@indigoai-us/hq-cloud 6.11.11 → 6.11.13

package/src/cognito-auth.test.ts

@@ -198,6 +198,83 @@ describe("getValidAccessToken stale-pool detection", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// Machine identity cache isolation — machine mode must not reuse human tokens
+// from the shared Cognito cache even when the app client matches.
+// ---------------------------------------------------------------------------
+
+describe("machine identity cache isolation", () => {
+  it("F06: machine mode re-mints instead of reusing a cached human token", async () => {
+    const { saveCachedTokens, getValidAccessToken } = await importModule();
+
+    const cachedHumanAccessToken = makeAccessToken({
+      token_use: "access",
+      client_id: PROD_CLIENT,
+      username: "human@example.com",
+      sub: "human-sub",
+    });
+    const cachedHumanIdToken = makeAccessToken({
+      token_use: "id",
+      aud: PROD_CLIENT,
+      email: "human@example.com",
+      "cognito:username": "human@example.com",
+      sub: "human-sub",
+    });
+    saveCachedTokens({
+      ...baseTokens,
+      accessToken: cachedHumanAccessToken,
+      idToken: cachedHumanIdToken,
+      expiresAt: Date.now() + 60 * 60 * 1000,
+    });
+
+    const machineUid = "agt_01JZ0000000000000000000000";
+    const machineCredsDir = path.join(tmpHome, ".hq-agent");
+    fs.mkdirSync(machineCredsDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(machineCredsDir, "machine-creds.json"),
+      JSON.stringify({
+        username: "agt-01jz0000000000000000000000@agents.getindigo.ai",
+        secret: "machine-secret",
+        clientId: PROD_CLIENT,
+        region: "us-east-1",
+      }),
+    );
+
+    const mintedMachineAccessToken = makeAccessToken({
+      token_use: "access",
+      client_id: PROD_CLIENT,
+      username: "agt-01jz0000000000000000000000@agents.getindigo.ai",
+      sub: machineUid,
+    });
+    const mintedMachineIdToken = makeAccessToken({
+      token_use: "id",
+      aud: PROD_CLIENT,
+      "custom:entityType": "agent",
+      "custom:entityUid": machineUid,
+      "cognito:username": "agt-01jz0000000000000000000000@agents.getindigo.ai",
+      sub: machineUid,
+    });
+    const fetchMock = vi.fn(async () =>
+      new Response(
+        JSON.stringify({
+          AuthenticationResult: {
+            AccessToken: mintedMachineAccessToken,
+            IdToken: mintedMachineIdToken,
+            ExpiresIn: 3600,
+          },
+        }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      ),
+    );
+    vi.stubGlobal("fetch", fetchMock);
+
+    await expect(
+      getValidAccessToken(baseConfig, { interactive: false }),
+    ).resolves.toBe(mintedMachineIdToken);
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+});
+
 // ---------------------------------------------------------------------------
 // Round-trip: writers emit epoch-ms, readers read epoch-ms
 // ---------------------------------------------------------------------------

package/src/cognito-auth.ts

@@ -134,19 +134,80 @@ export function isExpiring(tokens: CognitoTokens, bufferSeconds = 60): boolean {
  * forcing a re-login is the only safe self-heal.
  */
 export function decodeAccessTokenClientId(accessToken: string): string | null {
+  const claims = decodeJwtClaims(accessToken);
+  return typeof claims?.client_id === "string" ? claims.client_id : null;
+}
+
+function decodeJwtClaims(token: string): Record<string, unknown> | null {
   try {
-    const parts = accessToken.split(".");
+    const parts = token.split(".");
     if (parts.length < 2) return null;
     const payloadB64 = parts[1];
-    const padded = payloadB64 + "=".repeat((4 - (payloadB64.length % 4)) % 4);
+    const normalized = payloadB64.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = normalized + "=".repeat((4 - (normalized.length % 4)) % 4);
     const json = Buffer.from(padded, "base64").toString("utf-8");
-    const claims = JSON.parse(json) as { client_id?: unknown };
-    return typeof claims.client_id === "string" ? claims.client_id : null;
+    const claims = JSON.parse(json);
+    return claims && typeof claims === "object" && !Array.isArray(claims)
+      ? (claims as Record<string, unknown>)
+      : null;
   } catch {
     return null;
   }
 }
 
