
Cloud Sync GA

Goal

Users can run hq sync init → hq sync start and have their HQ files accessible from any device via the PWA at hq.indigoai.com.

Prerequisites

AWS Account

  • AWS account under IndigoAI organization
  • IAM admin user for SST deployment
  • AWS CLI configured with credentials
  • Budget alerts set ($50/month threshold)

Domain

  • hq.indigoai.com DNS configured
  • Route 53 hosted zone (or external DNS)
  • SSL certificate (ACM, auto-provisioned by SST)

Acceptance Criteria

AC-1: Infrastructure deploys cleanly

cd infra && npx sst deploy --stage prod

All resources created: Cognito pool, S3 bucket, API Gateway, Lambda functions, CloudFront distribution.

AC-2: Auth flow E2E

  1. User runs hq sync init
  2. Browser opens to hq.indigoai.com/auth
  3. User signs up with email
  4. Callback received on localhost:19847
  5. Credentials stored at ~/.hq/credentials.json
  6. User runs hq sync start — daemon starts successfully

AC-3: File sync works

  1. Create file in HQ: echo "test" > workspace/test.md
  2. File appears in S3 within 5 seconds
  3. File visible in PWA file browser
  4. Modify file locally → S3 updates
  5. Delete file locally → S3 removes

AC-4: PWA accessible

  1. Navigate to hq.indigoai.com
  2. Login with Cognito credentials
  3. Browse HQ directory structure
  4. View markdown files with rendering
  5. Install as PWA on phone home screen

AC-5: Daemon reliability

  • Daemon survives terminal close (detached process)
  • Daemon auto-recovers from network interruptions
  • 30-second heartbeat keeps state file current
  • hq sync status accurately reports health
  • Graceful shutdown on hq sync stop

AC-6: Rate limiting and quotas

  • Maximum 1000 files per sync batch
  • 50MB per-file size limit enforced
  • S3 request throttling handled with exponential backoff
  • User storage quota: 1GB initial (configurable)

Implementation Steps

  1. Deploy infra — sst deploy --stage prod
  2. Configure domain — DNS + SSL for hq.indigoai.com
  3. Deploy PWA — Build apps/web + deploy to CloudFront
  4. Test auth flow — Sign up, sign in, token refresh
  5. Test sync — Create/modify/delete files, verify S3
  6. Stress test daemon — Large file count (1000+), rapid changes, network drops
  7. Security audit — Verify user isolation, token handling, CORS
  8. Monitor — CloudWatch dashboards, error alerting

Risks

| Risk | Mitigation |
|---|---|
| AWS costs spike | Budget alerts, per-user quotas, request throttling |
| Credential expiry during long sync | Auto-refresh in S3 client, re-auth prompt |
| Race conditions in journal | File-level locking, atomic journal writes |
| Large HQ directories (10K+ files) | Batched sync, pagination, ignore patterns |
| Browser OAuth blocked by popup blocker | Fallback: manual code entry |

Security Checklist

  • STS credentials expire after 1 hour
  • Credentials file has 0600 permissions
  • User A cannot access User B’s files
  • JWT tokens validated on every API request
  • CORS restricted to known origins
  • No sensitive data in URL parameters
  • S3 bucket not publicly accessible
  • API rate limiting enabled
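
An added example, not code from the HQ project: one way a CLI could write ~/.hq/credentials.json so the 0600 item holds from the first byte, with an audit helper for the 0600 and 1-hour expiry items. The Node.js runtime, the function names and the `expiration` field are assumptions; the page does not describe the file's format.

```javascript
// Added example. Assumed credential layout: JSON with an ISO-8601 `expiration`.
const fs = require('node:fs');
const path = require('node:path');

const MAX_TTL_MS = 60 * 60 * 1000; // checklist: STS credentials expire after 1 hour

// Create the file with 0600 from the start, then rename it into place.
// Writing first and chmod-ing afterwards leaves a window in which the
// umask default (often 0644) exposes the secret to other local users.
function writeCredentials(file, creds) {
  const tmp = path.join(path.dirname(file), `.credentials.${process.pid}.tmp`);
  const fd = fs.openSync(tmp, 'wx', 0o600); // 'wx' fails if tmp already exists
  try {
    fs.fchmodSync(fd, 0o600); // explicit, independent of the process umask
    fs.writeFileSync(fd, JSON.stringify(creds));
    fs.fsyncSync(fd);
  } finally {
    fs.closeSync(fd);
  }
  fs.renameSync(tmp, file); // atomic replace on the same filesystem
}

// Returns a list of findings; an empty list means the file passes.
function auditCredentials(file, now = Date.now()) {
  const findings = [];
  const st = fs.lstatSync(file); // lstat: do not follow a planted symlink
  if (!st.isFile()) return ['not a regular file (symlink or other type)'];
  const mode = st.mode & 0o777;
  if (mode & 0o077) findings.push(`mode ${mode.toString(8)} grants group/other access`);
  if (typeof process.getuid === 'function' && st.uid !== process.getuid()) {
    findings.push('file is not owned by the current user');
  }
  const ttl = Date.parse(JSON.parse(fs.readFileSync(file, 'utf8')).expiration) - now;
  if (Number.isNaN(ttl)) findings.push('expiration missing or unparseable');
  else if (ttl <= 0) findings.push('credentials already expired');
  else if (ttl > MAX_TTL_MS) findings.push('expiration is more than 1 hour away');
  return findings;
}
```

Running auditCredentials against a real install during the security audit step gives a pass/fail list for the local half of the checklist; the S3, CORS and JWT items still need server-side checks.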

Definition of Done

  • hq sync init → hq sync start works on fresh install
  • PWA loads at hq.indigoai.com
  • Files sync bidirectionally within 5 seconds
  • Daemon runs reliably for 24+ hours
  • Security audit passes
  • Monitoring dashboards active