claude-nomad 0.23.0 → 0.25.0

package/CHANGELOG.md

@@ -1,5 +1,51 @@
 # Changelog
 
+## [0.25.0](https://github.com/funkadelic/claude-nomad/compare/v0.24.0...v0.25.0) (2026-05-25)
+
+
+### Added
+
+* **doctor:** add gitleaks version and mirror-Actions drift checks ([#125](https://github.com/funkadelic/claude-nomad/issues/125)) ([8a16e0c](https://github.com/funkadelic/claude-nomad/commit/8a16e0c274bb7b961c6fd2df9912874c572023ee))
+* **extras:** support a single root file as an extras entry ([#132](https://github.com/funkadelic/claude-nomad/issues/132)) ([6303b62](https://github.com/funkadelic/claude-nomad/commit/6303b62de84406da6a7fa2b7eb7af28a0473d0aa))
+
+
+### Fixed
+
+* **drop-session:** cascade unstage into subagent transcript directory ([#120](https://github.com/funkadelic/claude-nomad/issues/120)) ([7f10d51](https://github.com/funkadelic/claude-nomad/commit/7f10d5135a7eaa9b6e74fb1aa863506a7b914a09))
+* **push,update:** handle untracked extras in allow-list and fork merge ([#122](https://github.com/funkadelic/claude-nomad/issues/122)) ([e710a48](https://github.com/funkadelic/claude-nomad/commit/e710a48973a7c4e7479a9671d5891458a182dac7))
+* **update:** skip push prompt when fork merge is a no-op ([#123](https://github.com/funkadelic/claude-nomad/issues/123)) ([77fdb20](https://github.com/funkadelic/claude-nomad/commit/77fdb20244a096e44a1fecd0a283e3401a78972d))
+
+
+### Changed
+
+* pin workflow actions to SHAs and drop persisted CI credentials ([#130](https://github.com/funkadelic/claude-nomad/issues/130)) ([b60109c](https://github.com/funkadelic/claude-nomad/commit/b60109c0cbb5dff1b13c4155cc12c3d98ce1b141))
+
+
+### Documentation
+
+* add CONTRIBUTING, PR template, and SECURITY policy ([#131](https://github.com/funkadelic/claude-nomad/issues/131)) ([774eb58](https://github.com/funkadelic/claude-nomad/commit/774eb58a36af032f7d1cd109d59f313c4ff6affa))
+* lead README with a benefit-first pitch ([#133](https://github.com/funkadelic/claude-nomad/issues/133)) ([289e299](https://github.com/funkadelic/claude-nomad/commit/289e2994fd7dffb10818fe02aad64b193ad800b6))
+* **readme:** foreground secret-safety in the intro ([#126](https://github.com/funkadelic/claude-nomad/issues/126)) ([e661e9f](https://github.com/funkadelic/claude-nomad/commit/e661e9f02247fc30630fd90d5facc65aa7b4f2a0))
+
+
+### Dependencies
+
+* bump SonarSource/sonarqube-scan-action from 8.0.0 to 8.1.0 ([#127](https://github.com/funkadelic/claude-nomad/issues/127)) ([603f20d](https://github.com/funkadelic/claude-nomad/commit/603f20d9a22528c8df19d328c91a02012690836c))
+* bump the dev-dependencies group across 1 directory with 2 updates ([#128](https://github.com/funkadelic/claude-nomad/issues/128)) ([50b1b87](https://github.com/funkadelic/claude-nomad/commit/50b1b87b7288eed60280843504e6ccc2598f10b0))
+* bump tsx from 4.22.2 to 4.22.3 in the prod-dependencies group ([#129](https://github.com/funkadelic/claude-nomad/issues/129)) ([a7ada00](https://github.com/funkadelic/claude-nomad/commit/a7ada000ec2d3dbee132c7b61dc207012e53c1c3))
+
+## [0.24.0](https://github.com/funkadelic/claude-nomad/compare/v0.23.0...v0.24.0) (2026-05-24)
+
+
+### Added
+
+* **doctor:** add --check-shared preflight gitleaks scan ([#117](https://github.com/funkadelic/claude-nomad/issues/117)) ([0089d09](https://github.com/funkadelic/claude-nomad/commit/0089d09ef91ff7b6778b065bcfe8be97f4c54d1b))
+
+
+### Documentation
+
+* **readme:** document nomad doctor --check-shared preflight ([#119](https://github.com/funkadelic/claude-nomad/issues/119)) ([d08ed91](https://github.com/funkadelic/claude-nomad/commit/d08ed91bbfd4c976f56c510b086e375c4595e682))
+
 ## [0.23.0](https://github.com/funkadelic/claude-nomad/compare/v0.22.3...v0.23.0) (2026-05-23)
 
 

package/README.md

@@ -6,17 +6,17 @@
 
 ![claude-nomad - Sync your Claude Code setup. Same environment. Any machine.](docs/hero.svg)
 
-Claude Code's state is per-machine. Your `CLAUDE.md`, custom agents, skills, slash commands, settings, and session history live in `~/.claude/` and don't follow you to your laptop, your work machine, or your homelab box.
+**Your entire Claude Code setup, on every machine. History included, secrets excluded.**
 
-claude-nomad keeps all of it in sync through a private Git repo you control. `nomad push` on one machine, `nomad pull` on another, and your full setup is there, including past sessions you can resume.
+Open Claude Code on a second machine and it is a blank slate: none of your custom agents, slash commands, tuned settings, or past conversations. claude-nomad keeps all of it in sync through a private Git repo you control. `nomad push` on one machine, `nomad pull` on the next, and everything is there, conversations included.
 
