@indigoai-us/hq-cloud 6.2.1 → 6.2.3

package/src/cli/rescue-journal-reconcile.test.ts

@@ -1,17 +1,20 @@
 /**
- * Regression for the rescue → sync-journal stale-baseline bug.
+ * Regression for the rescue -> sync-journal stale-baseline bug (and its
+ * follow-ups). The rescue overlay + the post-overlay core.yaml stamp rewrite
+ * scaffold files from upstream, but their personal-vault journal entries keep
+ * the PRE-rescue hash. The next sync then reads localHash != journal.hash
+ * ("local changed") and mints a false `.conflict-*` mirror.
  *
- * Root cause: the rescue overlay rewrites scaffold files from upstream but
- * never re-stamps the personal-vault sync journal. The journal keeps the
- * PRE-rescue hash, so the next sync reads localHash != journal.hash ("local
- * changed") and — when the vault also moved — mints a false `.conflict-*`
- * mirror. `runRescue` now re-stamps the journal baseline for the files the
- * overlay actually re-laid (scoped to rsync `-i` itemize output, so a user's
- * pending edit is never touched).
+ * runRescue now reconciles the baseline by DIFFING the journal against current
+ * local hashes (robust — the earlier rsync-itemize regex undercounted), running
+ * AFTER every in-doRescue mutation (so it also catches the core.yaml stamp), and
+ * scoped to NON-preserved roots so a user's pending edit in personal/ is never
+ * marked synced.
  *
- * This test seeds a journal whose entry for an overlaid file carries the OLD
- * hash, runs a real (non-dry-run) rescue, and asserts the entry was re-stamped
- * to the freshly laid-down content — i.e. `localChanged` would now be false.
+ * This test seeds stale baselines for several overlaid scaffold files + core.yaml
+ * and a pending personal/ edit, runs a real rescue, and asserts: every changed
+ * scaffold entry is re-stamped to current local (no false conflict), while the
+ * personal/ pending edit is left untouched (still uploads).
  */
 import { describe, it, expect, beforeAll, afterAll } from "vitest";
 import { execFileSync } from "child_process";
@@ -52,7 +55,9 @@ function runRescueCapture(argv: string[], env: NodeJS.ProcessEnv) {
   return { status, stdout };
 }
 
-describe.skipIf(!gitAvailable)("rescue re-stamps sync-journal baseline for re-laid files", () => {
+const SCAFFOLD = ["core/a.md", "core/docs/b.md", ".claude/c.sh", "core/core.yaml"];
+
+describe.skipIf(!gitAvailable)("rescue reconciles sync-journal baseline (complete + robust)", () => {
   let workDir: string, upstream: string, hqRoot: string, stateDir: string, floorSha: string;
   let env: NodeJS.ProcessEnv;
   let savedStateDir: string | undefined;
@@ -64,52 +69,61 @@ describe.skipIf(!gitAvailable)("rescue re-stamps sync-journal baseline for re-la
       env: { ...process.env, GIT_AUTHOR_NAME: "t", GIT_AUTHOR_EMAIL: "t@t", GIT_COMMITTER_NAME: "t", GIT_COMMITTER_EMAIL: "t@t" },
     }).toString().trim();
 
+  const w = (root: string, rel: string, body: string) => {
+    const p = path.join(root, rel);
+    fs.mkdirSync(path.dirname(p), { recursive: true });
+    fs.writeFileSync(p, body);
+  };
+
   beforeAll(() => {
     workDir = fs.mkdtempSync(path.join(os.tmpdir(), "hq-rescue-journal-"));
 
