fix(evidence-export): tighten S3 missing-object check to specific error codes

The blanket `httpStatusCode === 404` fallback in `isS3MissingObjectError`
misclassified `NoSuchBucket` (bucket misconfigured) as a per-attachment
missing object. That would have produced an export that completed
"successfully" with nothing but `_MISSING_*.txt` placeholders — worse than
failing outright, because the customer would have no idea their bundle
contains none of the actual evidence.

Now we only treat the specific error codes `NoSuchKey` and `NotFound` as
missing; everything else (including other 404s like `NoSuchBucket`) rethrows
and aborts the archive.

Added a regression test asserting NoSuchBucket aborts the archive rather
than producing a placeholder.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tofikwest

apps/api/src/tasks/evidence-export/evidence-attachment-streamer.ts

@@ -135,21 +135,18 @@ export async function appendAttachmentToArchive(params: {
 }
 
 /**
- * True only for "the object does not exist" — NoSuchKey or HTTP 404.
- * Everything else (AccessDenied, SlowDown, NetworkError, timeouts) is treated
- * as a real failure that should surface, not a silent skip.
+ * True only for "the object does not exist" — specifically `NoSuchKey` (or
+ * `NotFound` for HeadObject semantics). Anything else — including the other
+ * 404s like `NoSuchBucket`, or 403s like `AccessDenied` — is a real failure
+ * that must surface, not a silent per-attachment skip. A misconfigured bucket
+ * returning NoSuchBucket would otherwise produce an export full of placeholders
+ * that looks "successful" but contains none of the customer's evidence.
  */
 function isS3MissingObjectError(error: unknown): boolean {
   if (!error || typeof error !== 'object') return false;
-  const err = error as {
-    name?: string;
-    Code?: string;
-    $metadata?: { httpStatusCode?: number };
-  };
-  if (err.name === 'NoSuchKey' || err.name === 'NotFound') return true;
-  if (err.Code === 'NoSuchKey' || err.Code === 'NotFound') return true;
-  if (err.$metadata?.httpStatusCode === 404) return true;
-  return false;
+  const err = error as { name?: string; Code?: string };
+  const code = err.name ?? err.Code;
+  return code === 'NoSuchKey' || code === 'NotFound';
 }
 
 function buildMissingPlaceholder(

apps/api/src/tasks/evidence-export/evidence-export.service.spec.ts

@@ -267,6 +267,42 @@ describe('EvidenceExportService — streaming ZIPs', () => {
       expect(placeholder).toBeUndefined();
     });
 
+    it('aborts on NoSuchBucket (a 404 that is NOT a missing object)', async () => {
+      const attachments = [
+        {
+          id: 'att_bucket',
+          name: 'file.pdf',
+          url: 'org_1/attachments/task/tsk_123/file.pdf',
+          type: 'document',
+          createdAt: new Date(),
+        },
+      ];
+
+      // Bucket misconfiguration — returns HTTP 404 but must NOT be
+      // treated as a single missing attachment. Otherwise the export looks
+      // "successful" while silently containing only placeholders.
+      const noSuchBucketError = Object.assign(new Error('NoSuchBucket'), {
+        name: 'NoSuchBucket',
+        $metadata: { httpStatusCode: 404 },
+      });
+      (s3Client!.send as jest.Mock).mockRejectedValue(noSuchBucketError);
+      primeTaskQueries({ attachments });
+
+      const { archive } = await service.streamTaskEvidenceZip(
+        'org_1',
+        'tsk_123',
+      );
+      const mock = archive as unknown as MockArchive;
+
+      await expect(mock.finalized).rejects.toThrow('aborted');
+      expect(mock.abort).toHaveBeenCalled();
+
+      const placeholder = mock.appendCalls.find((c) =>
+        c.options.name.includes('_MISSING_'),
+      );
+      expect(placeholder).toBeUndefined();
+    });
+
     it('disambiguates duplicate filenames within attachments folder', async () => {
       const attachments = [
         {