claude-nomad 0.32.0 → 0.32.2

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [0.32.2](https://github.com/funkadelic/claude-nomad/compare/v0.32.1...v0.32.2) (2026-05-30)
+
+
+### Fixed
+
+* **remap:** reject path-traversal in path-map logical keys ([#190](https://github.com/funkadelic/claude-nomad/issues/190)) ([1526fbb](https://github.com/funkadelic/claude-nomad/commit/1526fbbbb7c6beb258d882c1c26cd45447ab226b))
+
+
+### Changed
+
+* **sonar:** source projectVersion from package.json at scan time ([#188](https://github.com/funkadelic/claude-nomad/issues/188)) ([c00dd6a](https://github.com/funkadelic/claude-nomad/commit/c00dd6a5135a8753d56cf4165cf5b9782c9bde3e))
+
+## [0.32.1](https://github.com/funkadelic/claude-nomad/compare/v0.32.0...v0.32.1) (2026-05-30)
+
+
+### Fixed
+
+* **redact:** make applyRedactions overlap-safe ([#186](https://github.com/funkadelic/claude-nomad/issues/186)) ([8da07d1](https://github.com/funkadelic/claude-nomad/commit/8da07d1ef58b7f6596ca479a3c57863fc75f35bb))
+
 ## [0.32.0](https://github.com/funkadelic/claude-nomad/compare/v0.31.0...v0.32.0) (2026-05-30)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.32.0",
+  "version": "0.32.2",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [

package/src/commands.redact.core.ts

@@ -3,25 +3,6 @@ import { join } from 'node:path';
 
 import { REPO_HOME } from './config.ts';
 
-/**
- * Replace every occurrence of a literal secret value in a raw line. Uses
- * split/join to avoid regex escaping and to replace all occurrences. Pure,
- * no I/O.
- *
- * The replacement token `[REDACTED:<ruleId>]` contains no JSON-special
- * characters, so the result remains valid JSON when the value sits inside a
- * JSON string token.
- *
- * @param line Raw JSONL line text.
- * @param match Literal secret value to replace (empty string is a no-op).
- * @param ruleId Gitleaks rule identifier included in the replacement token.
- * @returns Line with all occurrences of `match` replaced by `[REDACTED:<ruleId>]`.
- */
-export function redactValue(line: string, match: string, ruleId: string): string {
-  if (match === '') return line;
-  return line.split(match).join(`[REDACTED:${ruleId}]`);
-}
-
 /** Minimal finding shape consumed by `applyRedactions`. */
 export type RedactFinding = {
   StartLine: number;
@@ -29,25 +10,95 @@ export type RedactFinding = {
   RuleID: string;
 };
 