-    // upstream: floor (doc.md=v1), then HEAD advances doc.md -> v2.
+    // --- upstream: floor (all scaffold = v1), HEAD advances the 3 docs to v2 ---
     upstream = path.join(workDir, "upstream");
-    fs.mkdirSync(path.join(upstream, "core"), { recursive: true });
+    fs.mkdirSync(upstream, { recursive: true });
     git(workDir, "init", "-b", "main", "upstream");
-    fs.writeFileSync(path.join(upstream, "core/doc.md"), "v1\n");
-    git(upstream, "add", "-A");
-    git(upstream, "commit", "-m", "floor");
+    w(upstream, "core/a.md", "v1\n");
+    w(upstream, "core/docs/b.md", "v1\n");
+    w(upstream, ".claude/c.sh", "v1\n");
+    w(upstream, "core/core.yaml", "version: 1\n");
+    git(upstream, "add", "-A"); git(upstream, "commit", "-m", "floor");
     floorSha = git(upstream, "rev-parse", "HEAD");
-    fs.writeFileSync(path.join(upstream, "core/doc.md"), "v2\n");
-    git(upstream, "add", "-A");
-    git(upstream, "commit", "-m", "head");
+    w(upstream, "core/a.md", "v2\n");
+    w(upstream, "core/docs/b.md", "v2\n");
+    w(upstream, ".claude/c.sh", "v2\n");
+    git(upstream, "add", "-A"); git(upstream, "commit", "-m", "head");
 
-    // local HQ root: doc.md == floor (v1) -> rescue overlays it to HEAD (v2).
+    // --- local HQ root: scaffold == floor (overlaid to v2); a pending personal/ edit ---
     hqRoot = path.join(workDir, "hq");
-    fs.mkdirSync(path.join(hqRoot, "core"), { recursive: true });
-    fs.mkdirSync(path.join(hqRoot, "personal"), { recursive: true });
     fs.mkdirSync(path.join(hqRoot, "companies"), { recursive: true });
-    const docAbs = path.join(hqRoot, "core/doc.md");
-    fs.writeFileSync(docAbs, "v1\n");
+    w(hqRoot, "core/a.md", "v1\n");
+    w(hqRoot, "core/docs/b.md", "v1\n");
+    w(hqRoot, ".claude/c.sh", "v1\n");
+    w(hqRoot, "core/core.yaml", "version: 1\n");
+    w(hqRoot, "personal/edited.md", "USER_LOCAL\n"); // local pending edit
 
-    // state dir + seeded personal-vault journal carrying the STALE (v1) hash.
+    // --- state dir + seeded journal: stale baselines for scaffold + a divergent personal/ entry ---
     stateDir = path.join(workDir, "state");
     fs.mkdirSync(stateDir, { recursive: true });
     savedStateDir = process.env.HQ_STATE_DIR;
-    process.env.HQ_STATE_DIR = stateDir; // getStateDir() reads process.env
-    const staleHash = hashFile(docAbs); // hash of v1
+    process.env.HQ_STATE_DIR = stateDir;
+    const entry = (rel: string, hash: string) => ({
+      hash,
+      size: fs.statSync(path.join(hqRoot, rel)).size,
+      syncedAt: new Date(0).toISOString(),
+      direction: "down" as const,
+      remoteEtag: "seed-etag",
+      mtimeMs: fs.statSync(path.join(hqRoot, rel)).mtimeMs,
+    });
+    const files: Record<string, unknown> = {};
+    for (const rel of SCAFFOLD) files[rel] = entry(rel, hashFile(path.join(hqRoot, rel))); // hash of v1/version:1
+    // personal/ pending edit: journal records a DIFFERENT (already-synced) hash than local.
+    files["personal/edited.md"] = { ...entry("personal/edited.md", "remote-side-hash-differs-from-local") };
     writeJournal(PERSONAL_VAULT_JOURNAL_SLUG, {
-      version: "2",
-      lastSync: new Date(0).toISOString(),
-      files: {
-        "core/doc.md": {
-          hash: staleHash,
-          size: fs.statSync(docAbs).size,
-          syncedAt: new Date(0).toISOString(),
-          direction: "down",
-          remoteEtag: "seed-etag",
-          mtimeMs: fs.statSync(docAbs).mtimeMs,
-        },
-      },
-      pulls: [],
+      version: "2", lastSync: new Date(0).toISOString(), files, pulls: [],
     } as never);
 
-    // git shim: redirect `git clone <github-url>` to the local fixture.
+    // --- git shim: redirect clone to the local fixture ---
     const realGit = execFileSync("bash", ["-lc", "command -v git"]).toString().trim() || "/usr/bin/git";
     const shimDir = path.join(workDir, "shim");
     fs.mkdirSync(shimDir, { recursive: true });
@@ -133,24 +147,33 @@ exec ${JSON.stringify(realGit)} "$@"
     if (workDir) fs.rmSync(workDir, { recursive: true, force: true });
   });
 
