@indigoai-us/hq-cloud 6.11.5 → 6.11.7

package/src/types.ts

@@ -155,9 +155,26 @@ export interface EntityContext {
   bucketName: string;
   /** AWS region */
   region: string;
-  /** STS-scoped credentials */
-  credentials: VaultCredentials;
-  /** When the credentials expire (ISO 8601) */
+  /**
+   * STS-scoped credentials.
+   *
+   * Absent for presign-only COMPANY contexts (HQ-59): when a run uses the
+   * presigned-URL transport for company vaults (`companyVaultUsesPresign`),
+   * `resolveEntityContext` skips the `POST /sts/vend` call entirely — the
+   * presign transport authorizes each object server-side and never reads these
+   * creds, and a compliant sync-runner must NOT hit the company vend route
+   * (the route-presence signal the hq-pro min-version gate keys on). The only
+   * reader of these creds is the direct-S3 (`S3SdkObjectIO`) path, which is
+   * used for personal vaults (`prs_*`, still vended) and pre-presign clients —
+   * never for a `cmp_*` context built on the presign path. That path throws
+   * loudly if it ever receives a credential-less context.
+   */
+  credentials?: VaultCredentials;
+  /**
+   * When the credentials expire (ISO 8601). For a presign-only company context
+   * (no STS vend) this is a far-future sentinel so `isExpiringSoon` is always
+   * false and no auto-refresh ever re-vends the skipped company route.
+   */
   expiresAt: string;
 }
 
@@ -209,6 +226,19 @@ export interface VaultServiceConfig {
    * Optional for back-compat, but all first-party clients should pass it.
    */
   clientInfo?: ClientInfo;
+  /**
+   * When true, COMPANY vaults (`cmp_*`) use the presigned-URL transport, so
+   * `resolveEntityContext` SKIPS `POST /sts/vend` for them and returns a
+   * credential-less context with a far-future `expiresAt` (HQ-59). Set by the
+   * sync-runner exactly when it installs the presign transport factory, so the
+   * vend-skip and the transport choice can never diverge. Personal vaults
+   * (`prs_*`) are unaffected — they always vend self via `/sts/vend-self`.
+   *
+   * Leaving this unset (the default) preserves the historical behavior: every
+   * context vends STS creds. Non-runner callers (standalone `hq sync`, hq-cli)
+   * that keep the direct-S3 path for company vaults must NOT set this.
+   */
+  companyVaultUsesPresign?: boolean;
 }
 
 // ── Conflict index (consumed by /resolve-conflicts) ─────────────────────────

package/src/version.ts

@@ -0,0 +1,24 @@
+/**
+ * The hq-cloud package version, read once at module load.
+ *
+ * Mirrors hq-cli's `cli-version.ts` pattern: resolve the version from the
+ * package.json at runtime via `import.meta.url` (rootDir-safe — no JSON import
+ * that would trip `tsc`'s rootDir, and resolves correctly from both `src/`
+ * during tests and `dist/` at runtime). Used to stamp `clientInfo.version` on
+ * the sync-runner's vault requests so the company-vend min-version gate (HQ-59,
+ * hq-pro) can tell a compliant (>= 6.11.6) sync-runner from a pre-6.11.6
+ * straggler. This is the hq-cloud package version — the version the gate
+ * compares against its floor — NOT the hq-sync desktop app version.
+ */
+
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import path from "node:path";
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+// src/version.ts → dist/version.js; one level up from either is the package root.
+const pkg = JSON.parse(
+  readFileSync(path.resolve(here, "..", "package.json"), "utf-8"),
+) as { name: string; version: string };
+
+export const HQ_CLOUD_VERSION: string = pkg.version;

package/src/watcher.test.ts

@@ -263,6 +263,47 @@ describe("US-002: createWatchPathFilter — personal-vault exclusions", () => {
     expect(personal(path.join(ROOT, "repos/private/foo/file.ts"))).toBe(false);
   });
 