-**Who this is for:** anyone running Claude Code on more than one machine. A laptop and a desktop, a Mac and a WSL box, a personal rig and a work machine, or any combination. If you've ever felt the friction of starting fresh on a second machine or copying files around by hand, this is for you.
+- **Resume your sessions on any machine.** Start a conversation on your desktop and pick it up on your laptop. claude-nomad remaps the file paths Claude Code embeds in every transcript, so your history follows you instead of getting stranded on the box where it started.
+- **Private by default.** Your `~/.claude/` also holds OAuth tokens, MCP credentials, and the full text of every conversation. Every push is secret-scanned before it leaves your machine, credentials and ephemeral state never sync, and `nomad init` disables CI on your private mirror by default, so transcripts can't leak through Actions logs.
+- **One setup, every machine.** Your agents, skills, slash commands, and settings live in one place and follow you everywhere. Per-machine tweaks like model choice, MCP URLs, and env vars merge on top instead of clobbering your shared defaults.
 
-Three things it does that ad-hoc dotfiles syncing can't:
+Not dotfiles, not rsync. claude-nomad understands Claude Code's state, so your session history survives different file paths and your secrets never ride along.
 
-- **Session history survives path differences.** The same project at `/Users/norm/code/foo` on your Mac and `/home/norm/foo` on Linux gets remapped automatically, so `claude --resume` finds your past conversations on whichever machine you're on.
-- **Per-host settings via deep merge.** Shared defaults live in one file; machine-specific overrides (model choice, MCP server URLs, env vars, hooks) live in a per-host file. They're merged on every pull instead of overwriting each other.
-- **Per-project content rides along, opt-in.** Whitelisted directories at a project's root (declared via `path-map.json`'s `extras` field) sync alongside session transcripts, so project-attached state like `.planning/` follows you across hosts. Off by default; projects without an `extras` entry behave exactly as before.
+For anyone running Claude Code on more than one machine: a laptop and a desktop, a Mac and a WSL box, a personal rig and a work machine. [Get started in three steps.](#quickstart)
 
 ## Table of contents
 
@@ -114,7 +114,7 @@ By default the CLI operates on `~/claude-nomad/` (see `REPO_HOME` in `src/config
 │   ├── commands/
 │   ├── rules/
 │   ├── my-statusline.cjs     # any script you want symlinked into ~/.claude/
-│   ├── .gitignore            # defense-in-depth: blocks .claude.json, settings.local.json, *.token, *.key, .env
+│   ├── .gitignore            # defense-in-depth: blocks .claude.json, settings.local.json, *.token, *.key, *.pem, id_rsa, id_ed25519, .env, .env.*
 │   ├── projects/             # session transcripts under logical names
 │   └── extras/               # opt-in per-project content (materializes when path-map.json declares extras)
 ├── hosts/
@@ -127,14 +127,14 @@ By default the CLI operates on `~/claude-nomad/` (see `REPO_HOME` in `src/config
 
 ## What gets synced vs. not
 
-| Category               | Items                                                                                                                                                                                                                                     | Behavior                                                                                                                                                                                   |
-| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| **Synced**             | `CLAUDE.md`, `agents/`, `skills/`, `commands/`, `rules/`, `my-statusline.cjs`                                                                                                                                                             | Symlinked into `~/.claude/` from `shared/` (see `SHARED_LINKS` in `src/config.ts`).                                                                                                        |
-| **Generated**          | `settings.json`                                                                                                                                                                                                                           | Deep-merge of `settings.base.json` with `hosts/<hostname>.json`. Rewritten on every pull.                                                                                                  |
-| **Remapped**           | `projects/` session transcripts                                                                                                                                                                                                           | Copied with path translation per `path-map.json`.                                                                                                                                          |
-| **Per-project extras** | `<localRoot>/.planning/` and other directories whitelisted by `SUPPORTED_EXTRAS` in `src/config.ts`                                                                                                                                       | Opt-in via the `extras` field in `path-map.json`. Mirrored to/from `shared/extras/<logical>/<dirname>/`. Pre-pull divergence WARN flags local edits before they get overwritten.           |
-| **Never synced**       | `~/.claude.json` (OAuth, MCP state), `history.jsonl`, `settings.local.json` (per-host overrides), `stats-cache.json`, `todos/`, `shell-snapshots/`, `debug/`, `file-history/`, `plans/`, `session-env/`, `statsig/`, `telemetry/`, `ide/` | Per-host ephemeral state.                                                                                                                                                                  |
-| **Auto-rehydrated**    | `~/.claude/plugins/cache/<plugin>/...`                                                                                                                                                                                                    | Plugin payloads not synced. Claude Code re-downloads them on first use from the `enabledPlugins` list in the regenerated `settings.json`; no manual `claude plugins install ...` per host. |
+| Category               | Items                                                                                                                                                                                                                                     | Behavior                                                                                                                                                                                                        |
+| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Synced**             | `CLAUDE.md`, `agents/`, `skills/`, `commands/`, `rules/`, `my-statusline.cjs`                                                                                                                                                             | Symlinked into `~/.claude/` from `shared/` (see `SHARED_LINKS` in `src/config.ts`).                                                                                                                             |
+| **Generated**          | `settings.json`                                                                                                                                                                                                                           | Deep-merge of `settings.base.json` with `hosts/<hostname>.json`. Rewritten on every pull.                                                                                                                       |
+| **Remapped**           | `projects/` session transcripts                                                                                                                                                                                                           | Copied with path translation per `path-map.json`.                                                                                                                                                               |
+| **Per-project extras** | `<localRoot>/.planning/` and other directories, or a single root file like `CLAUDE.md`, whitelisted by `SUPPORTED_EXTRAS` in `src/config.ts`                                                                                              | Opt-in via the `extras` field in `path-map.json`. Mirrored to/from `shared/extras/<logical>/<name>` (directory subtree or single file). Pre-pull divergence WARN flags local edits before they get overwritten. |
+| **Never synced**       | `~/.claude.json` (OAuth, MCP state), `history.jsonl`, `settings.local.json` (per-host overrides), `stats-cache.json`, `todos/`, `shell-snapshots/`, `debug/`, `file-history/`, `plans/`, `session-env/`, `statsig/`, `telemetry/`, `ide/` | Per-host ephemeral state.                                                                                                                                                                                       |
+| **Auto-rehydrated**    | `~/.claude/plugins/cache/<plugin>/...`                                                                                                                                                                                                    | Plugin payloads not synced. Claude Code re-downloads them on first use from the `enabledPlugins` list in the regenerated `settings.json`; no manual `claude plugins install ...` per host.                      |
 
 > [!NOTE]
 > Plugins that depend on host-specific state (external binaries, API keys in env, MCP server URLs) still need that side set up on each host. Put them in `hosts/<host>.json` or the plugin's own per-host config.
@@ -145,7 +145,7 @@ For the rationale behind these choices, see [What does NOT sync (deliberate trad
 
 The hard problem: Claude Code stores sessions in `~/.claude/projects/<encoded-path>/` where the encoded path is the absolute path with `/` replaced by `-`. So the same logical project ends up in different directories on each host.
 
