@indigoai-us/hq-cloud 6.11.11 → 6.11.13

package/src/cli/sync.test.ts

@@ -8,6 +8,7 @@ import * as path from "path";
 import * as os from "os";
 import { clearContextCache } from "../context.js";
 import type { VaultServiceConfig } from "../types.js";
+import { lockPathFor } from "../operation-lock.js";
 
 // Mock s3 module at the top level
 vi.mock("../s3.js", async () => {
@@ -42,7 +43,7 @@ vi.mock("./reindex.js", () => ({
   reindex: vi.fn(() => ({ status: 0 })),
 }));
 
-import { sync } from "./sync.js";
+import { sync, reportNewFilesToNotify } from "./sync.js";
 import * as s3Module from "../s3.js";
 import { reindex } from "./reindex.js";
 
@@ -143,6 +144,31 @@ describe("sync", () => {
     expect(reindex).toHaveBeenCalledWith({ repoRoot: tmpDir, skipLock: true });
   });
 
+  it("F15: public sync entrypoint refuses an already-held operation lock", async () => {
+    process.env.HQ_OP_LOCK_TIMEOUT = "0";
+    const lockPath = lockPathFor(tmpDir);
+    fs.mkdirSync(path.dirname(lockPath), { recursive: true });
+    fs.writeFileSync(
+      lockPath,
+      JSON.stringify({
+        pid: 1,
+        command: "rescue",
+        startedAt: new Date().toISOString(),
+        hqRoot: path.resolve(tmpDir),
+      }),
+    );
+
+    try {
+      await expect(
+        sync({ company: "acme", vaultConfig: mockConfig, hqRoot: tmpDir }),
+      ).rejects.toThrow(/another HQ operation is already running/);
+      expect(s3Module.listRemoteFiles).not.toHaveBeenCalled();
+      expect(reindex).not.toHaveBeenCalled();
+    } finally {
+      delete process.env.HQ_OP_LOCK_TIMEOUT;
+    }
+  });
+
   it("skips reindex when skipReindex is set", async () => {
     const result = await sync({
       company: "acme",
@@ -408,6 +434,31 @@ describe("sync", () => {
     expect(litter).toHaveLength(1);
   });
 
+  it("pre-primes new-file GET presigns before per-file created-by HEADs (avoids the presign-burst breaker trip)", async () => {
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      { key: "alpha.md", size: 10, lastModified: new Date(), etag: '"a1"' },
+      { key: "beta.md", size: 10, lastModified: new Date(), etag: '"b2"' },
+    ]);
+
+    await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    // The new-files enrichment must batch-mint the GET presigns once (so the
+    // per-file created-by HEADs reuse the cache) instead of minting one presign
+    // per file — the burst that trips the presign circuit breaker on big
+    // catch-up pulls. Mirrors the tombstone HEAD-verify pre-prime.
+    const getPrimedKeys = vi
+      .mocked(s3Module.primeObjectTransport)
+      .mock.calls.filter(([, op]) => op === "get")
+      .flatMap(([, , keys]) => keys as string[]);
+    expect(getPrimedKeys).toEqual(
+      expect.arrayContaining(["alpha.md", "beta.md"]),
+    );
+  });
+
   it("anti-rollback: a SMALLER remote does NOT silently clobber a clean local — routes through conflict and preserves local", async () => {
     // Regression for the 2026-06-10 incident: append-only chat logs were
     // rolled back when a regressed (older, smaller) S3 object overwrote newer
@@ -522,6 +573,195 @@ describe("sync", () => {
     expect(fs.readFileSync(localPath, "utf-8")).toBe("mock file content");
   });
 
