@indigoai-us/hq-cloud 6.11.6 → 6.11.7

package/src/bin/sync-runner.ts

@@ -1242,6 +1242,7 @@ export async function runRunner(
         filesTombstoned: 0,
         filesRefusedStale: 0,
         filesRefusedStalePaths: [],
+        filesSuppressedByTombstone: 0,
         filesExcludedByPolicy: 0,
         filesExcludedByScope: 0,
         conflictPaths: [],

package/src/cli/share.test.ts

@@ -336,6 +336,175 @@ describe("share", () => {
     expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "changed.md", undefined, expect.anything());
   });
 
+  // ── Push-side FILE_TOMBSTONE consult (delete-resync, 3B) ────────────────────
+  // An authoritative delete (`hq files delete`) writes a FILE_TOMBSTONE and
+  // removes the S3 object. Without a push-side consult, a behind peer that still
+  // holds the deleted file RE-UPLOADS it on a skipUnchanged=false push (e.g.
+  // `hq cloud share <path>`); the re-upload post-dates the tombstone, so the
+  // pull planner's timestamp-only re-create heuristic treats it as a genuine
+  // re-create and resurrects the key for everyone. These tests pin the fix: a
+  // stale-baseline copy is suppressed, while genuine content (locally-changed or
+  // no-journal) still uploads. Differential proof: reverting the consult in
+  // share.ts makes the first test fail (uploadFile IS called → resurrection).
+  describe("push-side tombstone consult", () => {
+    function seedJournal(key: string, hash: string, size: number) {
+      fs.writeFileSync(
+        path.join(stateDir, "sync-journal.acme.json"),
+        JSON.stringify({
+          version: "1",
+          lastSync: new Date().toISOString(),
+          files: {
+            [key]: {
+              hash,
+              size,
+              syncedAt: new Date().toISOString(),
+              direction: "down",
+            },
+          },
+        }),
+      );
+    }
+
+    it("suppresses re-upload of a stale-baseline copy of a tombstoned key", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "shared content");
+      const { hashFile } = await import("../journal.js");
+      // Journal hash === current file hash → this machine holds the exact
+      // deleted baseline (a behind peer that never pulled the delete).
+      seedJournal("docs/shared.md", hashFile(f), 14);
+
+      const events: Array<{ type: string; path?: string }> = [];
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        // skipUnchanged omitted (=false): models `hq cloud share <path>`, the
+        // path where a behind peer would otherwise re-upload the stale copy.
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+        onEvent: (e) => events.push(e as { type: string; path?: string }),
+      });
+
+      // The resurrection is blocked at the source: no upload for the tombstoned key.
+      expect(uploadFile).not.toHaveBeenCalled();
+      expect(result.filesUploaded).toBe(0);
+      expect(result.filesSuppressedByTombstone).toBe(1);
+      expect(
+        events.some(
+          (e) => e.type === "upload-suppressed-tombstone" && e.path === "docs/shared.md",
+        ),
+      ).toBe(true);
+    });
+
+    it("still uploads a LOCALLY-CHANGED file even when tombstoned (genuine edit/re-create)", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "edited-since-delete");
+      // Journal hash is stale (the file was edited after the delete) → genuine
+      // new content, must NOT be suppressed.
+      seedJournal("docs/shared.md", "stale-baseline-hash", 14);
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+      });
+
+      expect(result.filesSuppressedByTombstone).toBe(0);
+      expect(result.filesUploaded).toBe(1);
+      expect(uploadFile).toHaveBeenCalledWith(
+        expect.anything(),
+        f,
+        "docs/shared.md",
+        undefined,
+        expect.anything(),
+      );
+    });
+
+    it("still uploads a tombstoned key with NO journal entry (genuine re-create)", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "freshly created");
+      // No journal entry seeded → indistinguishable from genuine new content;
+      // fail-open and upload (mirrors the pull side's `!journalEntry` branch).
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+      });
+
+      expect(result.filesSuppressedByTombstone).toBe(0);
+      expect(result.filesUploaded).toBe(1);
+    });
+
+    it("auto-fetches tombstones via vaultConfig (no injection) and suppresses", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "shared content");
+      const { hashFile } = await import("../journal.js");
+      seedJournal("docs/shared.md", hashFile(f), 14);
+
+      // Re-stub fetch to also answer GET /v1/files/tombstones, proving share()
+      // fetches and consults tombstones on its own (the production wiring) when
+      // no map is injected.
+      const fetchMock = vi.fn().mockImplementation(async (url: string) => {
+        const u = String(url);
+        if (u.includes("/entity/check-slug/me")) {
+          return {
+            ok: true,
+            status: 200,
+            json: async () => ({ available: false, conflictingCompanyUid: mockEntity.uid }),
+            text: async () => "",
+          };
+        }
+        if (u.includes("/entity/by-slug/") || /\/entity\/cmp_/.test(u)) {
+          return { ok: true, status: 200, json: async () => ({ entity: mockEntity }), text: async () => "" };
+        }
+        if (u.includes("/sts/vend")) {
+          return { ok: true, status: 200, json: async () => mockVendResponse, text: async () => "" };
+        }
+        if (u.includes("/v1/files/tombstones")) {
+          return {
+            ok: true,
+            status: 200,
+            json: async () => ({
+              tombstones: [{ key: "docs/shared.md", deletedAt: new Date().toISOString() }],
+            }),
+            text: async () => "",
+          };
+        }
+        return { ok: false, status: 404, text: async () => "Not found" };
+      });
+      vi.stubGlobal("fetch", fetchMock);
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+      });
+
+      expect(uploadFile).not.toHaveBeenCalled();
+      expect(result.filesSuppressedByTombstone).toBe(1);
+    });
+  });
+
   it("populates conflictPaths and emits a conflict event when both local and remote drifted from journal", async () => {
     const companyRoot = path.join(tmpDir, "companies", "acme");
     fs.mkdirSync(companyRoot, { recursive: true });