-`path-map.json` defines logical names and where the repo lives on each host. The optional `extras` block opts a project into syncing whitelisted directories at its root:
+`path-map.json` defines logical names and where the repo lives on each host. The optional `extras` block opts a project into syncing whitelisted directories (or a single root file) at its root:
 
 ```json
 {
@@ -157,7 +157,7 @@ The hard problem: Claude Code stores sessions in `~/.claude/projects/<encoded-pa
     }
   },
   "extras": {
-    "ha-acwd": [".planning"]
+    "ha-acwd": [".planning", "CLAUDE.md"]
   }
 }
 ```
@@ -169,7 +169,7 @@ Use the literal string `"TBD"` for hosts you haven't onboarded yet; `remapPull`
 
 On `push`, sessions in `~/.claude/projects/-Users-you-code-ha-acwd/` get copied to `shared/projects/ha-acwd/`. On `pull` on another machine, they get copied to that host's encoded path. `claude --resume` then finds them (see [What does NOT sync (deliberate trade-offs)](#what-does-not-sync-deliberate-trade-offs) for the cross-OS cwd-binding gotcha).
 
-The `extras` block is additive and back-compatible: legacy `path-map.json` files without it continue to work unchanged. Each value is an array of directory names validated against `SUPPORTED_EXTRAS` in `src/config.ts`; values outside the whitelist are skipped with a log line so an unrecognized name cannot widen the sync surface. On `push`, opted-in directories at `<localRoot>/<dirname>/` are copied to `shared/extras/<logical>/<dirname>/` and inherit the staged-tree gitleaks scan. On `pull`, the reverse copy runs after `git pull --rebase`; just before it overwrites your working tree, a divergence check compares the incoming content against your local copy and emits a per-file WARN naming the diverging files. The existing local content is backed up to `~/.cache/claude-nomad/backup/<ts>/extras/<encoded-localRoot>/<rel>/` before the pull copy lands (`<encoded-localRoot>` is the `localRoot` with `/` rewritten as `-`, so two opted-in projects with the same relative extras path do not collide in one backup run).
+The `extras` block is additive and back-compatible: legacy `path-map.json` files without it continue to work unchanged. Each value is an array of directory or root-file names (e.g. `.planning`, `CLAUDE.md`) validated against `SUPPORTED_EXTRAS` in `src/config.ts`; values outside the whitelist are skipped with a log line so an unrecognized name cannot widen the sync surface. On `push`, opted-in content at `<localRoot>/<name>` (a directory subtree or a single file) is copied to `shared/extras/<logical>/<name>` and inherits the staged-tree gitleaks scan. On `pull`, the reverse copy runs after `git pull --rebase`; just before it overwrites your working tree, a divergence check compares the incoming content against your local copy and emits a per-file WARN naming the diverging files. The existing local content is backed up to `~/.cache/claude-nomad/backup/<ts>/extras/<encoded-localRoot>/<rel>/` before the pull copy lands (`<encoded-localRoot>` is the `localRoot` with `/` rewritten as `-`, so two opted-in projects with the same relative extras path do not collide in one backup run).
 
 ## Per-host overrides
 
@@ -206,7 +206,7 @@ Read these before adopting so you opt in with eyes open.
 - **Manual push/pull.** No file watcher. Shell hooks recommended.
 - **OAuth doesn't sync.** You'll log in once per host. Intentional.
 - **Only sessions in `path-map.json` are remapped.** Drive-by sessions on un-mapped paths are left alone.
-- **Extras are opt-in and whitelisted.** Projects without an `extras` entry in `path-map.json` are unaffected. Dirnames outside `SUPPORTED_EXTRAS` are skipped with a `skip ... not in SUPPORTED_EXTRAS` log line so an unrecognized name cannot widen the sync surface. Unsafe path-map values (path-traversal in `logical` keys, non-absolute or unnormalized `localRoot` values) FATAL before any filesystem mutation via `assertSafeLogical` / `assertSafeLocalRoot` in `src/extras-sync.ts`.
+- **Extras are opt-in and whitelisted.** Projects without an `extras` entry in `path-map.json` are unaffected. Names (a directory or a single root file) outside `SUPPORTED_EXTRAS` are skipped with a `skip ... not in SUPPORTED_EXTRAS` log line so an unrecognized name cannot widen the sync surface. Unsafe path-map values (path-traversal in `logical` keys, non-absolute or unnormalized `localRoot` values) FATAL before any filesystem mutation via `assertSafeLogical` / `assertSafeLocalRoot` in `src/extras-sync.ts`.
 - **Cross-OS `claude --resume` cwd binding.** Sessions embed the cwd where they were created, so the picker's `cd ... && claude --resume <id>` line fails on a different host. Use `nomad doctor --resume-cmd <id>` for a host-local equivalent (see [Cross-OS resume](#cross-os-resume)). The sidecar approach preserves transcript byte-equality.
 - **Empty directories don't survive sync.** Git doesn't track empty dirs; `nomad doctor` reports them as `missing` (benign). Drop a `.gitkeep` to force materialization.
 
