@indigoai-us/hq-cloud 6.3.4 → 6.3.6

package/src/cli/sync.test.ts

@@ -775,6 +775,91 @@ describe("sync", () => {
     expect(journal.files["docs/kept.md"]).toBeDefined();
   });
 
+  it("does NOT tombstone a live file recorded under a Windows backslash journal key whose POSIX twin still exists remotely (ridge data-loss regression — feedback_b8d09d0f)", async () => {
+    // Root-cause regression. A pre-5.47.2 Windows client stamped the journal
+    // key with path.sep ("\\"): `projects\forecast-development\...\sean-frank.csv`.
+    // The forecast file IS still in the vault (remote LIST has the forward-slash
+    // key). Pre-fix the planner compared the raw backslash key against the
+    // forward-slash remote set, missed the match, classed the LIVE file as
+    // remote-deleted, and dropped its journal entry (and on Windows, where
+    // path.join collapses "\\", unlinked the real file — ~36 files lost in one
+    // pull). The fix: normalize journal keys to POSIX on load + compare in POSIX
+    // space, so the live file is recognized as present and never tombstoned.
+    const companyRoot = path.join(tmpDir, "companies", "acme");
+    const forecastDir = path.join(
+      companyRoot,
+      "projects",
+      "forecast-development",
+      "forecasts",
+    );
+    fs.mkdirSync(forecastDir, { recursive: true });
+    const forecastPath = path.join(forecastDir, "sean-frank.csv");
+    fs.writeFileSync(forecastPath, "forecast,data\n1,2\n");
+
+    const posixKey = "projects/forecast-development/forecasts/sean-frank.csv";
+    const backslashKey =
+      "projects\\forecast-development\\forecasts\\sean-frank.csv";
+
+    const crypto = await import("node:crypto");
+    const baseline = crypto
+      .createHash("sha256")
+      .update("forecast,data\n1,2\n")
+      .digest("hex");
+
+    // Seed the journal under the MALFORMED backslash key (the landmine state).
+    fs.writeFileSync(
+      journalPath,
+      JSON.stringify({
+        version: "2",
+        lastSync: new Date(Date.now() - 60_000).toISOString(),
+        files: {
+          [backslashKey]: {
+            hash: baseline,
+            size: 18,
+            syncedAt: new Date(Date.now() - 60_000).toISOString(),
+            direction: "down",
+            remoteEtag: "e-forecast",
+          },
+        },
+        pulls: [],
+      }),
+    );
+
+    // The vault still holds the file under its canonical forward-slash key.
+    vi.mocked(s3Module.listRemoteFiles).mockResolvedValueOnce([
+      {
+        key: posixKey,
+        size: 18,
+        lastModified: new Date(),
+        etag: '"e-forecast"',
+      },
+    ]);
+    // If anything still HEAD-probed the backslash key, S3 would say NotFound —
+    // model that worst case so the test proves the planner never gets there.
+    vi.mocked(s3Module.headRemoteFile).mockResolvedValue(null);
+
+    const result = await sync({
+      company: "acme",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    // The live forecast file MUST survive the pull.
+    expect(fs.existsSync(forecastPath)).toBe(true);
+    expect(fs.readFileSync(forecastPath, "utf-8")).toBe("forecast,data\n1,2\n");
+    // Nothing was tombstoned — the file is present remotely.
+    expect(result.filesTombstoned).toBe(0);
+
+    // The journal is healed: the malformed key is gone, the canonical POSIX key
+    // points at the live file (so a future pull stays converged, not poisoned).
+    const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+    expect(journal.files[backslashKey]).toBeUndefined();
+    expect(journal.files[posixKey]).toBeDefined();
+    expect(
+      Object.keys(journal.files).some((k) => k.includes("\\")),
+    ).toBe(false);
+  });
+
   it("does NOT tombstone keys whose local copy has diverged from the journal (Codex P1 — delete-vs-edit race)", async () => {
     // Codex review on PR #24 round 3 caught: in a delete-vs-local-edit
     // race, peer A deletes a file remotely while peer B edits it

