@indigoai-us/hq-cloud 6.11.6 → 6.11.8

package/src/bin/sync-runner.ts

@@ -1242,6 +1242,7 @@ export async function runRunner(
         filesTombstoned: 0,
         filesRefusedStale: 0,
         filesRefusedStalePaths: [],
+        filesSuppressedByTombstone: 0,
         filesExcludedByPolicy: 0,
         filesExcludedByScope: 0,
         conflictPaths: [],

package/src/cli/share.test.ts

@@ -336,6 +336,175 @@ describe("share", () => {
     expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "changed.md", undefined, expect.anything());
   });
 
+  // ── Push-side FILE_TOMBSTONE consult (delete-resync, 3B) ────────────────────
+  // An authoritative delete (`hq files delete`) writes a FILE_TOMBSTONE and
+  // removes the S3 object. Without a push-side consult, a behind peer that still
+  // holds the deleted file RE-UPLOADS it on a skipUnchanged=false push (e.g.
+  // `hq cloud share <path>`); the re-upload post-dates the tombstone, so the
+  // pull planner's timestamp-only re-create heuristic treats it as a genuine
+  // re-create and resurrects the key for everyone. These tests pin the fix: a
+  // stale-baseline copy is suppressed, while genuine content (locally-changed or
+  // no-journal) still uploads. Differential proof: reverting the consult in
+  // share.ts makes the first test fail (uploadFile IS called → resurrection).
+  describe("push-side tombstone consult", () => {
+    function seedJournal(key: string, hash: string, size: number) {
+      fs.writeFileSync(
+        path.join(stateDir, "sync-journal.acme.json"),
+        JSON.stringify({
+          version: "1",
+          lastSync: new Date().toISOString(),
+          files: {
+            [key]: {
+              hash,
+              size,
+              syncedAt: new Date().toISOString(),
+              direction: "down",
+            },
+          },
+        }),
+      );
+    }
+
+    it("suppresses re-upload of a stale-baseline copy of a tombstoned key", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "shared content");
+      const { hashFile } = await import("../journal.js");
+      // Journal hash === current file hash → this machine holds the exact
+      // deleted baseline (a behind peer that never pulled the delete).
+      seedJournal("docs/shared.md", hashFile(f), 14);
+
+      const events: Array<{ type: string; path?: string }> = [];
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        // skipUnchanged omitted (=false): models `hq cloud share <path>`, the
+        // path where a behind peer would otherwise re-upload the stale copy.
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+        onEvent: (e) => events.push(e as { type: string; path?: string }),
+      });
+
+      // The resurrection is blocked at the source: no upload for the tombstoned key.
+      expect(uploadFile).not.toHaveBeenCalled();
+      expect(result.filesUploaded).toBe(0);
+      expect(result.filesSuppressedByTombstone).toBe(1);
+      expect(
+        events.some(
+          (e) => e.type === "upload-suppressed-tombstone" && e.path === "docs/shared.md",
+        ),
+      ).toBe(true);
+    });
+
+    it("still uploads a LOCALLY-CHANGED file even when tombstoned (genuine edit/re-create)", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "edited-since-delete");
+      // Journal hash is stale (the file was edited after the delete) → genuine
+      // new content, must NOT be suppressed.
+      seedJournal("docs/shared.md", "stale-baseline-hash", 14);
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+      });
+
+      expect(result.filesSuppressedByTombstone).toBe(0);
+      expect(result.filesUploaded).toBe(1);
+      expect(uploadFile).toHaveBeenCalledWith(
+        expect.anything(),
+        f,
+        "docs/shared.md",
+        undefined,
+        expect.anything(),
+      );
+    });
+
+    it("still uploads a tombstoned key with NO journal entry (genuine re-create)", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "freshly created");
+      // No journal entry seeded → indistinguishable from genuine new content;
+      // fail-open and upload (mirrors the pull side's `!journalEntry` branch).
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        fileTombstones: new Map([
+          ["docs/shared.md", { deletedAt: new Date().toISOString() }],
+        ]),
+      });
+
+      expect(result.filesSuppressedByTombstone).toBe(0);
+      expect(result.filesUploaded).toBe(1);
+    });
+
+    it("auto-fetches tombstones via vaultConfig (no injection) and suppresses", async () => {
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(path.join(companyRoot, "docs"), { recursive: true });
+      const f = path.join(companyRoot, "docs", "shared.md");
+      fs.writeFileSync(f, "shared content");
+      const { hashFile } = await import("../journal.js");
+      seedJournal("docs/shared.md", hashFile(f), 14);
+
+      // Re-stub fetch to also answer GET /v1/files/tombstones, proving share()
+      // fetches and consults tombstones on its own (the production wiring) when
+      // no map is injected.
+      const fetchMock = vi.fn().mockImplementation(async (url: string) => {
+        const u = String(url);
+        if (u.includes("/entity/check-slug/me")) {
+          return {
+            ok: true,
+            status: 200,
+            json: async () => ({ available: false, conflictingCompanyUid: mockEntity.uid }),
+            text: async () => "",
+          };
+        }
+        if (u.includes("/entity/by-slug/") || /\/entity\/cmp_/.test(u)) {
+          return { ok: true, status: 200, json: async () => ({ entity: mockEntity }), text: async () => "" };
+        }
+        if (u.includes("/sts/vend")) {
+          return { ok: true, status: 200, json: async () => mockVendResponse, text: async () => "" };
+        }
+        if (u.includes("/v1/files/tombstones")) {
+          return {
+            ok: true,
+            status: 200,
+            json: async () => ({
+              tombstones: [{ key: "docs/shared.md", deletedAt: new Date().toISOString() }],
+            }),
+            text: async () => "",
+          };
+        }
+        return { ok: false, status: 404, text: async () => "Not found" };
+      });
+      vi.stubGlobal("fetch", fetchMock);
+
+      const result = await share({
+        paths: [path.join(companyRoot, "docs")],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+      });
+
+      expect(uploadFile).not.toHaveBeenCalled();
+      expect(result.filesSuppressedByTombstone).toBe(1);
+    });
+  });
+
   it("populates conflictPaths and emits a conflict event when both local and remote drifted from journal", async () => {
     const companyRoot = path.join(tmpDir, "companies", "acme");
     fs.mkdirSync(companyRoot, { recursive: true });
@@ -4157,7 +4326,7 @@ describe("currency-gated: journal version 2 fixtures", () => {
       expect(errorEvents[0]!.path).toBe("f-2.bin");
     });
 