-  it("re-stamps the journal so the overlaid file is no longer seen as locally changed", () => {
-    const docAbs = path.join(hqRoot, "core/doc.md");
-    const staleHash = readJournal(PERSONAL_VAULT_JOURNAL_SLUG).files["core/doc.md"].hash;
-
+  it("re-stamps EVERY changed scaffold file (incl. core.yaml), and never touches the personal/ pending edit", () => {
     const r = runRescueCapture(
       ["--hq-root", hqRoot, "--source", "test/repo", "--ref", "main", "--floor-sha", floorSha, "--yes", "--no-backup"],
       env,
     );
     expect(r.status, r.stdout).toBe(0);
 
-    // overlay actually re-laid the file (v1 -> v2)
-    expect(fs.readFileSync(docAbs, "utf-8")).toBe("v2\n");
+    // the 3 docs were overlaid v1 -> v2
+    for (const rel of ["core/a.md", "core/docs/b.md", ".claude/c.sh"]) {
+      expect(fs.readFileSync(path.join(hqRoot, rel), "utf-8")).toBe("v2\n");
+    }
+
+    const j = readJournal(PERSONAL_VAULT_JOURNAL_SLUG).files;
+
+    // INVARIANT: after the reconcile, every scaffold entry's baseline == current
+    // local hash -> localChanged is false -> no false conflict on the next sync.
+    // core.yaml is included BECAUSE the reconcile runs AFTER its yq/py stamp.
+    for (const rel of SCAFFOLD) {
+      expect(j[rel].hash, `${rel} not reconciled`).toBe(hashFile(path.join(hqRoot, rel)));
+      expect(j[rel].remoteEtag, `${rel} remote side touched`).toBe("seed-etag"); // clean push/converge, not conflict
+    }
+
+    // SAFETY: the personal/ pending edit is preserved (NOT marked synced) so it
+    // still uploads — its baseline stays the divergent seeded hash.
+    expect(j["personal/edited.md"].hash).toBe("remote-side-hash-differs-from-local");
+    expect(j["personal/edited.md"].hash).not.toBe(hashFile(path.join(hqRoot, "personal/edited.md")));
 
-    // journal entry was re-stamped to the NEW content's hash
-    const entry = readJournal(PERSONAL_VAULT_JOURNAL_SLUG).files["core/doc.md"];
-    expect(entry.hash).toBe(hashFile(docAbs)); // == hash(v2): localChanged would be FALSE
-    expect(entry.hash).not.toBe(staleHash); // proves it changed from the stale v1 baseline
-    expect(entry.remoteEtag).toBe("seed-etag"); // remote side untouched -> clean push/converge, not conflict
     expect(r.stdout).toContain("Reconciled sync-journal baseline");
   });
 });

package/src/cli/share.test.ts

@@ -39,7 +39,7 @@ vi.mock("readline", () => ({
 
 import * as readline from "readline";
 import { share, _testing as shareTesting } from "./share.js";
-import { deleteRemoteFile, headRemoteFile, uploadFile, uploadSymlink } from "../s3.js";
+import { deleteRemoteFile, downloadFile, headRemoteFile, uploadFile, uploadSymlink } from "../s3.js";
 import type { EntityContext } from "../types.js";
 
 const mockConfig: VaultServiceConfig = {
@@ -482,6 +482,110 @@ describe("share", () => {
     expect(result.filesUploaded).toBe(0);
   });
 
