@indigoai-us/hq-cloud 6.5.0 → 6.7.0

package/src/machine-auth.test.ts

@@ -0,0 +1,279 @@
+/**
+ * Unit tests for the machine-identity auth mode in cognito-auth.ts.
+ *
+ * Machine identities (company agents) carry long-lived Cognito creds at
+ * ~/.hq-agent/machine-creds.json (HQ_MACHINE_CREDS_FILE override) and mint
+ * sessions via USER_PASSWORD_AUTH on demand — no browser, no refresh token.
+ * The contract under test:
+ *   - detection: creds file present + well-formed → machine mode
+ *   - minting: BOTH tokens cached with correct field semantics
+ *   - re-mint on expiry; cache hit when valid
+ *   - getValidAccessToken short-circuits into machine mode (never browser)
+ */
+
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+let originalHome: string | undefined;
+let originalCredsEnv: string | undefined;
+let tmpHome: string;
+
+beforeEach(() => {
+  originalHome = process.env.HOME;
+  originalCredsEnv = process.env.HQ_MACHINE_CREDS_FILE;
+  tmpHome = fs.mkdtempSync(path.join(os.tmpdir(), "hq-machine-auth-test-"));
+  process.env.HOME = tmpHome;
+  delete process.env.HQ_MACHINE_CREDS_FILE;
+  vi.resetModules();
+});
+
+afterEach(() => {
+  if (originalHome === undefined) delete process.env.HOME;
+  else process.env.HOME = originalHome;
+  if (originalCredsEnv === undefined) delete process.env.HQ_MACHINE_CREDS_FILE;
+  else process.env.HQ_MACHINE_CREDS_FILE = originalCredsEnv;
+  fs.rmSync(tmpHome, { recursive: true, force: true });
+  vi.unstubAllGlobals();
+  vi.restoreAllMocks();
+});
+
+async function importModule() {
+  return await import("./cognito-auth.js");
+}
+
+const CONFIG = {
+  region: "us-east-1",
+  userPoolDomain: "vault-indigo-hq-prod",
+  clientId: "test-client-id",
+};
+
+function writeCreds(
+  creds: unknown = { username: "machine-agt_01TEST", secret: "s3cret" },
+): string {
+  const dir = path.join(tmpHome, ".hq-agent");
+  fs.mkdirSync(dir, { recursive: true });
+  const file = path.join(dir, "machine-creds.json");
+  fs.writeFileSync(file, JSON.stringify(creds));
+  return file;
+}
+
+/** Build a fake JWT whose payload decodes to the given claims. */
+function fakeJwt(claims: Record<string, unknown>): string {
+  const enc = (o: unknown) =>
+    Buffer.from(JSON.stringify(o)).toString("base64url");
+  return `${enc({ alg: "RS256", kid: "k" })}.${enc(claims)}.sig`;
+}
+
+function stubMintFetch(
+  overrides: Partial<{
+    AccessToken: string;
+    IdToken: string;
+    RefreshToken: string;
+    ExpiresIn: number;
+  }> = {},
+) {
+  const calls: Array<{ url: string; init: RequestInit }> = [];
+  const fetchMock = vi.fn(async (url: string | URL, init?: RequestInit) => {
+    calls.push({ url: String(url), init: init ?? {} });
+    return new Response(
+      JSON.stringify({
+        AuthenticationResult: {
+          AccessToken:
+            overrides.AccessToken ??
+            fakeJwt({ token_use: "access", client_id: CONFIG.clientId }),
+          IdToken: overrides.IdToken ?? fakeJwt({ token_use: "id" }),
+          RefreshToken: overrides.RefreshToken,
+          ExpiresIn: overrides.ExpiresIn ?? 3600,
+        },
+      }),
+      { status: 200 },
+    );
+  });
+  vi.stubGlobal("fetch", fetchMock);
+  return { fetchMock, calls };
+}
+
+// ---------------------------------------------------------------------------
+// Detection
+// ---------------------------------------------------------------------------
+
+describe("machine identity detection", () => {
+  it("is off when no creds file exists", async () => {
+    const { isMachineIdentity, loadMachineCreds } = await importModule();
+    expect(loadMachineCreds()).toBeNull();
+    expect(isMachineIdentity()).toBe(false);
+  });
+
+  it("detects creds at the default ~/.hq-agent path", async () => {
+    writeCreds();
+    const { isMachineIdentity, loadMachineCreds } = await importModule();
+    expect(loadMachineCreds()).toEqual({
+      username: "machine-agt_01TEST",
+      secret: "s3cret",
+    });
+    expect(isMachineIdentity()).toBe(true);
+  });
+
+  it("honors HQ_MACHINE_CREDS_FILE override", async () => {
+    const custom = path.join(tmpHome, "elsewhere.json");
+    fs.writeFileSync(
+      custom,
+      JSON.stringify({ username: "machine-agt_X", secret: "y" }),
+    );
+    process.env.HQ_MACHINE_CREDS_FILE = custom;
+    const { loadMachineCreds, machineCredsFilePath } = await importModule();
+    expect(machineCredsFilePath()).toBe(custom);
+    expect(loadMachineCreds()?.username).toBe("machine-agt_X");
+  });
+
+  it("rejects malformed creds (wrong username prefix, missing secret, bad JSON)", async () => {
+    const { loadMachineCreds } = await importModule();
+    writeCreds({ username: "stefan@example.com", secret: "x" });
+    expect(loadMachineCreds()).toBeNull();
+    writeCreds({ username: "machine-agt_01TEST" });
+    expect(loadMachineCreds()).toBeNull();
+    fs.writeFileSync(path.join(tmpHome, ".hq-agent", "machine-creds.json"), "{nope");
+    expect(loadMachineCreds()).toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Minting
