@indigoai-us/hq-cloud 6.11.5 → 6.11.7

package/src/bin/sync-runner.ts

@@ -98,8 +98,10 @@ import type { UploadAuthor } from "../s3.js";
 import {
   setObjectIOFactory,
   presignObjectIOFactory,
+  type ObjectIOFactory,
   type PresignTransportClient,
 } from "../object-io.js";
+import { HQ_CLOUD_VERSION } from "../version.js";
 import { collectAndSendTelemetry } from "../telemetry.js";
 import { collectAndSendSkillTelemetry } from "../skill-telemetry.js";
 import { reindexAfterSync } from "../qmd-reindex.js";
@@ -227,34 +229,34 @@ export function resolveSkipPersonal(flag: boolean): boolean {
 }
 
 /**
- * Decide whether this session uses the presigned-URL transport.
+ * Resolve the object-transport factory for this sync session.
  *
- * GA (2026-06-11): the presigned-URL transport is now the DEFAULT for every
- * account — the staged per-domain rollout (getindigo.ai pilot → gmail.com /
- * vyg.ai / amass.com batch 2) is complete. The transport only NARROWS client
- * privilege: the client holds no raw AWS credentials (it just fetches signed
- * URLs) and every upload is validated server-side via the vault API, so it is
- * safe as the universal default.
+ * Company vaults (`cmp_*`) ALWAYS use the presigned-URL transport: the client
+ * holds no raw AWS credentials (it fetches short-lived signed URLs) and every
+ * read/write is authorized server-side per-file, so it never hits the 2048-char
+ * STS session-policy ceiling that produced the HQ-59 lockout. The STS-direct-S3
+ * (`S3SdkObjectIO`) path for company vaults is RETIRED — there is no env
+ * override or rollback lever that can route a company vault back to direct S3.
+ * (The former `HQ_SYNC_PRESIGN_TRANSPORT` kill-switch is gone with this change.)
  *
- * `HQ_SYNC_PRESIGN_TRANSPORT` still overrides in both directions
- * (`1`/`true`/`yes`/`on` → force on, `0`/`false`/`no`/`off` → force off), so
- * an individual account can be rolled back to the STS-direct path WITHOUT a
- * redeploy if a regression surfaces. An unset/blank or unrecognized override
- * falls through to the GA default (on).
+ * Personal vaults (`prs_*`) KEEP the direct-S3/STS path: the membership-gated
+ * `list`/`presign` endpoints 403 for the membership-less vend-self model, and a
+ * single-owner personal vault has no ACL-scale problem. That cmp_/prs_ split
+ * lives inside {@link presignObjectIOFactory}.
  *
- * `email` is retained in the signature for the override contract and so the
- * gate can be re-narrowed to a domain set in future without touching the call
- * site; it is intentionally unused while the transport is GA.
+ * Returns `null` only when the client predates the presign methods (never in a
+ * shipped build); the caller then resets to the SDK default factory.
  */
-export function resolvePresignTransport(
-  email: string | undefined,
-  override: string | undefined,
-): boolean {
-  void email;
-  const o = (override ?? "").trim().toLowerCase();
-  if (o === "1" || o === "true" || o === "yes" || o === "on") return true;
-  if (o === "0" || o === "false" || o === "no" || o === "off") return false;
-  return true;
+export function selectObjectIOFactory(
+  client: Partial<PresignTransportClient>,
+): ObjectIOFactory | null {
+  if (
+    typeof client.presign === "function" &&
+    typeof client.listFiles === "function"
+  ) {
+    return presignObjectIOFactory(client as PresignTransportClient);
+  }
+  return null;
 }
 
 // Personal-vault scope (exclusion list + path computer) lives in
@@ -925,10 +927,18 @@ export async function runRunner(
   }
 
   // ---- vault client -----------------------------------------------------
+  // Stamp clientInfo so every vault request (incl. /sts/vend) carries
+  // x-hq-client-name=hq-sync + x-hq-client-version=<hq-cloud version>. The
+  // company-vend min-version gate (HQ-59, hq-pro) uses this to recognize a
+  // compliant (>= 6.11.6) sync-runner and NOT force-upgrade it — the
+  // belt-and-suspenders companion to skipping the cmp_ vend on the presign
+  // path. Version is the hq-cloud package version (what the gate compares to
+  // its floor), not the desktop app version.
   const vaultConfig: VaultServiceConfig = {
     apiUrl: DEFAULT_VAULT_API_URL,
     authToken: getAccessToken,
     region: DEFAULT_COGNITO.region,
+    clientInfo: { name: "hq-sync", version: HQ_CLOUD_VERSION },
   };
   const client =
     deps.createVaultClient?.(vaultConfig) ?? new VaultClient(vaultConfig);
@@ -949,32 +959,29 @@ export async function runRunner(
       ? { userSub: claims.sub, email: claims.email }
       : undefined;
 