+  it("fresh-install multipart collision: byte-identical remote is NOT a conflict (reconciled, no mirror)", async () => {
+    // Root cause of "HQ installs with conflicts": on a first push the
+    // journal is empty, so the fresh-collision branch decides conflict-vs-
+    // identical from the remote etag alone. A multipart remote etag
+    // (\`<md5>-<partCount>\`) is NOT a content hash, so the OLD code assumed
+    // a collision for ANY multipart object — minting a false conflict for
+    // the most common fresh-install case: re-pushing a byte-identical
+    // core/ scaffold file whose remote copy happened to be multipart-
+    // uploaded. The fix fetches the remote bytes once and compares content
+    // hashes; identical content reconciles (journal re-stamped, PUT
+    // skipped) instead of producing a conflict + \`.conflict-*\` mirror.
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(companyRoot, { recursive: true });
+    const testFile = path.join(companyRoot, "core-scaffold.md");
+    const scaffoldBytes = "identical-scaffold-content-shipped-to-every-user";
+    fs.writeFileSync(testFile, scaffoldBytes);
+
+    // Remote exists with a MULTIPART etag and NO journal entry (first push).
+    vi.mocked(headRemoteFile).mockResolvedValueOnce({
+      lastModified: new Date(),
+      etag: '"d41d8cd98f00b204e9800998ecf8427e-2"',
+      size: scaffoldBytes.length,
+    });
+    // The convergence probe downloads the remote bytes — which are
+    // byte-identical to local — so the content hashes match.
+    vi.mocked(downloadFile).mockImplementationOnce(async (_ctx, _key, dest) => {
+      fs.writeFileSync(dest as string, scaffoldBytes);
+      return undefined as never;
+    });
+
+    const events: unknown[] = [];
+    const result = await share({
+      paths: [testFile],
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      onConflict: "keep",
+      onEvent: (e) => events.push(e),
+    });
+
+    // No conflict, no upload (bytes already there), counted as a skip.
+    expect(result.conflictPaths).toEqual([]);
+    expect(result.filesUploaded).toBe(0);
+    expect(result.filesSkipped).toBe(1);
+    const conflicts = events.filter(
+      (e) => typeof e === "object" && e !== null && (e as { type?: string }).type === "conflict",
+    );
+    expect(conflicts).toHaveLength(0);
+    const reconciled = events.filter(
+      (e) => typeof e === "object" && e !== null && (e as { type?: string }).type === "reconciled",
+    );
+    expect(reconciled).toHaveLength(1);
+    expect(reconciled[0]).toMatchObject({ path: "core-scaffold.md", direction: "push" });
+    // No conflict-mirror litter on disk.
+    const litter = fs
+      .readdirSync(companyRoot)
+      .filter((n) => n.includes(".conflict-"));
+    expect(litter).toEqual([]);
+    // Local file untouched.
+    expect(fs.readFileSync(testFile, "utf-8")).toBe(scaffoldBytes);
+  });
+
+  it("fresh-install multipart collision: genuinely different remote IS a conflict (Bug #7 preserved)", async () => {
+    // The convergence probe must not weaken Bug #7 protection: a multipart
+    // remote whose CONTENT actually differs from local is still a real
+    // fresh collision and must surface a conflict (so a peer's content
+    // isn't silently clobbered).
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(companyRoot, { recursive: true });
+    const testFile = path.join(companyRoot, "diverged-multipart.md");
+    fs.writeFileSync(testFile, "my-local-version");
+
+    vi.mocked(headRemoteFile).mockResolvedValueOnce({
+      lastModified: new Date(),
+      etag: '"0123456789abcdef0123456789abcdef-3"',
+      size: 32,
+    });
+    // The probe (and the subsequent keep-mirror download) return DIFFERENT
+    // remote bytes.
+    vi.mocked(downloadFile).mockImplementation(async (_ctx, _key, dest) => {
+      fs.writeFileSync(dest as string, "a-peers-different-version");
+      return undefined as never;
+    });
+
+    const events: unknown[] = [];
+    const result = await share({
+      paths: [testFile],
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      onConflict: "keep",
+      onEvent: (e) => events.push(e),
+    });
+
+    expect(result.conflictPaths).toEqual(["diverged-multipart.md"]);
+    expect(result.filesUploaded).toBe(0);
+    const conflicts = events.filter(
+      (e) => typeof e === "object" && e !== null && (e as { type?: string }).type === "conflict",
+    );
+    expect(conflicts).toHaveLength(1);
+    // Local file untouched under keep.
+    expect(fs.readFileSync(testFile, "utf-8")).toBe("my-local-version");
+  });
+
   it("uploads (no conflict) when only the local side changed since last sync", async () => {
     // Regression for hq-cloud#<conflict-detection>: a local edit to a file
     // that exists on S3 used to trigger a push conflict because the