+// ---------------------------------------------------------------------------
+
+describe("mintMachineTokens", () => {
+  it("mints via USER_PASSWORD_AUTH and caches both tokens with correct fields", async () => {
+    writeCreds();
+    const { calls } = stubMintFetch({ RefreshToken: "rt" });
+    const { mintMachineTokens, loadCachedTokens } = await importModule();
+
+    const tokens = await mintMachineTokens(CONFIG);
+
+    // Request shape: Cognito IDP InitiateAuth with the machine creds.
+    expect(calls).toHaveLength(1);
+    expect(calls[0].url).toBe("https://cognito-idp.us-east-1.amazonaws.com/");
+    const body = JSON.parse(String(calls[0].init.body));
+    expect(body).toMatchObject({
+      AuthFlow: "USER_PASSWORD_AUTH",
+      ClientId: CONFIG.clientId,
+      AuthParameters: { USERNAME: "machine-agt_01TEST", PASSWORD: "s3cret" },
+    });
+
+    // Field semantics: access token in accessToken, id token in idToken.
+    const accessClaims = JSON.parse(
+      Buffer.from(tokens.accessToken.split(".")[1], "base64url").toString(),
+    );
+    const idClaims = JSON.parse(
+      Buffer.from(tokens.idToken.split(".")[1], "base64url").toString(),
+    );
+    expect(accessClaims.token_use).toBe("access");
+    expect(idClaims.token_use).toBe("id");
+    expect(tokens.refreshToken).toBe("rt");
+    expect(typeof tokens.expiresAt).toBe("number");
+
+    // Persisted to the shared cache file.
+    expect(loadCachedTokens()).toEqual(tokens);
+  });
+
+  it("throws CognitoAuthError on auth failure", async () => {
+    writeCreds();
+    vi.stubGlobal(
+      "fetch",
+      vi.fn(async () =>
+        new Response(
+          JSON.stringify({ __type: "NotAuthorizedException", message: "nope" }),
+          { status: 400 },
+        ),
+      ),
+    );
+    const { mintMachineTokens, CognitoAuthError } = await importModule();
+    await expect(mintMachineTokens(CONFIG)).rejects.toBeInstanceOf(
+      CognitoAuthError,
+    );
+  });
+
+  it("throws when no creds are present", async () => {
+    const { mintMachineTokens, CognitoAuthError } = await importModule();
+    await expect(mintMachineTokens(CONFIG)).rejects.toBeInstanceOf(
+      CognitoAuthError,
+    );
+  });
+});
+
+// ---------------------------------------------------------------------------
+// getValidMachineTokens — cache vs re-mint
+// ---------------------------------------------------------------------------
+
+describe("getValidMachineTokens", () => {
+  it("returns the cache when valid without touching the network", async () => {
+    writeCreds();
+    const { fetchMock } = stubMintFetch();
+    const { saveCachedTokens, getValidMachineTokens } = await importModule();
+    const cached = {
+      accessToken: fakeJwt({ token_use: "access", client_id: CONFIG.clientId }),
+      idToken: fakeJwt({ token_use: "id" }),
+      refreshToken: "",
+      expiresAt: Date.now() + 30 * 60 * 1000,
+      tokenType: "Bearer" as const,
+    };
+    saveCachedTokens(cached);
+
+    const tokens = await getValidMachineTokens(CONFIG);
+    expect(tokens).toEqual(cached);
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("re-mints when the cache is expiring", async () => {
+    writeCreds();
+    const { fetchMock } = stubMintFetch();
+    const { saveCachedTokens, getValidMachineTokens } = await importModule();
+    saveCachedTokens({
+      accessToken: fakeJwt({ token_use: "access", client_id: CONFIG.clientId }),
+      idToken: fakeJwt({ token_use: "id" }),
+      refreshToken: "",
+      expiresAt: Date.now() + 10 * 1000,
+      tokenType: "Bearer",
+    });
+
+    await getValidMachineTokens(CONFIG);
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+
+  it("re-mints when the cached token targets a different app client", async () => {
+    writeCreds();
+    const { fetchMock } = stubMintFetch();
+    const { saveCachedTokens, getValidMachineTokens } = await importModule();
+    saveCachedTokens({
+      accessToken: fakeJwt({ token_use: "access", client_id: "other-client" }),
+      idToken: fakeJwt({ token_use: "id" }),
+      refreshToken: "",
+      expiresAt: Date.now() + 30 * 60 * 1000,
+      tokenType: "Bearer",
+    });
+
+    await getValidMachineTokens(CONFIG);
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// getValidAccessToken — machine-mode short circuit
+// ---------------------------------------------------------------------------
+
+describe("getValidAccessToken in machine mode", () => {
+  it("mints via machine creds instead of refreshing or opening a browser", async () => {
+    writeCreds();
+    const { calls } = stubMintFetch();
+    const { getValidAccessToken } = await importModule();
+
+    const token = await getValidAccessToken(CONFIG, { interactive: false });
+
+    expect(calls).toHaveLength(1);
+    const claims = JSON.parse(
+      Buffer.from(token.split(".")[1], "base64url").toString(),
+    );
+    expect(claims.token_use).toBe("access");
+  });
+});

