@indigoai-us/hq-cloud 6.2.2 → 6.2.3

package/src/cli/rescue-journal-reconcile.test.ts

@@ -1,17 +1,20 @@
 /**
- * Regression for the rescue → sync-journal stale-baseline bug.
+ * Regression for the rescue -> sync-journal stale-baseline bug (and its
+ * follow-ups). The rescue overlay + the post-overlay core.yaml stamp rewrite
+ * scaffold files from upstream, but their personal-vault journal entries keep
+ * the PRE-rescue hash. The next sync then reads localHash != journal.hash
+ * ("local changed") and mints a false `.conflict-*` mirror.
  *
- * Root cause: the rescue overlay rewrites scaffold files from upstream but
- * never re-stamps the personal-vault sync journal. The journal keeps the
- * PRE-rescue hash, so the next sync reads localHash != journal.hash ("local
- * changed") and — when the vault also moved — mints a false `.conflict-*`
- * mirror. `runRescue` now re-stamps the journal baseline for the files the
- * overlay actually re-laid (scoped to rsync `-i` itemize output, so a user's
- * pending edit is never touched).
+ * runRescue now reconciles the baseline by DIFFING the journal against current
+ * local hashes (robust — the earlier rsync-itemize regex undercounted), running
+ * AFTER every in-doRescue mutation (so it also catches the core.yaml stamp), and
+ * scoped to NON-preserved roots so a user's pending edit in personal/ is never
+ * marked synced.
  *
- * This test seeds a journal whose entry for an overlaid file carries the OLD
- * hash, runs a real (non-dry-run) rescue, and asserts the entry was re-stamped
- * to the freshly laid-down content — i.e. `localChanged` would now be false.
+ * This test seeds stale baselines for several overlaid scaffold files + core.yaml
+ * and a pending personal/ edit, runs a real rescue, and asserts: every changed
+ * scaffold entry is re-stamped to current local (no false conflict), while the
+ * personal/ pending edit is left untouched (still uploads).
  */
 import { describe, it, expect, beforeAll, afterAll } from "vitest";
 import { execFileSync } from "child_process";
@@ -52,7 +55,9 @@ function runRescueCapture(argv: string[], env: NodeJS.ProcessEnv) {
   return { status, stdout };
 }
 
-describe.skipIf(!gitAvailable)("rescue re-stamps sync-journal baseline for re-laid files", () => {
+const SCAFFOLD = ["core/a.md", "core/docs/b.md", ".claude/c.sh", "core/core.yaml"];
+
+describe.skipIf(!gitAvailable)("rescue reconciles sync-journal baseline (complete + robust)", () => {
   let workDir: string, upstream: string, hqRoot: string, stateDir: string, floorSha: string;
   let env: NodeJS.ProcessEnv;
   let savedStateDir: string | undefined;
@@ -64,52 +69,61 @@ describe.skipIf(!gitAvailable)("rescue re-stamps sync-journal baseline for re-la
       env: { ...process.env, GIT_AUTHOR_NAME: "t", GIT_AUTHOR_EMAIL: "t@t", GIT_COMMITTER_NAME: "t", GIT_COMMITTER_EMAIL: "t@t" },
     }).toString().trim();
 
+  const w = (root: string, rel: string, body: string) => {
+    const p = path.join(root, rel);
+    fs.mkdirSync(path.dirname(p), { recursive: true });
+    fs.writeFileSync(p, body);
+  };
+
   beforeAll(() => {
     workDir = fs.mkdtempSync(path.join(os.tmpdir(), "hq-rescue-journal-"));
 