+function cachedTokensMatchMachineIdentity(
+  tokens: CognitoTokens,
+  creds: MachineCreds,
+  expectedClientId: string,
+): boolean {
+  const accessClaims = decodeJwtClaims(tokens.accessToken);
+  const idClaims = decodeJwtClaims(tokens.idToken);
+  if (!accessClaims || !idClaims) return false;
+
+  const stringClaim = (
+    claims: Record<string, unknown>,
+    key: string,
+  ): string | null => {
+    const value = claims[key];
+    return typeof value === "string" && value.length > 0 ? value : null;
+  };
+
+  const accessClientId = accessClaims.client_id;
+  const idAudience = idClaims.aud;
+  const accessUsername =
+    stringClaim(accessClaims, "username") ??
+    stringClaim(accessClaims, "cognito:username");
+  const accessSub = stringClaim(accessClaims, "sub");
+  const idUsername =
+    stringClaim(idClaims, "cognito:username") ?? stringClaim(idClaims, "username");
+  const idSub = stringClaim(idClaims, "sub");
+  const entityType = idClaims["custom:entityType"];
+  const entityUid = idClaims["custom:entityUid"];
+  const idTokenMatchesCreds =
+    idUsername === creds.username || idSub === creds.username;
+  const subjectBindings: boolean[] = [];
+  if (accessUsername !== null && idUsername !== null) {
+    subjectBindings.push(accessUsername === idUsername);
+  }
+  if (accessSub !== null && idSub !== null) {
+    subjectBindings.push(accessSub === idSub);
+  }
+  const tokensShareSubject =
+    subjectBindings.length > 0 && subjectBindings.every(Boolean);
+
+  return (
+    accessClaims.token_use === "access" &&
+    accessClientId === expectedClientId &&
+    idClaims.token_use === "id" &&
+    idAudience === expectedClientId &&
+    entityType === "agent" &&
+    typeof entityUid === "string" &&
+    entityUid.startsWith("agt_") &&
+    idTokenMatchesCreds &&
+    tokensShareSubject
+  );
+}
+
 // ---------------------------------------------------------------------------
 // Machine identity (company agents)
 // ---------------------------------------------------------------------------
@@ -309,17 +370,18 @@ export async function mintMachineTokens(
 export async function getValidMachineTokens(
   config: CognitoAuthConfig,
 ): Promise<CognitoTokens> {
+  const machineCreds = loadMachineCreds();
   const cached = loadCachedTokens();
-  if (cached && !isExpiring(cached, 120)) {
-    const cachedClientId = decodeAccessTokenClientId(cached.accessToken);
-    // Compare against the client we'd actually mint with (creds-file
-    // clientId wins over config).
-    const expectedClientId = loadMachineCreds()?.clientId ?? config.clientId;
-    if (cachedClientId === null || cachedClientId === expectedClientId) {
+  if (machineCreds && cached && !isExpiring(cached, 120)) {
+    // Compare against the client we'd actually mint with (creds-file clientId
+    // wins over config), and require the cached ID token to prove this exact
+    // agent identity. Opaque/missing/human-shaped claims are treated as stale.
+    const expectedClientId = machineCreds.clientId ?? config.clientId;
+    if (cachedTokensMatchMachineIdentity(cached, machineCreds, expectedClientId)) {
       return cached;
     }
   }
-  return mintMachineTokens(config);
+  return mintMachineTokens(config, machineCreds ?? undefined);
 }
 
 // ---------------------------------------------------------------------------

package/src/daemon-worker.ts

@@ -4,11 +4,11 @@
  *
  * Day 1: not invoked by CLI surface; retained for future automatic-sync milestone.
  * When re-enabled, this worker will need to resolve an EntityContext before
- * constructing the SyncWatcher. The process argv will need to include company
- * context (slug or UID) and vault-service config.
+ * constructing the active watcher/runner path. The process argv will need to
+ * include company context (slug or UID) and vault-service config.
  */
 
-// Day 1: SyncWatcher now requires an EntityContext.
+// Day 1: this worker still requires EntityContext-aware startup wiring.
 // This file is retained for the automatic-sync milestone but is not functional
 // until the daemon startup path is updated to resolve entity context.
 

package/src/index.ts

@@ -62,6 +62,14 @@ export {
   coalescePrefixes,
   isCoveredByAny,
   grantPathToPrefix,
+  grantPathToScopePrefix,
+  pathToScopePrefix,
+  toScopePrefixEntries,
+} from "./prefix-coalesce.js";
+export type {
+  ScopePrefixEntry,
+  ScopePrefixInput,
+  ScopePrefixMatch,
 } from "./prefix-coalesce.js";
 