package/src/s3.test.ts

@@ -6,7 +6,7 @@
  * `Metadata`, so the listing's HEAD fan-out had nothing to attribute.
  */
 
-import { describe, it, expect, beforeEach, vi } from "vitest";
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import * as fs from "fs";
 import * as os from "os";
 import * as path from "path";
@@ -83,6 +83,7 @@ import {
   uploadFile,
   uploadSymlink,
   toPosixKey,
+  primeUploads,
   downloadFile,
   listRemoteFiles,
   SYMLINK_BODY_PREFIX,
@@ -92,6 +93,12 @@ import {
   FILE_MTIME_META_KEY,
   FILE_BTIME_META_KEY,
 } from "./s3.js";
+import {
+  setObjectIOFactory,
+  presignObjectIOFactory,
+  type PresignTransportClient,
+} from "./object-io.js";
+import type { PresignResultRow } from "./vault-client.js";
 import type { EntityContext } from "./types.js";
 
 function makeCtx(): EntityContext {
@@ -158,6 +165,89 @@ describe("backslash key normalization (Windows client → POSIX S3 key)", () =>
   });
 });
 
+describe("backslash key normalization on the PRESIGNED (GA) transport", () => {
+  // The tests above assert normalization on the S3-SDK transport (sentCommands
+  // capture SDK PutObjectCommands). As of 6.5.0 the presigned-URL transport is
+  // GA for every company vault (cmp_*) — that's the path a real Windows client
+  // like Ridge's now takes. These lock the SAME write-side invariant on that
+  // transport: a backslash key is canonicalized to POSIX before the server is
+  // ever asked to presign it, so a non-POSIX vault key can never be minted.
+  let tmpFile: string;
+  let presignCalls: Array<{ op?: string; keys: Array<{ key?: string }> }>;
+
+  function presignKeysFor(op: string): string[] {
+    return presignCalls
+      .filter((c) => c.op === op)
+      .flatMap((c) => c.keys.map((k) => k.key ?? ""));
+  }
+
+  beforeEach(() => {
+    tmpFile = path.join(
+      os.tmpdir(),
+      `s3-presign-backslash-${Date.now()}-${Math.random()}.md`,
+    );
+    fs.writeFileSync(tmpFile, "hello");
+
+    presignCalls = [];
+    const vault: PresignTransportClient = {
+      // Echo each requested key back as a usable URL so putObject's PUT
+      // resolves; record the op + keys so we can assert what was signed.
+      presign: async (input) => {
+        presignCalls.push({ op: input.op, keys: input.keys as Array<{ key?: string }> });
+        const results: PresignResultRow[] = input.keys.map((k) => ({
+          key: (k as { key: string }).key,
+          op: input.op ?? "put",
+          url: `https://s3.test/${(k as { key: string }).key}`,
+        }));
+        return { results, expiresAt: "2099-01-01T00:00:00.000Z" };
+      },
+      listFiles: async () => ({ objects: [], cursor: null, truncated: false }),
+    };
+    setObjectIOFactory(presignObjectIOFactory(vault));
+    // putObject moves bytes over the presigned URL via global fetch.
+    vi.stubGlobal(
+      "fetch",
+      vi.fn(async () => new Response(null, { status: 200, headers: { etag: '"e"' } })),
+    );
+  });
+
+  afterEach(() => {
+    setObjectIOFactory(null);
+    vi.unstubAllGlobals();
+  });
+
+  it("uploadFile presigns + PUTs a POSIX key for a Windows-style backslash path", async () => {
+    await uploadFile(makeCtx(), tmpFile, "knowledge\\books-eoi.md");
+    expect(presignKeysFor("put")).toContain("knowledge/books-eoi.md");
+    // The malformed backslash key is never presigned (so never PUT).
+    expect(presignKeysFor("put")).not.toContain("knowledge\\books-eoi.md");
+  });
+
+  it("uploadSymlink presigns a POSIX key for a Windows-style backslash path", async () => {