-    // ── Codex P1 (5.36.x): interactive conflict prompt serialization ────
+    // ── Interactive conflict prompt serialization ───────────────────────
     //
     // The parallel pool can run multiple processUploadItem workers
     // concurrently; each worker calls resolveConflict() on a conflict, and
@@ -4165,12 +4334,11 @@ describe("currency-gated: journal version 2 fixtures", () => {
     // prompt on process.stdin. Two prompts open at once would race for the
     // same terminal input — answers would interleave nondeterministically.
     //
-    // Trade-off (Option A): when onConflict is undefined we force pool
-    // concurrency to 1 for the whole run. Interactive sessions are rare
-    // (operator is already at the terminal clicking through prompts), so
-    // serializing the entire pool is acceptable and has the smallest
-    // blast radius vs. a per-prompt mutex. Non-interactive (onConflict set)
-    // keeps full parallelism.
+    // Fix: rather than force the WHOLE pool to concurrency=1 (which made an
+    // interactive `hq sync now` crawl even with zero conflicts), the pool
+    // keeps full concurrency and serializes ONLY the prompt via a chained
+    // lock (`resolveConflictSerialized`). At most one prompt awaits input at
+    // a time; this test pins that invariant.
     it("serializes interactive conflict prompts (no two readline prompts open at once)", async () => {
       const companyRoot = path.join(tmpDir, "companies", "acme");
       fs.mkdirSync(companyRoot, { recursive: true });
@@ -4282,6 +4450,59 @@ describe("currency-gated: journal version 2 fixtures", () => {
       expect(maxConcurrent).toBeGreaterThanOrEqual(4);
     });
 