 // Scope-shrink detection + application (US-005)

package/src/journal.test.ts

@@ -115,6 +115,58 @@ describe("journal", () => {
       expect(roundTripped.files).toEqual(original.files);
       expect(roundTripped.pulls).toEqual([]);
     });
+
+    it("F08: recovers the last good journal when the primary JSON is torn", () => {
+      const lastGood: SyncJournal = {
+        version: "2",
+        lastSync: "2026-06-18T00:00:00.000Z",
+        files: {
+          "docs/stable.md": {
+            hash: "last-good-hash",
+            size: 128,
+            syncedAt: "2026-06-18T00:00:00.000Z",
+            direction: "down",
+          },
+        },
+        pulls: [],
+      };
+      writeJournal("indigo", lastGood);
+
+      // Simulate a torn direct write of the primary journal file. The next
+      // read must use the durable last-good copy rather than aborting sync.
+      fs.writeFileSync(getJournalPath("indigo"), '{"version":"2","files":');
+
+      const recovered = readJournal("indigo");
+      expect(recovered.version).toBe("2");
+      expect(recovered.lastSync).toBe(lastGood.lastSync);
+      expect(recovered.files["docs/stable.md"]).toEqual(
+        lastGood.files["docs/stable.md"],
+      );
+      expect(recovered.pulls).toEqual([]);
+    });
+
+    it("R-F08: surfaces primary IO errors instead of masking them with last-good", () => {
+      const lastGood: SyncJournal = {
+        version: "2",
+        lastSync: "2026-06-18T00:00:00.000Z",
+        files: {
+          "docs/stale.md": {
+            hash: "stale-hash",
+            size: 128,
+            syncedAt: "2026-06-18T00:00:00.000Z",
+            direction: "down",
+          },
+        },
+        pulls: [],
+      };
+      writeJournal("indigo", lastGood);
+
+      const journalPath = getJournalPath("indigo");
+      fs.unlinkSync(journalPath);
+      fs.mkdirSync(journalPath);
+
+      expect(() => readJournal("indigo")).toThrow(/EISDIR|directory/i);
+    });
   });
 
   describe("writeJournal", () => {
@@ -754,6 +806,26 @@ describe("journal", () => {
       expect(all.map((j) => j.slug)).toEqual(["marshalops"]);
     });
 
+    it("R-F08: recovers a torn shard primary from .last-good in listJournals", () => {
+      seed("marshalops", {
+        "k/recovered.md": {
+          hash: "last-good-hash",
+          size: 2,
+          syncedAt: "2026-06-19T11:00:00.000Z",
+          direction: "down",
+        },
+      });
+      fs.writeFileSync(getJournalPath("marshalops"), "");
+
+      const all = listJournals();
+
+      expect(all).toHaveLength(1);
+      expect(all[0]!.slug).toBe("marshalops");
+      expect(all[0]!.journal.files["k/recovered.md"]?.hash).toBe(
+        "last-good-hash",
+      );
+    });
+
     it("ignores unrelated files in the state dir", () => {
       seed("marshalops", {});
       fs.writeFileSync(path.join(stateDir, "config.json"), "{}");

package/src/journal.ts

@@ -28,6 +28,7 @@ export const JOURNAL_VERSION_CURRENT = "2" as const;
 
 const JOURNAL_FILE_PREFIX = "sync-journal.";
 const JOURNAL_FILE_SUFFIX = ".json";
+const JOURNAL_LAST_GOOD_SUFFIX = ".last-good";
 
 /**
  * Where per-company journals are stored. Honors `HQ_STATE_DIR` for tests and
@@ -129,12 +130,40 @@ export function migratePersonalVaultJournal(): void {
 export function readJournal(slug: string): SyncJournal {
   const journalPath = getJournalPath(slug);
   if (fs.existsSync(journalPath)) {
-    const content = fs.readFileSync(journalPath, "utf-8");
-    return JSON.parse(content) as SyncJournal;
+    return readJournalFileWithLastGood(journalPath);
   }
   return { version: JOURNAL_VERSION_CURRENT, lastSync: "", files: {}, pulls: [] };
 }
 