package/src/cli/share.ts

@@ -42,6 +42,10 @@ import {
 import { resolveConflict } from "./conflict.js";
 import type { ConflictStrategy } from "./conflict.js";
 import type { SyncProgressEvent } from "./sync.js";
+import {
+  fetchCompanyTombstones,
+  type CompanyTombstone,
+} from "./tombstones.js";
 import { isCoveredByAny, isDirInScope } from "../prefix-coalesce.js";
 import {
   buildConflictId,
@@ -634,6 +638,19 @@ export interface ShareOptions {
    * path is out of scope (mirrors the pull side's `isCoveredByAny([])`).
    */
   prefixSet?: string[];
+  /**
+   * Pre-fetched FILE_TOMBSTONE map (POSIX key → tombstone) for the push-side
+   * delete-resync consult. When omitted, share() fetches it itself via
+   * `fetchCompanyTombstones` for COMPANY vaults that have a `vaultConfig`
+   * (personal vaults and pre-vended `entityContext`-only callers without a
+   * `vaultConfig` degrade to no-suppression — the safe, legacy direction).
+   *
+   * Injection is an optimization + test seam: a sync run that already fetched
+   * tombstones for the pull leg can hand the same map to the push leg to avoid a
+   * second round-trip, and tests can supply a controlled map without stubbing
+   * the network. See the consult in the Stage-2 classification pass.
+   */
+  fileTombstones?: Map<string, CompanyTombstone>;
 }
 
