@indigoai-us/hq-cloud 6.3.5 → 6.4.0

package/src/bin/sync-runner.ts

@@ -222,47 +222,35 @@ export function resolveSkipPersonal(flag: boolean): boolean {
   return env === "1" || env === "true" || env === "yes";
 }
 
-/**
- * Email domains enrolled in the presigned-URL transport rollout.
- *
- * Staged by the operator (2026-06-10) in descending user count: getindigo.ai
- * was the pilot; gmail.com / vyg.ai / amass.com are batch 2. The presign
- * transport also routes every upload through the vault API's
- * `validateObjectKey` (INVALID_KEY_BACKSLASH et al.), so enrolling a domain
- * upgrades its server-side input validation versus the STS-direct path.
- * Matching is on the EXACT domain (the part after the last `@`), not a
- * suffix — `evil-gmail.com` and `gmail.com.evil.com` never match.
- */
-const PRESIGN_ROLLOUT_DOMAINS: ReadonlySet<string> = new Set([
-  "getindigo.ai",
-  "gmail.com",
-  "vyg.ai",
-  "amass.com",
-]);
-
 /**
  * Decide whether this session uses the presigned-URL transport.
  *
- * Rollout gate: ON for accounts whose verified email domain is enrolled in
- * `PRESIGN_ROLLOUT_DOMAINS`. `HQ_SYNC_PRESIGN_TRANSPORT` overrides the email
- * check in both directions (`1`/`true`/`yes`/`on` → force on,
- * `0`/`false`/`no`/`off` → force off) so the transport can be exercised by
- * unenrolled testers or rolled back for enrolled accounts without a redeploy.
- * An unset/blank override falls through to the email check; an unrecognized
- * override value is ignored (email check wins) rather than silently forcing
- * a state.
+ * GA (2026-06-11): the presigned-URL transport is now the DEFAULT for every
+ * account — the staged per-domain rollout (getindigo.ai pilot → gmail.com /
+ * vyg.ai / amass.com batch 2) is complete. The transport only NARROWS client
+ * privilege: the client holds no raw AWS credentials (it just fetches signed
+ * URLs) and every upload is validated server-side via the vault API, so it is
+ * safe as the universal default.
+ *
+ * `HQ_SYNC_PRESIGN_TRANSPORT` still overrides in both directions
+ * (`1`/`true`/`yes`/`on` → force on, `0`/`false`/`no`/`off` → force off), so
+ * an individual account can be rolled back to the STS-direct path WITHOUT a
+ * redeploy if a regression surfaces. An unset/blank or unrecognized override
+ * falls through to the GA default (on).
+ *
+ * `email` is retained in the signature for the override contract and so the
+ * gate can be re-narrowed to a domain set in future without touching the call
+ * site; it is intentionally unused while the transport is GA.
  */
 export function resolvePresignTransport(
   email: string | undefined,
   override: string | undefined,
 ): boolean {
+  void email;
   const o = (override ?? "").trim().toLowerCase();
   if (o === "1" || o === "true" || o === "yes" || o === "on") return true;
   if (o === "0" || o === "false" || o === "no" || o === "off") return false;
-  if (typeof email !== "string") return false;
-  const at = email.lastIndexOf("@");
-  if (at < 0) return false;
-  return PRESIGN_ROLLOUT_DOMAINS.has(email.slice(at + 1).toLowerCase());
+  return true;
 }
 
 // Personal-vault scope (exclusion list + path computer) lives in
@@ -1016,15 +1004,16 @@ export async function runRunner(
       : undefined;
 
   // ---- transport selection (presigned-URL vs STS-direct-S3) -------------
-  // Default transport is unchanged: STS-vended credentials + direct S3 SDK.
-  // The presigned-URL transport (vault `list` + `presign` endpoints) is
-  // feature-flagged to @getindigo.ai accounts during rollout. The gate runs
-  // ONCE here — every s3.ts call in this session's fanout resolves through
-  // the installed factory. `HQ_SYNC_PRESIGN_TRANSPORT` is an explicit
-  // override (1/true → force on, 0/false → force off) that wins over the
-  // email check, so the flag can be flipped for testing or rollback without
-  // a redeploy. Setting the factory unconditionally (even to the default)
-  // keeps the choice deterministic if a prior run mutated module state.
+  // The presigned-URL transport (vault `list` + `presign` endpoints) is now
+  // the GA default for every account. The STS-direct-S3 path (STS-vended
+  // credentials + direct S3 SDK) remains the fallback only when an account is
+  // force-disabled via HQ_SYNC_PRESIGN_TRANSPORT or the client build predates
+  // the presign methods. The gate runs ONCE here — every s3.ts call in this
+  // session's fanout resolves through the installed factory.
+  // HQ_SYNC_PRESIGN_TRANSPORT is an explicit override (1/true → force on,
+  // 0/false → force off) for testing or emergency rollback without a redeploy.
+  // Setting the factory unconditionally (even to the default) keeps the choice
+  // deterministic if a prior run mutated module state.
   const presignCapable = client as Partial<PresignTransportClient>;
   if (
     resolvePresignTransport(

