@indigoai-us/hq-cloud 6.8.0 → 6.9.0

package/dist/cli/share.test.js

@@ -141,7 +141,7 @@ describe("share", () => {
         expect(result.filesUploaded).toBe(1);
         expect(result.aborted).toBe(false);
         // Remote key must be company-relative, not hqRoot-relative
-        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "test.md");
+        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "test.md", undefined, expect.anything());
     });
     it("respects ignore rules", async () => {
         const companyRoot = path.join(tmpDir, "companies", "acme");
@@ -181,7 +181,7 @@ describe("share", () => {
             hqRoot: tmpDir,
         });
         // Key is "knowledge/crawl.json", not "companies/acme/knowledge/crawl.json"
-        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), nested, "knowledge/crawl.json");
+        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), nested, "knowledge/crawl.json", undefined, expect.anything());
     });
     it("skips files outside the company folder with a warning", async () => {
         const warnSpy = vi.spyOn(console, "error").mockImplementation(() => { });
@@ -280,7 +280,7 @@ describe("share", () => {
             skipUnchanged: true,
         });
         expect(result.filesUploaded).toBe(1);
-        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "changed.md");
+        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "changed.md", undefined, expect.anything());
     });
     it("populates conflictPaths and emits a conflict event when both local and remote drifted from journal", async () => {
         const companyRoot = path.join(tmpDir, "companies", "acme");
@@ -496,6 +496,142 @@ describe("share", () => {
         // Local file untouched under keep.
         expect(fs.readFileSync(testFile, "utf-8")).toBe("my-local-version");
     });
+    describe("conditional-write fence (If-Match / If-None-Match / 412)", () => {
+        const fence412 = () => Object.assign(new Error("Precondition failed"), {
+            name: "PreconditionFailed",
+        });
+        it("fences a PUT over an existing remote with If-Match on the observed etag", async () => {
+            const companyRoot = path.join(tmpDir, "companies", "acme");
+            fs.mkdirSync(companyRoot, { recursive: true });
+            const testFile = path.join(companyRoot, "fenced.md");
+            fs.writeFileSync(testFile, "local edit");
+            // Remote exists at the journal baseline; only local changed -> clean
+            // push, but the PUT must still assert the observed remote etag so a
+            // peer write landing between HEAD and PUT draws a 412 instead of
+            // being clobbered (HEAD->PUT TOCTOU).
+            const syncedAt = new Date(Date.now() - 60_000).toISOString();
+            vi.mocked(headRemoteFile).mockResolvedValueOnce({
+                lastModified: new Date(Date.parse(syncedAt) - 30_000),
+                etag: '"baseline-etag"',
+                size: 5,
+            });
+            const journalPath = path.join(stateDir, "sync-journal.acme.json");
+            fs.writeFileSync(journalPath, JSON.stringify({
+                version: "1",
+                lastSync: syncedAt,
+                files: {
+                    "fenced.md": {
+                        hash: "stale-local-hash",
+                        size: 5,
+                        syncedAt,
+                        direction: "up",
+                        remoteEtag: "baseline-etag",
+                    },
+                },
+            }));
+            const result = await share({
+                paths: [testFile],
+                company: "acme",
+                vaultConfig: mockConfig,
+                hqRoot: tmpDir,
+            });
+            expect(result.filesUploaded).toBe(1);
+            expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "fenced.md", undefined, { ifMatch: '"baseline-etag"' });
+        });
+        it("fences a brand-new key with If-None-Match:* (create-only)", async () => {
+            const companyRoot = path.join(tmpDir, "companies", "acme");
+            fs.mkdirSync(companyRoot, { recursive: true });
+            const testFile = path.join(companyRoot, "brand-new.md");
+            fs.writeFileSync(testFile, "fresh");
+            vi.mocked(headRemoteFile).mockResolvedValueOnce(null);
+            await share({
+                paths: [testFile],
+                company: "acme",
+                vaultConfig: mockConfig,
+                hqRoot: tmpDir,
+            });
+            expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "brand-new.md", undefined, { ifNoneMatch: "*" });
+        });
+        it("412 under keep: conflict event + remote mirrored + ledger entry + NO journal stamp", async () => {
+            const companyRoot = path.join(tmpDir, "companies", "acme");
+            fs.mkdirSync(companyRoot, { recursive: true });
+            const testFile = path.join(companyRoot, "raced.md");
+            fs.writeFileSync(testFile, "my local bytes");
+            vi.mocked(headRemoteFile).mockResolvedValueOnce(null);
+            vi.mocked(uploadFile).mockRejectedValueOnce(fence412());
+            vi.mocked(downloadFile).mockImplementationOnce(async (_ctx, _key, dest) => {
+                fs.writeFileSync(dest, "the racing peer version");
+                return undefined;
+            });
+            const events = [];
+            const result = await share({
+                paths: [testFile],
+                company: "acme",
+                vaultConfig: mockConfig,
+                hqRoot: tmpDir,
+                onConflict: "keep",
+                onEvent: (e) => events.push(e),
+            });
+            // Surfaced as a push conflict, not an error.
