@indigoai-us/hq-cloud 6.2.5 → 6.2.6

package/src/cli/watch-event-push-conflict.test.ts

@@ -0,0 +1,234 @@
+/**
+ * Regression guard: the watch + event-push path must NOT mint phantom
+ * `.conflict-*` mirrors for an ordinary single-writer local edit.
+ *
+ * Background (feedback_ef2b7c8c): a user editing files under
+ * `companies/{slug}/` saw the menubar's watch/event-push runner mint a
+ * `.conflict-<ts>-<machine>` mirror on EVERY ordinary local Edit/Write —
+ * thousands of phantom files in a single session. The watch/event-push runner
+ * reacts to a local change by running a targeted `--direction push` pass, i.e.
+ * `share()` over the changed company subtree, so the conflict-minting logic is
+ * share()'s push-side conflict gate. The original gate flagged a conflict on
+ * `localChanged` alone (`journalEntry.hash !== localHash`), which fires for
+ * every edit of any already-synced file. The gate now requires
+ * `(localChanged && remoteChanged) || isFreshCollision`: a single writer never
+ * has `remoteChanged` (the live S3 ETag still equals the journal's recorded
+ * baseline), so an ordinary edit is uploaded, not mirrored.
+ *
+ * This test pins that contract end-to-end through `share()` using the same
+ * mocked-S3 harness as `share.test.ts`, modelling a single-writer remote whose
+ * ETag is always exactly what THIS device last uploaded. A positive control
+ * (a genuine out-of-band peer write) proves the guard is not trivially
+ * always-zero: real divergence is still detected.
+ */
+
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { clearContextCache } from "../context.js";
+import type { VaultServiceConfig } from "../types.js";
+
+vi.mock("../s3.js", () => ({
+  toPosixKey: (key: string) => key.split("\\").join("/"),
+  uploadFile: vi.fn(),
+  uploadSymlink: vi.fn().mockResolvedValue({ etag: '"upload-symlink-etag"' }),
+  downloadFile: vi.fn().mockResolvedValue(undefined),
+  listRemoteFiles: vi.fn().mockResolvedValue([]),
+  deleteRemoteFile: vi.fn().mockResolvedValue(undefined),
+  headRemoteFile: vi.fn(),
+  primeObjectTransport: vi.fn().mockResolvedValue(undefined),
+  primeUploads: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock("readline", () => ({
+  createInterface: vi.fn(() => ({ question: vi.fn(), close: vi.fn() })),
+}));
+
+import { share } from "./share.js";
+import { downloadFile, headRemoteFile, uploadFile } from "../s3.js";
+
+const mockConfig: VaultServiceConfig = {
+  apiUrl: "https://vault-api.test",
+  authToken: "test-jwt-token",
+  region: "us-east-1",
+};
+
+const mockEntity = {
+  uid: "cmp_01ABCDEF",
+  slug: "acme",
+  bucketName: "hq-vault-acme-123",
+  status: "active",
+};
+
+function setupFetchMock() {
+  vi.stubGlobal(
+    "fetch",
+    vi.fn().mockImplementation(async (url: string) => {
+      const u = String(url);
+      if (u.includes("/entity/check-slug/me"))
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({ available: false, conflictingCompanyUid: mockEntity.uid }),
+          text: async () => "",
+        };
+      if (u.includes("/entity/by-slug/") || /\/entity\/cmp_/.test(u))
+        return { ok: true, status: 200, json: async () => ({ entity: mockEntity }), text: async () => "" };
+      if (u.includes("/sts/vend"))
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({
+            credentials: {
+              accessKeyId: "ASIA_TEST",
+              secretAccessKey: "s",
+              sessionToken: "t",
+              expiration: new Date(Date.now() + 9e5).toISOString(),
+            },
+            expiresAt: new Date(Date.now() + 9e5).toISOString(),
+          }),
+          text: async () => "",
+        };
+      return { ok: false, status: 404, text: async () => "Not found" };
+    }),
+  );
+}
+
+/** Every `.conflict-<ts>-*` mirror file anywhere under `root`. */
+function countConflictMirrors(root: string): string[] {
+  const out: string[] = [];
+  const walk = (d: string) => {
+    for (const e of fs.readdirSync(d, { withFileTypes: true })) {
+      const p = path.join(d, e.name);
+      if (e.isDirectory()) walk(p);
+      else if (/\.conflict-/.test(e.name)) out.push(p);
+    }
+  };
+  walk(root);
+  return out;
+}
+
+/**
+ * In-memory single-writer S3: the object's ETag is always exactly what THIS
+ * device last uploaded (no peer ever writes). `lastModified` advances on each
+ * PUT to model S3 stamping it server-side. The S3-module signatures are
+ * `uploadFile(ctx, localPath, key)`, `headRemoteFile(ctx, key)`,
+ * `downloadFile(ctx, key, dest)` — wire the mocks to match exactly.
+ */
+function wireSingleWriterRemote() {
+  const remote = new Map<string, { etag: string; lastModified: Date; size: number }>();
+  let clock = Date.now();
+  let seq = 0;
+  vi.mocked(uploadFile).mockImplementation(async (_ctx: unknown, localPath: string, key: string) => {
+    const etag = `"etag-${seq++}"`;
+    clock += 1000;
+    remote.set(key, { etag, lastModified: new Date(clock), size: fs.statSync(localPath).size });
+    return { etag };
+  });
+  vi.mocked(headRemoteFile).mockImplementation(async (_ctx: unknown, key: string) => {
+    const r = remote.get(key);
+    return r ? { lastModified: r.lastModified, etag: r.etag, size: r.size } : null;
+  });
+  vi.mocked(downloadFile).mockImplementation(async (_ctx: unknown, _key: string, dest: string) => {
+    fs.mkdirSync(path.dirname(dest), { recursive: true });
+    fs.writeFileSync(dest, "remote-bytes\n");
+    return {};
+  });
+  return remote;
+}
+
+describe("watch + event-push conflict regression (feedback_ef2b7c8c)", () => {
+  let tmpDir: string;
+  let stateDir: string;
+
+  beforeEach(() => {
+    clearContextCache();
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "hq-watch-conflict-"));
+    stateDir = fs.mkdtempSync(path.join(os.tmpdir(), "hq-watch-state-"));
+    process.env.HQ_STATE_DIR = stateDir;
+    setupFetchMock();
+  });
+
+  afterEach(() => {
+    vi.unstubAllGlobals();
+    vi.clearAllMocks();
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+    fs.rmSync(stateDir, { recursive: true, force: true });
+    delete process.env.HQ_STATE_DIR;
+  });
+
+  it("a single writer's repeated local edits mint ZERO .conflict-* files", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(companyRoot, { recursive: true });
+    const files = ["notes.md", "plan.md", "ideas.md"].map((n) => path.join(companyRoot, n));
+    for (const f of files) fs.writeFileSync(f, "v0\n");
+
+    wireSingleWriterRemote();
+
+    const conflictPathsSeen: string[] = [];
+    // The event-push runner pushes the changed company subtree. Mirror that:
+    // share() over the company root on every settled change.
+    const eventPush = async () => {
+      const r = await share({
+        paths: [companyRoot],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        onConflict: "keep",
+        onEvent: () => {},
+      });
+      conflictPathsSeen.push(...r.conflictPaths);
+    };
+
+    // Initial sync establishes the journal baseline (first upload of each file).
+    await eventPush();
+
+    // An editing session: 30 ordinary local edits, round-robin across the
+    // files, each followed by its targeted event-push.
+    for (let i = 0; i < 30; i++) {
+      fs.writeFileSync(files[i % files.length], `v${i + 1}\n`);
+      await eventPush();
+    }
+
+    expect(countConflictMirrors(tmpDir)).toEqual([]);
+    expect(conflictPathsSeen).toEqual([]);
+  });
+
+  it("positive control: a genuine peer write is still detected as a conflict", async () => {
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    fs.mkdirSync(companyRoot, { recursive: true });
+    const file = path.join(companyRoot, "contested.md");
+    fs.writeFileSync(file, "v0\n");
+
+    const remote = wireSingleWriterRemote();
+
+    const conflictPathsSeen: string[] = [];
+    const eventPush = async () => {
+      const r = await share({
+        paths: [companyRoot],
+        company: "acme",
+        vaultConfig: mockConfig,
+        hqRoot: tmpDir,
+        onConflict: "keep",
+        onEvent: () => {},
+      });
+      conflictPathsSeen.push(...r.conflictPaths);
+    };
+
+    await eventPush(); // baseline
+
+    // A peer advances the remote object out-of-band to DIFFERENT bytes. Journal
+    // keys are company-relative, so the key is "contested.md".
+    remote.set("contested.md", { etag: '"peer-etag"', lastModified: new Date(Date.now() + 60_000), size: 99 });
+    // ...and we also edit locally → both sides moved → a genuine conflict.
+    fs.writeFileSync(file, "v1-local\n");
+    await eventPush();
+
+    // Existing-entry push conflicts surface via conflictPaths (the inspection
+    // mirror is written by the pull leg). The contract under test: a REAL
+    // divergence is still flagged — the single-writer guard above did not
+    // over-correct into swallowing true conflicts.
+    expect(conflictPathsSeen).toContain("contested.md");
+  });
+});