package/src/index.ts

@@ -31,6 +31,11 @@ export {
   getEntry,
   removeEntry,
   getJournalPath,
+  // State-dir + all-shard enumeration. `listJournals` is the single source of
+  // truth for "every journal the engine can write" — surfaces like
+  // `hq sync status` must read all shards through it, never a single path.
+  getStateDir,
+  listJournals,
   // Journal v2 (US-005)
   migrateToV2,
   generatePullId,
@@ -50,6 +55,8 @@ export {
   migratePersonalVaultJournal,
 } from "./journal.js";
 
+export type { JournalSummary } from "./journal.js";
+
 // Prefix coalescing helper (US-005)
 export {
   coalescePrefixes,

package/src/journal.test.ts

@@ -27,6 +27,7 @@ import {
   TOMBSTONE_TTL_MS,
   PERSONAL_VAULT_JOURNAL_SLUG,
   migratePersonalVaultJournal,
+  listJournals,
 } from "./journal.js";
 import type { SyncJournal, PullRecord } from "./types.js";
 
@@ -643,4 +644,123 @@ describe("journal", () => {
       expect(fs.existsSync(getJournalPath(PERSONAL_VAULT_JOURNAL_SLUG))).toBe(false);
     });
   });
+
+  // Regression: `hq sync status` reported "No sync journal yet" right after a
+  // successful sync because it read one path keyed off the HQ-ROOT, while the
+  // engine writes slug-sharded journals (personal vault + per-company).
+  // `listJournals` is the all-shard enumeration the status surface now uses.
+  describe("listJournals", () => {
+    function seed(slug: string, files: SyncJournal["files"]): void {
+      writeJournal(slug, {
+        version: "2",
+        lastSync: "",
+        files,
+        pulls: [],
+      });
+    }
+
+    it("returns [] when the state dir has no journals (truly-empty case)", () => {
+      expect(listJournals()).toEqual([]);
+    });
+
+    it("returns [] when the state dir does not exist at all", () => {
+      process.env.HQ_STATE_DIR = path.join(stateDir, "does-not-exist");
+      expect(listJournals()).toEqual([]);
+    });
+
+    it("enumerates the personal-vault shard written by a `--personal` sync", () => {
+      seed(PERSONAL_VAULT_JOURNAL_SLUG, {
+        ".claude/skills/x/SKILL.md": {
+          hash: "a",
+          size: 10,
+          syncedAt: "2026-06-08T10:00:00.000Z",
+          direction: "up",
+        },
+      });
+
+      const all = listJournals();
+      expect(all).toHaveLength(1);
+      expect(all[0]!.slug).toBe(PERSONAL_VAULT_JOURNAL_SLUG);
+      expect(all[0]!.path).toBe(getJournalPath(PERSONAL_VAULT_JOURNAL_SLUG));
+      expect(Object.keys(all[0]!.journal.files)).toContain(
+        ".claude/skills/x/SKILL.md",
+      );
+    });
+
+    it("enumerates a per-company shard written by a company sync", () => {
+      seed("marshalops", {
+        "knowledge/a.md": {
+          hash: "b",
+          size: 20,
+          syncedAt: "2026-06-08T11:00:00.000Z",
+          direction: "down",
+        },
+      });
+
+      const all = listJournals();
+      expect(all.map((j) => j.slug)).toEqual(["marshalops"]);
+    });
+
+    it("enumerates ALL shards together, sorted by slug", () => {
+      seed(PERSONAL_VAULT_JOURNAL_SLUG, {
+        ".claude/x": {
+          hash: "a",
+          size: 1,
+          syncedAt: "2026-06-08T10:00:00.000Z",
+          direction: "up",
+        },
+      });
+      seed("marshalops", {
+        "k/a": {
+          hash: "b",
+          size: 2,
+          syncedAt: "2026-06-08T11:00:00.000Z",
+          direction: "down",
+        },
+      });
+      seed("glazeymedia", {
+        "k/b": {
+          hash: "c",
+          size: 3,
+          syncedAt: "2026-06-08T12:00:00.000Z",
+          direction: "down",
+        },
+      });
+
+      const slugs = listJournals().map((j) => j.slug);
+      // Sorted: "__hq_personal_vault__" < "glazeymedia" < "marshalops".
+      expect(slugs).toEqual([
+        PERSONAL_VAULT_JOURNAL_SLUG,
+        "glazeymedia",
+        "marshalops",
+      ]);
+    });
+
+    it("skips a corrupt shard but still returns the healthy ones", () => {
+      seed("marshalops", {
+        "k/a": {
+          hash: "b",
+          size: 2,
+          syncedAt: "2026-06-08T11:00:00.000Z",
+          direction: "down",
+        },
+      });
+      fs.writeFileSync(
+        path.join(stateDir, "sync-journal.broken.json"),
+        "{ not valid json",
+      );
+
+      const all = listJournals();
+      expect(all.map((j) => j.slug)).toEqual(["marshalops"]);
+    });
+
+    it("ignores unrelated files in the state dir", () => {
+      seed("marshalops", {});
+      fs.writeFileSync(path.join(stateDir, "config.json"), "{}");
+      fs.writeFileSync(path.join(stateDir, "sync-journal.json"), "{}"); // no slug
+      fs.writeFileSync(path.join(stateDir, "notes.txt"), "hi");
+
+      expect(listJournals().map((j) => j.slug)).toEqual(["marshalops"]);
+    });
+  });
 });

