plugin: auto-detect R2 capability changes and document snapshot restore follow-up

Author: kavinsood

engineering/mobile-qa-checklist.md

@@ -17,6 +17,8 @@ This runbook is split into two runs:
   - rapid-fire markdown append burst coalesced to a single ingest/apply event
     in measured trace
   - OOB edit path remained stable (no tug-of-war, clean integrity diffs)
+  - snapshot attachment restore passed across two desktop vaults after R2
+    auto-enable
 
 ## Final holy QA completion (March 10, 2026)
 
@@ -29,6 +31,8 @@ Completed and validated:
 5. Filesystem bridge controls
 6. Checkpoint/journal truncation fallback
 7. Migration drill + mixed-version kill switch
+8. Snapshot creation, markdown restore, and attachment restore after R2
+   capability activation
 
 Final diagnostics outcome for latest desktop run:
 
@@ -276,6 +280,15 @@ Pass criteria:
 - selected attachment refs restore and download.
 - no legacy path corruption after restore.
 
+Completion note:
+
+- validated on March 10, 2026 in two-desktop pass:
+  - primary vault auto-detected R2 after redeploy while already open
+  - secondary vault auto-detected R2 on startup after redeploy
+  - manual snapshot created successfully
+  - restore executed on secondary vault with pre-restore backups
+  - final desktop vault trees matched after restore
+
 ### 10. Long-offline anti-resurrection
 
 1. Keep Device A offline.
@@ -328,3 +341,9 @@ Final diagnostics export on both devices.
 - Fail if post-v2 snapshot restore fails.
 - Fail if mixed-version guard accepts incompatible client.
 - Fail if storage-pressure failure is silent or unclassified.
+
+## Remaining optional proof after release gate
+
+- cold recovery-kit validation on a brand-new third vault remains optional
+  rather than blocking, because hydration + restore convergence already passed
+  across paired vaults

engineering/qa-history.md

@@ -20,12 +20,14 @@ Final validated outcomes:
   - attachment sync under stress (including retries and queue durability)
   - rapid file switching/editor binding self-heal behavior
   - checkpoint/journal truncation fallback convergence
-  - snapshot and anti-resurrection defenses
+  - snapshot creation, markdown restore, and anti-resurrection defenses
 - Focused follow-up pass passed:
   - rapid-fire filesystem append burst now coalesces to a single ingest/apply
     event in the measured run
   - out-of-band (OOB) edit behavior remains stable with no tug-of-war or
     integrity drift
+  - snapshot attachment restore now passes empirically across two desktop vaults
+    with post-restore convergence and pre-restore backups
 
 Final diagnostics in latest runs show:
 
@@ -171,6 +173,42 @@ Status:
     `upload: "bay.jpg" too large (11118966 bytes), skipping`
   - default max attachment size is 10 MB (10240 KB), and `bay.jpg` exceeds it.
 
+## Snapshot and recovery follow-up pass (March 10, 2026)
+
+Two-vault desktop pass using `attachment-test` and `attachment-test copy`
+validated the remaining snapshot/recovery surface:
+
+- R2 capability auto-enable passed in both lifecycle cases:
+  - primary vault was already open when the worker gained `YAOS_BUCKET`
+  - secondary vault was opened only after redeploy
+- attachment engine auto-started without manual refresh or manual toggle
+- initial attachment upload/download converged to `blobPathCount=4` on both
+  devices with empty queues
+- daily snapshot path fired automatically once R2 became available
+- manual snapshot creation succeeded
+- snapshot restore succeeded on the secondary vault with pre-restore backups
+- attachment restore from snapshot was manually verified and final vault trees
+  converged byte-for-byte across both desktops
+
+Evidence from exported diagnostics/traces:
+
+- primary vault:
+  - `/home/kavin/attachment-test/.obsidian/plugins/yaos/diagnostics/sync-diagnostics-2026-03-10T14-23-06-853Z-device-mmkp74h1.json`
+  - `/home/kavin/attachment-test/.obsidian/plugins/yaos/diagnostics/sync-diagnostics-2026-03-10T14-29-38-322Z-device-mmkp74h1.json`
+  - `/home/kavin/attachment-test/.obsidian/plugins/yaos/diagnostics/sync-diagnostics-2026-03-10T14-32-32-221Z-device-mmkp74h1.json`
+- secondary vault:
+  - `/home/kavin/attachment-test copy/.obsidian/plugins/yaos/diagnostics/sync-diagnostics-2026-03-10T14-30-29-710Z-device-second.json`
+  - `/home/kavin/attachment-test copy/.obsidian/plugins/yaos/diagnostics/sync-diagnostics-2026-03-10T14-32-38-698Z-device-second.json`
+  - `/home/kavin/attachment-test copy/.obsidian/plugins/yaos/logs/current-state.json`
+  - `/home/kavin/attachment-test copy/.obsidian/plugins/yaos/restore-backups/2026-03-10T14-32-33-577Z/Welcome.md`
+  - `/home/kavin/attachment-test copy/.obsidian/plugins/yaos/restore-backups/2026-03-10T14-32-33-577Z/wallpapers/quota.md`
+
+Observed residual noise:
+
+- one transient `missing-sync-facet` editor health flap appears in historical
+  trace on the secondary vault and self-heals immediately via repair; it did
+  not cause data drift, queue stalls, or restore failure.
+
 ## Run A completion (March 8, 2026)
 