-  // ---- transport selection (presigned-URL vs STS-direct-S3) -------------
-  // The presigned-URL transport (vault `list` + `presign` endpoints) is now
-  // the GA default for every account. The STS-direct-S3 path (STS-vended
-  // credentials + direct S3 SDK) remains the fallback only when an account is
-  // force-disabled via HQ_SYNC_PRESIGN_TRANSPORT or the client build predates
-  // the presign methods. The gate runs ONCE here — every s3.ts call in this
-  // session's fanout resolves through the installed factory.
-  // HQ_SYNC_PRESIGN_TRANSPORT is an explicit override (1/true → force on,
-  // 0/false → force off) for testing or emergency rollback without a redeploy.
-  // Setting the factory unconditionally (even to the default) keeps the choice
+  // ---- transport selection (presigned-URL for cmp_, direct-S3/STS for prs_) -
+  // Company vaults ALWAYS use the presigned-URL transport now (HQ-59): the
+  // STS-direct-S3 path for cmp_ is retired — no env override routes a company
+  // vault back to direct S3. Personal vaults keep direct-S3 inside the factory
+  // (the cmp_/prs_ split lives in presignObjectIOFactory). selectObjectIOFactory
+  // runs ONCE here — every s3.ts call in this session's fanout resolves through
+  // the installed factory. Setting it unconditionally (even to null, which the
+  // default S3 SDK factory backs for a pre-presign client) keeps the choice
   // deterministic if a prior run mutated module state.
   const presignCapable = client as Partial<PresignTransportClient>;
-  if (
-    resolvePresignTransport(
-      claims?.email,
-      process.env.HQ_SYNC_PRESIGN_TRANSPORT,
-    ) &&
-    typeof presignCapable.presign === "function" &&
-    typeof presignCapable.listFiles === "function"
-  ) {
-    setObjectIOFactory(
-      presignObjectIOFactory(presignCapable as PresignTransportClient),
-    );
-  } else {
-    setObjectIOFactory(null);
-  }
+  const objectIOFactory = selectObjectIOFactory(presignCapable);
+  setObjectIOFactory(objectIOFactory);
+  // HQ-59 vend-skip: when company vaults run over the presign transport (the
+  // shipped case — selectObjectIOFactory only returns null for a pre-presign
+  // client), tell resolveEntityContext to SKIP `POST /sts/vend` for cmp_
+  // contexts. Two reasons, both load-bearing: (1) the presign transport never
+  // reads STS creds, so the vend is dead weight; (2) a compliant sync-runner
+  // must not call the company vend route at all — its presence is the
+  // pre-6.11.6 signal the hq-pro min-version gate denies on. Gated on the SAME
+  // value that picks the transport, so the vend-skip and the transport can
+  // never diverge. If the factory is null (S3 SDK fallback), cmp_ keeps vending
+  // because S3SdkObjectIO needs the creds. Personal vaults always vend self.
+  vaultConfig.companyVaultUsesPresign = objectIOFactory !== null;
 
   // ---- resolve targets --------------------------------------------------
   let memberships: Pick<Membership, "companyUid">[];
@@ -1235,6 +1242,7 @@ export async function runRunner(
         filesTombstoned: 0,
         filesRefusedStale: 0,
         filesRefusedStalePaths: [],
+        filesSuppressedByTombstone: 0,
         filesExcludedByPolicy: 0,
         filesExcludedByScope: 0,
         conflictPaths: [],

package/src/cli/share.test.ts

@@ -336,6 +336,175 @@ describe("share", () => {
     expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "changed.md", undefined, expect.anything());
   });
 