package/src/prefix-coalesce.ts

@@ -71,6 +71,41 @@ export function isCoveredByAny(
   return false;
 }
 
+/**
+ * Directory companion to `isCoveredByAny`: should the push/pull walk DESCEND
+ * into directory `relDir` (company-relative, no leading slash) given the
+ * granted `prefixSet`?
+ *
+ * A file uses plain `startsWith` (`isCoveredByAny`), but a directory must be
+ * descended whenever it COULD contain an in-scope file — which is true in two
+ * directions:
+ *   - the directory sits INSIDE a granted prefix (`knowledge/sub` under
+ *     `knowledge/`), or
+ *   - a granted prefix sits INSIDE the directory (`knowledge/` under the
+ *     company root `""`, or `knowledge/README.md` under `knowledge/`).
+ * Without the second case the walk would refuse to descend into `knowledge/`
+ * to reach a `knowledge/README.md` exact-file grant, scoping the whole tree
+ * to nothing.
+ *
+ * The directory is normalized to a trailing-slash form so the `startsWith`
+ * comparisons line up with coalesced prefixes (which are themselves either
+ * trailing-slash dir prefixes or exact-file keys). The empty string (company
+ * root) always descends when any prefix exists.
+ */
+export function isDirInScope(
+  relDir: string,
+  prefixSet: readonly string[],
+): boolean {
+  const dir = relDir === "" || relDir.endsWith("/") ? relDir : relDir + "/";
+  for (const p of prefixSet) {
+    if (p === "") return true; // full scope
+    if (dir === "") return true; // company root — descend to reach grants
+    if (dir.startsWith(p)) return true; // dir is inside a granted prefix
+    if (p.startsWith(dir)) return true; // a granted prefix is inside dir
+  }
+  return false;
+}
+
 /**
  * Normalize a raw ACL grant `path` into a COMPANY-RELATIVE prefix suitable
  * for `coalescePrefixes` + `isCoveredByAny` (which do literal `startsWith`