claude-nomad 0.26.1 → 0.26.2

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [0.26.2](https://github.com/funkadelic/claude-nomad/compare/v0.26.1...v0.26.2) (2026-05-28)
+
+
+### Fixed
+
+* **gitleaks:** condense push output and group doctor check-shared layout ([#161](https://github.com/funkadelic/claude-nomad/issues/161)) ([d9e5758](https://github.com/funkadelic/claude-nomad/commit/d9e57589f616e70b8e2d6249c957af55a25a578b))
+
 ## [0.26.1](https://github.com/funkadelic/claude-nomad/compare/v0.26.0...v0.26.1) (2026-05-27)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.26.1",
+  "version": "0.26.2",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [

package/src/commands.doctor.check-shared.scan.ts

@@ -7,14 +7,14 @@
  * Owns the post-stage block: run the shared `scanStagedTree` (the same git
  * init + add + `gitleaks protect --staged` mechanism push uses), classify the
  * findings via `partitionFindings`, and emit the doctor glyph rows (clean,
- * per-session leak with rotate-and-scrub guidance, and the nested "other"
- * bucket). All external work flows through `scanStagedTree`; this module spawns
+ * per-session leak rows, then a Remediation block, then a Finding types legend).
+ * All external work flows through `scanStagedTree`; this module spawns
  * nothing itself.
  */
 
 import { join } from 'node:path';
 
-import { green, red, dim, okGlyph, failGlyph } from './color.ts';
+import { green, red, dim, bold, okGlyph, failGlyph } from './color.ts';
 import { addItem, type DoctorSection } from './commands.doctor.format.ts';
 import { CLAUDE_HOME } from './config.ts';
 import { type Finding, partitionFindings, scanStagedTree } from './push-gitleaks.ts';
@@ -32,31 +32,18 @@ function scrubPath(logical: string, sid: string, logicalToEncoded: Map<string, s
 }
 
 /**
- * Emit one fail row per affected session plus rotate-and-scrub + allowlist
- * guidance, and set `process.exitCode = 1`. `logicalBySession` carries the
- * `<logical>` captured from the same match that keyed `bySession`, so the
- * scrub-path hint reuses the authoritative parse. The hint guard omits a row
- * rather than print a wrong path if the invariant ever breaks; the leak row is
- * always emitted.
+ * Emit one fail row per affected session (the `✗ ... in session` rows only)
+ * and set `process.exitCode = 1`. Rotate-and-scrub guidance and the
+ * false-positive hint are NOT emitted here; they belong to `reportRemediation`
+ * which is called after all finding rows.
  */
 function reportSessionFindings(
   section: DoctorSection,
   bySession: Map<string, Map<string, number>>,
-  logicalBySession: Map<string, string>,
-  logicalToEncoded: Map<string, string>,
 ): void {
   for (const [sid, counts] of bySession) {
     const summary = [...counts.entries()].map(([rule, n]) => `${rule} (${n})`).join(', ');
     addItem(section, `${red(failGlyph)} ${red(summary)} in session ${sid}`);
-    const logical = logicalBySession.get(sid);
-    /* c8 ignore next -- false branch is defensive; every bySession sid is keyed in logicalBySession */
-    if (logical !== undefined) {
-      addItem(
-        section,
-        `  ${dim(`rotate the credential, then scrub ${scrubPath(logical, sid, logicalToEncoded)}`)}`,
-      );
-    }
-    addItem(section, `  ${dim('false positive? add a pattern to .gitleaks.toml')}`);
   }
   process.exitCode = 1;
 }
@@ -75,6 +62,36 @@ function reportOtherFindings(section: DoctorSection, other: Finding[]): void {
   process.exitCode = 1;
 }
 