@@ -287,10 +287,11 @@ nomad init --keep-actions
 Edit `path-map.json` to add your logical projects (see [Path remapping](#path-remapping)), then:
 
 ```bash
-nomad doctor     # read-only state check; reports host, repo state, every check as ✓ (pass) / ✗ (fail) / ⚠︎ (warn)
-nomad diff       # preview what nomad pull would change on this host; no lock, no network, no mutation
-nomad push       # send current state to the private remote
-nomad pull       # apply on another host (or this one after a remote update)
+nomad doctor                # read-only state check; reports host, repo state, every check as ✓ (pass) / ✗ (fail) / ⚠︎ (warn)
+nomad doctor --check-shared # read-only gitleaks preflight over the session transcripts a push would stage
+nomad diff                  # preview what nomad pull would change on this host; no lock, no network, no mutation
+nomad push                  # send current state to the private remote
+nomad pull                  # apply on another host (or this one after a remote update)
 ```
 
 `nomad pull --dry-run` is the network-aware twin of `nomad diff`: it acquires the lock and runs `git pull` so you see what the next real pull would do given the latest remote, then exits without mutating.
@@ -333,9 +334,9 @@ nomad update
 `nomad update` (see `cmdUpdate` in `src/commands.update.ts`) detects which layout your `~/claude-nomad/` uses and does the right thing:
 
 - **vanilla** (`origin` points at the public repo): `git pull --ff-only origin main`.
-- **fork** (`upstream` points at the public repo, `origin` points at your private mirror): `git fetch upstream`, `git merge upstream/main`, then prompt before pushing the merge to `origin/main`. Pass `--push-origin` to skip the prompt.
+- **fork** (`upstream` points at the public repo, `origin` points at your private mirror): `git fetch upstream`, then (before merging) commit any whitelisted `shared/extras/` content that is still untracked locally so an overlap with upstream becomes a normal file merge instead of an untracked-overwrite abort, `git merge upstream/main`, then prompt before pushing the merge to `origin/main`. Pass `--push-origin` to skip the prompt. When the merge is a no-op (HEAD unchanged, nothing new to push) the prompt is skipped entirely and `nomad update` logs `already in sync with origin/main`.
 
-Pre-flight checks run before any mutation: `REPO_HOME` exists, topology resolves to `vanilla` or `fork`, current branch is `main`, working tree is clean per `git status --porcelain -z` (override with `--force`), and `--push-origin` is rejected on vanilla topology. After the merge or pull, `nomad update` re-runs `npm install` only when `package-lock.json` actually shifted, then invokes `nomad doctor`. The trailing version-check is non-fatal: `✓` when local matches the latest release, `⚠︎` when behind, an informational `ℹ︎ ... ahead of latest release` line when ahead (e.g. a `-dev` build between releases), and silent on network failures.
+Pre-flight checks run before any mutation: `REPO_HOME` exists, topology resolves to `vanilla` or `fork`, current branch is `main`, working tree is clean per `git status --porcelain -z` (override with `--force`), and `--push-origin` is rejected on vanilla topology. After the merge or pull, `nomad update` re-runs `npm install` only when `package-lock.json` actually shifted, commits the regenerated `package-lock.json` (fork topology) if the reinstall changed it, then invokes `nomad doctor`. The trailing version-check is non-fatal: `✓` when local matches the latest release, `⚠︎` when behind, an informational `ℹ︎ ... ahead of latest release` line when ahead (e.g. a `-dev` build between releases), and silent on network failures.
 
 Common cases:
 
@@ -358,24 +359,27 @@ If you installed an earlier version via `./install.sh` and a shell alias (the pr
 