 export interface ShareResult {
@@ -678,6 +695,15 @@ export interface ShareResult {
    * once the runner has folded them into the totals.
    */
   filesRefusedStalePaths: string[];
+  /**
+   * Number of uploads suppressed by the push-side FILE_TOMBSTONE consult — keys
+   * an authoritative delete (`hq files delete`) tombstoned that this machine
+   * still held as the unchanged synced baseline. Skipping the upload is what
+   * stops a behind peer from resurrecting an authoritatively-deleted key. Always
+   * 0 when there are no tombstones for in-scope keys (the common case) or when
+   * the run can't load tombstones (personal vault / no `vaultConfig`).
+   */
+  filesSuppressedByTombstone: number;
   /**
    * Number of paths blocked by `PERSONAL_VAULT_DEFAULT_EXCLUSIONS` during this
    * run (push leg, personalMode=true). Includes both files that would have
@@ -919,6 +945,10 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
   // propagateDeletes=false path.
   let filesTombstoned = 0;
   let filesRefusedStale = 0;
+  // Count of uploads suppressed by the push-side FILE_TOMBSTONE consult (a
+  // behind peer's stale copy of an authoritatively-deleted key). Always 0 when
+  // there are no tombstones for in-scope keys.
+  let filesSuppressedByTombstone = 0;
   // Capped at 50 to bound event payload size — `newFiles` uses the same cap.
   const REFUSED_STALE_PATH_CAP = 50;
   const filesRefusedStalePaths: string[] = [];
@@ -1058,6 +1088,29 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
     return Number.isFinite(parsed) && parsed > 0 ? parsed : 16;
   })();
 
+  // Push-side FILE_TOMBSTONE consult (delete-resync) — symmetric to the pull
+  // planner's suppression in sync.ts. An authoritative delete
+  // (`hq files delete <prefix>`) writes a FILE_TOMBSTONE and removes the S3
+  // object; the pull side already honors it. But the PUSH side did not: a behind
+  // peer who still holds the deleted file locally would re-upload it here, and
+  // because the re-uploaded object post-dates the tombstone, the pull planner's
+  // timestamp-only re-create heuristic (`isRemoteRecreateAfterTombstone`) treats
+  // it as a genuine re-create and resurrects the key for EVERYONE — defeating the
+  // authoritative delete. Consult the tombstones so a stale-baseline upload is
+  // skipped at the source.
+  //
+  // Source: an injected `fileTombstones` (a sync run can hand the push leg the
+  // map it already fetched for the pull leg), else a self-fetch for COMPANY
+  // vaults that have a `vaultConfig`. Personal vaults have no company tombstones
+  // (the pull side skips them too), and `entityContext`-only callers have no
+  // auth to fetch with — both degrade to an empty map (no suppression), the
+  // safe/legacy direction.
+  const fileTombstones: Map<string, CompanyTombstone> =
+    options.fileTombstones ??
+    (!ctx.uid.startsWith("prs_") && vaultConfig
+      ? await fetchCompanyTombstones(vaultConfig, ctx.uid)
+      : new Map<string, CompanyTombstone>());
+
   // Phase A: serial classification pass — handle skips inline, collect
   // upload candidates for the parallel pool.
   const uploadItems: Array<typeof plan.items[number] & { action: "upload" }> = [];
@@ -1071,6 +1124,30 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       filesSkipped++;
       continue;
     }
+    // Suppress the re-upload of an authoritatively-deleted key when the local
+    // copy is still the deleted baseline. Discrimination mirrors the pull side's
+    // `localChanged || !journalEntry` test: a journal entry whose hash matches
+    // the upload's localHash means the file is byte-identical to what was last
+    // synced — i.e. the deleted version a behind peer never pulled away — so
+    // SKIP it. A locally-changed file (hash differs) or one with no journal
+    // entry is genuine new content (a real re-create or a post-delete edit) and
+    // uploads normally. The deleter's own stale local copy is removed by the
+    // pull leg's `tombstone-delete`; this guard only stops the resurrection.
+    if (item.action === "upload" && fileTombstones.size > 0) {
+      const ts = fileTombstones.get(toPosixKey(item.relativePath));
+      if (ts !== undefined) {
+        const entry = journal.files[item.relativePath];
+        if (entry && entry.hash === item.localHash) {
+          filesSuppressedByTombstone++;
+          emit({
+            type: "upload-suppressed-tombstone",
+            path: item.relativePath,
+            deletedAt: ts.deletedAt,
+          });
+          continue;
+        }
+      }
+    }
     if (item.action === "skip-unchanged") {
       // Refresh the journal's (mtimeMs, size) for a touched-but-identical file
       // so the next sync's lstat fast-path matches and skips without re-hashing.
@@ -1546,6 +1623,9 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       // defaulting fallback. Empty on the abort path because the
       // delete-plan execution loop is short-circuited.
       filesRefusedStalePaths,
+      // Tombstone-suppressed uploads are classified in Phase A, which runs
+      // before the upload pool can abort, so the count is meaningful here.
+      filesSuppressedByTombstone,
       // Exclusions are computed during the upload walk which has
       // already completed by the time we hit a per-file conflict-
       // abort, so the count is meaningful here. No event emit on
@@ -1717,6 +1797,7 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
     filesTombstoned,
     filesRefusedStale,
     filesRefusedStalePaths,
+    filesSuppressedByTombstone,
     filesExcludedByPolicy: excludedSet.size,
     filesExcludedByScope: scopeExcludedSet.size,
     conflictPaths,