-    // upstream: floor (doc.md=v1), then HEAD advances doc.md -> v2.
+    // --- upstream: floor (all scaffold = v1), HEAD advances the 3 docs to v2 ---
     upstream = path.join(workDir, "upstream");
-    fs.mkdirSync(path.join(upstream, "core"), { recursive: true });
+    fs.mkdirSync(upstream, { recursive: true });
     git(workDir, "init", "-b", "main", "upstream");
-    fs.writeFileSync(path.join(upstream, "core/doc.md"), "v1\n");
-    git(upstream, "add", "-A");
-    git(upstream, "commit", "-m", "floor");
+    w(upstream, "core/a.md", "v1\n");
+    w(upstream, "core/docs/b.md", "v1\n");
+    w(upstream, ".claude/c.sh", "v1\n");
+    w(upstream, "core/core.yaml", "version: 1\n");
+    git(upstream, "add", "-A"); git(upstream, "commit", "-m", "floor");
     floorSha = git(upstream, "rev-parse", "HEAD");
-    fs.writeFileSync(path.join(upstream, "core/doc.md"), "v2\n");
-    git(upstream, "add", "-A");
-    git(upstream, "commit", "-m", "head");
+    w(upstream, "core/a.md", "v2\n");
+    w(upstream, "core/docs/b.md", "v2\n");
+    w(upstream, ".claude/c.sh", "v2\n");
+    git(upstream, "add", "-A"); git(upstream, "commit", "-m", "head");
 
-    // local HQ root: doc.md == floor (v1) -> rescue overlays it to HEAD (v2).
+    // --- local HQ root: scaffold == floor (overlaid to v2); a pending personal/ edit ---
     hqRoot = path.join(workDir, "hq");
-    fs.mkdirSync(path.join(hqRoot, "core"), { recursive: true });
-    fs.mkdirSync(path.join(hqRoot, "personal"), { recursive: true });
     fs.mkdirSync(path.join(hqRoot, "companies"), { recursive: true });
-    const docAbs = path.join(hqRoot, "core/doc.md");
-    fs.writeFileSync(docAbs, "v1\n");
+    w(hqRoot, "core/a.md", "v1\n");
+    w(hqRoot, "core/docs/b.md", "v1\n");
+    w(hqRoot, ".claude/c.sh", "v1\n");
+    w(hqRoot, "core/core.yaml", "version: 1\n");
+    w(hqRoot, "personal/edited.md", "USER_LOCAL\n"); // local pending edit
 
-    // state dir + seeded personal-vault journal carrying the STALE (v1) hash.
+    // --- state dir + seeded journal: stale baselines for scaffold + a divergent personal/ entry ---
     stateDir = path.join(workDir, "state");
     fs.mkdirSync(stateDir, { recursive: true });
     savedStateDir = process.env.HQ_STATE_DIR;
-    process.env.HQ_STATE_DIR = stateDir; // getStateDir() reads process.env
-    const staleHash = hashFile(docAbs); // hash of v1
+    process.env.HQ_STATE_DIR = stateDir;
+    const entry = (rel: string, hash: string) => ({
+      hash,
+      size: fs.statSync(path.join(hqRoot, rel)).size,
+      syncedAt: new Date(0).toISOString(),
+      direction: "down" as const,
+      remoteEtag: "seed-etag",
+      mtimeMs: fs.statSync(path.join(hqRoot, rel)).mtimeMs,
+    });
+    const files: Record<string, unknown> = {};
+    for (const rel of SCAFFOLD) files[rel] = entry(rel, hashFile(path.join(hqRoot, rel))); // hash of v1/version:1
+    // personal/ pending edit: journal records a DIFFERENT (already-synced) hash than local.
+    files["personal/edited.md"] = { ...entry("personal/edited.md", "remote-side-hash-differs-from-local") };
     writeJournal(PERSONAL_VAULT_JOURNAL_SLUG, {
-      version: "2",
-      lastSync: new Date(0).toISOString(),
-      files: {
-        "core/doc.md": {
-          hash: staleHash,
-          size: fs.statSync(docAbs).size,
-          syncedAt: new Date(0).toISOString(),
-          direction: "down",
-          remoteEtag: "seed-etag",
-          mtimeMs: fs.statSync(docAbs).mtimeMs,
-        },
-      },
-      pulls: [],
+      version: "2", lastSync: new Date(0).toISOString(), files, pulls: [],
     } as never);
 
-    // git shim: redirect `git clone <github-url>` to the local fixture.
+    // --- git shim: redirect clone to the local fixture ---
     const realGit = execFileSync("bash", ["-lc", "command -v git"]).toString().trim() || "/usr/bin/git";
     const shimDir = path.join(workDir, "shim");
     fs.mkdirSync(shimDir, { recursive: true });
@@ -133,24 +147,33 @@ exec ${JSON.stringify(realGit)} "$@"
     if (workDir) fs.rmSync(workDir, { recursive: true, force: true });
   });
 