+  it("RF-F02EXEC: refuses a download whose parent symlink appears after planning", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const outsideRoot = fs.mkdtempSync(path.join(os.tmpdir(), "hq-sync-escape-"));
+    const previousConcurrency = process.env.HQ_SYNC_TRANSFER_CONCURRENCY;
+    const defaultDownload = vi.mocked(s3Module.downloadFile).getMockImplementation();
+    process.env.HQ_SYNC_TRANSFER_CONCURRENCY = "1";
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      { key: "docs/setup.md", size: 5, lastModified: new Date(), etag: '"setup"' },
+      { key: "trap/secret.md", size: 6, lastModified: new Date(), etag: '"secret"' },
+    ]);
+    vi.mocked(s3Module.downloadFile).mockImplementation(
+      async (_ctx: unknown, key: string, localPath: string) => {
+        fs.mkdirSync(path.dirname(localPath), { recursive: true });
+        if (key === "docs/setup.md") {
+          fs.writeFileSync(localPath, "setup");
+          fs.symlinkSync(outsideRoot, path.join(companyRoot, "trap"), "dir");
+        } else {
+          fs.writeFileSync(localPath, "escaped");
+        }
+        return { metadata: {} };
+      },
+    );
+
+    const events: Array<{ type: string; path?: string; message?: string }> = [];
+    try {
+      const result = await sync({
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        onEvent: (e) => events.push(e),
+      });
+
+      expect(result.filesDownloaded).toBe(1);
+      expect(fs.readFileSync(path.join(companyRoot, "docs", "setup.md"), "utf-8")).toBe(
+        "setup",
+      );
+      expect(fs.existsSync(path.join(outsideRoot, "secret.md"))).toBe(false);
+      expect(
+        events.some(
+          (e) =>
+            e.type === "error" &&
+            e.path === "trap/secret.md" &&
+            e.message?.includes("escaped the sync root"),
+        ),
+      ).toBe(true);
+    } finally {
+      if (defaultDownload) vi.mocked(s3Module.downloadFile).mockImplementation(defaultDownload);
+      if (previousConcurrency === undefined) {
+        delete process.env.HQ_SYNC_TRANSFER_CONCURRENCY;
+      } else {
+        process.env.HQ_SYNC_TRANSFER_CONCURRENCY = previousConcurrency;
+      }
+      fs.rmSync(outsideRoot, { recursive: true, force: true });
+    }
+  });
+
+  it("RF-F02EXEC-conflict", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const companyDocs = path.join(companyRoot, "docs");
+    const outsideRoot = fs.mkdtempSync(path.join(os.tmpdir(), "hq-sync-conflict-escape-"));
+    const localPath = path.join(companyDocs, "handoff.md");
+    fs.mkdirSync(companyDocs, { recursive: true });
+    fs.writeFileSync(localPath, "local version");
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      { key: "docs/handoff.md", size: 42, lastModified: new Date(), etag: '"new-etag"' },
+    ]);
+
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "1",
+        lastSync: new Date().toISOString(),
+        files: {
+          "docs/handoff.md": {
+            hash: "stale-hash",
+            size: 20,
+            remoteEtag: "old-etag",
+            syncedAt: new Date(Date.now() - 3600000).toISOString(),
+            direction: "down",
+          },
+        },
+      }),
+    );
+
+    const events: Array<{ type: string; path?: string; message?: string }> = [];
+    let swappedParent = false;
+    try {
+      const result = await sync({
+        company: "acme",