package/src/cli/share.ts

@@ -6,6 +6,7 @@
  */
 
 import * as fs from "fs";
+import * as os from "os";
 import * as path from "path";
 import type { EntityContext, VaultServiceConfig, SyncJournal } from "../types.js";
 import { resolveEntityContext, isExpiringSoon, refreshEntityContext } from "../context.js";
@@ -45,6 +46,59 @@ import {
 } from "../lib/conflict-file.js";
 import { appendConflictEntry } from "../lib/conflict-index.js";
 
+/**
+ * Push-side fresh-collision convergence probe.
+ *
+ * For a first push (no journal entry) where the remote object already
+ * exists AND was multipart-uploaded, the remote etag (`<md5>-<partCount>`)
+ * is not a content hash, so we cannot tell "byte-identical" from "genuine
+ * divergence" without looking at the bytes. Fetch the remote object once to
+ * a throwaway temp file, hash it the same symlink-aware way the planner
+ * hashed local, and report whether the two contents DIFFER.
+ *
+ * Returns `true` on a genuine difference (a real fresh collision) and
+ * `false` when the bytes are identical. Fails safe to `true` on any
+ * fetch/hash error — a false positive merely prompts the operator, while a
+ * false negative could silently clobber a peer's content. Mirrors the
+ * pull-side convergence guard in `sync.ts`.
+ *
+ * The temp file lives in the OS temp dir (never under hqRoot) so it can
+ * never round-trip to S3, and is removed in a `finally` regardless of
+ * outcome. The name is derived from the relative path so concurrent probes
+ * for distinct files never collide on disk.
+ */
+async function remoteContentDiffers(
+  ctx: EntityContext,
+  relativePath: string,
+  localHash: string,
+  hqRoot: string,
+): Promise<boolean> {
+  const probeKey = crypto
+    .createHash("sha256")
+    .update(relativePath)
+    .digest("hex")
+    .slice(0, 16);
+  const probePath = path.join(
+    os.tmpdir(),
+    `hq-conflict-probe-${readShortMachineId(hqRoot)}-${probeKey}.tmp`,
+  );
+  try {
+    await downloadFile(ctx, relativePath, probePath);
+    const remoteHash = fs.lstatSync(probePath).isSymbolicLink()
+      ? hashSymlinkTarget(fs.readlinkSync(probePath))
+      : hashFile(probePath);
+    return remoteHash !== localHash;
+  } catch {
+    return true;
+  } finally {
+    try {
+      fs.rmSync(probePath, { force: true });
+    } catch {
+      /* best-effort cleanup; a stray temp probe is harmless */
+    }
+  }
+}
+
 /**
  * Local-only ephemeral artifacts: conflict-mirror files written by the pull
  * leg whenever a 3-way merge keeps local AND wants to preserve the remote
@@ -940,12 +994,10 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
       const remoteChanged = !!journalEntry && hasRemoteChanged(remoteMeta, journalEntry);
 