-  it("re-stamps the journal so the overlaid file is no longer seen as locally changed", () => {
-    const docAbs = path.join(hqRoot, "core/doc.md");
-    const staleHash = readJournal(PERSONAL_VAULT_JOURNAL_SLUG).files["core/doc.md"].hash;
-
+  it("re-stamps EVERY changed scaffold file (incl. core.yaml), and never touches the personal/ pending edit", () => {
     const r = runRescueCapture(
       ["--hq-root", hqRoot, "--source", "test/repo", "--ref", "main", "--floor-sha", floorSha, "--yes", "--no-backup"],
       env,
     );
     expect(r.status, r.stdout).toBe(0);
 
-    // overlay actually re-laid the file (v1 -> v2)
-    expect(fs.readFileSync(docAbs, "utf-8")).toBe("v2\n");
+    // the 3 docs were overlaid v1 -> v2
+    for (const rel of ["core/a.md", "core/docs/b.md", ".claude/c.sh"]) {
+      expect(fs.readFileSync(path.join(hqRoot, rel), "utf-8")).toBe("v2\n");
+    }
+
+    const j = readJournal(PERSONAL_VAULT_JOURNAL_SLUG).files;
+
+    // INVARIANT: after the reconcile, every scaffold entry's baseline == current
+    // local hash -> localChanged is false -> no false conflict on the next sync.
+    // core.yaml is included BECAUSE the reconcile runs AFTER its yq/py stamp.
+    for (const rel of SCAFFOLD) {
+      expect(j[rel].hash, `${rel} not reconciled`).toBe(hashFile(path.join(hqRoot, rel)));
+      expect(j[rel].remoteEtag, `${rel} remote side touched`).toBe("seed-etag"); // clean push/converge, not conflict
+    }
+
+    // SAFETY: the personal/ pending edit is preserved (NOT marked synced) so it
+    // still uploads — its baseline stays the divergent seeded hash.
+    expect(j["personal/edited.md"].hash).toBe("remote-side-hash-differs-from-local");
+    expect(j["personal/edited.md"].hash).not.toBe(hashFile(path.join(hqRoot, "personal/edited.md")));
 
-    // journal entry was re-stamped to the NEW content's hash
-    const entry = readJournal(PERSONAL_VAULT_JOURNAL_SLUG).files["core/doc.md"];
-    expect(entry.hash).toBe(hashFile(docAbs)); // == hash(v2): localChanged would be FALSE
-    expect(entry.hash).not.toBe(staleHash); // proves it changed from the stale v1 baseline
-    expect(entry.remoteEtag).toBe("seed-etag"); // remote side untouched -> clean push/converge, not conflict
     expect(r.stdout).toContain("Reconciled sync-journal baseline");
   });
 });

package/src/cli/sync-scope.test.ts

@@ -48,7 +48,12 @@ vi.mock("../s3.js", async () => {
         if (!innerFs.existsSync(dir)) innerFs.mkdirSync(dir, { recursive: true });
         // Deterministic per-key body so re-downloads produce a stable hash.
         innerFs.writeFileSync(localPath, `mock:${key}`);
-        return { metadata: {} };
+        // Real GETs carry author metadata; surface a fixed uploader sub so
+        // journal entries are stamped with a KNOWN author. With no `callerSub`
+        // passed (the default for these tests), that author is "foreign", so
+        // the scope-shrink prune/block paths behave exactly as pre-guard —
+        // only the new own-author retention test passes a matching callerSub.
+        return { metadata: { "created-by-sub": "uploader-sub" } };
       }),
     listRemoteFiles: innerVi.fn().mockImplementation(async () => REMOTE.current),
     deleteRemoteFile: innerVi.fn().mockResolvedValue(undefined),
@@ -230,6 +235,35 @@ describe("sync — scope-aware download (US-005)", () => {
     expect(fs.existsSync(companyRel("knowledge/readme.md"))).toBe(true);
   });
 