package/src/cli/sync.ts

@@ -54,6 +54,10 @@ import {
 } from "../lib/conflict-file.js";
 import { appendConflictEntry } from "../lib/conflict-index.js";
 import { reindex } from "./reindex.js";
+import {
+  fetchCompanyTombstones,
+  type CompanyTombstone,
+} from "./tombstones.js";
 
 /**
  * Per-file events emitted by `sync()` as it progresses.
@@ -265,6 +269,23 @@ export type SyncProgressEvent =
       type: "scope-excluded";
       count: number;
       samplePaths: string[];
+    }
+  | {
+      /**
+       * Emitted by the PUSH leg (`share()`) once per key whose upload was
+       * suppressed because an authoritative FILE_TOMBSTONE marks it deleted and
+       * the local copy is still the deleted baseline (journal hash unchanged).
+       * Without this, a behind peer that still holds the file would re-upload it,
+       * and the pull planner's timestamp-only re-create heuristic
+       * (`isRemoteRecreateAfterTombstone`) would treat the re-upload as a genuine
+       * re-create and resurrect the key for everyone. The deleter's own stale
+       * local copy is cleaned by the pull leg's `tombstone-delete`; this event
+       * records that the push refused to resurrect it. `deletedAt` is the
+       * tombstone's delete time.
+       */
+      type: "upload-suppressed-tombstone";
+      path: string;
+      deletedAt: string;
     };
 
 export interface SyncOptions {
@@ -539,94 +560,6 @@ async function reportNewFilesToNotify(
   }
 }
 