 ## Commands
 
-| Command                          | Description                                                                                                                                                                                                             |
-| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `nomad init`                     | Scaffold empty `shared/`, `hosts/`, `path-map.json` on a fresh clone. Refuses to clobber existing scaffold. Auto-disables Actions on a detected private GitHub mirror (see [Privacy by default](#privacy-by-default)).  |
-| `nomad init --snapshot`          | Overlay current host's `~/.claude/` into `shared/` and write `~/.claude/settings.json` verbatim into `hosts/<NOMAD_HOST>.json`. Originals not modified. Same auto-disable behavior as `nomad init`.                     |
-| `nomad init --keep-actions`      | Skip the auto-disable. Combinable with `--snapshot`. Use when an upstream org policy already governs Actions, or you intentionally want CI on the private mirror.                                                       |
-| `nomad pull`                     | `git pull --rebase --autostash`, apply symlinks, regenerate `settings.json`, remap session paths, and pull opted-in per-project extras. FATAL if scaffold missing.                                                      |
-| `nomad pull --dry-run`           | Network-aware preview: acquire lock + `git pull --rebase`, print planned changes (symlink moves, `settings.json` diff, transcript overwrites), exit without writing.                                                    |
-| `nomad diff`                     | Offline, lockless twin of `pull --dry-run`. No network, no lock. Works against the current local repo state.                                                                                                            |
-| `nomad push`                     | Export local sessions and opted-in per-project extras to logical names, commit (`chore: sync from <NOMAD_HOST>`), push.                                                                                                 |
-| `nomad push --dry-run`           | Run pre-push safety checks (gitleaks probe, rebase, remap preview, gitlink scan, allow-list); skip stage, scan, commit, and push.                                                                                       |
-| `nomad drop-session <id>`        | Surgically unstage every `shared/projects/*/<id>.jsonl` from the staged tree of `~/claude-nomad/`. Idempotent; the local `~/.claude/projects/<encoded>/<id>.jsonl` is preserved. See [Recovery flows](#recovery-flows). |
-| `nomad update`                   | Topology-aware upgrade to the latest upstream. Flags: `--dry-run`, `--force`, `--push-origin`. See [Upgrading the tool](#upgrading-the-tool).                                                                           |
-| `nomad doctor`                   | Read-only health check. Each line carries a status glyph (`✓` pass, `✗` fail, `⚠︎` warn); any `✗` sets `process.exitCode = 1` (`⚠︎` does not). Includes an offline-tolerant release-version staleness check.              |
-| `nomad doctor --resume-cmd <id>` | Print a host-local `cd ... && claude --resume <id>` line for a session (see [Cross-OS resume](#cross-os-resume)).                                                                                                       |
-| `nomad --version`                | Print the installed CLI version as bare semver to stdout; exits 0. Used by the npm-publish smoke test and useful for ad-hoc upgrade checks.                                                                             |
+| Command                          | Description                                                                                                                                                                                                                                                                                                                                              |
+| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `nomad init`                     | Scaffold empty `shared/`, `hosts/`, `path-map.json` on a fresh clone. Refuses to clobber existing scaffold. Auto-disables Actions on a detected private GitHub mirror (see [Privacy by default](#privacy-by-default)).                                                                                                                                   |
+| `nomad init --snapshot`          | Overlay current host's `~/.claude/` into `shared/` and write `~/.claude/settings.json` verbatim into `hosts/<NOMAD_HOST>.json`. Originals not modified. Same auto-disable behavior as `nomad init`.                                                                                                                                                      |
+| `nomad init --keep-actions`      | Skip the auto-disable. Combinable with `--snapshot`. Use when an upstream org policy already governs Actions, or you intentionally want CI on the private mirror.                                                                                                                                                                                        |
+| `nomad pull`                     | `git pull --rebase --autostash`, apply symlinks, regenerate `settings.json`, remap session paths, and pull opted-in per-project extras. FATAL if scaffold missing.                                                                                                                                                                                       |
+| `nomad pull --dry-run`           | Network-aware preview: acquire lock + `git pull --rebase`, print planned changes (symlink moves, `settings.json` diff, transcript overwrites), exit without writing.                                                                                                                                                                                     |
+| `nomad diff`                     | Offline, lockless twin of `pull --dry-run`. No network, no lock. Works against the current local repo state.                                                                                                                                                                                                                                             |
+| `nomad push`                     | Export local sessions and opted-in per-project extras to logical names, commit (`chore: sync from <NOMAD_HOST>`), push.                                                                                                                                                                                                                                  |
+| `nomad push --dry-run`           | Run pre-push safety checks (gitleaks probe, rebase, remap preview, gitlink scan, allow-list); skip stage, scan, commit, and push.                                                                                                                                                                                                                        |
+| `nomad drop-session <id>`        | Surgically unstage every `shared/projects/*/<id>.jsonl` and the sibling `shared/projects/*/<id>/` subagent directory from the staged tree of `~/claude-nomad/`. Idempotent; the local `~/.claude/projects/<encoded>/<id>.jsonl` and `<id>/` tree are preserved. See [Recovery flows](#recovery-flows).                                                   |
+| `nomad update`                   | Topology-aware upgrade to the latest upstream. Flags: `--dry-run`, `--force`, `--push-origin`. See [Upgrading the tool](#upgrading-the-tool).                                                                                                                                                                                                            |
+| `nomad doctor`                   | Read-only health check. Each line carries a status glyph (`✓` pass, `✗` fail, `⚠︎` warn); any `✗` sets `process.exitCode = 1` (`⚠︎` does not). Includes an offline-tolerant release-version staleness check plus two `⚠︎`-only drift checks: gitleaks version drift and, on a private GitHub mirror, re-enabled Actions.                                    |
+| `nomad doctor --resume-cmd <id>` | Print a host-local `cd ... && claude --resume <id>` line for a session (see [Cross-OS resume](#cross-os-resume)).                                                                                                                                                                                                                                        |
+| `nomad doctor --check-shared`    | Read-only gitleaks preflight: stages the session transcripts a `push` would publish into a temp tree and scans them, failing (`✗`, exit 1) per affected session with rotate-and-scrub guidance. Skips with a `⚠︎` when gitleaks is not on PATH. See [Recovery flow: gitleaks FATAL on a session JSONL](#recovery-flow-gitleaks-fatal-on-a-session-jsonl). |
+| `nomad --version`                | Print the installed CLI version as bare semver to stdout; exits 0. Used by the npm-publish smoke test and useful for ad-hoc upgrade checks.                                                                                                                                                                                                              |
 
 The version-check emits ``⚠︎ version: <local> -> <latest> (run `nomad update`)`` when the local install is behind the latest upstream release, and `✓ version: <local> (latest)` when current. It silently skips on network failures.
 
+Two further `⚠︎`-only drift checks run in `nomad doctor`. The gitleaks version-drift line `⚠︎ gitleaks: <local> -> <pinned> (...)` fires when the local gitleaks major.minor differs from the CI-pinned `GITLEAKS_PINNED_VERSION` (gitleaks rule and allowlist behavior tracks the minor line, so a patch-only difference stays `✓`), and is silent when gitleaks is not on PATH. The mirror-Actions line (carrying a `gh api -X PUT repos/<owner>/<repo>/actions/permissions -F enabled=false` remediation hint) fires when origin is a private GitHub mirror that is gh-authed with Actions re-enabled, complementing the auto-disable that runs on `nomad init` (see [Privacy by default](#privacy-by-default)); it is silent on every prerequisite miss (non-GitHub origin, `gh` unauthed, public repo, or Actions already off).
+
 Every `nomad pull`, `nomad push`, and `nomad diff` run ends with a single `summary:` line. The status glyph (`✓` green / `⚠︎` yellow / `✗` red / `ℹ︎` dim) carries the severity, mirroring `nomad doctor`'s left-gutter format:
 
 ```text
@@ -390,7 +394,7 @@ Every `nomad pull`, `nomad push`, and `nomad diff` run ends with a single `summa
 
 ### `nomad drop-session <id>`
 
-Surgically unstages every `shared/projects/*/<id>.jsonl` from the staged tree of `~/claude-nomad/`. The local `~/.claude/projects/<encoded>/<id>.jsonl` is never touched.
+Surgically unstages every `shared/projects/*/<id>.jsonl` plus the sibling `shared/projects/*/<id>/` subagent directory (whose nested transcripts are keyed by the same session id) from the staged tree of `~/claude-nomad/`. The local `~/.claude/projects/<encoded>/<id>.jsonl` and the local `<id>/` tree are never touched.
 