+        onConflict: "keep",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        onEvent: (e) => {
+          events.push(e);
+          if (e.type === "plan" && !swappedParent) {
+            swappedParent = true;
+            fs.rmSync(companyDocs, { recursive: true, force: true });
+            fs.symlinkSync(outsideRoot, companyDocs, "dir");
+          }
+        },
+      });
+
+      expect(swappedParent).toBe(true);
+      expect(result.conflicts).toBe(0);
+      expect(result.filesSkipped).toBeGreaterThanOrEqual(1);
+      expect(s3Module.downloadFile).not.toHaveBeenCalled();
+      expect(fs.readdirSync(outsideRoot)).toEqual([]);
+      expect(
+        events.some(
+          (e) =>
+            e.type === "error" &&
+            e.path === "docs/handoff.md" &&
+            e.message?.includes("escaped the sync root"),
+        ),
+      ).toBe(true);
+    } finally {
+      fs.rmSync(outsideRoot, { recursive: true, force: true });
+    }
+  });
+
+  it("RF-F33: FILE_TOMBSTONE planned against absence does not delete a new untracked file", async () => {
+    const untrackedKey = "docs/untracked.md";
+    const trackedKey = "docs/tracked.md";
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const untrackedPath = path.join(companyRoot, untrackedKey);
+    const trackedPath = path.join(companyRoot, trackedKey);
+    fs.mkdirSync(path.dirname(trackedPath), { recursive: true });
+    fs.writeFileSync(trackedPath, "tracked baseline");
+    const { hashFile } = await import("../journal.js");
+
+    setupFetchMock({
+      tombstones: [
+        { key: untrackedKey, deletedAt: "2026-06-20T00:00:00.000Z" },
+        { key: trackedKey, deletedAt: "2026-06-20T00:00:00.000Z" },
+      ],
+    });
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: untrackedKey,
+        size: 10,
+        lastModified: new Date("2026-06-19T00:00:00.000Z"),
+        etag: '"untracked"',
+      },
+      {
+        key: trackedKey,
+        size: 16,
+        lastModified: new Date("2026-06-19T00:00:00.000Z"),
+        etag: '"tracked"',
+      },
+    ]);
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "2",
+        lastSync: "2026-06-19T00:00:00.000Z",
+        files: {
+          [trackedKey]: {
+            hash: hashFile(trackedPath),
+            size: Buffer.byteLength("tracked baseline"),
+            syncedAt: "2026-06-19T00:00:00.000Z",
+            direction: "down",
+            remoteEtag: "tracked",
+          },
+        },
+        pulls: [],
+      }),
+    );
+
+    await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      onEvent: (e) => {
+        if (e.type === "plan") {
+          fs.mkdirSync(path.dirname(untrackedPath), { recursive: true });
+          fs.writeFileSync(untrackedPath, "brand new local work");
+        }
+      },
+    });
+
+    expect(fs.readFileSync(untrackedPath, "utf-8")).toBe("brand new local work");
+    expect(fs.existsSync(trackedPath)).toBe(false);
+    const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+    expect(journal.files[untrackedKey]).toBeUndefined();
+    expect(journal.files[trackedKey]).toBeUndefined();
+  });
+
   it("aborts on --on-conflict abort", async () => {
     const companyDocs = path.join(tmpDir, "companies", "acme", "docs");
     fs.mkdirSync(companyDocs, { recursive: true });
@@ -1095,6 +1335,60 @@ describe("sync", () => {
     expect(journal.files["docs/edited-locally.md"].hash).toBe(baselineHash);
   });
 