+  // ── Push-side FILE_TOMBSTONE consult (delete-resync, 3B) ────────────────────
+  // An authoritative delete (`hq files delete`) writes a FILE_TOMBSTONE and
+  // removes the S3 object. Without a push-side consult, a behind peer that still
+  // holds the deleted file RE-UPLOADS it on a skipUnchanged=false push (e.g.
+  // `hq cloud share <path>`); the re-upload post-dates the tombstone, so the
+  // pull planner's timestamp-only re-create heuristic treats it as a genuine
+  // re-create and resurrects the key for everyone. These tests pin the fix: a
+  // stale-baseline copy is suppressed, while genuine content (locally-changed or
+  // no-journal) still uploads. Differential proof: reverting the consult in
+  // share.ts makes the first test fail (uploadFile IS called → resurrection).
+  describe("push-side tombstone consult", () => {
+    function seedJournal(key: string, hash: string, size: number) {
+      fs.writeFileSync(
+        path.join(stateDir, "sync-journal.acme.json"),
+        JSON.stringify({
+          version: "1",
+          lastSync: new Date().toISOString(),
+          files: {
+            [key]: {
+              hash,
+              size,
+              syncedAt: new Date().toISOString(),
+              direction: "down",
+            },
+          },
+        }),
+      );
+    }
+
+    it("suppresses re-upload of a stale-baseline copy of a tombstoned key", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "shared content");
+      const { hashFile } = await import("../journal.js");
+      // Journal hash === current file hash → this machine holds the exact
+      // deleted baseline (a behind peer that never pulled the delete).
+      seedJournal("docs/shared.md", hashFile(f), 14);
+
+      const events: Array<{ type: string; path?: string }> = [];
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        // skipUnchanged omitted (=false): models `hq cloud share <path>`, the
+        // path where a behind peer would otherwise re-upload the stale copy.
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+        onEvent: (e) => events.push(e as { type: string; path?: string }),
+      });
+
+      // The resurrection is blocked at the source: no upload for the tombstoned key.
+      expect(uploadFile).not.toHaveBeenCalled();
+      expect(result.filesUploaded).toBe(0);
+      expect(result.filesSuppressedByTombstone).toBe(1);
+      expect(
+        events.some(
+          (e) => e.type === "upload-suppressed-tombstone" && e.path === "docs/shared.md",
+        ),
+      ).toBe(true);
+    });
+
+    it("still uploads a LOCALLY-CHANGED file even when tombstoned (genuine edit/re-create)", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "edited-since-delete");
+      // Journal hash is stale (the file was edited after the delete) → genuine
+      // new content, must NOT be suppressed.
+      seedJournal("docs/shared.md", "stale-baseline-hash", 14);
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+      });
+
+      expect(result.filesSuppressedByTombstone).toBe(0);
+      expect(result.filesUploaded).toBe(1);
+      expect(uploadFile).toHaveBeenCalledWith(
+        expect.anything(),
+        f,
+        "docs/shared.md",
+        undefined,
+        expect.anything(),
+      );
+    });
+
+    it("still uploads a tombstoned key with NO journal entry (genuine re-create)", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "freshly created");
+      // No journal entry seeded → indistinguishable from genuine new content;
+      // fail-open and upload (mirrors the pull side's `!journalEntry` branch).
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+      });
+
+      expect(result.filesSuppressedByTombstone).toBe(0);
+      expect(result.filesUploaded).toBe(1);
+    });
+
+    it("auto-fetches tombstones via vaultConfig (no injection) and suppresses", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "shared content");
+      const { hashFile } = await import("../journal.js");
+      seedJournal("docs/shared.md", hashFile(f), 14);
+
+      // Re-stub fetch to also answer GET /v1/files/tombstones, proving share()
+      // fetches and consults tombstones on its own (the production wiring) when
+      // no map is injected.
+      const fetchMock = vi.fn().mockImplementation(async (url: string) => {
+        const u = String(url);
+        if (u.includes("/entity/check-slug/me")) {
+          return {
+            ok: true,
+            status: 200,
+            json: async () => ({ available: false, conflictingCompanyUid: mockEntity.uid }),
+            text: async () => "",
+          };
+        }
+        if (u.includes("/entity/by-slug/") || /\/entity\/cmp_/.test(u)) {
+          return { ok: true, status: 200, json: async () => ({ entity: mockEntity }), text: async () => "" };
+        }
+        if (u.includes("/sts/vend")) {
+          return { ok: true, status: 200, json: async () => mockVendResponse, text: async () => "" };
+        }
+        if (u.includes("/v1/files/tombstones")) {
+          return {
+            ok: true,
+            status: 200,
+            json: async () => ({
+              tombstones: [{ key: "docs/shared.md", deletedAt: new Date().toISOString() }],
+            }),
+            text: async () => "",
+          };
+        }
+        return { ok: false, status: 404, text: async () => "Not found" };
+      });
+      vi.stubGlobal("fetch", fetchMock);
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+      });
+
+      expect(uploadFile).not.toHaveBeenCalled();
+      expect(result.filesSuppressedByTombstone).toBe(1);
+    });
+  });
+
   it("populates conflictPaths and emits a conflict event when both local and remote drifted from journal", async () => {
     const companyRoot = path.join(tmpDir, "companies", "acme");
     fs.mkdirSync(companyRoot, { recursive: true });