+  it("scope shrink (all → shared) RETAINS the owner's own out-of-scope file", async () => {
+    // Corey's exact scenario: the caller authored everything (the mock stamps
+    // `created-by-sub: "uploader-sub"`), so passing the matching `callerSub`
+    // means narrowing to `shared` must NOT prune their own work — mode only
+    // governs mirroring OTHER people's files.
+    const all = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      syncMode: "all",
+      callerSub: "uploader-sub",
+    });
+    expect(all.filesDownloaded).toBe(2);
+
+    const shared = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+      syncMode: "shared",
+      prefixSet: ["knowledge/"],
+      callerSub: "uploader-sub",
+    });
+    // Out of scope, but authored by the caller → retained, not pruned.
+    expect(shared.scopeOrphansRemoved).toBe(0);
+    expect(shared.scopeOrphansBlocked).toBe(0);
+    expect(fs.existsSync(companyRel("docs/handoff.md"))).toBe(true);
+    expect(fs.existsSync(companyRel("knowledge/readme.md"))).toBe(true);
+  });
+
   it("refuses a bulk auto-prune over the safety cap, then proceeds when forced", async () => {
     // Pull both files under all-mode, then narrow to a scope covering neither
     // → 2 clean orphans. With the cap set to 1, the auto-prune is refused.

package/src/cli/sync.ts

@@ -330,6 +330,14 @@ export interface SyncOptions {
    * tombstoned. Mirrors `hq sync narrow --force`.
    */
   forceScopeShrink?: boolean;
+  /**
+   * The caller's own Cognito `sub`, used by the scope-shrink authorship guard
+   * so a scope shrink never prunes content the caller authored. Injected by the
+   * entry point — the runner sources it from its decoded idToken claims (the
+   * same sub stamped onto uploads as `created-by-sub`). The engine never reads
+   * it from disk, so it stays pure/hermetic; undefined degrades safely.
+   */
+  callerSub?: string;
   /**
    * Skip the post-sync `reindex()` refresh (skill wrappers + personal overlay
    * mirrors + workers registry). By default, when a sync changes on-disk
@@ -536,6 +544,13 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
   const syncMode: SyncMode = options.syncMode ?? "all";
   const currentPrefixSet =
     syncMode === "all" ? [""] : coalescePrefixes(options.prefixSet ?? []);
+  // Authorship guard input (scope-shrink): the caller's own Cognito sub,
+  // injected by the entry point (the runner sources it from its decoded
+  // idToken claims — the same sub stamped onto uploads as `created-by-sub`).
+  // Undefined degrades safely: own-author files lose their special shield, but
+  // the `protectUnknownAuthors` conservative path below still prevents a
+  // routine sync from deleting anything it can't prove is foreign.
+  const callerSub = options.callerSub;
 
   let filesDownloaded = 0;
   let bytesDownloaded = 0;
@@ -603,6 +618,11 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
     hqRoot: companyRoot,
     lastPrefixSet,
     currentPrefixSet,
+    callerSub,
+    // Automatic pull: never auto-prune content the caller authored, and never
+    // make a destructive guess about unknown-author (legacy) orphans. The
+    // explicit `hq sync narrow` ritual opts out of the unknown-author shield.
+    protectUnknownAuthors: true,
   });
   if (shrinkPlan.dirty.length > 0 && options.forceScopeShrink !== true) {
     throw new ScopeShrinkBlockedError(
@@ -988,6 +1008,9 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
       try {
         const { metadata } = await downloadFile(ctx, remoteFile.key, localPath);
         const author = metadata?.["created-by"] ?? null;
+        // Author sub for the scope-shrink authorship guard — same field the
+        // upload side stamps, read straight off the GET response metadata.
+        const createdBySub = metadata?.["created-by-sub"];
 
         // Symlink records materialize as real symlinks on disk. lstat
         // (does not follow) lets us detect that case so the journal stamp
@@ -1026,6 +1049,7 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
           "down",
           remoteFile.etag,
           localLstat.mtimeMs,
+          createdBySub,
         );
 