+  it("F33: rechecks a tombstone candidate after HEAD verification and preserves a stale local edit", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+    const racedPath = path.join(companyRoot, "docs", "racy-delete.md");
+    fs.writeFileSync(racedPath, "synced baseline");
+
+    const crypto = await import("node:crypto");
+    const baselineHash = crypto
+      .createHash("sha256")
+      .update("synced baseline")
+      .digest("hex");
+
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "1",
+        lastSync: new Date(Date.now() - 60_000).toISOString(),
+        files: {
+          "docs/racy-delete.md": {
+            hash: baselineHash,
+            size: 15,
+            syncedAt: new Date(Date.now() - 60_000).toISOString(),
+            direction: "down",
+            remoteEtag: "remote-before-delete",
+          },
+        },
+      }),
+    );
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([]);
+    let editInjected = false;
+    vi.mocked(s3Module.headRemoteFile).mockImplementationOnce(async (_ctx, key) => {
+      expect(key).toBe("docs/racy-delete.md");
+      fs.writeFileSync(racedPath, "concurrent local edit");
+      editInjected = true;
+      return null;
+    });
+
+    const result = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    expect(editInjected).toBe(true);
+    expect(result.filesTombstoned).toBe(0);
+    expect(fs.existsSync(racedPath)).toBe(true);
+    expect(fs.readFileSync(racedPath, "utf-8")).toBe("concurrent local edit");
+
+    const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+    expect(journal.files["docs/racy-delete.md"]).toBeDefined();
+    expect(journal.files["docs/racy-delete.md"].hash).toBe(baselineHash);
+  });
+
   it("does NOT tombstone symlinks whose readlink target has diverged from the journal (Codex P1 round 4)", async () => {
     // Codex review on PR #24 round 4 caught: the round-3 local-edit
     // divergence guard only covered regular files (`isFile()` is false
@@ -1735,6 +2029,79 @@ describe("sync", () => {
     expect(result.filesExcludedByPolicy).toBeGreaterThanOrEqual(1);
   });
 