package/src/cli/share.ts

@@ -42,6 +42,10 @@ import {
 import { resolveConflict } from "./conflict.js";
 import type { ConflictStrategy } from "./conflict.js";
 import type { SyncProgressEvent } from "./sync.js";
+import {
+  fetchCompanyTombstones,
+  type CompanyTombstone,
+} from "./tombstones.js";
 import { isCoveredByAny, isDirInScope } from "../prefix-coalesce.js";
 import {
   buildConflictId,
@@ -634,6 +638,19 @@ export interface ShareOptions {
    * path is out of scope (mirrors the pull side's `isCoveredByAny([])`).
    */
   prefixSet?: string[];
+  /**
+   * Pre-fetched FILE_TOMBSTONE map (POSIX key → tombstone) for the push-side
+   * delete-resync consult. When omitted, share() fetches it itself via
+   * `fetchCompanyTombstones` for COMPANY vaults that have a `vaultConfig`
+   * (personal vaults and pre-vended `entityContext`-only callers without a
+   * `vaultConfig` degrade to no-suppression — the safe, legacy direction).
+   *
+   * Injection is an optimization + test seam: a sync run that already fetched
+   * tombstones for the pull leg can hand the same map to the push leg to avoid a
+   * second round-trip, and tests can supply a controlled map without stubbing
+   * the network. See the consult in the Stage-2 classification pass.
+   */
+  fileTombstones?: Map<string, CompanyTombstone>;
 }
 
 export interface ShareResult {
@@ -678,6 +695,15 @@ export interface ShareResult {
    * once the runner has folded them into the totals.
    */
   filesRefusedStalePaths: string[];
+  /**
+   * Number of uploads suppressed by the push-side FILE_TOMBSTONE consult — keys
+   * an authoritative delete (`hq files delete`) tombstoned that this machine
+   * still held as the unchanged synced baseline. Skipping the upload is what
+   * stops a behind peer from resurrecting an authoritatively-deleted key. Always
+   * 0 when there are no tombstones for in-scope keys (the common case) or when
+   * the run can't load tombstones (personal vault / no `vaultConfig`).
+   */
+  filesSuppressedByTombstone: number;
   /**
    * Number of paths blocked by `PERSONAL_VAULT_DEFAULT_EXCLUSIONS` during this
    * run (push leg, personalMode=true). Includes both files that would have
@@ -919,6 +945,10 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
   // propagateDeletes=false path.
   let filesTombstoned = 0;
   let filesRefusedStale = 0;
+  // Count of uploads suppressed by the push-side FILE_TOMBSTONE consult (a
+  // behind peer's stale copy of an authoritatively-deleted key). Always 0 when
+  // there are no tombstones for in-scope keys.
+  let filesSuppressedByTombstone = 0;
   // Capped at 50 to bound event payload size — `newFiles` uses the same cap.
   const REFUSED_STALE_PATH_CAP = 50;
   const filesRefusedStalePaths: string[] = [];
@@ -1058,6 +1088,29 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
     return Number.isFinite(parsed) && parsed > 0 ? parsed : 16;
   })();
 