 ```bash
 nomad drop-session <id>
@@ -398,18 +402,18 @@ nomad drop-session <id>
 
 Single positional id (the session filename minus `.jsonl`). Anything else (missing id, leading dash, extra arg) exits 1 with a `usage:` line.
 
-For each match in the staged tree, `cmdDropSession` (in `src/commands.drop-session.ts`) classifies the entry as tracked-in-HEAD vs newly-staged and unstages it via `git restore --staged --worktree --` or `git rm --cached -f --` respectively. Idempotent: a second run on the same id sees no matching staged file and exits 0.
+For each match in the staged tree, `cmdDropSession` (in `src/commands.drop-session.ts`) classifies the entry as tracked-in-HEAD vs newly-staged and unstages it via `git restore --staged --worktree --` or `git rm --cached -f --` respectively. The `<id>/` subagent directory is expanded into its staged entries via `git ls-files -z` so every nested transcript flows through the same per-entry classification; a session that has only a subagent directory (no flat `<id>.jsonl`) is still droppable. Idempotent: a second run on the same id sees no matching staged entries and exits 0.
 
 Exit codes:
 
 - `0` on any drop, including an idempotent re-run.
-- `1` with `✗ no staged session matches <id>` on stderr when no `shared/projects/*/<id>.jsonl` matches.
+- `1` with `✗ no staged session matches <id>` on stderr when neither a `shared/projects/*/<id>.jsonl` nor a `shared/projects/*/<id>/` directory with staged entries matches.
 
-What it does NOT do: touch the local `~/.claude/projects/<encoded>/<id>.jsonl` file. The local copy is preserved for `claude --resume`, grep recovery, or whatever the user wants. If the underlying secret is real, scrub the local file separately.
+What it does NOT do: touch the local `~/.claude/projects/<encoded>/<id>.jsonl` file or the local `<id>/` subagent tree. The local copies are preserved for `claude --resume`, grep recovery, or whatever the user wants. If the underlying secret is real, scrub the local files separately.
 