         // Attach message from the prior journal entry if present (set by a

package/src/journal.ts

@@ -211,6 +211,7 @@ export function updateEntry(
   direction: "up" | "down",
   remoteEtag?: string,
   mtimeMs?: number,
+  createdBySub?: string,
 ): void {
   const entry: JournalEntry = {
     hash,
@@ -224,6 +225,12 @@ export function updateEntry(
   if (mtimeMs !== undefined) {
     entry.mtimeMs = mtimeMs;
   }
+  // Authorship (scope-shrink guard input). Stamped from the object's
+  // `created-by-sub` S3 metadata on download. Only persisted when present so
+  // legacy journals and author-less uploads stay byte-identical.
+  if (createdBySub !== undefined && createdBySub !== "") {
+    entry.createdBySub = createdBySub;
+  }
   journal.files[relativePath] = entry;
   journal.lastSync = new Date().toISOString();
 }

package/src/remote-pull.test.ts

@@ -594,6 +594,9 @@ describe("pullCompany (engine orchestrator)", () => {
           size: 8,
           syncedAt: new Date().toISOString(),
           direction: "down",
+          // Authored by someone else (no matching callerSub passed below), so
+          // the authorship guard correctly leaves it eligible for shrink.
+          createdBySub: "uploader-sub",
         },
       },
       pulls: [
@@ -651,12 +654,14 @@ describe("pullCompany (engine orchestrator)", () => {
           size: 8,
           syncedAt: new Date().toISOString(),
           direction: "down",
+          createdBySub: "uploader-sub", // foreign author — eligible for shrink
         },
         "companies/indigo/scratch/clean.md": {
           hash: sha256("clean"),
           size: 5,
           syncedAt: new Date().toISOString(),
           direction: "down",
+          createdBySub: "uploader-sub", // foreign author — eligible for shrink
         },
       },
       pulls: [
@@ -711,6 +716,7 @@ describe("pullCompany (engine orchestrator)", () => {
           size: 5,
           syncedAt: new Date(Date.now() - 60_000).toISOString(),
           direction: "down",
+          createdBySub: "uploader-sub", // foreign author — eligible for shrink
         },
       },
     };
@@ -741,6 +747,118 @@ describe("pullCompany (engine orchestrator)", () => {
     expect(journal.version).toBe("2"); // migrated by appendPullRecord
   });
 