+    await uploadSymlink(makeCtx(), "../target.md", "data\\boots-accounts.json");
+    expect(presignKeysFor("put")).toContain("data/boots-accounts.json");
+    expect(presignKeysFor("put")).not.toContain("data\\boots-accounts.json");
+  });
+
+  it("primeUploads canonicalizes keys so the primed PUT URL matches the upload lookup", async () => {
+    // Prime then upload the SAME Windows-origin key. Both must key the cache
+    // under the POSIX form: prime signs the POSIX PUT URL, and uploadFile's
+    // hasPrimedPut(toPosixKey(...)) reuses it instead of re-presigning — proving
+    // the primed fast-path can't strand a backslash key (and can't store one).
+    await primeUploads(makeCtx(), [
+      { key: "knowledge\\books-eoi.md", localPath: tmpFile, isSymlink: false },
+    ]);
+    // prime("get") + prime("put") both went out under the POSIX key only.
+    expect(presignKeysFor("get")).toEqual(["knowledge/books-eoi.md"]);
+    expect(presignKeysFor("put")).toEqual(["knowledge/books-eoi.md"]);
+
+    const putCountAfterPrime = presignKeysFor("put").length;
+    await uploadFile(makeCtx(), tmpFile, "knowledge\\books-eoi.md");
+    // No NEW put presign: uploadFile reused the primed POSIX URL (cache hit).
+    expect(presignKeysFor("put").length).toBe(putCountAfterPrime);
+  });
+});
+
 describe("uploadFile", () => {
   let tmpFile: string;
 

package/src/s3.ts

@@ -339,9 +339,14 @@ export async function primeUploads(
   if (!io.prime || items.length === 0) return;
 
   // Prime GET first so each item's created-at HEAD reuses a cached URL.
+  // Canonicalize to POSIX here (one-canonical-form, matching the uploadFile /
+  // uploadSymlink boundary): a Windows-origin backslash key must cache under
+  // the SAME key uploadFile later looks up via hasPrimedPut(toPosixKey(...)),
+  // or the primed URL silently misses and the upload re-presigns. It also
+  // keeps the created-at HEAD pointed at the real (POSIX) object.
   await io.prime(
     "get",
-    items.map((i) => ({ key: i.key })),
+    items.map((i) => ({ key: toPosixKey(i.key) })),
   );
 
   // Build per-key PUT metadata with the SAME builders the upload path uses,
@@ -356,10 +361,15 @@ export async function primeUploads(
   const worker = async (): Promise<void> => {
     while (next < items.length) {
       const it = items[next++];
-      const createdAt = await resolveCreatedAt(io, it.key, it.author);
+      // Same boundary guardrail as uploadFile/uploadSymlink: prime under the
+      // canonical POSIX key so the cached PUT URL is keyed identically to the
+      // hasPrimedPut/putObject lookup, and a backslash key can never be primed
+      // (let alone stored) as a non-POSIX vault key.
+      const key = toPosixKey(it.key);
+      const createdAt = await resolveCreatedAt(io, key, it.author);
       if (it.isSymlink) {
         putKeys.push({
-          key: it.key,
+          key,
           contentType: "application/octet-stream",
           metadata: {
             [SYMLINK_TARGET_META_KEY]: SYMLINK_MARKER_META_VALUE,
@@ -374,8 +384,8 @@ export async function primeUploads(
           // raced rm / EPERM — leave stamps off (receiver umask default).
         }
         putKeys.push({
-          key: it.key,
-          contentType: getMimeType(it.key),
+          key,
+          contentType: getMimeType(key),
           metadata: {
             ...(it.author ? buildAuthorMetadata(it.author, createdAt) : {}),
             ...modeTime,