+    it("interactive mode (onConflict unset) still runs transfers concurrently", async () => {
+      // REGRESSION: the 5.36.x interactive guard forced the WHOLE pool to
+      // concurrency=1 whenever onConflict was unset — so `hq sync now` (which
+      // omits --on-conflict) crawled through transfers one at a time even when
+      // no conflict ever occurred. The prompt is now serialized on its own
+      // chained lock, leaving the transfer pool at full concurrency.
+      const companyRoot = path.join(tmpDir, "companies", "acme");
+      fs.mkdirSync(companyRoot, { recursive: true });
+      const FILE_COUNT = 16;
+      for (let i = 0; i < FILE_COUNT; i++) {
+        fs.writeFileSync(
+          path.join(companyRoot, `f-${i.toString().padStart(2, "0")}.bin`),
+          `c-${i}`,
+        );
+      }
+
+      const startTimes: number[] = [];
+      const endTimes: number[] = [];
+      vi.mocked(uploadFile).mockImplementation(async () => {
+        startTimes.push(Date.now());
+        await new Promise((r) => setTimeout(r, 30));
+        endTimes.push(Date.now());
+        return { etag: '"upload-etag"' };
+      });
+
+      await share({
+        paths: [companyRoot],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        // onConflict intentionally omitted → interactive mode. No conflicts
+        // occur, so the transfer pool must NOT serialize.
+      });
+
+      const sortedEvents: Array<{ t: number; kind: "start" | "end" }> = [];
+      for (const t of startTimes) sortedEvents.push({ t, kind: "start" });
+      for (const t of endTimes) sortedEvents.push({ t, kind: "end" });
+      sortedEvents.sort((a, b) => a.t - b.t || (a.kind === "start" ? -1 : 1));
+      let cur = 0;
+      let maxConcurrent = 0;
+      for (const ev of sortedEvents) {
+        if (ev.kind === "start") {
+          cur++;
+          if (cur > maxConcurrent) maxConcurrent = cur;
+        } else {
+          cur--;
+        }
+      }
+      // Pre-fix this was exactly 1 (forced serial). Now it tracks the full
+      // pool; 4 is a conservative lower bound to avoid CI flakiness.
+      expect(maxConcurrent).toBeGreaterThanOrEqual(4);
+    });
+
     // ── Codex P1 (5.36.x): pool drains in-flight on worker rejection ────
     //
     // Pre-fix: the scheduler waited on `Promise.race(inFlight)`. If any

package/src/cli/share.ts

@@ -42,6 +42,10 @@ import {
 import { resolveConflict } from "./conflict.js";
 import type { ConflictStrategy } from "./conflict.js";
 import type { SyncProgressEvent } from "./sync.js";
+import {
+  fetchCompanyTombstones,
+  type CompanyTombstone,
+} from "./tombstones.js";
 import { isCoveredByAny, isDirInScope } from "../prefix-coalesce.js";
 import {
   buildConflictId,
@@ -634,6 +638,19 @@ export interface ShareOptions {
    * path is out of scope (mirrors the pull side's `isCoveredByAny([])`).
    */
   prefixSet?: string[];
+  /**
+   * Pre-fetched FILE_TOMBSTONE map (POSIX key → tombstone) for the push-side
+   * delete-resync consult. When omitted, share() fetches it itself via
+   * `fetchCompanyTombstones` for COMPANY vaults that have a `vaultConfig`
+   * (personal vaults and pre-vended `entityContext`-only callers without a
+   * `vaultConfig` degrade to no-suppression — the safe, legacy direction).
+   *
+   * Injection is an optimization + test seam: a sync run that already fetched
+   * tombstones for the pull leg can hand the same map to the push leg to avoid a
+   * second round-trip, and tests can supply a controlled map without stubbing
+   * the network. See the consult in the Stage-2 classification pass.
+   */
+  fileTombstones?: Map<string, CompanyTombstone>;
 }
 