+/**
+ * Emit the remediation block after all finding rows. Findings-first ordering
+ * means guidance is grouped at the end, not interleaved between session rows.
+ * Emits a leading blank, a bold `Remediation` header, one rotate-and-scrub
+ * line per session (using `logicalBySession` to build the scrub path), and
+ * exactly ONE false-positive hint after the loop (deduped, not once per session).
+ * The hint guard omits a rotate row rather than print a wrong path if the
+ * invariant ever breaks; the false-positive line is always appended.
+ */
+function reportRemediation(
+  section: DoctorSection,
+  bySession: Map<string, Map<string, number>>,
+  logicalBySession: Map<string, string>,
+  logicalToEncoded: Map<string, string>,
+): void {
+  addItem(section, '');
+  addItem(section, bold('Remediation'));
+  for (const [sid] of bySession) {
+    const logical = logicalBySession.get(sid);
+    /* c8 ignore next -- false branch is defensive; every bySession sid is keyed in logicalBySession */
+    if (logical !== undefined) {
+      addItem(
+        section,
+        `  ${dim(`- rotate the credential, then scrub ${scrubPath(logical, sid, logicalToEncoded)}`)}`,
+      );
+    }
+  }
+  addItem(section, `  ${dim('- false positive? add a pattern to .gitleaks.toml')}`);
+}
+
 /**
  * Captures both the `<logical>` segment and the `<sid>` from a repo-relative
  * `shared/projects/<logical>/<sid>.jsonl` path. The session-id group matches
@@ -112,14 +129,14 @@ function buildLogicalBySession(findings: Finding[]): Map<string, string> {
 }
 
 /**
- * Emit a deduplicated description legend in the footer: one `[rule-id]:
- * description` row per distinct RuleID across all findings, set off by a blank
- * line before and after. Sourced from the `Description` gitleaks bakes into
- * each finding, so it needs no network; rules whose description is absent
- * (older gitleaks, custom rules) are skipped, and the whole block (including
- * the surrounding blanks) is omitted when no descriptions are available. The
- * legend lives in the footer so a rule hit across many files or sessions
- * (e.g. `sonar-api-token`) is explained once, not per occurrence.
+ * Emit a deduplicated description legend in the footer: one `- [rule-id]:
+ * description` row per distinct RuleID across all findings, headed by a bold
+ * `Finding types` header with a leading blank but no trailing blank (renderSection
+ * attaches the `└` elbow to the last non-empty item). Rules whose description
+ * is absent (older gitleaks, custom rules) are skipped, and the whole block
+ * (including the surrounding blank and header) is omitted when no descriptions
+ * are available. The legend lives in the footer so a rule hit across many files
+ * or sessions (e.g. `sonar-api-token`) is explained once, not per occurrence.
  */
 function emitDescriptionLegend(section: DoctorSection, findings: Finding[]): void {
   const descByRule = new Map<string, string>();
@@ -128,16 +145,19 @@ function emitDescriptionLegend(section: DoctorSection, findings: Finding[]): voi
   }
   if (descByRule.size === 0) return;
   addItem(section, '');
+  addItem(section, bold('Finding types'));
   for (const [rule, desc] of descByRule) {
-    addItem(section, `  ${red(`[${rule}]`)}: ${dim(desc)}`);
+    addItem(section, `  ${red(`- [${rule}]`)}: ${dim(desc)}`);
   }
-  addItem(section, '');
 }
 
 /**
  * Scan the staged temp tree through the shared `scanStagedTree` and emit the
- * result rows. Isolates the deepest nesting from `reportCheckShared`: the scan
- * try/catch (failure -> fail row + exit 1, carrying `err.message` only, never
+ * result rows in findings-first order: other-bucket leak rows, then per-session
+ * leak rows, then a `Remediation` block (gated on bySession.size > 0), then a
+ * `Finding types` legend (gated on at least one finding carrying a Description).
+ * Isolates the deepest nesting from `reportCheckShared`: the scan try/catch
+ * (failure -> fail row + exit 1, carrying `err.message` only, never
  * stderr/stdout), the unparseable `findings === null` branch, `partitionFindings`,
  * and the clean / `other` / `bySession` rows. BOTH buckets gate the clean row: a
  * finding in `other` (nested transcripts matching neither the flat `SESSION_PATH`
@@ -175,8 +195,9 @@ export function scanAndReport(
     return;
   }
   if (other.length > 0) reportOtherFindings(section, other);
+  if (bySession.size > 0) reportSessionFindings(section, bySession);
   if (bySession.size > 0) {
-    reportSessionFindings(section, bySession, buildLogicalBySession(findings), logicalToEncoded);
+    reportRemediation(section, bySession, buildLogicalBySession(findings), logicalToEncoded);
   }
   emitDescriptionLegend(section, findings);
 }