-/** Timeout for the best-effort FILE_TOMBSTONE fetch (GET /v1/files/tombstones). */
-const FETCH_TOMBSTONES_TIMEOUT_MS = 5000;
-
-/**
- * A FILE_TOMBSTONE as the pull planner needs it: the deleted key + when it was
- * deleted. The `deletedAt` timestamp is the decisive precedence signal — a
- * remote object newer than it is a genuine re-create (sync it), an object at or
- * older than it is a stale resurrection of a deleted key (suppress it).
- */
-interface CompanyTombstone {
-  deletedAt: string;
-}
-
-/**
- * Fetch the company's FILE_TOMBSTONE rows from hq-pro (GET /v1/files/tombstones)
- * and return them as a POSIX-keyed map the pull planner consults to avoid
- * resurrecting an intentionally-deleted object (delete-resync). The endpoint is
- * ACL-filtered server-side, so the map only ever contains keys this caller can
- * read — exactly the keys that can appear in the (STS-scoped) remote LIST.
- *
- * Best-effort and bounded by a 5s timeout: a tombstone read that fails, times
- * out, or returns non-2xx degrades to an EMPTY map — i.e. to the pre-fix
- * behavior (no suppression). That is the safe failure direction: a missed
- * tombstone re-pulls a deleted file (a known, recoverable annoyance), whereas a
- * spurious tombstone would HIDE a file the user wants. The failure is logged
- * (never silently swallowed) so a persistently-degraded read is visible.
- */
-async function fetchCompanyTombstones(
-  vaultConfig: VaultServiceConfig,
-  companyUid: string,
-): Promise<Map<string, CompanyTombstone>> {
-  const out = new Map<string, CompanyTombstone>();
-  try {
-    const token =
-      typeof vaultConfig.authToken === "function"
-        ? await vaultConfig.authToken()
-        : vaultConfig.authToken;
-    const base = vaultConfig.apiUrl.replace(/\/+$/, "");
-    const url = `${base}/v1/files/tombstones?company=${encodeURIComponent(
-      companyUid,
-    )}`;
-    const controller = new AbortController();
-    const timer = setTimeout(
-      () => controller.abort(),
-      FETCH_TOMBSTONES_TIMEOUT_MS,
-    );
-    try {
-      const res = await fetch(url, {
-        method: "GET",
-        headers: { Authorization: `Bearer ${token}` },
-        signal: controller.signal,
-      });
-      if (!res.ok) {
-        // Non-2xx is non-fatal: log and degrade to no-suppression. A 404 means
-        // the endpoint is not deployed yet (hq-pro release lag) — the pull
-        // proceeds with the legacy behavior until it lands.
-        console.error(
-          `[hq-sync] tombstone fetch returned ${res.status} (degrading to no-suppression)`,
-        );
-        return out;
-      }
-      const body = (await res.json()) as {
-        tombstones?: Array<{ key?: string; deletedAt?: string }>;
-      };
-      for (const t of body.tombstones ?? []) {
-        if (typeof t.key === "string" && typeof t.deletedAt === "string") {
-          out.set(toPosixKey(t.key), { deletedAt: t.deletedAt });
-        }
-      }
-    } finally {
-      clearTimeout(timer);
-    }
-  } catch (err) {
-    // Best-effort: a failed tombstone read must never break the pull. Log
-    // (policy: never silently swallow) and degrade to no-suppression.
-    try {
-      console.error(
-        `[hq-sync] tombstone fetch failed (non-fatal, degrading to no-suppression): ${
-          err instanceof Error ? err.message : String(err)
-        }`,
-      );
-    } catch {
-      // swallow — logging must never break sync
-    }
-  }
-  return out;
-}
-
 /**
  * Sync (pull) all allowed files from the entity vault.
  */