       let isFreshCollision = false;
+      let multipartConverged = false;
       if (!journalEntry && item.kind === "file") {
         // Single-part S3 PUT etag is MD5 of the body. Multipart uploads
-        // produce \`<md5>-<partCount>\`; we treat any non-single-part etag
-        // as ambiguous and DO classify as a conflict (safer for the
-        // first-time path — false positives prompt the operator, false
-        // negatives lose data). Symlink records (\`kind: "symlink"\`)
+        // produce \`<md5>-<partCount>\`. Symlink records (\`kind: "symlink"\`)
         // skip the check entirely — the wire body shape (\`hq-symlink:\`
         // prefix + target) isn't a pure byte mirror and would mis-
         // classify; symlink overwrites are rare and an audit pass after
@@ -962,13 +1014,55 @@ export async function share(options: ShareOptions): Promise<ShareResult> {
           // path which is idempotent (S3 will overwrite with identical
           // content + carry our metadata). Cheap, no behavior change.
         } else {
-          // Multipart object pre-exists with unknown body shape — assume
-          // collision rather than risk a silent overwrite. The operator
-          // can resolve via the standard conflict prompt.
-          isFreshCollision = true;
+          // Multipart remote etag is \`<md5>-<partCount>\`, NOT a usable
+          // content hash, so — unlike the single-part branch — we cannot
+          // decide collision-vs-identical from the etag alone. The old
+          // behavior assumed a collision here, which minted a FALSE
+          // conflict for the most common fresh-install case: re-pushing a
+          // byte-identical \`core/\` scaffold file whose remote copy happened
+          // to be multipart-uploaded. Every fresh install that hit an
+          // already-populated bucket therefore came up "with conflicts".
+          //
+          // Instead, fetch the remote bytes once and compare content
+          // hashes directly — the same convergence guard the pull side
+          // uses (sync.ts). Identical content is NOT a conflict. On any
+          // fetch/hash failure we fail safe to "conflict" (false positives
+          // prompt the operator; false negatives risk clobbering a peer).
+          const remoteDiffers = await remoteContentDiffers(
+            ctx,
+            relativePath,
+            localHash,
+            hqRoot,
+          );
+          if (remoteDiffers) {
+            isFreshCollision = true;
+          } else {
+            // Byte-identical multipart object already present. Seed the
+            // journal baseline from the remote so the next sync sees no
+            // change on either side, and skip the redundant PUT —
+            // re-uploading would needlessly rewrite remote and churn its
+            // etag from multipart to single-part.
+            multipartConverged = true;
+          }
         }
       }
 
+      if (multipartConverged) {
+        const lstat = fs.lstatSync(absolutePath);
+        updateEntry(
+          journal,
+          relativePath,
+          localHash,
+          lstat.size,
+          "up",
+          remoteMeta.etag,
+          lstat.mtimeMs,
+        );
+        emit({ type: "reconciled", path: relativePath, direction: "push" });
+        filesSkipped++;
+        return;
+      }
+
       if ((localChanged && remoteChanged) || isFreshCollision) {
         conflictPaths.push(relativePath);
 

package/src/cli/sync-scope.test.ts

@@ -48,7 +48,12 @@ vi.mock("../s3.js", async () => {
         if (!innerFs.existsSync(dir)) innerFs.mkdirSync(dir, { recursive: true });
         // Deterministic per-key body so re-downloads produce a stable hash.
         innerFs.writeFileSync(localPath, `mock:${key}`);
-        return { metadata: {} };
+        // Real GETs carry author metadata; surface a fixed uploader sub so
+        // journal entries are stamped with a KNOWN author. With no `callerSub`
+        // passed (the default for these tests), that author is "foreign", so
+        // the scope-shrink prune/block paths behave exactly as pre-guard —
+        // only the new own-author retention test passes a matching callerSub.
+        return { metadata: { "created-by-sub": "uploader-sub" } };
       }),
     listRemoteFiles: innerVi.fn().mockImplementation(async () => REMOTE.current),
     deleteRemoteFile: innerVi.fn().mockResolvedValue(undefined),
@@ -230,6 +235,35 @@ describe("sync — scope-aware download (US-005)", () => {
     expect(fs.existsSync(companyRel("knowledge/readme.md"))).toBe(true);
   });
 
+  it("scope shrink (all → shared) RETAINS the owner's own out-of-scope file", async () => {
+    // Corey's exact scenario: the caller authored everything (the mock stamps
+    // `created-by-sub: "uploader-sub"`), so passing the matching `callerSub`
+    // means narrowing to `shared` must NOT prune their own work — mode only
+    // governs mirroring OTHER people's files.
+    const all = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      syncMode: "all",
+      callerSub: "uploader-sub",
+    });
+    expect(all.filesDownloaded).toBe(2);
+
+    const shared = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      syncMode: "shared",
+      prefixSet: ["knowledge/"],
+      callerSub: "uploader-sub",
+    });
+    // Out of scope, but authored by the caller → retained, not pruned.
+    expect(shared.scopeOrphansRemoved).toBe(0);
+    expect(shared.scopeOrphansBlocked).toBe(0);
+    expect(fs.existsSync(companyRel("docs/handoff.md"))).toBe(true);
+    expect(fs.existsSync(companyRel("knowledge/readme.md"))).toBe(true);
+  });
+
   it("refuses a bulk auto-prune over the safety cap, then proceeds when forced", async () => {
     // Pull both files under all-mode, then narrow to a scope covering neither
     // → 2 clean orphans. With the cap set to 1, the auto-prune is refused.