+/** A half-open byte interval `[start, end)` derived from a `Match` value. */
+type MatchInterval = {
+  start: number;
+  end: number;
+  ruleId: string;
+};
+
 /**
- * Apply all findings for one file in memory. Replaces each finding's `Match`
- * value globally across the whole content string (split/join, no column
- * arithmetic). To avoid a shorter secret being a substring of a longer one
- * causing a partial match, findings are sorted by `Match.length` descending so
- * the longer secret is replaced first. Findings with an empty `Match` are
- * silently skipped (a defensive guard: an empty match would otherwise inject
- * the token between every character). Pure, no I/O.
+ * Locate every occurrence of each finding's `Match` value in `content` using
+ * `indexOf`. Findings with an empty `Match` are skipped. Multiple
+ * non-overlapping occurrences of the same value are each recorded as a
+ * separate interval. Offsets are value-derived, not column-derived, so they
+ * are always correct regardless of gitleaks column alignment.
+ *
+ * @param content Full file content as a single string.
+ * @param findings Array of finding descriptors.
+ * @returns Array of `{start, end, ruleId}` intervals (unmerged, unsorted).
+ */
+export function collectMatchIntervals(
+  content: string,
+  findings: readonly RedactFinding[],
+): MatchInterval[] {
+  const intervals: MatchInterval[] = [];
+  for (const f of findings) {
+    const match = f.Match;
+    if (match === '') continue;
+    let from = 0;
+    let pos = content.indexOf(match, from);
+    while (pos !== -1) {
+      intervals.push({ start: pos, end: pos + match.length, ruleId: f.RuleID });
+      from = pos + match.length;
+      pos = content.indexOf(match, from);
+    }
+  }
+  return intervals;
+}
+
+/**
+ * Sort and merge a list of (possibly overlapping or adjacent) intervals into a
+ * minimal list of non-overlapping spans. Sort order is start ascending, then
+ * end descending so that a longer interval at the same start position wins its
+ * `ruleId`. Overlapping or adjacent intervals are folded into one span that
+ * extends to the maximum end seen, keeping the first span's `ruleId`.
+ *
+ * @param intervals Unmerged intervals from `collectMatchIntervals`.
+ * @returns Sorted, merged, non-overlapping intervals.
+ */
+export function mergeIntervals(intervals: MatchInterval[]): MatchInterval[] {
+  if (intervals.length === 0) return [];
+  const sorted = [...intervals].sort((a, b) => a.start - b.start || b.end - a.end);
+  let last = { ...sorted[0] };
+  const merged: MatchInterval[] = [last];
+  for (let i = 1; i < sorted.length; i++) {
+    const cur = sorted[i];
+    if (cur.start <= last.end) {
+      if (cur.end > last.end) last.end = cur.end;
+    } else {
+      last = { ...cur };
+      merged.push(last);
+    }
+  }
+  return merged;
+}
+
+/**
+ * Apply all findings for one file in memory. Collects every occurrence of each
+ * finding's `Match` value via `indexOf`, merges overlapping and adjacent spans
+ * into non-overlapping intervals, then replaces each interval right-to-left so
+ * earlier offsets remain valid. Findings with an empty `Match` are silently
+ * skipped. Returns `content` unchanged when there are no findings or no
+ * occurrences are found.
+ *
+ * The replacement token `[REDACTED:<ruleId>]` is byte-identical to the previous
+ * format. Right-to-left replacement guarantees that overlapping matches (e.g.
+ * two findings whose `Match` values share a middle span) are replaced by a
+ * single token covering the full union, leaving no fragment. Pure, no I/O.
  *
  * @param content Full file content as a single string.
  * @param findings Array of finding descriptors.
  * @returns Redacted file content.
  */
 export function applyRedactions(content: string, findings: readonly RedactFinding[]): string {
-  const sorted = [...findings].sort((a, b) => b.Match.length - a.Match.length);
+  const raw = collectMatchIntervals(content, findings);
+  if (raw.length === 0) return content;
+  const merged = mergeIntervals(raw);
   let result = content;
-  for (const f of sorted) {
-    if (f.Match === '') continue;
-    result = result.split(f.Match).join(`[REDACTED:${f.RuleID}]`);
+  for (let i = merged.length - 1; i >= 0; i--) {
+    const { start, end, ruleId } = merged[i];
+    result = result.slice(0, start) + `[REDACTED:${ruleId}]` + result.slice(end);
   }
   return result;
 }

package/src/commands.redact.ts

@@ -15,7 +15,6 @@ export {
   appendGitleaksIgnore,
   formatFingerprint,
   isRecentlyModified,
-  redactValue,
 } from './commands.redact.core.ts';
 
 /**

package/src/config.sharedDirs.guard.ts

@@ -1,11 +1,40 @@
 import { NEVER_SYNC } from './config.ts';
+import { NomadFatal } from './utils.ts';
+
+/**
+ * `logical` keys in `path-map.json` are project identifiers (e.g. `ha-acwd`,
+ * `foo`), never path fragments. A crafted key like `../escape` or `foo/bar`
+ * would escape `shared/projects/` (or `shared/extras/`) via `join()` (which
+ * normalizes `..`) and land content somewhere unexpected on the filesystem.
+ * The push allow-list catches such commits at the `git add` boundary, but the
+ * filesystem mutation has already happened by then. This check fails fast
+ * before any write. The pattern matches what every reasonable project name
+ * looks like and rejects everything else.
+ */
+const SAFE_LOGICAL = /^[A-Za-z0-9._-]+$/;
+
+/**
+ * Throw `NomadFatal` unless `logical` is a path-separator-free project
+ * identifier (see `SAFE_LOGICAL`). Path-traversal defense-in-depth; called
+ * before any filesystem mutation by every remap and extras op that joins
+ * `logical` into a filesystem path.
+ *
+ * @param logical - A `path-map.json` projects key to validate.
+ */
+export function assertSafeLogical(logical: string): void {
+  if (!SAFE_LOGICAL.test(logical) || logical === '.' || logical === '..') {
+    throw new NomadFatal(
+      `invalid logical name in path-map.json: ${JSON.stringify(logical)} (must match [A-Za-z0-9._-]+; no path separators or '..')`,
+    );
+  }
+}
 