 ### Recovery flow: gitleaks FATAL on a session JSONL
 
-`nomad push` runs `gitleaks protect --staged` before commit. When findings live in a session transcript, the FATAL names every affected session id and the recovery command:
+`nomad push` runs `gitleaks protect --staged` before commit. To catch the same findings before you push (and without mutating anything), run the read-only preflight `nomad doctor --check-shared`, which stages and scans the exact transcripts a push would publish. When findings live in a session transcript, the push FATAL names every affected session id and the recovery command:
 
 ```text
 ✗ gitleaks detected secrets in 1 session transcript(s).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.23.0",
+  "version": "0.25.0",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [

package/src/commands.doctor.check-shared.ts

@@ -0,0 +1,309 @@
+/**
+ * Owns the `nomad doctor --check-shared` preflight reporter.
+ *
+ * Read-only diagnostic that runs gitleaks against the LOCAL session
+ * transcripts `nomad push` would stage (each path-map entry mapped to this
+ * host), surfacing secret leaks BEFORE the push pipeline fires. Mirrors the
+ * push-time scan (`runGitleaksScan` in `./push-gitleaks.ts`) but: scans a
+ * temp COPY of the live transcripts (never the live dir), uses the
+ * purpose-built `gitleaks dir` subcommand, and emits doctor-flavored glyph
+ * rows + `process.exitCode` instead of throwing a push-flavored FATAL.
+ *
+ * Composition only: reuses `partitionFindings` / `readGitleaksReport` /
+ * `SESSION_PATH` (the gitleaks JSON parser) and `copyDirJsonlOnly` (the
+ * push-fidelity source filter) verbatim. The doctor-flavored guidance
+ * composer is new (push's `buildSessionAwareFatal` is wrong at doctor time:
+ * `nomad drop-session` operates on the staged tree, and nothing is staged
+ * during a preflight).
+ *
+ * All external calls use `execFileSync` argv-array form (no shell), the
+ * codebase PUSH-04 invariant.
+ */
+
+import { randomBytes } from 'node:crypto';
+import { execFileSync } from 'node:child_process';
+import { existsSync, mkdirSync, readdirSync, rmSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+import { green, red, yellow, okGlyph, failGlyph, warnGlyph } from './color.ts';
+import { addItem, type DoctorSection } from './commands.doctor.format.ts';
+import { CLAUDE_HOME, HOST, REPO_HOME, type PathMap } from './config.ts';
+import { type Finding, partitionFindings, readGitleaksReport } from './push-gitleaks.ts';
+import { copyDirJsonlOnly } from './remap.ts';
+import { encodePath, nowTimestamp, readJson } from './utils.ts';
+
+/**
+ * Result of staging the scan tree. `malformed` is true when `path-map.json`
+ * exists but does not parse as JSON; the caller emits a FAIL row and stops
+ * (mirroring `reportPathMap`'s `readJsonSafe` degradation) rather than letting
+ * the `SyntaxError` propagate past `nomad.ts`'s `NomadFatal`-only handler and
+ * abort the whole doctor run with a stack trace.
+ */
+type ScanTree = {
+  logicalToEncoded: Map<string, string>;
+  staged: number;
+  malformed: boolean;
+};
+
+/**
+ * Build the temp staging tree under `tmpRoot/shared/projects/<logical>/` by
+ * copying each local encoded session dir that resolves to a path-map logical
+ * for this host. Returns the `logical -> encoded-dir` association so the
+ * scrub-path hint can name the live `~/.claude/projects/<encoded>/<sid>.jsonl`
+ * file, plus the count of session dirs staged. Skips `TBD`/unmapped entries
+ * (the D-03 scope: exactly what `remapPush` would stage). Uses the same
+ * depth-0 `*.jsonl` filter as push via `copyDirJsonlOnly`. A malformed
+ * `path-map.json` sets `malformed: true` rather than throwing.
+ */
+function buildScanTree(tmpRoot: string): ScanTree {
+  const logicalToEncoded = new Map<string, string>();
+  let staged = 0;
+  const mapPath = join(REPO_HOME, 'path-map.json');
+  if (!existsSync(mapPath)) return { logicalToEncoded, staged, malformed: false };
+  let map: PathMap;
+  try {
+    map = readJson<PathMap>(mapPath);
+  } catch {
+    return { logicalToEncoded, staged, malformed: true };
+  }
+  if (typeof map.projects !== 'object' || map.projects === null) {
+    return { logicalToEncoded, staged, malformed: false };
+  }
+
+  const reverse = new Map<string, string>();
+  for (const [logical, hosts] of Object.entries(map.projects)) {
+    if (typeof hosts !== 'object' || hosts === null) continue;
+    const p = hosts[HOST];
+    if (!p || p === 'TBD') continue;
+    reverse.set(encodePath(p), logical);
+  }
+
+  const localProjects = join(CLAUDE_HOME, 'projects');
+  if (!existsSync(localProjects)) return { logicalToEncoded, staged, malformed: false };
+  for (const dir of readdirSync(localProjects)) {
+    const logical = reverse.get(dir);
+    if (!logical) continue;
+    copyDirJsonlOnly(join(localProjects, dir), join(tmpRoot, 'shared', 'projects', logical));
+    logicalToEncoded.set(logical, dir);
+    staged++;
+  }
+  return { logicalToEncoded, staged, malformed: false };
+}
+
+/**
+ * Probe for the gitleaks binary on PATH, distinguishing the not-installed case
+ * (ENOENT -> `'missing'`, a WARN skip per the read-only doctor contract) from a
+ * real probe failure (EACCES, corrupt binary -> `{ fail: message }`, a FAIL).
+ * Mirrors `reportGitleaksProbe`'s ENOENT-vs-other split rather than collapsing
+ * every failure into "not on PATH". Probes directly (not via `probeGitleaks`)
+ * so the doctor flavor stays read-only and need not unwrap a `NomadFatal`.
+ */
+function probeGitleaksForScan(): 'ok' | 'missing' | { fail: string } {
+  try {
+    execFileSync('gitleaks', ['version'], { stdio: ['ignore', 'pipe', 'pipe'] });
+    return 'ok';
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === 'ENOENT') return 'missing';
+    return { fail: (err as Error).message };
+  }
+}
+
+/**
+ * Recover the live encoded-dir for a finding by mapping its `<logical>`
+ * segment through the staging association. Returns the absolute live
+ * transcript path `~/.claude/projects/<encoded>/<sid>.jsonl`, falling back to
+ * the logical name when the association is missing (defensive; the temp-tree
+ * model guarantees a hit).
+ */
+function scrubPath(logical: string, sid: string, logicalToEncoded: Map<string, string>): string {
+  /* c8 ignore next -- the `?? logical` fallback is defensive; the temp-tree build keys every staged logical */
+  const encoded = logicalToEncoded.get(logical) ?? logical;
+  return join(CLAUDE_HOME, 'projects', encoded, `${sid}.jsonl`);
+}
+
+/**
+ * Emit one fail row per affected session plus rotate-and-scrub + allowlist
+ * guidance, and set `process.exitCode = 1`. `logicalBySession` carries the
+ * `<logical>` segment captured from the same `SESSION_PATH` match that keyed
+ * `bySession`, so the scrub-path hint reuses the authoritative parse rather
+ * than re-deriving the logical name from the finding `File`. Every `bySession`
+ * sid is keyed in `logicalBySession` (both come from the identical sid capture),
+ * so the scrub hint always renders; the guard omits the hint rather than
+ * printing a wrong path if that invariant ever breaks, and the leak row itself
+ * is always emitted.
+ */
+function reportSessionFindings(
+  section: DoctorSection,
+  bySession: Map<string, Map<string, number>>,
+  logicalBySession: Map<string, string>,
+  logicalToEncoded: Map<string, string>,
+): void {
+  for (const [sid, counts] of bySession) {
+    const summary = [...counts.entries()].map(([rule, n]) => `${rule} (${n})`).join(', ');
+    addItem(section, `${red(failGlyph)} session ${sid}: ${summary}`);