package/src/cli/tombstones.ts

@@ -0,0 +1,106 @@
+/**
+ * Shared FILE_TOMBSTONE fetch used by BOTH the pull planner (`sync.ts`) and the
+ * push planner (`share.ts`).
+ *
+ * A FILE_TOMBSTONE is the authoritative record of an intentional, scoped delete
+ * (`hq files delete <prefix>` → `POST /v1/files/delete` → `recordDeletions`).
+ * Both sync legs consult it so a deleted key is neither re-downloaded (pull) nor
+ * re-uploaded (push) and therefore cannot be resurrected by a behind peer.
+ *
+ * Lives in its own module so `share.ts` can use the fetch without importing from
+ * `sync.ts` — `sync.ts` already imports values from `share.ts`
+ * (`isEphemeralPath`, `isMalformedVaultKey`), so the reverse value-import would
+ * create a runtime ESM cycle.
+ */
+
+import type { VaultServiceConfig } from "../types.js";
+import { toPosixKey } from "../s3.js";
+
+/** Timeout for the best-effort FILE_TOMBSTONE fetch (GET /v1/files/tombstones). */
+export const FETCH_TOMBSTONES_TIMEOUT_MS = 5000;
+
+/**
+ * A FILE_TOMBSTONE as the planners need it: the deleted key + when it was
+ * deleted. The `deletedAt` timestamp is the decisive precedence signal on the
+ * pull side — a remote object newer than it is a genuine re-create (sync it), an
+ * object at or older than it is a stale resurrection of a deleted key (suppress
+ * it).
+ */
+export interface CompanyTombstone {
+  deletedAt: string;
+}
+
+/**
+ * Fetch the company's FILE_TOMBSTONE rows from hq-pro (GET /v1/files/tombstones)
+ * and return them as a POSIX-keyed map the planners consult to avoid
+ * resurrecting an intentionally-deleted object (delete-resync). The endpoint is
+ * ACL-filtered server-side, so the map only ever contains keys this caller can
+ * read — exactly the keys that can appear in the (STS-scoped) remote LIST.
+ *
+ * Best-effort and bounded by a 5s timeout: a tombstone read that fails, times
+ * out, or returns non-2xx degrades to an EMPTY map — i.e. to the pre-fix
+ * behavior (no suppression). That is the safe failure direction: a missed
+ * tombstone re-pulls/re-pushes a deleted file (a known, recoverable annoyance),
+ * whereas a spurious tombstone would HIDE a file the user wants. The failure is
+ * logged (never silently swallowed) so a persistently-degraded read is visible.
+ */
+export async function fetchCompanyTombstones(
+  vaultConfig: VaultServiceConfig,
+  companyUid: string,
+): Promise<Map<string, CompanyTombstone>> {
+  const out = new Map<string, CompanyTombstone>();
+  try {
+    const token =
+      typeof vaultConfig.authToken === "function"
+        ? await vaultConfig.authToken()
+        : vaultConfig.authToken;
+    const base = vaultConfig.apiUrl.replace(/\/+$/, "");
+    const url = `${base}/v1/files/tombstones?company=${encodeURIComponent(
+      companyUid,
+    )}`;
+    const controller = new AbortController();
+    const timer = setTimeout(
+      () => controller.abort(),
+      FETCH_TOMBSTONES_TIMEOUT_MS,
+    );
+    try {
+      const res = await fetch(url, {
+        method: "GET",
+        headers: { Authorization: `Bearer ${token}` },
+        signal: controller.signal,
+      });
+      if (!res.ok) {
+        // Non-2xx is non-fatal: log and degrade to no-suppression. A 404 means
+        // the endpoint is not deployed yet (hq-pro release lag) — the sync
+        // proceeds with the legacy behavior until it lands.
+        console.error(
+          `[hq-sync] tombstone fetch returned ${res.status} (degrading to no-suppression)`,
+        );
+        return out;
+      }
+      const body = (await res.json()) as {
+        tombstones?: Array<{ key?: string; deletedAt?: string }>;
+      };
+      for (const t of body.tombstones ?? []) {
+        if (typeof t.key === "string" && typeof t.deletedAt === "string") {
+          out.set(toPosixKey(t.key), { deletedAt: t.deletedAt });
+        }
+      }
+    } finally {
+      clearTimeout(timer);
+    }
+  } catch (err) {
+    // Best-effort: a failed tombstone read must never break the sync. Log
+    // (policy: never silently swallow) and degrade to no-suppression.
+    try {
+      console.error(
+        `[hq-sync] tombstone fetch failed (non-fatal, degrading to no-suppression): ${
+          err instanceof Error ? err.message : String(err)
+        }`,
+      );
+    } catch {
+      // swallow — logging must never break sync
+    }
+  }
+  return out;
+}

package/src/index.ts

@@ -142,8 +142,10 @@ export type { PullScope, PullScopeClient } from "./sync/pull-scope.js";
 export {
   PERSONAL_VAULT_EXCLUDED_TOP_LEVEL,
   PERSONAL_VAULT_COMPANY_EXCLUDED_SLUGS,
+  CONTINUITY_POINTER_REL,
   computePersonalVaultPaths,
   computePersonalCompanySubdirs,
+  computeContinuityPointerPaths,
 } from "./personal-vault.js";
 export type { PersonalVaultOptions } from "./personal-vault.js";