npm - claude-nomad - Versions diffs - 0.25.2 → 0.25.3 - Mend

claude-nomad 0.25.2 → 0.25.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md +13 -0
package/README.md +8 -2
package/package.json +1 -1
package/src/commands.doctor.version.ts +7 -7
package/src/config.ts +1 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,18 @@
 # Changelog
+## [0.25.3](https://github.com/funkadelic/claude-nomad/compare/v0.25.2...v0.25.3) (2026-05-26)
+### Changed
+* **config:** add skipAutoPermissionPrompt to KNOWN_SETTINGS_KEYS ([#142](https://github.com/funkadelic/claude-nomad/issues/142)) ([09b4d7c](https://github.com/funkadelic/claude-nomad/commit/09b4d7c27d74cc922f9c516296ca6123e1ee84f5))
+### Documentation
+* document runtime deps and foreground the security posture ([#145](https://github.com/funkadelic/claude-nomad/issues/145)) ([fb029ee](https://github.com/funkadelic/claude-nomad/commit/fb029eec1a6d915224a39cc2755ff76e42618365))
+* refresh hero.svg tagline and doctor mockup ([#144](https://github.com/funkadelic/claude-nomad/issues/144)) ([58a0176](https://github.com/funkadelic/claude-nomad/commit/58a01760e8d977ce4cf46dcd3137c02f3bc6541c))
 ## [0.25.2](https://github.com/funkadelic/claude-nomad/compare/v0.25.1...v0.25.2) (2026-05-26)

package/README.md CHANGED Viewed

@@ -6,12 +6,12 @@
 ![claude-nomad - Sync your Claude Code setup. Same environment. Any machine.](docs/hero.svg)
-**Your entire Claude Code setup, on every machine. History included, secrets excluded.**
+**Your entire Claude Code setup, on every machine. History included, every push secret-scanned.**
 Open Claude Code on a second machine and it is a blank slate: none of your custom agents, slash commands, tuned settings, or past conversations. claude-nomad keeps all of it in sync through a private Git repo you control. `nomad push` on one machine, `nomad pull` on the next, and everything is there, conversations included.
 - **Resume your sessions on any machine.** Start a conversation on your desktop and pick it up on your laptop. claude-nomad remaps the file paths Claude Code embeds in every transcript, so your history follows you instead of getting stranded on the box where it started.
-- **Private by default.** Your `~/.claude/` also holds OAuth tokens, MCP credentials, and the full text of every conversation. Every push is secret-scanned before it leaves your machine, credentials and ephemeral state never sync, and `nomad init` disables CI on your private mirror by default, so transcripts can't leak through Actions logs.
+- **Secret-scanned, private by default.** Your `~/.claude/` also holds OAuth tokens, MCP credentials, and the full text of every conversation, so claude-nomad is deliberate about what leaves your machine: credentials and ephemeral state never sync, only an explicit allow-list of paths is pushed, and everything that does go up is scanned by [gitleaks](https://github.com/gitleaks/gitleaks) before it leaves your machine; the push aborts on any hit. `nomad init` also disables Actions on your private mirror by default, so transcripts can't leak through CI logs.
 - **One setup, every machine.** Your agents, skills, slash commands, and settings live in one place and follow you everywhere. Per-machine tweaks like model choice, MCP URLs, and env vars merge on top instead of clobbering your shared defaults.
 Not dotfiles, not rsync. claude-nomad understands Claude Code's state, so your session history survives different file paths and your secrets never ride along.
@@ -215,8 +215,14 @@ Read these before adopting so you opt in with eyes open.
 - Node.js 22.22.1 or newer (24 LTS recommended; the npm `engines` field declares the 22.22.1 floor and surfaces a warning on older runtimes - npm only blocks the install when `engine-strict=true` is configured)
 - `tsx` (ships as a runtime dependency of the published package; no separate global install required)
 - Git
+- [`gitleaks`](https://github.com/gitleaks/gitleaks) (required for `nomad push`, which fail-fasts if it is not on PATH; `nomad doctor` also checks it against the pinned 8.30.x and warns when it is absent or mismatched)
 - A **private** GitHub repo (or any Git remote you control)
+**Optional:**
+- `gh` (GitHub CLI), used only by `nomad init` to auto-disable Actions on the private repo; if it is missing or unauthenticated, init prints a manual fallback tip and continues
+- `curl`, used only by the version/update check (the `nomad doctor` latest-release line and the post-`nomad update` check); it degrades silently when curl is absent or offline, so the rest of the CLI works without it
 ## Setup
 **Why not just fork?** GitHub doesn't let you flip a public fork to private, and your config (especially session transcripts) must stay private. So the bootstrap is a one-time mirror-push into a fresh private repo, not a fork.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.25.2",
+  "version": "0.25.3",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [

package/src/commands.doctor.version.ts CHANGED Viewed

@@ -123,13 +123,13 @@ function saveCache(latest: string): void {
 /**
  * Fetch the latest release tag from the upstream GitHub releases API. Uses
  * `execFileSync('curl', ...)` rather than `node:https` because curl honors
- * system proxies, respects the `-m` timeout reliably, and is already a
- * required dependency on every supported host (push uses gitleaks; pull uses
- * git). 3-second timeout, fail-fast on non-2xx (`-f`), silent (`-s`), follow
- * redirects (`-L`). Returns `null` on ANY failure path including a missing
- * `tag_name` field or a tag that fails strict-semver validation after the
- * leading `v` strip. Release tags ship as `v<semver>` per
- * `release-please-config.json`'s `include-v-in-tag: true`.
+ * system proxies and respects the `-m` timeout reliably. curl is optional, not
+ * a hard dependency: this is its only consumer, so a host without curl simply
+ * skips the version line. 3-second timeout, fail-fast on non-2xx (`-f`), silent
+ * (`-s`), follow redirects (`-L`). Returns `null` on ANY failure path (curl
+ * missing from PATH, a missing `tag_name` field, or a tag that fails
+ * strict-semver validation after the leading `v` strip). Release tags ship as
+ * `v<semver>` per `release-please-config.json`'s `include-v-in-tag: true`.
  */
 function fetchLatestTag(): string | null {
   try {

package/src/config.ts CHANGED Viewed

@@ -139,6 +139,7 @@ export const KNOWN_SETTINGS_KEYS = new Set<string>([
   'pluginRepositoryEnabled',
   'pluginsLocalConfig',
   'proxy',
+  'skipAutoPermissionPrompt',
   'statsig',
   'statusLine',
   'subagents',