePath);
+  const tmpPath = path.join(
+    dir,
+    `.${path.basename(filePath)}.${process.pid}.${Date.now()}.${crypto
+      .randomBytes(6)
+      .toString("hex")}.tmp`,
+  );
+  let fd: number | undefined;
+  try {
+    fd = fs.openSync(tmpPath, "wx");
+    fs.writeFileSync(fd, content);
+    fs.fsyncSync(fd);
+    fs.closeSync(fd);
+    fd = undefined;
+    fs.renameSync(tmpPath, filePath);
+    fsyncDirSync(dir);
+  } catch (err) {
+    if (fd !== undefined) {
+      try {
+        fs.closeSync(fd);
+      } catch {
+        /* ignore close failure while surfacing the original write error */
+      }
+    }
+    try {
+      fs.rmSync(tmpPath, { force: true });
+    } catch {
+      /* best-effort cleanup */
+    }
+    throw err;
+  }
+}
+
+function fsyncDirSync(dir: string): void {
+  let fd: number | undefined;
+  try {
+    fd = fs.openSync(dir, "r");
+    fs.fsyncSync(fd);
+  } catch {
+    // Directory fsync is unsupported on some platforms/filesystems.
+  } finally {
+    if (fd !== undefined) {
+      try {
+        fs.closeSync(fd);
+      } catch {
+        /* ignore */
+      }
+    }
+  }
 }
 
 export function hashFile(filePath: string): string {

package/src/machine-auth.test.ts

@@ -246,9 +246,22 @@ describe("getValidMachineTokens", () => {
     writeCreds();
     const { fetchMock } = stubMintFetch();
     const { saveCachedTokens, getValidMachineTokens } = await importModule();
+    // A valid machine cache must prove this exact agent identity (F06): the
+    // cached tokens carry the agent claims that distinguish a machine token
+    // from a same-client human token, so cache reuse is safe and skips the wire.
     const cached = {
-      accessToken: fakeJwt({ token_use: "access", client_id: CONFIG.clientId }),
-      idToken: fakeJwt({ token_use: "id" }),
+      accessToken: fakeJwt({
+        token_use: "access",
+        client_id: CONFIG.clientId,
+        username: "machine-agt_01TEST",
+      }),
+      idToken: fakeJwt({
+        token_use: "id",
+        aud: CONFIG.clientId,
+        "custom:entityType": "agent",
+        "custom:entityUid": "agt_01TEST",
+        "cognito:username": "machine-agt_01TEST",
+      }),
       refreshToken: "",
       expiresAt: Date.now() + 30 * 60 * 1000,
       tokenType: "Bearer" as const,
@@ -291,6 +304,55 @@ describe("getValidMachineTokens", () => {
     await getValidMachineTokens(CONFIG);
     expect(fetchMock).toHaveBeenCalledTimes(1);
   });
+
+  it("R-F06: re-mints when cached access and ID tokens belong to different agents", async () => {
+    writeCreds();
+    const freshAccess = fakeJwt({
+      token_use: "access",
+      client_id: CONFIG.clientId,
+      username: "machine-agt_01TEST",
+      sub: "sub-agent-1",
+    });
+    const freshId = fakeJwt({
+      token_use: "id",
+      aud: CONFIG.clientId,
+      "custom:entityType": "agent",
+      "custom:entityUid": "agt_01TEST",
+      "cognito:username": "machine-agt_01TEST",
+      sub: "sub-agent-1",
+    });
+    const { fetchMock } = stubMintFetch({
+      AccessToken: freshAccess,
+      IdToken: freshId,
+    });
+    const { saveCachedTokens, getValidAccessToken, loadCachedTokens } =
+      await importModule();
+    saveCachedTokens({
+      accessToken: fakeJwt({
+        token_use: "access",
+        client_id: CONFIG.clientId,
+        username: "machine-agt_01TEST",
+        sub: "sub-agent-1",
+      }),
+      idToken: fakeJwt({
+        token_use: "id",
+        aud: CONFIG.clientId,
+        "custom:entityType": "agent",
+        "custom:entityUid": "agt_OTHER",
+        "cognito:username": "machine-agt_OTHER",
+        sub: "sub-agent-2",
+      }),
+      refreshToken: "",
+      expiresAt: Date.now() + 30 * 60 * 1000,
+      tokenType: "Bearer",
+    });
+
+    const token = await getValidAccessToken(CONFIG, { interactive: false });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    expect(token).toBe(freshId);
+    expect(loadCachedTokens()?.idToken).toBe(freshId);
+  });
 });
 
 // ---------------------------------------------------------------------------

package/src/object-io.test.ts

@@ -215,6 +215,92 @@ describe("PresignObjectIO.putObject", () => {
     ).rejects.toThrow(/presigned PUT failed for k: 403/);
   });
 