 /**
  * Single-segment path characters allowed in a `sharedDirs` entry. Mirrors
- * `SAFE_LOGICAL` in `extras-sync.guards.ts` but applied to global support
- * directory names rather than per-project logical names. Must match
- * `^[A-Za-z0-9._-]+$` so no path separator, no shell-special character, no
- * leading dot that would collide with a hidden state directory.
+ * `SAFE_LOGICAL` above but applied to global support directory names rather
+ * than per-project logical names. Must match `^[A-Za-z0-9._-]+$` so no path
+ * separator, no shell-special character, no leading dot that would collide
+ * with a hidden state directory.
  */
 const SAFE_SEGMENT = /^[A-Za-z0-9._-]+$/;
 

package/src/extras-sync.guards.ts

@@ -2,30 +2,7 @@ import { isAbsolute, normalize } from 'node:path';
 
 import { NomadFatal } from './utils.ts';
 
-/**
- * `logical` keys in `path-map.json` are project identifiers (e.g. `ha-acwd`,
- * `foo`), never path fragments. A crafted key like `../escape` or `foo/bar`
- * would escape `shared/extras/` via `join()` (which normalizes `..`) and land
- * content somewhere unexpected on the filesystem. The push allow-list catches
- * such commits at the `git add` boundary, but the filesystem mutation has
- * already happened by then. This check fails fast before any write. The
- * pattern matches what every reasonable project name looks like and rejects
- * everything else; tighten only if a real project needs broader characters.
- */
-const SAFE_LOGICAL = /^[A-Za-z0-9._-]+$/;
-
-/**
- * Throw `NomadFatal` unless `logical` is a path-separator-free project
- * identifier (see `SAFE_LOGICAL`). Path-traversal defense-in-depth; called
- * before any filesystem mutation by every extras op.
- */
-export function assertSafeLogical(logical: string): void {
-  if (!SAFE_LOGICAL.test(logical) || logical === '.' || logical === '..') {
-    throw new NomadFatal(
-      `invalid logical name in path-map.json extras: ${JSON.stringify(logical)} (must match [A-Za-z0-9._-]+; no path separators or '..')`,
-    );
-  }
-}
+export { assertSafeLogical } from './config.sharedDirs.guard.ts';
 
 /**
  * Reject `localRoot` values that contain unnormalized segments (`..`,

package/src/remap.ts

@@ -1,6 +1,7 @@
 import { cpSync, existsSync, mkdirSync, readdirSync, rmSync, statSync } from 'node:fs';
 import { join, relative, sep } from 'node:path';
 
+import { assertSafeLogical } from './config.sharedDirs.guard.ts';
 import { CLAUDE_HOME, HOST, REPO_HOME, type PathMap } from './config.ts';
 import { die, log } from './utils.ts';
 import { backupBeforeWrite, backupRepoWrite } from './utils.fs.ts';
@@ -81,6 +82,7 @@ export function remapPull(
   if (!dryRun) mkdirSync(localProjects, { recursive: true });
 
   for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
     const localPath = hosts[HOST];
     if (!localPath || localPath === 'TBD') {
       unmapped++;
@@ -126,6 +128,7 @@ function buildReverseMap(map: PathMap): Map<string, string> {
   const reverse = new Map<string, string>();
   const encodedPaths = new Map<string, string>();
   for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
     const p = hosts[HOST];
     if (!p || p === 'TBD') continue;
     const encoded = encodePath(p);