+function parseJournalContent(content: string): SyncJournal {
+  if (content.length === 0) {
+    throw new SyntaxError("journal JSON is empty");
+  }
+  return JSON.parse(content) as SyncJournal;
+}
+
+function isCorruptJournalJson(err: unknown): boolean {
+  return err instanceof SyntaxError;
+}
+
+function readJournalFileWithLastGood(journalPath: string): SyncJournal {
+  let primaryErr: unknown;
+  try {
+    return parseJournalContent(fs.readFileSync(journalPath, "utf-8"));
+  } catch (err) {
+    if (!isCorruptJournalJson(err)) throw err;
+    primaryErr = err;
+  }
+
+  try {
+    return parseJournalContent(
+      fs.readFileSync(lastGoodJournalPath(journalPath), "utf-8"),
+    );
+  } catch {
+    throw primaryErr;
+  }
+}
+
 /** One enumerated journal shard: its recovered slug, on-disk path, contents. */
 export interface JournalSummary {
   /**
@@ -189,12 +218,12 @@ export function listJournals(): JournalSummary[] {
     if (!slug) continue; // guard against a stray "sync-journal..json"
     const filePath = path.join(dir, name);
     try {
-      const journal = JSON.parse(
-        fs.readFileSync(filePath, "utf-8"),
-      ) as SyncJournal;
+      const journal = readJournalFileWithLastGood(filePath);
       out.push({ slug, path: filePath, journal });
-    } catch {
-      // Corrupt/unreadable shard — skip; don't blind the caller to the rest.
+    } catch (err) {
+      if (!isCorruptJournalJson(err)) throw err;
+      // Corrupt shard with no usable last-good — skip; don't blind the caller
+      // to the rest. Genuine IO/permission failures surface to the caller.
     }
   }
   out.sort((a, b) => a.slug.localeCompare(b.slug));
@@ -269,7 +298,65 @@ export function writeJournal(slug: string, journal: SyncJournal): void {
   migrateToV2(journal);
   const journalPath = getJournalPath(slug);
   fs.mkdirSync(path.dirname(journalPath), { recursive: true });
-  fs.writeFileSync(journalPath, JSON.stringify(journal, null, 2));
+  const content = JSON.stringify(journal, null, 2);
+  atomicWriteFileSync(journalPath, content);
+  atomicWriteFileSync(lastGoodJournalPath(journalPath), content);
+}
+
+function lastGoodJournalPath(journalPath: string): string {
+  return `${journalPath}${JOURNAL_LAST_GOOD_SUFFIX}`;
+}
+
+function atomicWriteFileSync(filePath: string, content: string): void {
+  const dir = path.dirname(filePath);
+  const tmpPath = path.join(
+    dir,
+    `.${path.basename(filePath)}.${process.pid}.${Date.now()}.${crypto
+      .randomBytes(6)
+      .toString("hex")}.tmp`,
+  );
+  let fd: number | undefined;
+  try {
+    fd = fs.openSync(tmpPath, "wx");
+    fs.writeFileSync(fd, content);
+    fs.fsyncSync(fd);
+    fs.closeSync(fd);
+    fd = undefined;
+    fs.renameSync(tmpPath, filePath);
+    fsyncDirSync(dir);
+  } catch (err) {
+    if (fd !== undefined) {
+      try {
+        fs.closeSync(fd);
+      } catch {
+        /* ignore close failure while surfacing the original write error */
+      }
+    }
+    try {
+      fs.rmSync(tmpPath, { force: true });
+    } catch {
+      /* best-effort cleanup */
+    }
+    throw err;
+  }
+}
+
+function fsyncDirSync(dir: string): void {
+  let fd: number | undefined;
+  try {
+    fd = fs.openSync(dir, "r");
+    fs.fsyncSync(fd);
+  } catch {
+    // Directory fsync is unsupported on some platforms/filesystems.
+  } finally {
+    if (fd !== undefined) {
+      try {
+        fs.closeSync(fd);
+      } catch {
+        /* ignore */
+      }
+    }
+  }
 }
 