 export interface ShareResult {
@@ -678,6 +695,15 @@ export interface ShareResult {
    * once the runner has folded them into the totals.
    */
   filesRefusedStalePaths: string[];
+  /**
+   * Number of uploads suppressed by the push-side FILE_TOMBSTONE consult — keys
+   * an authoritative delete (`hq files delete`) tombstoned that this machine
+   * still held as the unchanged synced baseline. Skipping the upload is what
+   * stops a behind peer from resurrecting an authoritatively-deleted key. Always
+   * 0 when there are no tombstones for in-scope keys (the common case) or when
+   * the run can't load tombstones (personal vault / no `vaultConfig`).
+   */
+  filesSuppressedByTombstone: number;
   /**
    * Number of paths blocked by `PERSONAL_VAULT_DEFAULT_EXCLUSIONS` during this
    * run (push leg, personalMode=true). Includes both files that would have
@@ -919,6 +945,10 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
   // propagateDeletes=false path.
   let filesTombstoned = 0;
   let filesRefusedStale = 0;
+  // Count of uploads suppressed by the push-side FILE_TOMBSTONE consult (a
+  // behind peer's stale copy of an authoritatively-deleted key). Always 0 when
+  // there are no tombstones for in-scope keys.
+  let filesSuppressedByTombstone = 0;
   // Capped at 50 to bound event payload size — `newFiles` uses the same cap.
   const REFUSED_STALE_PATH_CAP = 50;
   const filesRefusedStalePaths: string[] = [];
@@ -1040,24 +1070,64 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
   // PUTs that already issued will complete (S3 doesn't have client-side
   // cancellation in this code path); their results are still recorded on
   // the journal so the next sync's planner doesn't re-fire them.
-  // Interactive-mode guard (Codex P1, 5.36.x): when onConflict is unset
-  // the per-item conflict path falls into resolveConflict()'s readline
-  // prompt on process.stdin. Multiple pool workers prompting at once
-  // would race for the same terminal input and interleave answers
-  // nondeterministically. Force concurrency=1 for interactive sessions —
-  // the operator is at the keyboard anyway, the throughput penalty only
-  // applies when conflicts actually exist, and Option A (whole-pool
-  // serialization) has the smallest blast radius vs. a per-prompt mutex.
-  // Non-interactive (onConflict set) keeps the env-tunable default.
-  const isInteractiveConflictMode = onConflict === undefined;
+  // Interactive-mode prompts: when `onConflict` is unset the per-item conflict
+  // path calls resolveConflict()'s readline prompt on process.stdin, and two
+  // pool workers prompting at once would race for the terminal and interleave
+  // answers. The 5.36.x guard solved this by forcing the WHOLE pool to
+  // concurrency=1 — which made an interactive `hq sync now` crawl even when
+  // zero conflicts existed (every transfer serialized just in case one might
+  // prompt). Instead, keep full env-tunable concurrency and serialize ONLY the
+  // prompt (see `resolveConflictSerialized` below): at most one prompt awaits
+  // input at a time while transfers stay parallel.
   const TRANSFER_CONCURRENCY = (() => {
-    if (isInteractiveConflictMode) return 1;
     const raw = process.env.HQ_SYNC_TRANSFER_CONCURRENCY;
     if (raw === undefined || raw === "") return 16;
     const parsed = Number.parseInt(raw, 10);
     return Number.isFinite(parsed) && parsed > 0 ? parsed : 16;
   })();
 
+  // Chained lock around the (possibly interactive) conflict prompt. Each
+  // resolveConflict() runs only after the previous one settles, so concurrent
+  // pool workers never prompt over each other on stdin — without dropping the
+  // transfer pool's parallelism. A rejected prompt must not wedge the chain,
+  // so the link swallows errors (the original promise still rejects to its
+  // awaiter). In non-interactive mode resolveConflict applies the configured
+  // strategy without reading stdin, so the lock adds no real serialization.
+  let conflictPromptChain: Promise<unknown> = Promise.resolve();
+  const resolveConflictSerialized = (
+    info: Parameters<typeof resolveConflict>[0],
+  ): ReturnType<typeof resolveConflict> => {
+    const run = conflictPromptChain.then(() => resolveConflict(info, onConflict));
+    conflictPromptChain = run.then(
+      () => undefined,
+      () => undefined,
+    );
+    return run;
+  };
+
+  // Push-side FILE_TOMBSTONE consult (delete-resync) — symmetric to the pull
+  // planner's suppression in sync.ts. An authoritative delete
+  // (`hq files delete <prefix>`) writes a FILE_TOMBSTONE and removes the S3
+  // object; the pull side already honors it. But the PUSH side did not: a behind
+  // peer who still holds the deleted file locally would re-upload it here, and
+  // because the re-uploaded object post-dates the tombstone, the pull planner's
+  // timestamp-only re-create heuristic (`isRemoteRecreateAfterTombstone`) treats
+  // it as a genuine re-create and resurrects the key for EVERYONE — defeating the
+  // authoritative delete. Consult the tombstones so a stale-baseline upload is
+  // skipped at the source.
+  //
+  // Source: an injected `fileTombstones` (a sync run can hand the push leg the
+  // map it already fetched for the pull leg), else a self-fetch for COMPANY
+  // vaults that have a `vaultConfig`. Personal vaults have no company tombstones
+  // (the pull side skips them too), and `entityContext`-only callers have no
+  // auth to fetch with — both degrade to an empty map (no suppression), the
+  // safe/legacy direction.
+  const fileTombstones: Map<string, CompanyTombstone> =
+    options.fileTombstones ??
+    (!ctx.uid.startsWith("prs_") && vaultConfig
+      ? await fetchCompanyTombstones(vaultConfig, ctx.uid)
+      : new Map<string, CompanyTombstone>());
+
   // Phase A: serial classification pass — handle skips inline, collect
   // upload candidates for the parallel pool.
   const uploadItems: Array<typeof plan.items[number] & { action: "upload" }> = [];
@@ -1071,6 +1141,30 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       filesSkipped++;
       continue;
     }
+    // Suppress the re-upload of an authoritatively-deleted key when the local
+    // copy is still the deleted baseline. Discrimination mirrors the pull side's
+    // `localChanged || !journalEntry` test: a journal entry whose hash matches
+    // the upload's localHash means the file is byte-identical to what was last
+    // synced — i.e. the deleted version a behind peer never pulled away — so
+    // SKIP it. A locally-changed file (hash differs) or one with no journal
+    // entry is genuine new content (a real re-create or a post-delete edit) and
+    // uploads normally. The deleter's own stale local copy is removed by the
+    // pull leg's `tombstone-delete`; this guard only stops the resurrection.
+    if (item.action === "upload" && fileTombstones.size > 0) {
+      const ts = fileTombstones.get(toPosixKey(item.relativePath));
+      if (ts !== undefined) {
+        const entry = journal.files[item.relativePath];
+        if (entry && entry.hash === item.localHash) {
+          filesSuppressedByTombstone++;
+          emit({
+            type: "upload-suppressed-tombstone",
+            path: item.relativePath,
+            deletedAt: ts.deletedAt,
+          });
+          continue;
+        }
+      }
+    }
     if (item.action === "skip-unchanged") {
       // Refresh the journal's (mtimeMs, size) for a touched-but-identical file
       // so the next sync's lstat fast-path matches and skips without re-hashing.
@@ -1256,15 +1350,12 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       if ((localChanged && remoteChanged) || isFreshCollision) {
         conflictPaths.push(relativePath);
 