package/src/cli/sync.ts

@@ -149,7 +149,7 @@ export type SyncProgressEvent =
        */
       type: "reconciled";
       path: string;
-      direction: "pull";
+      direction: "pull" | "push";
     }
   | {
       type: "new-files";
@@ -330,6 +330,14 @@ export interface SyncOptions {
    * tombstoned. Mirrors `hq sync narrow --force`.
    */
   forceScopeShrink?: boolean;
+  /**
+   * The caller's own Cognito `sub`, used by the scope-shrink authorship guard
+   * so a scope shrink never prunes content the caller authored. Injected by the
+   * entry point — the runner sources it from its decoded idToken claims (the
+   * same sub stamped onto uploads as `created-by-sub`). The engine never reads
+   * it from disk, so it stays pure/hermetic; undefined degrades safely.
+   */
+  callerSub?: string;
   /**
    * Skip the post-sync `reindex()` refresh (skill wrappers + personal overlay
    * mirrors + workers registry). By default, when a sync changes on-disk
@@ -536,6 +544,13 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
   const syncMode: SyncMode = options.syncMode ?? "all";
   const currentPrefixSet =
     syncMode === "all" ? [""] : coalescePrefixes(options.prefixSet ?? []);
+  // Authorship guard input (scope-shrink): the caller's own Cognito sub,
+  // injected by the entry point (the runner sources it from its decoded
+  // idToken claims — the same sub stamped onto uploads as `created-by-sub`).
+  // Undefined degrades safely: own-author files lose their special shield, but
+  // the `protectUnknownAuthors` conservative path below still prevents a
+  // routine sync from deleting anything it can't prove is foreign.
+  const callerSub = options.callerSub;
 
   let filesDownloaded = 0;
   let bytesDownloaded = 0;
@@ -603,6 +618,11 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
     hqRoot: companyRoot,
     lastPrefixSet,
     currentPrefixSet,
+    callerSub,
+    // Automatic pull: never auto-prune content the caller authored, and never
+    // make a destructive guess about unknown-author (legacy) orphans. The
+    // explicit `hq sync narrow` ritual opts out of the unknown-author shield.
+    protectUnknownAuthors: true,
   });
   if (shrinkPlan.dirty.length > 0 && options.forceScopeShrink !== true) {
     throw new ScopeShrinkBlockedError(
@@ -988,6 +1008,9 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
       try {
         const { metadata } = await downloadFile(ctx, remoteFile.key, localPath);
         const author = metadata?.["created-by"] ?? null;
+        // Author sub for the scope-shrink authorship guard — same field the
+        // upload side stamps, read straight off the GET response metadata.
+        const createdBySub = metadata?.["created-by-sub"];
 
         // Symlink records materialize as real symlinks on disk. lstat
         // (does not follow) lets us detect that case so the journal stamp
@@ -1026,6 +1049,7 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
           "down",
           remoteFile.etag,
           localLstat.mtimeMs,
+          createdBySub,
         );
 
         // Attach message from the prior journal entry if present (set by a

package/src/journal.ts

@@ -211,6 +211,7 @@ export function updateEntry(
   direction: "up" | "down",
   remoteEtag?: string,
   mtimeMs?: number,
+  createdBySub?: string,
 ): void {
   const entry: JournalEntry = {
     hash,
@@ -224,6 +225,12 @@ export function updateEntry(
   if (mtimeMs !== undefined) {
     entry.mtimeMs = mtimeMs;
   }
+  // Authorship (scope-shrink guard input). Stamped from the object's
+  // `created-by-sub` S3 metadata on download. Only persisted when present so
+  // legacy journals and author-less uploads stay byte-identical.
+  if (createdBySub !== undefined && createdBySub !== "") {
+    entry.createdBySub = createdBySub;
+  }
   journal.files[relativePath] = entry;
   journal.lastSync = new Date().toISOString();
 }