+  // Push-side FILE_TOMBSTONE consult (delete-resync) — symmetric to the pull
+  // planner's suppression in sync.ts. An authoritative delete
+  // (`hq files delete <prefix>`) writes a FILE_TOMBSTONE and removes the S3
+  // object; the pull side already honors it. But the PUSH side did not: a behind
+  // peer who still holds the deleted file locally would re-upload it here, and
+  // because the re-uploaded object post-dates the tombstone, the pull planner's
+  // timestamp-only re-create heuristic (`isRemoteRecreateAfterTombstone`) treats
+  // it as a genuine re-create and resurrects the key for EVERYONE — defeating the
+  // authoritative delete. Consult the tombstones so a stale-baseline upload is
+  // skipped at the source.
+  //
+  // Source: an injected `fileTombstones` (a sync run can hand the push leg the
+  // map it already fetched for the pull leg), else a self-fetch for COMPANY
+  // vaults that have a `vaultConfig`. Personal vaults have no company tombstones
+  // (the pull side skips them too), and `entityContext`-only callers have no
+  // auth to fetch with — both degrade to an empty map (no suppression), the
+  // safe/legacy direction.
+  const fileTombstones: Map<string, CompanyTombstone> =
+    options.fileTombstones ??
+    (!ctx.uid.startsWith("prs_") && vaultConfig
+      ? await fetchCompanyTombstones(vaultConfig, ctx.uid)
+      : new Map<string, CompanyTombstone>());
+
   // Phase A: serial classification pass — handle skips inline, collect
   // upload candidates for the parallel pool.
   const uploadItems: Array<typeof plan.items[number] & { action: "upload" }> = [];
@@ -1071,6 +1124,30 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       filesSkipped++;
       continue;
     }
+    // Suppress the re-upload of an authoritatively-deleted key when the local
+    // copy is still the deleted baseline. Discrimination mirrors the pull side's
+    // `localChanged || !journalEntry` test: a journal entry whose hash matches
+    // the upload's localHash means the file is byte-identical to what was last
+    // synced — i.e. the deleted version a behind peer never pulled away — so
+    // SKIP it. A locally-changed file (hash differs) or one with no journal
+    // entry is genuine new content (a real re-create or a post-delete edit) and
+    // uploads normally. The deleter's own stale local copy is removed by the
+    // pull leg's `tombstone-delete`; this guard only stops the resurrection.
+    if (item.action === "upload" && fileTombstones.size > 0) {
+      const ts = fileTombstones.get(toPosixKey(item.relativePath));
+      if (ts !== undefined) {
+        const entry = journal.files[item.relativePath];
+        if (entry && entry.hash === item.localHash) {
+          filesSuppressedByTombstone++;
+          emit({
+            type: "upload-suppressed-tombstone",
+            path: item.relativePath,
+            deletedAt: ts.deletedAt,
+          });
+          continue;
+        }
+      }
+    }
     if (item.action === "skip-unchanged") {
       // Refresh the journal's (mtimeMs, size) for a touched-but-identical file
       // so the next sync's lstat fast-path matches and skips without re-hashing.
@@ -1546,6 +1623,9 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       // defaulting fallback. Empty on the abort path because the
       // delete-plan execution loop is short-circuited.
       filesRefusedStalePaths,
+      // Tombstone-suppressed uploads are classified in Phase A, which runs
+      // before the upload pool can abort, so the count is meaningful here.
+      filesSuppressedByTombstone,
       // Exclusions are computed during the upload walk which has
       // already completed by the time we hit a per-file conflict-
       // abort, so the count is meaningful here. No event emit on
@@ -1717,6 +1797,7 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
     filesTombstoned,
     filesRefusedStale,
     filesRefusedStalePaths,
+    filesSuppressedByTombstone,
     filesExcludedByPolicy: excludedSet.size,
     filesExcludedByScope: scopeExcludedSet.size,
     conflictPaths,

package/src/cli/sync.ts

@@ -54,6 +54,10 @@ import {
 } from "../lib/conflict-file.js";
 import { appendConflictEntry } from "../lib/conflict-index.js";
 import { reindex } from "./reindex.js";
+import {
+  fetchCompanyTombstones,
+  type CompanyTombstone,
+} from "./tombstones.js";
 