package/src/cli/sync.ts

@@ -15,6 +15,7 @@ import {
   listRemoteFiles,
   headRemoteFile,
   primeObjectTransport,
+  toPosixKey,
 } from "../s3.js";
 import type { RemoteFile } from "../s3.js";
 import {
@@ -1253,6 +1254,17 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
   // converged. Failures are reported but non-fatal — the entry stays in
   // the journal and the next run retries.
   for (const key of plan.tombstones) {
+    // Last line of defense against the Windows backslash-key landmine: a
+    // malformed key must NEVER reach fs.unlinkSync. path.join(companyRoot, key)
+    // collapses the backslashes and resolves onto the REAL POSIX file, so
+    // unlinking here destroys live data (ridge incident, feedback_b8d09d0f).
+    // The planner already refuses to enqueue malformed keys; if one still
+    // arrives, drop the poisoned journal entry without touching disk —
+    // normalizeJournalKeys rewrites it to its POSIX form on load.
+    if (isMalformedVaultKey(key)) {
+      removeEntry(journal, key);
+      continue;
+    }
     const localPath = path.join(companyRoot, key);
     let removedSomething = false;
     try {
@@ -1795,7 +1807,19 @@ function computePullPlan(
   for (const rf of remoteFiles) remoteKeySet.add(rf.key);
   const tombstones: string[] = [];
   for (const key of Object.keys(journal.files)) {
-    if (remoteKeySet.has(key)) continue;
+    // Compare membership in POSIX space. A pre-5.47.2 Windows journal key can
+    // carry backslash separators; the remote LIST is always forward-slash, so a
+    // raw `has(key)` would miss the match and class a live local file as
+    // remote-deleted. normalizeJournalKeys() defuses this on load, but the
+    // POSIX compare is defense-in-depth (ridge data-loss, feedback_b8d09d0f).
+    const posixKey = toPosixKey(key);
+    if (remoteKeySet.has(posixKey)) continue;
+    // Never tombstone-delete via a malformed (backslash) key: the executor's
+    // path.join(companyRoot, key) collapses backslashes back onto the REAL
+    // POSIX file and unlinks live data. Leave it for normalizeJournalKeys to
+    // rewrite to POSIX on the next write; the canonical key is re-evaluated
+    // (and correctly tombstoned if genuinely remote-deleted) on a later pull.
+    if (isMalformedVaultKey(key)) continue;
     // PersonalMode key gating — mirror the download branch.
     if (personalMode && key.startsWith("companies/")) {
       const slug = key.split("/")[1] ?? "";

