@indigoai-us/hq-cloud 6.11.4 → 6.11.6

package/src/types.ts

@@ -155,9 +155,26 @@ export interface EntityContext {
   bucketName: string;
   /** AWS region */
   region: string;
-  /** STS-scoped credentials */
-  credentials: VaultCredentials;
-  /** When the credentials expire (ISO 8601) */
+  /**
+   * STS-scoped credentials.
+   *
+   * Absent for presign-only COMPANY contexts (HQ-59): when a run uses the
+   * presigned-URL transport for company vaults (`companyVaultUsesPresign`),
+   * `resolveEntityContext` skips the `POST /sts/vend` call entirely — the
+   * presign transport authorizes each object server-side and never reads these
+   * creds, and a compliant sync-runner must NOT hit the company vend route
+   * (the route-presence signal the hq-pro min-version gate keys on). The only
+   * reader of these creds is the direct-S3 (`S3SdkObjectIO`) path, which is
+   * used for personal vaults (`prs_*`, still vended) and pre-presign clients —
+   * never for a `cmp_*` context built on the presign path. That path throws
+   * loudly if it ever receives a credential-less context.
+   */
+  credentials?: VaultCredentials;
+  /**
+   * When the credentials expire (ISO 8601). For a presign-only company context
+   * (no STS vend) this is a far-future sentinel so `isExpiringSoon` is always
+   * false and no auto-refresh ever re-vends the skipped company route.
+   */
   expiresAt: string;
 }
 
@@ -209,6 +226,19 @@ export interface VaultServiceConfig {
    * Optional for back-compat, but all first-party clients should pass it.
    */
   clientInfo?: ClientInfo;
+  /**
+   * When true, COMPANY vaults (`cmp_*`) use the presigned-URL transport, so
+   * `resolveEntityContext` SKIPS `POST /sts/vend` for them and returns a
+   * credential-less context with a far-future `expiresAt` (HQ-59). Set by the
+   * sync-runner exactly when it installs the presign transport factory, so the
+   * vend-skip and the transport choice can never diverge. Personal vaults
+   * (`prs_*`) are unaffected — they always vend self via `/sts/vend-self`.
+   *
+   * Leaving this unset (the default) preserves the historical behavior: every
+   * context vends STS creds. Non-runner callers (standalone `hq sync`, hq-cli)
+   * that keep the direct-S3 path for company vaults must NOT set this.
+   */
+  companyVaultUsesPresign?: boolean;
 }
 
 // ── Conflict index (consumed by /resolve-conflicts) ─────────────────────────

package/src/version.ts

@@ -0,0 +1,24 @@
+/**
+ * The hq-cloud package version, read once at module load.
+ *
+ * Mirrors hq-cli's `cli-version.ts` pattern: resolve the version from the
+ * package.json at runtime via `import.meta.url` (rootDir-safe — no JSON import
+ * that would trip `tsc`'s rootDir, and resolves correctly from both `src/`
+ * during tests and `dist/` at runtime). Used to stamp `clientInfo.version` on
+ * the sync-runner's vault requests so the company-vend min-version gate (HQ-59,
+ * hq-pro) can tell a compliant (>= 6.11.6) sync-runner from a pre-6.11.6
+ * straggler. This is the hq-cloud package version — the version the gate
+ * compares against its floor — NOT the hq-sync desktop app version.
+ */
+
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import path from "node:path";
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+// src/version.ts → dist/version.js; one level up from either is the package root.
+const pkg = JSON.parse(
+  readFileSync(path.resolve(here, "..", "package.json"), "utf-8"),
+) as { name: string; version: string };
+
+export const HQ_CLOUD_VERSION: string = pkg.version;