 /**
  * Per-file events emitted by `sync()` as it progresses.
@@ -265,6 +269,23 @@ export type SyncProgressEvent =
       type: "scope-excluded";
       count: number;
       samplePaths: string[];
+    }
+  | {
+      /**
+       * Emitted by the PUSH leg (`share()`) once per key whose upload was
+       * suppressed because an authoritative FILE_TOMBSTONE marks it deleted and
+       * the local copy is still the deleted baseline (journal hash unchanged).
+       * Without this, a behind peer that still holds the file would re-upload it,
+       * and the pull planner's timestamp-only re-create heuristic
+       * (`isRemoteRecreateAfterTombstone`) would treat the re-upload as a genuine
+       * re-create and resurrect the key for everyone. The deleter's own stale
+       * local copy is cleaned by the pull leg's `tombstone-delete`; this event
+       * records that the push refused to resurrect it. `deletedAt` is the
+       * tombstone's delete time.
+       */
+      type: "upload-suppressed-tombstone";
+      path: string;
+      deletedAt: string;
     };
 
 export interface SyncOptions {
@@ -539,94 +560,6 @@ async function reportNewFilesToNotify(
   }
 }
 
-/** Timeout for the best-effort FILE_TOMBSTONE fetch (GET /v1/files/tombstones). */
-const FETCH_TOMBSTONES_TIMEOUT_MS = 5000;
-
-/**
- * A FILE_TOMBSTONE as the pull planner needs it: the deleted key + when it was
- * deleted. The `deletedAt` timestamp is the decisive precedence signal — a
- * remote object newer than it is a genuine re-create (sync it), an object at or
- * older than it is a stale resurrection of a deleted key (suppress it).
- */
-interface CompanyTombstone {
-  deletedAt: string;
-}
-
-/**
- * Fetch the company's FILE_TOMBSTONE rows from hq-pro (GET /v1/files/tombstones)
- * and return them as a POSIX-keyed map the pull planner consults to avoid
- * resurrecting an intentionally-deleted object (delete-resync). The endpoint is
- * ACL-filtered server-side, so the map only ever contains keys this caller can
- * read — exactly the keys that can appear in the (STS-scoped) remote LIST.
- *
- * Best-effort and bounded by a 5s timeout: a tombstone read that fails, times
- * out, or returns non-2xx degrades to an EMPTY map — i.e. to the pre-fix
- * behavior (no suppression). That is the safe failure direction: a missed
- * tombstone re-pulls a deleted file (a known, recoverable annoyance), whereas a
- * spurious tombstone would HIDE a file the user wants. The failure is logged
- * (never silently swallowed) so a persistently-degraded read is visible.
- */
-async function fetchCompanyTombstones(
-  vaultConfig: VaultServiceConfig,
-  companyUid: string,
-): Promise<Map<string, CompanyTombstone>> {
-  const out = new Map<string, CompanyTombstone>();
-  try {
-    const token =
-      typeof vaultConfig.authToken === "function"
-        ? await vaultConfig.authToken()
-        : vaultConfig.authToken;
-    const base = vaultConfig.apiUrl.replace(/\/+$/, "");
-    const url = `${base}/v1/files/tombstones?company=${encodeURIComponent(
-      companyUid,
-    )}`;
-    const controller = new AbortController();
-    const timer = setTimeout(
-      () => controller.abort(),
-      FETCH_TOMBSTONES_TIMEOUT_MS,
-    );
-    try {
-      const res = await fetch(url, {
-        method: "GET",
-        headers: { Authorization: `Bearer ${token}` },
-        signal: controller.signal,
-      });
-      if (!res.ok) {
-        // Non-2xx is non-fatal: log and degrade to no-suppression. A 404 means
-        // the endpoint is not deployed yet (hq-pro release lag) — the pull
-        // proceeds with the legacy behavior until it lands.
-        console.error(
-          `[hq-sync] tombstone fetch returned ${res.status} (degrading to no-suppression)`,
-        );
-        return out;
-      }
-      const body = (await res.json()) as {
-        tombstones?: Array<{ key?: string; deletedAt?: string }>;
-      };
-      for (const t of body.tombstones ?? []) {
-        if (typeof t.key === "string" && typeof t.deletedAt === "string") {
-          out.set(toPosixKey(t.key), { deletedAt: t.deletedAt });
-        }
-      }
-    } finally {
-      clearTimeout(timer);
-    }
-  } catch (err) {
-    // Best-effort: a failed tombstone read must never break the pull. Log
-    // (policy: never silently swallow) and degrade to no-suppression.
-    try {
-      console.error(
-        `[hq-sync] tombstone fetch failed (non-fatal, degrading to no-suppression): ${
-          err instanceof Error ? err.message : String(err)
-        }`,
-      );
-    } catch {
-      // swallow — logging must never break sync
-    }
-  }
-  return out;
-}
-
 /**
  * Sync (pull) all allowed files from the entity vault.
  */