+  it("retains a caller-authored orphan across a scope shrink (own work is never pruned)", async () => {
+    // The owner narrowed to `shared`, but `projects/mine.md` is their own work
+    // (createdBySub === callerSub). A scope shrink must NOT prune it — mode
+    // only governs mirroring OTHER people's files.
+    const mineAbs = path.join(hqRoot, "companies/indigo/projects/mine.md");
+    fs.mkdirSync(path.dirname(mineAbs), { recursive: true });
+    fs.writeFileSync(mineAbs, "mine");
+    const past = Date.now() - 60_000;
+    fs.utimesSync(mineAbs, past / 1000, past / 1000);
+
+    const journal: SyncJournal = {
+      version: "2",
+      lastSync: "",
+      files: {
+        "companies/indigo/projects/mine.md": {
+          hash: sha256("mine"),
+          size: 4,
+          syncedAt: new Date().toISOString(),
+          direction: "down",
+          createdBySub: "owner-sub",
+        },
+      },
+      pulls: [
+        {
+          pullId: "01PREV",
+          companyUid: "cmp_indigo",
+          startedAt: "2026-05-19T00:00:00.000Z",
+          completedAt: "2026-05-19T00:00:05.000Z",
+          syncMode: "all",
+          prefixSet: ["companies/indigo/"],
+          scopeChangeDetected: false,
+          orphansRemoved: 0,
+          orphansBlocked: 0,
+        },
+      ],
+    };
+
+    const result = await pullCompany({
+      ctx: makeCtx(),
+      journal,
+      hqRoot,
+      callerSub: "owner-sub",
+      scope: {
+        companyUid: "cmp_indigo",
+        syncMode: "shared",
+        prefixSet: ["companies/indigo/meetings/"],
+        strategy: "vend-fanout",
+      },
+      listFn: async () => [],
+    });
+
+    expect(result.pullRecord.scopeChangeDetected).toBe(false);
+    expect(result.pullRecord.orphansRemoved).toBe(0);
+    expect(fs.existsSync(mineAbs)).toBe(true); // own work preserved
+  });
+
+  it("retains an unknown-author orphan on the automatic path (conservative, never auto-deletes)", async () => {
+    // A legacy entry with no recorded author. The background pull must not make
+    // a destructive guess — retain it (the explicit narrow ritual is the
+    // confirmed path that can reclaim it).
+    const legacyAbs = path.join(hqRoot, "companies/indigo/projects/legacy.md");
+    fs.mkdirSync(path.dirname(legacyAbs), { recursive: true });
+    fs.writeFileSync(legacyAbs, "legacy");
+    const past = Date.now() - 60_000;
+    fs.utimesSync(legacyAbs, past / 1000, past / 1000);
+
+    const journal: SyncJournal = {
+      version: "2",
+      lastSync: "",
+      files: {
+        "companies/indigo/projects/legacy.md": {
+          hash: sha256("legacy"),
+          size: 6,
+          syncedAt: new Date().toISOString(),
+          direction: "down",
+          // no createdBySub — predates author stamping
+        },
+      },
+      pulls: [
+        {
+          pullId: "01PREV",
+          companyUid: "cmp_indigo",
+          startedAt: "2026-05-19T00:00:00.000Z",
+          completedAt: "2026-05-19T00:00:05.000Z",
+          syncMode: "all",
+          prefixSet: ["companies/indigo/"],
+          scopeChangeDetected: false,
+          orphansRemoved: 0,
+          orphansBlocked: 0,
+        },
+      ],
+    };
+
+    const result = await pullCompany({
+      ctx: makeCtx(),
+      journal,
+      hqRoot,
+      callerSub: "owner-sub",
+      scope: {
+        companyUid: "cmp_indigo",
+        syncMode: "shared",
+        prefixSet: ["companies/indigo/meetings/"],
+        strategy: "vend-fanout",
+      },
+      listFn: async () => [],
+    });
+
+    expect(result.pullRecord.scopeChangeDetected).toBe(false);
+    expect(result.pullRecord.orphansRemoved).toBe(0);
+    expect(fs.existsSync(legacyAbs)).toBe(true); // legacy file retained
+  });
+
   it("GC's expired tombstones at the start of every leg", async () => {
     const old = new Date(
       Date.now() - 31 * 24 * 60 * 60 * 1000,

package/src/remote-pull.ts

@@ -368,6 +368,13 @@ export interface PullCompanyInput {
   conflictKeys?: Set<string>;
   /** Honor the operator override on dirty orphans (US-005 contract). */
   forceScopeShrink?: boolean;
+  /**
+   * The caller's own Cognito `sub` for the scope-shrink authorship guard — a
+   * scope shrink never prunes content the caller authored. Defaults to the
+   * cached session sub (`resolveCallerSubFromCache()`); pass explicitly when
+   * the runner already decoded its idToken claims.
+   */
+  callerSub?: string;
   /** Listing override hook — see `ListRemoteForScopeInput.listFn`. */
   listFn?: ListRemoteForScopeInput["listFn"];
   vendForBatchFn?: ListRemoteForScopeInput["vendForBatchFn"];
@@ -432,6 +439,11 @@ export async function pullCompany(
     hqRoot: input.hqRoot,
     lastPrefixSet,
     currentPrefixSet: input.scope.prefixSet,
+    callerSub: input.callerSub,
+    // Background runner pull: protect the caller's own work and don't make a
+    // destructive guess about unknown-author (legacy) orphans. The explicit
+    // `hq sync narrow` ritual is the confirmed path that opts out of this.
+    protectUnknownAuthors: true,
   });
 
   let scopeShrinkApplied: ApplyScopeShrinkResult | null = null;