package/src/journal.test.ts

@@ -17,6 +17,7 @@ import {
   writeJournal,
   updateEntry,
   migrateToV2,
+  normalizeJournalKeys,
   appendPullRecord,
   lastPullRecord,
   tombstoneEntry,
@@ -208,6 +209,125 @@ describe("journal", () => {
       expect(raw.version).toBe("2");
       expect(raw.pulls).toEqual([]);
     });
+
+    it("normalizes backslash keys even on an already-v2 journal", () => {
+      // The landmine predates the v2 bump, so a poisoned journal can be v2.
+      // migrateToV2's early-return must not skip normalization.
+      const j: SyncJournal = {
+        version: "2",
+        lastSync: "",
+        files: {
+          "projects\\forecast\\x.csv": {
+            hash: "h",
+            size: 1,
+            syncedAt: "2026-06-10",
+            direction: "down",
+          },
+        },
+        pulls: [],
+      };
+      migrateToV2(j);
+      expect(j.files["projects\\forecast\\x.csv"]).toBeUndefined();
+      expect(j.files["projects/forecast/x.csv"]).toBeDefined();
+    });
+  });
+
+  describe("normalizeJournalKeys (Windows backslash-key landmine — ridge data loss)", () => {
+    // Regression for feedback_b8d09d0f: pre-5.47.2 Windows clients stamped
+    // journal keys with path.sep ("\\"). Those keys never match the
+    // forward-slash remote LIST, so the cross-machine delete planner classed
+    // live local files as remote-deleted and path.join collapsed the key back
+    // onto the real file — deleting ~36 live files in a single pull. The
+    // canonical defense is rewriting every key to POSIX form on load.
+    it("rewrites backslash keys to POSIX form and reports the count", () => {
+      const j: SyncJournal = {
+        version: "2",
+        lastSync: "",
+        files: {
+          "projects\\forecast-development\\forecasts\\sean-frank.csv": {
+            hash: "h1",
+            size: 10,
+            syncedAt: "2026-06-10",
+            direction: "down",
+          },
+          "docs\\notes.md": {
+            hash: "h2",
+            size: 5,
+            syncedAt: "2026-06-10",
+            direction: "down",
+          },
+        },
+        pulls: [],
+      };
+      const rewritten = normalizeJournalKeys(j);
+      expect(rewritten).toBe(2);
+      expect(
+        j.files["projects/forecast-development/forecasts/sean-frank.csv"],
+      ).toBeDefined();
+      expect(j.files["docs/notes.md"]).toBeDefined();
+      // No malformed keys survive.
+      expect(
+        Object.keys(j.files).some((k) => k.includes("\\")),
+      ).toBe(false);
+      // Entry payload is preserved verbatim under the new key.
+      expect(j.files["docs/notes.md"]?.hash).toBe("h2");
+    });
+
+    it("leaves a clean (all-POSIX) journal untouched and returns 0", () => {
+      const j: SyncJournal = {
+        version: "2",
+        lastSync: "",
+        files: {
+          "docs/a.md": { hash: "h", size: 1, syncedAt: "x", direction: "down" },
+        },
+        pulls: [],
+      };
+      const before = JSON.stringify(j);
+      const rewritten = normalizeJournalKeys(j);
+      expect(rewritten).toBe(0);
+      expect(JSON.stringify(j)).toBe(before);
+    });
+
+    it("prefers an existing POSIX twin and drops the malformed duplicate", () => {
+      // When both forms exist, the POSIX entry is authoritative (it round-
+      // tripped through an up-to-date client). The malformed dup is discarded.
+      const j: SyncJournal = {
+        version: "2",
+        lastSync: "",
+        files: {
+          "docs/a.md": {
+            hash: "posix-wins",
+            size: 1,
+            syncedAt: "x",
+            direction: "down",
+          },
+          "docs\\a.md": {
+            hash: "backslash-loses",
+            size: 2,
+            syncedAt: "x",
+            direction: "down",
+          },
+        },
+        pulls: [],
+      };
+      normalizeJournalKeys(j);
+      expect(j.files["docs\\a.md"]).toBeUndefined();
+      expect(j.files["docs/a.md"]?.hash).toBe("posix-wins");
+    });
+
+    it("is idempotent — a second pass rewrites nothing", () => {
+      const j: SyncJournal = {
+        version: "2",
+        lastSync: "",
+        files: {
+          "a\\b\\c.txt": { hash: "h", size: 1, syncedAt: "x", direction: "down" },
+        },
+        pulls: [],
+      };
+      expect(normalizeJournalKeys(j)).toBe(1);
+      expect(normalizeJournalKeys(j)).toBe(0);
+      expect(j.files["a/b/c.txt"]).toBeDefined();
+    });
   });
 
   describe("generatePullId", () => {

package/src/journal.ts

@@ -18,6 +18,7 @@ import * as os from "os";
 import * as path from "path";
 import * as crypto from "crypto";
 import type { SyncJournal, JournalEntry, PullRecord } from "./types.js";
+import { toPosixKey } from "./s3.js";
 