-        const resolution = await resolveConflict(
-          {
-            path: relativePath,
-            localHash,
-            remoteModified: remoteMeta.lastModified,
-            direction: "push",
-          },
-          onConflict,
-        );
+        const resolution = await resolveConflictSerialized({
+          path: relativePath,
+          localHash,
+          remoteModified: remoteMeta.lastModified,
+          direction: "push",
+        });
 
         emit({
           type: "conflict",
@@ -1404,10 +1495,11 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
         // the race the fence exists to catch. Surface as a push conflict;
         // never silently overwrite.
         conflictPaths.push(relativePath);
-        const resolution = await resolveConflict(
-          { path: relativePath, localHash, direction: "push" },
-          onConflict,
-        );
+        const resolution = await resolveConflictSerialized({
+          path: relativePath,
+          localHash,
+          direction: "push",
+        });
         emit({
           type: "conflict",
           path: relativePath,
@@ -1546,6 +1638,9 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       // defaulting fallback. Empty on the abort path because the
       // delete-plan execution loop is short-circuited.
       filesRefusedStalePaths,
+      // Tombstone-suppressed uploads are classified in Phase A, which runs
+      // before the upload pool can abort, so the count is meaningful here.
+      filesSuppressedByTombstone,
       // Exclusions are computed during the upload walk which has
       // already completed by the time we hit a per-file conflict-
       // abort, so the count is meaningful here. No event emit on
@@ -1717,6 +1812,7 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
     filesTombstoned,
     filesRefusedStale,
     filesRefusedStalePaths,
+    filesSuppressedByTombstone,
     filesExcludedByPolicy: excludedSet.size,
     filesExcludedByScope: scopeExcludedSet.size,
     conflictPaths,

package/src/cli/sync.ts

@@ -54,6 +54,10 @@ import {
 } from "../lib/conflict-file.js";
 import { appendConflictEntry } from "../lib/conflict-index.js";
 import { reindex } from "./reindex.js";
+import {
+  fetchCompanyTombstones,
+  type CompanyTombstone,
+} from "./tombstones.js";
 