+    const logical = logicalBySession.get(sid);
+    /* c8 ignore next -- false branch is defensive; every bySession sid is keyed in logicalBySession */
+    if (logical !== undefined) {
+      addItem(
+        section,
+        `  rotate the credential, then scrub ${scrubPath(logical, sid, logicalToEncoded)}`,
+      );
+    }
+    addItem(section, `  false positive? add a pattern to .gitleaks.toml`);
+  }
+  process.exitCode = 1;
+}
+
+/**
+ * Emit one fail row per non-session ("other"-bucket) finding and set
+ * `process.exitCode = 1`. These are findings whose `File` did not match the
+ * flat `SESSION_PATH` shape (nested transcripts under `subagents/`, `memory/`,
+ * etc., which `copyDirJsonlOnly` copies recursively and `nomad push` would
+ * stage). Names the repo-relative path and RuleID only, never the matched
+ * secret. Mirrors the push-side guarantee that any finding outside `bySession`
+ * still fails the scan (`buildSessionAwareFatal`'s `LEGACY_FATAL` fallback).
+ */
+function reportOtherFindings(section: DoctorSection, other: Finding[]): void {
+  for (const f of other) {
+    addItem(section, `${red(failGlyph)} leak in ${f.File}: ${f.RuleID}`);
+  }
+  process.exitCode = 1;
+}
+
+/**
+ * Captures both the `<logical>` segment and the `<sid>` from a repo-relative
+ * `shared/projects/<logical>/<sid>.jsonl` path. The session-id group matches
+ * the exported `SESSION_PATH` shape; the extra `<logical>` group lets the
+ * scrub-path hint reuse this single authoritative parse.
+ */
+const SESSION_PATH_LOGICAL = /^shared\/projects\/([^/]+)\/([^/]+)\.jsonl$/;
+
+/**
+ * Emit the single canonical clean row reporting the scanned-project count
+ * (`staged` is the number of mapped project directories whose transcripts were
+ * staged, not a transcript total). Centralizing the literal (zero-staged,
+ * scanned-clean, and the findings-but-no-`other` paths all route through here)
+ * keeps the phrasing consistent and prevents one copy drifting from another,
+ * which is what let a "no session findings == clean" path slip past the
+ * `other`-bucket gate.
+ */
+function emitClean(section: DoctorSection, staged: number): void {
+  addItem(section, `${green(okGlyph)} ${staged} project(s) scanned, no leaks`);
+}
+
+/**
+ * Run the `--check-shared` preflight and append its rows to `section`.
+ *
+ * Flow (D-01..D-10): probe gitleaks (missing -> one WARN row, exit untouched;
+ * a non-ENOENT probe failure -> FAIL row + exit 1, mirroring
+ * `reportGitleaksProbe`); stage a temp copy of this-host mapped session dirs
+ * (a malformed `path-map.json` -> FAIL row + exit 1, no crash); scan with the
+ * positional `gitleaks dir shared/projects` invocation (NOT `--source`, which
+ * `gitleaks dir` rejects with exit 126); on a clean scan emit one ok row
+ * reporting the scanned-project count; on findings emit per-session fail rows
+ * with rotate-and-scrub guidance and set `process.exitCode = 1`; on a non-zero
+ * exit with no parseable report emit a scan-failed fail row carrying the
+ * gitleaks error message (never its stderr/stdout, which may hold secrets) +
+ * exit 1 (do not chase phantom sessions). Removes both the temp report and the
+ * temp tree in `finally` on success and failure. Never writes to stderr
+ * (read-only doctor contract).
+ *
+ * `gitleaksReady` lets the doctor orchestrator pass the result of the
+ * Repository section's gitleaks probe so the `version` subcommand is not
+ * invoked a second time on a `--check-shared` run. When omitted (the module's
+ * standalone contract) this reporter probes for itself.
+ */
+export function reportCheckShared(section: DoctorSection, gitleaksReady?: boolean): void {
+  if (gitleaksReady !== true) {
+    const probe = probeGitleaksForScan();
+    if (probe === 'missing') {
+      addItem(section, `${yellow(warnGlyph)} gitleaks not on PATH; shared scan skipped`);
+      return;
+    }
+    if (probe !== 'ok') {
+      addItem(section, `${red(failGlyph)} gitleaks probe failed: ${probe.fail}`);
+      process.exitCode = 1;
+      return;
+    }
+  }
+
+  const cacheDir = join(homedir(), '.cache', 'claude-nomad');
+  mkdirSync(cacheDir, { recursive: true });
+  // nowTimestamp() is second-resolution and --check-shared takes no lock
+  // (read-only), so two same-second, same-pid invocations would otherwise
+  // share a stamp and clobber each other's temp tree / report. The random
+  // suffix makes the stamp collision-resistant, matching the push report path.
+  const stamp = `${nowTimestamp()}-${process.pid}-${randomBytes(4).toString('hex')}`;
+  const reportPath = join(cacheDir, `check-shared-${stamp}.json`);
+  const tmpRoot = join(cacheDir, `check-shared-tree-${stamp}`);
+
+  try {
+    const { logicalToEncoded, staged, malformed } = buildScanTree(tmpRoot);
+    if (malformed) {
+      addItem(section, `${red(failGlyph)} path-map.json malformed JSON; shared scan skipped`);
+      process.exitCode = 1;
+      return;
+    }
+    if (staged === 0) {
+      // No path-map entry maps to this host (or all are TBD). Nothing would be
+      // staged by push either, so report clean without invoking gitleaks (a
+      // scan of a non-existent dir would exit non-zero and misfire).
+      emitClean(section, 0);
+      return;
+    }
+    const tomlPath = join(REPO_HOME, '.gitleaks.toml');
+    const args: string[] = [
+      'dir',
+      'shared/projects',
+      '--redact',
+      '-v',
+      '--report-format=json',
+      `--report-path=${reportPath}`,
+    ];
+    if (existsSync(tomlPath)) args.push('--config', tomlPath);
+
+    try {
+      execFileSync('gitleaks', args, { cwd: tmpRoot, stdio: ['ignore', 'pipe', 'pipe'] });
+      emitClean(section, staged);
+    } catch (err) {
+      const findings = readGitleaksReport(reportPath);
+      if (findings === null) {
+        // Carry the gitleaks error message only (never e.stderr/e.stdout, which
+        // can echo the redacted-but-still-sensitive scan output), matching
+        // runGitleaksScan on the push side.
+        const msg = (err as Error).message;
+        addItem(section, `${red(failGlyph)} scan failed: no parseable gitleaks report (${msg})`);
+        process.exitCode = 1;
+        return;
+      }
+      const { bySession, other } = partitionFindings(findings);
+      // Both buckets must gate the clean row. A finding routed to `other`
+      // (nested transcripts that match neither the flat SESSION_PATH nor any
+      // session) is still a stageable secret push would catch, so reporting
+      // clean on `bySession.size === 0` alone would make the preflight weaker
+      // than the push scan it stands in for.
+      if (bySession.size === 0 && other.length === 0) {
+        emitClean(section, staged);
+        return;
+      }
+      if (other.length > 0) reportOtherFindings(section, other);
+      if (bySession.size > 0) {
+        // Capture <logical> alongside <sid> from the same authoritative match
+        // so the scrub hint never re-derives the logical name independently.
+        const logicalBySession = new Map<string, string>();
+        for (const f of findings) {
+          const m = SESSION_PATH_LOGICAL.exec(f.File);
+          if (m?.[2] !== undefined && !logicalBySession.has(m[2])) {
+            /* c8 ignore next -- `?? ''` is defensive; group 1 is always captured when the match succeeds */
+            logicalBySession.set(m[2], m[1] ?? '');
+          }
+        }
+        reportSessionFindings(section, bySession, logicalBySession, logicalToEncoded);
+      }
+    }
+  } finally {
+    rmSync(reportPath, { force: true });
+    rmSync(tmpRoot, { recursive: true, force: true });
+  }
+}