package/src/push-gitleaks.scan.ts

@@ -83,10 +83,12 @@ export function readGitleaksReport(reportPath: string): Finding[] | null {
  *
  * `forwardStreams` (default `false`): when `true`, the gitleaks redacted
  * stderr/stdout captured on a non-zero exit is written to the process streams
- * so the operator sees which file is dirty. `runGitleaksScan` passes `true`
- * (byte-identical push behavior); the read-only `--check-shared` preflight
- * leaves it `false` so it never writes to stderr (its scan-failed row carries
- * the error message only, never the streams).
+ * ONLY on the scan-crash path (when the report is unparseable or missing, i.e.
+ * `readGitleaksReport` returns `null`). On the leaks-found path the report
+ * parses to a findings array, the structured caller FATAL fully describes the
+ * findings, and the raw streams are suppressed to avoid printing them twice.
+ * `runGitleaksScan` passes `true`; the read-only `--check-shared` preflight
+ * leaves it `false` so it never writes to streams on any path.
  */
 export function scanStagedTree(repoDir: string, forwardStreams = false): Finding[] | null {
   const cacheDir = join(homedir(), '.cache', 'claude-nomad');
@@ -111,11 +113,12 @@ export function scanStagedTree(repoDir: string, forwardStreams = false): Finding
   } catch (err) {
     const e = err as NodeJS.ErrnoException & { stderr?: Buffer; stdout?: Buffer };
     if (e.code === 'ENOENT') throw err;
-    if (forwardStreams) {
+    const report = readGitleaksReport(reportPath);
+    if (forwardStreams && report === null) {
       if (e.stderr) process.stderr.write(e.stderr);
       if (e.stdout) process.stdout.write(e.stdout);
     }
-    return readGitleaksReport(reportPath);
+    return report;
   } finally {
     rmSync(reportPath, { force: true });
   }

package/src/push-gitleaks.ts

@@ -92,6 +92,20 @@ export function partitionFindings(findings: Finding[]): {
  * session, since those nested paths route to the `other` bucket and are
  * not listed per-session. Pure.
  */
+/**
+ * Render one `Also found:` row for a non-session ("other"-bucket) finding as
+ * `  <File>:<StartLine>  <RuleID>`, where the line number is the manual-scrub
+ * locator for the nested transcript. `StartLine` is typed `number` but comes
+ * from an unvalidated `parsed as Finding[]` cast over gitleaks subprocess
+ * output, so a missing or non-positive value (gitleaks line numbers are
+ * 1-indexed) drops the `:<line>` suffix rather than emit a confusing
+ * `:undefined` / `:0`.
+ */
+export function formatOtherFinding(f: Finding): string {
+  const loc = Number.isInteger(f.StartLine) && f.StartLine > 0 ? `:${f.StartLine}` : '';
+  return `  ${f.File}${loc}  ${f.RuleID}`;
+}
+
 export function buildSessionAwareFatal(
   bySession: Map<string, Map<string, number>>,
   other: Finding[],
@@ -110,7 +124,7 @@ export function buildSessionAwareFatal(
     lines.push(
       '',
       'Also found:',
-      ...other.map((f) => `  ${f.File}  ${f.RuleID}`),
+      ...other.map(formatOtherFinding),
       '  Review with: git diff --cached, then unstage manually.',
     );
   }
@@ -133,8 +147,10 @@ export function buildSessionAwareFatal(
  * missing/locked file, or a non-finding runtime failure, since gitleaks v8.x
  * returns exit 1 for both "leaks found" and runtime errors) it throws a
  * distinct scan-failed FATAL so the operator does not chase a phantom
- * `nomad drop-session` recovery; the forwarded stderr/stdout above carries the
- * underlying gitleaks output.
+ * `nomad drop-session` recovery. On the leaks-found path the raw gitleaks
+ * streams are suppressed (the session-aware FATAL fully describes the findings).
+ * On the scan-failed/null-report path the raw stderr/stdout is forwarded so
+ * "Review the gitleaks output above." has something to point at.
  *
  * ENOENT (gitleaks or git absent) propagates from the helper and is mapped to
  * the platform-aware install-hint FATAL. Defense-in-depth: the presence probe