 - Migration/divergence mini-run is completed and passes.
@@ -220,6 +258,7 @@ are optional hardening/soak tests:
 1. Extended long-duration mobile churn soak (30-60+ minutes)
 2. Additional low-storage device matrix coverage beyond simulated quota
 3. Additional UI polish checks for oversize-attachment messaging copy
+4. Optional cold recovery-kit proof on a brand-new third vault
 
 ## Operational QA guidance (development mode)
 

src/main.ts

@@ -61,6 +61,7 @@ const FAST_RECONNECT_MIN_INTERVAL_MS = 2_000;
 const MARKDOWN_DIRTY_SETTLE_MS = 350;
 const OPEN_FILE_EXTERNAL_EDIT_IDLE_GRACE_MS = 1200;
 const BOUND_RECOVERY_LOCK_MS = 1500;
+const CAPABILITY_REFRESH_INTERVAL_MS = 30_000;
 
 export default class VaultCrdtSyncPlugin extends Plugin {
 	settings: VaultSyncSettings = DEFAULT_SETTINGS;
@@ -161,6 +162,8 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 	private traceServerInFlight = false;
 	private recentServerTrace: unknown[] = [];
 	private serverCapabilities: ServerCapabilities | null = null;
+	private capabilityRefreshPromise: Promise<void> | null = null;
+	private lastCapabilityRefreshAt = 0;
 	private commandsRegistered = false;
 	private idbDegradedHandled = false;
 
@@ -312,6 +315,13 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 						void this.clearSavedBlobQueue();
 					}
 				}
+				const capabilityState = this.serverCapabilities;
+				const waitingForR2 =
+					!!this.settings.host &&
+					(!capabilityState || !capabilityState.attachments || !capabilityState.snapshots);
+				if (waitingForR2 && Date.now() - this.lastCapabilityRefreshAt >= CAPABILITY_REFRESH_INTERVAL_MS) {
+					void this.refreshServerCapabilities("background-poll");
+				}
 			}, 3000);
 			this.register(() => {
 				if (this.statusInterval) clearInterval(this.statusInterval);
@@ -501,6 +511,7 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 		if (!this.vaultSync) return;
 
 		this.log(`Running reconnect reconciliation (gen ${generation})`);
+		await this.refreshServerCapabilities("provider-sync");
 		this.validateAllOpenBindings(`reconnect-pre:${generation}`);
 
 		// Also import any untracked files from a previous conservative run
@@ -542,6 +553,7 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 			if (!this.vaultSync) return;
 			if (this.vaultSync.fatalAuthError) return;
 
+			void this.refreshServerCapabilities("app-foregrounded");
 			this.requestFastReconnect("app-foregrounded");
 		};
 
@@ -564,6 +576,7 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 		this.onlineHandler = () => {
 			this.log("Network online event — requesting fast reconnect");
 			this.scheduleTraceStateSnapshot("network-online");
+			void this.refreshServerCapabilities("network-online");
 			this.requestFastReconnect("network-online");
 		};
 
@@ -2303,6 +2316,14 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 			DEFAULT_SETTINGS,
 			data as Partial<VaultSyncSettings>,
 		);
+		let migratedSettings = false;
+		if (typeof data?.attachmentSyncExplicitlyConfigured !== "boolean") {
+			this.settings.attachmentSyncExplicitlyConfigured = data?.enableAttachmentSync === true;
+			if (data?.enableAttachmentSync !== true) {
+				this.settings.enableAttachmentSync = true;
+			}
+			migratedSettings = true;
+		}
 		// Load disk index from plugin data (stored under _diskIndex key)
 		if (data && typeof data._diskIndex === "object" && data._diskIndex !== null) {
 			this.diskIndex = data._diskIndex as DiskIndex;
@@ -2316,6 +2337,9 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 			this.savedBlobQueue = data._blobQueue as BlobQueueSnapshot;
 		}
 		this.refreshPersistedState();
+		if (migratedSettings) {
+			await this.persistPluginState();
+		}
 	}
 
 	async saveSettings() {
@@ -2451,9 +2475,25 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 		this.refreshStatusBar();
 	}
 
