@indigoai-us/hq-cloud 6.2.2 → 6.2.3

package/src/scope-shrink.ts

@@ -62,6 +62,26 @@ export interface BuildScopeShrinkPlanInput {
   lastPrefixSet: string[];
   /** Coalesced prefixes the CURRENT pull will use. */
   currentPrefixSet: string[];
+  /**
+   * The caller's own Cognito `sub`. When set, a file the caller authored
+   * (`entry.createdBySub === callerSub`) is NEVER orphaned by a scope shrink —
+   * regardless of mode. This is the core of the authorship contract: sync mode
+   * governs whether you mirror *other people's* files; it must never disown
+   * your own work. Owners hold their whole vault by role-bypass, so without
+   * this guard a `shared`/`custom` scope would treat their own un-granted
+   * content as "someone else's file I happen to see" and prune it.
+   */
+  callerSub?: string;
+  /**
+   * When `true`, an orphan whose authorship is unknown (`createdBySub`
+   * undefined — a legacy entry predating author stamping, or an object
+   * uploaded without author metadata) is also retained rather than pruned.
+   * The automatic background pull sets this so a routine sync never makes a
+   * destructive guess about pre-stamp content; the explicit `hq sync narrow`
+   * ritual (which carries its own confirmation + dirty gate) leaves it off so
+   * a deliberately-confirmed narrow can still reclaim legacy files.
+   */
+  protectUnknownAuthors?: boolean;
 }
 
 /**
@@ -84,6 +104,7 @@ export function buildScopeShrinkPlan(
   input: BuildScopeShrinkPlanInput,
 ): ScopeShrinkPlan {
   const { journal, hqRoot, lastPrefixSet, currentPrefixSet } = input;
+  const { callerSub, protectUnknownAuthors } = input;
   const orphans: OrphanClassification[] = [];
 
   for (const [relPath, entry] of Object.entries(journal.files)) {
@@ -91,6 +112,14 @@ export function buildScopeShrinkPlan(
     if (entry.direction !== "down") continue;
     if (!isCoveredByAny(relPath, lastPrefixSet)) continue;
     if (isCoveredByAny(relPath, currentPrefixSet)) continue;
+    // Authorship guard: sync mode decides whether you mirror OTHER people's
+    // files — it must never disown your own. A file the caller authored is
+    // sacred and never orphaned, even out of the current prefix scope. When
+    // `protectUnknownAuthors` is set (the automatic pull path), a legacy
+    // entry with no recorded author is also retained — a routine background
+    // sync should never make a destructive guess about pre-stamp content.
+    if (callerSub && entry.createdBySub === callerSub) continue;
+    if (protectUnknownAuthors && entry.createdBySub === undefined) continue;
     orphans.push(classifyOrphan(relPath, entry, hqRoot));
   }
 

package/src/types.ts

@@ -26,6 +26,18 @@ export interface JournalEntry {
   size: number;
   syncedAt: string;
   direction: "up" | "down";
+  /**
+   * Cognito `sub` of the file's author, captured from the object's
+   * `created-by-sub` S3 user-metadata at download time (zero extra network —
+   * the GET response already carries it). Powers the scope-shrink authorship
+   * guard: a scope shrink must never orphan content the caller authored, so
+   * sync mode only ever governs whether you ALSO mirror *other people's*
+   * files. Optional for backwards compatibility — entries written before this
+   * field existed (or uploaded without author metadata) leave it `undefined`,
+   * which the automatic prune path treats conservatively (never auto-delete an
+   * unknown-author orphan).
+   */
+  createdBySub?: string;
   /**
    * S3 ETag of the remote object as of last successful sync, normalized (no
    * surrounding quotes). Optional for backwards compatibility: entries