 export function hashFile(filePath: string): string {

package/src/machine-auth.test.ts

@@ -246,9 +246,22 @@ describe("getValidMachineTokens", () => {
     writeCreds();
     const { fetchMock } = stubMintFetch();
     const { saveCachedTokens, getValidMachineTokens } = await importModule();
+    // A valid machine cache must prove this exact agent identity (F06): the
+    // cached tokens carry the agent claims that distinguish a machine token
+    // from a same-client human token, so cache reuse is safe and skips the wire.
     const cached = {
-      accessToken: fakeJwt({ token_use: "access", client_id: CONFIG.clientId }),
-      idToken: fakeJwt({ token_use: "id" }),
+      accessToken: fakeJwt({
+        token_use: "access",
+        client_id: CONFIG.clientId,
+        username: "machine-agt_01TEST",
+      }),
+      idToken: fakeJwt({
+        token_use: "id",
+        aud: CONFIG.clientId,
+        "custom:entityType": "agent",
+        "custom:entityUid": "agt_01TEST",
+        "cognito:username": "machine-agt_01TEST",
+      }),
       refreshToken: "",
       expiresAt: Date.now() + 30 * 60 * 1000,
       tokenType: "Bearer" as const,
@@ -291,6 +304,55 @@ describe("getValidMachineTokens", () => {
     await getValidMachineTokens(CONFIG);
     expect(fetchMock).toHaveBeenCalledTimes(1);
   });
+
+  it("R-F06: re-mints when cached access and ID tokens belong to different agents", async () => {
+    writeCreds();
+    const freshAccess = fakeJwt({
+      token_use: "access",
+      client_id: CONFIG.clientId,
+      username: "machine-agt_01TEST",
+      sub: "sub-agent-1",
+    });
+    const freshId = fakeJwt({
+      token_use: "id",
+      aud: CONFIG.clientId,
+      "custom:entityType": "agent",
+      "custom:entityUid": "agt_01TEST",
+      "cognito:username": "machine-agt_01TEST",
+      sub: "sub-agent-1",
+    });
+    const { fetchMock } = stubMintFetch({
+      AccessToken: freshAccess,
+      IdToken: freshId,
+    });
+    const { saveCachedTokens, getValidAccessToken, loadCachedTokens } =
+      await importModule();
+    saveCachedTokens({
+      accessToken: fakeJwt({
+        token_use: "access",
+        client_id: CONFIG.clientId,
+        username: "machine-agt_01TEST",
+        sub: "sub-agent-1",
+      }),
+      idToken: fakeJwt({
+        token_use: "id",
+        aud: CONFIG.clientId,
+        "custom:entityType": "agent",
+        "custom:entityUid": "agt_OTHER",
+        "cognito:username": "machine-agt_OTHER",
+        sub: "sub-agent-2",
+      }),
+      refreshToken: "",
+      expiresAt: Date.now() + 30 * 60 * 1000,
+      tokenType: "Bearer",
+    });
+
+    const token = await getValidAccessToken(CONFIG, { interactive: false });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    expect(token).toBe(freshId);
+    expect(loadCachedTokens()?.idToken).toBe(freshId);
+  });
 });
 
 // ---------------------------------------------------------------------------

package/src/object-io.test.ts

@@ -215,6 +215,92 @@ describe("PresignObjectIO.putObject", () => {
     ).rejects.toThrow(/presigned PUT failed for k: 403/);
   });
 