 /** Tombstone retention. 30 days in milliseconds — roughly two release cycles. */
 export const TOMBSTONE_TTL_MS = 30 * 24 * 60 * 60 * 1000;
@@ -134,6 +135,42 @@ export function readJournal(slug: string): SyncJournal {
   return { version: JOURNAL_VERSION_CURRENT, lastSync: "", files: {}, pulls: [] };
 }
 
+/**
+ * Defuse the pre-5.47.2 Windows backslash-key landmine in a journal's `files`
+ * map. Such clients stamped keys with the OS path separator ("\\"), e.g.
+ * `projects\\forecast-development\\x.csv`. A backslash key is a live data-loss
+ * hazard for the cross-machine delete planner (Bug #9): it never matches the
+ * forward-slash remote LIST, so the planner classifies the still-present local
+ * file as remote-deleted, and `path.join(companyRoot, key)` collapses the
+ * backslashes back onto the REAL POSIX file — which the executor then unlinks
+ * (ridge incident, feedback_b8d09d0f: a single pull deleted ~36 live files,
+ * with 587 backslash keys left in the journal as a recurring landmine).
+ *
+ * Rewriting every key to its canonical POSIX form on load removes the hazard
+ * idempotently — a clean (all-POSIX) journal is returned untouched. Merge rule:
+ * if a key's POSIX twin already exists, the POSIX entry is authoritative (it
+ * round-tripped through an up-to-date client) and the malformed duplicate is
+ * dropped; otherwise the entry is moved to its POSIX key. Returns the number of
+ * keys rewritten (0 for a clean journal) for telemetry and test assertions.
+ */
+export function normalizeJournalKeys(journal: SyncJournal): number {
+  if (!journal.files) return 0;
+  let rewritten = 0;
+  // Snapshot keys up front — we mutate journal.files during the walk.
+  for (const key of Object.keys(journal.files)) {
+    const posix = toPosixKey(key);
+    if (posix === key) continue; // already canonical (no backslash)
+    const entry = journal.files[key];
+    delete journal.files[key];
+    rewritten++;
+    // POSIX twin already present → it wins; drop the malformed duplicate.
+    if (!(posix in journal.files)) {
+      journal.files[posix] = entry;
+    }
+  }
+  return rewritten;
+}
+
 /**
  * Coerce any-version journal into a v2 shape. Idempotent for v2 inputs.
  * Mutates the input and returns it for chainable use. Call this immediately
@@ -145,6 +182,10 @@ export function readJournal(slug: string): SyncJournal {
  * "all" in the scope-shrink algorithm).
  */
 export function migrateToV2(journal: SyncJournal): SyncJournal {
+  // Backslash-key normalization runs UNCONDITIONALLY — a poisoned journal can
+  // already carry version "2" (the landmine predates the schema bump), so this
+  // must precede the v2 early-return or already-v2 journals stay poisoned.
+  normalizeJournalKeys(journal);
   if (journal.version === "2" && Array.isArray(journal.pulls)) {
     return journal;
   }

package/src/sync/event-sync.ts

@@ -57,8 +57,9 @@ import type { TreeChangeBatch } from "../watcher.js";
  * EXACT full-address matching, case-insensitive — NOT a domain suffix. The
  * single-account Phase 3 rollout (2026-06-10) targets the operator's own
  * devices; `xhassaan@getindigo.ai` and `hassaan@getindigo.ai.evil.com` must
- * never match. Broadening later is an entry here (or a domain-set like
- * `PRESIGN_ROLLOUT_DOMAINS` once GA'd).
+ * never match. Broadening later is an entry here, then a domain set, then a
+ * GA default-on switch (the path the presigned-URL transport already took in
+ * `resolvePresignTransport`).
  */
 export const EVENT_SYNC_ROLLOUT_EMAILS: ReadonlySet<string> = new Set([
   "hassaan@getindigo.ai",