 /**
  * Per-file events emitted by `sync()` as it progresses.
@@ -265,6 +269,23 @@ export type SyncProgressEvent =
       type: "scope-excluded";
       count: number;
       samplePaths: string[];
+    }
+  | {
+      /**
+       * Emitted by the PUSH leg (`share()`) once per key whose upload was
+       * suppressed because an authoritative FILE_TOMBSTONE marks it deleted and
+       * the local copy is still the deleted baseline (journal hash unchanged).
+       * Without this, a behind peer that still holds the file would re-upload it,
+       * and the pull planner's timestamp-only re-create heuristic
+       * (`isRemoteRecreateAfterTombstone`) would treat the re-upload as a genuine
+       * re-create and resurrect the key for everyone. The deleter's own stale
+       * local copy is cleaned by the pull leg's `tombstone-delete`; this event
+       * records that the push refused to resurrect it. `deletedAt` is the
+       * tombstone's delete time.
+       */
+      type: "upload-suppressed-tombstone";
+      path: string;
+      deletedAt: string;
     };
 
 export interface SyncOptions {
@@ -539,94 +560,6 @@ async function reportNewFilesToNotify(
   }
 }
 
-/** Timeout for the best-effort FILE_TOMBSTONE fetch (GET /v1/files/tombstones). */
-const FETCH_TOMBSTONES_TIMEOUT_MS = 5000;
-
-/**
- * A FILE_TOMBSTONE as the pull planner needs it: the deleted key + when it was
- * deleted. The `deletedAt` timestamp is the decisive precedence signal — a
- * remote object newer than it is a genuine re-create (sync it), an object at or
- * older than it is a stale resurrection of a deleted key (suppress it).
- */
-interface CompanyTombstone {
-  deletedAt: string;
-}
-
-/**
- * Fetch the company's FILE_TOMBSTONE rows from hq-pro (GET /v1/files/tombstones)
- * and return them as a POSIX-keyed map the pull planner consults to avoid
- * resurrecting an intentionally-deleted object (delete-resync). The endpoint is
- * ACL-filtered server-side, so the map only ever contains keys this caller can
- * read — exactly the keys that can appear in the (STS-scoped) remote LIST.
- *
- * Best-effort and bounded by a 5s timeout: a tombstone read that fails, times
- * out, or returns non-2xx degrades to an EMPTY map — i.e. to the pre-fix
- * behavior (no suppression). That is the safe failure direction: a missed
- * tombstone re-pulls a deleted file (a known, recoverable annoyance), whereas a
- * spurious tombstone would HIDE a file the user wants. The failure is logged
- * (never silently swallowed) so a persistently-degraded read is visible.
- */
-async function fetchCompanyTombstones(
-  vaultConfig: VaultServiceConfig,
-  companyUid: string,
-): Promise<Map<string, CompanyTombstone>> {
-  const out = new Map<string, CompanyTombstone>();
-  try {
-    const token =
-      typeof vaultConfig.authToken === "function"
-        ? await vaultConfig.authToken()
-        : vaultConfig.authToken;
-    const base = vaultConfig.apiUrl.replace(/\/+$/, "");
-    const url = `${base}/v1/files/tombstones?company=${encodeURIComponent(
-      companyUid,
-    )}`;
-    const controller = new AbortController();
-    const timer = setTimeout(
-      () => controller.abort(),
-      FETCH_TOMBSTONES_TIMEOUT_MS,
-    );
-    try {
-      const res = await fetch(url, {
-        method: "GET",
-        headers: { Authorization: `Bearer ${token}` },
-        signal: controller.signal,
-      });
-      if (!res.ok) {
-        // Non-2xx is non-fatal: log and degrade to no-suppression. A 404 means
-        // the endpoint is not deployed yet (hq-pro release lag) — the pull
-        // proceeds with the legacy behavior until it lands.
-        console.error(
-          `[hq-sync] tombstone fetch returned ${res.status} (degrading to no-suppression)`,
-        );
-        return out;
-      }
-      const body = (await res.json()) as {
-        tombstones?: Array<{ key?: string; deletedAt?: string }>;
-      };
-      for (const t of body.tombstones ?? []) {
-        if (typeof t.key === "string" && typeof t.deletedAt === "string") {
-          out.set(toPosixKey(t.key), { deletedAt: t.deletedAt });
-        }
-      }
-    } finally {
-      clearTimeout(timer);
-    }
-  } catch (err) {
-    // Best-effort: a failed tombstone read must never break the pull. Log
-    // (policy: never silently swallow) and degrade to no-suppression.
-    try {
-      console.error(
-        `[hq-sync] tombstone fetch failed (non-fatal, degrading to no-suppression): ${
-          err instanceof Error ? err.message : String(err)
-        }`,
-      );
-    } catch {
-      // swallow — logging must never break sync
-    }
-  }
-  return out;
-}
-
 /**
  * Sync (pull) all allowed files from the entity vault.
  */