+  it("F01: fails closed when a fenced PUT presign omits If-Match", async () => {
+    const previous = process.env.HQ_PRESIGN_FENCE_STRICT;
+    process.env.HQ_PRESIGN_FENCE_STRICT = "true";
+    try {
+      const { vault, setPresign } = makeVault();
+      setPresign([
+        {
+          key: "stale.md",
+          op: "put",
+          url: "https://s3/unfenced-put",
+          headers: { "content-type": "text/markdown" },
+        },
+      ]);
+      fetchMock.mockResolvedValue(
+        new Response(null, { status: 200, headers: { etag: '"v2"' } }),
+      );
+
+      const io = new PresignObjectIO(vault, COMPANY);
+      await expect(
+        io.putObject({
+          key: "stale.md",
+          body: Buffer.from("old bytes"),
+          contentType: "text/markdown",
+          ifMatch: '"v1"',
+        }),
+      ).rejects.toThrow(/if-match|condition|precondition/i);
+      expect(fetchMock).not.toHaveBeenCalled();
+    } finally {
+      if (previous === undefined) {
+        delete process.env.HQ_PRESIGN_FENCE_STRICT;
+      } else {
+        process.env.HQ_PRESIGN_FENCE_STRICT = previous;
+      }
+    }
+  });
+
+  it("F01: does not satisfy a fenced PUT with an unfenced primed URL", async () => {
+    const presignCalls: Array<Parameters<PresignTransportClient["presign"]>[0]> = [];
+    const vault: PresignTransportClient = {
+      presign: async (input) => {
+        presignCalls.push(input);
+        const isFenced = input.keys.some((k) => k.ifNoneMatch === "*");
+        return {
+          results: input.keys.map((k): PresignResultRow => ({
+            key: k.key,
+            op: k.op ?? input.op ?? "put",
+            url: isFenced ? "https://s3/fenced-put" : "https://s3/unfenced-put",
+            headers: isFenced
+              ? { "content-type": "text/plain", "if-none-match": "*" }
+              : { "content-type": "text/plain" },
+            expiresIn: 900,
+          })),
+          expiresAt: "2099-01-01T00:00:00.000Z",
+        };
+      },
+      listFiles: async () => ({ objects: [], cursor: null, truncated: false }),
+    };
+    fetchMock.mockResolvedValue(
+      new Response(null, { status: 200, headers: { etag: '"created"' } }),
+    );
+
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.prime("put", [{ key: "new.md", op: "put", contentType: "text/plain" }]);
+    const afterPrime = presignCalls.length;
+
+    await io.putObject({
+      key: "new.md",
+      body: Buffer.from("new bytes"),
+      contentType: "text/plain",
+      ifNoneMatch: "*",
+    });
+
+    expect(presignCalls).toHaveLength(afterPrime + 1);
+    expect(presignCalls[afterPrime].keys[0]).toMatchObject({
+      key: "new.md",
+      op: "put",
+      ifNoneMatch: "*",
+    });
+    const [url, init] = fetchMock.mock.calls[0];
+    expect(url).toBe("https://s3/fenced-put");
+    expect(init.headers).toEqual({
+      "content-type": "text/plain",
+      "if-none-match": "*",
+    });
+  });
+
   it("forwards the conditional-write fence on the presign request (ifMatch stripped, ifNoneMatch verbatim)", async () => {
     // The server signs If-Match/If-None-Match into the URL (hq-pro follow-up)
     // and echoes the headers for replay; the client's job is to ASK. Servers
@@ -530,6 +616,62 @@ describe("PresignObjectIO.prime — batch URL cache", () => {
     expect(fetchMock.mock.calls[0][0]).toBe("https://signed/get/f0");
   });
 
+  it("F21: consumes primed GET URLs instead of retaining them", async () => {
+    const { vault, calls } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+    await io.prime("get", [{ key: "single" }]);
+    const afterPrime = calls();
+
+    await io.getObject("single");
+    expect(calls()).toBe(afterPrime);
+
+    await io.getObject("single");
+    expect(calls()).toBe(afterPrime + 1);
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+  });
+
+  it("R-F21: reuses a primed GET for later HEAD and clears stale primed PUT on fenced PUT", async () => {
+    fetchMock.mockImplementation(async () => (
+      new Response(Buffer.from("body"), {
+        status: 200,
+        headers: {
+          etag: '"etag-1"',
+          "content-length": "4",
+          "last-modified": "Wed, 01 Jan 2026 00:00:00 GMT",
+        },
+      })
+    ));
+    const { vault, calls } = makeEchoVault();
+    const io = new PresignObjectIO(vault, COMPANY);
+
+    await io.prime("get", [{ key: "doc.md" }]);
+    const afterGetPrime = calls();
+    const got = await io.getObject("doc.md");
+    expect(got.body.toString("utf-8")).toBe("body");
+
+    const head = await io.headObject("doc.md");
+    expect(head?.etag).toBe("etag-1");
+    expect(calls()).toBe(afterGetPrime);
+    expect(fetchMock.mock.calls[0][0]).toBe("https://signed/get/doc.md");
+    expect(fetchMock.mock.calls[1][0]).toBe("https://signed/get/doc.md");
+
+    await io.prime("put", [
+      { key: "stale.md", op: "put", contentType: "text/plain" },
+    ]);
+    expect(io.hasPrimedPut("stale.md")).toBe(true);
+    const afterPutPrime = calls();
+
+    await io.putObject({
+      key: "stale.md",
+      body: Buffer.from("new body"),
+      contentType: "text/plain",
+      ifMatch: "old-etag",
+    });
+
+    expect(calls()).toBe(afterPutPrime + 1);
+    expect(io.hasPrimedPut("stale.md")).toBe(false);
+  });
+
   it("primed GET cache also serves headObject (HEAD reuses GET URLs)", async () => {
     const { vault, calls } = makeEchoVault();
     fetchMock.mockResolvedValue(