-	async refreshServerCapabilities(): Promise<void> {
+	async refreshServerCapabilities(reason = "manual"): Promise<void> {
+		if (this.capabilityRefreshPromise) {
+			return await this.capabilityRefreshPromise;
+		}
+
+		this.capabilityRefreshPromise = this.refreshServerCapabilitiesInner(reason)
+			.finally(() => {
+				this.capabilityRefreshPromise = null;
+			});
+		return await this.capabilityRefreshPromise;
+	}
+
+	private async refreshServerCapabilitiesInner(reason: string): Promise<void> {
+		this.lastCapabilityRefreshAt = Date.now();
+		const previous = this.serverCapabilities;
+
 		if (!this.settings.host) {
 			this.serverCapabilities = null;
+			await this.handleCapabilityChange(previous, null, reason);
 			return;
 		}
 
@@ -2463,6 +2503,55 @@ export default class VaultCrdtSyncPlugin extends Plugin {
 			this.serverCapabilities = null;
 			this.log(`Server capability probe failed: ${err}`);
 		}
+
+		await this.handleCapabilityChange(previous, this.serverCapabilities, reason);
+	}
+
+	private async handleCapabilityChange(
+		previous: ServerCapabilities | null,
+		next: ServerCapabilities | null,
+		reason: string,
+	): Promise<void> {
+		const prevAttachments = previous?.attachments ?? null;
+		const prevSnapshots = previous?.snapshots ?? null;
+		const nextAttachments = next?.attachments ?? null;
+		const nextSnapshots = next?.snapshots ?? null;
+		const changed =
+			prevAttachments !== nextAttachments ||
+			prevSnapshots !== nextSnapshots ||
+			previous?.authMode !== next?.authMode ||
+			previous?.claimed !== next?.claimed;
+		if (!changed) return;
+
+		this.log(
+			`Server capabilities updated (${reason}): ` +
+			`claimed=${next?.claimed ?? "unknown"} auth=${next?.authMode ?? "unknown"} ` +
+			`attachments=${nextAttachments ?? "unknown"} snapshots=${nextSnapshots ?? "unknown"}`,
+		);
+		this.scheduleTraceStateSnapshot(`capabilities:${reason}`);
+
+		if (this.vaultSync) {
+			await this.refreshAttachmentSyncRuntime(`capability-change:${reason}`);
+		}
+
+		const gainedR2 = prevAttachments === false && nextAttachments === true;
+		const lostR2 = prevAttachments === true && nextAttachments === false;
+		if (gainedR2) {
+			new Notice(
+				this.settings.enableAttachmentSync
+					? "YAOS: R2 backend detected. Attachments and snapshots are now available."
+					: "YAOS: R2 backend detected. Attachments and snapshots are available if you enable them in settings.",
+				7000,
+			);
+			if (this.vaultSync?.connected && this.vaultSync.providerSynced && this.serverSupportsSnapshots) {
+				void this.triggerDailySnapshot();
+			}
+		} else if (lostR2) {
+			new Notice(
+				"YAOS: R2 backend is unavailable. Attachment transfers are paused and snapshots are unavailable.",
+				7000,
+			);
+		}
 	}
 
 	private async handleSetupLink(params: Record<string, string>): Promise<void> {

src/settings.ts

@@ -34,6 +34,8 @@ export interface VaultSyncSettings {
 
 	/** Enable attachment (non-markdown) sync via R2 blob store. */
 	enableAttachmentSync: boolean;
+	/** True once the user has explicitly changed the attachment sync toggle. */
+	attachmentSyncExplicitlyConfigured: boolean;
 	/** Maximum attachment size in KB. Files larger are skipped. Default 10240 (10 MB). */
 	maxAttachmentSizeKB: number;
 	/** Number of parallel upload/download slots. */
@@ -56,7 +58,8 @@ export const DEFAULT_SETTINGS: VaultSyncSettings = {
 	excludePatterns: "",
 	maxFileSizeKB: 2048,
 	externalEditPolicy: "always",
-	enableAttachmentSync: false,
+	enableAttachmentSync: true,
+	attachmentSyncExplicitlyConfigured: false,
 	maxAttachmentSizeKB: 10240,
 	// requestUrl cannot be hard-aborted; default to 1 to avoid stacked zombie transfers.
 	attachmentConcurrency: 1,