package/src/journal.ts

@@ -135,6 +135,72 @@ export function readJournal(slug: string): SyncJournal {
   return { version: JOURNAL_VERSION_CURRENT, lastSync: "", files: {}, pulls: [] };
 }
 
+/** One enumerated journal shard: its recovered slug, on-disk path, contents. */
+export interface JournalSummary {
+  /**
+   * Slug recovered from the `sync-journal.<slug>.json` filename — the
+   * sanitized form the engine wrote (e.g. a company slug,
+   * `PERSONAL_VAULT_JOURNAL_SLUG`, or the legacy `"personal"`).
+   */
+  slug: string;
+  /** Absolute path to the journal file. */
+  path: string;
+  /** Parsed journal contents. */
+  journal: SyncJournal;
+}
+
+/**
+ * Enumerate every sync journal present in the state dir.
+ *
+ * The engine SHARDS journals by slug (ADR-0001 Phase 5): the personal-vault
+ * fanout slot under `PERSONAL_VAULT_JOURNAL_SLUG`, one shard per cloud company,
+ * and the legacy `"personal"` shard. A caller that reads a single fixed path
+ * therefore only ever sees one scope — and a caller that mistakes a non-slug
+ * value for a slug (e.g. `hq sync status` passing the HQ-root PATH, which
+ * `sanitizeSlug` mangles into `_Users_<user>_hq`) sees a slug the engine never
+ * writes, and reports "no journal" right after a successful sync. Any surface
+ * that wants the COMPLETE local sync picture must read ALL shards via this
+ * helper rather than reconstructing a path.
+ *
+ * Slugs are recovered from each filename. A shard that fails to read or parse
+ * is skipped rather than thrown — one corrupt shard must not blind the caller
+ * to the healthy ones. Results are sorted by slug for deterministic output.
+ */
+export function listJournals(): JournalSummary[] {
+  const dir = getStateDir();
+  let names: string[];
+  try {
+    names = fs.readdirSync(dir);
+  } catch {
+    return []; // state dir absent → no journals yet
+  }
+  const out: JournalSummary[] = [];
+  for (const name of names) {
+    if (
+      !name.startsWith(JOURNAL_FILE_PREFIX) ||
+      !name.endsWith(JOURNAL_FILE_SUFFIX)
+    ) {
+      continue;
+    }
+    const slug = name.slice(
+      JOURNAL_FILE_PREFIX.length,
+      name.length - JOURNAL_FILE_SUFFIX.length,
+    );
+    if (!slug) continue; // guard against a stray "sync-journal..json"
+    const filePath = path.join(dir, name);
+    try {
+      const journal = JSON.parse(
+        fs.readFileSync(filePath, "utf-8"),
+      ) as SyncJournal;
+      out.push({ slug, path: filePath, journal });
+    } catch {
+      // Corrupt/unreadable shard — skip; don't blind the caller to the rest.
+    }
+  }
+  out.sort((a, b) => a.slug.localeCompare(b.slug));
+  return out;
+}
+
 /**
  * Defuse the pre-5.47.2 Windows backslash-key landmine in a journal's `files`
  * map. Such clients stamped keys with the OS path separator ("\\"), e.g.

package/src/sync/event-sync.ts

@@ -57,8 +57,9 @@ import type { TreeChangeBatch } from "../watcher.js";
  * EXACT full-address matching, case-insensitive — NOT a domain suffix. The
  * single-account Phase 3 rollout (2026-06-10) targets the operator's own
  * devices; `xhassaan@getindigo.ai` and `hassaan@getindigo.ai.evil.com` must
- * never match. Broadening later is an entry here (or a domain-set like
- * `PRESIGN_ROLLOUT_DOMAINS` once GA'd).
+ * never match. Broadening later is an entry here, then a domain set, then a
+ * GA default-on switch (the path the presigned-URL transport already took in
+ * `resolvePresignTransport`).
  */
 export const EVENT_SYNC_ROLLOUT_EMAILS: ReadonlySet<string> = new Set([
   "hassaan@getindigo.ai",