+  it("F01: fails closed when a fenced PUT presign omits If-Match", async () => {
+    const previous = process.env.HQ_PRESIGN_FENCE_STRICT;
+    process.env.HQ_PRESIGN_FENCE_STRICT = "true";
+    try {
+      const { vault, setPresign } = makeVault();
+      setPresign([
+        {
+          key: "stale.md",
+          op: "put",
+          url: "https://s3/unfenced-put",
+          headers: { "content-type": "text/markdown" },
+        },
+      ]);
+      fetchMock.mockResolvedValue(
+        new Response(null, { status: 200, headers: { etag: '"v2"' } }),
+      );
+
+      const io = new PresignObjectIO(vault, COMPANY);
+      await expect(
+        io.putObject({
+          key: "stale.md",
+          body: Buffer.from("old bytes"),
+          contentType: "text/markdown",
+          ifMatch: '"v1"',
+        }),
+      ).rejects.toThrow(/if-match|condition|precondition/i);
+      expect(fetchMock).not.toHaveBeenCalled();
+    } finally {
+      if (previous === undefined) {
+        delete process.env.HQ_PRESIGN_FENCE_STRICT;
+      } else {
+        process.env.HQ_PRESIGN_FENCE_STRICT = previous;
+      }
+    }
+  });
+
+  it("F01: does not satisfy a fenced PUT with an unfenced primed URL", async () => {
+    const presignCalls: Array<Parameters<PresignTransportClient["presign"]>[0]> = [];
+    const vault: PresignTransportClient = {
+      presign: async (input) => {
+        presignCalls.push(input);
+        const isFenced = input.keys.some((k) => k.ifNoneMatch === "*");
+        return {
+          results: input.keys.map((k): PresignResultRow => ({
+            key: k.key,
+            op: k.op ?? input.op ?? "put",
+            url: isFenced ? "https://s3/fenced-put" : "https://s3/unfenced-put",
+            headers: isFenced
+              ? { "content-type": "text/plain", "if-none-match": "*" }
+              : { "content-type": "text/plain" },
+            expiresIn: 900,
+          })),
+          expiresAt: "2099-01-01T00:00:00.000Z",
+        };
+      },
+      listFiles: async () => ({ objects: [], cursor: null, truncated: false }),
+    };
+    fetchMock.mockResolvedValue(
+      new Response(null, { status: 200, headers: { etag: '"created"' } }),
+    );
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.prime("put", [{ key: "new.md", op: "put", contentType: "text/plain" }]);
+    const afterPrime = presignCalls.length;
+
+    await io.putObject({
+      key: "new.md",
+      body: Buffer.from("new bytes"),
+      contentType: "text/plain",
+      ifNoneMatch: "*",
+    });
+
+    expect(presignCalls).toHaveLength(afterPrime + 1);
+    expect(presignCalls[afterPrime].keys[0]).toMatchObject({
+      key: "new.md",
+      op: "put",
+      ifNoneMatch: "*",
+    });
+    const [url, init] = fetchMock.mock.calls[0];
+    expect(url).toBe("https://s3/fenced-put");
+    expect(init.headers).toEqual({
+      "content-type": "text/plain",
+      "if-none-match": "*",
+    });
+  });
+
   it("forwards the conditional-write fence on the presign request (ifMatch stripped, ifNoneMatch verbatim)", async () => {
     // The server signs If-Match/If-None-Match into the URL (hq-pro follow-up)
     // and echoes the headers for replay; the client's job is to ASK. Servers
@@ -530,6 +616,62 @@ describe("PresignObjectIO.prime — batch URL cache", () => {
     expect(fetchMock.mock.calls[0][0]).toBe("https://signed/get/f0");
   });
 
+  it("F21: consumes primed GET URLs instead of retaining them", async () => {
+    const { vault, calls } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.prime("get", [{ key: "single" }]);
+    const afterPrime = calls();
+
+    await io.getObject("single");
+    expect(calls()).toBe(afterPrime);
+
+    await io.getObject("single");
+    expect(calls()).toBe(afterPrime + 1);
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+  });
+
+  it("R-F21: reuses a primed GET for later HEAD and clears stale primed PUT on fenced PUT", async () => {
+    fetchMock.mockImplementation(async () => (
+      new Response(Buffer.from("body"), {
+        status: 200,
+        headers: {
+          etag: '"etag-1"',
+          "content-length": "4",
+          "last-modified": "Wed, 01 Jan 2026 00:00:00 GMT",
+        },
+      })
+    ));
+    const { vault, calls } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+
+    await io.prime("get", [{ key: "doc.md" }]);
+    const afterGetPrime = calls();
+    const got = await io.getObject("doc.md");
+    expect(got.body.toString("utf-8")).toBe("body");
+
+    const head = await io.headObject("doc.md");
+    expect(head?.etag).toBe("etag-1");
+    expect(calls()).toBe(afterGetPrime);
+    expect(fetchMock.mock.calls[0][0]).toBe("https://signed/get/doc.md");
+    expect(fetchMock.mock.calls[1][0]).toBe("https://signed/get/doc.md");
+
+    await io.prime("put", [
+      { key: "stale.md", op: "put", contentType: "text/plain" },
+    ]);
+    expect(io.hasPrimedPut("stale.md")).toBe(true);
+    const afterPutPrime = calls();
+
+    await io.putObject({
+      key: "stale.md",
+      body: Buffer.from("new body"),
+      contentType: "text/plain",
+      ifMatch: "old-etag",
+    });
+
+    expect(calls()).toBe(afterPutPrime + 1);
+    expect(io.hasPrimedPut("stale.md")).toBe(false);
+  });
+
   it("primed GET cache also serves headObject (HEAD reuses GET URLs)", async () => {
     const { vault, calls } = makeEchoVault();
     fetchMock.mockResolvedValue(