package/src/scope-shrink.test.ts

@@ -239,6 +239,134 @@ describe("buildScopeShrinkPlan", () => {
     });
     expect(plan.orphans).toEqual([]);
   });
+
+  // ── Authorship guard ──────────────────────────────────────────────────────
+  // Sync mode decides whether you mirror OTHER people's files; it must never
+  // orphan content the caller authored. Owners hold their whole vault by
+  // role-bypass, so without this guard a `shared`/`custom` scope would treat
+  // their own un-granted work as "someone else's file" and prune it.
+
+  it("never orphans a file the caller authored, even out of scope", () => {
+    const journal: SyncJournal = {
+      ...emptyJournal(),
+      files: {
+        "companies/indigo/projects/mine.md": {
+          hash: "h",
+          size: 1,
+          syncedAt: "2026-05-01T00:00:00.000Z",
+          direction: "down",
+          createdBySub: "sub-corey",
+        },
+      },
+    };
+    const plan = buildScopeShrinkPlan({
+      journal,
+      hqRoot,
+      lastPrefixSet: ["companies/indigo/"],
+      currentPrefixSet: ["companies/indigo/meetings/"],
+      callerSub: "sub-corey",
+    });
+    expect(plan.orphans).toEqual([]);
+    expect(plan.scopeChangeDetected).toBe(false);
+  });
+
+  it("orphans a file authored by someone else (mode stops mirroring others' files)", () => {
+    const journal: SyncJournal = {
+      ...emptyJournal(),
+      files: {
+        "companies/indigo/projects/theirs.md": {
+          hash: "h",
+          size: 1,
+          syncedAt: "2026-05-01T00:00:00.000Z",
+          direction: "down",
+          createdBySub: "sub-jacob",
+        },
+      },
+    };
+    const plan = buildScopeShrinkPlan({
+      journal,
+      hqRoot,
+      lastPrefixSet: ["companies/indigo/"],
+      currentPrefixSet: ["companies/indigo/meetings/"],
+      callerSub: "sub-corey",
+      protectUnknownAuthors: true,
+    });
+    expect(plan.orphans.map((o) => o.path)).toEqual([
+      "companies/indigo/projects/theirs.md",
+    ]);
+  });
+
+  it("retains an unknown-author orphan when protectUnknownAuthors is set (conservative auto path)", () => {
+    const journal: SyncJournal = {
+      ...emptyJournal(),
+      files: {
+        "companies/indigo/projects/legacy.md": {
+          hash: "h",
+          size: 1,
+          syncedAt: "2026-05-01T00:00:00.000Z",
+          direction: "down",
+          // no createdBySub — a legacy entry predating author stamping
+        },
+      },
+    };
+    const plan = buildScopeShrinkPlan({
+      journal,
+      hqRoot,
+      lastPrefixSet: ["companies/indigo/"],
+      currentPrefixSet: ["companies/indigo/meetings/"],
+      callerSub: "sub-corey",
+      protectUnknownAuthors: true,
+    });
+    expect(plan.orphans).toEqual([]);
+  });
+
+  it("prunes an unknown-author orphan when protectUnknownAuthors is off (explicit narrow path)", () => {
+    const journal: SyncJournal = {
+      ...emptyJournal(),
+      files: {
+        "companies/indigo/projects/legacy.md": {
+          hash: "h",
+          size: 1,
+          syncedAt: "2026-05-01T00:00:00.000Z",
+          direction: "down",
+        },
+      },
+    };
+    const plan = buildScopeShrinkPlan({
+      journal,
+      hqRoot,
+      lastPrefixSet: ["companies/indigo/"],
+      currentPrefixSet: ["companies/indigo/meetings/"],
+      callerSub: "sub-corey",
+    });
+    expect(plan.orphans.map((o) => o.path)).toEqual([
+      "companies/indigo/projects/legacy.md",
+    ]);
+  });
+
+  it("ignores authorship when no callerSub is supplied (back-compat)", () => {
+    const journal: SyncJournal = {
+      ...emptyJournal(),
+      files: {
+        "companies/indigo/projects/mine.md": {
+          hash: "h",
+          size: 1,
+          syncedAt: "2026-05-01T00:00:00.000Z",
+          direction: "down",
+          createdBySub: "sub-corey",
+        },
+      },
+    };
+    const plan = buildScopeShrinkPlan({
+      journal,
+      hqRoot,
+      lastPrefixSet: ["companies/indigo/"],
+      currentPrefixSet: ["companies/indigo/meetings/"],
+    });
+    expect(plan.orphans.map((o) => o.path)).toEqual([
+      "companies/indigo/projects/mine.md",
+    ]);
+  });
 });
 
 describe("applyScopeShrink", () => {