package/src/scope-shrink.test.ts

@@ -498,6 +498,52 @@ describe("applyScopeShrink", () => {
       journal.files["companies/indigo/scratch/clean.md"]?.removedReason,
     ).toBe("narrow_apply");
   });
+
+  // DEV-1768 fix #3: clean orphans are MOVED to quarantine (recoverable),
+  // not unlinked, when `cleanDisposition: "quarantine"`.
+  it("quarantines clean orphans (moves, not deletes) and reports named paths", () => {
+    const rel = "companies/indigo/scratch/clean.md";
+    const abs = path.join(hqRoot, rel);
+    fs.mkdirSync(path.dirname(abs), { recursive: true });
+    fs.writeFileSync(abs, "clean");
+    const past = Date.now() - 60_000;
+    fs.utimesSync(abs, past / 1000, past / 1000);
+
+    const quarantineRoot = path.join(hqRoot, ".hq", "scope-quarantine", "indigo");
+    const journal: SyncJournal = {
+      ...emptyJournal(),
+      files: {
+        [rel]: { hash: sha256("clean"), size: 5, syncedAt: new Date().toISOString(), direction: "down" },
+      },
+    };
+    const plan = buildScopeShrinkPlan({
+      journal,
+      hqRoot,
+      lastPrefixSet: ["companies/indigo/"],
+      currentPrefixSet: ["companies/indigo/meetings/"],
+    });
+    const result = applyScopeShrink({
+      journal,
+      plan,
+      hqRoot,
+      forceScopeShrink: false,
+      cleanDisposition: "quarantine",
+      quarantineRoot,
+    });
+
+    expect(result.cleanQuarantined).toBe(1);
+    expect(result.cleanRemoved).toBe(0);
+    expect(result.quarantinedPaths).toEqual([rel]);
+    expect(result.removedPaths).toEqual([]);
+    expect(result.quarantineRoot).toBe(quarantineRoot);
+    // Moved, not deleted: gone from the working tree, present + intact in quarantine.
+    expect(fs.existsSync(abs)).toBe(false);
+    const quarantined = path.join(quarantineRoot, rel);
+    expect(fs.existsSync(quarantined)).toBe(true);
+    expect(fs.readFileSync(quarantined, "utf-8")).toBe("clean");
+    // Journal entry tombstoned so it stops being re-flagged (idempotent).
+    expect(journal.files[rel]?.removedAt).toBeTruthy();
+  });
 });
 
 describe("ScopeShrinkBlockedError", () => {
@@ -527,4 +573,29 @@ describe("ScopeShrinkBlockedError", () => {
     expect(err.dirty).toHaveLength(1);
     expect(err.name).toBe("ScopeShrinkBlockedError");
   });
+
+  // DEV-1768 fix #2: advice must be FOLLOWABLE from the entry point that throws.
+  // The old message always said "pass --force-scope-shrink", which the menubar
+  // runner cannot accept.
+  const mk = (ctx?: "cli" | "runner" | "engine") =>
+    new ScopeShrinkBlockedError("cmp_x", "all", "shared", [], [], ctx);
+
+  it("runner-context advice points at a terminal command, NOT an impossible flag", () => {
+    const msg = mk("runner").message;
+    // The followable path from the menubar is a terminal command.
+    expect(msg).toContain("hq sync narrow --apply");
+    // It must NOT imply the flag is acceptable to the menubar itself.
+    expect(msg).toContain("menubar sync cannot take this flag");
+  });
+
+  it("cli-context advice offers the flag the CLI actually accepts", () => {
+    const msg = mk("cli").message;
+    expect(msg).toContain("--force-scope-shrink");
+    expect(msg).toContain("hq sync narrow --apply");
+  });
+
+  it("defaults to the engine/library advice when no context is given", () => {
+    expect(mk().adviceContext).toBe("engine");
+    expect(mk().message).toContain("hq sync narrow --apply");
+  });
 });