+            expect(result.conflictPaths).toEqual(["raced.md"]);
+            expect(result.filesUploaded).toBe(0);
+            expect(result.aborted).toBe(false);
+            expect(events.some((e) => e.type === "conflict" && e.path === "raced.md")).toBe(true);
+            // The racing remote bytes were preserved next to the local copy.
+            const mirrors = fs
+                .readdirSync(companyRoot)
+                .filter((f) => f.includes(".conflict-"));
+            expect(mirrors).toHaveLength(1);
+            // Local copy untouched.
+            expect(fs.readFileSync(testFile, "utf-8")).toBe("my local bytes");
+            // No journal stamp for the failed PUT — next pass re-evaluates fresh.
+            const journalPath = path.join(stateDir, "sync-journal.acme.json");
+            if (fs.existsSync(journalPath)) {
+                const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+                expect(journal.files?.["raced.md"]).toBeUndefined();
+            }
+        });
+        it("412 under overwrite: retries exactly once WITHOUT the fence (explicit consent)", async () => {
+            const companyRoot = path.join(tmpDir, "companies", "acme");
+            fs.mkdirSync(companyRoot, { recursive: true });
+            const testFile = path.join(companyRoot, "consented.md");
+            fs.writeFileSync(testFile, "clobber me in");
+            vi.mocked(headRemoteFile).mockResolvedValueOnce(null);
+            vi.mocked(uploadFile)
+                .mockRejectedValueOnce(fence412())
+                .mockResolvedValueOnce({ etag: '"retried-etag"' });
+            const result = await share({
+                paths: [testFile],
+                company: "acme",
+                vaultConfig: mockConfig,
+                hqRoot: tmpDir,
+                onConflict: "overwrite",
+            });
+            expect(result.filesUploaded).toBe(1);
+            const calls = vi.mocked(uploadFile).mock.calls;
+            expect(calls).toHaveLength(2);
+            // First attempt fenced; retry deliberately unfenced.
+            expect(calls[0][4]).toEqual({ ifNoneMatch: "*" });
+            expect(calls[1][4]).toBeUndefined();
+        });
+        it("412 under abort: halts the pass", async () => {
+            const companyRoot = path.join(tmpDir, "companies", "acme");
+            fs.mkdirSync(companyRoot, { recursive: true });
+            const testFile = path.join(companyRoot, "halting.md");
+            fs.writeFileSync(testFile, "stop here");
+            vi.mocked(headRemoteFile).mockResolvedValueOnce(null);
+            vi.mocked(uploadFile).mockRejectedValueOnce(fence412());
+            const result = await share({
+                paths: [testFile],
+                company: "acme",
+                vaultConfig: mockConfig,
+                hqRoot: tmpDir,
+                onConflict: "abort",
+            });
+            expect(result.aborted).toBe(true);
+            expect(result.conflictPaths).toEqual(["halting.md"]);
+        });
+    });
     it("scoped push (plan-exceeds-grant): syncs the in-scope subset, skips out-of-scope paths, never aborts (feedback_ded09d56)", async () => {
         // Real case (look-optic): a FILE_ACL grant covered {knowledge,policies,
         // workers}/* + company.yaml, but the upload plan also contained
@@ -594,6 +730,39 @@ describe("share", () => {
         expect(errs[0].path).toBe("out-of-reach.md");
         expect(errs[0].message).toMatch(/outside granted ACL scope/i);
     });
+    it("a Forbidden HEAD (presigned-transport denial) skips the key — NEVER an unconditional PUT", async () => {
+        // Regression for the 2026-06-10..12 vault regression storm: the presigned
+        // transport used to map per-key denials and signed-GET 403s to `null`,
+        // which `processUploadItem` read as "no remote object" — skipping every
+        // conflict guard and blind-PUTting this machine's (possibly stale) bytes
+        // over a newer remote. The transport now throws `name: "Forbidden"`
+        // (SDK HeadObject parity); this locks the share side of that contract:
+        // a Forbidden HEAD must skip the key, emit a named error, and issue NO PUT.