+  it("F02: rejects traversal remote keys before they can escape the company root", async () => {
+    const escapeName = `${path.basename(tmpDir)}-escaped.md`;
+    const traversalKey = `../../../${escapeName}`;
+    const escapedPath = path.join(path.dirname(tmpDir), escapeName);
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: traversalKey,
+        size: 13,
+        lastModified: new Date(),
+        etag: '"traversal"',
+      },
+    ]);
+
+    try {
+      const result = await sync({
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+      });
+
+      expect(result.filesDownloaded).toBe(0);
+      expect(result.filesExcludedByPolicy).toBeGreaterThanOrEqual(1);
+      expect(s3Module.downloadFile).not.toHaveBeenCalled();
+      expect(fs.existsSync(escapedPath)).toBe(false);
+      expect(fs.existsSync(path.join(companyRoot, traversalKey))).toBe(false);
+
+      const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+      expect(journal.files[traversalKey]).toBeUndefined();
+    } finally {
+      fs.rmSync(escapedPath, { force: true });
+    }
+  });
+
+  it("R-F02: rejects remote children under an in-root symlink directory", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const outsideDir = fs.mkdtempSync(path.join(os.tmpdir(), "hq-sync-escape-"));
+    const linkDir = path.join(companyRoot, "linked-out");
+    const remoteKey = "linked-out/owned-by-remote.md";
+    const escapedPath = path.join(outsideDir, "owned-by-remote.md");
+
+    fs.mkdirSync(companyRoot, { recursive: true });
+    fs.symlinkSync(outsideDir, linkDir, "dir");
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: remoteKey,
+        size: 13,
+        lastModified: new Date(),
+        etag: '"symlink-dir-escape"',
+      },
+    ]);
+
+    try {
+      const result = await sync({
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+      });
+
+      expect(result.filesDownloaded).toBe(0);
+      expect(result.filesExcludedByPolicy).toBeGreaterThanOrEqual(1);
+      expect(s3Module.downloadFile).not.toHaveBeenCalled();
+      expect(fs.existsSync(escapedPath)).toBe(false);
+      expect(fs.existsSync(path.join(companyRoot, remoteKey))).toBe(false);
+
+      const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+      expect(journal.files[remoteKey]).toBeUndefined();
+    } finally {
+      fs.rmSync(outsideDir, { recursive: true, force: true });
+    }
+  });
+
   it("overwrites local on --on-conflict overwrite", async () => {
     const companyDocs = path.join(tmpDir, "companies", "acme", "docs");
     fs.mkdirSync(companyDocs, { recursive: true });
@@ -2649,3 +3016,95 @@ describe("sync", () => {
     expect(entry.remoteEtag).toBe(newRemoteEtagNormalized);
   });
 });
+
+describe("reportNewFilesToNotify chunking (server cap = 1000 files/report)", () => {
+  // The /v1/notify/file-added endpoint rejects an oversized batch wholesale.
+  // Without chunking, a first sync with >1000 new files reports NONE of them and
+  // the same oversized batch re-triggers every cycle. These lock that the client
+  // splits into chunks at or under the cap.
+  const cfg: VaultServiceConfig = {
+    apiUrl: "https://vault-api.test",
+    authToken: "test-jwt-token",
+    region: "us-east-1",
+  };
+  const mkFiles = (n: number) =>
+    Array.from({ length: n }, (_v, i) => ({
+      path: `docs/file-${i}.md`,
+      bytes: i,
+      addedBy: null as string | null,
+    }));
+  const notifyBatchSizes = (fetchMock: ReturnType<typeof vi.fn>): number[] =>
+    (fetchMock.mock.calls as Array<[string, RequestInit?]>)
+      .filter(([u]) => String(u).includes("/v1/notify/file-added"))
+      .map(([, init]) => JSON.parse(String(init!.body)).files.length);
+
+  afterEach(() => {
+    vi.unstubAllGlobals();
+    vi.clearAllMocks();
+  });
+
+  it("sends a single request when exactly at the cap (1000 files)", async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200, text: async () => "" });
+    vi.stubGlobal("fetch", fetchMock);
+
+    await reportNewFilesToNotify(cfg, "cmp_X", "acme", mkFiles(1000));
+
+    const sizes = notifyBatchSizes(fetchMock);
+    expect(sizes).toEqual([1000]); // one POST, exactly at the cap
+  });
+
+  it("splits an over-cap report into batches all at or under the cap", async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200, text: async () => "" });
+    vi.stubGlobal("fetch", fetchMock);
+
+    await reportNewFilesToNotify(cfg, "cmp_X", "acme", mkFiles(1001));
+
+    const sizes = notifyBatchSizes(fetchMock);
+    expect(sizes).toEqual([1000, 1]); // 1001 → 1000 + 1, never one oversized POST
+    expect(Math.max(...sizes)).toBeLessThanOrEqual(1000);
+    expect(sizes.reduce((a, b) => a + b, 0)).toBe(1001); // every file reported
+  });
+
+  it("chunks a large report into ceil(n/1000) batches with no file dropped", async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200, text: async () => "" });
+    vi.stubGlobal("fetch", fetchMock);
+
+    const all = mkFiles(2500);
+    await reportNewFilesToNotify(cfg, "cmp_X", "acme", all);
+
+    const calls = (fetchMock.mock.calls as Array<[string, RequestInit?]>).filter(([u]) =>
+      String(u).includes("/v1/notify/file-added"),
+    );
+    const sizes = calls.map(([, init]) => JSON.parse(String(init!.body)).files.length);
+    expect(sizes).toEqual([1000, 1000, 500]); // 2500 → three batches
+    // Union of all reported paths equals the input, in order, nothing lost.
+    const reported = calls.flatMap(([, init]) =>
+      (JSON.parse(String(init!.body)).files as Array<{ path: string }>).map((f) => f.path),
+    );
+    expect(reported).toEqual(all.map((f) => f.path));
+  });
+
+  it("a failing chunk does not abort the remaining chunks (best-effort per batch)", async () => {
+    let call = 0;
+    const fetchMock = vi.fn().mockImplementation(async () => {
+      call += 1;
+      if (call === 1) throw new Error("notify endpoint down");
+      return { ok: true, status: 200, text: async () => "" };
+    });
+    vi.stubGlobal("fetch", fetchMock);
+
+    // Must not reject even though the first chunk throws.
+    await expect(reportNewFilesToNotify(cfg, "cmp_X", "acme", mkFiles(2001))).resolves.toBeUndefined();
+    // All three chunks were still attempted (1000 + 1000 + 1).
+    expect(notifyBatchSizes(fetchMock)).toEqual([1000, 1000, 1]);
+  });
+
+  it("no request at all when there are no new files", async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ ok: true, status: 200, text: async () => "" });
+    vi.stubGlobal("fetch", fetchMock);
+
+    await reportNewFilesToNotify(cfg, "cmp_X", "acme", []);
+
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+});