+  // ── DEV-1778 continuity-pointer carve-out ───────────────────────────────
+  it("DOES emit for workspace/threads/handoff.json (the continuity pointer)", () => {
+    expect(personal(path.join(ROOT, "workspace/threads/handoff.json"))).toBe(
+      true,
+    );
+  });
+
+  it("still does NOT emit for other workspace/ files (carve-out is pointer-only)", () => {
+    // The pointer is the ONLY re-include — sibling threads, the journal, and
+    // unrelated workspace litter stay machine-local.
+    expect(personal(path.join(ROOT, "workspace/threads/T-old.json"))).toBe(
+      false,
+    );
+    expect(personal(path.join(ROOT, "workspace/threads/INDEX.md"))).toBe(false);
+    expect(personal(path.join(ROOT, "workspace/locks/x.lock"))).toBe(false);
+    // The pointer queried as a directory is not an emit target either.
+    expect(
+      personal(path.join(ROOT, "workspace/threads/handoff.json"), true),
+    ).toBe(false);
+  });
+
+  it("allows chokidar to DESCEND through the pointer's ancestor dirs (dir probe)", () => {
+    // Without this the Linux chokidar backend prunes `workspace/` before ever
+    // reaching the leaf. Ancestor dirs return true ONLY when queried as dirs.
+    expect(personal(path.join(ROOT, "workspace"), true)).toBe(true);
+    expect(personal(path.join(ROOT, "workspace/threads"), true)).toBe(true);
+    // A non-ancestor dir under workspace/ is still pruned.
+    expect(personal(path.join(ROOT, "workspace/locks"), true)).toBe(false);
+    // Ancestor dirs queried as FILES are not emit targets.
+    expect(personal(path.join(ROOT, "workspace"), false)).toBe(false);
+  });
+
+  it("does not apply the carve-out in non-personal mode", () => {
+    // In non-personal mode the excluded-top-level layer never runs, so the
+    // carve-out is irrelevant; handoff.json passes via the ordinary ignore
+    // stack like any other tracked file (no special-casing needed).
+    expect(
+      nonPersonal(path.join(ROOT, "workspace/threads/handoff.json")),
+    ).toBe(true);
+  });
+
   it("DOES emit for an included top-level personal path in personalMode", () => {
     expect(personal(path.join(ROOT, "personal/notes.md"))).toBe(true);
     expect(personal(path.join(ROOT, "core/policies/x.md"))).toBe(true);

package/src/watcher.ts

@@ -19,7 +19,10 @@ import { readJournal, writeJournal, hashFile, updateEntry } from "./journal.js";
 import { uploadFile, deleteRemoteFile, toPosixKey } from "./s3.js";
 import type { UploadAuthor } from "./s3.js";
 import { isPersonalVaultExcluded } from "./personal-vault-exclusions.js";
-import { PERSONAL_VAULT_EXCLUDED_TOP_LEVEL } from "./personal-vault.js";
+import {
+  CONTINUITY_POINTER_REL,
+  PERSONAL_VAULT_EXCLUDED_TOP_LEVEL,
+} from "./personal-vault.js";
 import type { PushEvent } from "./sync/push-event.js";
 import type { PushTransport } from "./sync/push-transport.js";
 import type { EventDrivenPushFlagProvider } from "./sync/feature-flags.js";
@@ -498,6 +501,26 @@ export function createWatchPathFilter(
     if (!ignoreFilter(absolutePath, isDir)) return false;
 
     if (personalMode) {
+      // Continuity-pointer carve-out: the session pointer lives under the
+      // otherwise-excluded `workspace/`, so it must re-include BEFORE the
+      // top-level bucket rejection below. Two cases:
+      //   (a) the pointer FILE itself → emit. Waking on the pointer is
+      //       sufficient: `/handoff` rewrites handoff.json AFTER its
+      //       (immutable) thread file, and the resulting personal push
+      //       re-enumerates via computePersonalVaultPaths, which sweeps the
+      //       pointer + its active thread file together.
+      //   (b) an ANCESTOR DIR of the pointer (`workspace`, `workspace/threads`)
+      //       queried as a directory → allow descent. The Linux chokidar
+      //       backend prunes a subtree the instant its dir probe says "ignore",
+      //       so without this it would prune `workspace/` before ever reaching
+      //       the leaf (the same ancestor-descent subtlety `.hqinclude` handles
+      //       via its ancestor matcher). The native recursive backend ignores
+      //       descent decisions and re-checks each path at event time, so this
+      //       only matters for chokidar but is harmless everywhere.
+      // See computeContinuityPointerPaths for the matching push-side carve-out.
+      if (rel === CONTINUITY_POINTER_REL && !isDir) return true;
+      if (isDir && CONTINUITY_POINTER_REL.startsWith(rel + "/")) return true;
+
       // Layer 3: excluded top-level buckets (.git/companies/repos/workspace).
       const topLevel = rel.split("/")[0];
       if (excludedTopLevel.has(topLevel)) return false;