+        const companyRoot = path.join(tmpDir, "companies", "acme");
+        fs.mkdirSync(companyRoot, { recursive: true });
+        const staleFile = path.join(companyRoot, "stale-local.md");
+        fs.writeFileSync(staleFile, "stale local bytes\n");
+        vi.mocked(headRemoteFile).mockImplementation(async () => {
+            const err = new Error("Access denied for stale-local.md: presigned HEAD returned 403");
+            err.name = "Forbidden";
+            throw err;
+        });
+        const events = [];
+        const result = await share({
+            paths: [staleFile],
+            company: "acme",
+            vaultConfig: mockConfig,
+            hqRoot: tmpDir,
+            onEvent: (e) => events.push(e),
+        });
+        // The one thing that must never happen: a PUT issued with unknown remote state.
+        expect(vi.mocked(uploadFile)).not.toHaveBeenCalled();
+        expect(result.filesUploaded).toBe(0);
+        expect(result.aborted).toBe(false);
+        const errs2 = events.filter((e) => e.type === "error");
+        expect(errs2).toHaveLength(1);
+        expect(errs2[0].path).toBe("stale-local.md");
+    });
     it("uploads (no conflict) when only the local side changed since last sync", async () => {
         // Regression for hq-cloud#<conflict-detection>: a local edit to a file
         // that exists on S3 used to trigger a push conflict because the
@@ -706,11 +875,12 @@ describe("share", () => {
             hqRoot: tmpDir,
             author: { userSub: "abc-123", email: "alice@example.com" },
         });
-        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "attribution.md", { userSub: "abc-123", email: "alice@example.com" });
+        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "attribution.md", { userSub: "abc-123", email: "alice@example.com" }, expect.anything());
     });
     it("omits author arg when not provided (back-compat)", async () => {
-        // share() must remain a 3-arg call to uploadFile when no author is
-        // configured — older test stubs and external integrations rely on it.
+        // With no author configured the author slot is undefined (the
+        // conditional-write fence appended a 5th arg in 6.9.0, so the legacy
+        // 3-arg shape grew to 5; author-less calls pass undefined explicitly).
         const companyRoot = path.join(tmpDir, "companies", "acme");
         fs.mkdirSync(companyRoot, { recursive: true });
         const testFile = path.join(companyRoot, "no-author.md");
@@ -721,7 +891,7 @@ describe("share", () => {
             vaultConfig: mockConfig,
             hqRoot: tmpDir,
         });
-        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "no-author.md");
+        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "no-author.md", undefined, expect.anything());
     });
     it("skipUnchanged=false (default) uploads even when hash matches", async () => {
         const companyRoot = path.join(tmpDir, "companies", "acme");
@@ -863,7 +1033,7 @@ describe("share", () => {
         expect(fetchMock).not.toHaveBeenCalled();
         // The S3 upload sees the pre-vended credentials, not freshly-vended ones.
         // (uploadFile is mocked, so we just verify it was called with our ctx.)
-        expect(uploadFile).toHaveBeenCalledWith(ctx, testFile, "from-appbar.md");
+        expect(uploadFile).toHaveBeenCalledWith(ctx, testFile, "from-appbar.md", undefined, expect.anything());
     });
     it("falls back to entityContext.slug when company is not specified", async () => {
         const companyRoot = path.join(tmpDir, "companies", "acme");
@@ -879,7 +1049,7 @@ describe("share", () => {
         expect(result.filesUploaded).toBe(1);
         // Confirms the relative-path scoping landed under acme even without an
         // explicit company arg.
-        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "no-company-arg.md");
+        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), testFile, "no-company-arg.md", undefined, expect.anything());
     });
     it("does NOT auto-refresh when entityContext is expiring soon (no vending source)", async () => {
         const companyRoot = path.join(tmpDir, "companies", "acme");
@@ -905,7 +1075,7 @@ describe("share", () => {
         expect(result.filesUploaded).toBe(1);
         expect(fetchMock).not.toHaveBeenCalled();
         // The original (still-valid-for-30s) credentials must have been used as-is.
-        expect(uploadFile).toHaveBeenCalledWith(expiringCtx, testFile, "race.md");
+        expect(uploadFile).toHaveBeenCalledWith(expiringCtx, testFile, "race.md", undefined, expect.anything());
     });
     it("throws when both vaultConfig and entityContext are provided (ambiguous)", async () => {
         const companyRoot = path.join(tmpDir, "companies", "acme");
@@ -1779,7 +1949,7 @@ describe("share", () => {
             skipUnchanged: true,
         });
         expect(uploadFile).toHaveBeenCalledTimes(1);
-        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), expect.stringContaining("real.md"), "skills/real.md");
+        expect(uploadFile).toHaveBeenCalledWith(expect.anything(), expect.stringContaining("real.md"), "skills/real.md", undefined, expect.anything());
         // Spy was called once total — the conflict mirror never reaches uploadFile.
         // (Asserted by count above; the explicit non-call below is defensive.)
         const calls = vi.mocked(uploadFile).mock.calls;
@@ -2184,7 +2354,7 @@ describe("share", () => {
                 journalSlug: "personal",
             });
             expect(result.filesUploaded).toBe(1);
-            expect(uploadFile).toHaveBeenCalledWith(expect.anything(), outsideFile, "stray.md");
+            expect(uploadFile).toHaveBeenCalledWith(expect.anything(), outsideFile, "stray.md", undefined, expect.anything());
         });
         it("uploads 0-byte files (e.g. .gitkeep placeholders)", async () => {
             // Regression for the bug where `projects/.gitkeep` (0 bytes) was
@@ -2205,7 +2375,7 @@ describe("share", () => {
                 journalSlug: "personal",
             });
             expect(result.filesUploaded).toBe(1);
-            expect(uploadFile).toHaveBeenCalledWith(expect.anything(), gitkeep, "projects/.gitkeep");
+            expect(uploadFile).toHaveBeenCalledWith(expect.anything(), gitkeep, "projects/.gitkeep", undefined, expect.anything());
         });
         it("personalMode=true + skipUnchanged honors the personal-journal hash", async () => {
             fs.mkdirSync(path.join(tmpDir, "knowledge"), { recursive: true });
@@ -2268,7 +2438,7 @@ describe("share", () => {
                 hqRoot: tmpDir,
             });
             expect(result.filesUploaded).toBe(1);
-            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), "target.md", "link.md");
+            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), "target.md", "link.md", undefined, expect.anything());
             // The link itself must NOT be uploaded as a regular file. Pre-fix,
             // fs.statSync(link) followed the link and uploadFile got called with
             // the link's path → cloud stored a copy of target.md's bytes under
@@ -2296,8 +2466,8 @@ describe("share", () => {
             // Pre-fix, walkDir's Dirent.isFile() returned false for the symlink and
             // it was silently dropped — only the real file was uploaded.
             expect(result.filesUploaded).toBe(2);
-            expect(uploadFile).toHaveBeenCalledWith(expect.anything(), realPolicy, "policies/real.md");
-            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), "real.md", "policies/link.md");
+            expect(uploadFile).toHaveBeenCalledWith(expect.anything(), realPolicy, "policies/real.md", undefined, expect.anything());
+            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), "real.md", "policies/link.md", undefined, expect.anything());
         });
         it("accepts a symlink inside the company folder even when its target lives outside", async () => {
             // Codex P2 follow-up: pre-fix, isWithin canonicalized the link
@@ -2322,7 +2492,7 @@ describe("share", () => {
             });
             warnSpy.mockRestore();
             expect(result.filesUploaded).toBe(1);
-            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), externalTarget, "knowledge");
+            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), externalTarget, "knowledge", undefined, expect.anything());
             // No "outside company folder" warning for this case.
             expect(warnSpy).not.toHaveBeenCalledWith(expect.stringMatching(/outside company folder/i));
         });
@@ -2375,7 +2545,7 @@ describe("share", () => {
             // symlink's journal hash differs from the regular-file hash.
             expect(result.filesUploaded).toBe(1);
             expect(result.filesSkipped).toBe(0);
-            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), target, "case-key.md");
+            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), target, "case-key.md", undefined, expect.anything());
         });
         it("includes a directory symlink whose only matching allowlist pattern is dir-only", async () => {
             // Codex round-6 P1 follow-up: pre-fix, walkDir called the filter
@@ -2409,7 +2579,7 @@ describe("share", () => {
             });
             // The symlink record uploaded; the sibling regular file did NOT.
             expect(result.filesUploaded).toBe(1);
-            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), externalTarget, "knowledge");
+            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), externalTarget, "knowledge", undefined, expect.anything());
             expect(uploadFile).not.toHaveBeenCalledWith(expect.anything(), expect.stringContaining("stray.md"), expect.anything());
         });
         it("does not recurse into directory symlinks (record-only)", async () => {
@@ -2432,7 +2602,7 @@ describe("share", () => {
             });
             // The link record itself uploads; the target's contents do NOT.
             expect(result.filesUploaded).toBe(1);
-            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), realDir, "linked-dir");
+            expect(uploadSymlink).toHaveBeenCalledWith(expect.anything(), realDir, "linked-dir", undefined, expect.anything());
             // Crucially, no upload of the dir's contents.
             const calls = vi.mocked(uploadFile).mock.calls;
             expect(calls.find((c) => c[2].includes("secret.md"))).toBeUndefined();